New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency undici to v5.28.4 [security] #75

Open

renovate wants to merge 1 commit into master from renovate/npm-undici-vulnerability

Contributor

renovate bot commented Feb 16, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	`5.26.2` -> `5.28.4`

GitHub Vulnerability Alerts

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

CVE-2024-30261

Impact

If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered.

Patches

Fixed in nodejs/undici@d542b8c.
Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

Ensure that integrity cannot be tampered with.

References

https://hackerone.com/reports/2377760

CVE-2024-30260

Impact

Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request().

Patches

This has been patched in nodejs/undici@6805746.
Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

use fetch() or disable maxRedirections.

References

Linzi Shang reported this.

Release Notes

nodejs/undici (undici)

`v5.28.4`

⚠️ Security Release ⚠️

Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261

Full Changelog: nodejs/undici@v5.28.3...v5.28.4

`v5.28.3`

⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

`v5.28.2`

What's Changed

fix: remove optional chainning for compatible with Nodejs12 and below by @bugb in https://github.com/nodejs/undici/pull/2470
fix: remove node: prefix by @tsctx in https://github.com/nodejs/undici/pull/2471
perf: avoid Headers initialization by @tsctx in https://github.com/nodejs/undici/pull/2468
fix: handle SharedArrayBuffer correctly by @tsctx in https://github.com/nodejs/undici/pull/2466
fix: Add null type to signal in RequestInit by @gebsh in https://github.com/nodejs/undici/pull/2455
fix: correctly handle data URL with hashes. by @tsctx in https://github.com/nodejs/undici/pull/2475
fix: check response for timinginfo allow flag by @ToshB in https://github.com/nodejs/undici/pull/2477
Make call to onBodySent conditional in RetryHandler by @MzUgM in https://github.com/nodejs/undici/pull/2478
refactor: better integrity check by @tsctx in https://github.com/nodejs/undici/pull/2462
fix: Added support for inline URL username:password proxy auth by @matt-way in https://github.com/nodejs/undici/pull/2473
build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @dependabot in https://github.com/nodejs/undici/pull/2472
build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @dependabot in https://github.com/nodejs/undici/pull/2405
build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @dependabot in https://github.com/nodejs/undici/pull/2396
build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @dependabot in https://github.com/nodejs/undici/pull/2395
build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @dependabot in https://github.com/nodejs/undici/pull/2392
build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @dependabot in https://github.com/nodejs/undici/pull/2389
build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in https://github.com/nodejs/undici/pull/2302

New Contributors

@bugb made their first contribution in https://github.com/nodejs/undici/pull/2470
@gebsh made their first contribution in https://github.com/nodejs/undici/pull/2455
@ToshB made their first contribution in https://github.com/nodejs/undici/pull/2477
@MzUgM made their first contribution in https://github.com/nodejs/undici/pull/2478
@matt-way made their first contribution in https://github.com/nodejs/undici/pull/2473

Full Changelog: nodejs/undici@v5.28.1...v5.28.2

`v5.28.1`

What's Changed

perf: Improve normalizeMethod by @tsctx in https://github.com/nodejs/undici/pull/2456
fix: dispatch error handling by @ronag in https://github.com/nodejs/undici/pull/2459
perf(request): optimize if headers are given by @tsctx in https://github.com/nodejs/undici/pull/2454

Full Changelog: nodejs/undici@v5.28.0...v5.28.1

`v5.28.0`

What's Changed

fix(parseHeaders): util.parseHeaders handle correctly array of buffer… by @mdoria12 in https://github.com/nodejs/undici/pull/2398
docs: add license to undici-types by @dancastillo in https://github.com/nodejs/undici/pull/2401
perf: optimize Readable.dump by @ronag in https://github.com/nodejs/undici/pull/2402
perf(headers): Improve Headers by @tsctx in https://github.com/nodejs/undici/pull/2397
test: re-enable conditional WPT Report for websockets by @panva in https://github.com/nodejs/undici/pull/2407
fix: delay abort on 'close' by @ronag in https://github.com/nodejs/undici/pull/2408
refactor: use substring instead of substr by @tsctx in https://github.com/nodejs/undici/pull/2411
add additional http2 test with fetch by @KhafraDev in https://github.com/nodejs/undici/pull/2419
fix: HTTPToken check by @tsctx in https://github.com/nodejs/undici/pull/2410
perf: optimize HeadersList.get by @tsctx in https://github.com/nodejs/undici/pull/2420
properly handle pseudo-headers in fetch by @KhafraDev in https://github.com/nodejs/undici/pull/2422
perf(headers): if the guard is immutable by @tsctx in https://github.com/nodejs/undici/pull/2424
fix(mock-agent): send stream body by @tsctx in https://github.com/nodejs/undici/pull/2425
build(deps): bump github/codeql-action from 2.21.5 to 2.22.5 by @dependabot in https://github.com/nodejs/undici/pull/2394
feat(#2264): Expose Retry Handler by @metcoder95 in https://github.com/nodejs/undici/pull/2281
fix: implement Headers#set correctly by @tsctx in https://github.com/nodejs/undici/pull/2432
fix: implement Headers#delete correctly by @tsctx in https://github.com/nodejs/undici/pull/2430
test: update websocket wpt availability by @panva in https://github.com/nodejs/undici/pull/2437
fix: type comment position by @tsctx in https://github.com/nodejs/undici/pull/2443
fix: onHeaders type declaration by @tsctx in https://github.com/nodejs/undici/pull/2444
remove http2 status pseudo header from headers by @KhafraDev in https://github.com/nodejs/undici/pull/2438
docs: Clarify path matching in intercept() by @oliversalzburg in https://github.com/nodejs/undici/pull/2426
fix: set-cookie clone by @tsctx in https://github.com/nodejs/undici/pull/2446
docs: fix typo in maxConcurrentStreams by @tniessen in https://github.com/nodejs/undici/pull/2450
refactor: remove leftovers by @metcoder95 in https://github.com/nodejs/undici/pull/2451
refactor: add missing new operator by @tsctx in https://github.com/nodejs/undici/pull/2452

