From 71c83e738c835a05a76fe42d480c4bcc5e5baf68 Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Mon, 16 Oct 2023 22:24:47 +0000
Subject: [PATCH] chore(deps): update dependency undici to v5.26.2 [security] (#270)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [undici](https://undici.nodejs.org) ([source](https://togithub.com/nodejs/undici)) | [`5.23.0` -> `5.26.2`](https://renovatebot.com/diffs/npm/undici/5.23.0/5.26.2) | [![age](https://developer.mend.io/api/mc/badges/age/npm/undici/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/5.23.0/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/5.23.0/5.26.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2023-45143](https://togithub.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp)

### Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear `Cookie` headers. By design, `cookie` headers are [forbidden request headers](https://fetch.spec.whatwg.org/#forbidden-request-header), disallowing them to be set in `RequestInit.headers` in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect between the assumptions the spec made and Undici's implementation of fetch.
As such this may lead to accidental leakage of cookies to a 3rd-party site, or to a malicious attacker who can control the redirection target (i.e. an open redirector) to leak the cookie to the 3rd-party site.

### Patches

This was patched in [e041de359221ebeae04c469e8aff4145764e6d76](https://togithub.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76), which is included in version 5.26.2.

---

### Release Notes
nodejs/undici (undici)

### [`v5.26.2`](https://togithub.com/nodejs/undici/releases/tag/v5.26.2)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.1...v5.26.2)

Security Release, CVE-2023-45143.

### [`v5.26.1`](https://togithub.com/nodejs/undici/releases/tag/v5.26.1)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.0...v5.26.1)

#### What's Changed

- Fix publish undici-types once and for all! by [@​Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2338](https://togithub.com/nodejs/undici/pull/2338)
- Fix node detection omfg by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2341](https://togithub.com/nodejs/undici/pull/2341)

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.26.0...v5.26.1

### [`v5.26.0`](https://togithub.com/nodejs/undici/releases/tag/v5.26.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/5e654f351a9a813fed3e9feff4388b5c4fbda787...v5.26.0)

#### What's Changed

- use npm install instead of npm ci by [@​Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2309](https://togithub.com/nodejs/undici/pull/2309)
- change default header to `node` by [@​Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2310](https://togithub.com/nodejs/undici/pull/2310)
- chore: change order of the pseudo-headers by [@​kyrylodolynskyi](https://togithub.com/kyrylodolynskyi) in [https://github.com/nodejs/undici/pull/2308](https://togithub.com/nodejs/undici/pull/2308)
- fix: Agent.Options.factory should accept URL object or string as parameter by [@​nicole0707](https://togithub.com/nicole0707) in [https://github.com/nodejs/undici/pull/2295](https://togithub.com/nodejs/undici/pull/2295)
- build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2312](https://togithub.com/nodejs/undici/pull/2312)
- test: handle npm ignore-scripts settings by [@​panva](https://togithub.com/panva) in [https://github.com/nodejs/undici/pull/2313](https://togithub.com/nodejs/undici/pull/2313)
- feat: respect `--max-http-header-size` Node.js flag by [@​balazsorban44](https://togithub.com/balazsorban44) in [https://github.com/nodejs/undici/pull/2234](https://togithub.com/nodejs/undici/pull/2234)
- fix([#​2311](https://togithub.com/nodejs/undici/issues/2311)): End stream after body sent by [@​metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2314](https://togithub.com/nodejs/undici/pull/2314)
- disallow setting host header in fetch by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2322](https://togithub.com/nodejs/undici/pull/2322)
- \[StepSecurity] ci: Harden GitHub Actions by [@​step-security-bot](https://togithub.com/step-security-bot) in [https://github.com/nodejs/undici/pull/2325](https://togithub.com/nodejs/undici/pull/2325)
- fix fetch with coverage enabled by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2330](https://togithub.com/nodejs/undici/pull/2330)
- Fix stuck when using http2 POST Buffer by [@​binsee](https://togithub.com/binsee) in [https://github.com/nodejs/undici/pull/2336](https://togithub.com/nodejs/undici/pull/2336)
- fix: 🏷️ add allowH2 to BuildOptions by [@​binsee](https://togithub.com/binsee) in [https://github.com/nodejs/undici/pull/2334](https://togithub.com/nodejs/undici/pull/2334)
- fix: 🐛 fix process http2 header by [@​binsee](https://togithub.com/binsee) in [https://github.com/nodejs/undici/pull/2332](https://togithub.com/nodejs/undici/pull/2332)

#### New Contributors

- [@​kyrylodolynskyi](https://togithub.com/kyrylodolynskyi) made their first contribution in [https://github.com/nodejs/undici/pull/2308](https://togithub.com/nodejs/undici/pull/2308)
- [@​nicole0707](https://togithub.com/nicole0707) made their first contribution in [https://github.com/nodejs/undici/pull/2295](https://togithub.com/nodejs/undici/pull/2295)
- [@​balazsorban44](https://togithub.com/balazsorban44) made their first contribution in [https://github.com/nodejs/undici/pull/2234](https://togithub.com/nodejs/undici/pull/2234)
- [@​binsee](https://togithub.com/binsee) made their first contribution in [https://github.com/nodejs/undici/pull/2336](https://togithub.com/nodejs/undici/pull/2336)

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.23.4...v5.26.0

### [`v5.25.4`](https://togithub.com/nodejs/undici/compare/v5.25.3...5e654f351a9a813fed3e9feff4388b5c4fbda787)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.3...5e654f351a9a813fed3e9feff4388b5c4fbda787)

### [`v5.25.3`](https://togithub.com/nodejs/undici/releases/tag/v5.25.3)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.2...v5.25.3)

#### What's Changed

- perf: improve parse-url implementation by [@​anonrig](https://togithub.com/anonrig) in [https://github.com/nodejs/undici/pull/2286](https://togithub.com/nodejs/undici/pull/2286)
- test: enable websockets inclusion in WPTReport by [@​panva](https://togithub.com/panva) in [https://github.com/nodejs/undici/pull/2284](https://togithub.com/nodejs/undici/pull/2284)
- remove npm run test from pre-commit hook by [@​dancastillo](https://togithub.com/dancastillo) in [https://github.com/nodejs/undici/pull/2296](https://togithub.com/nodejs/undici/pull/2296)
- perf: use [@​fastify/busboy](https://togithub.com/fastify/busboy) by [@​gurgunday](https://togithub.com/gurgunday) in [https://github.com/nodejs/undici/pull/2211](https://togithub.com/nodejs/undici/pull/2211)
- Disable finalizationregistry if node code cov by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2298](https://togithub.com/nodejs/undici/pull/2298)

#### New Contributors

- [@​gurgunday](https://togithub.com/gurgunday) made their first contribution in [https://github.com/nodejs/undici/pull/2211](https://togithub.com/nodejs/undici/pull/2211)

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.25.2...v5.25.3

### [`v5.25.2`](https://togithub.com/nodejs/undici/releases/tag/v5.25.2)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.1...v5.25.2)

#### What's Changed

- Add Khaf to releasers by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2276](https://togithub.com/nodejs/undici/pull/2276)
- fix: fix request with readable mode is object by [@​killagu](https://togithub.com/killagu) in [https://github.com/nodejs/undici/pull/2279](https://togithub.com/nodejs/undici/pull/2279)
- fix loading websockets when node is built w/ --without-ssl by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2282](https://togithub.com/nodejs/undici/pull/2282)

#### New Contributors

- [@​killagu](https://togithub.com/killagu) made their first contribution in [https://github.com/nodejs/undici/pull/2279](https://togithub.com/nodejs/undici/pull/2279)

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.25.1...v5.25.2

### [`v5.25.1`](https://togithub.com/nodejs/undici/releases/tag/v5.25.1)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.0...v5.25.1)

#### What's Changed

- Add publish types script by [@​Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2273](https://togithub.com/nodejs/undici/pull/2273)

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.25.0...v5.25.1

### [`v5.25.0`](https://togithub.com/nodejs/undici/releases/tag/v5.25.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.24.0...v5.25.0)

#### What's Changed

- fix: h2 without body by [@​metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2258](https://togithub.com/nodejs/undici/pull/2258)
- ci: remove duplicated runs by [@​metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2265](https://togithub.com/nodejs/undici/pull/2265)
- improve documentation of timeouts by making the units clear in all places by [@​mcfedr](https://togithub.com/mcfedr) in [https://github.com/nodejs/undici/pull/2266](https://togithub.com/nodejs/undici/pull/2266)
- expose websocket in node bundle by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2217](https://togithub.com/nodejs/undici/pull/2217)
- test: fix Fetch/HTTP2 tests by [@​metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2263](https://togithub.com/nodejs/undici/pull/2263)
- fix undici when node is built with --without-ssl by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2272](https://togithub.com/nodejs/undici/pull/2272)
- fix: Fix type definition for Client Interceptors by [@​ComradeCow](https://togithub.com/ComradeCow) in [https://github.com/nodejs/undici/pull/2269](https://togithub.com/nodejs/undici/pull/2269)
- Fix http2 agent by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2275](https://togithub.com/nodejs/undici/pull/2275)

#### New Contributors

- [@​ComradeCow](https://togithub.com/ComradeCow) made their first contribution in [https://github.com/nodejs/undici/pull/2269](https://togithub.com/nodejs/undici/pull/2269)

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.24.0...v5.25.0

### [`v5.24.0`](https://togithub.com/nodejs/undici/releases/tag/v5.24.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.23.0...v5.24.0)

#### Notable Changes

- feat: Add H2 support by [@​metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2061](https://togithub.com/nodejs/undici/pull/2061)

#### What's Changed

- build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2203](https://togithub.com/nodejs/undici/pull/2203)
- better stack trace for body.json by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2215](https://togithub.com/nodejs/undici/pull/2215)
- allow http & https websocket urls by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2218](https://togithub.com/nodejs/undici/pull/2218)
- build(deps-dev): bump [@​sinonjs/fake-timers](https://togithub.com/sinonjs/fake-timers) from 10.3.0 to 11.1.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2221](https://togithub.com/nodejs/undici/pull/2221)
- fix: pass ProxyAgent proxy status code error by [@​NBNGaming](https://togithub.com/NBNGaming) in [https://github.com/nodejs/undici/pull/2162](https://togithub.com/nodejs/undici/pull/2162)
- fix failing test by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2223](https://togithub.com/nodejs/undici/pull/2223)
- docs: update MockPool.md intercept method description by [@​capaj](https://togithub.com/capaj) in [https://github.com/nodejs/undici/pull/2220](https://togithub.com/nodejs/undici/pull/2220)
- Update wpts by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2226](https://togithub.com/nodejs/undici/pull/2226)
- build(deps): bump github/codeql-action from 2.21.2 to 2.21.5 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2240](https://togithub.com/nodejs/undici/pull/2240)
- build(deps): bump actions/setup-node from 3.6.0 to 3.8.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2237](https://togithub.com/nodejs/undici/pull/2237)
- build(deps): bump fastify/github-action-merge-dependabot from 3.9.0 to 3.9.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2236](https://togithub.com/nodejs/undici/pull/2236)
- build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2241](https://togithub.com/nodejs/undici/pull/2241)
- build(deps): bump actions/dependency-review-action from 3.0.6 to 3.0.8 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2238](https://togithub.com/nodejs/undici/pull/2238)
- fix: aborting request with non-object error by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2243](https://togithub.com/nodejs/undici/pull/2243)
- fix: preserve file path when parsing formdata by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/nodejs/undici/pull/2245](https://togithub.com/nodejs/undici/pull/2245)
- build(deps-dev): bump tsd from 0.28.1 to 0.29.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2246](https://togithub.com/nodejs/undici/pull/2246)
- Updated benchmarks by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2250](https://togithub.com/nodejs/undici/pull/2250)
- Fix fetch in node v20.6.0 by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2251](https://togithub.com/nodejs/undici/pull/2251)
- Maybe fix v20 by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2252](https://togithub.com/nodejs/undici/pull/2252)
- feat: Add H2 support by [@​metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2061](https://togithub.com/nodejs/undici/pull/2061)
- docs: fix tables in README by [@​regseb](https://togithub.com/regseb) in [https://github.com/nodejs/undici/pull/2254](https://togithub.com/nodejs/undici/pull/2254)
- Fix http2 fetch test by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2253](https://togithub.com/nodejs/undici/pull/2253)

#### New Contributors

- [@​NBNGaming](https://togithub.com/NBNGaming) made their first contribution in [https://github.com/nodejs/undici/pull/2162](https://togithub.com/nodejs/undici/pull/2162)
- [@​capaj](https://togithub.com/capaj) made their first contribution in [https://github.com/nodejs/undici/pull/2220](https://togithub.com/nodejs/undici/pull/2220)
- [@​regseb](https://togithub.com/regseb) made their first contribution in [https://github.com/nodejs/undici/pull/2254](https://togithub.com/nodejs/undici/pull/2254)

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.23.0...v5.24.0
--- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/specfy/specfy). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- package-lock.json | 38 +++++++++++++------------------------- pkgs/api/package.json | 2 +- 2 files changed, 14 insertions(+), 26 deletions(-) diff --git a/package-lock.json b/package-lock.json index a8654ee5c..e75d07c66 100644 --- a/package-lock.json +++ b/package-lock.json @@ -906,6 +906,14 @@ "pkg-up": "^3.1.0" } }, + "node_modules/@fastify/busboy": { + "version": "2.0.0", + "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.0.0.tgz", + "integrity": "sha512-JUFJad5lv7jxj926GPgymrWQxxjPYuJNiNjNMzqT+HiuP6Vl3dk5xzG+8sTX96np0ZAluvaMzPsjhHZ5rNuNQQ==", + "engines": { + "node": ">=14" + } + }, "node_modules/@fastify/cookie": { "version": "9.0.4", "resolved": "https://registry.npmjs.org/@fastify/cookie/-/cookie-9.0.4.tgz", @@ -7210,17 +7218,6 @@ "esbuild": ">=0.17" } }, - "node_modules/busboy": { - "version": "1.6.0", - "resolved": "https://registry.npmjs.org/busboy/-/busboy-1.6.0.tgz", - "integrity": "sha512-8SFQbg/0hQ9xy3UNTB0YEnsNBbWfhf7RtnzpL7TkBiTBRfrQ9Fxcnz7VJsleJpyp6rVLvXiuORqjlHi5q+PYuA==", - "dependencies": { - "streamsearch": "^1.1.0" - }, - "engines": { - "node": ">=10.16.0" - } - }, "node_modules/bytes": { "version": "3.1.2", "resolved": "https://registry.npmjs.org/bytes/-/bytes-3.1.2.tgz", 
@@ -17774,14 +17771,6 @@ "url": "https://github.com/sponsors/sindresorhus" } }, - "node_modules/streamsearch": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/streamsearch/-/streamsearch-1.1.0.tgz", - "integrity": "sha512-Mcc5wHehp9aXz1ax6bZUyY5afg9u2rv5cqQI3mRrYkGC8rW2hM02jWuwjtL++LS5qinSyhj2QfLyNsuc+VsExg==", - "engines": { - "node": ">=10.0.0" - } - }, "node_modules/string_decoder": { "version": "1.3.0", "resolved": "https://registry.npmjs.org/string_decoder/-/string_decoder-1.3.0.tgz", @@ -19338,12 +19327,11 @@ "dev": true }, "node_modules/undici": { - "version": "5.23.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-5.23.0.tgz", - "integrity": "sha512-1D7w+fvRsqlQ9GscLBwcAJinqcZGHUKjbOmXdlE/v8BvEGXjeWAax+341q44EuTcHXXnfyKNbKRq4Lg7OzhMmg==", - "license": "MIT", + "version": "5.26.2", + "resolved": "https://registry.npmjs.org/undici/-/undici-5.26.2.tgz", + "integrity": "sha512-a4PDLQgLTPHVzOK+x3F79/M4GtyYPl+aX9AAK7aQxpwxDwCqkeZCScy7Gk5kWT3JtdFq1uhO3uZJdLtHI4dK9A==", "dependencies": { - "busboy": "^1.6.0" + "@fastify/busboy": "^2.0.0" }, "engines": { "node": ">=14.0" @@ -20564,7 +20552,7 @@ "ts-node": "10.9.1", "type-fest": "4.2.0", "typescript": "5.2.2", - "undici": "5.23.0", + "undici": "5.26.2", "utility-types": "3.10.0" } }, diff --git a/pkgs/api/package.json b/pkgs/api/package.json index 4716b6577..93ac2f08e 100644 --- a/pkgs/api/package.json +++ b/pkgs/api/package.json @@ -70,7 +70,7 @@ "ts-node": "10.9.1", "type-fest": "4.2.0", "typescript": "5.2.2", - "undici": "5.23.0", + "undici": "5.26.2", "utility-types": "3.10.0" } }
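Review bot: the `node_modules/@fastify/busboy` entry added at `@@ -906,6 +906,14 @@` only makes sense together with the two removals further down (`node_modules/busboy` 1.6.0 at `@@ -7210,17 +7218,6 @@` and its sole dependency `node_modules/streamsearch` at `@@ -17774,14 +17771,6 @@`): undici's own dependency list in the `@@ -19338` hunk changes from `"busboy": "^1.6.0"` to `"@fastify/busboy": "^2.0.0"`, and the release notes for v5.25.3 record that swap. The PR title only mentions undici, so call the transitive swap out in the merge message and confirm nothing under `pkgs/` requires `busboy` or `streamsearch` directly, because the lockfile no longer provides either package.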
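Review bot: in the `@@ -19338,12 +19327,11 @@` hunk the line `"license": "MIT",` is removed from the `node_modules/undici` entry with no replacement. Whether a lockfile entry carries `license` depends on the npm version that wrote it, and the newly added `@fastify/busboy` entry in the first hunk has no `license` field either, so this reads as a tooling difference rather than a license change; still, confirm it, and verify the new `integrity` hash for `undici-5.26.2.tgz` against the registry, since that lockfile entry is what actually pins the CVE-2023-45143 fix.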
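Review bot: the two `"undici": "5.23.0"` -> `"undici": "5.26.2"` changes (package-lock `@@ -20564,7 +20552,7 @@` and `pkgs/api/package.json` `@@ -70,7 +70,7 @@`) keep the exact-version pin, consistent with the neighbouring `ts-node`, `type-fest` and `typescript` pins, so the next undici security release will again need an explicit bump rather than a reinstall. The diff touches only the top-level `node_modules/undici` entry; before merging, check that no other package in the lockfile nests its own pre-5.26.2 copy of undici (`npm ls undici`), as such a copy would remain affected by CVE-2023-45143.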
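The redirect rule the advisory above describes for CVE-2023-45143 (drop origin-bound credential headers when a redirect leaves the origin), as an added example in JavaScript. This is not undici's code or anything from this repository; the hostnames, cookie and token values are constructed, and `prepareRedirect` and `sameOrigin` are names chosen here.

```javascript
// Added example, not undici's or this repository's code: the cross-origin
// redirect rule behind CVE-2023-45143. Credentials bound to the request's
// origin (Cookie, Authorization, Proxy-Authorization) must not be replayed
// when a 3xx Location points to a different origin. Only the WHATWG URL
// class is used; nothing touches the network.

const CREDENTIAL_HEADERS = new Set(['authorization', 'proxy-authorization', 'cookie']);

// Same origin = same scheme, host and effective port. `URL` normalizes a
// default port to '', so https://a:443 and https://a compare equal.
function sameOrigin(a, b) {
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Build the header set for the request that follows a redirect.
//   headers    plain object of the current request's headers (any case)
//   currentUrl URL of the request that received the 3xx
//   location   raw Location header value, absolute or relative
// Returns { url, headers, crossOrigin }; header names are lower-cased and,
// on a cross-origin hop, credential headers are omitted.
function prepareRedirect(headers, currentUrl, location) {
  const from = new URL(currentUrl);
  const to = new URL(location, from); // resolves relative Location values
  const crossOrigin = !sameOrigin(from, to);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    const key = name.toLowerCase();
    if (crossOrigin && CREDENTIAL_HEADERS.has(key)) continue; // do not forward
    out[key] = value;
  }
  return { url: to.href, headers: out, crossOrigin };
}

// Constructed sample request: a session cookie and bearer token sent to a
// hypothetical app.example.test, then three Location values to follow.
const sampleHeaders = {
  Cookie: 'session=abc123',
  Authorization: 'Bearer tok',
  Accept: 'application/json',
};

function demo() {
  const origin = 'https://app.example.test/login';
  return {
    offSite: prepareRedirect(sampleHeaders, origin, 'https://other.example.test/landing'),
    sameSite: prepareRedirect(sampleHeaders, origin, '/home'),
    downgrade: prepareRedirect(sampleHeaders, origin, 'http://app.example.test/home'),
  };
}

for (const [hop, r] of Object.entries(demo())) {
  console.log(hop, r.url, r.crossOrigin ? 'credentials stripped' : 'credentials kept', Object.keys(r.headers));
}
```

A scheme change on the same host (the `downgrade` case) is treated as cross-origin too, which is why the port and protocol take part in the comparison rather than the hostname alone.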