Bump node-fetch from 2.6.1 to 3.1.1

[dependabot]

Bumps node-fetch from 2.6.1 to 3.1.1.

Release notes

Sourced from node-fetch's releases.

v3.1.1

Security patch release

Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred

What's Changed

• core: update fetch-blob by @​jimmywarting in node-fetch/node-fetch#1371
• docs: Fix typo around sending a file by @​jimmywarting in node-fetch/node-fetch#1381
• core: (http.request): Cast URL to string before sending it to NodeJS core by @​jimmywarting in node-fetch/node-fetch#1378
• core: handle errors from the request body stream by @​mdmitry01 in node-fetch/node-fetch#1392
• core: Better handle wrong redirect header in a response by @​tasinet in node-fetch/node-fetch#1387
• core: Don't use buffer to make a blob by @​jimmywarting in node-fetch/node-fetch#1402
• docs: update readme for TS @​types/node-fetch by @​adamellsworth in node-fetch/node-fetch#1405
• core: Fix logical operator priority to disallow GET/HEAD with non-empty body by @​maxshirshin in node-fetch/node-fetch#1369
• core: Don't use global buffer by @​jimmywarting in node-fetch/node-fetch#1422
• ci: fix main branch by @​dnalborczyk in node-fetch/node-fetch#1429
• core: use more node: protocol imports by @​dnalborczyk in node-fetch/node-fetch#1428
• core: Warn when using data by @​jimmywarting in node-fetch/node-fetch#1421
• docs: Create SECURITY.md by @​JamieSlome in node-fetch/node-fetch#1445
• core: don't forward secure headers to 3th party by @​jimmywarting in node-fetch/node-fetch#1449

New Contributors

• @​mdmitry01 made their first contribution in node-fetch/node-fetch#1392
• @​tasinet made their first contribution in node-fetch/node-fetch#1387
• @​adamellsworth made their first contribution in node-fetch/node-fetch#1405
• @​maxshirshin made their first contribution in node-fetch/node-fetch#1369
• @​JamieSlome made their first contribution in node-fetch/node-fetch#1445

Full Changelog: node-fetch/node-fetch@v3.1.0...v3.1.1

v3.1.0

What's Changed

• fix(Body): Discourage form-data and buffer() by @​jimmywarting in node-fetch/node-fetch#1212
• fix: Pass url string to http.request by @​serverwentdown in node-fetch/node-fetch#1268
• Fix octocat image link by @​lakuapik in node-fetch/node-fetch#1281
• fix(Body.body): Normalize Body.body into a node:stream by @​jimmywarting in node-fetch/node-fetch#924
• docs(Headers): Add default Host request header to README.md file by @​robertoaceves in node-fetch/node-fetch#1316
• Update CHANGELOG.md by @​jimmywarting in node-fetch/node-fetch#1292
• Add highWaterMark to cloned properties by @​davesidious in node-fetch/node-fetch#1162
• Update README.md to fix HTTPResponseError by @​thedanfernandez in node-fetch/node-fetch#1135
• docs: switch url to URL by @​dhritzkiv in node-fetch/node-fetch#1318
• fix(types): declare buffer() deprecated by @​dnalborczyk in node-fetch/node-fetch#1345
• chore: fix lint by @​dnalborczyk in node-fetch/node-fetch#1348
• refactor: use node: prefix for imports by @​dnalborczyk in node-fetch/node-fetch#1346
• Bump data-uri-to-buffer from 3.0.1 to 4.0.0 by @​dependabot in node-fetch/node-fetch#1319
• Bump mocha from 8.4.0 to 9.1.3 by @​dependabot in node-fetch/node-fetch#1339
• Referrer and Referrer Policy by @​tekwiz in node-fetch/node-fetch#1057
• Add typing for Response.redirect(url, status) by @​c-w in node-fetch/node-fetch#1169
• chore: Correct stuff in README.md by @​Jiralite in node-fetch/node-fetch#1361
• docs: Improve clarity of "Loading and configuring" by @​serverwentdown in node-fetch/node-fetch#1323
• feat(Body): Added support for BodyMixin.formData() and constructing bodies with FormData by @​jimmywarting in node-fetch/node-fetch#1314

... (truncated)

Changelog

Sourced from node-fetch's changelog.

