fix(deps): update dependency undici to v5.26.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	5.8.2 -> 5.26.2

GitHub Vulnerability Alerts

CVE-2023-23936

Impact

undici library does not protect host HTTP header from CRLF injection vulnerabilities.

Patches

This issue was patched in Undici v5.19.1.

Workarounds

Sanitize the headers.host string before passing to undici.

References

Reported at https://hackerone.com/reports/1820955.

Credits

Thank you to Zhipeng Zhang (@​timon8) for reporting this vulnerability.

CVE-2023-24807

Impact

The Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function.

Patches

This vulnerability was patched in v5.19.1.

Workarounds

There is no workaround. Please update to an unaffected version.

References

• https://hackerone.com/bugs?report_id=1784449

Credits

Carter Snook reported this vulnerability.

CVE-2023-45143

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

---

Release Notes

nodejs/undici (undici)

v5.26.2

Compare Source

Security Release, CVE-2023-45143.

v5.26.1

Compare Source

What's Changed

• Fix publish undici-types once and for all! by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2338
• Fix node detection omfg by @​KhafraDev in https://github.com/nodejs/undici/pull/2341

Full Changelog: nodejs/undici@v5.26.0...v5.26.1

v5.26.0

Compare Source

What's Changed

• use npm install instead of npm ci by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2309
• change default header to node by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2310
• chore: change order of the pseudo-headers by @​kyrylodolynskyi in https://github.com/nodejs/undici/pull/2308
• fix: Agent.Options.factory should accept URL object or string as parameter by @​nicole0707 in https://github.com/nodejs/undici/pull/2295
• build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by @​dependabot in https://github.com/nodejs/undici/pull/2312
• test: handle npm ignore-scripts settings by @​panva in https://github.com/nodejs/undici/pull/2313
• feat: respect --max-http-header-size Node.js flag by @​balazsorban44 in https://github.com/nodejs/undici/pull/2234
• fix(#​2311): End stream after body sent by @​metcoder95 in https://github.com/nodejs/undici/pull/2314
• disallow setting host header in fetch by @​KhafraDev in https://github.com/nodejs/undici/pull/2322
• [StepSecurity] ci: Harden GitHub Actions by @​step-security-bot in https://github.com/nodejs/undici/pull/2325
• fix fetch with coverage enabled by @​KhafraDev in https://github.com/nodejs/undici/pull/2330
• Fix stuck when using http2 POST Buffer by @​binsee in https://github.com/nodejs/undici/pull/2336
• fix: 🏷️ add allowH2 to BuildOptions by @​binsee in https://github.com/nodejs/undici/pull/2334
• fix: 🐛 fix process http2 header by @​binsee in https://github.com/nodejs/undici/pull/2332

New Contributors

• @​kyrylodolynskyi made their first contribution in https://github.com/nodejs/undici/pull/2308
• @​nicole0707 made their first contribution in https://github.com/nodejs/undici/pull/2295
• @​balazsorban44 made their first contribution in https://github.com/nodejs/undici/pull/2234
• @​binsee made their first contribution in https://github.com/nodejs/undici/pull/2336

Full Changelog: nodejs/undici@v5.23.4...v5.26.0

v5.25.4

Compare Source

v5.25.3

Compare Source

What's Changed

• perf: improve parse-url implementation by @​anonrig in https://github.com/nodejs/undici/pull/2286
• test: enable websockets inclusion in WPTReport by @​panva in https://github.com/nodejs/undici/pull/2284
• remove npm run test from pre-commit hook by @​dancastillo in https://github.com/nodejs/undici/pull/2296
• perf: use @​fastify/busboy by @​gurgunday in https://github.com/nodejs/undici/pull/2211
• Disable finalizationregistry if node code cov by @​mcollina in https://github.com/nodejs/undici/pull/2298

New Contributors

• @​gurgunday made their first contribution in https://github.com/nodejs/undici/pull/2211

