Update dependency request to ~2.68.0 [SECURITY]

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
request	~2.9 -> ~2.68.0

GitHub Vulnerability Alerts

CVE-2017-16026

Affected versions of request will disclose local system memory to remote systems in certain circumstances. When a multipart request is made, and the type of body is number, then a buffer of that size will be allocated and sent to the remote server as the body.

Proof of Concept

var request = require('request');
var http = require('http');

var serveFunction = function (req, res){
	req.on('data', function (data) {
            console.log(data)
        });
	res.end();
};
var server = http.createServer(serveFunction);
server.listen(8000);

request({
	method: "POST",
	uri: 'http://localhost:8000',
	multipart: [{body:500}]
},function(err,res,body){});

Recommendation

Update to version 2.68.0 or later

---

Release Notes

request/request (request)

v2.68.0

Compare Source

• #​2036 Add AWS Signature Version 4 (@​simov, @​mirkods)
• #​2022 Convert numeric multipart bodies to string (@​simov, @​feross)
• #​2024 Update har-validator dependency for nsp advisory #​76 (@​TylerDixon)
• #​2016 Update qs to version 6.0.2 🚀 (@​greenkeeperio-bot)
• #​2007 Use the extend module instead of util._extend (@​simov)
• #​2003 Update browserify to version 13.0.0 🚀 (@​greenkeeperio-bot)
• #​1989 Update buffer-equal to version 1.0.0 🚀 (@​greenkeeperio-bot)
• #​1956 Check form-data content-length value before setting up the header (@​jongyoonlee)
• #​1958 Use IncomingMessage.destroy method (@​simov)
• #​1952 Adds example for Tor proxy (@​prometheansacrifice)
• #​1943 Update eslint to version 1.10.3 🚀 (@​simov, @​greenkeeperio-bot)
• #​1924 Update eslint to version 1.10.1 🚀 (@​greenkeeperio-bot)
• #​1915 Remove content-length and transfer-encoding headers from defaultProxyHeaderWhiteList (@​yaxia)

v2.67.0

Compare Source

• #​1913 Update http-signature to version 1.1.0 🚀 (@​greenkeeperio-bot)

v2.66.0

Compare Source

• #​1906 Update README URLs based on HTTP redirects (@​ReadmeCritic)
• #​1905 Convert typed arrays into regular buffers (@​simov)
• #​1902 node-uuid@​1.4.7 breaks build 🚨 (@​greenkeeperio-bot)
• #​1894 Fix tunneling after redirection from https (Original: #​1881) (@​simov, @​falms)
• #​1893 Update eslint to version 1.9.0 🚀 (@​greenkeeperio-bot)
• #​1852 Update eslint to version 1.7.3 🚀 (@​simov, @​greenkeeperio-bot, @​paulomcnally, @​michelsalib, @​arbaaz, @​nsklkn, @​LoicMahieu, @​JoshWillik, @​jzaefferer, @​ryanwholey, @​djchie, @​thisconnect, @​mgenereu, @​acroca, @​Sebmaster, @​KoltesDigital)
• #​1876 Implement loose matching for har mime types (@​simov)
• #​1875 Update bluebird to version 3.0.2 🚀 (@​simov, @​greenkeeperio-bot)
• #​1871 Update browserify to version 12.0.1 🚀 (@​greenkeeperio-bot)
• #​1866 Add missing quotes on x-token property in README (@​miguelmota)
• #​1874 Fix typo in README.md (@​gswalden)
• #​1860 Improve referer header tests and docs (@​simov)
• #​1861 Remove redundant call to Stream constructor (@​watson)
• #​1857 Fix Referer header to point to the original host name (@​simov)
• #​1850 Update karma-coverage to version 0.5.3 🚀 (@​greenkeeperio-bot)
• #​1847 Use node's latest version when building (@​simov)
• #​1836 Tunnel: fix wrong property name (@​KoltesDigital)
• #​1820 Set href as request.js uses it (@​mgenereu)
• #​1840 Update http-signature to version 1.0.2 🚀 (@​greenkeeperio-bot)
• #​1845 Update istanbul to version 0.4.0 🚀 (@​greenkeeperio-bot)

