chore(deps): update dependency node-fetch to 2.6.7 [security] #4115
Conversation
Force-pushed five times: 6f5d17d -> 87b2c0d -> e94fbcd -> bcf61d9 -> ce5c5e9 -> eaaf908
📊 Benchmark results (comparing with 68ef285): package size 369 MB, ⬆️ 2.43% increase vs. 68ef285
Please don't update node-fetch :/ A 2.43% increase isn't worth it. None of your other deps are using 3.x and you are not yet at the point to switch to ESM modules.
I think we're good on the security side with the
Renovate Ignore Notification: As this PR has been closed unmerged, Renovate will now ignore this update (2.6.7). You will still receive a PR once a newer version is released, so if you wish to permanently ignore this dependency, please add it to the
If this PR was closed by mistake or you changed your mind, you can simply rename this PR and you will soon get a fresh replacement PR opened.
This PR contains the following updates: node-fetch 1.7.3 -> 2.6.7
GitHub Vulnerability Alerts
CVE-2020-15168
Impact
Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Patches
We released patched versions for both stable and beta channels: v2: 2.6.1, v3: 3.0.0-beta.9
Workarounds
None; it is strongly recommended to update as soon as possible.
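The advisory's own mitigation is to re-check the size of the data after fetch() completes rather than trusting node-fetch's size option alone. The following is an added example (not node-fetch's code and not part of this PR) of how a caller can enforce a byte limit itself while consuming the response body, so the limit holds regardless of whether a redirect was followed. It assumes a node-fetch-style res.body (a Node Readable, which is async-iterable) and a Headers object with a get() method; the names BodyTooLargeError, SizeGuard, checkDeclaredSize and readBodyWithLimit are this example's own.

```javascript
'use strict';
// Added example: caller-side enforcement of a response-size limit, independent of
// node-fetch's `size` option (which CVE-2020-15168 reports was not applied after a
// redirect in node-fetch < 2.6.1). Names below are this example's own, not node-fetch's.

/** Thrown when a body exceeds the configured limit (plays the role of FetchError here). */
class BodyTooLargeError extends Error {
  constructor(limit, seen) {
    super(`response body exceeded ${limit} bytes (saw at least ${seen})`);
    this.name = 'BodyTooLargeError';
    this.limit = limit;
    this.seen = seen;
  }
}

/**
 * Early check: if the server already declares an oversized body via Content-Length,
 * refuse before reading anything. Accepts a Headers-like object with get() or a plain
 * object with lowercase keys. Returns the declared length, or null if absent/invalid.
 * A missing or lying Content-Length is why the streaming check below still runs.
 */
function checkDeclaredSize(headers, maxBytes) {
  const raw = typeof headers.get === 'function'
    ? headers.get('content-length')
    : headers['content-length'];
  if (raw == null) return null;
  const declared = Number(raw);
  if (!Number.isSafeInteger(declared) || declared < 0) return null;
  if (declared > maxBytes) throw new BodyTooLargeError(maxBytes, declared);
  return declared;
}

/** Accumulates chunks and throws as soon as the running byte count passes maxBytes. */
class SizeGuard {
  constructor(maxBytes) {
    this.maxBytes = maxBytes;
    this.seen = 0;
    this.chunks = [];
  }
  // Returns the running total so far; throws instead of buffering past the limit.
  push(chunk) {
    const buf = Buffer.isBuffer(chunk) ? chunk : Buffer.from(chunk);
    this.seen += buf.length;
    if (this.seen > this.maxBytes) throw new BodyTooLargeError(this.maxBytes, this.seen);
    this.chunks.push(buf);
    return this.seen;
  }
  body() {
    return Buffer.concat(this.chunks);
  }
}

/**
 * Consume a body stream (node-fetch's res.body, or any async-iterable of chunks)
 * without ever holding more than maxBytes in memory. Because the check runs on
 * whatever bytes actually arrive, it does not depend on the library having re-applied
 * its own limit after a redirect.
 *
 * Intended use (network call omitted here so the example runs offline):
 *   const res = await fetch(url, { redirect: 'follow', size: LIMIT });
 *   const data = await readBodyWithLimit(res.body, LIMIT, res.headers);
 */
async function readBodyWithLimit(body, maxBytes, headers = {}) {
  checkDeclaredSize(headers, maxBytes);
  const guard = new SizeGuard(maxBytes);
  for await (const chunk of body) guard.push(chunk); // throwing here destroys the stream
  return guard.body();
}
```

Keep the limit in one place (for example a single LIMIT constant passed to both fetch() and readBodyWithLimit) so that the library option and the caller-side check cannot drift apart; the Content-Length pre-check only saves bandwidth, the streaming guard is the control that actually bounds memory and CPU.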
For more information
If you have any questions or comments about this advisory:
CVE-2022-0235
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled due to failing status checks.
♻ Rebasing: Renovate will not automatically rebase this PR, because other commits have been found.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.