Closed renovate[bot] closed 1 year ago
Merging #152 (3b786d4) into master (7e6cad0) will not change coverage. The diff coverage is
n/a
.:exclamation: Current head 3b786d4 differs from pull request most recent head 51ecdc2. Consider uploading reports for the commit 51ecdc2 to get more accurate results
This PR contains the following updates:
2.1.2
->2.6.7
GitHub Vulnerability Alerts
CVE-2020-15168
Impact
Node Fetch did not honor the
size
option after following a redirect, which means that when a content size was over the limit, aFetchError
would never get thrown and the process would end without failure.For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after
fetch()
has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.Patches
We released patched versions for both stable and beta channels:
v2
: 2.6.1v3
: 3.0.0-beta.9Workarounds
None, it is strongly recommended to update as soon as possible.
For more information
If you have any questions or comments about this advisory:
CVE-2022-0235
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Configuration
π Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
π¦ Automerge: Disabled by config. Please merge this manually once you are satisfied.
β» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
π Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.