Update dependency undici to v5.28.3 [SECURITY] - abandoned

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	5.26.2 -> 5.28.3

GitHub Vulnerability Alerts

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

• https://fetch.spec.whatwg.org/#authentication-entries
• GHSA-wqq4-5wpv-mx2g

---

Release Notes

nodejs/undici (undici)

v5.28.3

Compare Source

⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

v5.28.2

Compare Source

What's Changed

• fix: remove optional chainning for compatible with Nodejs12 and below by @​bugb in https://github.com/nodejs/undici/pull/2470
• fix: remove node: prefix by @​tsctx in https://github.com/nodejs/undici/pull/2471
• perf: avoid Headers initialization by @​tsctx in https://github.com/nodejs/undici/pull/2468
• fix: handle SharedArrayBuffer correctly by @​tsctx in https://github.com/nodejs/undici/pull/2466
• fix: Add null type to signal in RequestInit by @​gebsh in https://github.com/nodejs/undici/pull/2455
• fix: correctly handle data URL with hashes. by @​tsctx in https://github.com/nodejs/undici/pull/2475
• fix: check response for timinginfo allow flag by @​ToshB in https://github.com/nodejs/undici/pull/2477
• Make call to onBodySent conditional in RetryHandler by @​MzUgM in https://github.com/nodejs/undici/pull/2478
• refactor: better integrity check by @​tsctx in https://github.com/nodejs/undici/pull/2462
• fix: Added support for inline URL username:password proxy auth by @​matt-way in https://github.com/nodejs/undici/pull/2473
• build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/2472
• build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @​dependabot in https://github.com/nodejs/undici/pull/2405
• build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @​dependabot in https://github.com/nodejs/undici/pull/2396
• build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/2395
• build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @​dependabot in https://github.com/nodejs/undici/pull/2392
• build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @​dependabot in https://github.com/nodejs/undici/pull/2389
• build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @​dependabot in https://github.com/nodejs/undici/pull/2302

New Contributors

• @​bugb made their first contribution in https://github.com/nodejs/undici/pull/2470
• @​gebsh made their first contribution in https://github.com/nodejs/undici/pull/2455
• @​ToshB made their first contribution in https://github.com/nodejs/undici/pull/2477
• @​MzUgM made their first contribution in https://github.com/nodejs/undici/pull/2478
• @​matt-way made their first contribution in https://github.com/nodejs/undici/pull/2473

Full Changelog: nodejs/undici@v5.28.1...v5.28.2

v5.28.1

Compare Source

What's Changed

• perf: Improve normalizeMethod by @​tsctx in https://github.com/nodejs/undici/pull/2456
• fix: dispatch error handling by @​ronag in https://github.com/nodejs/undici/pull/2459
• perf(request): optimize if headers are given by @​tsctx in https://github.com/nodejs/undici/pull/2454

Full Changelog: nodejs/undici@v5.28.0...v5.28.1

v5.28.0

Compare Source

What's Changed

• fix(parseHeaders): util.parseHeaders handle correctly array of buffer… by @​mdoria12 in https://github.com/nodejs/undici/pull/2398
• docs: add license to undici-types by @​dancastillo in https://github.com/nodejs/undici/pull/2401
• perf: optimize Readable.dump by @​ronag in https://github.com/nodejs/undici/pull/2402
• perf(headers): Improve Headers by @​tsctx in https://github.com/nodejs/undici/pull/2397
• test: re-enable conditional WPT Report for websockets by @​panva in https://github.com/nodejs/undici/pull/2407
• fix: delay abort on 'close' by @​ronag in https://github.com/nodejs/undici/pull/2408
• refactor: use substring instead of substr by @​tsctx in https://github.com/nodejs/undici/pull/2411
• add additional http2 test with fetch by @​KhafraDev in https://github.com/nodejs/undici/pull/2419
• fix: HTTPToken check by @​tsctx in https://github.com/nodejs/undici/pull/2410
• perf: optimize HeadersList.get by @​tsctx in https://github.com/nodejs/undici/pull/2420
• properly handle pseudo-headers in fetch by @​KhafraDev in https://github.com/nodejs/undici/pull/2422
• perf(headers): if the guard is immutable by @​tsctx in https://github.com/nodejs/undici/pull/2424
• fix(mock-agent): send stream body by @​tsctx in https://github.com/nodejs/undici/pull/2425
• build(deps): bump github/codeql-action from 2.21.5 to 2.22.5 by @​dependabot in https://github.com/nodejs/undici/pull/2394
• feat(#​2264): Expose Retry Handler by @​metcoder95 in https://github.com/nodejs/undici/pull/2281
• fix: implement Headers#set correctly by @​tsctx in https://github.com/nodejs/undici/pull/2432
• fix: implement Headers#delete correctly by @​tsctx in https://github.com/nodejs/undici/pull/2430
• test: update websocket wpt availability by @​panva in https://github.com/nodejs/undici/pull/2437
• fix: type comment position by @​tsctx in https://github.com/nodejs/undici/pull/2443
• fix: onHeaders type declaration by @​tsctx in https://github.com/nodejs/undici/pull/2444
• remove http2 status pseudo header from headers by @​KhafraDev in https://github.com/nodejs/undici/pull/2438
• docs: Clarify path matching in intercept() by @​oliversalzburg in https://github.com/nodejs/undici/pull/2426
• fix: set-cookie clone by @​tsctx in https://github.com/nodejs/undici/pull/2446
• docs: fix typo in maxConcurrentStreams by @​tniessen in https://github.com/nodejs/undici/pull/2450
• refactor: remove leftovers by @​metcoder95 in https://github.com/nodejs/undici/pull/2451
• refactor: add missing new operator by @​tsctx in https://github.com/nodejs/undici/pull/2452