Changelog

All notable changes will be recorded here.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

What's Changed

• core: update fetch-blob by @​jimmywarting in node-fetch/node-fetch#1371
• docs: Fix typo around sending a file by @​jimmywarting in node-fetch/node-fetch#1381
• core: (http.request): Cast URL to string before sending it to NodeJS core by @​jimmywarting in node-fetch/node-fetch#1378
• core: handle errors from the request body stream by @​mdmitry01 in node-fetch/node-fetch#1392
• core: Better handle wrong redirect header in a response by @​tasinet in node-fetch/node-fetch#1387
• core: Don't use buffer to make a blob by @​jimmywarting in node-fetch/node-fetch#1402
• docs: update readme for TS @​types/node-fetch by @​adamellsworth in node-fetch/node-fetch#1405
• core: Fix logical operator priority to disallow GET/HEAD with non-empty body by @​maxshirshin in node-fetch/node-fetch#1369
• core: Don't use global buffer by @​jimmywarting in node-fetch/node-fetch#1422
• ci: fix main branch by @​dnalborczyk in node-fetch/node-fetch#1429
• core: use more node: protocol imports by @​dnalborczyk in node-fetch/node-fetch#1428
• core: Warn when using data by @​jimmywarting in node-fetch/node-fetch#1421
• docs: Create SECURITY.md by @​JamieSlome in node-fetch/node-fetch#1445
• core: don't forward secure headers to 3th party by @​jimmywarting in node-fetch/node-fetch#1449

New Contributors

• @​mdmitry01 made their first contribution in node-fetch/node-fetch#1392
• @​tasinet made their first contribution in node-fetch/node-fetch#1387
• @​adamellsworth made their first contribution in node-fetch/node-fetch#1405
• @​maxshirshin made their first contribution in node-fetch/node-fetch#1369
• @​JamieSlome made their first contribution in node-fetch/node-fetch#1445

Full Changelog: node-fetch/node-fetch@v3.1.0...v3.1.2

3.1.0

What's Changed

• fix(Body): Discourage form-data and buffer() by @​jimmywarting in node-fetch/node-fetch#1212
• fix: Pass url string to http.request by @​serverwentdown in node-fetch/node-fetch#1268
• Fix octocat image link by @​lakuapik in node-fetch/node-fetch#1281
• fix(Body.body): Normalize Body.body into a node:stream by @​jimmywarting in node-fetch/node-fetch#924
• docs(Headers): Add default Host request header to README.md file by @​robertoaceves in node-fetch/node-fetch#1316
• Update CHANGELOG.md by @​jimmywarting in node-fetch/node-fetch#1292
• Add highWaterMark to cloned properties by @​davesidious in node-fetch/node-fetch#1162
• Update README.md to fix HTTPResponseError by @​thedanfernandez in node-fetch/node-fetch#1135
• docs: switch url to URL by @​dhritzkiv in node-fetch/node-fetch#1318
• fix(types): declare buffer() deprecated by @​dnalborczyk in node-fetch/node-fetch#1345
• chore: fix lint by @​dnalborczyk in node-fetch/node-fetch#1348
• refactor: use node: prefix for imports by @​dnalborczyk in node-fetch/node-fetch#1346
• Bump data-uri-to-buffer from 3.0.1 to 4.0.0 by @​dependabot in node-fetch/node-fetch#1319
• Bump mocha from 8.4.0 to 9.1.3 by @​dependabot in node-fetch/node-fetch#1339
• Referrer and Referrer Policy by @​tekwiz in node-fetch/node-fetch#1057
• Add typing for Response.redirect(url, status) by @​c-w in node-fetch/node-fetch#1169

... (truncated)

Commits

• 36e47e8 3.1.1 release (#1451)
• 5304f3f Don't change relative location header on manual redirect (#1105)
• f5d3cf5 fix(Headers): don't forward secure headers to 3th party (#1449)
• f2c3d56 Create SECURITY.md (#1445)
• 4ae3538 core: Warn when using data (#1421)
• 41f53b9 fix: use more node: protocol imports (#1428)
• f674875 ci: fix main branch (#1429)
• 1493d04 core: Don't use global buffer (#1422)
• eb33090 Chore: Fix logical operator priority (regression) to disallow GET/HEAD with n...
• 7ba5bc9 update readme for TS @​type/node-fetch (#1405)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by endless, a new releaser for node-fetch since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

