chore(deps): update dependency node-fetch to v3.2.10 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
node-fetch	3.2.0 -> 3.2.10

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

GitHub Vulnerability Alerts

CVE-2022-0235

node-fetch forwards secure headers such as authorization, www-authenticate, cookie, & cookie2 when redirecting to a untrusted site.

CVE-2022-2596

node-fetch is a light-weight module that brings window.fetch to node.js.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) in the isOriginPotentiallyTrustworthy() function in referrer.js, when processing a URL string with alternating letters and periods, such as 'http://' + 'a.a.'.repeat(i) + 'a'.

CVE-2020-15168

Impact

Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.

For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Patches

We released patched versions for both stable and beta channels:

• For v2: 2.6.1
• For v3: 3.0.0-beta.9

Workarounds

None, it is strongly recommended to update as soon as possible.

For more information

If you have any questions or comments about this advisory:

• Open an issue in node-fetch
• Contact one of the core maintainers.

---

Release Notes

node-fetch/node-fetch (node-fetch)

v3.2.10

Compare Source

Bug Fixes

• ReDoS referrer (#​1611) (2880238)

v3.2.9

Compare Source

Bug Fixes

• Headers: don't forward secure headers on protocol change (#​1599) (e87b093)

v3.2.8

Compare Source

Bug Fixes

• possibly flaky test (#​1523) (11b7033)

v3.2.7

Compare Source

Bug Fixes

• always warn Request.data (#​1550) (4f43c9e)

v3.2.6

Compare Source

Bug Fixes

• undefined reference to response.body when aborted (#​1578) (1c5ed6b)

v3.2.5

Compare Source

Bug Fixes

• use space in accept-encoding values (#​1572) (a92b5d5), closes #​1571

v3.2.4

Compare Source

Bug Fixes

• don't uppercase unknown methods (#​1542) (004b3ac)

v3.2.3

Compare Source

Bug Fixes

• handle bom in text and json (#​1482) (6425e20)

v3.2.2

Compare Source

Bug Fixes

• add missing formdata export to types (#​1518) (a4ea5f9), closes #​1517

v3.2.1

Compare Source

Bug Fixes

• cancel request example import (#​1513) (61b3b5a)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

➤ YN0000: ┌ Resolution step
➤ YN0002: │ @commitlint/load@npm:16.1.0 doesn't provide @types/node (p28edd), requested by cosmiconfig-typescript-loader
➤ YN0002: │ @drizzle-http/example-nestjs@workspace:examples/nestjs doesn't provide typescript (p59e73), requested by @nestjs/schematics
➤ YN0002: │ @drizzle-http/example-react@workspace:examples/react doesn't provide webpack (p1ed42), requested by babel-loader
➤ YN0002: │ @drizzle-http/example-react@workspace:examples/react doesn't provide webpack (p43d50), requested by clean-webpack-plugin
➤ YN0002: │ @drizzle-http/example-react@workspace:examples/react doesn't provide webpack (pd3749), requested by html-webpack-plugin
➤ YN0002: │ @drizzle-http/example-react@workspace:examples/react doesn't provide webpack (pc82c0), requested by webpack-dev-server
➤ YN0002: │ webpack-dev-server@npm:4.7.3 [1cf60] doesn't provide @types/express (p93524), requested by http-proxy-middleware
➤ YN0002: │ webpack-dev-server@npm:4.7.3 [ee916] doesn't provide @types/express (pf59c4), requested by http-proxy-middleware
➤ YN0000: │ Some peer dependencies are incorrectly met; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code
➤ YN0000: └ Completed in 0s 480ms
➤ YN0000: ┌ Fetch step
➤ YN0001: │ TypeError: resolve@patch:resolve@npm%3A1.19.0#~builtin<compat/resolve>::version=1.19.0&hash=07638b: (0 , QO.isDate) is not a function
    at ihe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:10860)
    at Jr.utimesImpl (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28773)
    at Jr.utimesSync (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28366)
    at Jr.utimesPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28236)
    at Jr.mkdirpPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:12970)
    at async pO (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:7174)
    at async Jr.copyPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:13674)
    at async /tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1676
    at async Object.kEe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:382:3934)
    at async RM.patchPackage (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1636)
➤ YN0001: │ TypeError: resolve@patch:resolve@npm%3A1.22.0#~builtin<compat/resolve>::version=1.22.0&hash=07638b: (0 , QO.isDate) is not a function
    at ihe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:10860)
    at Jr.utimesImpl (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28773)
    at Jr.utimesSync (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28366)
    at Jr.utimesPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28236)
    at Jr.mkdirpPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:12970)
    at async pO (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:7174)
    at async Jr.copyPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:13674)
    at async /tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1676
    at async Object.kEe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:382:3934)
    at async RM.patchPackage (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1636)
➤ YN0001: │ TypeError: typescript@patch:typescript@npm%3A4.5.4#~builtin<compat/typescript>::version=4.5.4&hash=493e53: (0 , QO.isDate) is not a function
    at ihe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:10860)
    at Jr.utimesImpl (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28773)
    at Jr.utimesSync (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28366)
    at Jr.utimesPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28236)
    at Jr.mkdirpPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:12970)
    at async pO (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:7174)
    at async Jr.copyPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:13674)
    at async /tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1676
    at async Object.kEe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:382:3934)
    at async RM.patchPackage (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1636)
➤ YN0001: │ TypeError: typescript@patch:typescript@npm%3A4.5.5#~builtin<compat/typescript>::version=4.5.5&hash=493e53: (0 , QO.isDate) is not a function
    at ihe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:10860)
    at Jr.utimesImpl (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28773)
    at Jr.utimesSync (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28366)
    at Jr.utimesPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:317:28236)
    at Jr.mkdirpPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:12970)
    at async pO (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:7174)
    at async Jr.copyPromise (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:312:13674)
    at async /tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1676
    at async Object.kEe (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:382:3934)
    at async RM.patchPackage (/tmp/containerbase/cache/.cache/node/corepack/v1/yarn/3.1.1/yarn.js:721:1636)
➤ YN0013: │ 2008 packages were already cached, 7 had to be fetched
➤ YN0000: └ Completed in 0s 656ms
➤ YN0000: Failed with errors in 1s 139ms