Update dependency normalize-url to v5.3.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
normalize-url	5.0.0 → 5.3.1

---

ReDoS in normalize-url

CVE-2021-33502 / GHSA-px4h-xg32-q955

More information

Details

The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://nvd.nist.gov/vuln/detail/CVE-2021-33502
• https://github.com/sindresorhus/normalize-url/releases/tag/v6.0.1
• https://github.com/sindresorhus/normalize-url/commit/b1fdb5120b6d27a88400d8800e67ff5a22bd2103
• https://security.netapp.com/advisory/ntap-20210706-0001/
• https://github.com/advisories/GHSA-px4h-xg32-q955

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

sindresorhus/normalize-url (normalize-url)

v5.3.1

Compare Source

v5.3.0

Compare Source

• Throw a friendly error on view-source: input (#​124) ddf2584

v5.2.1

Compare Source

• Fix removeSingleSlash option adding slashes (#​122) 1e06753

v5.2.0

Compare Source

• Add removeSingleSlash option (#​120) 18effbe

v5.1.0

Compare Source

• Improve stripWWW logic (#​117) 0ee9d94
• Allow any protocol in the duplicate slashes normalization (#​115) 14b79c6

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.