Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update dependency undici to v5.19.1 [SECURITY] #7

Merged

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 18, 2023

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
undici (source) 5.14.0 -> 5.19.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2023-23936

Impact

undici library does not protect host HTTP header from CRLF injection vulnerabilities.

Patches

This issue was patched in Undici v5.19.1.

Workarounds

Sanitize the headers.host string before passing to undici.

References

Reported at https://hackerone.com/reports/1820955.

Credits

Thank you to Zhipeng Zhang (@​timon8) for reporting this vulnerability.


Release Notes

nodejs/undici (undici)

v5.19.1

Compare Source

⚠️ Security Release ⚠️

This release is part of the Node.js security release train: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/

v5.19.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.18.0...v5.19.0

v5.18.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.17.1...v5.18.0

v5.17.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.17.0...v5.17.1

v5.17.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.16.0...v5.17.0

v5.16.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.15.2...v5.16.0

v5.15.2

Compare Source

v5.15.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v5.15.0...v5.15.1

v5.15.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v5.14.0...v5.15.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@stackblitz
Copy link

stackblitz bot commented Sep 18, 2023

Review PR in StackBlitz Codeflow Run & review this pull request in StackBlitz Codeflow.

@changeset-bot
Copy link

changeset-bot bot commented Sep 18, 2023

⚠️ No Changeset found

Latest commit: ff03b1d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@kodiakhq kodiakhq bot merged commit 7f8f85b into 01-30-Add_test_for_issue_45393 Sep 18, 2023
1 check passed
@kodiakhq kodiakhq bot deleted the renovate/npm-undici-vulnerability branch September 18, 2023 10:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants