fix(deps): update dependency undici to v5.5.1 [security] #13862
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.4.0
->5.5.1
GitHub Vulnerability Alerts
CVE-2022-32210
Description
Undici.ProxyAgent
never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.Impact
This affects all use of HTTPS via HTTP proxy using
Undici.ProxyAgent
with Undici or Node's globalfetch
. In this case, it removes all HTTPS security from all requests sent using Undici'sProxyAgent
, allowing trivial MitM attacks by anybody on the network path between the client and the target server (local network users, your ISP, the proxy, the target server's ISP, etc).This less seriously affects HTTPS via HTTPS proxies. When you send HTTPS via a proxy to a remote server, the proxy can freely view or modify all HTTPS traffic unexpectedly (but only the proxy).
Example:
Patches
This issue was patched in Undici v5.5.1.
Workarounds
At the time of writing, the only workaround is to not use
ProxyAgent
as a dispatcher for TLS Connections.For more information
If you have any questions or comments about this advisory:
Release Notes
nodejs/undici
v5.5.1
Compare Source
This releases fixes CVE CVE-2022-32210. See GHSA-pgw7-wx7w-2w33 for more details:
Full Changelog: nodejs/undici@v5.5.0...v5.5.1
v5.5.0
Compare Source
What's Changed
TypedArray
andDataView
as Request body by @LiviaMedeiros in https://github.com/nodejs/undici/pull/1472node-fetch
tests by @KhafraDev in https://github.com/nodejs/undici/pull/1486FormData Iterator
by @KhafraDev in https://github.com/nodejs/undici/pull/1473New Contributors
Full Changelog: nodejs/undici@v5.4.0...v5.5.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.