
fix(deps): update dependency cross-fetch to v3.1.5 [security] #191

Merged
merged 4 commits into from
Feb 29, 2024

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Dec 6, 2023

Mend Renovate

This PR contains the following updates:

Package: cross-fetch
Change: 3.1.4 -> 3.1.5

GitHub Vulnerability Alerts

CVE-2022-1365

When fetching a remote URL with a Cookie, if it gets a Location response header then it will follow that URL and try to fetch it with the provided cookie. So the cookie is leaked here to a third party.
Ex: you try to fetch example.com with a cookie and if it gets a redirect URL to attacker.com then it fetches that redirect URL with the provided cookie.


Incorrect Authorization in cross-fetch

CVE-2022-1365 / GHSA-7gc6-qh9x-w6h8

More information


Severity

  • CVSS Score: 6.1 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

lquixada/cross-fetch (cross-fetch)

v3.1.5


What's Changed

New Contributors

Full Changelog: lquixada/cross-fetch@v3.1.4...v3.1.5


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
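The advisory above describes cross-fetch forwarding the Cookie header to whatever host a Location header names. The following is an added illustration of the defensive redirect policy that closes that gap; it is not code from cross-fetch or from this repository. It assumes a plain header object and resolves relative Location values against the original URL the way a client would; the hostnames come from the advisory's own example.

```javascript
// Added example, not cross-fetch's own code: a redirect policy that drops
// credential-bearing headers when the Location target is a different origin
// from the URL originally fetched. Only the WHATWG URL class (built into Node.js)
// is used.

// Headers that carry credentials for the origin they were sent to.
const SENSITIVE_HEADERS = ['cookie', 'cookie2', 'authorization', 'www-authenticate'];

// Two URLs share an origin when scheme and host:port match.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Given the URL that was originally fetched, the Location header value and the
// request headers, return the resolved target and the headers that may be sent
// to it. With keepCredentialsCrossOrigin=true the function reproduces the
// vulnerable behaviour described in CVE-2022-1365 (headers forwarded unchanged).
function headersForRedirect(originalUrl, location, headers, keepCredentialsCrossOrigin = false) {
  const target = new URL(location, originalUrl).toString();
  const crossOrigin = !sameOrigin(originalUrl, target);
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (crossOrigin && !keepCredentialsCrossOrigin && SENSITIVE_HEADERS.includes(lower)) {
      continue; // credential header is not sent to a third-party origin
    }
    forwarded[lower] = value;
  }
  return { target, headers: forwarded, crossOrigin };
}

// Constructed scenario from the advisory: example.com answers with a redirect to attacker.com.
const constructedHeaders = { Cookie: 'session=abc123', Accept: 'application/json' };
const fixed = headersForRedirect('https://example.com/login', 'https://attacker.com/landing', constructedHeaders);
const vulnerable = headersForRedirect('https://example.com/login', 'https://attacker.com/landing', constructedHeaders, true);
console.log('fixed forwards cookie:', 'cookie' in fixed.headers);           // false
console.log('vulnerable forwards cookie:', 'cookie' in vulnerable.headers); // true
```

A same-origin redirect (for example a relative Location such as /home) keeps the cookie, which is the behaviour a browser's fetch also exhibits.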


changeset-bot bot commented Dec 6, 2023

⚠️ No Changeset found

Latest commit: e1a2bec

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



@renovate renovate bot force-pushed the renovate/npm-cross-fetch-vulnerability branch from 0448df8 to 07aa57d Compare December 7, 2023 17:44
@renovate renovate bot force-pushed the renovate/npm-cross-fetch-vulnerability branch from 07aa57d to 3eac81c Compare December 18, 2023 16:27
@renovate renovate bot requested a review from a team as a code owner December 18, 2023 16:27
@renovate renovate bot force-pushed the renovate/npm-cross-fetch-vulnerability branch 2 times, most recently from 3b6c16a to d1b09ab Compare December 20, 2023 15:49
@renovate renovate bot changed the title Update dependency cross-fetch to v3.1.5 [SECURITY] fix(deps): update dependency cross-fetch to v3.1.5 [security] Jan 5, 2024
@renovate renovate bot force-pushed the renovate/npm-cross-fetch-vulnerability branch 4 times, most recently from 9080e29 to 1e1043c Compare January 12, 2024 10:33
@renovate renovate bot force-pushed the renovate/npm-cross-fetch-vulnerability branch from 1e1043c to 7ba3509 Compare January 26, 2024 15:08
@renovate renovate bot force-pushed the renovate/npm-cross-fetch-vulnerability branch 3 times, most recently from 862b1e8 to fe5b1c6 Compare February 9, 2024 15:42
@renovate renovate bot force-pushed the renovate/npm-cross-fetch-vulnerability branch 2 times, most recently from 1b3af04 to a3830ad Compare February 13, 2024 21:48
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/npm-cross-fetch-vulnerability branch from a3830ad to bc1dbb6 Compare February 28, 2024 19:06
Contributor Author

renovate bot commented Feb 28, 2024

⚠ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
Type Error: URL.canParse is not a function
    at parseSpec (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:23627:21)
    at loadSpec (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:23704:11)
    at async findProjectSpec (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:23649:20)
    at async executePackageManagerRequest (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:24223:18)
    at async BinaryCommand.validateAndExecute (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:21173:22)
    at async _Cli.run (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:22148:18)
    at async Object.runMain (/opt/containerbase/tools/corepack/0.25.2/node_modules/corepack/dist/lib/corepack.cjs:24279:12)

Contributor Author

renovate bot commented Feb 29, 2024

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

Warning: custom changes will be lost.


socket-security bot commented Feb 29, 2024

No dependency changes detected. Learn more about Socket for GitHub ↗︎

👍 No dependency changes detected in pull request

@soloseng soloseng merged commit c522f45 into main Feb 29, 2024
18 checks passed
@soloseng soloseng deleted the renovate/npm-cross-fetch-vulnerability branch February 29, 2024 19:05