New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency undici to v5.26.2 [security] #270

Merged

renovate merged 1 commit into chore/renovateBaseBranch from renovate/npm-undici-vulnerability

Oct 16, 2023

Contributor

renovate bot commented Oct 16, 2023

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	`5.23.0` -> `5.26.2`

GitHub Vulnerability Alerts

CVE-2023-45143

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

Release Notes

nodejs/undici (undici)

`v5.26.2`

Security Release, CVE-2023-45143.

`v5.26.1`

What's Changed

Fix publish undici-types once and for all! by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2338
Fix node detection omfg by @KhafraDev in https://github.com/nodejs/undici/pull/2341

Full Changelog: nodejs/undici@v5.26.0...v5.26.1

`v5.26.0`

What's Changed

use npm install instead of npm ci by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2309
change default header to node by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2310
chore: change order of the pseudo-headers by @kyrylodolynskyi in https://github.com/nodejs/undici/pull/2308
fix: Agent.Options.factory should accept URL object or string as parameter by @nicole0707 in https://github.com/nodejs/undici/pull/2295
build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by @dependabot in https://github.com/nodejs/undici/pull/2312
test: handle npm ignore-scripts settings by @panva in https://github.com/nodejs/undici/pull/2313
feat: respect --max-http-header-size Node.js flag by @balazsorban44 in https://github.com/nodejs/undici/pull/2234
fix(#2311): End stream after body sent by @metcoder95 in https://github.com/nodejs/undici/pull/2314
disallow setting host header in fetch by @KhafraDev in https://github.com/nodejs/undici/pull/2322
[StepSecurity] ci: Harden GitHub Actions by @step-security-bot in https://github.com/nodejs/undici/pull/2325
fix fetch with coverage enabled by @KhafraDev in https://github.com/nodejs/undici/pull/2330
Fix stuck when using http2 POST Buffer by @binsee in https://github.com/nodejs/undici/pull/2336
fix: 🏷️ add allowH2 to BuildOptions by @binsee in https://github.com/nodejs/undici/pull/2334
fix: 🐛 fix process http2 header by @binsee in https://github.com/nodejs/undici/pull/2332

New Contributors

@kyrylodolynskyi made their first contribution in https://github.com/nodejs/undici/pull/2308
@nicole0707 made their first contribution in https://github.com/nodejs/undici/pull/2295
@balazsorban44 made their first contribution in https://github.com/nodejs/undici/pull/2234
@binsee made their first contribution in https://github.com/nodejs/undici/pull/2336

Full Changelog: nodejs/undici@v5.23.4...v5.26.0

`v5.25.4`

`v5.25.3`

What's Changed

perf: improve parse-url implementation by @anonrig in https://github.com/nodejs/undici/pull/2286
test: enable websockets inclusion in WPTReport by @panva in https://github.com/nodejs/undici/pull/2284
remove npm run test from pre-commit hook by @dancastillo in https://github.com/nodejs/undici/pull/2296
perf: use @fastify/busboy by @gurgunday in https://github.com/nodejs/undici/pull/2211
Disable finalizationregistry if node code cov by @mcollina in https://github.com/nodejs/undici/pull/2298

New Contributors

@gurgunday made their first contribution in https://github.com/nodejs/undici/pull/2211

Full Changelog: nodejs/undici@v5.25.2...v5.25.3

`v5.25.2`

What's Changed

Add Khaf to releasers by @mcollina in https://github.com/nodejs/undici/pull/2276
fix: fix request with readable mode is object by @killagu in https://github.com/nodejs/undici/pull/2279
fix loading websockets when node is built w/ --without-ssl by @KhafraDev in https://github.com/nodejs/undici/pull/2282

New Contributors

@killagu made their first contribution in https://github.com/nodejs/undici/pull/2279

Full Changelog: nodejs/undici@v5.25.1...v5.25.2

`v5.25.1`

What's Changed

Add publish types script by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2273

