[Security] Bump superagent from 0.17.0 to 5.1.2

[dependabot-preview]

Bumps superagent from 0.17.0 to 5.1.2. This update includes security fixes.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Low severity vulnerability that affects superagent
The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to.

Affected versions: < 3.7.0

Sourced from The GitHub Security Advisory Database.

Low severity vulnerability that affects superagent
The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to.

Affected versions: <3.7.0

Release notes

Sourced from superagent's releases.

v5.1.2

• fix: fixed linting, fixed deprecation warning in tests 7d70a75
• Use res.getHeaders() to avoid deprecation warning (#1503) 8dc8b91

forwardemail/superagent@v5.1.1...v5.1.2

v5.1.0

• Disable setting default user-agent (#1495) e652b8c

forwardemail/superagent@v5.0.9...v5.1.0

v5.0.9

• feat: added fast-safe-stringify instead of JSON.stringify (closes #1464) 2e5d6fd

forwardemail/superagent@v5.0.8...v5.0.9

v5.0.8

• fix: removed @babel/transform-runtime (closes #1494) 28e7101

forwardemail/superagent@v5.0.7...v5.0.8

v5.0.7

• fix: switch browserify to use babelify as global transform, bump deps a44cca8
• docs: fixed arrow function for example 0a822ab

forwardemail/superagent@v5.0.6...v5.0.7

v5.0.6

• feat: bump deps, fixed lint issues a3f75ed
• fix: omit queries that are set to undefined (#1486) 7942c2d

forwardemail/superagent@v5.0.5...v5.0.6

v5.0.5

• fix: remove redundant defs, bump deps fcf6cff

forwardemail/superagent@v5.0.4...v5.0.5

v5.0.4

• Invalid redirect in pipe (#1471) 7d0ea4b
• docs: fixed missing polyfill 251a1cb
• fix: amilajack/eslint-plugin-compat#224 2d81605

forwardemail/superagent@v5.0.3...v5.0.4

v5.0.3

• fix: add browser compiled version to lib folder (#1470) 14acecd
• Revert "Avoiding to set the "Content-Length" header for GET requests (#1460)" (#1477) fe8d902
• Avoiding to set the "Content-Length" header for GET requests (#1460) 804c35c

... (truncated)

Changelog

Sourced from superagent's changelog.

This HISTORY log is deprecated

Please see GitHub releases page for the current changelog.

4.1.0 (2018-12-26)

• .connect() IP/DNS override option (Kornel)
• .trustLocalhost() option for allowing broken HTTPS on localhost
• .abort() used with promises rejects the promise.

4.0.0 (2018-11-17)

Breaking changes

• Node.js v4 has reached it's end of life, so we no longer support it. It's v6+ or later. We recommend Node.js 10.
• We now use ES6 in the browser code, too.
  • If you're using Browserify or Webpack to package code for Internet Explorer, you will also have to use Babel.
  • The pre-built node_modules/superagent.js is still ES5-compatible.
• .end(…) returns undefined instead of the request. If you need the request object after calling .end() (and you probably don't), save it in a variable and call request.end(…). Consider not using .end() at all, and migrating to promises by calling .then() instead.
• In Node, responses with unknown MIME type are buffered by default. To get old behavior, if you use custom unbuffered parsers, add .buffer(false) to requests or set superagent.buffer[yourMimeType] = false.
• Invalid uses of .pipe() throw.

Minor changes

• Throw if req.abort().end() is called
• Throw if using unsupported mix of send and field
• Reject .end() promise on all error events (Kornel Lesiński)
• Set https.servername from the Host header (Kornel Lesiński)
• Leave backticks unencoded in query strings where possible (Ethan Resnick)
• Update node-mime to 2.x (Alexey Kucherenko)
• Allow default buffer settings based on response-type (shrey)
• response.buffered is more accurate.

3.8.3 (2018-04-29)

• Add flags for 201 & 422 responses (Nikhil Fadnis)
• Emit progress event while uploading Node Buffer via send method (Sergey Akhalkov)
• Fixed setting correct cookies for redirects (Damien Clark)
• Replace .catch with ['catch'] for IE9 Support (Miguel Stevens)

3.8.2 (2017-12-09)

• Fixed handling of exceptions thrown from callbacks
• Stricter matching of +json MIME types.

3.8.1 (2017-11-08)

• Clear authorization header on cross-domain redirect

... (truncated)

Commits

• 477f3c5 v5.1.2
• 7d70a75 fix: fixed linting, fixed deprecation warning in tests
• 8dc8b91 Use res.getHeaders() to avoid deprecation warning (#1503)
• 158d759 5.1.1
• 73f64b0 fix: fixed lint issues
• fbfd7f7 Feature disable tls certs (#1511)
• bba9372 Add plugin for measuring http timings in node (#1525)
• 95acfc7 Delete yarn.lock
• db35cdc Fix issue #1506 regarding documentation for default tries (#1509)
• 67a5eee Add Node 12 to test matrix in TravisCI (#1504)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by niftylettuce, a new releaser for superagent since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language
• @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot dashboard:

• Update frequency (including time of day and day of week)
• Pull request limits (per update run and/or open at any time)
• Out-of-range updates (receive only lockfile updates, if desired)
• Security updates (receive only security updates, if desired)

[dependabot-preview]

Superseded by #10.