Sourced from The Sonatype OSS Index.

CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.

Affected versions: <3.7.0

Sourced from The GitHub Vulnerability Alert Database.

CVE-2017-16129
See https://nvd.nist.gov/vuln/detail/CVE-2017-16129.

Affected versions: <3.7.0

Sourced from superagent's releases.

v3.8.3

• Add flags for 201 & 422 responses (Nikhil Fadnis)
• Emit progress event while uploading Node Buffer via send method (Sergey Akhalkov)
• Fixed setting correct cookies for redirects (Damien Clark)
• Replace .catch with ['catch'] for IE9 Support (Miguel Stevens)

v3.8.2

• Fixed handling of exceptions thrown from callbacks
• Stricter matching of +json MIME types.

v3.8.1

• Clear authorization header on cross-domain redirect

v3.8.0

• Added support for "globally" defined headers and event handlers via superagent.agent(). It now remembers default settings for all its requests.
• Added optional callback to .retry() (Alexander Murphy)
• Unified auth args handling in node/browser (Edmundo Alvarez)
• Fixed error handling in zlib pipes (Kornel)
• Documented that 3xx status codes are errors (Mickey Reiss)

v3.7.0

• Limit maximum response size. Prevents zip bombs (Kornel)
• Catch and pass along errors in .ok() callback (Jeremy Ruppel)
• Fixed parsing of XHR headers without a newline (nsf)

v3.6.2

• Upgrade MIME type dependency to a newer, secure version
• Recognize PDF MIME as binary
• Fix for error in subsequent require() calls (Steven de Salas)

v3.6.0

• Support disabling TCP_NODELAY option (#1240) (xiamengyu)
• Send payload in query string for GET and HEAD shorthand API (Peter Lyons)
• Support passphrase with pfx certificate (Paul Westerdale (ABRS Limited))
• Documentation improvements (Peter Lyons)
• Fixed duplicated query string params (#1200) (Kornel)

Sourced from superagent's changelog.

3.8.3 (2018-04-29)

• Add flags for 201 & 422 responses (Nikhil Fadnis)
• Emit progress event while uploading Node Buffer via send method (Sergey Akhalkov)
• Fixed setting correct cookies for redirects (Damien Clark)
• Replace .catch with ['catch'] for IE9 Support (Miguel Stevens)

3.8.2 (2017-12-09)

• Fixed handling of exceptions thrown from callbacks
• Stricter matching of +json MIME types.

3.8.1 (2017-11-08)

• Clear authorization header on cross-domain redirect

3.8.0

• Added support for "globally" defined headers and event handlers via superagent.agent(). It now remembers default settings for all its requests.
• Added optional callback to .retry() (Alexander Murphy)
• Unified auth args handling in node/browser (Edmundo Alvarez)
• Fixed error handling in zlib pipes (Kornel)
• Documented that 3xx status codes are errors (Mickey Reiss)

3.7.0 (2017-10-17)

• Limit maximum response size. Prevents zip bombs (Kornel)
• Catch and pass along errors in .ok() callback (Jeremy Ruppel)
• Fixed parsing of XHR headers without a newline (nsf)

3.6.2 (2017-10-02)

• Upgrade MIME type dependency to a newer, secure version
• Recognize PDF MIME as binary
• Fix for error in subsequent require() calls (Steven de Salas)

3.6.0 (2017-08-20)

• Support disabling TCP_NODELAY option (#1240) (xiamengyu)
• Send payload in query string for GET and HEAD shorthand API (Peter Lyons)
• Support passphrase with pfx certificate (Paul Westerdale (ABRS Limited))
• Documentation improvements (Peter Lyons)
• Fixed duplicated query string params (#1200) (Kornel)

3.5.1 (2017-03-18)

• Allow crossDomain errors to be retried (#1194) (Michael Olson)
• Read responseType property from the correct object (Julien Dupouy)
• Check for ownProperty before adding header (Lucas Vieira)

... (truncated)

• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge
• @dependabot reopen will reopen this PR if it is closed
• @dependabot ignore this [patch|minor|major] version will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Automerge options (never/patch/minor, and dev/runtime dependencies)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.