Merge #101
101: chore(deps): [security] bump node-fetch from 2.6.0 to 2.6.1 r=jniles a=dependabot-preview[bot]

Bumps [node-fetch](https://github.com/bitinn/node-fetch) from 2.6.0 to 2.6.1. **This update includes a security fix.**
<details>
<summary>Vulnerabilities fixed</summary>
<p><em>Sourced from <a href="https://github.com/advisories/GHSA-w7rc-rwvf-8q5r">The GitHub Security Advisory Database</a>.</em></p>
<blockquote>
<p><strong>The <code>size</code> option isn't honored after following a redirect in node-fetch</strong></p>
<h3>Impact</h3>
<p>Node Fetch did not honor the <code>size</code> option after following a redirect, which means that when a content size was over the limit, a <code>FetchError</code> would never get thrown and the process would end without failure.</p>
<p>For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after <code>fetch()</code> has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.</p>
<h3>Patches</h3>
<p>We released patched versions for both stable and beta channels:</p>
<ul>
<li>For <code>v2</code>: 2.6.1</li>
<li>For <code>v3</code>: 3.0.0-beta.9</li>
</ul>
<h3>Workarounds</h3>
<p>None, it is strongly recommended to update as soon as possible.</p>
<h3>For more information</h3>
<p>If you have any questions or comments about this advisory:</p>
<ul>
<li>Open an issue in <a href="https://github.com/node-fetch/node-fetch/issues/new?assignees=&amp;labels=question&amp;template=support-or-usage.md&amp;title=Question%3A+">node-fetch</a></li>
<li>Contact one of the core maintainers (<a href="https://github.com/xxczaki">@xxczaki</a>, <a href="https://github.com/bitinn">@bitinn</a>, <a href="https://github.com/jimmywarting">@jimmywarting</a>, <a href="https://github.com/Richienb">@Richienb</a>, or <a href="https://github.com/gr2m">@gr2m</a>)</li>
</ul>
<p>Affected versions: &lt; 2.6.1</p>
</blockquote>


Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]@users.noreply.github.com>
bors[bot] and dependabot-preview[bot] authored Sep 11, 2020
2 parents dc1687b + 63ba81e commit 6eb52e2
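The advisory quoted in the commit message describes a limit that was applied to the first response but not to the body reached after a redirect. The following is an added example written for this page, not node-fetch's own code: it models the correct behaviour with an in-memory "origin" (the `ORIGIN` table, `fakeFetchOnce`, and the `example.test` URLs are constructed for the demo) and shows that the `size` cap has to be enforced on whatever body is finally read, counting bytes as they stream rather than trusting a declared `Content-Length`. The `SizeLimitError` class is modelled on node-fetch's `FetchError` for this case and is an assumption of this example, not an import from the library.

```javascript
// Added example: a size cap that survives redirects. Nothing here is node-fetch code.

class SizeLimitError extends Error {
  // Shape modelled on node-fetch's FetchError for the max-size case (assumption).
  constructor(url, limit) {
    super(`content size at ${url} over limit: ${limit}`);
    this.name = 'SizeLimitError';
    this.type = 'max-size';
  }
}

// Constructed sample origin (not a real server): URL -> response.
// Bodies are arrays of chunks to mimic a body arriving over a stream.
const ORIGIN = {
  'https://example.test/small':  { status: 200, headers: {}, chunks: ['hello'] },
  'https://example.test/go-big': { status: 302, headers: { location: 'https://example.test/big' }, chunks: [] },
  'https://example.test/big':    { status: 200, headers: {}, chunks: ['x'.repeat(600), 'y'.repeat(600)] },
  // Declares 5 bytes but streams 2000: a Content-Length check alone would pass it.
  'https://example.test/lies':   { status: 200, headers: { 'content-length': '5' }, chunks: ['z'.repeat(2000)] },
};

function fakeFetchOnce(url) {
  const res = ORIGIN[url];
  if (!res) throw new Error(`no route for ${url}`);
  return res;
}

// Buffer a chunked body, aborting as soon as the running total exceeds `size`.
// size === 0 means unlimited, matching node-fetch's option semantics.
function collectWithLimit(chunks, size, url) {
  const parts = [];
  let total = 0;
  for (const chunk of chunks) {
    const buf = Buffer.from(chunk);
    total += buf.length;
    if (size > 0 && total > size) {
      throw new SizeLimitError(url, size); // stop before buffering the remainder
    }
    parts.push(buf);
  }
  return Buffer.concat(parts);
}

// Follow redirects, then apply the size cap to the response actually landed on.
// `fetchOnce` is injected so the example runs offline against ORIGIN.
function fetchWithSizeLimit(url, { size = 0, follow = 20 } = {}, fetchOnce = fakeFetchOnce) {
  let current = url;
  for (let hops = 0; ; hops++) {
    const res = fetchOnce(current);
    if ([301, 302, 303, 307, 308].includes(res.status)) {
      if (hops >= follow) throw new Error(`maximum redirect reached at: ${url}`);
      current = new URL(res.headers.location, current).href;
      continue; // the checks below must run on the redirect target, not the first hop
    }
    // Cheap early reject on a declared length; never the only check (see /lies).
    const declared = res.headers['content-length'];
    if (size > 0 && declared !== undefined && Number(declared) > size) {
      throw new SizeLimitError(current, size);
    }
    return { url: current, status: res.status, body: collectWithLimit(res.chunks, size, current) };
  }
}
```

With `size: 1024`, `/small` returns `hello`, `/go-big` is rejected because the 1200-byte body behind the redirect is the one that gets counted, and `/lies` is rejected despite its small `Content-Length` because bytes are counted as they arrive. Leaving `size` at 0 disables the cap, which is the behaviour you get by default and the reason the advisory tells callers who rely on the cap to upgrade.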
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions yarn.lock
@@ -2413,9 +2413,9 @@ natural-compare@^1.4.0:
integrity sha1-Sr6/7tdUHywnrPspvbvRXI1bpPc=

node-fetch@^2.3.0:
version "2.6.0"
resolved "https://registry.yarnpkg.com/node-fetch/-/node-fetch-2.6.0.tgz#e633456386d4aa55863f676a7ab0daa8fdecb0fd"
integrity sha512-8dG4H5ujfvFiqDmVu9fQ5bOHUC15JMjMY/Zumv26oOvvVJjM67KF8koCWIabKQ1GJIa9r2mMZscBq/TbdOcmNA==
version "2.6.1"
resolved "https://registry.yarnpkg.com/node-fetch/-/node-fetch-2.6.1.tgz#045bd323631f76ed2e2b55573394416b639a0052"
integrity sha512-V4aYg89jEoVRxRb2fJdAg8FHvI7cEyYdVAh94HH0UIK8oJxUfkjlDQN9RbMx+bEjP7+ggMiFRprSti032Oipxw==

normalize-package-data@^2.3.2, normalize-package-data@^2.5.0:
version "2.5.0"
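Review bot: the lockfile entry moves to 2.6.1 with a new tarball URL and sha512, but the range key stays `node-fetch@^2.3.0`, so the floor enforced by package.json is still 2.3.0 and a resolve without this yarn.lock (or a `yarn upgrade` of an unrelated package that re-resolves the range) can land back on the vulnerable 2.6.0. Suggest raising the declared range to `^2.6.1` in package.json alongside this lockfile change so the fix holds without relying on the lock. Before merging, confirm the new `integrity` value matches what the registry publishes for 2.6.1 (for example `yarn info node-fetch@2.6.1 dist.integrity`) and that there is no second lockfile in the repository still pinning 2.6.0.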