[changelogg]

Hey! Changelogs info seems to be missing or might be in incorrect format.
Please use the below template in PR description to ensure Changelogg can detect your changes:
- (tag) changelog_text
or
- tag: changelog_text
OR
You can add tag in PR header or while doing a commit too
(tag) PR header
or
tag: PR header
Valid tags: added / feat, changed, deprecated, fixed / fix, removed, security, build, ci, chore, docs, perf, refactor, revert, style, test
Thanks!
For more info, check out changelogg docs

[performance-testing-bot]

Unable to locate .performanceTestingBot config file

[pull-request-quantifier-deprecated]

This PR has 2 quantified lines of changes. In general, a change size of upto 200 lines is ideal for the best PR experience!

---

Quantification details

Label      : Extra Small
Size       : +1 -1
Percentile : 0.8%

Total files changed: 2

Change summary by file extension:
.json : +1 -1

Change counts above are quantified counts, based on the PullRequestQuantifier customizations.

Why proper sizing of changes matters

Optimal pull request sizes drive a better predictable PR flow as they strike a
balance between between PR complexity and PR review overhead. PRs within the
optimal size (typical small, or medium sized PRs) mean:

• Fast and predictable releases to production:
  • Optimal size changes are more likely to be reviewed faster with fewer
    iterations.
  • Similarity in low PR complexity drives similar review times.
• Review quality is likely higher as complexity is lower:
  • Bugs are more likely to be detected.
  • Code inconsistencies are more likely to be detetcted.
• Knowledge sharing is improved within the participants:
  • Small portions can be assimilated better.
• Better engineering practices are exercised:
  • Solving big problems by dividing them in well contained, smaller problems.
  • Exercising separation of concerns within the code changes.

What can I do to optimize my changes

• Use the PullRequestQuantifier to quantify your PR accurately
  • Create a context profile for your repo using the context generator
  • Exclude files that are not necessary to be reviewed or do not increase the review complexity. Example: Autogenerated code, docs, project IDE setting files, binaries, etc. Check out the Excluded section from your prquantifier.yaml context profile.
  • Understand your typical change complexity, drive towards the desired complexity by adjusting the label mapping in your prquantifier.yaml context profile.
  • Only use the labels that matter to you, see context specification to customize your prquantifier.yaml context profile.
• Change your engineering behaviors
  • For PRs that fall outside of the desired spectrum, review the details and check if:
    • Your PR could be split in smaller, self-contained PRs instead
    • Your PR only solves one particular issue. (For example, don't refactor and code new features in the same PR).

How to interpret the change counts in git diff output

• One line was added: +1 -0
• One line was deleted: +0 -1
• One line was modified: +1 -1 (git diff doesn't know about modified, it will
  interpret that line like one addition plus one deletion)
• Change percentiles: Change characteristics (addition, deletion, modification)
  of this PR in relation to all other PRs within the repository.

---

Was this comment helpful? 👍  :ok_hand:  :thumbsdown: (Email)
Customize PullRequestQuantifier for this repository.

[mergebase-codegreen]

Mergebase Code Green

Updated Vulnerability Report

The report below shows the state of the repository after the pull request.

Critical

Vulnerability	Dependency	Source Path
CVE-2019-10744	npm:lodash.defaults:4.2.0	package-lock.json
CVE-2021-26707	npm:merge-deep:3.0.2	package-lock.json

Extra High

Vulnerability	Dependency	Source Path
CVE-2020-8265	npm:@types/node:14.10.0	package-lock.json

