🚨 [security] Update node-fetch: 2.6.0 → 2.6.1 (patch)

[depfu]

---

Welcome to Depfu 👋

This is one of the first three pull requests with dependency updates we've sent your way. We tried to start with a few easy patch-level updates. Hopefully your tests will pass and you can merge this pull request without too much risk. This should give you an idea how Depfu works in general.

After you merge your first pull request, we'll send you a few more. We'll never open more than seven PRs at the same time so you're not getting overwhelmed with updates.

Let us know if you have any questions. Thanks so much for giving Depfu a try!

---

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ node-fetch (2.6.0 → 2.6.1) · Repo · Changelog

Security Advisories 🚨

🚨 The `size` option isn't honored after following a redirect in node-fetch

Impact

Node Fetch did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure.

For most people, this fix will have a little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: If you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.

Patches

We released patched versions for both stable and beta channels:

• For v2: 2.6.1
• For v3: 3.0.0-beta.9

Workarounds

None, it is strongly recommended to update as soon as possible.

For more information

If you have any questions or comments about this advisory:

• Open an issue in node-fetch
• Contact one of the core maintainers (@xxczaki, @bitinn, @jimmywarting, @Richienb, or @gr2m)

Release Notes

2.6.1

This is an important security release. It is strongly recommended to update as soon as possible.

See CHANGELOG for details.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 12 commits:

• update version number
• Honor the `size` option after following a redirect and revert data uri support
• docs: Fix typos and grammatical errors in README.md (#686)
• fix: Change error message thrown with redirect mode set to error (#653)
• docs: Show backers in README
• fix: Properly parse meta tag when parameters are reversed (#682)
• chore: Add opencollective badge
• chore: Add funding link
• fix: Check for global.fetch before binding it (#674)
• docs: Add Discord badge
• feat: Data URI support (#659)
• Remove --save option as it isn't required anymore (#581)

✳️ @​babel/runtime (7.10.3 → 7.11.2) · Repo · Changelog

Release Notes

7.11.2

v7.11.2 (2020-08-05)

🐛 Bug Fix

• babel-parser
  • #11916 fix: do not eat get/set after async is parsed (@JLHwung)

Committers: 1

• Huáng Jùnliàng (@JLHwung)

7.11.1

v7.11.1 (2020-08-04)

🐛 Bug Fix

• babel-parser
  • #11912 rescan gt/lt token after TsAsExpression is parsed (@JLHwung)
• babel-core
  • #11906 Do not cache non-existent config files forever (@devongovett)
• babel-plugin-transform-block-scoping, babel-standalone
  • #11901 fix: ensure […map.keys] can be correctly transformed in loose mode (@JLHwung)

📝 Documentation

• #11900 docs: remove experimental warning on README (@JLHwung)

🏠 Internal

• babel-parser
  • #11871 Parser refactoring (@JLHwung)
• Other
  • #11899 Update @babel/* deps (@JLHwung)

Committers: 2

• Devon Govett (@devongovett)
• Huáng Jùnliàng (@JLHwung)

7.11.0

v7.11.0 (2020-07-30)

Thanks @coderaiser, @cwohlman, @morrme, @ryzokuken, @SirWindfield, @sz-coder and @vahnag for their first PRs!

👓 Spec Compliance

• babel-parser
  • #11852 fix: disallow \8, \9 in strict mode string (@JLHwung)
  • #11854 fix: allow 09.1_1 and 09e1_1 in sloppy mode (@JLHwung)
• babel-plugin-proposal-optional-chaining
  • #11850 fix: eval?.() is indirect (@JLHwung)

🚀 New Feature

• babel-cli, babel-core
  • #11588 add showConfig support (@JLHwung)
• babel-compat-data, babel-preset-env
  • #11876 enable logical assignment in babel preset env (@morrme)
  • #11865 Add numeric-separator to preset-env (@JLHwung)
  • #11849 Add export-namespace-from to preset-env (@JLHwung)
• babel-parser
  • #11863 feat: enable numericSeparator parsing support (@JLHwung)
  • #11755 Allow unknown/any in TS catch clause param (@existentialism)
  • #11753 TypeScript 4.0: Allow spread in the middle of tuples (@nicolo-ribaudo)
  • #11815 eslint-parser: ES2020 features (@JLHwung)
• babel-generator, babel-parser, babel-types
  • #11754 TypeScript 4.0: Support labeled tuple elements (@nicolo-ribaudo)
• babel-core, babel-generator, babel-parser, babel-plugin-syntax-decimal, babel-standalone, babel-types
  • #11640 Add decimal parsing support (@JLHwung)
• babel-core
  • #10241 Add cloneInputAst option to babel.transformFromAst (@coderaiser)