v2.65.0

Compare Source

• #​1833 Update aws-sign2 to version 0.6.0 🚀 (@​greenkeeperio-bot)
• #​1811 Enable loose cookie parsing in tough-cookie (@​Sebmaster)
• #​1830 Bring back tilde ranges for all dependencies (@​simov)
• #​1821 Implement support for RFC 2617 MD5-sess algorithm. (@​BigDSK)
• #​1828 Updated qs dependency to 5.2.0 (@​acroca)
• #​1818 Extract readResponseBody method out of onRequestResponse (@​pvoisin)
• #​1819 Run stringify once (@​mgenereu)
• #​1814 Updated har-validator to version 2.0.2 (@​greenkeeperio-bot)
• #​1807 Updated tough-cookie to version 2.1.0 (@​greenkeeperio-bot)
• #​1800 Add caret ranges for devDependencies, except eslint (@​simov)
• #​1799 Updated karma-browserify to version 4.4.0 (@​greenkeeperio-bot)
• #​1797 Updated tape to version 4.2.0 (@​greenkeeperio-bot)
• #​1788 Pinned all dependencies (@​greenkeeperio-bot)

v2.64.0

Compare Source

• #​1787 npm ignore examples, release.sh and disabled.appveyor.yml (@​thisconnect)
• #​1775 Fix typo in README.md (@​djchie)
• #​1776 Changed word 'conjuction' to read 'conjunction' in README.md (@​ryanwholey)
• #​1785 Revert: Set default application/json content-type when using json option #​1772 (@​simov)

v2.63.0

Compare Source

• #​1772 Set default application/json content-type when using json option (@​jzaefferer)

v2.62.0

Compare Source

• #​1768 Add node 4.0 to the list of build targets (@​simov)
• #​1767 Query strings now cooperate with unix sockets (@​JoshWillik)
• #​1750 Revert doc about installation of tough-cookie added in #​884 (@​LoicMahieu)
• #​1746 Missed comma in Readme (@​nsklkn)
• #​1743 Fix options not being initialized in defaults method (@​simov)

v2.61.0

Compare Source

• #​1721 Minor fix in README.md (@​arbaaz)
• #​1733 Avoid useless Buffer transformation (@​michelsalib)
• #​1726 Update README.md (@​paulomcnally)
• #​1715 Fix forever option in node > 0.10 #​1709 (@​calibr)
• #​1716 Do not create Buffer from Object in setContentLength(iojs v3.0 issue) (@​calibr)
• #​1711 Add ability to detect connect timeouts (@​kevinburke)
• #​1712 Set certificate expiration to August 2, 2018 (@​kevinburke)
• #​1700 debug() when JSON.parse() on a response body fails (@​phillipj)

v2.60.0

Compare Source

• #​1687 Fix caseless bug - content-type not being set for multipart/form-data (@​simov, @​garymathews)

v2.59.0

Compare Source

• #​1671 Add tests and docs for using the agent, agentClass, agentOptions and forever options.
  Forever option defaults to using http(s).Agent in node 0.12+ (@​simov)
• #​1679 Fix - do not remove OAuth param when using OAuth realm (@​simov, @​jhalickman)
• #​1668 updated dependencies (@​deamme)
• #​1656 Fix form method (@​simov)
• #​1651 Preserve HEAD method when using followAllRedirects (@​simov)
• #​1652 Update encoding option documentation in README.md (@​daniel347x)
• #​1650 Allow content-type overriding when using the form option (@​simov)
• #​1646 Clarify the nature of setting ca in agentOptions (@​jeffcharles)

v2.58.0

Compare Source

• #​1638 Use the extend module to deep extend in the defaults method (@​simov)
• #​1631 Move tunnel logic into separate module (@​simov)
• #​1634 Fix OAuth query transport_method (@​simov)
• #​1603 Add codecov (@​simov)

v2.57.0

Compare Source

• #​1615 Replace '.client' with '.socket' as the former was deprecated in 2.2.0. (@​ChALkeR)

v2.56.0

Compare Source

• #​1610 Bump module dependencies (@​simov)
• #​1600 Extract the querystring logic into separate module (@​simov)
• #​1607 Re-generate certificates (@​simov)
• #​1599 Move getProxyFromURI logic below the check for Invaild URI (#​1595) (@​simov)
• #​1598 Fix the way http verbs are defined in order to please intellisense IDEs (@​simov, @​flannelJesus)
• #​1591 A few minor fixes: (@​simov)
• #​1584 Refactor test-default tests (according to comments in #​1430) (@​simov)
• #​1585 Fixing documentation regarding TLS options (#​1583) (@​mainakae)
• #​1574 Refresh the oauth_nonce on redirect (#​1573) (@​simov)
• #​1570 Discovered tests that weren't properly running (@​seanstrom)
• #​1569 Fix pause before response arrives (@​kevinoid)
• #​1558 Emit error instead of throw (@​simov)
• #​1568 Fix stall when piping gzipped response (@​kevinoid)
• #​1560 Update combined-stream (@​apechimp)
• #​1543 Initial support for oauth_body_hash on json payloads (@​simov, @​aesopwolf)
• #​1541 Fix coveralls (@​simov)
• #​1540 Fix recursive defaults for convenience methods (@​simov)
• #​1536 More eslint style rules (@​froatsnook)
• #​1533 Adding dependency status bar to README.md (@​YasharF)
• #​1539 ensure the latest version of har-validator is included (@​ahmadnassri)
• #​1516 forever+pool test (@​devTristan)

