chore: bump up undici version to v6.11.1 [SECURITY] #6457
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
Your org has enabled the Graphite merge queue for merging into canaryAdd the label “merge” to the PR and Graphite will automatically add it to the merge queue when it’s ready to merge. Or use the label “hotfix” to add to the merge queue as a hot fix. You must have a Graphite account in order to use the merge queue. Sign up using this link. |
☁️ Nx Cloud ReportCI is running/has finished running commands for commit 39c90a4. As they complete they will appear below. Click to see the status, the terminal output, and the build insights. 📂 See all runs for this CI Pipeline Execution ✅ Successfully ran 5 targets
Sent with 💌 from NxCloud. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## canary #6457 +/- ##
===========================================
- Coverage 62.32% 38.71% -23.61%
===========================================
Files 519 363 -156
Lines 24016 7884 -16132
Branches 2267 1363 -904
===========================================
- Hits 14967 3052 -11915
+ Misses 8783 4600 -4183
+ Partials 266 232 -34
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
Brooooooklyn
approved these changes
Apr 8, 2024
Merge activity
|
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [undici](https://undici.nodejs.org) ([source](https://togithub.com/nodejs/undici)) | [`6.6.2` -> `6.11.1`](https://renovatebot.com/diffs/npm/undici/6.6.2/6.11.1) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-30260](https://togithub.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7) ### Impact Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. ### Patches This has been patched in nodejs/undici@6805746. Fixes has been released in v5.28.4 and v6.11.1. ### Workarounds use `fetch()` or disable `maxRedirections`. ### References Linzi Shang reported this. * https://hackerone.com/reports/2408074 * GHSA-3787-6prv-h9w3 #### [CVE-2024-30261](https://togithub.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672) ### Impact If an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered. ### Patches Fixed in nodejs/undici@d542b8c. Fixes has been released in v5.28.4 and v6.11.1. ### Workarounds Ensure that `integrity` cannot be tampered with. ### References https://hackerone.com/reports/2377760 --- ### Release Notes <details> <summary>nodejs/undici (undici)</summary> ### [`v6.11.1`](https://togithub.com/nodejs/undici/compare/v6.11.0...6df3c738d03dc4014a26640316bf699950d62024) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.11.0...v6.11.1) ### [`v6.11.0`](https://togithub.com/nodejs/undici/compare/v6.10.2...ee5f892f3955eaca37730ed30349153ba203e9cd) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.10.2...v6.11.0) ### [`v6.10.2`](https://togithub.com/nodejs/undici/releases/tag/v6.10.2) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.10.1...v6.10.2) ##### What's Changed - Do not fail test if streams support typed arrays by [@​mcollina](https://togithub.com/mcollina) in [nodejs/undici#2978 - fix(fetch): properly redirect non-ascii location header url by [@​Xvezda](https://togithub.com/Xvezda) in [nodejs/undici#2971 - perf: Remove double-stringify in setCookie by [@​peterver](https://togithub.com/peterver) in [nodejs/undici#2980 - \[fix [#​2982](https://togithub.com/nodejs/undici/issues/2982)] use DispatcherInterceptor type for Dispatcher#Compose by [@​clovis-guillemot](https://togithub.com/clovis-guillemot) in [nodejs/undici#2983 - fix: make EventSource properties enumerable by [@​MattBidewell](https://togithub.com/MattBidewell) in [nodejs/undici#2987 - docs: ✏️ fixed benchmark links by [@​benhalverson](https://togithub.com/benhalverson) in [nodejs/undici#2991 - fix([#​2986](https://togithub.com/nodejs/undici/issues/2986)): bad start check by [@​metcoder95](https://togithub.com/metcoder95) in [nodejs/undici#2992 - fix(H2 Client): bind stream 'data' listener only after received 'response' event by [@​St3ffGv4](https://togithub.com/St3ffGv4) in [nodejs/undici#2985 - feat: added search input by [@​benhalverson](https://togithub.com/benhalverson) in [nodejs/undici#2993 - chore: validate responses can be consumed without a Content-Length or… by [@​jacob-ebey](https://togithub.com/jacob-ebey) in [nodejs/undici#2995 - fix error message by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2998 - Revert "perf: reuse TextDecoder instance ([#​2863](https://togithub.com/nodejs/undici/issues/2863))" by [@​panva](https://togithub.com/panva) in [nodejs/undici#2999 - test: remove only by [@​metcoder95](https://togithub.com/metcoder95) in [nodejs/undici#3001 ##### New Contributors - [@​Xvezda](https://togithub.com/Xvezda) made their first contribution in [nodejs/undici#2971 - [@​peterver](https://togithub.com/peterver) made their first contribution in [nodejs/undici#2980 - [@​clovis-guillemot](https://togithub.com/clovis-guillemot) made