SocialGouv / www

Website of the Fabrique numérique des Ministères sociaux (the French Social Ministries' digital factory)
https://www.fabrique.social.gouv.fr/

fix(deps): update dependency node-fetch to v3 [security] - autoclosed #936

Closed renovate[bot] closed 2 years ago

renovate[bot] commented 2 years ago

WhiteSource Renovate

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| node-fetch | `^2.6.6` -> `^3.0.0` | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2022-0235

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor


Release Notes

node-fetch/node-fetch

### [`v3.1.1`](https://togithub.com/node-fetch/node-fetch/releases/v3.1.1)

[Compare Source](https://togithub.com/node-fetch/node-fetch/compare/v3.1.0...v3.1.1)

#### Security patch release

Recommended to upgrade, to not leak sensitive cookie and authentication header information to a 3rd party host while a redirect occurred.

#### What's Changed

- core: update fetch-blob by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1371](https://togithub.com/node-fetch/node-fetch/pull/1371)
- docs: Fix typo around sending a file by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1381](https://togithub.com/node-fetch/node-fetch/pull/1381)
- core: (http.request): Cast URL to string before sending it to NodeJS core by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1378](https://togithub.com/node-fetch/node-fetch/pull/1378)
- core: handle errors from the request body stream by [@​mdmitry01](https://togithub.com/mdmitry01) in [https://github.com/node-fetch/node-fetch/pull/1392](https://togithub.com/node-fetch/node-fetch/pull/1392)
- core: Better handle wrong redirect header in a response by [@​tasinet](https://togithub.com/tasinet) in [https://github.com/node-fetch/node-fetch/pull/1387](https://togithub.com/node-fetch/node-fetch/pull/1387)
- core: Don't use buffer to make a blob by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1402](https://togithub.com/node-fetch/node-fetch/pull/1402)
- docs: update readme for TS [@​types/node-fetch](https://togithub.com/types/node-fetch) by [@​adamellsworth](https://togithub.com/adamellsworth) in [https://github.com/node-fetch/node-fetch/pull/1405](https://togithub.com/node-fetch/node-fetch/pull/1405)
- core: Fix logical operator priority to disallow GET/HEAD with non-empty body by [@​maxshirshin](https://togithub.com/maxshirshin) in [https://github.com/node-fetch/node-fetch/pull/1369](https://togithub.com/node-fetch/node-fetch/pull/1369)
- core: Don't use global buffer by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1422](https://togithub.com/node-fetch/node-fetch/pull/1422)
- ci: fix main branch by [@​dnalborczyk](https://togithub.com/dnalborczyk) in [https://github.com/node-fetch/node-fetch/pull/1429](https://togithub.com/node-fetch/node-fetch/pull/1429)
- core: use more node: protocol imports by [@​dnalborczyk](https://togithub.com/dnalborczyk) in [https://github.com/node-fetch/node-fetch/pull/1428](https://togithub.com/node-fetch/node-fetch/pull/1428)
- core: Warn when using data by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1421](https://togithub.com/node-fetch/node-fetch/pull/1421)
- docs: Create SECURITY.md by [@​JamieSlome](https://togithub.com/JamieSlome) in [https://github.com/node-fetch/node-fetch/pull/1445](https://togithub.com/node-fetch/node-fetch/pull/1445)
- core: don't forward secure headers to 3rd party by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1449](https://togithub.com/node-fetch/node-fetch/pull/1449)

#### New Contributors

- [@​mdmitry01](https://togithub.com/mdmitry01) made their first contribution in [https://github.com/node-fetch/node-fetch/pull/1392](https://togithub.com/node-fetch/node-fetch/pull/1392)
- [@​tasinet](https://togithub.com/tasinet) made their first contribution in [https://github.com/node-fetch/node-fetch/pull/1387](https://togithub.com/node-fetch/node-fetch/pull/1387)
- [@​adamellsworth](https://togithub.com/adamellsworth) made their first contribution in [https://github.com/node-fetch/node-fetch/pull/1405](https://togithub.com/node-fetch/node-fetch/pull/1405)
- [@​maxshirshin](https://togithub.com/maxshirshin) made their first contribution in [https://github.com/node-fetch/node-fetch/pull/1369](https://togithub.com/node-fetch/node-fetch/pull/1369)
- [@​JamieSlome](https://togithub.com/JamieSlome) made their first contribution in [https://github.com/node-fetch/node-fetch/pull/1445](https://togithub.com/node-fetch/node-fetch/pull/1445)

**Full Changelog**: https://github.com/node-fetch/node-fetch/compare/v3.1.0...v3.1.1

### [`v3.1.0`](https://togithub.com/node-fetch/node-fetch/releases/v3.1.0)

[Compare Source](https://togithub.com/node-fetch/node-fetch/compare/v3.0.0...v3.1.0)

#### What's Changed

- fix(Body): Discourage form-data and buffer() by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1212](https://togithub.com/node-fetch/node-fetch/pull/1212)
- fix: Pass url string to http.request by [@​serverwentdown](https://togithub.com/serverwentdown) in [https://github.com/node-fetch/node-fetch/pull/1268](https://togithub.com/node-fetch/node-fetch/pull/1268)
- Fix octocat image link by [@​lakuapik](https://togithub.com/lakuapik) in [https://github.com/node-fetch/node-fetch/pull/1281](https://togithub.com/node-fetch/node-fetch/pull/1281)
- fix(Body.body): Normalize `Body.body` into a `node:stream` by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/924](https://togithub.com/node-fetch/node-fetch/pull/924)
- docs(Headers): Add default Host request header to README.md file by [@​robertoaceves](https://togithub.com/robertoaceves) in [https://github.com/node-fetch/node-fetch/pull/1316](https://togithub.com/node-fetch/node-fetch/pull/1316)
- Update CHANGELOG.md by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1292](https://togithub.com/node-fetch/node-fetch/pull/1292)
- Add highWaterMark to cloned properties by [@​davesidious](https://togithub.com/davesidious) in [https://github.com/node-fetch/node-fetch/pull/1162](https://togithub.com/node-fetch/node-fetch/pull/1162)
- Update README.md to fix HTTPResponseError by [@​thedanfernandez](https://togithub.com/thedanfernandez) in [https://github.com/node-fetch/node-fetch/pull/1135](https://togithub.com/node-fetch/node-fetch/pull/1135)
- docs: switch `url` to `URL` by [@​dhritzkiv](https://togithub.com/dhritzkiv) in [https://github.com/node-fetch/node-fetch/pull/1318](https://togithub.com/node-fetch/node-fetch/pull/1318)
- fix(types): declare buffer() deprecated by [@​dnalborczyk](https://togithub.com/dnalborczyk) in [https://github.com/node-fetch/node-fetch/pull/1345](https://togithub.com/node-fetch/node-fetch/pull/1345)
- chore: fix lint by [@​dnalborczyk](https://togithub.com/dnalborczyk) in [https://github.com/node-fetch/node-fetch/pull/1348](https://togithub.com/node-fetch/node-fetch/pull/1348)
- refactor: use node: prefix for imports by [@​dnalborczyk](https://togithub.com/dnalborczyk) in [https://github.com/node-fetch/node-fetch/pull/1346](https://togithub.com/node-fetch/node-fetch/pull/1346)
- Bump data-uri-to-buffer from 3.0.1 to 4.0.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/node-fetch/node-fetch/pull/1319](https://togithub.com/node-fetch/node-fetch/pull/1319)
- Bump mocha from 8.4.0 to 9.1.3 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/node-fetch/node-fetch/pull/1339](https://togithub.com/node-fetch/node-fetch/pull/1339)
- Referrer and Referrer Policy by [@​tekwiz](https://togithub.com/tekwiz) in [https://github.com/node-fetch/node-fetch/pull/1057](https://togithub.com/node-fetch/node-fetch/pull/1057)
- Add typing for Response.redirect(url, status) by [@​c-w](https://togithub.com/c-w) in [https://github.com/node-fetch/node-fetch/pull/1169](https://togithub.com/node-fetch/node-fetch/pull/1169)
- chore: Correct stuff in README.md by [@​Jiralite](https://togithub.com/Jiralite) in [https://github.com/node-fetch/node-fetch/pull/1361](https://togithub.com/node-fetch/node-fetch/pull/1361)
- docs: Improve clarity of "Loading and configuring" by [@​serverwentdown](https://togithub.com/serverwentdown) in [https://github.com/node-fetch/node-fetch/pull/1323](https://togithub.com/node-fetch/node-fetch/pull/1323)
- feat(Body): Added support for `BodyMixin.formData()` and constructing bodies with FormData by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1314](https://togithub.com/node-fetch/node-fetch/pull/1314)
- template: Make PR template more task oriented by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1224](https://togithub.com/node-fetch/node-fetch/pull/1224)
- docs: Update code examples by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1365](https://togithub.com/node-fetch/node-fetch/pull/1365)

#### New Contributors

- [@​serverwentdown](https://togithub.com/serverwentdown) made their first contribution in [https://github.com/node-fetch/node-fetch/pull/1268](https://togithub.com/node-fetch/node-fetch/pull/1268)
- [@​lakuapik](https://togithub.com/lakuapik) made their first contribution in [https://github.com/node-fetch/node-fetch/pull/1281](https://togithub.com/node-fetch/node-fetch/pull/1281)
- [@​robertoaceves](https://togithub.com/robertoaceves) made their first contribution in [https://github.com/node-fetch/node-fetch/pull/1316](https://togithub.com/node-fetch/node-fetch/pull/1316)
- [@​davesidious](https://togithub.com/davesidious) made their first contribution in [https://github.com/node-fetch/node-fetch/pull/1162](https://togithub.com/node-fetch/node-fetch/pull/1162)
- [@​thedanfernandez](https://togithub.com/thedanfernandez) made their first contribution in [https://github.com/node-fetch/node-fetch/pull/1135](https://togithub.com/node-fetch/node-fetch/pull/1135)
- [@​dhritzkiv](https://togithub.com/dhritzkiv) made their first contribution in [https://github.com/node-fetch/node-fetch/pull/1318](https://togithub.com/node-fetch/node-fetch/pull/1318)
- [@​dnalborczyk](https://togithub.com/dnalborczyk) made their first contribution in [https://github.com/node-fetch/node-fetch/pull/1345](https://togithub.com/node-fetch/node-fetch/pull/1345)
- [@​dependabot](https://togithub.com/dependabot) made their first contribution in [https://github.com/node-fetch/node-fetch/pull/1319](https://togithub.com/node-fetch/node-fetch/pull/1319)
- [@​c-w](https://togithub.com/c-w) made their first contribution in [https://github.com/node-fetch/node-fetch/pull/1169](https://togithub.com/node-fetch/node-fetch/pull/1169)

**Full Changelog**: https://github.com/node-fetch/node-fetch/compare/v3.0.0...v3.1.0

### [`v3.0.0`](https://togithub.com/node-fetch/node-fetch/releases/v3.0.0)

[Compare Source](https://togithub.com/node-fetch/node-fetch/compare/v2.6.7...v3.0.0)

Version 3 is going out of a long beta period and switches to stable. One major change is that it's now an ESM-only package.

See the [changelog](https://togithub.com/node-fetch/node-fetch/blob/main/docs/CHANGELOG.md#v300) for more information about all the changes.

### [`v2.6.7`](https://togithub.com/node-fetch/node-fetch/releases/v2.6.7)

[Compare Source](https://togithub.com/node-fetch/node-fetch/compare/v2.6.6...v2.6.7)

#### Security patch release

Recommended to upgrade, to not leak sensitive cookie and authentication header information to a 3rd party host while a redirect occurred.

#### What's Changed

- fix: don't forward secure headers to 3rd party by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1453](https://togithub.com/node-fetch/node-fetch/pull/1453)

**Full Changelog**: https://github.com/node-fetch/node-fetch/compare/v2.6.6...v2.6.7

Configuration

📅 Schedule: "" in timezone Europe/Paris.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by WhiteSource Renovate. View repository job log here.
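The fix that the v2.6.7 and v3.1.1 release notes describe (not replaying cookie and authentication headers to a different host after a redirect), shown as an added example that is not node-fetch's own code. The header list and the same-site rule (same hostname or a subdomain of it) are this example's assumptions.

```javascript
// Added example, not node-fetch's code: the mitigation described in the
// release notes, as a stand-alone helper. When a redirect leaves the original
// host (and its subdomains), credential-bearing request headers are dropped
// instead of being forwarded to the new host.

// Headers that must never follow a cross-site redirect (list assumed for this example).
const SENSITIVE_HEADERS = new Set(['authorization', 'www-authenticate', 'cookie', 'cookie2']);

// True when `destination` is the same host as `origin` or one of its subdomains.
// The leading dot keeps "notexample.org" from matching "example.org".
function isDomainOrSubdomain(destination, origin) {
  const orig = new URL(origin).hostname;      // URL lowercases hostnames for us
  const dest = new URL(destination).hostname;
  return orig === dest || dest.endsWith(`.${orig}`);
}

// Returns a copy of `headers` (plain object, header names as keys) to send with
// the redirected request. Header names are compared case-insensitively.
function headersForRedirect(headers, fromUrl, toUrl) {
  const sameSite = isDomainOrSubdomain(toUrl, fromUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sameSite && SENSITIVE_HEADERS.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Constructed sample request: an API call carrying a bearer token and a session cookie.
const sampleHeaders = {
  Authorization: 'Bearer example-token',
  Cookie: 'session=abc123',
  Accept: 'application/json',
};

// A same-site redirect keeps the credentials; a redirect to another site drops them.
console.log(headersForRedirect(sampleHeaders, 'https://api.example.org/v1', 'https://cdn.api.example.org/v1'));
console.log(headersForRedirect(sampleHeaders, 'https://api.example.org/v1', 'https://other.example.net/'));
```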

github-actions[bot] commented 2 years ago

🎉 Deployment for commit 8f4bc4e14a8d5b6425f09931602c99cc2581e6ab:

- Ingresses: 🚀 [www-renovate-npm-node-fetch-vulnerability-5i6vvk.dev.fabrique.social.gouv.fr](https://www-renovate-npm-node-fetch-vulnerability-5i6vvk.dev.fabrique.social.gouv.fr)
- Docker images: 📦 `docker pull ghcr.io/socialgouv/fabrique/www:sha-8f4bc4e14a8d5b6425f09931602c99cc2581e6ab`
- Debug:
  - [📕 Loki logs for namespace www-renovate-npm-node-fetch-vulnerability-5i6vvk](https://grafana.fabrique.social.gouv.fr/explore?orgId=1&left=%5B%22now-6h%22,%22now%22,%22Loki%22,%7B%22expr%22:%22%7Bnamespace%3D%5C%22www-renovate-npm-node-fetch-vulnerability-5i6vvk%5C%22%7D%22%7D%5D)
  - [📈 Pods monitoring for namespace www-renovate-npm-node-fetch-vulnerability-5i6vvk](https://grafana.fabrique.social.gouv.fr/d/85a562078cdf77779eaa1add43ccec1e/kubernetes-compute-resources-namespace-pods?orgId=1&refresh=10s&var-datasource=default&var-cluster=dev2&var-namespace=www-renovate-npm-node-fetch-vulnerability-5i6vvk)
  - [📈 Workloads monitoring for namespace www-renovate-npm-node-fetch-vulnerability-5i6vvk](https://grafana.fabrique.social.gouv.fr/d/a87fb0d919ec0ea5f6543124e16c42a5/kubernetes-compute-resources-namespace-workloads?orgId=1&refresh=10s&var-datasource=default&var-cluster=dev2&var-namespace=www-renovate-npm-node-fetch-vulnerability-5i6vvk&var-type=deployment)
  - [👮‍♂️ Project rancher www-renovate-npm-node-fetch-vulnerability-5i6vvk](https://rancher.fabrique.social.gouv.fr/p/c-gjtkk:p-qxn46/workloads)
  - [👮‍♂️ Deployment www](https://rancher.fabrique.social.gouv.fr/p/c-gjtkk:p-qxn46/workload/deployment:www-renovate-npm-node-fetch-vulnerability-5i6vvk:www)