v2.55.0

Compare Source

• #​1520 Refactor defaults (@​simov)
• #​1525 Delete request headers with undefined value. (@​froatsnook)
• #​1521 Add promise tests (@​simov)
• #​1518 Fix defaults (@​simov)
• #​1515 Allow static invoking of convenience methods (@​simov)
• #​1505 Fix multipart boundary extraction regexp (@​simov)
• #​1510 Fix basic auth form data (@​simov)

v2.54.0

Compare Source

• #​1501 HTTP Archive 1.2 support (@​ahmadnassri)
• #​1486 Add a test for the forever agent (@​akshayp)
• #​1500 Adding handling for no auth method and null bearer (@​philberg)
• #​1498 Add table of contents in readme (@​simov)
• #​1477 Add support for qs options via qsOptions key (@​simov)
• #​1496 Parameters encoded to base 64 should be decoded as UTF-8, not ASCII. (@​albanm)
• #​1494 Update eslint (@​froatsnook)
• #​1474 Require Colon in Basic Auth (@​erykwalder)
• #​1481 Fix baseUrl and redirections. (@​burningtree)
• #​1469 Feature/base url (@​froatsnook)
• #​1459 Add option to time request/response cycle (including rollup of redirects) (@​aaron-em)
• #​1468 Re-enable io.js/node 0.12 build (@​simov, @​mikeal, @​BBB)
• #​1442 Fixed the issue with strictSSL tests on 0.12 & io.js by explicitly setting a cipher that matches the cert. (@​BBB, @​nickmccurdy, @​demohi, @​simov, @​0x4139)
• #​1460 localAddress or proxy config is lost when redirecting (@​simov, @​0x4139)
• #​1453 Test on Node.js 0.12 and io.js with allowed failures (@​nickmccurdy, @​demohi)
• #​1426 Fixing tests to pass on io.js and node 0.12 (only test-https.js stiff failing) (@​mikeal)
• #​1446 Missing HTTP referer header with redirects Fixes #​1038 (@​simov, @​guimon)
• #​1428 Deprecate Node v0.8.x (@​nylen)
• #​1436 Add ability to set a requester without setting default options (@​tikotzky)
• #​1435 dry up verb methods (@​sethpollack)
• #​1423 Allow fully qualified multipart content-type header (@​simov)
• #​1430 Fix recursive requester (@​tikotzky)
• #​1429 Throw error when making HEAD request with a body (@​tikotzky)
• #​1419 Add note that the project is broken in 0.12.x (@​nylen)
• #​1413 Fix basic auth (@​simov)
• #​1397 Improve pipe-from-file tests (@​nylen)

v2.53.0

Compare Source

• #​1396 Do not rfc3986 escape JSON bodies (@​nylen, @​simov)
• #​1392 Improve timeout option description (@​watson)

v2.52.0

Compare Source

• #​1383 Add missing HTTPS options that were not being passed to tunnel (@​brichard19) (@​nylen)
• #​1388 Upgrade mime-types package version (@​roderickhsiao)
• #​1389 Revise Setup Tunnel Function (@​seanstrom)
• #​1374 Allow explicitly disabling tunneling for proxied https destinations (@​nylen)
• #​1376 Use karma-browserify for tests. Add browser test coverage reporter. (@​eiriksm)
• #​1366 Refactor OAuth into separate module (@​simov)
• #​1373 Rewrite tunnel test to be pure Node.js (@​nylen)
• #​1371 Upgrade test reporter (@​nylen)
• #​1360 Refactor basic, bearer, digest auth logic into separate class (@​simov)
• #​1354 Remove circular dependency from debugging code (@​nylen)
• #​1351 Move digest auth into private prototype method (@​simov)
• #​1352 Update hawk dependency to ~2.3.0 (@​mridgway)
• #​1353 Correct travis-ci badge (@​dogancelik)
• #​1349 Make sure we return on errored browser requests. (@​eiriksm)
• #​1346 getProxyFromURI Extraction Refactor (@​seanstrom)
• #​1337 Standardize test ports on 6767 (@​nylen)
• #​1341 Emit FormData error events as Request error events (@​nylen, @​rwky)
• #​1343 Clean up readme badges, and add Travis and Coveralls badges (@​nylen)
• #​1345 Update README.md (@​Aaron-Hartwig)
• #​1338 Always wait for server.close() callback in tests (@​nylen)
• #​1342 Add mock https server and redo start of browser tests for this purpose. (@​eiriksm)
• #​1339 Improve auth docs (@​nylen)
• #​1335 Add support for OAuth plaintext signature method (@​simov)
• #​1332 Add clean script to remove test-browser.js after the tests run (@​seanstrom)
• #​1327 Fix errors generating coverage reports. (@​nylen)
• #​1330 Return empty buffer upon empty response body and encoding is set to null (@​seanstrom)
• #​1326 Use faster container-based infrastructure on Travis (@​nylen)
• #​1315 Implement rfc3986 option (@​simov, @​nylen, @​apoco, @​DullReferenceException, @​mmalecki, @​oliamb, @​cliffcrosland, @​LewisJEllis, @​eiriksm, @​poislagarde)
• #​1314 Detect urlencoded form data header via regex (@​simov)
• #​1317 Improve OAuth1.0 server side flow example (@​simov)

