chore(deps): [Security] Bump npm-registry-fetch from 4.0.2 to 4.0.6#42
Closed
![dependabot-preview[bot]](https://avatars.githubusercontent.com/in/2141?v=4)
Bumps [npm-registry-fetch](https://github.com/npm/registry-fetch) from 4.0.2 to 4.0.6. **This update includes a security fix.** <details> <summary>Vulnerabilities fixed</summary> <p><em>Sourced from <a href="https://github.com/advisories/GHSA-jmqm-f2gx-4fjv">The GitHub Security Advisory Database</a>.</em></p> <blockquote> <p><strong>Sensitive information exposure through logs in npm-registry-fetch</strong> Affected versions of <code>npm-registry-fetch</code> are vulnerable to an information exposure vulnerability through log files. The cli supports URLs like <code>://[[:]@][:][:][/]</code>. The password value is not redacted and is printed to stdout and also to any generated log files.</p> <p>Affected versions: < 4.0.5</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/npm/npm-registry-fetch/blob/v4.0.6/CHANGELOG.md">npm-registry-fetch's changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/npm/registry-fetch/compare/v4.0.5...v4.0.6">4.0.6</a> (2020-08-14)</h2> <h3>Bug Fixes</h3> <ul> <li>import URL from url module (<a href="https://github.com/npm/registry-fetch/commit/cd35987">cd35987</a>)</li> </ul> <p><!-- raw HTML omitted --><!-- raw HTML omitted --></p> <h2><a href="https://github.com/npm/registry-fetch/compare/v4.0.4...v4.0.5">4.0.5</a> (2020-06-30)</h2> <p><!-- raw HTML omitted --><!-- raw HTML omitted --></p> <h2><a href="https://github.com/npm/registry-fetch/compare/v4.0.3...v4.0.4">4.0.4</a> (2020-04-28)</h2> <p><!-- raw HTML omitted --><!-- raw HTML omitted --></p> <h2><a href="https://github.com/npm/registry-fetch/compare/v4.0.2...v4.0.3">4.0.3</a> (2020-02-13)</h2> <h3>Bug Fixes</h3> <ul> <li>always bypass cache when ?write=true (<a href="https://github.com/npm/registry-fetch/commit/ba8b4fe">ba8b4fe</a>)</li> <li>use 30s default for timeout as per README (<a href="https://github.com/npm/registry-fetch/commit/69c2977">69c2977</a>), closes <a href="https://github-redirect.dependabot.com/npm/registry-fetch/issues/20">#20</a></li> </ul> <p><!-- raw HTML omitted --><!-- raw HTML omitted --></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/npm/npm-registry-fetch/commit/2275f55f59c90bbbd9b5399598ae630ddff0c478"><code>2275f55</code></a> chore(release): 4.0.6</li> <li><a href="https://github.com/npm/npm-registry-fetch/commit/cd3598735b0edb3f007c26ec878b9a6461239683"><code>cd35987</code></a> fix: import URL from url module</li> <li><a href="https://github.com/npm/npm-registry-fetch/commit/62ce833c8c01a1a307bcdf36d472b36b5b79bf81"><code>62ce833</code></a> chore(release): 4.0.5</li> <li><a href="https://github.com/npm/npm-registry-fetch/commit/43a5d842ead91368384387e6f003076a32a53523"><code>43a5d84</code></a> chore: remove basic auth data from logs</li> <li><a href="https://github.com/npm/npm-registry-fetch/commit/71ab0e79d5aed213b63b75b224ad0d5f44dd0d7e"><code>71ab0e7</code></a> chore(release): 4.0.4</li> <li><a href="https://github.com/npm/npm-registry-fetch/commit/fc5d94c39ca218d78df77249ab3a6bf1d9ed9db1"><code>fc5d94c</code></a> Put default timeout back to zero</li> <li><a href="https://github.com/npm/npm-registry-fetch/commit/2e0c446083638e7973a91a8c3fb81aeab98302f5"><code>2e0c446</code></a> chore(release): 4.0.3</li> <li><a href="https://github.com/npm/npm-registry-fetch/commit/d7d8c5873894fc415ba252319cc5af27dca174da"><code>d7d8c58</code></a> chore: publish as latest-v4</li> <li><a href="https://github.com/npm/npm-registry-fetch/commit/69c297732cfe2d23f0303ab931a7b02364107388"><code>69c2977</code></a> fix: use 30s default for timeout as per README</li> <li><a href="https://github.com/npm/npm-registry-fetch/commit/fe7b12936ae3ed00b6c7f915cd6e375f1bc9bb45"><code>fe7b129</code></a> chore(doc): document the effect of ?write=true on caching</li> <li>Additional commits viewable in <a href="https://github.com/npm/registry-fetch/compare/v4.0.2...v4.0.6">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~claudiahdz">claudiahdz</a>, a new releaser for npm-registry-fetch since your current version.</p> </details> <br /> [](https://dependabot.com/compatibility-score/?dependency-name=npm-registry-fetch&package-manager=npm_and_yarn&previous-version=4.0.2&new-version=4.0.6) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language - `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com): - Update frequency (including time of day and day of week) - Pull request limits (per update run and/or open at any time) - Out-of-range updates (receive only lockfile updates, if desired) - Security updates (receive only security updates, if desired) </details>
AI Analysis
This issue appears to be discussing a feature request or bug report related to the repository. Based on the content, it seems to be resolved. The issue was opened by dependabot-preview[bot] and has received 1 comments.
Add a comment
Comment form would go here