Update dependency got to v12 [SECURITY] - autoclosed #503

Closed
wants to merge 1 commit into from


renovate[bot]

@renovate renovate bot commented Sep 25, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
got ^11.8.5 -> ^12.0.0 age adoption passing confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2022-33987

The got package before 11.8.5 and 12.1.0 for Node.js allows a redirect to a UNIX socket.


Release Notes

sindresorhus/got (got)

v12.0.0

Compare Source

Introducing Got v12.0.0 🎉

Long time no see! The latest Got version (v11.8.2) was released just in February ❄️
We have been working hard on squashing bugs and improving overall experience.

If you find Got useful, you might want to sponsor the Got maintainers.

This package is now pure ESM

Please read this. Also see https://github.com/sindresorhus/got/issues/1789.

  • Please don't open issues about [ERR_REQUIRE_ESM] and Must use import to load ES Module errors. This is a problem with your setup, not Got.
  • Please don't open issues about using Got with Jest. Jest does not fully support ESM.
  • Pretty much any problem with loading this package is a problem with your bundler, test framework, etc, not Got.
  • If you use TypeScript, you will want to stay on Got v11 until TypeScript 4.6 is out. Why.
  • If you use a bundler, make sure it supports ESM and that you have correctly configured it for ESM.
  • The Got issue tracker is not a support channel for your favorite build/bundler tool.
Required Node.js >=14

While working with streams, we encountered more Node.js bugs that needed workarounds.
In order to keep our code clean, we had to drop Node.js v12 as the code would get more messy.
We strongly recommend that you update Node.js to v14 LTS.

HTTP/2 support

Every Node.js release, the native http2 module gets more stable.
Unfortunately there are still some issues on the Node.js side, so we decided to keep HTTP/2 disabled for now.
We may enable it by default in Got v13. It is still possible to turn it on via the http2 option.

To run HTTP/2 requests, it is required to use Node.js v15.10 or above.

Bug fixes

Woah, we possibly couldn't make a release if we didn't fix some bugs!

Improvements
Breaking changes
Improved option normalization
  • Got exports an Option class that is specifically designed to parse and validate Got options.
    It is made of setters and getters that provide fast normalization and more consistent behavior.

When passing an option that does not exist, Got will throw an error. In order to retrieve the options before the error, use error.options.

import got from 'got';

try {
    await got('https://httpbin.org/anything', {
        thisOptionDoesNotExist: true
    });
} catch (error) {
    console.error(error);
    console.error(error.options.url.href);
    // Unexpected option: thisOptionDoesNotExist
    // https://httpbin.org/anything
}
  • The init hook now accepts a second argument: self, which points to an Options instance.

In order to define your own options, you have to move them to options.context in an init hook or store them in options.context directly.

  • The init hooks are run only when passing an options object explicitly.
- await got('https://example.com'); // this will *not* trigger the init hooks
+ await got('https://example.com', {}); // this *will** trigger init hooks
- got.defaults.options = got.mergeOptions(got.defaults.options, {…});
+ got.defaults.options.merge(…);
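Review bot: The comment on the `+` init-hooks line has an unbalanced emphasis marker, `*will**`; `*will*` would match the `*not*` on the `-` line. The `got.defaults.options` pair that follows is a different change (merging defaults) from the init-hooks pair and would be easier to follow as its own snippet with its own bullet.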

This fixes issues like #​1450

  • Legacy Url instances are not supported anymore. You need to use WHATWG URL instead.
- await got(string, {port: 8443});
+ const url = new URL(string);
+ url.port = 8443;
+ await got(url);
  • No implicit timeout declaration.
- await got('https://example.com', {timeout: 5000})
+ await got('https://example.com', {timeout: {request: 5000})
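Review bot: The `+` line is missing a closing brace: `{timeout: {request: 5000})` opens two objects and closes only one, so it is a syntax error when copied as-is. It should read `{timeout: {request: 5000}}`.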
  • No implicit retry declaration.
- await got('https://example.com', {retry: 5})
+ await got('https://example.com', {retry: {limit: 5})
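Review bot: The `+` line has the same unbalanced brace as the timeout snippet: `{retry: {limit: 5})` should be `{retry: {limit: 5}}`.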
  • dnsLookupIpVersion is now a number (4 or 6) or undefined
- await got('https://example.com', {dnsLookupIpVersion: 'ipv4'})
+ await got('https://example.com', {dnsLookupIpVersion: 4})
  • redirectUrls and requestUrl now give URL instances
- request.requestUrl
+ request.requestUrl.origin
+ request.requestUrl.href
+ request.requestUrl.toString()
- request.redirectUrls[0]
+ request.redirectUrls[0].origin
+ request.redirectUrls[0].href
+ request.redirectUrls[0].toString()
  • Renamed request.aborted to request.isAborted
- request.aborted
+ request.isAborted

Reason: consistency with options.isStream.

  • Renamed the lookup option to dnsLookup
- await got('https://example.com', {lookup: cacheable.lookup})
+ await got('https://example.com', {dnsLookup: cacheable.lookup})
  • The beforeRetry hook now accepts only two arguments: error and retryCount
await got('https://example.com', {
    hooks: {
        beforeRetry: [
-            (options, error, retryCount) => {
-                console.log(options, error, retryCount);
-            }
+            (error, retryCount) => {
+                console.log(error.options, error, retryCount);
+            }
        ]
    }
})

The options argument has been removed, however it's still accessible via error.options. All modifications on error.options will be reflected in the next requests (no behavior change, same as with Got 11).

  • The beforeRedirect hook's first argument (options) is now a cloned instance of the Request options.

This was done to make retrieving the original options possible: plainResponse.request.options.

await got('http://szmarczak.com', {
    hooks: {
        beforeRedirect: [
            (options, response) => {
-                console.log(options === response.request.options); //=> true [invalid! our original options were overriden]
+                console.log(options === response.request.options); //=> false [we can access the original options now]
            }
        ]
    }
})
  • The redirect event now takes two arguments in this order: updatedOptions and plainResponse.
- stream.on('redirect', (response, options) => …)
+ stream.on('redirect', (options, response) => …)

Reason: consistency with the beforeRedirect hook.

  • The socketPath option has been removed. Use the unix: protocol instead.
- got('/containers/json', {socketPath: '/var/run/docker.sock'})
+ got('unix:/var/run/docker.sock:/containers/json')
+ got('http://unix:/var/run/docker.sock:/containers/json')
  • The retryWithMergedOptions function in an afterResponse hook no longer returns a Promise.

It now throws RetryError, so this should be the last function being executed.
This was done to allow beforeRetry hooks getting called.

  • You can no longer set options.agent to false.
    To do so, you need to define all the options.agent properties: http, https and http2.
await got('https://example.com', {
-    agent: false
+    agent: {
+        http: false,
+        https: false,
+        http2: false
+    }
})
  • When passing a url option when paginating, it now needs to be an absolute URL - the prefixUrl option is always reset from now on. The same when retrying in an afterResponse hook.
- return {url: '/location'};
+ return {url: new URL('/location', response.request.options.url)};

There was confusion around the prefixUrl option. It was counterintuitive if used with the Pagination API. For example, it worked fine if the server replied with a relative URL, but if it was an absolute URL then the prefixUrl would end up duplicated. In order to fix this, Got now requires an absolute URL - no prefixUrl will be applied.

  • got.extend(…) will throw when passing some options that don't accept undefined - undefined no longer retains the old value, as setting undefined explicitly may reset the option
Documentation

We have redesigned the documentation so it's easier to navigate and find exactly what you are looking for. We hope you like it ❤️


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
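Added example (not part of the Renovate comment or of Got's code): a check of whether a caret range in package.json still admits releases that the advisory above describes as affected. It reads the advisory text as fixing the 11.x line at 11.8.5 and the 12.x line at 12.1.0; `caretBounds`, `isVulnerable` and `auditRange` are hypothetical helper names.

```javascript
// Fixed version per release line, taken from the advisory text on this page
// ("before 11.8.5 and 12.1.0"); the per-major reading is an assumption.
const FIXED = {11: [11, 8, 5], 12: [12, 1, 0]};

const parse = v => v.split('.').map(Number);
const cmp = (a, b) => a[0] - b[0] || a[1] - b[1] || a[2] - b[2];

// Expand "^X.Y.Z" (X >= 1) into its inclusive floor and exclusive ceiling.
function caretBounds(range) {
    const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range);
    if (!m || m[1] === '0') {
        throw new Error(`unsupported range: ${range}`);
    }
    const floor = m.slice(1).map(Number);
    return {floor, ceiling: [floor[0] + 1, 0, 0]};
}

// Is one concrete version (e.g. from a lockfile) in the affected set?
function isVulnerable(version) {
    const v = parse(version);
    const fixed = FIXED[v[0]];
    if (fixed) {
        return cmp(v, fixed) < 0;
    }
    // Assumption: majors older than 11 never received the fix,
    // majors newer than 12 already include it.
    return v[0] < 11;
}

// A caret range stays inside one major, and the affected versions of a major
// are everything below its fixed release, so the range admits an affected
// version exactly when its floor is affected.
function auditRange(range) {
    const {floor} = caretBounds(range);
    const fixed = FIXED[floor[0]];
    const admitsVulnerable = isVulnerable(floor.join('.'));
    return {
        range,
        floor: floor.join('.'),
        admitsVulnerable,
        suggested: admitsVulnerable && fixed ? `^${fixed.join('.')}` : range
    };
}

// The two ranges from the table in this PR.
console.log(auditRange('^11.8.5'));
console.log(auditRange('^12.0.0'));
```

A range check only bounds what the resolver may pick; running `isVulnerable` on the version actually recorded in the lockfile shows what is installed.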


vercel bot commented Sep 25, 2024

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
rollout ❌ Failed (Inspect) Sep 25, 2024 4:25pm

@renovate renovate bot changed the title Update dependency got to v12 [SECURITY] Update dependency got to v12 [SECURITY] - autoclosed Sep 25, 2024
@renovate renovate bot closed this Sep 25, 2024
@renovate renovate bot deleted the renovate/npm-got-vulnerability branch September 25, 2024 15:49