From ed660413dbbbdba3603dbac126e1558d84b33dcd Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 20 Apr 2026 00:18:21 +0000
Subject: [PATCH 1/2] fix: apply audit fixes

---
 dist/index.js | 25 ++++++++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/dist/index.js b/dist/index.js
index 492990f..5003dd4 100644
--- a/dist/index.js
+++ b/dist/index.js
@@ -5077,6 +5077,13 @@ catch (error) {
   useNativeURL = error.code === "ERR_INVALID_URL";
 }
 
+// HTTP headers to drop across HTTP/HTTPS and domain boundaries
+var sensitiveHeaders = [
+  "Authorization",
+  "Proxy-Authorization",
+  "Cookie",
+];
+
 // URL fields to preserve in copy operations
 var preservedUrlFields = [
   "auth",
@@ -5158,6 +5165,11 @@ function RedirectableRequest(options, responseCallback) {
     }
   };
 
+  // Create filter for sensitive HTTP headers
+  this._headerFilter = new RegExp("^(?:" +
+    sensitiveHeaders.concat(options.sensitiveHeaders).map(escapeRegex).join("|") +
+  ")$", "i");
+
   // Perform the first request
   this._performRequest();
 }
@@ -5341,6 +5353,9 @@ RedirectableRequest.prototype._sanitizeOptions = function (options) {
   if (!options.headers) {
     options.headers = {};
   }
+  if (!isArray(options.sensitiveHeaders)) {
+    options.sensitiveHeaders = [];
+  }
 
   // Since http.request treats host as an alias of hostname,
   // but the url module interprets host as hostname plus port,
@@ -5523,7 +5538,7 @@ RedirectableRequest.prototype._processResponse = function (response) {
       redirectUrl.protocol !== "https:" ||
       redirectUrl.host !== currentHost &&
       !isSubdomain(redirectUrl.host, currentHost)) {
-    removeMatchingHeaders(/^(?:(?:proxy-)?authorization|cookie)$/i, this._options.headers);
+    removeMatchingHeaders(this._headerFilter, this._options.headers);
   }
 
   // Evaluate the beforeRedirect callback
@@ -5716,6 +5731,10 @@ function isSubdomain(subdomain, domain) {
   return dot > 0 && subdomain[dot] === "." && subdomain.endsWith(domain);
 }
 
+function isArray(value) {
+  return value instanceof Array;
+}
+
 function isString(value) {
   return typeof value === "string" || value instanceof String;
 }
@@ -5732,6 +5751,10 @@ function isURL(value) {
   return URL && value instanceof URL;
 }
 
+function escapeRegex(regex) {
+  return regex.replace(/[\]\\/()*+?.$]/g, "\\$&");
+}
+
 // Exports
 module.exports = wrap({ http: http, https: https });
 module.exports.wrap = wrap;

From 0869d5674f9bc6efcfe3fca781f0e64408c72515 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Mon, 20 Apr 2026 00:18:22 +0000
Subject: [PATCH 2/2] fix: apply audit fixes

---
 yarn.lock | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/yarn.lock b/yarn.lock
index 45d883e..b32fb29 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -792,9 +792,9 @@ flatted@^3.2.9:
   integrity "sha1-9cI8EH8PN96NvfJPE3IrO5jVJyY= sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA=="
 
 follow-redirects@^1.15.11:
-  version "1.15.11"
-  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.11.tgz#777d73d72a92f8ec4d2e410eb47352a56b8e8340"
-  integrity "sha1-d31z1yqS+OxNLkEOtHNSpWuOg0A= sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ=="
+  version "1.16.0"
+  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.16.0.tgz#28474a159d3b9d11ef62050a14ed60e4df6d61bc"
+  integrity "sha1-KEdKFZ07nRHvYgUKFO1g5N9tYbw= sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw=="
 
 form-data@^4.0.5:
   version "4.0.5"