New Contributors

• @​mdoria12 made their first contribution in https://github.com/nodejs/undici/pull/2398
• @​tsctx made their first contribution in https://github.com/nodejs/undici/pull/2397
• @​oliversalzburg made their first contribution in https://github.com/nodejs/undici/pull/2426

Full Changelog: nodejs/undici@v5.27.2...v5.28.0

v5.27.2

Compare Source

Full Changelog: nodejs/undici@v5.27.1...v5.27.2

v5.27.1

Compare Source

What's Changed

• add regression test by @​KhafraDev in https://github.com/nodejs/undici/pull/2376
• fix: define conditions when content-length should be sent by @​pxue in https://github.com/nodejs/undici/pull/2305
• refactor: removed unnecessary default by @​nikelborm in https://github.com/nodejs/undici/pull/2381
• fix: stream body handling by @​ronag in https://github.com/nodejs/undici/pull/2391

New Contributors

• @​pxue made their first contribution in https://github.com/nodejs/undici/pull/2305
• @​nikelborm made their first contribution in https://github.com/nodejs/undici/pull/2381

Full Changelog: nodejs/undici@v5.27.0...v5.27.1

v5.27.0

Compare Source

What's Changed

• Use sets and reusable TextEncoder/TextDecoder instances by @​kibertoad in https://github.com/nodejs/undici/pull/2368
• feat: forward onRequestSent to handler by @​ronag in https://github.com/nodejs/undici/pull/2375
• skip bundle test on node 16 by @​KhafraDev in https://github.com/nodejs/undici/pull/2377
• fix windows CI by @​KhafraDev in https://github.com/nodejs/undici/pull/2379

Full Changelog: nodejs/undici@v5.26.5...v5.27.0

v5.26.5

Compare Source

What's Changed

• Drop race condition in connect-timeout test by @​mcollina in https://github.com/nodejs/undici/pull/2360
• Remove a couple of unnecessary async functions by @​kibertoad in https://github.com/nodejs/undici/pull/2367
• Update namespace type with Fetch exports by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2361

Full Changelog: nodejs/undici@v5.26.4...v5.26.5

v5.26.4

Compare Source

What's Changed

• use esbuild define/hooks by @​KhafraDev in https://github.com/nodejs/undici/pull/2342
• fix request's arrayBuffer returning uint8 instead of arraybuffer by @​KhafraDev in https://github.com/nodejs/undici/pull/2344
• fix: skip readMore call if parser is null or undefined by @​iiAku in https://github.com/nodejs/undici/pull/2346
• test: first attempt for flaky fix by @​metcoder95 in https://github.com/nodejs/undici/pull/2337
• test: only include WebSocket in WPT Report where it's landed by @​panva in https://github.com/nodejs/undici/pull/2351
• Update DispatchInterceptor.md by @​Uzlopak in https://github.com/nodejs/undici/pull/2354
• fix: Avoid error for stream() being aborted by @​BobNobrain in https://github.com/nodejs/undici/pull/2355
• fix names with esbuild by @​KhafraDev in https://github.com/nodejs/undici/pull/2359

New Contributors

• @​iiAku made their first contribution in https://github.com/nodejs/undici/pull/2346
• @​Uzlopak made their first contribution in https://github.com/nodejs/undici/pull/2354
• @​BobNobrain made their first contribution in https://github.com/nodejs/undici/pull/2355

Full Changelog: nodejs/undici@v5.26.3...v5.26.4

v5.26.3

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 5fd4a37

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[ernestognw]

Doesn't seem to affect since we're using undici only to know whether we've already published a package in the release process, but there's no secret exposed to it or a way in which the request can be manipulated maliciously based on the corresponding CVE.

Imo it's suspicious that the CI is failing because the compiler can't be downloaded. I'll wait a couple hours and retry

[ernestognw]

There are a couple of updates. Retrying the CI.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠ Warning: custom changes will be lost.

[renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.