socket-security[bot]
commented
3 months ago New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
🚮 Removed packages: npm/@celo/base@1.1.1, npm/@celo/connect@1.2.4, npm/@celo/phone-number-privacy-common@1.0.34, npm/@celo/utils@0.1.2, npm/@celo/wallet-base@1.2.4, npm/@celo/wallet-local@1.2.4, npm/@ethersproject/abstract-provider@5.4.0, npm/@ethersproject/abstract-signer@5.4.0, npm/@ethersproject/bignumber@5.4.1, npm/@ethersproject/logger@5.4.0, npm/@ethersproject/networks@5.4.1, npm/@ethersproject/properties@5.4.0, npm/@truffle/contract-schema@3.0.16, npm/@types/body-parser@1.17.1, npm/@types/debug@4.1.7, npm/@types/express-serve-static-core@4.16.10, npm/@types/express@4.17.1, npm/@types/mime@2.0.1, npm/@types/ms@0.7.31, npm/@types/prettier@1.18.3, npm/@types/qs@6.5.3, npm/@types/secp256k1@4.0.3, npm/@types/serve-static@1.13.3, npm/@types/zen-observable@0.8.0, npm/@wry/equality@0.1.9, npm/abi-decoder@1.2.0, npm/acorn-jsx@5.1.0, npm/apollo-cache@1.3.2, npm/apollo-client@2.6.4, npm/apollo-link@1.2.13, npm/apollo-utilities@1.3.2, npm/available-typed-arrays@1.0.4, npm/blake2s-js@1.3.0, npm/block-stream@0.0.9, npm/chai@4.3.4, npm/cli-spinners@2.2.0, npm/deprecate@1.0.0, npm/dot-prop@4.2.0, npm/es-abstract@1.18.3, npm/es5-ext@0.10.51, npm/es6-symbol@3.1.2, npm/eth-gas-reporter@0.1.12, npm/ethjs-abi@0.1.8, npm/flatted@2.0.1, npm/fs-promise@2.0.3, npm/futoin-hkdf@1.2.1, npm/google-libphonenumber@3.2.22, npm/google-libphonenumber@3.2.6, npm/is-arguments@1.1.0, npm/is-bigint@1.0.2, npm/is-boolean-object@1.1.1, npm/is-date-object@1.0.4, npm/is-generator-function@1.0.9, npm/is-number-object@1.0.5, npm/is-regex@1.1.3, npm/is-string@1.0.6, npm/libphonenumber-js@1.9.22, npm/mock-fs@4.10.2, npm/moment@2.24.0, npm/mout@0.11.1, npm/mythxjs@1.3.6, npm/node-fetch@2.3.0, npm/normalize-url@4.5.0, npm/object.getownpropertydescriptors@2.1.2, npm/openzeppelin-solidity@2.2.0, npm/parse-asn1@5.1.5, npm/pathval@1.1.1, npm/promise@8.0.3, npm/remix-lib@0.4.14, npm/request-promise-native@1.0.7, npm/scmp@2.0.0, npm/shelljs@0.7.8, npm/solhint@2.3.0, npm/tar.gz@1.0.7, npm/tar@4.4.13, npm/truffle-artifactor@3.0.9, npm/truffle-blockchain-utils@0.0.5, npm/truffle-compile-vyper@1.0.27, npm/truffle-compile@4.2.3, npm/truffle-config@1.1.20, npm/truffle-contract-schema@2.0.3, npm/truffle-contract-sources@0.1.5, npm/truffle-contract@3.0.8, npm/truffle-error@0.0.3, npm/truffle-expect@0.0.4, npm/truffle-external-compile@1.0.16, npm/truffle-provider@0.1.16, npm/truffle-resolver@4.0.6, npm/truffle-security@1.6.1, npm/truffle@5.0.20, npm/ts-invariant@0.4.4, npm/twilio@3.36.0, npm/web3-bzz@1.3.5, npm/web3-core-helpers@1.3.5, npm/web3-core-method@1.3.5, npm/web3-core-promievent@1.3.5, npm/web3-core-requestmanager@1.3.5, npm/web3-core-subscriptions@1.3.5, npm/web3-core@1.3.5, npm/web3-eth-accounts@1.3.5, npm/web3-eth-contract@1.3.5, npm/web3-eth-ens@1.3.5, npm/web3-eth-iban@1.3.5, npm/web3-eth-personal@1.3.5, npm/web3-eth@1.3.5, npm/web3-net@1.3.5, npm/web3-providers-http@1.3.5, npm/web3-providers-ipc@1.3.5, npm/web3-providers-ws@1.3.5, npm/web3-shh@1.3.5, npm/web3@1.3.5, npm/xmlbuilder@9.0.1, npm/yaassertion@1.0.2, npm/zen-observable-ts@0.8.20, npm/zen-observable@0.8.14
This PR contains the following updates:
2.6.1->2.6.7GitHub Vulnerability Alerts
CVE-2022-0235
node-fetch forwards secure headers such as
authorization,www-authenticate,cookie, &cookie2when redirecting to a untrusted site.node-fetch forwards secure headers to untrusted sites
CVE-2022-0235 / GHSA-r683-j2x4-v87g
More information
