chore(deps): update dependency node-fetch to v2.6.1 [security] #120

Merged
merged 1 commit into from
Sep 30, 2020


renovate[bot]

@renovate renovate bot commented Sep 28, 2020

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| node-fetch | dependencies | patch | 2.6.0 -> 2.6.1 |

GitHub Vulnerability Alerts

CVE-2020-15168

Impact

Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.

For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant. For example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Patches

We released patched versions for both stable and beta channels:

  • For v2: 2.6.1
  • For v3: 3.0.0-beta.9

Workarounds

None, it is strongly recommended to update as soon as possible.

For more information

If you have any questions or comments about this advisory:

  • Open an issue in node-fetch
  • Contact one of the core maintainers.

Release Notes

bitinn/node-fetch

v2.6.1

Compare Source

This is an important security release. It is strongly recommended to update as soon as possible.

See CHANGELOG for details.


Renovate configuration

📅 Schedule: "" (UTC).

🚦 Automerge: Enabled.

♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by WhiteSource Renovate. View repository job log here.
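
A caller-side size gate for the case the advisory above describes, where the data size is double-checked by the caller rather than left to the client's size option. This is an added example, not code from node-fetch or from this repository; `readBodyWithLimit`, `declaredTooLarge`, `BodyTooLargeError` and `constructedBody` are hypothetical names, and the sample body is constructed.

```javascript
// Added example (not node-fetch code): enforce the size cap in the caller so it
// holds no matter how many redirects the HTTP client followed.
class BodyTooLargeError extends Error {
  constructor(received, limit) {
    super(`body exceeded ${limit} bytes (saw at least ${received})`);
    this.name = 'BodyTooLargeError';
    this.received = received;
    this.limit = limit;
  }
}

// Cheap early reject on the declared length. The header can be absent
// (chunked encoding) or wrong, so this never replaces counting bytes.
function declaredTooLarge(contentLength, limit) {
  const n = Number.parseInt(contentLength, 10);
  return Number.isFinite(n) && n > limit;
}

// Count bytes as they arrive and stop as soon as the cap is crossed, so an
// oversized body is never fully buffered. `body` is any async iterable of
// Buffers; node-fetch v2 exposes the response as a Node.js Readable in res.body.
async function readBodyWithLimit(body, limit) {
  const chunks = [];
  let received = 0;
  for await (const chunk of body) {
    received += chunk.length;
    if (received > limit) {
      // Throwing out of the loop ends iteration, which closes the stream.
      throw new BodyTooLargeError(received, limit);
    }
    chunks.push(chunk);
  }
  return Buffer.concat(chunks, received);
}

// Constructed stand-in for a response body: yields chunks of the given sizes.
async function* constructedBody(chunkSizes) {
  for (const size of chunkSizes) yield Buffer.alloc(size, 0x41);
}

// Hypothetical call site (fetch, url and LIMIT are assumed):
//   const res = await fetch(url, { size: LIMIT });
//   if (declaredTooLarge(res.headers.get('content-length'), LIMIT)) { /* reject */ }
//   const data = await readBodyWithLimit(res.body, LIMIT);
```

Keeping the check in the caller means the limit still applies on a node-fetch version older than 2.6.1 or 3.0.0-beta.9.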

@ynnoj ynnoj merged commit db53d40 into next Sep 30, 2020
@ynnoj ynnoj deleted the renovate/npm-node-fetch-vulnerability branch September 30, 2020 12:13
@github-actions

🎉 This PR is included in version 2.0.0-next.8 🎉

The release is available on:

Your semantic-release bot 📦🚀

ynnoj pushed a commit that referenced this pull request Oct 21, 2020
* chore: Housekeeping, init workspaces/monorepo

* feat: Build Gatsby nodes (#76)

* feat: Begin to build Gatsby nodes from remote GraphCMS schema

* fix: Remove fixed products query

* fix: Use correct key for remoteType

* chore: Ensure we use local dependency

* chore: Bump gatsby-graphql-source-toolkit dependency

* fix: Use correct pagination arguments in query

* feat: Finish building Gatsby nodes from GraphCMS schema

* feat: Build files nodes for GraphCMS image assets (#77)

* chore: Add gatsby-source-filesystem dependency

* feat: Create remote file nodes for GraphCMS image assets

* feat: Add downloadLocalImages config option

Opt in to create local nodes for GraphCMS images

* refactor: Rename file field

* feat: Add custom query executor to pass in Authorization header (#78)

* chore: Add node-fetch dependency

* feat: Add custom query executor to pass in Authorization header

* refactor: Use dotenv

* feat: Delta sourcing (#79)

* chore: Add ENABLE_GATSBY_REFRESH_ENDPOINT flag for rebuilds

* feat: Add query for individual node fetching

* fix: Correct individual node query

* feat: Handle webhooks for node deletion

* feat: Handle webhooks for node creation

* fix: Use correct input type, variable for NODE_ query

* feat: Handle webhooks for node updates

* feat: Handle webhooks for node publish, unpublish

* feat: Check for plugin options during onPreBootstrap (#84)

* chore: Automate package publishing (#85)

* chore: Configure semantic-release

* chore: Add GitHub Action workflow for publishing

* fix: try/catch for errors during createRemoteFileNode process (#86)

* chore: Add, initialise prettier (#88)

* fix: don't error no token provided (#87)

* fix: don't error when no token provided

* chore: run prettier

* docs: Add README (#89)

* docs: Begin README

* docs: Add notes about working with localFile asset nodes

* Update gatsby-source-graphcms/README.md

Co-authored-by: Jamie Barton <jamie@notrab.dev>

* Update gatsby-source-graphcms/README.md

Co-authored-by: Jamie Barton <jamie@notrab.dev>

* docs: Rephrase

* chore: Update package.json meta

* docs: Punctuation

Co-authored-by: Jamie Barton <jamie@notrab.dev>

* chore: Add demo (#80)

* chore: Add gatsby-image dependencies

* feat: Query content, render data

* chore: Add, initialise tailwindcss

* feat: Grid for the index page

* feat: Build product pages

* feat: Use createResolvers to add formattedPrice field

* feat: Product grid design

* feat: Product page design

* chore: Empty publish commit

BREAKING CHANGE: Force publish

* docs: Update README to reflect npm dist tag

* chore(demo): Add templates directory to purge safelist

* docs: Add demo link to README

* docs: Add usage warning

* fix: Use correct root query fields (#96)

* fix: Build queries for node sourcing from GraphCMS project schema fields

* chore(deps): Remove pluralize

* refactor: Remove unnecessary query variable

* chore: Add renovate.json

* feat: Build markdown nodes from CMS RichText fields (#98)

* feat: Build markdown nodes for CMS markdown fields

Can be used with MDX

* feat: Add buildMarkdownNodes configuration option

Defaults to false

* style: Linting

* chore(demo): Add MDX dependencies

* chore(demo): Update demo to use MDX

* fix: Remove optional chaining

Eventually transpile with Babel

* docs: Update README to include markdownNode usage

* docs: Add link to demo source

For a full MDX example

* fix: Decode markdown field returned from GraphCMS (#99)

* chore(deps): Add he dependency

* fix: Decode markdown fields from GraphCMS

HTML characters are escaped in JSON response, can't render components from CMS

* docs: fix buildMarkdownNodes typo (#101)

* fix: Ensure unique node ID is used when building MarkdownNodes (#103)

There could be multiple RichText fields per type, so use the field key with createNodeId()

* docs: Add link to gatsby-starter-graphcms-blog

* feat: Save generated query fragments (#108)

* feat: Write query fragments to local directory to be extended/customised

* feat: Make fragments directory configurable

* chore(demo): Add saved query fragments

* refactor: remoteIdFields no more (#104)

* chore(deps): Bump gatsby-graphql-source-toolkit

* refactor: remoteIdFields no more

Generate fragments

* fix: Ensure MarkdownNode type always created

* chore(deps): Bump gatsby-graphql-source-toolkit

* chore(demo): Add static project endpoint (#111)

Easier to run demo when cloning repo

* fix: Ensure system fields are added generated fragments for localised types (#119)

* fix: Ensure system fields are added generated fragments for localised types

Supply default argument values for `createdAt`, `publishedAt`, `updatedAt`

* chore(demo): Update generated demo query fragments

* chore(deps): update dependency tailwindcss to v1.8.10 (#113)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update dependency node-fetch to v2.6.1 [security] (#120)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update dependency prettier to v2.1.2 (#112)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* chore(deps): update gatsby monorepo (#114)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* feat: Add localisation support (#117)

* feat: Update queries, fragment, variables to account for locales

* feat: Conditionally add locale field, arguments to query

Only for types where localisation is present

* chore: Update generated schema fragments

* feat: Build localised pages for demo

* feat: Validate locales config value

* docs: Update README to include localisation usage

* chore(deps): update mdx monorepo to v1.6.18 (#122)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* fix: Check if type has locale field (#125)

As opposed to locales argument, which is now available on all types regardless of if localisation is present

* feat: All configuration for multiple instances (#126)

* feat: Add `typePrefix` configuration option

Prevent conflicts for multiple instances

* docs: Add docs for `typePrefix`

* docs: Add docs note for `fragmentsPath`

* docs: Update README

* chore(deps): update dependency gatsby-graphql-source-toolkit to v0.6.3 (#121)

Co-authored-by: Renovate Bot <bot@renovateapp.com>

* fix: Force publish for dependency updates

* fix: Ensure we use typePrefix when generating nodes, types (#128)

* docs: Document query fragment usage (#130)

* docs: Table for configuration options

* docs: Add features list

* docs: Document query fragment usage

* docs: Formatting

* docs: Rephrasing

* style(lint): prettier --write

* docs: Formatting

* docs: Remove beta warning, updating installation command

Prepare for hitting master

Co-authored-by: Jamie Barton <jamie@notrab.dev>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Renovate Bot <bot@renovateapp.com>