🚨 [security] [js] Update node-fetch: 3.0.0 → 3.2.0 (minor)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ node-fetch (3.0.0 → 3.2.0) · Repo · Changelog

Security Advisories 🚨

🚨 node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor

Release Notes

3.2.0

3.2.0 (2022-01-20)

Features

• export Blob, File and FormData + utilities (#1463) (81b1378)

3.1.1

Security patch release

Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred

What's Changed

• core: update fetch-blob by @jimmywarting in #1371
• docs: Fix typo around sending a file by @jimmywarting in #1381
• core: (http.request): Cast URL to string before sending it to NodeJS core by @jimmywarting in #1378
• core: handle errors from the request body stream by @mdmitry01 in #1392
• core: Better handle wrong redirect header in a response by @tasinet in #1387
• core: Don't use buffer to make a blob by @jimmywarting in #1402
• docs: update readme for TS @types/node-fetch by @adamellsworth in #1405
• core: Fix logical operator priority to disallow GET/HEAD with non-empty body by @maxshirshin in #1369
• core: Don't use global buffer by @jimmywarting in #1422
• ci: fix main branch by @dnalborczyk in #1429
• core: use more node: protocol imports by @dnalborczyk in #1428
• core: Warn when using data by @jimmywarting in #1421
• docs: Create SECURITY.md by @JamieSlome in #1445
• core: don't forward secure headers to 3th party by @jimmywarting in #1449

New Contributors

• @mdmitry01 made their first contribution in #1392
• @tasinet made their first contribution in #1387
• @adamellsworth made their first contribution in #1405
• @maxshirshin made their first contribution in #1369
• @JamieSlome made their first contribution in #1445

Full Changelog: v3.1.0...v3.1.1

3.1.0

What's Changed

• fix(Body): Discourage form-data and buffer() by @jimmywarting in #1212
• fix: Pass url string to http.request by @serverwentdown in #1268
• Fix octocat image link by @lakuapik in #1281
• fix(Body.body): Normalize Body.body into a node:stream by @jimmywarting in #924
• docs(Headers): Add default Host request header to README.md file by @robertoaceves in #1316
• Update CHANGELOG.md by @jimmywarting in #1292
• Add highWaterMark to cloned properties by @davesidious in #1162
• Update README.md to fix HTTPResponseError by @thedanfernandez in #1135
• docs: switch url to URL by @dhritzkiv in #1318
• fix(types): declare buffer() deprecated by @dnalborczyk in #1345
• chore: fix lint by @dnalborczyk in #1348
• refactor: use node: prefix for imports by @dnalborczyk in #1346
• Bump data-uri-to-buffer from 3.0.1 to 4.0.0 by @dependabot in #1319
• Bump mocha from 8.4.0 to 9.1.3 by @dependabot in #1339
• Referrer and Referrer Policy by @tekwiz in #1057
• Add typing for Response.redirect(url, status) by @c-w in #1169
• chore: Correct stuff in README.md by @Jiralite in #1361
• docs: Improve clarity of "Loading and configuring" by @serverwentdown in #1323
• feat(Body): Added support for BodyMixin.formData() and constructing bodies with FormData by @jimmywarting in #1314
• template: Make PR template more task oriented by @jimmywarting in #1224
• docs: Update code examples by @jimmywarting in #1365

New Contributors

• @serverwentdown made their first contribution in #1268
• @lakuapik made their first contribution in #1281
• @robertoaceves made their first contribution in #1316
• @davesidious made their first contribution in #1162
• @thedanfernandez made their first contribution in #1135
• @dhritzkiv made their first contribution in #1318
• @dnalborczyk made their first contribution in #1345
• @dependabot made their first contribution in #1319
• @c-w made their first contribution in #1169

Full Changelog: v3.0.0...v3.1.0

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 44 commits:

• feat: export Blob, File and FormData + utilities (#1463)
• ci: semantic-release (#1270)
• test: Modernize and convert some test in `main.js` to async/await (#1456)
• test: Update major busboy version (#1457)
• Handle zero-length OK deflate responses (master) (#965)
• Simplify check in isDomainOrSubdomain (#1455)
• 3.1.1 release (#1451)
• Don't change relative location header on manual redirect (#1105)
• fix(Headers): don't forward secure headers to 3th party (#1449)
• Create SECURITY.md (#1445)
• core: Warn when using data (#1421)
• fix: use more node: protocol imports (#1428)
• ci: fix main branch (#1429)
• core: Don't use global buffer (#1422)
• Chore: Fix logical operator priority (regression) to disallow GET/HEAD with non-empty body (#1369)
• update readme for TS @type/node-fetch (#1405)
• core: Don't use buffer to make a blob (#1402)
• fix(Redirect): Better handle wrong redirect header in a response (#1387)
• fix: handle errors from the request body stream (#1392)
• fix(http.request): Cast URL to string before sending it to NodeJS core (#1378)
• docs: Fix typo around sending a file (#1381)
• update fetch-blob (#1371)
• release minor change (3.1.0) (#1364)
• docs: Update code examples (#1365)
• template: Make PR template more task oriented (#1224)
• feat(Body): Added support for `BodyMixin.formData()` and constructing bodies with FormData (#1314)
• docs: Improve clarity of "Loading and configuring" (#1323)
• chore: Correct stuff in README.md (#1361)
• Add typing for Response.redirect(url, status) (#1169)
• Add support for Referrer and Referrer Policy (#1057)
• Bump mocha from 8.4.0 to 9.1.3 (#1339)
• Bump data-uri-to-buffer from 3.0.1 to 4.0.0 (#1319)
• refactor: use node: prefix for imports (#1346)
• chore: fix lint (#1348)
• fix(types): declare buffer() deprecated (#1345)
• docs: switch url to URL
• Update README.md to fix HTTPResponseError (#1135)
• Update response.js (#1162)
• Update CHANGELOG.md (#1292)
• Add default Host request header to README.md file (#1316)
• fix(Body.body): Normalize `Body.body` into a `node:stream` (#924)
• Fix octocat image link (#1281)
• fix: Pass url string to http.request (#1268)
• fix(Body): Discurage form-data and buffer() (#1212)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[depfu]

Closed in favor of #61.