v2.51.0

Compare Source

• #​1310 Revert changes introduced in #​1282 (@​simov)

v2.50.0

Compare Source

• #​1308 Add browser test to keep track of browserify compability. (@​eiriksm)
• #​1299 Add optional support for jsonReviver (@​poislagarde)
• #​1277 Add Coveralls configuration (@​simov)
• #​1307 Upgrade form-data, add back browserify compability. Fixes #​455. (@​eiriksm)
• #​1305 Fix typo in README.md (@​LewisJEllis)
• #​1288 Update README.md to explain custom file use case (@​cliffcrosland)

v2.49.0

Compare Source

• #​1295 fix(proxy): no-proxy false positive (@​oliamb)
• #​1292 Upgrade caseless to 0.8.1 (@​mmalecki)
• #​1276 Set transfer encoding for multipart/related to chunked by default (@​simov)
• #​1275 Fix multipart content-type headers detection (@​simov)
• #​1269 adds streams example for review (@​tbuchok)
• #​1238 Add examples README.md (@​simov)

v2.48.0

Compare Source

• #​1263 Fixed a syntax error / typo in README.md (@​xna2)
• #​1253 Add multipart chunked flag (@​simov, @​nylen)
• #​1251 Clarify that defaults() does not modify global defaults (@​nylen)
• #​1250 Improve documentation for pool and maxSockets options (@​nylen)
• #​1237 Documenting error handling when using streams (@​vmattos)
• #​1244 Finalize changelog command (@​nylen)
• #​1241 Fix typo (@​alexanderGugel)
• #​1223 Show latest version number instead of "upcoming" in changelog (@​nylen)
• #​1236 Document how to use custom CA in README (#​1229) (@​hypesystem)
• #​1228 Support for oauth with RSA-SHA1 signing (@​nylen)
• #​1216 Made json and multipart options coexist (@​nylen, @​simov)
• #​1225 Allow header white/exclusive lists in any case. (@​RReverser)

v2.47.0

Compare Source

• #​1222 Move from mikeal/request to request/request (@​nylen)
• #​1220 update qs dependency to 2.3.1 (@​FredKSchott)
• #​1212 Improve tests/test-timeout.js (@​nylen)
• #​1219 remove old globalAgent workaround for node 0.4 (@​request)
• #​1214 Remove cruft left over from optional dependencies (@​nylen)
• #​1215 Add proxyHeaderExclusiveList option for proxy-only headers. (@​RReverser)
• #​1211 Allow 'Host' header instead of 'host' and remember case across redirects (@​nylen)
• #​1208 Improve release script (@​nylen)
• #​1213 Support for custom cookie store (@​nylen, @​mitsuru)
• #​1197 Clean up some code around setting the agent (@​FredKSchott)
• #​1209 Improve multipart form append test (@​simov)
• #​1207 Update changelog (@​nylen)
• #​1185 Stream multipart/related bodies (@​simov)

