Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
101: chore(deps): [security] bump node-fetch from 2.6.0 to 2.6.1 r=jniles a=dependabot-preview[bot]

Bumps [node-fetch](https://github.com/bitinn/node-fetch) from 2.6.0 to 2.6.1.
**This update includes a security fix.**

<details>
<summary>Vulnerabilities fixed</summary>
<p><em>Sourced from <a href="https://github.com/advisories/GHSA-w7rc-rwvf-8q5r">The GitHub Security Advisory Database</a>.</em></p>
<blockquote>
<p><strong>The <code>size</code> option isn't honored after following a redirect in node-fetch</strong></p>
<h3>Impact</h3>
<p>Node Fetch did not honor the <code>size</code> option after following a redirect, which means that when a content size was over the limit, a <code>FetchError</code> would never get thrown and the process would end without failure.</p>
<p>For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after <code>fetch()</code> has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.</p>
<h3>Patches</h3>
<p>We released patched versions for both stable and beta channels:</p>
<ul>
<li>For <code>v2</code>: 2.6.1</li>
<li>For <code>v3</code>: 3.0.0-beta.9</li>
</ul>
<h3>Workarounds</h3>
<p>None; it is strongly recommended to update as soon as possible.</p>
<h3>For more information</h3>
<p>If you have any questions or comments about this advisory:</p>
<ul>
<li>Open an issue in <a href="https://github.com/node-fetch/node-fetch/issues/new?assignees=&labels=question&template=support-or-usage.md&title=Question%3A+">node-fetch</a></li>
<li>Contact one of the core maintainers (<a href="https://github.com/xxczaki">@xxczaki</a>, <a href="https://github.com/bitinn">@bitinn</a>, <a href="https://github.com/jimmywarting">@jimmywarting</a>, <a href="https://github.com/Richienb">@Richienb</a>, or <a href="https://github.com/gr2m">@gr2m</a>)</li>
</ul>
<p>Affected versions: < 2.6.1</p>
</blockquote>
</details>

Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>