From add3486cc3b55d4a5e11c8045058cef96538edc7 Mon Sep 17 00:00:00 2001 From: Tingluo Huang Date: Tue, 5 Apr 2022 13:01:33 -0400 Subject: [PATCH] Patch to fix the dependbot alert. (#744) * Patch to fix the dependbot alert. * . * . * . --- .licenses/npm/node-fetch.dep.yml | 2 +- dist/index.js | 32 +++++++++++++++++++++++++++++--- package-lock.json | 6 +++--- src/misc/licensed-check.sh | 2 +- src/misc/licensed-download.sh | 14 +++++++------- src/misc/licensed-generate.sh | 2 +- 6 files changed, 42 insertions(+), 16 deletions(-) diff --git a/.licenses/npm/node-fetch.dep.yml b/.licenses/npm/node-fetch.dep.yml index 938f08995..b49a78a11 100644 --- a/.licenses/npm/node-fetch.dep.yml +++ b/.licenses/npm/node-fetch.dep.yml @@ -1,6 +1,6 @@ --- name: node-fetch -version: 2.6.5 +version: 2.6.7 type: npm summary: A light-weight module that brings window.fetch to node.js homepage: https://github.com/bitinn/node-fetch diff --git a/dist/index.js b/dist/index.js index 1dab10c53..271b0540b 100644 --- a/dist/index.js +++ b/dist/index.js @@ -10195,7 +10195,7 @@ Object.defineProperty(Response.prototype, Symbol.toStringTag, { }); const INTERNALS$2 = Symbol('Request internals'); -const URL = whatwgUrl.URL; +const URL = Url.URL || whatwgUrl.URL; // fix an issue where "format", "parse" aren't a named export for node <10 const parse_url = Url.parse; @@ -10458,9 +10458,17 @@ AbortError.prototype = Object.create(Error.prototype); AbortError.prototype.constructor = AbortError; AbortError.prototype.name = 'AbortError'; +const URL$1 = Url.URL || whatwgUrl.URL; + // fix an issue where "PassThrough", "resolve" aren't a named export for node <10 const PassThrough$1 = Stream.PassThrough; -const resolve_url = Url.resolve; + +const isDomainOrSubdomain = function isDomainOrSubdomain(destination, original) { + const orig = new URL$1(original).hostname; + const dest = new URL$1(destination).hostname; + + return orig === dest || orig[orig.length - dest.length - 1] === '.' && orig.endsWith(dest); +}; /** * Fetch function @@ -10548,7 +10556,19 @@ function fetch(url, opts) { const location = headers.get('Location'); // HTTP fetch step 5.3 - const locationURL = location === null ? null : resolve_url(request.url, location); + let locationURL = null; + try { + locationURL = location === null ? null : new URL$1(location, request.url).toString(); + } catch (err) { + // error here can only be invalid URL in Location: header + // do not throw when options.redirect == manual + // let the user extract the errorneous redirect URL + if (request.redirect !== 'manual') { + reject(new FetchError(`uri requested responds with an invalid redirect URL: ${location}`, 'invalid-redirect')); + finalize(); + return; + } + } // HTTP fetch step 5.5 switch (request.redirect) { @@ -10596,6 +10616,12 @@ function fetch(url, opts) { size: request.size }; + if (!isDomainOrSubdomain(request.url, locationURL)) { + for (const name of ['authorization', 'www-authenticate', 'cookie', 'cookie2']) { + requestOpts.headers.delete(name); + } + } + // HTTP-redirect fetch step 9 if (res.statusCode !== 303 && request.body && getTotalBytes(request) === null) { reject(new FetchError('Cannot follow redirect with body being a readable stream', 'unsupported-redirect')); diff --git a/package-lock.json b/package-lock.json index 9a3d6f4c6..5269d6f61 100644 --- a/package-lock.json +++ b/package-lock.json @@ -15895,9 +15895,9 @@ "integrity": "sha512-1nh45deeb5olNY7eX82BkPO7SSxR5SSYJiPTrTdFUVYwAl8CKMA5N9PjTYkHiRjisVcxcQ1HXdLhx2qxxJzLNQ==" }, "node-fetch": { - "version": "2.6.5", - "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.5.tgz", - "integrity": "sha512-mmlIVHJEu5rnIxgEgez6b9GgWXbkZj5YZ7fx+2r94a2E+Uirsp6HsPTPlomfdHtpt/B0cdKviwkoaM6pyvUOpQ==", + "version": "2.6.7", + "resolved": "https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.7.tgz", + "integrity": "sha512-ZjMPFEfVx5j+y2yF35Kzx5sF7kDzxuDj6ziH4FFbOp87zKDZNx8yExJIb05OGF4Nlt9IHFIMBkRl41VdvcNdbQ==", "requires": { "whatwg-url": "^5.0.0" }, diff --git a/src/misc/licensed-check.sh b/src/misc/licensed-check.sh index f5066fd55..81987b6ca 100755 --- a/src/misc/licensed-check.sh +++ b/src/misc/licensed-check.sh @@ -5,4 +5,4 @@ set -e src/misc/licensed-download.sh echo 'Running: licensed cached' -_temp/licensed-3.3.1/licensed status \ No newline at end of file +_temp/licensed-3.6.0/licensed status \ No newline at end of file diff --git a/src/misc/licensed-download.sh b/src/misc/licensed-download.sh index 192091e0a..973e8e217 100755 --- a/src/misc/licensed-download.sh +++ b/src/misc/licensed-download.sh @@ -2,23 +2,23 @@ set -e -if [ ! -f _temp/licensed-3.3.1.done ]; then +if [ ! -f _temp/licensed-3.6.0.done ]; then echo 'Clearing temp' - rm -rf _temp/licensed-3.3.1 || true + rm -rf _temp/licensed-3.6.0 || true echo 'Downloading licensed' - mkdir -p _temp/licensed-3.3.1 - pushd _temp/licensed-3.3.1 + mkdir -p _temp/licensed-3.6.0 + pushd _temp/licensed-3.6.0 if [[ "$OSTYPE" == "darwin"* ]]; then - curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.3.1/licensed-3.3.1-darwin-x64.tar.gz + curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-darwin-x64.tar.gz else - curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.3.1/licensed-3.3.1-linux-x64.tar.gz + curl -Lfs -o licensed.tar.gz https://github.com/github/licensed/releases/download/3.6.0/licensed-3.6.0-linux-x64.tar.gz fi echo 'Extracting licenesed' tar -xzf licensed.tar.gz popd - touch _temp/licensed-3.3.1.done + touch _temp/licensed-3.6.0.done else echo 'Licensed already downloaded' fi diff --git a/src/misc/licensed-generate.sh b/src/misc/licensed-generate.sh index e66e03b3c..d2e18774d 100755 --- a/src/misc/licensed-generate.sh +++ b/src/misc/licensed-generate.sh @@ -5,4 +5,4 @@ set -e src/misc/licensed-download.sh echo 'Running: licensed cached' -_temp/licensed-3.3.1/licensed cache \ No newline at end of file +_temp/licensed-3.6.0/licensed cache \ No newline at end of file