node-fetch forwards secure headers such as authorization, www-authenticate, cookie, & cookie2 when redirecting to a untrusted site.
Release Notes
node-fetch/node-fetch (node-fetch)
### [`v2.6.7`](https://redirect.github.com/node-fetch/node-fetch/releases/tag/v2.6.7)
[Compare Source](https://redirect.github.com/node-fetch/node-fetch/compare/v2.6.6...v2.6.7)
### Security patch release
Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred
#### What's Changed
- fix: don't forward secure headers to 3th party by [@jimmywarting](https://redirect.github.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1453](https://redirect.github.com/node-fetch/node-fetch/pull/1453)
**Full Changelog**: https://github.com/node-fetch/node-fetch/compare/v2.6.6...v2.6.7
### [`v2.6.6`](https://redirect.github.com/node-fetch/node-fetch/releases/tag/v2.6.6)
[Compare Source](https://redirect.github.com/node-fetch/node-fetch/compare/v2.6.5...v2.6.6)
#### What's Changed
- fix(URL): prefer built in URL version when available and fallback to whatwg by [@jimmywarting](https://redirect.github.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1352](https://redirect.github.com/node-fetch/node-fetch/pull/1352)
**Full Changelog**: https://github.com/node-fetch/node-fetch/compare/v2.6.5...v2.6.6
### [`v2.6.5`](https://redirect.github.com/node-fetch/node-fetch/compare/a41c469c6164e7175f39113c875a9ddd2f064504...v2.6.5)
[Compare Source](https://redirect.github.com/node-fetch/node-fetch/compare/a41c469c6164e7175f39113c875a9ddd2f064504...v2.6.5)
### [`v2.6.4`](https://redirect.github.com/node-fetch/node-fetch/compare/v2.6.3...a41c469c6164e7175f39113c875a9ddd2f064504)
[Compare Source](https://redirect.github.com/node-fetch/node-fetch/compare/v2.6.3...a41c469c6164e7175f39113c875a9ddd2f064504)
### [`v2.6.3`](https://redirect.github.com/node-fetch/node-fetch/compare/v2.6.2...v2.6.3)
[Compare Source](https://redirect.github.com/node-fetch/node-fetch/compare/v2.6.2...v2.6.3)
### [`v2.6.2`](https://redirect.github.com/node-fetch/node-fetch/releases/tag/v2.6.2)
[Compare Source](https://redirect.github.com/node-fetch/node-fetch/compare/v2.6.1...v2.6.2)
fixed main path in package.json
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
2.6.1
->2.6.7
GitHub Vulnerability Alerts
CVE-2022-0235
node-fetch forwards secure headers such as
authorization
,www-authenticate
,cookie
, &cookie2
when redirecting to a untrusted site.Release Notes
node-fetch/node-fetch (node-fetch)
### [`v2.6.7`](https://redirect.github.com/node-fetch/node-fetch/releases/tag/v2.6.7) [Compare Source](https://redirect.github.com/node-fetch/node-fetch/compare/v2.6.6...v2.6.7) ### Security patch release Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred #### What's Changed - fix: don't forward secure headers to 3th party by [@jimmywarting](https://redirect.github.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1453](https://redirect.github.com/node-fetch/node-fetch/pull/1453) **Full Changelog**: https://github.com/node-fetch/node-fetch/compare/v2.6.6...v2.6.7 ### [`v2.6.6`](https://redirect.github.com/node-fetch/node-fetch/releases/tag/v2.6.6) [Compare Source](https://redirect.github.com/node-fetch/node-fetch/compare/v2.6.5...v2.6.6) #### What's Changed - fix(URL): prefer built in URL version when available and fallback to whatwg by [@jimmywarting](https://redirect.github.com/jimmywarting) in [https://github.com/node-fetch/node-fetch/pull/1352](https://redirect.github.com/node-fetch/node-fetch/pull/1352) **Full Changelog**: https://github.com/node-fetch/node-fetch/compare/v2.6.5...v2.6.6 ### [`v2.6.5`](https://redirect.github.com/node-fetch/node-fetch/compare/a41c469c6164e7175f39113c875a9ddd2f064504...v2.6.5) [Compare Source](https://redirect.github.com/node-fetch/node-fetch/compare/a41c469c6164e7175f39113c875a9ddd2f064504...v2.6.5) ### [`v2.6.4`](https://redirect.github.com/node-fetch/node-fetch/compare/v2.6.3...a41c469c6164e7175f39113c875a9ddd2f064504) [Compare Source](https://redirect.github.com/node-fetch/node-fetch/compare/v2.6.3...a41c469c6164e7175f39113c875a9ddd2f064504) ### [`v2.6.3`](https://redirect.github.com/node-fetch/node-fetch/compare/v2.6.2...v2.6.3) [Compare Source](https://redirect.github.com/node-fetch/node-fetch/compare/v2.6.2...v2.6.3) ### [`v2.6.2`](https://redirect.github.com/node-fetch/node-fetch/releases/tag/v2.6.2) [Compare Source](https://redirect.github.com/node-fetch/node-fetch/compare/v2.6.1...v2.6.2) fixed main path in package.jsonConfiguration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.