High

Vulnerability	Dependency	Source Path
CVE-2021-33502	npm:@sindresorhus/is:0.14.0	package-lock.json
CVE-2021-33502	npm:@sindresorhus/is:2.1.1	package-lock.json
CVE-2021-33502	npm:@szmarczak/http-timer:1.1.2	package-lock.json
CVE-2021-33502	npm:@szmarczak/http-timer:4.0.5	package-lock.json
CVE-2021-33502	npm:@types/cacheable-request:6.0.1	package-lock.json
CVE-2021-33502	npm:@types/http-cache-semantics:4.0.0	package-lock.json
CVE-2021-33502	npm:@types/keyv:3.1.1	package-lock.json
CVE-2021-22884, CVE-2021-22883, CVE-2020-8277, CVE-2020-8252, CVE-2020-8251, CVE-2020-8201	npm:@types/node:14.10.0	package-lock.json
CVE-2021-33502	npm:@types/responselike:1.0.0	package-lock.json
CVE-2021-33502	npm:cacheable-lookup:2.0.1	package-lock.json
CVE-2021-33502	npm:cacheable-request:6.1.0	package-lock.json
CVE-2021-33502	npm:cacheable-request:7.0.1	package-lock.json
CVE-2021-33502	npm:clone-response:1.0.2	package-lock.json
CVE-2021-33502	npm:defer-to-connect:1.1.3	package-lock.json
CVE-2021-33502	npm:defer-to-connect:2.0.0	package-lock.json
CVE-2020-28469	npm:glob-parent:3.1.0	package-lock.json
CVE-2020-28469	npm:glob-parent:5.1.0	package-lock.json
CVE-2020-28469	npm:glob-parent:5.1.1	package-lock.json
CVE-2021-33502	npm:got:10.7.0	package-lock.json
CVE-2021-33502	npm:got:9.6.0	package-lock.json
CVE-2021-33502	npm:http-cache-semantics:4.0.3	package-lock.json
CVE-2021-33502	npm:keyv:3.1.0	package-lock.json
CVE-2021-33502	npm:keyv:4.0.1	package-lock.json
CVE-2019-20149	npm:kind-of:2.0.1	package-lock.json
CVE-2019-20149	npm:kind-of:3.2.2	package-lock.json
CVE-2019-20149	npm:kind-of:4.0.0	package-lock.json
CVE-2019-20149	npm:kind-of:5.1.0	package-lock.json
CVE-2021-23337	npm:lodash.assignin:4.2.0	package-lock.json
CVE-2021-23337	npm:lodash.bind:4.2.1	package-lock.json
CVE-2021-23337	npm:lodash.defaults:4.2.0	package-lock.json
CVE-2021-23337	npm:lodash.filter:4.6.0	package-lock.json
CVE-2021-23337	npm:lodash.flatten:4.4.0	package-lock.json
CVE-2021-23337	npm:lodash.foreach:4.5.0	package-lock.json
CVE-2021-23337	npm:lodash.get:4.4.2	package-lock.json
CVE-2021-23337	npm:lodash.map:4.6.0	package-lock.json
CVE-2021-23337	npm:lodash.merge:4.6.2	package-lock.json
CVE-2021-23337	npm:lodash.pick:4.4.0	package-lock.json
CVE-2021-23337	npm:lodash.reduce:4.6.0	package-lock.json
CVE-2021-23337	npm:lodash.reject:4.6.0	package-lock.json
CVE-2021-23337	npm:lodash.set:4.3.2	package-lock.json
CVE-2021-23337	npm:lodash.some:4.6.0	package-lock.json
CVE-2021-23337	npm:lodash.sortby:4.7.0	package-lock.json
CVE-2021-23337	npm:lodash.uniq:4.5.0	package-lock.json
CVE-2021-23337	npm:lodash:4.17.20	package-lock.json
CVE-2021-21306	npm:marked:1.2.9	package-lock.json
CVE-2021-33502	npm:normalize-url:1.9.1	package-lock.json
CVE-2021-33502	npm:normalize-url:4.2.0	package-lock.json
CVE-2021-29469	npm:redis-commands:1.6.0	package-lock.json
CVE-2021-29469	npm:redis-errors:1.2.0	package-lock.json
CVE-2021-29469	npm:redis-parser:3.0.0	package-lock.json
CVE-2021-29469	npm:redis:3.0.2	package-lock.json
CVE-2021-33502	npm:responselike:1.0.2	package-lock.json
CVE-2021-33502	npm:responselike:2.0.0	package-lock.json
CVE-2021-27290	npm:ssri:6.0.1	package-lock.json
CVE-2021-27290	npm:ssri:8.0.0	package-lock.json
CVE-2018-7408	npm:tar:4.4.13	package-lock.json
CVE-2017-15010	npm:tough-cookie:2.4.3	package-lock.json
CVE-2020-7774	npm:y18n:4.0.0	package-lock.json