Full Changelog: nodejs/undici@v5.25.2...v5.25.3

v5.25.2

Compare Source

What's Changed

• Add Khaf to releasers by @​mcollina in https://github.com/nodejs/undici/pull/2276
• fix: fix request with readable mode is object by @​killagu in https://github.com/nodejs/undici/pull/2279
• fix loading websockets when node is built w/ --without-ssl by @​KhafraDev in https://github.com/nodejs/undici/pull/2282

New Contributors

• @​killagu made their first contribution in https://github.com/nodejs/undici/pull/2279

Full Changelog: nodejs/undici@v5.25.1...v5.25.2

v5.25.1

Compare Source

What's Changed

• Add publish types script by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2273

Full Changelog: nodejs/undici@v5.25.0...v5.25.1

v5.25.0

Compare Source

What's Changed

• fix: h2 without body by @​metcoder95 in https://github.com/nodejs/undici/pull/2258
• ci: remove duplicated runs by @​metcoder95 in https://github.com/nodejs/undici/pull/2265
• improve documentation of timeouts by making the units clear in all places by @​mcfedr in https://github.com/nodejs/undici/pull/2266
• expose websocket in node bundle by @​KhafraDev in https://github.com/nodejs/undici/pull/2217
• test: fix Fetch/HTTP2 tests by @​metcoder95 in https://github.com/nodejs/undici/pull/2263
• fix undici when node is built with --without-ssl by @​KhafraDev in https://github.com/nodejs/undici/pull/2272
• fix: Fix type definition for Client Interceptors by @​ComradeCow in https://github.com/nodejs/undici/pull/2269
• Fix http2 agent by @​mcollina in https://github.com/nodejs/undici/pull/2275

New Contributors

• @​ComradeCow made their first contribution in https://github.com/nodejs/undici/pull/2269

Full Changelog: nodejs/undici@v5.24.0...v5.25.0

v5.24.0

Compare Source

Notable Changes

• feat: Add H2 support by @​metcoder95 in https://github.com/nodejs/undici/pull/2061

What's Changed

• build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0 by @​dependabot in https://github.com/nodejs/undici/pull/2203
• better stack trace for body.json by @​KhafraDev in https://github.com/nodejs/undici/pull/2215
• allow http & https websocket urls by @​KhafraDev in https://github.com/nodejs/undici/pull/2218
• build(deps-dev): bump @​sinonjs/fake-timers from 10.3.0 to 11.1.0 by @​dependabot in https://github.com/nodejs/undici/pull/2221
• fix: pass ProxyAgent proxy status code error by @​NBNGaming in https://github.com/nodejs/undici/pull/2162
• fix failing test by @​KhafraDev in https://github.com/nodejs/undici/pull/2223
• docs: update MockPool.md intercept method description by @​capaj in https://github.com/nodejs/undici/pull/2220
• Update wpts by @​KhafraDev in https://github.com/nodejs/undici/pull/2226
• build(deps): bump github/codeql-action from 2.21.2 to 2.21.5 by @​dependabot in https://github.com/nodejs/undici/pull/2240
• build(deps): bump actions/setup-node from 3.6.0 to 3.8.1 by @​dependabot in https://github.com/nodejs/undici/pull/2237
• build(deps): bump fastify/github-action-merge-dependabot from 3.9.0 to 3.9.1 by @​dependabot in https://github.com/nodejs/undici/pull/2236
• build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @​dependabot in https://github.com/nodejs/undici/pull/2241
• build(deps): bump actions/dependency-review-action from 3.0.6 to 3.0.8 by @​dependabot in https://github.com/nodejs/undici/pull/2238
• fix: aborting request with non-object error by @​KhafraDev in https://github.com/nodejs/undici/pull/2243
• fix: preserve file path when parsing formdata by @​jimmywarting in https://github.com/nodejs/undici/pull/2245
• build(deps-dev): bump tsd from 0.28.1 to 0.29.0 by @​dependabot in https://github.com/nodejs/undici/pull/2246
• Updated benchmarks by @​mcollina in https://github.com/nodejs/undici/pull/2250
• Fix fetch in node v20.6.0 by @​mcollina in https://github.com/nodejs/undici/pull/2251
• Maybe fix v20 by @​mcollina in https://github.com/nodejs/undici/pull/2252
• feat: Add H2 support by @​metcoder95 in https://github.com/nodejs/undici/pull/2061
• docs: fix tables in README by @​regseb in https://github.com/nodejs/undici/pull/2254
• Fix http2 fetch test by @​mcollina in https://github.com/nodejs/undici/pull/2253

