chore: updated node-fetch version to 2.6.7 #124

Merged
merged 2 commits into from Jan 20, 2022

Conversation

dlafreniere
Contributor

Fixes CVE-2022-0235

Fixes #123

node-fetch 2.6.7 release notes

@MirzetKameric

Nice one!

@@ -31,7 +31,7 @@ jobs:
strategy:
fail-fast: false
matrix:
node-version: [10.x, 12.x, 14.x, 15.x]
node-version: [10.x, 12.x, 14.x, 16.x]
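Review bot: The `node-version` line swaps 15.x for 16.x in the CI matrix, which the PR title (a node-fetch version bump) does not cover. Consider moving the matrix change into its own commit, or state in the PR description why 15.x was dropped, so the dependency fix can be backported or reverted without also touching CI. A short comment next to `node-version` saying which release lines the matrix is meant to track would also help, since the list now goes from 14.x straight to 16.x.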
Contributor Author

The build with 15.x was failing for a seemingly unrelated reason.

According to the matrix, 15 is no longer supported, so I wanted to try to see if it will work with 16.x

Owner

makes sense to me!

@lquixada lquixada merged commit a3b3a94 into lquixada:main Jan 20, 2022
@lquixada
Owner

thanks @dlafreniere!

@dlafreniere dlafreniere deleted the fix/CVE-2022-0235 branch January 20, 2022 22:46
@dlafreniere
Contributor Author

@lquixada can we trigger a patch release please?

@lquixada
Owner

@dlafreniere It's published already! Not sure why it's not reflecting on the npmjs.com page though.

@wbt

wbt commented Feb 4, 2022

Any chance of getting a patch like this on the 2.x branch for all the projects still pinned to that leading to indirect vulnerabilities?
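
The concern raised in the comment above, older node-fetch copies pulled in indirectly, can be checked from a project's lockfile. This is an added example, not code from cross-fetch or from this PR; `findOldNodeFetch`, `sampleLock` and the package `legacy-lib` are hypothetical, and the only threshold used is the 2.6.7 version this PR names.

```javascript
// Added example: flag node-fetch copies older than 2.6.7 in an npm lockfile.
// Numeric comparison only; this page names 2.6.7 and says nothing about
// other major release lines, so they are not treated specially here.
const FIXED = [2, 6, 7]; // version this PR bumps node-fetch to

// Parse "x.y.z" (ignoring any pre-release/build suffix) into three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly before version b.
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// lock: parsed package-lock.json with a "packages" map (lockfileVersion 2 or 3).
// Returns one finding per installed node-fetch copy below FIXED.
function findOldNodeFetch(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const parts = path.split('node_modules/');
    if (parts[parts.length - 1] !== 'node-fetch') continue;
    const ver = parseVersion(entry.version);
    if (!ver || !isOlder(ver, FIXED)) continue;
    // Packages this copy is nested under, outermost first.
    const via = parts.slice(1, -1).map((p) => p.replace(/\/$/, ''));
    findings.push({ path, version: entry.version, via });
  }
  return findings;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/cross-fetch': { version: '3.1.5' },
    'node_modules/node-fetch': { version: '2.6.7' },
    'node_modules/legacy-lib': { version: '0.4.0' },
    'node_modules/legacy-lib/node_modules/cross-fetch': { version: '2.0.0' },
    'node_modules/legacy-lib/node_modules/node-fetch': { version: '2.6.1' },
  },
};

console.log(findOldNodeFetch(sampleLock));
```

The `via` field shows which dependency keeps the old copy installed, which is the package that needs the backport or an override.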

wbt added a commit to wbt/cross-fetch that referenced this pull request Apr 6, 2022
Backporting lquixada#124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. MetaMask/web3-provider-engine#404
lquixada pushed a commit that referenced this pull request Apr 10, 2022
Backporting #124 to the 2.x branch for dependencies stuck on that which can't get a PR for moving on reviewed, e.g. MetaMask/web3-provider-engine#404
vanbasten17 pushed a commit to hubtype/botonic that referenced this pull request Jul 5, 2023
<p>This PR was automatically created by Snyk using the credentials of a
real user.</p><br /><h3>Snyk has created this PR to upgrade cross-fetch
from 3.1.4 to 3.1.6.</h3>

:information_source: Keep your dependencies up-to-date. This makes it
easier to fix existing vulnerabilities and to more quickly identify and
fix newly disclosed vulnerabilities when they affect your project.
<hr/>

- The recommended version is **2 versions** ahead of your current
version.
- The recommended version was released **a month ago**, on 2023-05-14.


<details>
<summary><b>Release notes</b></summary>
<br/>
  <details>
    <summary>Package name: <b>cross-fetch</b></summary>
    <ul>
      <li>
<b>3.1.6</b> - <a
href="https://snyk.io/redirect/github/lquixada/cross-fetch/releases/tag/v3.1.6">2023-05-14</a></br><h2>What's
Changed</h2>
<ul>
<li>Updated node-fetch version to 2.6.11</li>
<li>Added caret range to node-fetch version for automatic feature and
fix updates.</li>
</ul>
<p><strong>Full Changelog</strong>: <a class="commit-link"
href="https://snyk.io/redirect/github/lquixada/cross-fetch/compare/v3.1.5...v3.1.6"><tt>v3.1.5...v3.1.6</tt></a></p>
      </li>
      <li>
<b>3.1.5</b> - <a
href="https://snyk.io/redirect/github/lquixada/cross-fetch/releases/tag/v3.1.5">2022-01-20</a></br><h2>What's
Changed</h2>
<ul>
<li>chore: updated node-fetch version to 2.6.7 by <a class="user-mention
notranslate" data-hovercard-type="user"
data-hovercard-url="/users/dlafreniere/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://snyk.io/redirect/github/dlafreniere">@ dlafreniere</a> in
<a class="issue-link js-issue-link" data-error-text="Failed to load
title" data-id="1107437836" data-permission-text="Title is private"
data-url="lquixada/cross-fetch#124"
data-hovercard-type="pull_request"
data-hovercard-url="/lquixada/cross-fetch/pull/124/hovercard"
href="https://snyk.io/redirect/github/lquixada/cross-fetch/pull/124">#124</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a class="user-mention notranslate" data-hovercard-type="user"
data-hovercard-url="/users/dlafreniere/hovercard"
data-octo-click="hovercard-link-click"
data-octo-dimensions="link_type:self"
href="https://snyk.io/redirect/github/dlafreniere">@ dlafreniere</a>
made their first contribution in <a class="issue-link js-issue-link"
data-error-text="Failed to load title" data-id="1107437836"
data-permission-text="Title is private"
data-url="lquixada/cross-fetch#124"
data-hovercard-type="pull_request"
data-hovercard-url="/lquixada/cross-fetch/pull/124/hovercard"
href="https://snyk.io/redirect/github/lquixada/cross-fetch/pull/124">#124</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a class="commit-link"
href="https://snyk.io/redirect/github/lquixada/cross-fetch/compare/v3.1.4...v3.1.5"><tt>v3.1.4...v3.1.5</tt></a></p>
      </li>
      <li>
        <b>3.1.4</b> - 2021-04-02
      </li>
    </ul>
from <a
href="https://snyk.io/redirect/github/lquixada/cross-fetch/releases">cross-fetch
GitHub release notes</a>
  </details>
</details>


<hr/>

**Note:** *You are seeing this because you or someone else with access
to this repository has authorized Snyk to open upgrade PRs.*

For more information:

🧐 [View latest project report](https://app.snyk.io/org/manuelfidalgo/project/6a7f3eb3-67c7-4731-b085-ac1ee0028d81?utm_source=github&utm_medium=referral&page=upgrade-pr)

🛠 [Adjust upgrade PR settings](https://app.snyk.io/org/manuelfidalgo/project/6a7f3eb3-67c7-4731-b085-ac1ee0028d81/settings/integration?utm_source=github&utm_medium=referral&page=upgrade-pr)

🔕 [Ignore this dependency or unsubscribe from future upgrade PRs](https://app.snyk.io/org/manuelfidalgo/project/6a7f3eb3-67c7-4731-b085-ac1ee0028d81/settings/integration?pkg=cross-fetch&utm_source=github&utm_medium=referral&page=upgrade-pr#auto-dep-upgrades)


Co-authored-by: snyk-bot <snyk-bot@snyk.io>
Successfully merging this pull request may close these issues.

Allow patch releases for node-fetch