fix(deps): update dependency got to v11 [security] #289

Open
wants to merge 1 commit into
base: master

renovate[bot]
Contributor

@renovate renovate bot commented Jul 1, 2022

This PR contains the following updates:

Package   Change
got       ^10.7.0 -> ^11.0.0

Test plan: CI should pass with updated dependencies. No review required: this is an automated dependency update PR.

GitHub Vulnerability Alerts

CVE-2022-33987

The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.


Release Notes

sindresorhus/got (got)

v11.8.5

Compare Source

v11.8.3

Compare Source

v11.8.2

Compare Source

  • Make the dnsCache option lazy (#​1529) 3bd245f
    This slightly improves Got startup performance and fixes an issue with Jest.

v11.8.1

Compare Source

v11.8.0

Compare Source

v11.7.0

Compare Source

Improvements
Fixes
  • Fix a regression where body was sent after redirect 88b32ea
  • Fix destructure error on promise.json() c97ce7c
  • Do not ignore userinfo on a redirect to the same origin 52de13b

v11.6.2

Compare Source

Bug fixes
  • Inherit the prefixUrl option from parent if it's undefined (#​1448) a3da70a
  • Prepare a fix for hanging promise on Node.js 14.10.x 29d4e32
  • Prepare for Node.js 15.0.0 c126ff1
Docs
Tests

v11.6.1

Compare Source

Fixes
Meta

v11.6.0

Compare Source

Improvements
  • Add retry stream event (#​1384) 7072198
  • Add types for http-cache-semantics options 2e2295f
  • Make CancelError inherit RequestError 1f132e8
  • Add retryAfter to RetryObject 643a305
  • Add documentation comments to exported TypeScript types (#​1278) eaf1e02
  • Move cache options into a cacheOptions property 9c16d90
Bug fixes
  • Got promise shouldn't retry when the body is a stream 6e1aeae
Docs
  • Add an example of nock integration with retrying f7bbc37
  • Fix CancelError docs 28c400f
  • Fix retry delay function in the README (#​1425) 38bbb04

v11.5.2

Compare Source

Docs
Bug fixes
  • Fix duplicated hooks when paginating e02845f
  • Fix dnsCache: true having no effect 043c950

v11.5.1

Compare Source

Enhancements
  • Upgrade http2-wrapper to 1.0.0-beta.5.0 16e7f03
  • Compatibility fix to ignore incorrect Node.js 12 typings f7a1379 61d6f61
Bug fixes
Docs

v11.5.0

Compare Source

Improvements
Fixes
  • Fix TypeScript types for Promise API (#​1344) 676be6d
  • Fix cache not working with HTTP2 ac5f67d
  • Fix response event not being emitted on cache verify request (#​1305) da4769e
  • Work around a bug in Node.js <=12.18.2 f33e8bc
  • Remove request error handler after response is downloaded e1afe82
  • Revert "Remove request error handler after response is downloaded" aeb2e07
Docs
  • Mention advanced usage of a beforeRequest hook 779062a
  • Mention to end the stream if there's no body 044767e

v11.4.0

Compare Source

  • Fix hanging promise on timeout on HTTP error 934211f
  • Use async iterators to get response body (#​1256) 7dcd145
  • Fix promise not returning Buffer on compressed response 5028c11
  • Clarify options.encoding docs 04f3ea4
  • Fix unhandled The server aborted pending request rejection 728aef9
  • Add missing ECONNRESET code to an abort error d325d35
  • Fix prefixUrl not working when the url argument is empty 8d3412a
  • Improve the searchParams option 4dbada9
  • Fix non-enumerable options [such as body] not being used 8f775c7

v11.3.0

Compare Source

v11.2.0

Compare Source

v11.1.4

Compare Source

v11.1.3

Compare Source

v11.1.2

Compare Source

Bug fixes
  • Disable options.dnsCache by default 79507c2

This should stay disabled when making requests to internal hostnames such as localhost, database.local etc.
CacheableLookup uses dns.resolver4(..) and dns.resolver6(...) under the hood and falls back to dns.lookup(...) when the first two fail, which may lead to additional delay.

Enhancements

v11.1.1

Compare Source

  • Improve Node.js 14 compatibility 50ef99a
  • Fix got.mergeOptions() regression 157e02b
  • Fix hanging promise when using cache 7b19e8f
  • Make options.responseType optional when using a template 9ed0a39

v11.1.0

Compare Source

v11.0.3

Compare Source

Fixes
  • Limit number of requests in pagination to prevent accidental overflows (#​1181) 4344c3a
  • Fix promise rejecting before retry b927e2d
  • Fix options.searchParams duplicates 429db40
  • Prevent calling .abort() on a destroyed request 63c1b72
Docs
  • Fix incorrect usage in the readme examples (#​1203) 16ff82f
  • Note that cache and dnsCache can be false 7c5290d

v11.0.2

Compare Source

  • Fix response.statusMessage being null 965bd03
  • Update the http2-wrapper dependency to 1.0.0-beta.4.4 4e8de8e
  • Use Merge as it's stricter than the intersection operator d3b972e
  • Prevent silent rejections in rare cases 8501c69
  • Do not alter options.body 835c70b

v11.0.1

Compare Source

Fixed two regressions:

  • HTTPErrors have unspecified response body (#​1162)
  • Options are duplicated while merging (#​1163)

Improved TypeScript types for errors inherited from RequestError

v11.0.0

Compare Source

Introducing Got 11! 🎉 The last major version was in December last year. ❄️ Since then, a huge amount of bugs has been fixed. There are also many new features, for example, HTTP2 support is finally live! 🌐

If you find Got useful, you might want to sponsor the Got maintainers.


Breaking changes

Removed support for electron.net

Due to the inconsistencies between Electron's net module and the Node.js http module, we have decided to officially drop support for it. Therefore, the useElectronNet option has been removed.

You'll still be able to use Got in the Electron main process and in the renderer process through the electron.remote module or if you use Node.js shims.

The Pagination API is now stable

We haven't seen any bugs yet, so please give it a try!
If you want to leave some feedback, you can do it here. Any suggestion is greatly appreciated!

 {
-    _pagination: {...}
+    pagination: {...}
 }
API
  • The options.encoding behavior has been reverted back to the Got 9 behavior.
    In other words, the option is only meant for the Got promise API.
    To set the encoding for streams, simply call stream.setEncoding(encoding).
-got.stream('https://sindresorhus.com', {encoding: 'base64'});
+got.stream('https://sindresorhus.com').setEncoding('base64');

// Promises stay untouched
await got('https://sindresorhus.com', {encoding: 'base64'});
  • The error name GotError has been renamed to RequestError for better readability and to comply with the documentation.
-const {GotError} = require('got');
+const {RequestError} = require('got');
  • The agent option now accepts only an object with http, https and http2 properties.
    While the http and https properties accept native http(s).Agent instances, the http2 property must be an instance of http2wrapper.Agent or be undefined.
{
-    agent: new https.Agent({keepAlive: true})
}

{
+    agent: {
+        http: new http.Agent({keepAlive: true}),
+        https: new https.Agent({keepAlive: true}),
+        http2: new http2wrapper.Agent()
+    }
}
  • The dnsCache option is now set to a default instance of CacheableLookup. It cannot be a Map-like instance anymore. The underlying cacheable-lookup package has received many improvements, for example, it has received hosts file support! Additionally, the cacheAdapter option has been renamed to cache. Note that it's no longer passed to Keyv, so you need to pass it a Keyv instance if you want to save the data for later.
{
-    dnsCache: new CacheableLookup({
-        cacheAdapter: new Map()
-    })
}

{
+    dnsCache: new CacheableLookup({
+        cache: new Keyv({
+            cacheAdapter: new Map()
+        })
+    })
}

// Default:

{
    dnsCache: new CacheableLookup()
}
  • Errors thrown in init hooks will be converted to instances of RequestError. RequestErrors provide much more useful information, for example, you can access the Got options (through error.options), which is very useful when debugging.
const got = require('got');

(async () => {
    try {
        await got('https://sindresorhus.com', {
            hooks: {
                init: [
                    options => {
                        if (!options.context) {
                            throw new Error('You need to pass a `context` option');
                        }
                    }
                ]
            }
        });
    } catch (error) {
        console.log(`Request failed: ${error.message}`);
        console.log('Here are the options:', error.options);
    }
})();
  • The options passed in an init hook may not have a url property. To modify the request URL you should use a beforeRequest hook instead.
{
    hooks: {
-        init: [
+        beforeRequest: [
            options => {
                options.url = 'https://sindresorhus.com';
            }
        ]
    }
}

Note that this example shows a simple use case. In more complicated algorithms, you need to split the init hook into another init hook and a beforeRequest hook.

  • The error.request property is no longer a ClientRequest instance. Instead, it gives a Got stream, which provides a set of useful properties.
const got = require('got');

(async () => {
    try {
        await got('https://sindresorhus.com/notfound');
    } catch (error) {
        console.log(`Request failed: ${error.message}`);
        console.log('Download progress:', error.request.downloadProgress);
    }
})();
Renamed TypeScript types

Some of the TypeScript types have been renamed to improve the readability:

Old type              New type
ResponseObject        Response
Defaults              InstanceDefaults
DefaultOptions        Defaults
DefaultRetryOptions   RequiredRetryOptions
GotOptions            Options
GotRequestMethod      GotRequestFunction
Other
  • Now requires Node.js 10.19 or later.

Enhancements

HTTP2 support is here! Excited? Yay! Unfortunately, it's off by default to make the migration smoother. Many Got users have set up their own Agents and we didn't want to break them. But fear no more, it will come enabled by default in Got 12.

const got = require('got');

(async () => {
    const response = await got('https://nghttp2.org/httpbin/anything', {http2: true});
    console.log(response.socket.alpnProtocol);
    //=> 'h2'
})();
  1. The merge function is slow (#​1016)
  2. Use error.code instead of error.message to compare errors (#​981)
  3. Pass error thrown in the init hook to beforeError hook (#​929)
  4. Errors have undefined body when using streams (#​1138)
  5. Spaces should be normalized as + in query strings (#​1113)
  6. Modify response headers while using got.stream(...) (#​1129)
  7. Make error.request a Got stream (af0b147).

Known bugs

  1. When some errors occur, the timings may indicate that the request was successful although it failed.
  2. When some errors occur, the downloadProgress object may show incorrect data.

Bug fixes

  1. Requests to UNIX sockets are missing query strings (#​1036)
  2. beforeRequest hooks aren't called on redirects (#​994)
  3. Errors are swallowed when using stream.pipeline(got.stream(...), ...) (#​1026)
  4. Cannot use the cache along with the body option (#​1021)
  5. Got doesn't throw on leading slashes (#​1057)
  6. Got throws when passing already frozen options (#​1050)
  7. Cannot type Got options properly due to missing types (#​954)
  8. got.mergeOptions(...) doesn't merge URLSearchParams instances (#​1011)
  9. The authorization header is leaking (#​1090)
  10. Pagination should ignore the resolveBodyOnly option (#​1140)
  11. Cannot reuse user-provided options (#​1118)
  12. Broken with Node.js ≥ 13.10.0 (#​1107)
  13. Cache is not decompressed (#​1158)
  14. beforeRetry hooks are missing options.context (#​1141)
  15. promise.json() doesn't throw ParseError (#​1069)
  16. Not compatible with [email protected] (#​1131)
  17. Shortcuts give body from the failed request on token renewal (#​1120)
  18. No effect when replacing the cache option in a Got instance (#​1098)
  19. Memory leak when using cache (#​1128)
  20. Got doesn't throw on aborted requests by the server (#​1096)

All changes


Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
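
The ^11.0.0 range in this update also matches 11.0.0 through 11.8.4, which predate the 11.8.5 fix named in the CVE-2022-33987 advisory, so the version actually installed is what matters. Added example (not part of this PR, Renovate or the got project): a Node.js check that walks the packages map of an npm lockfile and lists every installed copy of got older than the fixed versions. The sample lockfile and the example-* package names are constructed.

```javascript
// Fixed versions taken from the advisory text: 11.8.5 (11.x) and 12.1.0 (12.x).
const FIXED = { v11: [11, 8, 5], v12: [12, 1, 0] };

// Parse "major.minor.patch"; prerelease/build suffixes are ignored (assumption).
function parseVersion(version) {
    const match = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
    if (!match) throw new TypeError(`Unparseable version: ${version}`);
    return match.slice(1).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
    for (let i = 0; i < 3; i++) {
        if (a[i] !== b[i]) return a[i] - b[i];
    }
    return 0;
}

// Affected: anything below 11.8.5, and 12.x releases below 12.1.0.
function isAffected(version) {
    const parsed = parseVersion(version);
    const fixed = parsed[0] >= 12 ? FIXED.v12 : FIXED.v11;
    return compareVersions(parsed, fixed) < 0;
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3) and
// report every installed copy of got, including nested transitive copies.
function findAffectedGot(lockfile) {
    return Object.entries(lockfile.packages || {})
        .filter(([path]) => /(^|\/)node_modules\/got$/.test(path))
        .filter(([, entry]) => isAffected(entry.version))
        .map(([path, entry]) => ({ path, version: entry.version }));
}

// Constructed sample lockfile; package names other than got are hypothetical.
const sampleLockfile = {
    lockfileVersion: 3,
    packages: {
        '': { dependencies: { got: '^11.0.0' } },
        'node_modules/got': { version: '11.8.2' },
        'node_modules/example-updater/node_modules/got': { version: '9.6.0' },
        'node_modules/example-client/node_modules/got': { version: '12.1.0' }
    }
};

console.log(findAffectedGot(sampleLockfile));
```

In a real project, pass the parsed contents of package-lock.json instead of sampleLockfile; nested copies pulled in by other packages are not changed by this PR's range bump.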

@renovate renovate bot changed the title fix(deps): update dependency got to v11 [security] fix(deps): update dependency got to v11 [security] - autoclosed Aug 22, 2022
@renovate renovate bot closed this Aug 22, 2022
@renovate renovate bot deleted the renovate/npm-got-vulnerability branch August 22, 2022 21:10
@renovate renovate bot changed the title fix(deps): update dependency got to v11 [security] - autoclosed fix(deps): update dependency got to v11 [security] Aug 23, 2022
@renovate renovate bot reopened this Aug 23, 2022
@renovate renovate bot restored the renovate/npm-got-vulnerability branch August 23, 2022 00:15
@renovate renovate bot changed the title fix(deps): update dependency got to v11 [security] Update dependency got to v11 [SECURITY] Dec 17, 2022
@renovate renovate bot changed the title Update dependency got to v11 [SECURITY] fix(deps): update dependency got to v11 [security] Dec 17, 2022
@renovate renovate bot changed the title fix(deps): update dependency got to v11 [security] fix(deps): update dependency got to v11 [security] - autoclosed Jan 19, 2023
@renovate renovate bot closed this Jan 19, 2023
@renovate renovate bot deleted the renovate/npm-got-vulnerability branch January 19, 2023 04:40
@renovate renovate bot changed the title fix(deps): update dependency got to v11 [security] - autoclosed fix(deps): update dependency got to v11 [security] Jan 19, 2023
@renovate renovate bot reopened this Jan 19, 2023