Medium

Vulnerability	Dependency	Source Path
CVE-2020-7598	npm:@types/minimist:1.2.1	package-lock.json
CVE-2020-8287	npm:@types/node:14.10.0	package-lock.json
CVE-2020-7608	npm:@types/yargs-parser:13.1.0	package-lock.json
CVE-2020-15366	npm:ajv:6.11.0	package-lock.json
CVE-2020-8244	npm:bl:4.0.3	package-lock.json
CVE-2021-23364	npm:browserslist:4.16.3	package-lock.json
CVE-2021-23382	npm:colorette:1.2.1	package-lock.json
CVE-2020-28498	npm:elliptic:6.5.3	package-lock.json
CVE-2021-23362	npm:hosted-git-info:2.7.1	package-lock.json
CVE-2020-28500	npm:lodash.assignin:4.2.0	package-lock.json
CVE-2020-28500	npm:lodash.bind:4.2.1	package-lock.json
CVE-2020-28500, CVE-2018-3721, CVE-2018-16487	npm:lodash.defaults:4.2.0	package-lock.json
CVE-2020-28500	npm:lodash.filter:4.6.0	package-lock.json
CVE-2020-28500	npm:lodash.flatten:4.4.0	package-lock.json
CVE-2020-28500	npm:lodash.foreach:4.5.0	package-lock.json
CVE-2020-28500	npm:lodash.get:4.4.2	package-lock.json
CVE-2020-28500	npm:lodash.map:4.6.0	package-lock.json
CVE-2020-28500	npm:lodash.merge:4.6.2	package-lock.json
CVE-2020-28500	npm:lodash.pick:4.4.0	package-lock.json
CVE-2020-28500	npm:lodash.reduce:4.6.0	package-lock.json
CVE-2020-28500	npm:lodash.reject:4.6.0	package-lock.json
CVE-2020-28500	npm:lodash.set:4.3.2	package-lock.json
CVE-2020-28500	npm:lodash.some:4.6.0	package-lock.json
CVE-2020-28500	npm:lodash.sortby:4.7.0	package-lock.json
CVE-2020-28500	npm:lodash.uniq:4.5.0	package-lock.json
CVE-2020-28500	npm:lodash:4.17.20	package-lock.json
CVE-2021-23382, CVE-2021-23368	npm:postcss:7.0.21	package-lock.json
CVE-2021-23382, CVE-2021-23368	npm:postcss:7.0.35	package-lock.json
CVE-2018-6341	npm:scheduler:0.20.1	package-lock.json
CVE-2021-32640	npm:ws:6.2.1	package-lock.json
CVE-2021-32640	npm:ws:7.2.5	package-lock.json

Low

Vulnerability	Dependency	Source Path
CVE-2013-7035	npm:react-dom:17.0.1	package-lock.json
CVE-2013-7035	npm:react-is:16.13.1	package-lock.json
CVE-2013-7035	npm:react:17.0.1	package-lock.json
CVE-2013-7035	npm:scheduler:0.20.1	package-lock.json

[vizipi]

Pull request analysis by VIZIPI

Below you will find who is the most qualified team member to review your code.
This analysis includes his/her work on the code included in this Pull request, in addition to their experience in code affected by these changes ( partly found within the list of potential missing files below )   Feedback always welcome

Reviewers with knowledge related to these changes

Match %	Person	Commit Count	Common Files
100.00 %	Jason Etcovitch	17	2
100.00 %	Sarah Schneider	14	2
100.00 %	Kevin Heis	12	2
100.00 %	James M. Greene	8	2
100.00 %	Rachael Sewell	7	2
100.00 %	Lucas Costi	6	2

---

Potential missing files from this Pull request

No commonly committed files found with a 40% threashold

---

Committed file ranks

(click to expand)

99.99%[package-lock.json]

100.00%[package.json]

[guardrails]

⚠️ We detected 1 security issue in this pull request:

Vulnerable Libraries (1)

Severity	Details
High	node-fetch@2.6.7 - no patch available

More info on how to fix Vulnerable Libraries in JavaScript.

---

👉 Go to the dashboard for detailed results.

📥 Happy? Share your feedback with us.

[secure-code-warrior-for-github]

Micro-Learning Topic: Vulnerable library (Detected by phrase)

Matched on "Vulnerable Libraries"

What is this? (2min video)

Use of vulnerable components will introduce weaknesses into the application. Components with published vulnerabilities will allow easy exploitation as resources will often be available to automate the process.

Try this challenge in Secure Code Warrior