When fetching a remote URL with a Cookie header, if the response carries a Location header, the client follows that URL and fetches it with the provided cookie. The cookie is therefore leaked to a third party.
Example: if you fetch example.com with a cookie and it responds with a redirect to attacker.com, the redirect URL is fetched with the provided cookie.
Release Notes
lquixada/cross-fetch (cross-fetch)
### [`v3.1.5`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.5)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.4...v3.1.5)
#### What's Changed
- chore: updated node-fetch version to 2.6.7 by [@dlafreniere](https://togithub.com/dlafreniere) in [https://github.com/lquixada/cross-fetch/pull/124](https://togithub.com/lquixada/cross-fetch/pull/124)
#### New Contributors
- [@dlafreniere](https://togithub.com/dlafreniere) made their first contribution in [https://github.com/lquixada/cross-fetch/pull/124](https://togithub.com/lquixada/cross-fetch/pull/124)
**Full Changelog**: https://github.com/lquixada/cross-fetch/compare/v3.1.4...v3.1.5
### [`v3.1.4`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.4)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.3...v3.1.4)
fixed typescript errors.
### [`v3.1.3`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.3)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.2...v3.1.3)
fixed typescript compilation error causing [#95](https://togithub.com/lquixada/cross-fetch/issues/95), [#101](https://togithub.com/lquixada/cross-fetch/issues/101), [#102](https://togithub.com/lquixada/cross-fetch/issues/102).
### [`v3.1.2`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.2)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.1...v3.1.2)
added missing Headers interface augmentation from lib.dom.iterable.d.ts ([#97](https://togithub.com/lquixada/cross-fetch/issues/97))
### [`v3.1.1`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.1)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.1.0...v3.1.1)
fixed missing fetch api types from constructor signatures [#96](https://togithub.com/lquixada/cross-fetch/issues/96) (thanks [@jstewmon](https://togithub.com/jstewmon))
### [`v3.1.0`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.1.0)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.0.6...v3.1.0)
⚡️ improved TypeScript support with own fetch API type definitions (thanks [@jstewmon](https://togithub.com/jstewmon))
⚡️ set `fetch.ponyfill` to `true` when custom ponyfill implementation is used.
💡 set the same fetch API test suite to run against `node-fetch`, `whatwg-fetch` and native fetch.
### [`v3.0.6`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.0.6)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.0.5...v3.0.6)
⚡️ updated node-fetch to 2.6.1
### [`v3.0.5`](https://togithub.com/lquixada/cross-fetch/releases/tag/v3.0.5)
[Compare Source](https://togithub.com/lquixada/cross-fetch/compare/v3.0.4...v3.0.5)
⚡️ whatwg-fetch is not a prod dependency anymore ([#63](https://togithub.com/lquixada/cross-fetch/issues/63))
⚡️ updated all dev dependencies.
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
3.0.4 -> 3.1.5
GitHub Vulnerability Alerts
CVE-2022-1365
This PR was generated by Mend Renovate. View the repository job log.
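
The redirect behaviour described under CVE-2022-1365 can also be guarded against on the caller side by following redirects manually and dropping credential headers when the origin changes. This is an added example, not code from cross-fetch, node-fetch or this PR; the function names, the header list, the same-origin rule and the stub are assumptions made for illustration.

```javascript
// Credential-bearing request headers that must not cross origins (assumed list).
const CREDENTIAL_HEADERS = ['cookie', 'cookie2', 'authorization', 'proxy-authorization'];

// Decide which headers may accompany a redirect from currentUrl to `location`.
// Hypothetical helper: credentials survive only when scheme, host and port all match.
function headersForRedirect(currentUrl, location, headers) {
  const from = new URL(currentUrl);
  const to = new URL(location, from); // Location may be relative
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const sensitive = CREDENTIAL_HEADERS.includes(name.toLowerCase());
    if (!sensitive || to.origin === from.origin) out[name] = value;
  }
  return { url: to.href, headers: out };
}

// Follow redirects hop by hop instead of letting the client do it.
// Assumes a server-side fetch that exposes the 3xx response when
// redirect is 'manual'. GET-only: method and body rewriting are not handled.
async function fetchFollowingSafely(fetchImpl, url, headers, maxHops = 5) {
  for (let hop = 0; hop <= maxHops; hop++) {
    const res = await fetchImpl(url, { headers, redirect: 'manual' });
    const location = res.headers.get('location');
    if (res.status < 300 || res.status >= 400 || !location) return res;
    // Once stripped, credentials stay stripped for the rest of the chain.
    ({ url, headers } = headersForRedirect(url, location, headers));
  }
  throw new Error('too many redirects');
}

// Constructed stub standing in for the network: example.com answers with a
// redirect to attacker.com, every other host answers 200. Records each request.
function makeStubFetch(seen) {
  return async (url, opts) => {
    seen.push({ url, headers: opts.headers });
    const hit = url.startsWith('https://example.com/');
    const location = hit ? 'https://attacker.com/collect' : null;
    return {
      status: hit ? 302 : 200,
      headers: { get: (name) => (name === 'location' ? location : null) },
    };
  };
}
```

Pass the real fetch implementation as `fetchImpl` in production code; the stub exists only so the behaviour can be checked offline.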