New Contributors

• @​NBNGaming made their first contribution in https://github.com/nodejs/undici/pull/2162
• @​capaj made their first contribution in https://github.com/nodejs/undici/pull/2220
• @​regseb made their first contribution in https://github.com/nodejs/undici/pull/2254

Full Changelog: nodejs/undici@v5.23.0...v5.24.0

v5.23.0

Compare Source

What's Changed

• bump engines to node >= 16 by @​ronag in https://github.com/nodejs/undici/pull/2119
• Revert "bump engines to node >= 16 (#​2119)" by @​ronag in https://github.com/nodejs/undici/pull/2121
• fetch: set referrer properly by @​KhafraDev in https://github.com/nodejs/undici/pull/2125
• fix: support truncated gzip by @​jimmywarting in https://github.com/nodejs/undici/pull/2126
• workflow: apply security best practices by @​step-security-bot in https://github.com/nodejs/undici/pull/2130
• build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by @​dependabot in https://github.com/nodejs/undici/pull/2135
• build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by @​dependabot in https://github.com/nodejs/undici/pull/2133
• build(deps): bump node from 18-alpine to 20-alpine in /build by @​dependabot in https://github.com/nodejs/undici/pull/2131
• build(deps): bump pkgjs/action from 0.1.6 to 0.1.7 by @​dependabot in https://github.com/nodejs/undici/pull/2136
• build(deps): bump actions/checkout from 3.1.0 to 3.5.2 by @​dependabot in https://github.com/nodejs/undici/pull/2132
• build(deps-dev): bump jsdom from 21.1.2 to 22.1.0 by @​dependabot in https://github.com/nodejs/undici/pull/2142
• build(deps): bump fastify/github-action-merge-dependabot from 3.7.0 to 3.8.0 by @​dependabot in https://github.com/nodejs/undici/pull/2148
• fix(pr): use correct pr template file by @​AugustinMauroy in https://github.com/nodejs/undici/pull/2141
• Additional WebSocket send tests to cover all payload size categories by @​jawj in https://github.com/nodejs/undici/pull/2149
• fix: reverse decompression order of "Content-Encoding" encodings (fixes #​2158) by @​rychkog in https://github.com/nodejs/undici/pull/2159
• fix: keep running WPTs if a test times out by @​KhafraDev in https://github.com/nodejs/undici/pull/2165
• feat: add build environment info by @​mhdawson in https://github.com/nodejs/undici/pull/2168
• fix: forward error reason to fetch controller by @​KhafraDev in https://github.com/nodejs/undici/pull/2172
• stricter types for bodymixin.json by @​KhafraDev in https://github.com/nodejs/undici/pull/2181
• chore: Renable autoSelectFamily tests. by @​ShogunPanda in https://github.com/nodejs/undici/pull/2180
• build(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by @​dependabot in https://github.com/nodejs/undici/pull/2147
• build(deps): bump github/codeql-action from 2.3.2 to 2.20.3 by @​dependabot in https://github.com/nodejs/undici/pull/2185
• fix: fetch resource timing performance entry names should be strings by @​GaryWilber in https://github.com/nodejs/undici/pull/2188
• build(deps): bump actions/checkout from 3.5.2 to 3.5.3 by @​dependabot in https://github.com/nodejs/undici/pull/2176
• build(deps): bump fastify/github-action-merge-dependabot from 3.8.0 to 3.9.0 by @​dependabot in https://github.com/nodejs/undici/pull/2177
• build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @​dependabot in https://github.com/nodejs/undici/pull/2178
• build(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by @​dependabot in https://github.com/nodejs/undici/pull/2175
• test: fix autoselectfamily on platforms without IPv6 support by @​LiviaMedeiros in https://github.com/nodejs/undici/pull/2197
• fix: make multipart/form-data boundary string more consistent by @​LiviaMedeiros in https://github.com/nodejs/undici/pull/2196
• docs: add proxy agent options docs by @​dancastillo in https://github.com/nodejs/undici/pull/2193
• build(deps): bump github/codeql-action from 2.20.3 to 2.21.2 by @​dependabot in https://github.com/nodejs/undici/pull/2205
• feat: make use of addAbortListener where applicable by @​atlowChemi in https://github.com/nodejs/undici/pull/2195