their first contribution in [nodejs/undici#2983 - [@​MattBidewell](https://togithub.com/MattBidewell) made their first contribution in [nodejs/undici#2987 - [@​benhalverson](https://togithub.com/benhalverson) made their first contribution in [nodejs/undici#2991 - [@​St3ffGv4](https://togithub.com/St3ffGv4) made their first contribution in [nodejs/undici#2985 - [@​jacob-ebey](https://togithub.com/jacob-ebey) made their first contribution in [nodejs/undici#2995 **Full Changelog**: nodejs/undici@v6.10.0...v6.10.2 ### [`v6.10.1`](https://togithub.com/nodejs/undici/compare/v6.10.0...dd3918fee4f90e02fb93ff1bc04e707144041938) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.10.0...v6.10.1) ### [`v6.10.0`](https://togithub.com/nodejs/undici/releases/tag/v6.10.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.9.0...v6.10.0) #### What's Changed - test: fix flakyness of issue-803 test by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2960 - Cleanup format by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2959 - Chore: run tests daily against node nightly by [@​mweberxyz](https://togithub.com/mweberxyz) in [nodejs/undici#2969 - fix: fix retry handler option by [@​acommodari](https://togithub.com/acommodari) in [nodejs/undici#2962 - build(deps): bump node from `4999fa1` to `577f8eb` in /build by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2974 - feat(TS): add types for composed dispatchers by [@​metcoder95](https://togithub.com/metcoder95) in [nodejs/undici#2967 - fix: count for error response and network errors by [@​metcoder95](https://togithub.com/metcoder95) in [nodejs/undici#2966 #### New Contributors - [@​mweberxyz](https://togithub.com/mweberxyz) made their first contribution in [nodejs/undici#2969 - [@​acommodari](https://togithub.com/acommodari) made their first contribution in [nodejs/undici#2962 **Full Changelog**: nodejs/undici@v6.9.0...v6.10.0 ### [`v6.9.0`](https://togithub.com/nodejs/undici/releases/tag/v6.9.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.8.0...v6.9.0) #### What's Changed - feat: add new dispatch compose by [@​metcoder95](https://togithub.com/metcoder95) in [nodejs/undici#2826 - ci: add macos-latest to test-matrix by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2952 - types: align RequestInit.body type with lib.dom.ts by [@​jdufresne](https://togithub.com/jdufresne) in [nodejs/undici#2956 - ci: pin versions of github actions by [@​UlisesGascon](https://togithub.com/UlisesGascon) in [nodejs/undici#2957 - fetch: improve output for FormData, Response, Request by [@​mertcanaltin](https://togithub.com/mertcanaltin) in [nodejs/undici#2955 - perf: optimize collectASequenceOfBytes by [@​tsctx](https://togithub.com/tsctx) in [nodejs/undici#2958 #### New Contributors - [@​jdufresne](https://togithub.com/jdufresne) made their first contribution in [nodejs/undici#2956 - [@​UlisesGascon](https://togithub.com/UlisesGascon) made their first contribution in [nodejs/undici#2957 **Full Changelog**: nodejs/undici@v6.8.0...v6.9.0 ### [`v6.8.0`](https://togithub.com/nodejs/undici/releases/tag/v6.8.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.7.1...v6.8.0) #### What's Changed - fix: send correct SNI for proxy connections by [@​chrros95](https://togithub.com/chrros95) in [nodejs/undici#2939 - build(deps): bump node from `8bf9240` to `7bfef1d` in /build by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2937 - fetch: improve util.inspect output for web specifications by [@​mertcanaltin](https://togithub.com/mertcanaltin) in [nodejs/undici#2938 - ci: fix broken ci on windows and node v21 because of libuv bug by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2941 - perf: improve getResolveErrorBodyCallback by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2940 - fix: don't assign kAgent twice by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2942 - perf: dump immediatly if known size exceeds limit by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2882 - build(deps): bump node from `7bfef1d` to `4999fa1` in /build by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2946 - try to fix windows failure by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2950 - perf: improve parsing form-data by [@​tsctx](https://togithub.com/tsctx) in [nodejs/undici#2944 #### New Contributors - [@​chrros95](https://togithub.com/chrros95) made their first contribution in [nodejs/undici#2939 **Full Changelog**: nodejs/undici@v6.7.1...v6.8.0 ### [`v6.7.1`](https://togithub.com/nodejs/undici/releases/tag/v6.7.1) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.7.0...v6.7.1) #### What's Changed - fetch: use EOL of os-module by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2915 - ci: only send codecov from ubuntu and node by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2914 - tests: improve skip for unix.js