New Contributors

@mdoria12 made their first contribution in https://github.com/nodejs/undici/pull/2398
@tsctx made their first contribution in https://github.com/nodejs/undici/pull/2397
@oliversalzburg made their first contribution in https://github.com/nodejs/undici/pull/2426

Full Changelog: nodejs/undici@v5.27.2...v5.28.0

`v5.27.2`

Full Changelog: nodejs/undici@v5.27.1...v5.27.2

`v5.27.1`

What's Changed

add regression test by @KhafraDev in https://github.com/nodejs/undici/pull/2376
fix: define conditions when content-length should be sent by @pxue in https://github.com/nodejs/undici/pull/2305
refactor: removed unnecessary default by @nikelborm in https://github.com/nodejs/undici/pull/2381
fix: stream body handling by @ronag in https://github.com/nodejs/undici/pull/2391

New Contributors

@pxue made their first contribution in https://github.com/nodejs/undici/pull/2305
@nikelborm made their first contribution in https://github.com/nodejs/undici/pull/2381

Full Changelog: nodejs/undici@v5.27.0...v5.27.1

`v5.27.0`

What's Changed

Use sets and reusable TextEncoder/TextDecoder instances by @kibertoad in https://github.com/nodejs/undici/pull/2368
feat: forward onRequestSent to handler by @ronag in https://github.com/nodejs/undici/pull/2375
skip bundle test on node 16 by @KhafraDev in https://github.com/nodejs/undici/pull/2377
fix windows CI by @KhafraDev in https://github.com/nodejs/undici/pull/2379

Full Changelog: nodejs/undici@v5.26.5...v5.27.0

`v5.26.5`

What's Changed

Drop race condition in connect-timeout test by @mcollina in https://github.com/nodejs/undici/pull/2360
Remove a couple of unnecessary async functions by @kibertoad in https://github.com/nodejs/undici/pull/2367
Update namespace type with Fetch exports by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2361

Full Changelog: nodejs/undici@v5.26.4...v5.26.5

`v5.26.4`

What's Changed

use esbuild define/hooks by @KhafraDev in https://github.com/nodejs/undici/pull/2342
fix request's arrayBuffer returning uint8 instead of arraybuffer by @KhafraDev in https://github.com/nodejs/undici/pull/2344
fix: skip readMore call if parser is null or undefined by @iiAku in https://github.com/nodejs/undici/pull/2346
test: first attempt for flaky fix by @metcoder95 in https://github.com/nodejs/undici/pull/2337
test: only include WebSocket in WPT Report where it's landed by @panva in https://github.com/nodejs/undici/pull/2351
Update DispatchInterceptor.md by @Uzlopak in https://github.com/nodejs/undici/pull/2354
fix: Avoid error for stream() being aborted by @BobNobrain in https://github.com/nodejs/undici/pull/2355
fix names with esbuild by @KhafraDev in https://github.com/nodejs/undici/pull/2359

New Contributors

@iiAku made their first contribution in https://github.com/nodejs/undici/pull/2346
@Uzlopak made their first contribution in https://github.com/nodejs/undici/pull/2354
@BobNobrain made their first contribution in https://github.com/nodejs/undici/pull/2355

Full Changelog: nodejs/undici@v5.26.3...v5.26.4

`v5.26.3`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot added the dependencies label

github-actions bot added the chore label

github-actions bot requested a review from xhyrom

February 16, 2024 18:19

renovate bot changed the title ~~fix(deps): update dependency undici to v5.28.3 [security]~~ fix(deps): update dependency undici to v5.28.3 [security] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-undici-vulnerability branch

April 3, 2024 13:17

renovate bot changed the title ~~fix(deps): update dependency undici to v5.28.3 [security] - autoclosed~~ fix(deps): update dependency undici to v5.28.3 [security]

renovate bot reopened this

renovate bot restored the renovate/npm-undici-vulnerability branch

April 3, 2024 15:47

renovate bot force-pushed the renovate/npm-undici-vulnerability branch 2 times, most recently from 6c7666b to 1417c7a Compare

April 4, 2024 16:32

renovate bot changed the title ~~fix(deps): update dependency undici to v5.28.3 [security]~~ fix(deps): update dependency undici to v5.28.4 [security]

renovate bot changed the title ~~fix(deps): update dependency undici to v5.28.4 [security]~~ fix(deps): update dependency undici to v5.28.4 [security] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-undici-vulnerability branch

July 15, 2024 00:52

renovate bot restored the renovate/npm-undici-vulnerability branch

July 15, 2024 04:25

renovate bot changed the title ~~fix(deps): update dependency undici to v5.28.4 [security] - autoclosed~~ fix(deps): update dependency undici to v5.28.4 [security]

renovate bot reopened this


          fix(deps): update dependency undici to v5.28.4 [security]

5fed729

renovate bot force-pushed the renovate/npm-undici-vulnerability branch from 1417c7a to 5fed729 Compare

July 15, 2024 04:26

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

chore dependencies