Full Changelog: nodejs/undici@v5.25.0...v5.25.1

`v5.25.0`

What's Changed

fix: h2 without body by @metcoder95 in https://github.com/nodejs/undici/pull/2258
ci: remove duplicated runs by @metcoder95 in https://github.com/nodejs/undici/pull/2265
improve documentation of timeouts by making the units clear in all places by @mcfedr in https://github.com/nodejs/undici/pull/2266
expose websocket in node bundle by @KhafraDev in https://github.com/nodejs/undici/pull/2217
test: fix Fetch/HTTP2 tests by @metcoder95 in https://github.com/nodejs/undici/pull/2263
fix undici when node is built with --without-ssl by @KhafraDev in https://github.com/nodejs/undici/pull/2272
fix: Fix type definition for Client Interceptors by @ComradeCow in https://github.com/nodejs/undici/pull/2269
Fix http2 agent by @mcollina in https://github.com/nodejs/undici/pull/2275

New Contributors

@ComradeCow made their first contribution in https://github.com/nodejs/undici/pull/2269

Full Changelog: nodejs/undici@v5.24.0...v5.25.0

`v5.24.0`

Notable Changes

feat: Add H2 support by @metcoder95 in https://github.com/nodejs/undici/pull/2061

What's Changed

build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0 by @dependabot in https://github.com/nodejs/undici/pull/2203
better stack trace for body.json by @KhafraDev in https://github.com/nodejs/undici/pull/2215
allow http & https websocket urls by @KhafraDev in https://github.com/nodejs/undici/pull/2218
build(deps-dev): bump @sinonjs/fake-timers from 10.3.0 to 11.1.0 by @dependabot in https://github.com/nodejs/undici/pull/2221
fix: pass ProxyAgent proxy status code error by @NBNGaming in https://github.com/nodejs/undici/pull/2162
fix failing test by @KhafraDev in https://github.com/nodejs/undici/pull/2223
docs: update MockPool.md intercept method description by @capaj in https://github.com/nodejs/undici/pull/2220
Update wpts by @KhafraDev in https://github.com/nodejs/undici/pull/2226
build(deps): bump github/codeql-action from 2.21.2 to 2.21.5 by @dependabot in https://github.com/nodejs/undici/pull/2240
build(deps): bump actions/setup-node from 3.6.0 to 3.8.1 by @dependabot in https://github.com/nodejs/undici/pull/2237
build(deps): bump fastify/github-action-merge-dependabot from 3.9.0 to 3.9.1 by @dependabot in https://github.com/nodejs/undici/pull/2236
build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in https://github.com/nodejs/undici/pull/2241
build(deps): bump actions/dependency-review-action from 3.0.6 to 3.0.8 by @dependabot in https://github.com/nodejs/undici/pull/2238
fix: aborting request with non-object error by @KhafraDev in https://github.com/nodejs/undici/pull/2243
fix: preserve file path when parsing formdata by @jimmywarting in https://github.com/nodejs/undici/pull/2245
build(deps-dev): bump tsd from 0.28.1 to 0.29.0 by @dependabot in https://github.com/nodejs/undici/pull/2246
Updated benchmarks by @mcollina in https://github.com/nodejs/undici/pull/2250
Fix fetch in node v20.6.0 by @mcollina in https://github.com/nodejs/undici/pull/2251
Maybe fix v20 by @mcollina in https://github.com/nodejs/undici/pull/2252
feat: Add H2 support by @metcoder95 in https://github.com/nodejs/undici/pull/2061
docs: fix tables in README by @regseb in https://github.com/nodejs/undici/pull/2254
Fix http2 fetch test by @mcollina in https://github.com/nodejs/undici/pull/2253

New Contributors

@NBNGaming made their first contribution in https://github.com/nodejs/undici/pull/2162
@capaj made their first contribution in https://github.com/nodejs/undici/pull/2220
@regseb made their first contribution in https://github.com/nodejs/undici/pull/2254

Full Changelog: nodejs/undici@v5.23.0...v5.24.0

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          chore(deps): update dependency undici to v5.26.2 [security]

801024f

codecov bot commented Oct 16, 2023

Codecov Report

All modified lines are covered by tests ✅

📢 Thoughts on this report? Let us know!.

renovate bot merged commit 71c83e7 into chore/renovateBaseBranch

4 checks passed

renovate bot deleted the renovate/npm-undici-vulnerability branch

October 16, 2023 22:24

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment