Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chore(deps): update dependency undici to v5.26.2 [security] (#370)
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [undici](https://undici.nodejs.org) ([source](https://togithub.com/nodejs/undici)) | [`5.22.1` -> `5.26.2`](https://renovatebot.com/diffs/npm/undici/5.22.1/5.26.2) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2023-45143](https://togithub.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp) ### Impact Undici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in `RequestInit.headers` in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. ### Patches This was patched in [e041de359221ebeae04c469e8aff4145764e6d76](https://togithub.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76), which is included in version 5.26.2. --- ### Release Notes <details> <summary>nodejs/undici (undici)</summary> ### [`v5.26.2`](https://togithub.com/nodejs/undici/releases/tag/v5.26.2) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.1...v5.26.2) Security Release, CVE-2023-45143. ### [`v5.26.1`](https://togithub.com/nodejs/undici/releases/tag/v5.26.1) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.0...v5.26.1) #### What's Changed - Fix publish undici-types once and for all! by [@​Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [nodejs/undici#2338 - Fix node detection omfg by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2341 **Full Changelog**: nodejs/undici@v5.26.0...v5.26.1 ### [`v5.26.0`](https://togithub.com/nodejs/undici/releases/tag/v5.26.0) [Compare Source](https://togithub.com/nodejs/undici/compare/5e654f351a9a813fed3e9feff4388b5c4fbda787...v5.26.0) #### What's Changed - use npm install instead of npm ci by [@​Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [nodejs/undici#2309 - change default header to `node` by [@​Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [nodejs/undici#2310 - chore: change order of the pseudo-headers by [@​kyrylodolynskyi](https://togithub.com/kyrylodolynskyi) in [nodejs/undici#2308 - fix: Agent.Options.factory should accept URL object or string as parameter by [@​nicole0707](https://togithub.com/nicole0707) in [nodejs/undici#2295 - build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2312 - test: handle npm ignore-scripts settings by [@​panva](https://togithub.com/panva) in [nodejs/undici#2313 - feat: respect `--max-http-header-size` Node.js flag by [@​balazsorban44](https://togithub.com/balazsorban44) in [nodejs/undici#2234 - fix([#​2311](https://togithub.com/nodejs/undici/issues/2311)): End stream after body sent by [@​metcoder95](https://togithub.com/metcoder95) in [nodejs/undici#2314 - disallow setting host header in fetch by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2322 - \[StepSecurity] ci: Harden GitHub Actions by [@​step-security-bot](https://togithub.com/step-security-bot) in [nodejs/undici#2325 - fix fetch with coverage enabled by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2330 - Fix stuck when using http2 POST Buffer by [@​binsee](https://togithub.com/binsee) in [nodejs/undici#2336 - fix: 🏷️ add allowH2 to BuildOptions by [@​binsee](https://togithub.com/binsee) in [nodejs/undici#2334 - fix: 🐛 fix process http2 header by [@​binsee](https://togithub.com/binsee) in [nodejs/undici#2332 #### New Contributors - [@​kyrylodolynskyi](https://togithub.com/kyrylodolynskyi) made their first contribution in [nodejs/undici#2308 - [@​nicole0707](https://togithub.com/nicole0707) made their first contribution in [nodejs/undici#2295 - [@​balazsorban44](https://togithub.com/balazsorban44) made their first contribution in [nodejs/undici#2234 - [@​binsee](https://togithub.com/binsee) made their first contribution in [nodejs/undici#2336 **Full Changelog**: nodejs/undici@v5.23.4...v5.26.0 ### [`v5.25.4`](https://togithub.com/nodejs/undici/compare/v5.25.3...5e654f351a9a813fed3e9feff4388b5c4fbda787) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.3...5e654f351a9a813fed3e9feff4388b5c4fbda787) ### [`v5.25.3`](https://togithub.com/nodejs/undici/releases/tag/v5.25.3) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.2...v5.25.3) #### What's Changed - perf: improve parse-url implementation by [@​anonrig](https://togithub.com/anonrig) in [nodejs/undici#2286 - test: enable websockets inclusion in WPTReport by [@​panva](https://togithub.com/panva) in [nodejs/undici#2284 - remove npm run test from pre-commit hook by [@​dancastillo](https://togithub.com/dancastillo) in [nodejs/undici#2296 - perf: use [@​fastify/busboy](https://togithub.com/fastify/busboy) by [@​gurgunday](https://togithub.com/gurgunday) in [nodejs/undici#2211 - Disable finalizationregistry if node code cov by [@​mcollina](https://togithub.com/mcollina) in [nodejs/undici#2298 #### New Contributors - [@​gurgunday](https://togithub.com/gurgunday) made their first contribution in [nodejs/undici#2211 **Full Changelog**: nodejs/undici@v5.25.2...v5.25.3 ### [`v5.25.2`](https://togithub.com/nodejs/undici/releases/tag/v5.25.2) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.1...v5.25.2) #### What's Changed - Add Khaf to releasers by [@​mcollina](https://togithub.com/mcollina) in [nodejs/undici#2276 - fix: fix request with readable mode is object by [@​killagu](https://togithub.com/killagu) in [nodejs/undici#2279 - fix loading websockets when node is built w/ --without-ssl by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2282 #### New Contributors - [@​killagu](https://togithub.com/killagu) made their first contribution in [nodejs/undici#2279 **Full Changelog**: nodejs/undici@v5.25.1...v5.25.2 ### [`v5.25.1`](https://togithub.com/nodejs/undici/releases/tag/v5.25.1) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.0...v5.25.1) #### What's Changed - Add publish types script by [@​Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [nodejs/undici#2273 **Full Changelog**: nodejs/undici@v5.25.0...v5.25.1 ### [`v5.25.0`](https://togithub.com/nodejs/undici/releases/tag/v5.25.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.24.0...v5.25.0) #### What's Changed - fix: h2 without body by [@​metcoder95](https://togithub.com/metcoder95) in [nodejs/undici#2258 - ci: remove duplicated runs by [@​metcoder95](https://togithub.com/metcoder95) in [nodejs/undici#2265 - improve documentation of timeouts by making the units clear in all places by [@​mcfedr](https://togithub.com/mcfedr) in [nodejs/undici#2266 - expose websocket in node bundle by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2217 - test: fix Fetch/HTTP2 tests by [@​metcoder95](https://togithub.com/metcoder95) in [nodejs/undici#2263 - fix undici when node is built with --without-ssl by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2272 - fix: Fix type definition for Client Interceptors by [@​ComradeCow](https://togithub.com/ComradeCow) in [nodejs/undici#2269 - Fix http2 agent by [@​mcollina](https://togithub.com/mcollina) in [nodejs/undici#2275 #### New Contributors - [@​ComradeCow](https://togithub.com/ComradeCow) made their first contribution in [nodejs/undici#2269 **Full Changelog**: nodejs/undici@v5.24.0...v5.25.0 ### [`v5.24.0`](https://togithub.com/nodejs/undici/releases/tag/v5.24.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.23.0...v5.24.0) #### Notable Changes - feat: Add H2 support by [@​metcoder95](https://togithub.com/metcoder95) in [nodejs/undici#2061 #### What's Changed - build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2203 - better stack trace for body.json by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2215 - allow http & https websocket urls by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2218 - build(deps-dev): bump [@​sinonjs/fake-timers](https://togithub.com/sinonjs/fake-timers) from 10.3.0 to 11.1.0 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2221 - fix: pass ProxyAgent proxy status code error by [@​NBNGaming](https://togithub.com/NBNGaming) in [nodejs/undici#2162 - fix failing test by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2223 - docs: update MockPool.md intercept method description by [@​capaj](https://togithub.com/capaj) in [nodejs/undici#2220 - Update wpts by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2226 - build(deps): bump github/codeql-action from 2.21.2 to 2.21.5 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2240 - build(deps): bump actions/setup-node from 3.6.0 to 3.8.1 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2237 - build(deps): bump fastify/github-action-merge-dependabot from 3.9.0 to 3.9.1 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2236 - build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2241 - build(deps): bump actions/dependency-review-action from 3.0.6 to 3.0.8 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2238 - fix: aborting request with non-object error by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2243 - fix: preserve file path when parsing formdata by [@​jimmywarting](https://togithub.com/jimmywarting) in [nodejs/undici#2245 - build(deps-dev): bump tsd from 0.28.1 to 0.29.0 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2246 - Updated benchmarks by [@​mcollina](https://togithub.com/mcollina) in [nodejs/undici#2250 - Fix fetch in node v20.6.0 by [@​mcollina](https://togithub.com/mcollina) in [nodejs/undici#2251 - Maybe fix v20 by [@​mcollina](https://togithub.com/mcollina) in [nodejs/undici#2252 - feat: Add H2 support by [@​metcoder95](https://togithub.com/metcoder95) in [nodejs/undici#2061 - docs: fix tables in README by [@​regseb](https://togithub.com/regseb) in [nodejs/undici#2254 - Fix http2 fetch test by [@​mcollina](https://togithub.com/mcollina) in [nodejs/undici#2253 #### New Contributors - [@​NBNGaming](https://togithub.com/NBNGaming) made their first contribution in [nodejs/undici#2162 - [@​capaj](https://togithub.com/capaj) made their first contribution in [nodejs/undici#2220 - [@​regseb](https://togithub.com/regseb) made their first contribution in [nodejs/undici#2254 **Full Changelog**: nodejs/undici@v5.23.0...v5.24.0 ### [`v5.23.0`](https://togithub.com/nodejs/undici/releases/tag/v5.23.