New Contributors

• @​step-security-bot made their first contribution in https://github.com/nodejs/undici/pull/2130
• @​AugustinMauroy made their first contribution in https://github.com/nodejs/undici/pull/2141
• @​rychkog made their first contribution in https://github.com/nodejs/undici/pull/2159
• @​mhdawson made their first contribution in https://github.com/nodejs/undici/pull/2168
• @​GaryWilber made their first contribution in https://github.com/nodejs/undici/pull/2188
• @​atlowChemi made their first contribution in https://github.com/nodejs/undici/pull/2195

Full Changelog: nodejs/undici@v5.22.1...v5.23.0

v5.22.1

Compare Source

What's Changed

• Cache storage by @​KhafraDev in https://github.com/nodejs/undici/pull/2076
• test: skip content-disposition test in node 18 by @​KhafraDev in https://github.com/nodejs/undici/pull/2081
• Cache storage cleanup by @​KhafraDev in https://github.com/nodejs/undici/pull/2082
• Cache storage fixes by @​KhafraDev in https://github.com/nodejs/undici/pull/2083
• test: improve test coverage for ErrorEvent and MessageEvent by @​KhafraDev in https://github.com/nodejs/undici/pull/2085
• test: remove --experimental-wasm-simd by @​KhafraDev in https://github.com/nodejs/undici/pull/2087
• websocket: add websocketinit by @​KhafraDev in https://github.com/nodejs/undici/pull/2088
• feat(websocket): allow setting custom headers by @​KhafraDev in https://github.com/nodejs/undici/pull/2089
• test: fix tests failing only on node v20 by @​KhafraDev in https://github.com/nodejs/undici/pull/2096
• fix: skip set content-length when FormData value is stream by @​fengmk2 in https://github.com/nodejs/undici/pull/2091
• doc: update outdated command in contributing.md by @​jazelly in https://github.com/nodejs/undici/pull/2099
• cache: fix most failing WPTs by @​KhafraDev in https://github.com/nodejs/undici/pull/2100
• feat: allow build:wasm to auto detect platform by @​jazelly in https://github.com/nodejs/undici/pull/2102
• docs: updated Error documentation (fixes #​2090) by @​titanism in https://github.com/nodejs/undici/pull/2092
• mimesniff: fix many broken tests by @​KhafraDev in https://github.com/nodejs/undici/pull/2103
• test: fix failing tests by @​KhafraDev in https://github.com/nodejs/undici/pull/2097
• build(deps): bump github/codeql-action from 2.2.9 to 2.3.2 by @​dependabot in https://github.com/nodejs/undici/pull/2105
• fix: more informative error message to tell that the server doesn't match http/1.1 protocol by @​Songkeys in https://github.com/nodejs/undici/pull/2055
• Fix bug in 16-bit frame length when buffer is a subarray by @​jawj in https://github.com/nodejs/undici/pull/2106
• update wpts by @​KhafraDev in https://github.com/nodejs/undici/pull/2108
• fix: update error definitions by @​dfilatov in https://github.com/nodejs/undici/pull/2112
• fix: make assertion a noop by @​ronag in https://github.com/nodejs/undici/pull/2111

