Merge pull request #2191 from ing-bank/changeset-release/master

Version Packages

.changeset/two-plums-run.md

@@ -1,12 +0,0 @@
----
-'@lion/ajax': major
----
-
-BREAKING: Only add XSRF token on mutable requests and on same origin or whitelisted origins
-
-Previously the XSRF token was added to any call to any origin.
-This is changed in two ways.  
-(1) The token is now only attached to requests that are POST/PUT/PATCH/DELETE.
-(2) It will validate if the request origin is the same as current origin or when the origin is in the xsrfTrustedOrigins.
-
-This is a fix for a vulnerability: we inadvertently revealed the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host. This allowed attackers to view sensitive information.

packages/ajax/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Change Log
 
+## 2.0.0
+
+### Major Changes
+
+- 04d08683: BREAKING: Only add XSRF token on mutable requests and on same origin or whitelisted origins
+
+  Previously the XSRF token was added to any call to any origin.
+  This is changed in two ways.
+  (1) The token is now only attached to requests that are POST/PUT/PATCH/DELETE.
+  (2) It will validate if the request origin is the same as current origin or when the origin is in the xsrfTrustedOrigins.
+
+  This is a fix for a vulnerability: we inadvertently revealed the confidential XSRF-TOKEN stored in cookies by including it in the HTTP header X-XSRF-TOKEN for every request made to any host. This allowed attackers to view sensitive information.
+
 ## 1.3.0
 
 ### Minor Changes

packages/ajax/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lion/ajax",
-  "version": "1.3.0",
+  "version": "2.0.0",
   "description": "Thin wrapper around fetch with support for interceptors.",
   "license": "MIT",
   "author": "ing-bank",