Build(deps): [security] bump cross-fetch from 3.1.4 to 3.1.5 #345

Merged
argoyle merged 1 commit from dependabot-npm_and_yarn-cross-fetch-3.1.5 into master 2022-05-02 04:49:12 +00:00
argoyle commented 2022-05-02 04:40:01 +00:00 (Migrated from gitlab.com)

Bumps cross-fetch from 3.1.4 to 3.1.5. This update includes a security fix.

Vulnerabilities fixed

Incorrect Authorization in cross-fetch

When fetching a remote URL with a Cookie, if it gets a Location response header, it will follow that URL and try to fetch it with the provided cookie. So the cookie is leaked to a third party. Ex: you try to fetch example.com with a cookie, and if it gets a redirect URL to attacker.com, then it fetches that redirect URL with the provided cookie.

Patched versions: 3.1.5
Affected versions: < 3.1.5

Release notes

Sourced from cross-fetch's releases.

v3.1.5

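What's Changed
  • chore: updated node-fetch version to 2.6.7 by @dlafreniere in lquixada/cross-fetch#124

New Contributors
  • @dlafreniere made their first contribution in lquixada/cross-fetch#124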

Full Changelog: https://github.com/lquixada/cross-fetch/compare/v3.1.4...v3.1.5

Commits
  • c6089df chore(release): 3.1.5
  • a3b3a94 chore: updated node-fetch version to 2.6.7 (#124)
  • efed703 chore: updated node-fetch version to 2.6.5
  • 694ff77 refactor: removed ora from dependencies
  • efc5956 refactor: added .vscode to .gitignore
  • da605d5 refactor: renamed test/fetch/ to test/fetch-api/ and test/module/ to test/mod...
  • 0f0d51d chore: updated minor and patch versions of dev dependencies
  • c6e34ea refactor: removed sinon.js
  • f524a52 fix: yargs was incompatible with node 10
  • 7906fcf chore: updated dev dependencies
  • Additional commits viewable in compare view


Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • $dependabot rebase will rebase this MR
  • $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts
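The redirect behaviour described in the advisory above, shown from the caller's side as an added example that is not part of this merge request or of cross-fetch/node-fetch: redirects are followed by hand and `Cookie`/`Authorization` are dropped as soon as the origin changes. `nextHop`, `safeFetch` and `makeStubFetch` are hypothetical names, the stub responses are constructed so the block runs offline, and dropping on any origin change is this example's policy, not a statement of what the patched library does.

```javascript
// Added example: credential-safe redirect handling (not cross-fetch or node-fetch code).
const SENSITIVE = ['cookie', 'authorization'];

// Resolve the Location header and decide which headers may accompany the next request.
function nextHop(currentUrl, location, headers) {
  const from = new URL(currentUrl);
  const to = new URL(location, from); // Location may be relative
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const sensitive = SENSITIVE.includes(name.toLowerCase());
    // Keep credentials only when scheme, host and port are all unchanged.
    if (!sensitive || to.origin === from.origin) out[name] = value;
  }
  return { url: to.href, headers: out };
}

// Follow redirects manually so every hop passes through nextHop().
// Once a credential header is dropped it stays dropped for later hops.
// fetchImpl is any fetch-compatible function, injected so this runs offline.
async function safeFetch(fetchImpl, url, headers = {}, maxHops = 5) {
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetchImpl(url, { headers, redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status < 300 || res.status >= 400 || !location) return res;
    ({ url, headers } = nextHop(url, location, headers));
  }
  throw new Error('too many redirects');
}

// Constructed stub: example.com/start redirects to attacker.com; `seen` records
// the URL and headers each simulated host received.
function makeStubFetch(seen) {
  return async (url, init) => {
    seen.push({ url, headers: { ...init.headers } });
    const u = new URL(url);
    const redirecting = u.hostname === 'example.com' && u.pathname === '/start';
    return redirecting
      ? { status: 302, headers: new Map([['location', 'https://attacker.com/collect']]) }
      : { status: 200, headers: new Map() };
  };
}
```

With a real `fetch`, pass it as `fetchImpl`; the `redirect: 'manual'` option is what keeps the library from following the `Location` header on its own.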
argoyle (Migrated from gitlab.com) scheduled this pull request to auto merge when all checks succeed 2022-05-02 04:45:28 +00:00
argoyle commented 2022-05-02 04:49:12 +00:00 (Migrated from gitlab.com)

mentioned in commit 485dda0eb186226a2b2c870d8ab8ef19edc9c4c3
argoyle (Migrated from gitlab.com) merged commit 485dda0eb1 into master 2022-05-02 04:49:12 +00:00