tests, remove skipped tests by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2916 - chore: fix typo in isHistoryNavigation comments by [@​kachick](https://togithub.com/kachick) in [nodejs/undici#2920 - fix(benchmark): set body correctly by [@​tsctx](https://togithub.com/tsctx) in [nodejs/undici#2918 - chore: increase test coverage to 100% for /lib/api/api-request.js by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2912 - fix: chunksDecode cuts off 3 characters at the end if having BOM by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2922 - docs: clarify URI parsing behavior of ProxyAgent constructor by [@​rossilor95](https://togithub.com/rossilor95) in [nodejs/undici#2893 - implement sync formdata parser by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2911 - Fix docs links and add examples to sidebar by [@​tastypackets](https://togithub.com/tastypackets) in [nodejs/undici#2895 - doc: update diagnostics channel request headers type change by [@​jessezhang91](https://togithub.com/jessezhang91) in [nodejs/undici#2925 - perf: optimize getResolveErrorBodyCallback by [@​tsctx](https://togithub.com/tsctx) in [nodejs/undici#2921 - override request dispatcher from init by [@​matthieusieben](https://togithub.com/matthieusieben) in [nodejs/undici#2928 - add busboy tests by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2924 - fix(benchmark): make it fair by [@​tsctx](https://togithub.com/tsctx) in [nodejs/undici#2929 - Revert "chore: remove no-simd wasm" by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2935 - build(deps): bump node from `d3271e4` to `8bf9240` in /build by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2936 - Flip link between docs and README by [@​mcollina](https://togithub.com/mcollina) in [nodejs/undici#2933 #### New Contributors - [@​kachick](https://togithub.com/kachick) made their first contribution in [nodejs/undici#2920 - [@​tastypackets](https://togithub.com/tastypackets) made their first contribution in [nodejs/undici#2895 - [@​jessezhang91](https://togithub.com/jessezhang91) made their first contribution in [nodejs/undici#2925 - [@​matthieusieben](https://togithub.com/matthieusieben) made their first contribution in [nodejs/undici#2928 **Full Changelog**: nodejs/undici@v6.7.0...v6.7.1 ### [`v6.7.0`](https://togithub.com/nodejs/undici/releases/tag/v6.7.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.6.2...v6.7.0) #### What's Changed - test: remove t.diagnostics() calls in push-dont-push.js test by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2715 - fix: fix flaky debug test by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2714 - fix: HTTP2 tweaks by [@​metcoder95](https://togithub.com/metcoder95) in [nodejs/undici#2711 - test: improve cookie tests by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2693 - test: response.url after redirect is set to target url by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2716 - chore: remove mocha and chai by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2696 - test: replace t.pass with t.ok by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2721 - perf: remove redundant operation in FormData by [@​tsctx](https://togithub.com/tsctx) in [nodejs/undici#2726 - Add support for passing iterable objects as headers by [@​JaoodxD](https://togithub.com/JaoodxD) in [nodejs/undici#2708 - chore: refine esbuild & node detection by [@​mochaaP](https://togithub.com/mochaaP) in [nodejs/undici#2677 - chore: rephrase some comments by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2717 - test: replace t.type with t.ok and instanceof by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2720 - remove useless options in web streams by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2729 - Let's add superagent to the benchmark. closes [#​2730](https://togithub.com/nodejs/undici/issues/2730) by [@​eddienubes](https://togithub.com/eddienubes) in [nodejs/undici#2731 - convert node build to latin1 by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2673 - simplify formData body parsing by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2735 - chore: migrate a batch of tests to node test runner no. 1 by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2719 - chore: migrate a batch of tests to node test runner no. 2 by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2737 - chore: migrate a batch of tests to node test runner no. 4 by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2739 - chore: migrate a batch of tests to node test runner no. 5 by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2740 - chore: migrate a batch of tests to node test runner no. 3 by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2738 - chore: migrate a batch of tests to node test runner no. 6 by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2741 - chore: migrate a batch of tests