[Snyk-dev] Upgrade node-fetch from 2.2.0 to 2.6.7

[snyk-bot]

Snyk has created this PR to upgrade node-fetch from 2.2.0 to 2.6.7.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 13 versions ahead of your current version.
• The recommended version was released 6 months ago, on 2022-01-16.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Denial of Service SNYK-JS-NODEFETCH-674311	520/1000 Why? Has a fix available, CVSS 5.9	No Known Exploit
	Information Exposure SNYK-JS-NODEFETCH-2342118	520/1000 Why? Has a fix available, CVSS 5.9	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: node-fetch

• 2.6.7 - 2022-01-16
  

  Security patch release

  Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred

  What's Changed

  • fix: don't forward secure headers to 3th party by @ jimmywarting in #1453

  Full Changelog: v2.6.6...v2.6.7

• 2.6.6 - 2021-10-31
  

  What's Changed

  • fix(URL): prefer built in URL version when available and fallback to whatwg by @ jimmywarting in #1352

  Full Changelog: v2.6.5...v2.6.6

• 2.6.5 - 2021-09-22
  

  • fix: import whatwg-url in a way compatible with ESM Node

  • release: 2.6.5

• 2.6.4 - 2021-09-21
• 2.6.3 - 2021-09-20
  
  • fix: properly encode url with unicode characters
  • release: 2.6.3
• 2.6.2 - 2021-09-06
  

  fixed main path in package.json

• 2.6.1 - 2020-09-05
• 2.6.0 - 2019-05-16
• 2.5.0 - 2019-05-01
• 2.4.1 - 2019-04-27
• 2.4.0 - 2019-04-26
• 2.3.0 - 2018-11-13
• 2.2.1 - 2018-11-05
• 2.2.0 - 2018-07-22

from node-fetch GitHub release notes

Commit messages

Package name: node-fetch

• 1ef4b56 backport of #1449 (#1453)
• 8fe5c4e 2.x: Specify encoding as an optional peer dependency in package.json (#1310)
• f56b0c6 fix(URL): prefer built in URL version when available and fallback to whatwg (#1352)
• b5417ae fix: import whatwg-url in a way compatible with ESM Node (#1303)
• 18193c5 fix v2.6.3 that did not sending query params (#1301)
• ace7536 fix: properly encode url with unicode characters (#1291)
• 152214c Fix(package.json): Corrected main file path in package.json (#1274)
• b5e2e41 update version number
• 2358a6c Honor the `size` option after following a redirect and revert data uri support
• 8c197f8 docs: Fix typos and grammatical errors in README.md (#686)
• 1e99050 fix: Change error message thrown with redirect mode set to error (#653)
• 244e6f6 docs: Show backers in README
• 6a5d192 fix: Properly parse meta tag when parameters are reversed (#682)
• 47a24a0 chore: Add opencollective badge
• 7b13662 chore: Add funding link
• 5535c2e fix: Check for global.fetch before binding it (#674)
• 1d5778a docs: Add Discord badge
• eb3a572 feat: Data URI support (#659)
• 086be6f Remove --save option as it isn't required anymore (#581)
• 95286f5 v2.6.0 (#638)
• bf8b4e8 Allow agent option to be a function (#632)
• 0c2294e 2.5.0 release (#630)
• 0fc414c Allow third party blob implementation (#629)
• d8f5ba0 build: disable generation of package-lock since it is not used (#623)

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs