Closed dependabot-preview[bot] closed 4 years ago
@dependabot merge
On Sun, 1 Nov 2020 at 16:23, dependabot-preview[bot] <notifications@github.com> wrote:
Bumps node-fetch https://github.com/bitinn/node-fetch from 2.6.0 to 2.6.1. This update includes a security fix.
Vulnerabilities fixed
Sourced from The GitHub Security Advisory Database https://github.com/advisories/GHSA-w7rc-rwvf-8q5r.
The size option isn't honored after following a redirect in node-fetch
Impact
Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.
For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Patches
We released patched versions for both stable and beta channels:
- For v2: 2.6.1
- For v3: 3.0.0-beta.9
Workarounds
None; it is strongly recommended to update as soon as possible.
For more information
If you have any questions or comments about this advisory:
- Open an issue in node-fetch https://github.com/node-fetch/node-fetch/issues/new?assignees=&labels=question&template=support-or-usage.md&title=Question%3A+
- Contact one of the core maintainers (@xxczaki https://github.com/xxczaki, @bitinn https://github.com/bitinn, @jimmywarting https://github.com/jimmywarting, @Richienb https://github.com/Richienb, or @gr2m https://github.com/gr2m)
Affected versions: < 2.6.1
Release notes
Sourced from node-fetch's releases https://github.com/bitinn/node-fetch/releases.
v2.6.1
This is an important security release. It is strongly recommended to update as soon as possible.
See CHANGELOG https://github.com/node-fetch/node-fetch/blob/master/docs/CHANGELOG.md#v261 for details.
Changelog
Sourced from node-fetch's changelog https://github.com/node-fetch/node-fetch/blob/master/docs/CHANGELOG.md.
v2.6.1
This is an important security release. It is strongly recommended to update as soon as possible.
- Fix: honor the size option after following a redirect.
Commits
- b5e2e41 https://github.com/node-fetch/node-fetch/commit/b5e2e41b2b50bf2997720d6125accaf0dd68c0ab update version number
- 2358a6c https://github.com/node-fetch/node-fetch/commit/2358a6c2563d1730a0cdaccc197c611949f6a334 Honor the size option after following a redirect and revert data uri support
- 8c197f8 https://github.com/node-fetch/node-fetch/commit/8c197f8982a238b3c345c64b17bfa92e16b4f7c4 docs: Fix typos and grammatical errors in README.md (#686 https://github-redirect.dependabot.com/bitinn/node-fetch/issues/686)
- 1e99050 https://github.com/node-fetch/node-fetch/commit/1e99050f944ac435fce26a9549eadcc2419a968a fix: Change error message thrown with redirect mode set to error (#653 https://github-redirect.dependabot.com/bitinn/node-fetch/issues/653)
- 244e6f6 https://github.com/node-fetch/node-fetch/commit/244e6f63d42025465796e3ca4ce813bf2c31fc5b docs: Show backers in README
- 6a5d192 https://github.com/node-fetch/node-fetch/commit/6a5d192034a0f438551dffb6d2d8df2c00921d16 fix: Properly parse meta tag when parameters are reversed (#682 https://github-redirect.dependabot.com/bitinn/node-fetch/issues/682)
- 47a24a0 https://github.com/node-fetch/node-fetch/commit/47a24a03eb49a49d81b768892aee10074ed54a91 chore: Add opencollective badge
- 7b13662 https://github.com/node-fetch/node-fetch/commit/7b136627c537cb24430b0310638c9177a85acee1 chore: Add funding link
- 5535c2e https://github.com/node-fetch/node-fetch/commit/5535c2ed478d418969ecfd60c16453462de2a53f fix: Check for global.fetch before binding it (#674 https://github-redirect.dependabot.com/bitinn/node-fetch/issues/674)
- 1d5778a https://github.com/node-fetch/node-fetch/commit/1d5778ad0d910dbd1584fb407a186f5a0bc1ea22 docs: Add Discord badge
- Additional commits viewable in compare view https://github.com/bitinn/node-fetch/compare/v2.6.0...v2.6.1
Maintainer changes
This version was pushed to npm by akepinski https://www.npmjs.com/~akepinski, a new releaser for node-fetch since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot merge will merge this PR after your CI passes on it
- @dependabot squash and merge will squash and merge this PR after your CI passes on it
- @dependabot cancel merge will cancel a previously requested merge and block automerging
- @dependabot reopen will reopen this PR if it is closed
- @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
- @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
- @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
- @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
- @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot dashboard https://app.dependabot.com:
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
You can view, comment on, or merge this pull request online at:
https://github.com/jmannau/serverless-ts-template/pull/273
Commit Summary
- [Security] Bump node-fetch from 2.6.0 to 2.6.1
File Changes
- M package-lock.json https://github.com/jmannau/serverless-ts-template/pull/273/files#diff-053150b640a7ce75eff69d1a22cae7f0f94ad64ce9a855db544dda0929316519 (24)
Patch Links:
- https://github.com/jmannau/serverless-ts-template/pull/273.patch
- https://github.com/jmannau/serverless-ts-template/pull/273.diff