🐛 Bug Fix

• Other
  • #11896 update: hardcode @babel/eslint-parser min supported version check (@kaicataldo)
• babel-helper-skip-transparent-expression-wrappers, babel-plugin-proposal-optional-chaining, babel-plugin-transform-spread
  • #11404 Skip TSAsExpression when transforming spread in CallExpression (@oliverdunk)
• babel-helper-member-expression-to-functions, babel-plugin-proposal-class-properties, babel-plugin-proposal-logical-assignment-operators
  • #11702 add support for logical assignments with private properties (@ryzokuken)
• babel-plugin-transform-typescript
  • #11747 Typescript: always strip declare from class fields (@jamescdavis)
• babel-plugin-transform-runtime
  • #11893 Fix incorrect module path when absoluteRuntime is specified (@sz-coder)
• babel-parser
  • #11862 Correctly check reserved word for PropertyDefinition: IdentifierReference (@JLHwung)
  • #11847 fix: correctly set innerEndPos in CoverParenthesizedExpressionAndArrowParameterList (@JLHwung)
• babel-generator, babel-parser, babel-plugin-transform-typescript
  • #11767 Follow-up on initial TS4 catch param support (@JLHwung)
• babel-generator
  • #11836 Always retain lines for async arrow (@cwohlman)

💅 Polish

• babel-traverse
  • #11791 babel-traverse: prefer clearer, reduced-bias option naming (@jayaddison)

🏠 Internal

• Other
  • #11688 fix build config to work the same when running on windows (@zxbodya)
  • #11894 Prepare to publish @babel/eslint-* packages (@JLHwung)
  • #11879 chore: use modules: "auto" (@JLHwung)
  • #11875 chore(github): fix issue template typo (@SirWindfield)
  • #11706 chore: update spec-new in CONTRIBUTING.md [skip ci] (@JLHwung)
• babel-standalone
  • #11777 chore: build standalone once in prepublish step (@JLHwung)
• babel-compat-data, babel-helper-compilation-targets, babel-preset-env
  • #11838 refactor: replace caniuse-db by mdn-browser-compat-data (@JLHwung)
• babel-compat-data, babel-core, babel-helper-module-transforms, babel-helper-split-export-declaration, babel-parser, babel-plugin-proposal-object-rest-spread, babel-plugin-transform-classes, babel-preset-env, babel-traverse, babel-types
  • #11846 chore: fix typo in codebase (@JLHwung)
• babel-types
  • #11843 refactor: reorganize babel types definitions structure (@JLHwung)
• babel-compat-data
  • #11837 chore: use repository HEAD when pulling third party repos (@JLHwung)

Committers: 15

• Bogdan Savluk (@zxbodya)
• Brian Ng (@existentialism)
• Huáng Jùnliàng (@JLHwung)
• James Addison (@jayaddison)
• James C. Davis (@jamescdavis)
• Joshua Ohlman (@cwohlman)
• Kai Cataldo (@kaicataldo)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Oliver Dunk (@oliverdunk)
• SZ-Coder (@sz-coder)
• Sven (@SirWindfield)
• Ujjwal Sharma (@ryzokuken)
• Vahagn Aharonian (@vahnag)
• @morrme
• coderaiser (@coderaiser)

7.10.5

v7.10.5 (2020-07-14)

Thanks @jayaddison and @RafaelSalguero for their first PRs!

🐛 Bug Fix

• babel-helper-builder-react-jsx-experimental, babel-helper-create-class-features-plugin, babel-helper-member-expression-to-functions, babel-helper-module-transforms, babel-helper-transform-fixture-test-runner, babel-plugin-proposal-async-generator-functions, babel-plugin-proposal-decorators, babel-plugin-proposal-function-bind, babel-plugin-proposal-partial-application, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-block-scoping, babel-plugin-transform-modules-amd, babel-plugin-transform-modules-systemjs, babel-plugin-transform-parameters, babel-plugin-transform-react-jsx-source, babel-plugin-transform-runtime, babel-plugin-transform-template-literals, babel-plugin-transform-typescript
  • #11807 Disallow duplicated AST nodes (@JLHwung)
• babel-parser
  • #11814 fix: add optional: false to chained optional call expression (@JLHwung)
  • #11774 fix: throw expect jsx plugin error when an idStart or > is seen (@JLHwung)
• babel-plugin-transform-typescript
  • #11816 Typescript transform now removes generic arguments from optional calls (Closes #11813) (@RafaelSalguero)
• babel-plugin-transform-block-scoping
  • #11802 Fix break/continue when switch is nested inside loop (@existentialism)
• babel-generator, babel-plugin-transform-typescript, babel-types
  • #11582 Refactor generated builder names in @babel/types (@zxbodya)
• babel-compat-data
  • #11783 fix: update class properties support matrix (@JLHwung)

📝 Documentation

• Other
  • #11799 docs: update README example and REPL link (@JLHwung)
  • #11761 Add note about running Make targets in Windows 10 (@kaicataldo)
• babel-parser
  • #11729 docs: add AST spec on optional chain [skip ci] (@JLHwung)