New Contributors

• @​jazelly made their first contribution in https://github.com/nodejs/undici/pull/2099
• @​titanism made their first contribution in https://github.com/nodejs/undici/pull/2092
• @​Songkeys made their first contribution in https://github.com/nodejs/undici/pull/2055
• @​jawj made their first contribution in https://github.com/nodejs/undici/pull/2106
• @​dfilatov made their first contribution in https://github.com/nodejs/undici/pull/2112

Full Changelog: nodejs/undici@v5.22.0...v5.22.1

v5.22.0

Compare Source

What's Changed

• build(deps-dev): bump tsd from 0.27.0 to 0.28.1 by @​dependabot in https://github.com/nodejs/undici/pull/2042
• build(deps): bump ossf/scorecard-action from 2.1.2 to 2.1.3 by @​dependabot in https://github.com/nodejs/undici/pull/2040
• fix: handle opaque origin in sameOrigin by @​KhafraDev in https://github.com/nodejs/undici/pull/2053
• test: add typescript import test back by @​KhafraDev in https://github.com/nodejs/undici/pull/2054
• fix: use getMaxListeners when available by @​KhafraDev in https://github.com/nodejs/undici/pull/2063
• feat: allow overriding hwm by @​ronag in https://github.com/nodejs/undici/pull/2057
• fix: there is no sync connector by @​ronag in https://github.com/nodejs/undici/pull/2059
• fix: rename .wasm to -wasm to appease jest by @​KhafraDev in https://github.com/nodejs/undici/pull/2064
• fix: set content-length when using FormData body w/ request by @​KhafraDev in https://github.com/nodejs/undici/pull/2066
• refactor: unify error body handling by @​ronag in https://github.com/nodejs/undici/pull/2060
• fix: close and destroy overlap by @​ronag in https://github.com/nodejs/undici/pull/2068
• remove node 12 from test matrix by @​ronag in https://github.com/nodejs/undici/pull/2069
• fix: don't leak socket if client is destroyed while connecting by @​ronag in https://github.com/nodejs/undici/pull/2058
• fix: flaky leak test by @​ronag in https://github.com/nodejs/undici/pull/2070
• test: update wpts by @​KhafraDev in https://github.com/nodejs/undici/pull/2073
• perf: latin1 by @​ronag in https://github.com/nodejs/undici/pull/2075
• fix: mock fetch headers shouldn't be an array by @​KhafraDev in https://github.com/nodejs/undici/pull/2080

Full Changelog: nodejs/undici@v5.21.2...v5.22.0

v5.21.2

Compare Source

What's Changed

• Content disposition parsing by @​KhafraDev in https://github.com/nodejs/undici/pull/2051
• fix: clear set-cookie headers by @​KhafraDev in https://github.com/nodejs/undici/pull/2052

