Update dependency node-fetch to v3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
node-fetch	2.6.6 -> 3.2.10

GitHub Vulnerability Alerts

CVE-2022-0235

node-fetch forwards secure headers such as authorization, www-authenticate, cookie, & cookie2 when redirecting to a untrusted site.

CVE-2022-2596

node-fetch is a light-weight module that brings window.fetch to node.js.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the isOriginPotentiallyTrustworthy() function in referrer.js, when processing a URL string with alternating letters and periods, such as 'http://' + 'a.a.'.repeat(i) + 'a'.

---

Release Notes

node-fetch/node-fetch (node-fetch)

v3.2.10

Compare Source

Bug Fixes

• ReDoS referrer (#​1611) (2880238)

v3.2.9

Compare Source

Bug Fixes

• Headers: don't forward secure headers on protocol change (#​1599) (e87b093)

v3.2.8

Compare Source

Bug Fixes

• possibly flaky test (#​1523) (11b7033)

v3.2.7

Compare Source

Bug Fixes

• always warn Request.data (#​1550) (4f43c9e)

v3.2.6

Compare Source

Bug Fixes

• undefined reference to response.body when aborted (#​1578) (1c5ed6b)

v3.2.5

Compare Source

Bug Fixes

• use space in accept-encoding values (#​1572) (a92b5d5), closes #​1571

v3.2.4

Compare Source

Bug Fixes

• don't uppercase unknown methods (#​1542) (004b3ac)

v3.2.3

Compare Source

Bug Fixes

• handle bom in text and json (#​1482) (6425e20)

v3.2.2

Compare Source

Bug Fixes

• add missing formdata export to types (#​1518) (a4ea5f9), closes #​1517

v3.2.1

Compare Source

Bug Fixes

• cancel request example import (#​1513) (61b3b5a)

v3.2.0

Compare Source

Features

• export Blob, File and FormData + utilities (#​1463) (81b1378)

v3.1.1

Compare Source

Security patch release

Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred

What's Changed

• core: update fetch-blob by @​jimmywarting in #​1371
• docs: Fix typo around sending a file by @​jimmywarting in #​1381
• core: (http.request): Cast URL to string before sending it to NodeJS core by @​jimmywarting in #​1378
• core: handle errors from the request body stream by @​mdmitry01 in #​1392
• core: Better handle wrong redirect header in a response by @​tasinet in #​1387
• core: Don't use buffer to make a blob by @​jimmywarting in #​1402
• docs: update readme for TS @​types/node-fetch by @​adamellsworth in #​1405
• core: Fix logical operator priority to disallow GET/HEAD with non-empty body by @​maxshirshin in #​1369
• core: Don't use global buffer by @​jimmywarting in #​1422
• ci: fix main branch by @​dnalborczyk in #​1429
• core: use more node: protocol imports by @​dnalborczyk in #​1428
• core: Warn when using data by @​jimmywarting in #​1421
• docs: Create SECURITY.md by @​JamieSlome in #​1445
• core: don't forward secure headers to 3th party by @​jimmywarting in #​1449

New Contributors

• @​mdmitry01 made their first contribution in #​1392
• @​tasinet made their first contribution in #​1387
• @​adamellsworth made their first contribution in #​1405
• @​maxshirshin made their first contribution in #​1369
• @​JamieSlome made their first contribution in #​1445

Full Changelog: node-fetch/node-fetch@v3.1.0...v3.1.1

v3.1.0

Compare Source

What's Changed

• fix(Body): Discourage form-data and buffer() by @​jimmywarting in #​1212
• fix: Pass url string to http.request by @​serverwentdown in #​1268
• Fix octocat image link by @​lakuapik in #​1281
• fix(Body.body): Normalize Body.body into a node:stream by @​jimmywarting in #​924
• docs(Headers): Add default Host request header to README.md file by @​robertoaceves in #​1316
• Update CHANGELOG.md by @​jimmywarting in #​1292
• Add highWaterMark to cloned properties by @​davesidious in #​1162
• Update README.md to fix HTTPResponseError by @​thedanfernandez in #​1135
• docs: switch url to URL by @​dhritzkiv in #​1318
• fix(types): declare buffer() deprecated by @​dnalborczyk in #​1345
• chore: fix lint by @​dnalborczyk in #​1348
• refactor: use node: prefix for imports by @​dnalborczyk in #​1346
• Bump data-uri-to-buffer from 3.0.1 to 4.0.0 by @​dependabot in #​1319
• Bump mocha from 8.4.0 to 9.1.3 by @​dependabot in #​1339
• Referrer and Referrer Policy by @​tekwiz in #​1057
• Add typing for Response.redirect(url, status) by @​c-w in #​1169
• chore: Correct stuff in README.md by @​Jiralite in #​1361
• docs: Improve clarity of "Loading and configuring" by @​serverwentdown in #​1323
• feat(Body): Added support for BodyMixin.formData() and constructing bodies with FormData by @​jimmywarting in #​1314
• template: Make PR template more task oriented by @​jimmywarting in #​1224
• docs: Update code examples by @​jimmywarting in #​1365

New Contributors

• @​serverwentdown made their first contribution in #​1268
• @​lakuapik made their first contribution in #​1281
• @​robertoaceves made their first contribution in #​1316
• @​davesidious made their first contribution in #​1162
• @​thedanfernandez made their first contribution in #​1135
• @​dhritzkiv made their first contribution in #​1318
• @​dnalborczyk made their first contribution in #​1345
• @​dependabot made their first contribution in #​1319
• @​c-w made their first contribution in #​1169

Full Changelog: node-fetch/node-fetch@v3.0.0...v3.1.0

v3.0.0

Compare Source

version 3 is going out of a long beta period and switches to stable

One major change is that it's now a ESM only package
See changelog for more information about all the changes.

v2.7.0

Compare Source

Features

• AbortError (#​1744) (9b9d458)

v2.6.13

Compare Source

Bug Fixes

• Remove the default connection close header (#​1765) (65ae25a), closes #​1735 #​1473 #​1736

v2.6.12

Compare Source

Bug Fixes

• socket variable testing for undefined (#​1726) (8bc3a7c)

v2.6.11

Compare Source

Reverts

• Revert "fix: handle bom in text and json (#​1739)" (#​1741) (afb36f6), closes #​1739 #​1741

v2.6.10

Compare Source

Bug Fixes

• handle bom in text and json (#​1739) (29909d7)

v2.6.9

Compare Source

Bug Fixes

• "global is not defined" (#​1704) (70f592d)

v2.6.8

Compare Source

Bug Fixes

• headers: don't forward secure headers on protocol change (#​1605) (fddad0e), closes #​1599
• premature close with chunked transfer encoding and for async iterators in Node 12 (#​1172) (50536d1), closes #​1064 /github.com/node-fetch/node-fetch/pull/1064#issuecomment-849167400
• prevent hoisting of the undefined global variable in browser.js (#​1534) (8bb6e31)

v2.6.7

Compare Source

Security patch release

Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred

What's Changed

• fix: don't forward secure headers to 3th party by @​jimmywarting in #​1453

Full Changelog: node-fetch/node-fetch@v2.6.6...v2.6.7

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.