to node test runner no. 8 by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2744 - chore: migrate a batch of tests to node test runner no. 7 by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2742 - build(deps-dev): bump cronometro from 2.0.2 to 3.0.1 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2749 - perf: always use the same prototype Iterator by [@​tsctx](https://togithub.com/tsctx) in [nodejs/undici#2743 - chore: migrate a batch of tests to node test runner no. 9, remove tap by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2746 - chore: remove usage of http-errors in proxy example by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2753 - fix: dont ship wasm files of llhttp via npm by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2752 - fix: handle request body as late as possible by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2734 - perf(tree): avoid recursive calls by [@​tsctx](https://togithub.com/tsctx) in [nodejs/undici#2755 - docs: fix favicon by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2758 - chore: use mermaid engine and mermaid in markdown by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2759 - chore: remove sinon dev dependency by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2767 - tests: skip test/node-test/debug on node 21.6.2 and windows by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2765 - chore: improve usage of skip in tests by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2761 - feat: improve mock error breadcrumbs by [@​rossilor95](https://togithub.com/rossilor95) in [nodejs/undici#2774 - expose MessageEvent in fetch bundle by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2770 - test: always exit with 0 when running in Node's Daily WPT Report CI job by [@​panva](https://togithub.com/panva) in [nodejs/undici#2778 - fix: add node prefix for util to fix issue in env with min version node 18 by [@​riderx](https://togithub.com/riderx) in [nodejs/undici#2775 - perf: improve perf of parseRawHeaders by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2781 - fix: make mock-agent.js test more resilient by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2780 - chore: make some test run even without internet connection by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2786 - mock: improve validateReplyParameters by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2783 - perf: improve TernarySearchTree by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2782 - fix: convert HeadersInit to sequence/dictionary correctly by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2784 - chore: improve getFieldValue by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2785 - Add RetryHandler to sidebar by [@​mcollina](https://togithub.com/mcollina) in [nodejs/undici#2797 - Add RetryAgent by [@​mcollina](https://togithub.com/mcollina) in [nodejs/undici#2798 - build(deps): bump step-security/harden-runner from 2.6.0 to 2.7.0 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2690 - build(deps): bump actions/checkout from 4.1.0 to 4.1.1 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2393 - build(deps): bump actions/upload-artifact from 3.1.3 to 4.3.1 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2799 - build(deps): bump node from 20-alpine to 21-alpine in /build by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2803 - perf: improve sort algorithm by [@​tsctx](https://togithub.com/tsctx) in [nodejs/undici#2756 - refactor: move web stuff into their own folder by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2793 - `s/ dispactgher/dispatcher/` by [@​steveluscher](https://togithub.com/steveluscher) in [nodejs/undici#2807 - Use paralellelRequests instead of connections to calculate req/sec in benchmarks by [@​mcollina](https://togithub.com/mcollina) in [nodejs/undici#2800 - Split out documentation into separate directory by [@​Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [nodejs/undici#2788 - build(deps): bump fastify/github-action-merge-dependabot from 3.9.1 to 3.10.1 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2820 - build(deps): bump actions/dependency-review-action from 4.0.0 to 4.1.3 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2821 - build(deps): bump github/codeql-action from 3.23.2 to 3.24.4 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2818 - build(deps): bump actions/setup-node from 4.0.1 to 4.0.2 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2819 - fix: move CNAME and .nojekyll to root by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2822 - remove all fetchParam event handlers by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2823 - feat: refactor ProxyAgent constructor to also accept single URL argument by [@​rossilor95](https://togithub.com/rossilor95) in [nodejs/undici#2810 - fix: isCTLExcludingHtab