Full Changelog: nodejs/undici@v5.21.1...v5.21.2

v5.21.1

Compare Source

What's Changed

• Fix typo in kPipelining symbol by @​andrewfecenko in https://github.com/nodejs/undici/pull/2005
• fix(fetch): remove undefined error cause by @​aduh95 in https://github.com/nodejs/undici/pull/2006
• chore(deps-dev): bump tsd from 0.25.0 to 0.27.0 by @​dependabot in https://github.com/nodejs/undici/pull/2007
• build(deps-dev): bump wait-on from 6.0.1 to 7.0.1 by @​dependabot in https://github.com/nodejs/undici/pull/1820
• fix(wpt): set global META_TITLE for the runner by @​panva in https://github.com/nodejs/undici/pull/2008
• fix: issue 2009 by @​KhafraDev in https://github.com/nodejs/undici/pull/2013
• build(deps-dev): bump typescript from 4.9.5 to 5.0.2 by @​dependabot in https://github.com/nodejs/undici/pull/2018
• added descriptive error messages for URL parser by @​RishabhKodes in https://github.com/nodejs/undici/pull/2016
• fix(fetch): remove content-length header on redirect by @​KhafraDev in https://github.com/nodejs/undici/pull/2022
• fix(fetch): remove assertion on request.body.source on redirect (#​2027) by @​macno in https://github.com/nodejs/undici/pull/2028
• fix: skip failing test in node >= v19.8 by @​KhafraDev in https://github.com/nodejs/undici/pull/2034
• fetch: treat content-encoding as case-insensitive & remove x-deflate by @​KhafraDev in https://github.com/nodejs/undici/pull/2037
• perf(fetch): use string comparisons for url schemes by @​KhafraDev in https://github.com/nodejs/undici/pull/2038
• util: replace util.toUSVString with String.prototype.toWellFormed by @​KhafraDev in https://github.com/nodejs/undici/pull/2036
• build(deps): bump github/codeql-action from 2.2.4 to 2.2.9 by @​dependabot in https://github.com/nodejs/undici/pull/2039
• build(deps-dev): bump concurrently from 7.6.0 to 8.0.1 by @​dependabot in https://github.com/nodejs/undici/pull/2041
• Small performance improvements by @​anonrig in https://github.com/nodejs/undici/pull/2044
• fix(types): Add missing Blob import by @​dpogue in https://github.com/nodejs/undici/pull/2047
• fix: set window option properly by @​KhafraDev in https://github.com/nodejs/undici/pull/2048
• fetch: fix leak by @​ronag in https://github.com/nodejs/undici/pull/2049

New Contributors

• @​aduh95 made their first contribution in https://github.com/nodejs/undici/pull/2006
• @​RishabhKodes made their first contribution in https://github.com/nodejs/undici/pull/2016
• @​macno made their first contribution in https://github.com/nodejs/undici/pull/2028
• @​dpogue made their first contribution in https://github.com/nodejs/undici/pull/2047

Full Changelog: nodejs/undici@v5.21.0...v5.21.1

v5.21.0

Compare Source

What's Changed

• workflow: add scorecard.yml by @​RafaelGSS in https://github.com/nodejs/undici/pull/1942
• ci: timeout CI jobs after 15 minutes by @​dominykas in https://github.com/nodejs/undici/pull/1946
• test(wpt): respect variants by @​panva in https://github.com/nodejs/undici/pull/1951
• fix: improve isFormDataLike compat by @​ronag in https://github.com/nodejs/undici/pull/1953
• fix: flaky fetch tests by @​KhafraDev in https://github.com/nodejs/undici/pull/1956
• test(wpt): include all testing files by @​KhafraDev in https://github.com/nodejs/undici/pull/1954
• fix: remove unneeded fetch tests by @​KhafraDev in https://github.com/nodejs/undici/pull/1960
• fix: use normal timers for delays < 1s by @​ronag in https://github.com/nodejs/undici/pull/1961
• perf: optimize happy path by @​anonrig in https://github.com/nodejs/undici/pull/1955
• fix: 🐛 add URL upstream variations in BalancedPool types by @​jimmy-guzman in https://github.com/nodejs/undici/pull/1966
• test(wpt): handle uncaught exceptions by @​KhafraDev in https://github.com/nodejs/undici/pull/1965
• Fix failing wpts by @​KhafraDev in https://github.com/nodejs/undici/pull/1967
• test(wpt): add results to an existing WPT Report by @​panva in https://github.com/nodejs/undici/pull/1944
• fix: strengthen isStream condition checking by @​debadree25 in https://github.com/nodejs/undici/pull/1969
• fix: implement basic policy container by @​KhafraDev in https://github.com/nodejs/undici/pull/1970
• TypeScript type fixes, for #​1949 by @​joshxyzhimself in https://github.com/nodejs/undici/pull/1968
• websocket: separate connection logic from websocket by @​KhafraDev in https://github.com/nodejs/undici/pull/1973
• README: h3 not showing ### as a header by @​hilleer in https://github.com/nodejs/undici/pull/1975
• wptrunner: expose gc by @​KhafraDev in https://github.com/nodejs/undici/pull/1974
• perf: cork socket before writing by @​ronag in https://github.com/nodejs/undici/pull/1982
• fix: fast timers and event loop lag by @​ronag in https://github.com/nodejs/undici/pull/1977
• fix: correctly calculate resource timing duration by @​amilajack in https://github.com/nodejs/undici/pull/1988
• wpt: update tests by @​KhafraDev in https://github.com/nodejs/undici/pull/1984
• fix: undici stream throwOnError by @​dancastillo in https://github.com/nodejs/undici/pull/1995
• fix: remove unnecessary WeakRef by @​ronag in https://github.com/nodejs/undici/pull/2000
• Fix: websocket.d.ts - error TS2304: Cannot find name 'MessagePort' by @​ZaBlazzingZephyrus in https://github.com/nodejs/undici/pull/1997
• feat: add abort signal to body.dump() by @​debadree25 in https://github.com/nodejs/undici/pull/1993
• fix(fetch): third party abortcontrollers throwing errors by @​KhafraDev in https://github.com/nodejs/undici/pull/2002
• Improve ProxyAgent example with autentication by @​egmen in https://github.com/nodejs/undici/pull/2004
• Add clientFactory option to ProxyAgent by @​andrewfecenko in https://github.com/nodejs/undici/pull/2003

