
fix(deps): update dependency node-fetch to ^2.6.7 [security] #39544

Open: renovate[bot] wants to merge 1 commit into master from renovate/npm-node-fetch-vulnerability

@renovate renovate Bot commented Apr 15, 2026

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| node-fetch | ^2.6.0 → ^2.6.7 | age | confidence |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


node-fetch forwards secure headers to untrusted sites

CVE-2022-0235 / GHSA-r683-j2x4-v87g

More information

Details

node-fetch forwards secure headers such as authorization, www-authenticate, cookie, & cookie2 when redirecting to an untrusted site.

Severity

  • CVSS Score: 8.8 / 10 (High)
  • Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

node-fetch/node-fetch (node-fetch)

v2.6.7

Compare Source

Security patch release

Recommended to upgrade, to not leak sensitive cookie and authentication header information to a 3rd party host while a redirect occurred

What's Changed

Full Changelog: node-fetch/node-fetch@v2.6.6...v2.6.7

v2.6.6

Compare Source

What's Changed

Full Changelog: node-fetch/node-fetch@v2.6.5...v2.6.6

v2.6.5

Compare Source

v2.6.4

Compare Source

v2.6.3

Compare Source

v2.6.2

Compare Source

fixed main path in package.json

v2.6.1

Compare Source

This is an important security release. It is strongly recommended to update as soon as possible.

See CHANGELOG for details.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
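
The redirect behaviour described in the advisory, shown as an added example (not code from this PR, Renovate or node-fetch): a header policy for callers that follow redirects by hand, dropping the four headers named in the advisory unless the redirect stays on the original host or a subdomain of it. The function names and the `.test` URLs are constructed for illustration.

```javascript
// Headers the advisory lists as forwarded to untrusted sites on redirect.
const SENSITIVE_HEADERS = ['authorization', 'www-authenticate', 'cookie', 'cookie2'];

// True when the target host equals the original host or is a subdomain of it.
// The leading dot in the suffix check rejects look-alikes such as
// "notexample.test" or "example.test.evil.test". (Hypothetical helper.)
function isSameOrSubdomain(originUrl, targetUrl) {
  const origin = new URL(originUrl).hostname;
  const target = new URL(targetUrl).hostname;
  return target === origin || target.endsWith('.' + origin);
}

// Given the URL that was requested, the Location header of the 3xx response
// and the headers of the original request, return the URL and headers to use
// for the next hop. Header names are matched case-insensitively.
function headersForRedirect(requestUrl, location, headers) {
  const nextUrl = new URL(location, requestUrl); // resolves relative Location values
  const trusted = isSameOrSubdomain(requestUrl, nextUrl.href);
  const next = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!trusted && SENSITIVE_HEADERS.includes(name.toLowerCase())) {
      continue; // do not hand credentials to a different site
    }
    next[name] = value;
  }
  return { url: nextUrl.href, headers: next };
}

// Constructed sample: a credentialed request redirected to another site.
const sample = headersForRedirect(
  'https://api.example.test/v1/data',
  'https://cdn.other.test/v1/data',
  {
    Authorization: 'Bearer constructed-token',
    Cookie: 'sid=constructed',
    Accept: 'application/json',
  }
);
console.log(sample);
```
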

@gatsbot gatsbot Bot added the "status: triage needed" label (Issue or pull request that need to be triaged and assigned to a reviewer) Apr 15, 2026
@renovate renovate Bot force-pushed the renovate/npm-node-fetch-vulnerability branch 2 times, most recently from 4634cb8 to 8dc3168, April 16, 2026 11:02
@renovate renovate Bot changed the title from "fix(deps): update dependency node-fetch to ^2.7.0 [security]" to "fix(deps): update dependency node-fetch to ^2.6.7 [security]", Apr 16, 2026
@renovate renovate Bot force-pushed the renovate/npm-node-fetch-vulnerability branch from 8dc3168 to e8e2046, April 16, 2026 17:50
@renovate renovate Bot changed the title from "fix(deps): update dependency node-fetch to ^2.6.7 [security]" to "fix(deps): update dependency node-fetch to ^2.7.0 [security]", Apr 16, 2026
@renovate renovate Bot force-pushed the renovate/npm-node-fetch-vulnerability branch from e8e2046 to e9cecd8, April 16, 2026 22:37
@renovate renovate Bot changed the title from "fix(deps): update dependency node-fetch to ^2.7.0 [security]" to "fix(deps): update dependency node-fetch to ^2.6.7 [security]", Apr 16, 2026
@renovate renovate Bot force-pushed the renovate/npm-node-fetch-vulnerability branch from e9cecd8 to 8dfa099, April 21, 2026 20:06
@renovate renovate Bot changed the title from "fix(deps): update dependency node-fetch to ^2.6.7 [security]" to "fix(deps): update dependency node-fetch to ^2.7.0 [security]", Apr 21, 2026
@renovate renovate Bot force-pushed the renovate/npm-node-fetch-vulnerability branch from 8dfa099 to 25aad89, April 21, 2026 23:41
@renovate renovate Bot changed the title from "fix(deps): update dependency node-fetch to ^2.7.0 [security]" to "fix(deps): update dependency node-fetch to ^2.6.7 [security]", Apr 21, 2026
@renovate renovate Bot force-pushed the renovate/npm-node-fetch-vulnerability branch from 25aad89 to 01708f5, April 23, 2026 11:03
@renovate renovate Bot changed the title from "fix(deps): update dependency node-fetch to ^2.6.7 [security]" to "fix(deps): update dependency node-fetch to ^2.7.0 [security]", Apr 23, 2026
@renovate renovate Bot force-pushed the renovate/npm-node-fetch-vulnerability branch from 01708f5 to d18ab58, April 23, 2026 17:12
@renovate renovate Bot changed the title from "fix(deps): update dependency node-fetch to ^2.7.0 [security]" to "fix(deps): update dependency node-fetch to ^2.6.7 [security]", Apr 23, 2026
@renovate renovate Bot force-pushed the renovate/npm-node-fetch-vulnerability branch from d18ab58 to 01cfd4e, April 29, 2026 15:57
@renovate renovate Bot changed the title from "fix(deps): update dependency node-fetch to ^2.6.7 [security]" to "fix(deps): update dependency node-fetch to ^2.7.0 [security]", Apr 29, 2026
@renovate renovate Bot force-pushed the renovate/npm-node-fetch-vulnerability branch from 01cfd4e to ea08bba, April 29, 2026 21:48
@renovate renovate Bot changed the title from "fix(deps): update dependency node-fetch to ^2.7.0 [security]" to "fix(deps): update dependency node-fetch to ^2.6.7 [security]", Apr 29, 2026
@renovate renovate Bot force-pushed the renovate/npm-node-fetch-vulnerability branch from ea08bba to c765827, April 30, 2026 15:47
@renovate renovate Bot changed the title from "fix(deps): update dependency node-fetch to ^2.6.7 [security]" to "fix(deps): update dependency node-fetch to ^2.7.0 [security]", Apr 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-node-fetch-vulnerability branch from c765827 to 68929ed, April 30, 2026 18:35
@renovate renovate Bot changed the title from "fix(deps): update dependency node-fetch to ^2.7.0 [security]" to "fix(deps): update dependency node-fetch to ^2.6.7 [security]", Apr 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-node-fetch-vulnerability branch from 68929ed to 1b4de64, May 11, 2026 15:06
@renovate renovate Bot changed the title from "fix(deps): update dependency node-fetch to ^2.6.7 [security]" to "fix(deps): update dependency node-fetch to ^2.7.0 [security]", May 11, 2026
@renovate renovate Bot force-pushed the renovate/npm-node-fetch-vulnerability branch from 1b4de64 to 61c96fc, May 11, 2026 15:13
@renovate renovate Bot force-pushed the renovate/npm-node-fetch-vulnerability branch from 61c96fc to 28ba9f8, May 11, 2026 19:03
@renovate renovate Bot changed the title from "fix(deps): update dependency node-fetch to ^2.7.0 [security]" to "fix(deps): update dependency node-fetch to ^2.6.7 [security]", May 11, 2026