Conversation
Bumps [node-fetch](https://github.com/node-fetch/node-fetch) from 2.6.1 to 2.6.7. - [Release notes](https://github.com/node-fetch/node-fetch/releases) - [Commits](node-fetch/node-fetch@v2.6.1...v2.6.7) --- updated-dependencies: - dependency-name: node-fetch dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/node-fetch-2.6.7
branch
from
bf389de to
d9810f9
Compare
foxpatch-aleph
left a comment
foxpatch-aleph
left a comment
There was a problem hiding this comment.
This is a Dependabot security patch bumping node-fetch from 2.6.1 to 2.6.7. The primary fix addresses a security vulnerability where sensitive cookie and authorization headers were being forwarded to third-party hosts during redirects. The lock file changes are consistent with this upgrade: @solana/web3.js was independently updated from 0.90.5 to 1.33.0 (which itself switched from node-fetch to cross-fetch, pulling in node-fetch 2.6.7), several transitive dependencies were updated or reclassified as devDependencies, and removed packages (npm-run-all, esdoc-inject-style-plugin, cheerio, mz, etc.) are legitimate cleanup from the @solana/web3.js major version upgrade. The security fix is important and the diff is mechanically generated by Dependabot with no logic changes to application code.
package-lock.json (line None): The @solana/web3.js dependency jumped from 0.90.5 to 1.33.0, which is a major version bump with breaking changes. While this appears to be a side effect of resolving the node-fetch dependency tree, it's worth verifying that the aleph-js code using @solana/web3.js still works correctly against the 1.x API, since the 0.x → 1.x transition involved significant API changes (e.g., Transaction, PublicKey, Connection APIs changed). This should be tested before merging.
1 participant
Bumps node-fetch from 2.6.1 to 2.6.7.
Release notes
Sourced from node-fetch's releases.
Commits
1ef4b56backport of #1449 (#1453)8fe5c4e2.x: Specify encoding as an optional peer dependency in package.json (#1310)f56b0c6fix(URL): prefer built in URL version when available and fallback to whatwg (...b5417aefix: import whatwg-url in a way compatible with ESM Node (#1303)18193c5fix v2.6.3 that did not sending query params (#1301)ace7536fix: properly encode url with unicode characters (#1291)152214cFix(package.json): Corrected main file path in package.json (#1274)Maintainer changes
This version was pushed to npm by endless, a new releaser for node-fetch since your current version.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)@dependabot use these labelswill set the current labels as the default for future PRs for this repo and language@dependabot use these reviewerswill set the current reviewers as the default for future PRs for this repo and language@dependabot use these assigneeswill set the current assignees as the default for future PRs for this repo and language@dependabot use this milestonewill set the current milestone as the default for future PRs for this repo and languageYou can disable automated security fix PRs for this repo from the Security Alerts page.