From cc0d9a70284914ff0e785418e7ddce1e6439f270 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]"
Date: Wed, 14 Nov 2018 14:43:38 -0500
Subject: [PATCH] [Security] Bump superagent from 3.6.0 to 3.8.3 (#145)

Bumps [superagent](https://github.com/visionmedia/superagent) from 3.6.0 to 3.8.3. **This update includes security fixes.**
Vulnerabilities fixed

*Sourced from The GitHub Security Advisory Database.*

> **Low severity vulnerability that affects superagent**
> The HTTP client module superagent is vulnerable to ZIP bomb attacks. In a ZIP bomb attack, the HTTP server replies with a compressed response that becomes several magnitudes larger once uncompressed. If a client does not take special care when processing such responses, it may result in excessive CPU and/or memory consumption. An attacker might exploit such a weakness for a DoS attack. To exploit this the attacker must control the location (URL) that superagent makes a request to.
>
> Affected versions: <3.7.0

*Sourced from [The Sonatype OSS Index](https://ossindex.sonatype.org/vuln/6b42d0b8-d68c-4f60-8815-a51f4a3efa29).*

> **CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)**
> The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
>
> Affected versions: <3.7.0
Release notes

*Sourced from [superagent's releases](https://github.com/visionmedia/superagent/releases).*

> ## v3.8.3
>
> * Add flags for 201 & 422 responses (Nikhil Fadnis)
> * Emit progress event while uploading Node `Buffer` via send method (Sergey Akhalkov)
> * Fixed setting correct cookies for redirects (Damien Clark)
> * Replace .catch with ['catch'] for IE9 Support (Miguel Stevens)
>
> ## v3.8.2
>
> * Fixed handling of exceptions thrown from callbacks
> * Stricter matching of `+json` MIME types.
>
> ## v3.8.1
>
> * Clear authorization header on cross-domain redirect
>
> ## v3.8.0
>
> * Added support for "globally" defined headers and event handlers via `superagent.agent()`. It now remembers default settings for all its requests.
> * Added optional callback to `.retry()` (Alexander Murphy)
> * Unified auth args handling in node/browser (Edmundo Alvarez)
> * Fixed error handling in zlib pipes (Kornel)
> * Documented that 3xx status codes are errors (Mickey Reiss)
>
> ## v3.7.0
>
> * Limit maximum response size. Prevents zip bombs (Kornel)
> * Catch and pass along errors in `.ok()` callback (Jeremy Ruppel)
> * Fixed parsing of XHR headers without a newline (nsf)
>
> ## v3.6.2
>
> * Upgrade MIME type dependency to a newer, secure version
> * Recognize PDF MIME as binary
> * Fix for error in subsequent require() calls (Steven de Salas)
Changelog

*Sourced from [superagent's changelog](https://github.com/visionmedia/superagent/blob/master/History.md).*

> # 3.8.3 (2018-04-29)
>
> * Add flags for 201 & 422 responses (Nikhil Fadnis)
> * Emit progress event while uploading Node `Buffer` via send method (Sergey Akhalkov)
> * Fixed setting correct cookies for redirects (Damien Clark)
> * Replace .catch with ['catch'] for IE9 Support (Miguel Stevens)
>
> # 3.8.2 (2017-12-09)
>
> * Fixed handling of exceptions thrown from callbacks
> * Stricter matching of `+json` MIME types.
>
> # 3.8.1 (2017-11-08)
>
> * Clear authorization header on cross-domain redirect
>
> # 3.8.0
>
> * Added support for "globally" defined headers and event handlers via `superagent.agent()`. It now remembers default settings for all its requests.
> * Added optional callback to `.retry()` (Alexander Murphy)
> * Unified auth args handling in node/browser (Edmundo Alvarez)
> * Fixed error handling in zlib pipes (Kornel)
> * Documented that 3xx status codes are errors (Mickey Reiss)
>
> # 3.7.0 (2017-10-17)
>
> * Limit maximum response size. Prevents zip bombs (Kornel)
> * Catch and pass along errors in `.ok()` callback (Jeremy Ruppel)
> * Fixed parsing of XHR headers without a newline (nsf)
>
> # 3.6.2 (2017-10-02)
>
> * Upgrade MIME type dependency to a newer, secure version
> * Recognize PDF MIME as binary
> * Fix for error in subsequent require() calls (Steven de Salas)
Commits

- [`295dfcd`](https://github.com/visionmedia/superagent/commit/295dfcdacedd45e43a22d250bcaac6bf3d0a9229) Bump
- [`c2f65c6`](https://github.com/visionmedia/superagent/commit/c2f65c665cf1738c5ed8f31c9d255f0a0afa70b2) Lock marked version due to bug
- [`75d1ca0`](https://github.com/visionmedia/superagent/commit/75d1ca0751543a3413a5a1b390a8eb74d876f116) Fix [#1366](https://github-redirect.dependabot.com/visionmedia/superagent/issues/1366) docs
- [`bf1a87a`](https://github.com/visionmedia/superagent/commit/bf1a87ab7556c6a5c22e2bd9ce27f9871cae5e59) Merge pull request [#1360](https://github-redirect.dependabot.com/visionmedia/superagent/issues/1360) from itsfadnis/flags_for_201_and_422
- [`386f702`](https://github.com/visionmedia/superagent/commit/386f7021e836f415d69e061ef30bd88385e0f3ed) Add flags for 201 & 422 responses
- [`d70933c`](https://github.com/visionmedia/superagent/commit/d70933ce585c08451cb571d4f9acb58dbb451549) Make GitHub happy
- [`b176c0e`](https://github.com/visionmedia/superagent/commit/b176c0e953dd27233e965a1cbe774fecf3e584fd) Be super clear piping in superagent breaks everything else
- [`336b51e`](https://github.com/visionmedia/superagent/commit/336b51e8f87d937d81f59703cdd70bee701214e7) Merge pull request [#1351](https://github-redirect.dependabot.com/visionmedia/superagent/issues/1351) from jedwards1211/patch-2
- [`038bd46`](https://github.com/visionmedia/superagent/commit/038bd464d80c5991c16326b7b9c8d1ad308faf8a) file => field
- [`a6fc595`](https://github.com/visionmedia/superagent/commit/a6fc5959c725814f075afcbeb40941ad89be2804) typo fix
- Additional commits viewable in [compare view](https://github.com/visionmedia/superagent/compare/v3.6.0...v3.8.3)

[![Dependabot compatibility score](https://api.dependabot.com/badges/compatibility_score?dependency-name=superagent&package-manager=npm_and_yarn&previous-version=3.6.0&new-version=3.8.3)](https://dependabot.com/compatibility-score.html?dependency-name=superagent&package-manager=npm_and_yarn&previous-version=3.6.0&new-version=3.8.3)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):

- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.
--- package-lock.json | 52 ----------------------------------- yarn.lock | 70 +++++++++++++++++++++++++++++++++++++---------- 2 files changed, 55 insertions(+), 67 deletions(-) diff --git a/package-lock.json b/package-lock.json index 1298bd5..c8be287 100644 --- a/package-lock.json +++ b/package-lock.json @@ -3047,11 +3047,6 @@ "resolved": "https://registry.npmjs.org/cookie-signature/-/cookie-signature-1.0.6.tgz", "integrity": "sha1-4wOogrNCzD7oylE6eZmXNNqzriw=" }, - "cookiejar": { - "version": "2.1.1", - "resolved": "https://registry.npmjs.org/cookiejar/-/cookiejar-2.1.1.tgz", - "integrity": "sha1-Qa1XsbVVlR7BcUEqgZQrHoIA00o=" - }, "copy-concurrently": { "version": "1.0.5", "resolved": "https://registry.npmjs.org/copy-concurrently/-/copy-concurrently-1.0.5.tgz", @@ -6221,11 +6216,6 @@ "mime-types": "2.1.17" } }, - "formidable": { - "version": "1.1.1", - "resolved": "https://registry.npmjs.org/formidable/-/formidable-1.1.1.tgz", - "integrity": "sha1-lriIb3w8NQi5Mta9cMTTqI818ak=" - }, "forwarded": { "version": "0.1.2", "resolved": "https://registry.npmjs.org/forwarded/-/forwarded-0.1.2.tgz", 
@@ -18549,48 +18539,6 @@ "chalk": "1.1.3" } }, - "superagent": { - "version": "3.8.2", - "resolved": "https://registry.npmjs.org/superagent/-/superagent-3.8.2.tgz", - "integrity": "sha512-gVH4QfYHcY3P0f/BZzavLreHW3T1v7hG9B+hpMQotGQqurOvhv87GcMCd6LWySmBuf+BDR44TQd0aISjVHLeNQ==", - "requires": { - "component-emitter": "1.2.1", - "cookiejar": "2.1.1", - "debug": "3.1.0", - "extend": "3.0.1", - "form-data": "2.3.1", - "formidable": "1.1.1", - "methods": "1.1.2", - "mime": "1.6.0", - "qs": "6.5.1", - "readable-stream": "2.3.3" - }, - "dependencies": { - "debug": { - "version": "3.1.0", - "resolved": "https://registry.npmjs.org/debug/-/debug-3.1.0.tgz", - "integrity": "sha512-OX8XqP7/1a9cqkxYw2yXss15f26NKWBpDXQd0/uK/KPqdQhxbPa994hnzjcE2VqQpDslf55723cKPUOGSmMY3g==", - "requires": { - "ms": "2.0.0" - } - }, - "form-data": { - "version": "2.3.1", - "resolved": "https://registry.npmjs.org/form-data/-/form-data-2.3.1.tgz", - "integrity": "sha1-b7lPvXGIUwbXPRXMSX/kzE7NRL8=", - "requires": { - "asynckit": "0.4.0", - "combined-stream": "1.0.5", - "mime-types": "2.1.17" - } - }, - "qs": { - "version": "6.5.1", - "resolved": "https://registry.npmjs.org/qs/-/qs-6.5.1.tgz", - "integrity": "sha512-eRzhrN1WSINYCDCbrz796z37LOe3m5tmW7RQf6oBntukAG1nmovJvhnwHHRMAfeoItc1m2Hk02WER2aQ/iqs+A==" - } - } - }, "supports-color": { "version": "2.0.0", "resolved": "https://registry.npmjs.org/supports-color/-/supports-color-2.0.0.tgz", diff --git a/yarn.lock b/yarn.lock index a08c0ec..7450a14 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -2006,6 +2006,12 @@ combined-stream@^1.0.5, combined-stream@~1.0.5: dependencies: delayed-stream "~1.0.0" +combined-stream@^1.0.6: + version "1.0.7" + resolved "https://registry.yarnpkg.com/combined-stream/-/combined-stream-1.0.7.tgz#2d1d24317afb8abe95d6d2c0b07b57813539d828" + dependencies: + delayed-stream "~1.0.0" + commander@2.11.x, commander@~2.11.0: version "2.11.0" resolved "https://registry.yarnpkg.com/commander/-/commander-2.11.0.tgz#157152fd1e7a6c8d98a5b715cf376df928004563" @@ -2474,7 +2480,7 @@ debug@2.6.8: dependencies: ms "2.0.0" -debug@2.6.9, debug@^2.2.0, debug@^2.3.3, debug@^2.6.0, debug@^2.6.6, debug@^2.6.8, debug@~2.6.4, debug@~2.6.6, debug@~2.6.9: +debug@2.6.9, debug@^2.2.0, debug@^2.3.3, debug@^2.6.6, debug@^2.6.8, debug@~2.6.4, debug@~2.6.6, debug@~2.6.9: version "2.6.9" resolved "https://registry.yarnpkg.com/debug/-/debug-2.6.9.tgz#5d128515df134ff327e90a4c93f4e077a536341f" dependencies: @@ -3778,7 +3784,15 @@ forever-agent@~0.6.1: version "0.6.1" resolved "https://registry.yarnpkg.com/forever-agent/-/forever-agent-0.6.1.tgz#fbc71f0c41adeb37f96c577ad1ed42d8fdacca91" -form-data@^2.1.1, form-data@~2.1.1: +form-data@^2.3.1: + version "2.3.3" + resolved "https://registry.yarnpkg.com/form-data/-/form-data-2.3.3.tgz#dcce52c05f644f298c6a7ab936bd724ceffbf3a6" + dependencies: + asynckit "^0.4.0" + combined-stream "^1.0.6" + mime-types "^2.1.12" + +form-data@~2.1.1: version "2.1.4" resolved "https://registry.yarnpkg.com/form-data/-/form-data-2.1.4.tgz#33c183acf193276ecaa98143a69e94bfee1750d1" dependencies: @@ -3786,9 +3800,9 @@ form-data@^2.1.1, form-data@~2.1.1: combined-stream "^1.0.5" mime-types "^2.1.12" -formidable@^1.1.1: - version "1.1.1" - resolved "https://registry.yarnpkg.com/formidable/-/formidable-1.1.1.tgz#96b8886f7c3c3508b932d6bd70c4d3a88f35f1a9" +formidable@^1.2.0: + version "1.2.1" + resolved "https://registry.yarnpkg.com/formidable/-/formidable-1.2.1.tgz#70fb7ca0290ee6ff961090415f4b3df3d2082659" forwarded@~0.1.2: version "0.1.2" 
@@ -6092,7 +6106,7 @@ mime@1.4.1: version "1.4.1" resolved "https://registry.yarnpkg.com/mime/-/mime-1.4.1.tgz#121f9ebc49e3766f311a76e1fa1c8003c4b03aa6" -mime@^1.3.4, mime@^1.3.6, mime@^1.5.0: +mime@^1.3.4, mime@^1.4.1, mime@^1.5.0: version "1.6.0" resolved "https://registry.yarnpkg.com/mime/-/mime-1.6.0.tgz#32cd9e5c64553bd58d19a568af452acff04981b1" @@ -7468,6 +7482,10 @@ process-nextick-args@~1.0.6: version "1.0.7" resolved "https://registry.yarnpkg.com/process-nextick-args/-/process-nextick-args-1.0.7.tgz#150e20b756590ad3f91093f25a4f2ad8bff30ba3" +process-nextick-args@~2.0.0: + version "2.0.0" + resolved "https://registry.yarnpkg.com/process-nextick-args/-/process-nextick-args-2.0.0.tgz#a37d732f4271b4ab1ad070d35508e8290788ffaa" + process@^0.11.0: version "0.11.10" resolved "https://registry.yarnpkg.com/process/-/process-0.11.10.tgz#7332300e840161bda3e69a1d1d91a7d4bc16f182" @@ -7564,10 +7582,14 @@ qs@6.2.1: version "6.2.1" resolved "https://registry.yarnpkg.com/qs/-/qs-6.2.1.tgz#ce03c5ff0935bc1d9d69a9f14cbd18e568d67625" -qs@6.5.1, qs@^6.2.0, qs@^6.4.0: +qs@6.5.1, qs@^6.2.0: version "6.5.1" resolved "https://registry.yarnpkg.com/qs/-/qs-6.5.1.tgz#349cdf6eef89ec45c12d7d5eb3fc0c870343a6d8" +qs@^6.5.1: + version "6.5.2" + resolved "https://registry.yarnpkg.com/qs/-/qs-6.5.2.tgz#cb3ae806e8740444584ef154ce8ee98d403f3e36" + qs@~6.3.0: version "6.3.2" resolved "https://registry.yarnpkg.com/qs/-/qs-6.3.2.tgz#e75bd5f6e268122a2a0e0bda630b2550c166502c" 
@@ -7715,6 +7737,18 @@ read-pkg@^3.0.0: isarray "0.0.1" string_decoder "~0.10.x" +readable-stream@^2.3.5: + version "2.3.6" + resolved "https://registry.yarnpkg.com/readable-stream/-/readable-stream-2.3.6.tgz#b11c27d88b8ff1fbe070643cf94b0c79ae1b0aaf" + dependencies: + core-util-is "~1.0.0" + inherits "~2.0.3" + isarray "~1.0.0" + process-nextick-args "~2.0.0" + safe-buffer "~5.1.1" + string_decoder "~1.1.1" + util-deprecate "~1.0.1" + readable-stream@~1.1.9: version "1.1.14" resolved "https://registry.yarnpkg.com/readable-stream/-/readable-stream-1.1.14.tgz#7cf4c54ef648e3813084c636dd2079e166c081d9" @@ -8886,6 +8920,12 @@ string_decoder@~1.0.3: dependencies: safe-buffer "~5.1.0" +string_decoder@~1.1.1: + version "1.1.1" + resolved "https://registry.yarnpkg.com/string_decoder/-/string_decoder-1.1.1.tgz#9cf1611ba62685d7030ae9e4ba34149c3af03fc8" + dependencies: + safe-buffer "~5.1.0" + stringify-entities@^1.0.1: version "1.3.1" resolved "https://registry.yarnpkg.com/stringify-entities/-/stringify-entities-1.3.1.tgz#b150ec2d72ac4c1b5f324b51fb6b28c9cdff058c" @@ -9106,19 +9146,19 @@ sum-up@^1.0.1: chalk "^1.0.0" superagent@^3.3.1: - version "3.6.0" - resolved "https://registry.yarnpkg.com/superagent/-/superagent-3.6.0.tgz#eb679651057c3462199c7b902b696c25350e1b87" + version "3.8.3" + resolved "https://registry.yarnpkg.com/superagent/-/superagent-3.8.3.tgz#460ea0dbdb7d5b11bc4f78deba565f86a178e128" dependencies: component-emitter "^1.2.0" cookiejar "^2.1.0" - debug "^2.6.0" + debug "^3.1.0" extend "^3.0.0" - form-data "^2.1.1" - formidable "^1.1.1" + form-data "^2.3.1" + formidable "^1.2.0" methods "^1.1.1" - mime "^1.3.6" - qs "^6.4.0" - readable-stream "^2.0.5" + mime "^1.4.1" + qs "^6.5.1" + readable-stream "^2.3.5" supports-color@^2.0.0: version "2.0.0"
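Review bot: the package-lock.json hunk at @@ -18549 deletes the whole `superagent` entry (3.8.2, with its nested `debug`, `form-data` and `qs`) without adding a 3.8.3 entry, and the @@ -3047 and @@ -6221 hunks drop `cookiejar` and `formidable` along with it; after this patch npm's lockfile no longer records superagent at all while yarn.lock pins 3.8.3, so the two lockfiles disagree. Note also that package-lock.json already held 3.8.2, outside the <3.7.0 affected range, and only yarn.lock pinned the vulnerable 3.6.0, which is the kind of drift keeping two lockfiles invites. Either regenerate package-lock.json so it lists superagent 3.8.3 as well, or delete the lockfile for the package manager CI does not use.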
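Review bot: the yarn.lock hunk at @@ -2474 removes the `debug@^2.6.0` selector from the `debug` 2.6.9 group because superagent 3.8.3 now asks for `debug "^3.1.0"`, but no `+debug@^3.1.0:` entry appears anywhere in this diff. That is only correct if yarn.lock already contains a group whose selectors include `debug@^3.1.0`; confirm with `yarn install --frozen-lockfile` in CI, which fails when the lockfile lacks an entry for a requested range.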
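Review bot: the @@ -2006 hunk adds a second `combined-stream` entry (`combined-stream@^1.0.6` at 1.0.7) beside the existing `combined-stream@^1.0.5, combined-stream@~1.0.5` group; 1.0.7 satisfies those two selectors as well, so all three could share one entry resolved to 1.0.7 rather than installing two copies. Optional, but a dedupe pass over yarn.lock after the bump would fold it.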
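Review bot: the @@ -7564 hunk moves `qs@^6.4.0` out of the `qs@6.5.1, qs@^6.2.0` group and adds a new `qs@^6.5.1` entry resolved to 6.5.2, so the tree now carries both 6.5.1 and 6.5.2. The existing group cannot move up because `qs@6.5.1` is an exact pin, but 6.5.1 satisfies `^6.5.1`, so the new selector could join that group instead and the extra copy disappears.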
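Review bot: the @@ -9106 hunk is the change that actually closes the advisory (3.6.0 to 3.8.3, past the <3.7.0 affected range); the remaining yarn.lock hunks are transitive refreshes pulled in by the new ranges (`debug "^3.1.0"`, `form-data "^2.3.1"`, `formidable "^1.2.0"`, `mime "^1.4.1"`, `qs "^6.5.1"`, `readable-stream "^2.3.5"`). Two behaviour changes from the release notes ride along and deserve a full CI run rather than an automerge: 3.8.1 clears the Authorization header on cross-domain redirects, and 3.8.2 matches `+json` MIME types more strictly, so code that relied on credentials surviving a redirect to another host, or on loosely named JSON responses being parsed, may start failing. The `superagent@^3.3.1` selector in this hunk is also what let the lockfile sit on 3.6.0; raising the floor in package.json to a patched version keeps a regenerated lockfile out of the affected range.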