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.22.1...v5.23.0) #### What's Changed - bump engines to node >= 16 by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2119 - Revert "bump engines to node >= 16 ([#​2119](https://togithub.com/nodejs/undici/issues/2119))" by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2121 - fetch: set referrer properly by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2125 - fix: support truncated gzip by [@​jimmywarting](https://togithub.com/jimmywarting) in [nodejs/undici#2126 - workflow: apply security best practices by [@​step-security-bot](https://togithub.com/step-security-bot) in [nodejs/undici#2130 - build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2135 - build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2133 - build(deps): bump node from 18-alpine to 20-alpine in /build by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2131 - build(deps): bump pkgjs/action from 0.1.6 to 0.1.7 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2136 - build(deps): bump actions/checkout from 3.1.0 to 3.5.2 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2132 - build(deps-dev): bump jsdom from 21.1.2 to 22.1.0 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2142 - build(deps): bump fastify/github-action-merge-dependabot from 3.7.0 to 3.8.0 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2148 - fix(pr): use correct pr template file by [@​AugustinMauroy](https://togithub.com/AugustinMauroy) in [nodejs/undici#2141 - Additional WebSocket send tests to cover all payload size categories by [@​jawj](https://togithub.com/jawj) in [nodejs/undici#2149 - fix: reverse decompression order of "Content-Encoding" encodings (fixes [#​2158](https://togithub.com/nodejs/undici/issues/2158)) by [@​rychkog](https://togithub.com/rychkog) in [nodejs/undici#2159 - fix: keep running WPTs if a test times out by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2165 - feat: add build environment info by [@​mhdawson](https://togithub.com/mhdawson) in [nodejs/undici#2168 - fix: forward error reason to fetch controller by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2172 - stricter types for bodymixin.json by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2181 - chore: Renable autoSelectFamily tests. by [@​ShogunPanda](https://togithub.com/ShogunPanda) in [nodejs/undici#2180 - build(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2147 - build(deps): bump github/codeql-action from 2.3.2 to 2.20.3 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2185 - fix: fetch resource timing performance entry names should be strings by [@​GaryWilber](https://togithub.com/GaryWilber) in [nodejs/undici#2188 - build(deps): bump actions/checkout from 3.5.2 to 3.5.3 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2176 - build(deps): bump fastify/github-action-merge-dependabot from 3.8.0 to 3.9.0 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2177 - build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2178 - build(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2175 - test: fix `autoselectfamily` on platforms without IPv6 support by [@​LiviaMedeiros](https://togithub.com/LiviaMedeiros) in [nodejs/undici#2197 - fix: make multipart/form-data boundary string more consistent by [@​LiviaMedeiros](https://togithub.com/LiviaMedeiros) in [nodejs/undici#2196 - docs: add proxy agent options docs by [@​dancastillo](https://togithub.com/dancastillo) in [nodejs/undici#2193 - build(deps): bump github/codeql-action from 2.20.3 to 2.21.2 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2205 - feat: make use of `addAbortListener` where applicable by [@​atlowChemi](https://togithub.com/atlowChemi) in [nodejs/undici#2195 #### New Contributors - [@​step-security-bot](https://togithub.com/step-security-bot) made their first contribution in [nodejs/undici#2130 - [@​AugustinMauroy](https://togithub.com/AugustinMauroy) made their first contribution in [nodejs/undici#2141 - [@​rychkog](https://togithub.com/rychkog) made their first contribution in [nodejs/undici#2159 - [@​mhdawson](https://togithub.com/mhdawson) made their first contribution in [nodejs/undici#2168 - [@​GaryWilber](https://togithub.com/GaryWilber) made their first contribution in [nodejs/undici#2188 - [@​atlowChemi](https://togithub.com/atlowChemi) made their first contribution in [nodejs/undici#2195 **Full Changelog**: nodejs/undici@v5.22.1...v5.23.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/octokit/rest.js). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xOS4yIiwidXBkYXRlZEluVmVyIjoiMzcuMTkuMiIsInRhcmdldEJyYW5jaCI6Im1haW4ifQ==--> Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
](https://renovatebot.com){kind=link}
- Loading branch information
1 parent
25abc9f
commit 9ffc749