search

celo-org / celo-monorepo

Official repository for core projects comprising the Celo platform
https://celo.org
Apache License 2.0
684 stars 360 forks source link

fix(deps): update dependency cross-fetch to v3.1.5 [security] (release/core-contracts/11_old) - autoclosed #11057

Closed renovate[bot] closed 2 weeks ago

renovate[bot] commented 2 weeks ago

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
cross-fetch 3.0.4 -> 3.1.5 age adoption passing confidence
cross-fetch 3.0.6 -> 3.1.5 age adoption passing confidence

Incorrect Authorization in cross-fetch

CVE-2022-1365 / GHSA-7gc6-qh9x-w6h8

More information #### Details When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to thirdparty. Ex: you try to fetch example.com with cookie and if it get redirect url to attacker.com then it fetch that redirect url with provided cookie . #### Severity - CVSS Score: 6.1 / 10 (Medium) - Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2022-1365](https://nvd.nist.gov/vuln/detail/CVE-2022-1365) - [https://github.com/lquixada/cross-fetch/pull/135](https://togithub.com/lquixada/cross-fetch/pull/135) - [https://github.com/lquixada/cross-fetch/commit/a3b3a9481091ddd06b8f83784ba9c4e034dc912a](https://togithub.com/lquixada/cross-fetch/commit/a3b3a9481091ddd06b8f83784ba9c4e034dc912a) - [https://github.com/lquixada/cross-fetch](https://togithub.com/lquixada/cross-fetch) - [https://huntr.dev/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac](https://huntr.dev/bounties/ab55dfdd-2a60-437a-a832-e3efe3d264ac) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-7gc6-qh9x-w6h8) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).

GitHub Vulnerability Alerts

CVE-2022-1365

When fetching a remote url with Cookie if it get Location response header then it will follow that url and try to fetch that url with provided cookie . So cookie is leaked here to thirdparty. Ex: you try to fetch example.com with cookie and if it get redirect url to attacker.com then it fetch that redirect url with provided cookie .

Release Notes

lquixada/cross-fetch (cross-fetch) ### [`v3.1.5`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.5) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.4...v3.1.5) #### What's Changed - chore: updated node-fetch version to 2.6.7 by [@​dlafreniere](https://togithub.com/dlafreniere) in [https://github.com/lquixada/cross-fetch/pull/124](https://togithub.com/lquixada/cross-fetch/pull/124) #### New Contributors - [@​dlafreniere](https://togithub.com/dlafreniere) made their first contribution in [https://github.com/lquixada/cross-fetch/pull/124](https://togithub.com/lquixada/cross-fetch/pull/124) **Full Changelog**: https://github.com/lquixada/cross-fetch/compare/v3.1.4...v3.1.5 ### [`v3.1.4`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.4) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.3...v3.1.4) 🐞 fixed typescript errors. ### [`v3.1.3`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.3) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.2...v3.1.3) 🐞 fixed typescript compilation error causing [#​95](https://togithub.com/lquixada/cross-fetch/issues/95), [#​101](https://togithub.com/lquixada/cross-fetch/issues/101), [#​102](https://togithub.com/lquixada/cross-fetch/issues/102). ### [`v3.1.2`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.2) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.1...v3.1.2) 🐞 added missing Headers interface augmentation from lib.dom.iterable.d.ts ([#​97](https://togithub.com/lquixada/cross-fetch/issues/97)) ### [`v3.1.1`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.1) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.0...v3.1.1) 🐞 fixed missing fetch api types from constructor signatures [#​96](https://togithub.com/lquixada/cross-fetch/issues/96) (thanks [@​jstewmon](https://togithub.com/jstewmon)) ### [`v3.1.0`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.0) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.0.6...v3.1.0) ⚡️ improved TypeScript support with own fetch API type definitions (thanks [@​jstewmon](https://togithub.com/jstewmon)) ⚡️ set `fetch.ponyfill` to `true` when custom ponyfill implementation is used. 💡 set the same fetch API test suite to run against `node-fetch`, `whatwg-fetch` and native fetch. ### [`v3.0.6`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.0.6) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.0.5...v3.0.6) ⚡️ updated node-fetch to 2.6.1 ### [`v3.0.5`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.0.5) [Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.0.4...v3.0.5) ⚡️ whatwg-fetch is not a prod dependency anymore ([#​63](https://togithub.com/lquixada/cross-fetch/issues/63)) ⚡️ updated all dev dependencies.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

This PR has been generated by Mend Renovate. View repository job log here.