Skip to content

Commit

Permalink
chore(deps): update dependency undici to v6.6.1 [security] (#410)
Browse files Browse the repository at this point in the history 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [undici](https://undici.nodejs.org)
([source](https://togithub.com/nodejs/undici)) | [`6.4.0` ->
`6.6.1`](https://renovatebot.com/diffs/npm/undici/6.4.0/6.6.1) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/undici/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/6.4.0/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/6.4.0/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-24750](https://togithub.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw)

### Impact

Calling `fetch(url)` and not consuming the incoming body ((or consuming
it very slowing) will lead to a memory leak.

### Patches

Patched in v6.6.1

### Workarounds

Make sure to always consume the incoming body.

####
[CVE-2024-24758](https://togithub.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3)

### Impact

Undici already cleared Authorization headers on cross-origin redirects,
but did not clear `Proxy-Authorization` headers.

### Patches

This is patched in v5.28.3 and v6.6.1

### Workarounds

There are no known workarounds.

### References

- https://fetch.spec.whatwg.org/#authentication-entries
-
GHSA-wqq4-5wpv-mx2g

---

### Release Notes

<details>
<summary>nodejs/undici (undici)</summary>

### [`v6.6.1`](https://togithub.com/nodejs/undici/releases/tag/v6.6.1)

[Compare
Source](https://togithub.com/nodejs/undici/compare/v6.6.0...v6.6.1)

#### ⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple
of days.

#### What's Changed

- fix: flaky debug test by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2687
- build(deps): bump github/codeql-action from 3.22.12 to 3.23.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[nodejs/undici#2688
- build(deps): bump actions/dependency-review-action from 3.1.0 to 4.0.0
by [@&#8203;dependabot](https://togithub.com/dependabot) in
[nodejs/undici#2689
- fix: ci pipeline warnings by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2685
- perf: optimize Iterator by [@&#8203;tsctx](https://togithub.com/tsctx)
in
[nodejs/undici#2692

**Full Changelog**:
nodejs/undici@v6.6.0...v6.6.1

### [`v6.6.0`](https://togithub.com/nodejs/undici/releases/tag/v6.6.0)

[Compare
Source](https://togithub.com/nodejs/undici/compare/v6.5.0...v6.6.0)

#### What's Changed

- add webSocket example by
[@&#8203;mertcanaltin](https://togithub.com/mertcanaltin) in
[nodejs/undici#2626
- chore: remove atomic-sleep as dev dependency by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2648
- chore: remove semver as dev dependency by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2646
- chore: remove table as dev dependency by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2649
- chore: remove delay as dev dependency by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2647
- chore: reduce noise in test-logs test/issue-2349.js by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2655
- chore: fix faketimer warning in test/request-timeout.js by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2656
- chore: reduce noise in test logs test/client-node-max-header-size.js
by [@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2654
- refactor: use fromInnerResponse by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[nodejs/undici#2635
- fix: support deflate raw responses by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2650
- Support building for externally shared js builtins by
[@&#8203;mochaaP](https://togithub.com/mochaaP) in
[nodejs/undici#2643
- fix: typo clampAndCoarsenConnectionTimingInfo by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2653
- chore: use 'node:'-prefix for requiring node core modules by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2662
- build(deps-dev): bump husky from 8.0.3 to 9.0.7 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[nodejs/undici#2667
- build(deps-dev): bump cronometro from 1.2.0 to 2.0.2 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[nodejs/undici#2668
- remove timers/promises import by
[@&#8203;KhafraDev](https://togithub.com/KhafraDev) in
[nodejs/undici#2665
- chore: fix various codesmells by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2669
- chore: remove this alias in agent.js by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2671
- chore: use optional chaining by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2666
- chore: small perf improvements by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2661
- implement spec changes from a while ago by
[@&#8203;KhafraDev](https://togithub.com/KhafraDev) in
[nodejs/undici#2676
- websocket: fix close when no closing code is received by
[@&#8203;KhafraDev](https://togithub.com/KhafraDev) in
[nodejs/undici#2680
- fix: make ci less flaky by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2684

#### New Contributors

- [@&#8203;mochaaP](https://togithub.com/mochaaP) made their first
contribution in
[nodejs/undici#2643

**Full Changelog**:
nodejs/undici@v6.5.0...v6.6.0

### [`v6.5.0`](https://togithub.com/nodejs/undici/releases/tag/v6.5.0)

[Compare
Source](https://togithub.com/nodejs/undici/compare/v6.4.0...v6.5.0)

#### What's Changed

- build(deps-dev): bump jsdom from 23.2.0 to 24.0.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[nodejs/undici#2632
- feat: Implement EventSource by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[nodejs/undici#2608
- fix: readable body by [@&#8203;ronag](https://togithub.com/ronag) in
[nodejs/undici#2642

**Full Changelog**:
nodejs/undici@v6.4.0...v6.5.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/octokit/rest.js).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNzMuMCIsInVwZGF0ZWRJblZlciI6IjM3LjE3My4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  • Loading branch information
@renovate
renovate[bot] committed Feb 16, 2024
1 parent 81488d4 commit e2d6559
Showing 1 changed file with 3 additions and 3 deletions.
6 changes: 3 additions & 3 deletions package-lock.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

0 comments on commit e2d6559

Please sign in to comment.