New Contributors

• @​jimmy-guzman made their first contribution in https://github.com/nodejs/undici/pull/1966
• @​hilleer made their first contribution in https://github.com/nodejs/undici/pull/1975
• @​amilajack made their first contribution in https://github.com/nodejs/undici/pull/1988
• @​ZaBlazzingZephyrus made their first contribution in https://github.com/nodejs/undici/pull/1997
• @​egmen made their first contribution in https://github.com/nodejs/undici/pull/2004
• @​andrewfecenko made their first contribution in https://github.com/nodejs/undici/pull/2003

Full Changelog: nodejs/undici@v5.20.0...v5.21.0

v5.20.0

Compare Source

What's Changed

• perf: improve cookie parsing performance by @​KhafraDev in https://github.com/nodejs/undici/pull/1931
• fix: disable websocket wpts in ci :( by @​KhafraDev in https://github.com/nodejs/undici/pull/1932
• fix: Allow “undefined“ as value in headers by @​pan93412 in https://github.com/nodejs/undici/pull/1929
• feat: Support autoSelectFamily when connecting. by @​ShogunPanda in https://github.com/nodejs/undici/pull/1914
• fix: copy cookies when cloning haders by @​KhafraDev in https://github.com/nodejs/undici/pull/1936
• test: more logs in wpt runner by @​KhafraDev in https://github.com/nodejs/undici/pull/1933
• feat: change headersTimeout and bodyTimeout to 300s by @​kyrylkov in https://github.com/nodejs/undici/pull/1937

Full Changelog: nodejs/undici@v5.19.1...v5.20.0

v5.19.1

Compare Source

⚠️ Security Release ⚠️

• Regular Expression Denial of Service in Headers with CVE-2023-24807
• CRLF Injection in Nodejs ‘undici’ via host with CVE-2023-23936

This release is part of the Node.js security release train: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/

v5.19.0

Compare Source

What's Changed

• fix(fetch): raise AbortSignal max event listeners by @​KhafraDev in https://github.com/nodejs/undici/pull/1910
• fix: content-disposition header parsing by @​climba03003 in https://github.com/nodejs/undici/pull/1911
• fix: remove test by @​KhafraDev in https://github.com/nodejs/undici/pull/1916
• feat: add Headers.prototype.getSetCookie by @​KhafraDev in https://github.com/nodejs/undici/pull/1915
• fix(headers): clone getSetCookie list & add getSetCookie type by @​KhafraDev in https://github.com/nodejs/undici/pull/1917
• doc(mock): update out-of-date reply documentation by @​p9f in https://github.com/nodejs/undici/pull/1913
• fix(types): add missing keepAlive params by @​SkeLLLa in https://github.com/nodejs/undici/pull/1918
• Make the fetch() abort test pass locally, on Linux and Mac, Node 18/19. by @​mcollina in https://github.com/nodejs/undici/pull/1927