v2.46.0

Compare Source

• #​1198 doc for TLS/SSL protocol options (@​shawnzhu)
• #​1200 Add a Gitter chat badge to README.md (@​gitter-badger)
• #​1196 Upgrade taper test reporter to v0.3.0 (@​nylen)
• #​1199 Fix lint error: undeclared var i (@​nylen)
• #​1191 Move self.proxy decision logic out of init and into a helper (@​FredKSchott)
• #​1190 Move _buildRequest() logic back into init (@​FredKSchott)
• #​1186 Support Smarter Unix URL Scheme (@​FredKSchott)
• #​1178 update form documentation for new usage (@​FredKSchott)
• #​1180 Enable no-mixed-requires linting rule (@​nylen)
• #​1184 Don't forward authorization header across redirects to different hosts (@​nylen)
• #​1183 Correct README about pre and postamble CRLF using multipart and not mult... (@​netpoetica)
• #​1179 Lint tests directory (@​nylen)
• #​1169 add metadata for form-data file field (@​dotcypress)
• #​1173 remove optional dependencies (@​seanstrom)
• #​1165 Cleanup event listeners and remove function creation from init (@​FredKSchott)
• #​1174 update the request.cookie docs to have a valid cookie example (@​seanstrom)
• #​1168 create a detach helper and use detach helper in replace of nextTick (@​seanstrom)
• #​1171 in post can send form data and use callback (@​MiroRadenovic)
• #​1159 accept charset for x-www-form-urlencoded content-type (@​seanstrom)
• #​1157 Update README.md: body with json=true (@​Rob--W)
• #​1164 Disable tests/test-timeout.js on Travis (@​nylen)
• #​1153 Document how to run a single test (@​nylen)
• #​1144 adds documentation for the "response" event within the streaming section (@​tbuchok)
• #​1162 Update eslintrc file to no longer allow past errors (@​FredKSchott)
• #​1155 Support/use self everywhere (@​seanstrom)
• #​1161 fix no-use-before-define lint warnings (@​emkay)
• #​1156 adding curly brackets to get rid of lint errors (@​emkay)
• #​1151 Fix localAddress test on OS X (@​nylen)
• #​1145 documentation: fix outdated reference to setCookieSync old name in README (@​FredKSchott)
• #​1131 Update pool documentation (@​FredKSchott)
• #​1143 Rewrite all tests to use tape (@​nylen)
• #​1137 Add ability to specifiy querystring lib in options. (@​jgrund)
• #​1138 allow hostname and port in place of host on uri (@​cappslock)
• #​1134 Fix multiple redirects and self.followRedirect (@​blakeembrey)
• #​1130 documentation fix: add note about npm test for contributing (@​FredKSchott)
• #​1120 Support/refactor request setup tunnel (@​seanstrom)
• #​1129 linting fix: convert double quote strings to use single quotes (@​FredKSchott)
• #​1124 linting fix: remove unneccesary semi-colons (@​FredKSchott)

v2.45.0

Compare Source

• #​1128 Add test for setCookie regression (@​nylen)
• #​1127 added tests around using objects as values in a query string (@​bcoe)
• #​1103 Support/refactor request constructor (@​nylen, @​seanstrom)
• #​1119 add basic linting to request library (@​FredKSchott)
• #​1121 Revert "Explicitly use sync versions of cookie functions" (@​nylen)
• #​1118 linting fix: Restructure bad empty if statement (@​FredKSchott)
• #​1117 Fix a bad check for valid URIs (@​FredKSchott)
• #​1113 linting fix: space out operators (@​FredKSchott)
• #​1116 Fix typo in noProxyHost definition (@​FredKSchott)
• #​1114 linting fix: Added a new operator that was missing when creating and throwing a new error (@​FredKSchott)
• #​1096 No_proxy support (@​samcday)
• #​1107 linting-fix: remove unused variables (@​FredKSchott)
• #​1112 linting fix: Make return values consistent and more straitforward (@​FredKSchott)
• #​1111 linting fix: authPieces was getting redeclared (@​FredKSchott)
• #​1105 Use strict mode in request (@​FredKSchott)
• #​1110 linting fix: replace lazy '==' with more strict '===' (@​FredKSchott)
• #​1109 linting fix: remove function call from if-else conditional statement (@​FredKSchott)
• #​1102 Fix to allow setting a requester on recursive calls to request.defaults (@​tikotzky)
• #​1095 Tweaking engines in package.json (@​pdehaan)
• #​1082 Forward the socket event from the httpModule request (@​seanstrom)
• #​972 Clarify gzip handling in the README (@​kevinoid)
• #​1089 Mention that encoding defaults to utf8, not Buffer (@​stuartpb)
• #​1088 Fix cookie example in README.md and make it more clear (@​pipi32167)
• #​1027 Add support for multipart form data in request options. (@​crocket)
• #​1076 use Request.abort() to abort the request when the request has timed-out (@​seanstrom)
• #​1068 add optional postamble required by .NET multipart requests (@​netpoetica)

v2.44.0

Compare Source

v2.43.0

Compare Source

• #​1057 Defaults should not overwrite defined options (@​davidwood)
• #​1046 Propagate datastream errors, useful in case gzip fails. (@​ZJONSSON, @​Janpot)
• [#​1063](https://redire

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.