#### Details node-fetch forwards secure headers such as `authorization`, `www-authenticate`, `cookie`, & `cookie2` when redirecting to a untrusted site. #### Severity - CVSS Score: 8.8 / 10 (High) - Vector String: `CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H` #### References - [https://nvd.nist.gov/vuln/detail/CVE-2022-0235](https://nvd.nist.gov/vuln/detail/CVE-2022-0235) - [https://github.com/node-fetch/node-fetch/pull/1449/commits/5c32f002fdd65b1c6a8f1e3620210813d45c7e60](https://togithub.com/node-fetch/node-fetch/pull/1449/commits/5c32f002fdd65b1c6a8f1e3620210813d45c7e60) - [https://github.com/node-fetch/node-fetch/pull/1453](https://togithub.com/node-fetch/node-fetch/pull/1453) - [https://github.com/node-fetch/node-fetch/commit/1ef4b560a17e644a02a3bfdea7631ffeee578b35](https://togithub.com/node-fetch/node-fetch/commit/1ef4b560a17e644a02a3bfdea7631ffeee578b35) - [https://github.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10](https://togithub.com/node-fetch/node-fetch/commit/36e47e8a6406185921e4985dcbeff140d73eaa10) - [https://github.com/node-fetch/node-fetch/commit/5c32f002fdd65b1c6a8f1e3620210813d45c7e60](https://togithub.com/node-fetch/node-fetch/commit/5c32f002fdd65b1c6a8f1e3620210813d45c7e60) - [https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf) - [https://github.com/node-fetch/node-fetch](https://togithub.com/node-fetch/node-fetch) - [https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7](https://huntr.dev/bounties/d26ab655-38d6-48b3-be15-f9ad6b6ae6f7) - [https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html](https://lists.debian.org/debian-lts-announce/2022/12/msg00007.html) This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-r683-j2x4-v87g) and the [GitHub Advisory Database](https://togithub.com/github/advisory-database) ([CC-BY 4.0](https://togithub.com/github/advisory-database/blob/main/LICENSE.md)).Release Notes
node-fetch/node-fetch (node-fetch)
### [`v2.6.7`](https://togithub.com/node-fetch/node-fetch/releases/tag/v2.6.7) [Compare Source](https://togithub.com/node-fetch/node-fetch/compare/v2.6.6...v2.6.7) ### Security patch release Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred #### What's Changed - fix: don't forward secure headers to 3th party by [@jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1453](https://togithub.com/node-fetch/node-fetch/pull/1453) **Full Changelog**: https://github.com/node-fetch/node-fetch/compare/v2.6.6...v2.6.7 ### [`v2.6.6`](https://togithub.com/node-fetch/node-fetch/releases/tag/v2.6.6) [Compare Source](https://togithub.com/node-fetch/node-fetch/compare/v2.6.5...v2.6.6) #### What's Changed - fix(URL): prefer built in URL version when available and fallback to whatwg by [@jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1352](https://togithub.com/node-fetch/node-fetch/pull/1352) **Full Changelog**: https://github.com/node-fetch/node-fetch/compare/v2.6.5...v2.6.6 ### [`v2.6.5`](https://togithub.com/node-fetch/node-fetch/compare/a41c469c6164e7175f39113c875a9ddd2f064504...v2.6.5) [Compare Source](https://togithub.com/node-fetch/node-fetch/compare/a41c469c6164e7175f39113c875a9ddd2f064504...v2.6.5) ### [`v2.6.4`](https://togithub.com/node-fetch/node-fetch/compare/v2.6.3...a41c469c6164e7175f39113c875a9ddd2f064504) [Compare Source](https://togithub.com/node-fetch/node-fetch/compare/v2.6.3...a41c469c6164e7175f39113c875a9ddd2f064504) ### [`v2.6.3`](https://togithub.com/node-fetch/node-fetch/compare/v2.6.2...v2.6.3) [Compare Source](https://togithub.com/node-fetch/node-fetch/compare/v2.6.2...v2.6.3) ### [`v2.6.2`](https://togithub.com/node-fetch/node-fetch/releases/tag/v2.6.2) [Compare Source](https://togithub.com/node-fetch/node-fetch/compare/v2.6.1...v2.6.2) fixed main path in package.jsonConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.