New Contributors

• @​climba03003 made their first contribution in https://github.com/nodejs/undici/pull/1911
• @​p9f made their first contribution in https://github.com/nodejs/undici/pull/1913

Full Changelog: nodejs/undici@v5.18.0...v5.19.0

v5.18.0

Compare Source

What's Changed

• Add ability to set TCP keepalive by @​xconverge in https://github.com/nodejs/undici/pull/1904
• use faster timers by @​ronag in https://github.com/nodejs/undici/pull/1908
• fix: ensure header value is a string by @​ronag in https://github.com/nodejs/undici/pull/1899

Full Changelog: nodejs/undici@v5.17.1...v5.18.0

v5.17.1

Compare Source

What's Changed

• fix: bad buffer slice (nodejs/undici@d2be675)

Full Changelog: nodejs/undici@v5.17.0...v5.17.1

v5.17.0

Compare Source

What's Changed

• fix(wpts): Blob is a global getter in >=v19.x.x by @​KhafraDev in https://github.com/nodejs/undici/pull/1880
• doc: fix anchor links dispatcher.stream by @​RafaelGSS in https://github.com/nodejs/undici/pull/1881
• wpt: make runner more resilient by @​KhafraDev in https://github.com/nodejs/undici/pull/1884
• Make test pass in v19.x by @​mcollina in https://github.com/nodejs/undici/pull/1879
• Correct the type of DispatchOptions["headers"] by @​pan93412 in https://github.com/nodejs/undici/pull/1896
• perf(content-type parser): faster string collector by @​KhafraDev in https://github.com/nodejs/undici/pull/1894
• feat: expose content-type parser by @​KhafraDev in https://github.com/nodejs/undici/pull/1895
• fix(types): Update DispatchOptions type for missing "blocking" by @​xconverge in https://github.com/nodejs/undici/pull/1889
• fix(types): update error type definitions by @​rafaelcr in https://github.com/nodejs/undici/pull/1888
• fix: ensure connection header is a string by @​ronag in https://github.com/nodejs/undici/pull/1900
• fix: throw if invalid content-type header by @​ronag in https://github.com/nodejs/undici/pull/1901
• fix(fetch): use semicolon for Cookie header delimiter by @​KhafraDev in https://github.com/nodejs/undici/pull/1906
• Use FastBuffer by @​ronag in https://github.com/nodejs/undici/pull/1907

New Contributors

• @​pan93412 made their first contribution in https://github.com/nodejs/undici/pull/1896
• @​rafaelcr made their first contribution in https://github.com/nodejs/undici/pull/1888

Full Changelog: nodejs/undici@v5.16.0...v5.17.0

v5.16.0

Compare Source

What's Changed

• Add feature to specify custom headers for proxies by @​Sebmaster in https://github.com/nodejs/undici/pull/1877

New Contributors

• @​Sebmaster made their first contribution in https://github.com/nodejs/undici/pull/1877

Full Changelog: nodejs/undici@v5.15.2...v5.16.0

v5.15.2

Compare Source

v5.15.1

Compare Source

What's Changed

• fix(websocket): simplify typedarray copying by @​KhafraDev in https://github.com/nodejs/undici/pull/1854
• fix: wpts on node v18.13.0+ by @​KhafraDev in https://github.com/nodejs/undici/pull/1859
• perf: allow keep alive for HEAD requests by @​ronag in https://github.com/nodejs/undici/pull/1858
• fix: flaky abort test by @​KhafraDev in https://github.com/nodejs/undici/pull/1863

Full Changelog: nodejs/undici@v5.15.0...v5.15.1

v5.15.0

Compare Source

What's Changed

• [types] update ProxyAgent Options (timeout) by @​sosoba in https://github.com/nodejs/undici/pull/1801

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.