[Security] Bump follow-redirects from 1.15.1 to 1.15.4 in /frontend (!147) · Merge requests · tools / LibVirtManager

Dependabot requested to merge dependabot-npm_and_yarn-frontend-follow-redirects-1.15.4 into master Jan 09, 2024

Bumps follow-redirects from 1.15.1 to 1.15.4. This update includes a security fix.

Vulnerabilities fixed

Follow Redirects improperly handles URLs in the url.parse() function Versions of the package follow-redirects before 1.15.4 are vulnerable to Improper Input Validation due to the improper handling of URLs by the url.parse() function. When new URL() throws an error, it can be manipulated to misinterpret the hostname. An attacker could exploit this weakness to redirect traffic to a malicious site, potentially leading to information disclosure, phishing attacks, or other security breaches.

Patched versions: 1.15.4 Affected versions: < 1.15.4

Commits

6585820 Release version 1.15.4 of the npm package.
7a6567e Disallow bracketed hostnames.
05629af Prefer native URL instead of deprecated url.parse.
1cba8e8 Prefer native URL instead of legacy url.resolve.
72bc2a4 Simplify _processResponse error handling.
3d42aec Add bracket tests.
bcbb096 Do not directly set Error properties.
192dbe7 Release version 1.15.3 of the npm package.
bd8c81e Fix resource leak on destroy.
9c728c3 Split linting and testing.
Additional commits viewable in compare view

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

$dependabot rebase will rebase this MR
$dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts

[Security] Bump follow-redirects from 1.15.1 to 1.15.4 in /frontend

Merge request reports