🏠 Internal

• babel-cli, babel-compat-data, babel-core, babel-helper-define-map, babel-helper-fixtures, babel-helper-module-transforms, babel-helper-regex, babel-helper-transform-fixture-test-runner, babel-node, babel-plugin-transform-proto-to-assign, babel-register, babel-traverse, babel-types
  • #11818 Bump some deps for audit (@existentialism)
• babel-helper-fixtures, babel-traverse
  • #11811 Replace lodash 'clone' usage with ES6 Spread initializer (@jayaddison)
• babel-helper-fixtures, babel-helper-transform-fixture-test-runner
  • #11812 Replace lodash 'extend' usage with Object.assign (@jayaddison)
• babel-plugin-transform-block-scoping
  • #11798 Reduce dependency on lodash functions: values, extends (@jayaddison)
• babel-generator, babel-plugin-transform-typescript, babel-types
  • #11582 Refactor generated builder names in @babel/types (@zxbodya)
• babel-cli, babel-generator, babel-helper-transform-fixture-test-runner, babel-traverse, babel-types
  • #11790 Reduce dependency on lodash functions: includes, uniq, repeat, isinteger (@jayaddison)
• Other
  • #11782 chore: refine yarn cache config (@JLHwung)
• babel-register
  • #11780 test: add console warn spy on babel-register tests (@JLHwung)
  • #11776 chore: remove babel-register generated test artifacts (@JLHwung)

Committers: 7

• Bogdan Savluk (@zxbodya)
• Brian Ng (@existentialism)
• Huáng Jùnliàng (@JLHwung)
• James Addison (@jayaddison)
• Kai Cataldo (@kaicataldo)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Rafael Salguero Iturrios (@RafaelSalguero)

7.10.4

v7.10.4 (2020-06-30)

Thanks @penguingovernor, @sajadtorkamani and @wojtekmaj for their first PRs!

👓 Spec Compliance

• babel-helper-member-expression-to-functions, babel-plugin-proposal-class-properties
  • #11669 Add delete obj?.#x.a support (@JLHwung)
• babel-parser, babel-types
  • #11652 fix: implement early errors for record and tuple (@JLHwung)

🐛 Bug Fix

• babel-types
  • #11752 [regression] Don't validate file.comments in @babel/types (@nicolo-ribaudo)
• babel-plugin-proposal-do-expressions, babel-types
  • #11724 fix: do-statementlist behavior (@wlawt)

💅 Polish

• babel-parser
  • #11722 Add better parser error when using jsx (@penguingovernor)
• babel-core
  • #11544 Refine babel core types (@JLHwung)

🏠 Internal

• babel-core, babel-helper-fixtures, babel-standalone, babel-traverse
  • #11758 Replace non-inclusive "whitelist" and "blacklist" terms with "allowlist" etc. (@wojtekmaj)
• babel-parser
  • #11376 Add @babel/eslint-plugin-development-internal (@kaicataldo)
• babel-core
  • #11544 Refine babel core types (@JLHwung)

Committers: 7

• Huáng Jùnliàng (@JLHwung)
• Jorge Henriquez (@penguingovernor)
• Kai Cataldo (@kaicataldo)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Simon Kotwicz (@simonkotwicz)
• William Law (@wlawt)
• Wojciech Maj (@wojtekmaj)

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ acorn (7.2.0 → 7.4.0) · Repo

Commits

See the full diff on Github. The new version differs by 16 commits:

• Mark version 7.4.0
• Remove link to plugin that's part of the repository now
• add numeric separators
• update test262
• add logical assignment operators
• update test262
• Also add license header to other packages
• Add "MIT License" at the top of acorn License file
• Mark version 7.2.0 of acorn-walk
• Mark version 7.3.1
• Mark version 7.1.0 of acorn-loose
• Mark version 7.3.0
• add optional chaining
• Fix parsing of ambiguous object pattern with a 'set' property with a default value
• Add type definitions for acorn.mjs (#954)
• Enable allowAwaitOutsideFunction in test262, update whitelist

✳️ strip-json-comments (3.1.0 → 3.1.1) · Repo

Release Notes

3.1.1

• Add jsonc to package.json keywords (#45) 60d2039

v3.1.0...v3.1.1

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by 3 commits:

• 3.1.1
• Meta tweaks
• Add `jsonc` to package.json keywords (#45)

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)

[github-actions]

	Fails
🚫	PR is not labeled with one of: ["cleanup","doc-dependencies:update","BREAKING CHANGE","feature request","bug","documentation","maintenance","dependencies:update","dependencies","other"]

Generated by 🚫 dangerJS against 7877562

[depfu]

Closed in favor of #144.

[depfu]

Closed in favor of #144.