by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2790 - refactor: move files into logical folders by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2813 - refactor: move fixed-queeu to dispatcher and rm node folder by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2827 - chore: create package.json in benchmarks by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2766 - build(deps): bump github/codeql-action from 3.24.4 to 3.24.5 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2829 - chore: use lts for pubish types workflow by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2830 - add dispatcher option to Request by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2831 - fix url referrer wpt by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2832 - refactor: remove own sort logic by [@​tsctx](https://togithub.com/tsctx) in [nodejs/undici#2834 - fix(fetch): prevent crash when `fetch` is aborted with `null` as the `AbortSignal's` `reason` by [@​steveluscher](https://togithub.com/steveluscher) in [nodejs/undici#2833 - refactor: avoid http2 dynamic dispatch in socket handlers by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2839 - build(deps-dev): bump proxy from 1.0.2 to 2.1.1 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2137 - perf(tree): reduce overhead of build TernarySearchTree by [@​tsctx](https://togithub.com/tsctx) in [nodejs/undici#2840 - webidl: implement resizable arraybuffer checks by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2094 - websocket server only needs to reply with a single subprotocol by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2845 - unite webidl stringification by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2843 - fix: deflake connect-timeout test by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2851 - fix: coverage reporting by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2763 - fix: pipelining logic is not relevant for h2 by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2850 - processBody doesn't need to return a promise by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2858 - refactor: split client into client-h1/h2 by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2848 - ci: fix concurrency by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2862 - perf: improve performance of isValidSubprotocol by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2861 - perf: reuse TextDecoder instance by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2863 - chore: restructure benchmarks, use kebab-case by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2864 - cookies: improve perf of toIMFDate by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2867 - cookies: fix validateCookiePath by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2866 - refactor: move out more h2 from core client by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2860 - mock: improve test coverage of buildHeadersFromArray by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2872 - fix: remove broken build request hack by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2874 - chore: filenames should use kebab-case by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2873 - refactor: split out last h1 specific code from core by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2876 - fix: make pipelining limit work for h2 by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2875 - fix: http2 doesn't have pipelining queue by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2878 - fix: minor connect cleanup by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2877 - Request headers types by [@​JaoodxD](https://togithub.com/JaoodxD) in [nodejs/undici#2879 - ci: remove concurrency by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2880 - fix: prefer queueMicrotask by [@​ronag](https://togithub.com/ronag) in [nodejs/undici#2881 - chore: remove no-simd wasm by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2871 - cookies: improve validateCookieValue by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2883 - cookies: improve validateCookieName by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2884 - Properly parse set-cookie header using http2 by [@​jeanp413](https://togithub.com/jeanp413) in [nodejs/undici#2886 - doc deprecate bodymixin.formData by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2892 - perf: optimize check invalid field-vchar by [@​tsctx](https://togithub.com/tsctx) in [nodejs/undici#2889 - build(deps): bump github/codeql-action from 3.24.5 to 3.24.6 by [@​dependabot](https://togithub.com/dependabot) in [nodejs/undici#2897 - fix issue 2898 by [@​KhafraDev](https://togithub.com/KhafraDev) in [nodejs/undici#2900 - tests: ignore catch block when requiring crypto module by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2901 - websocket: remove dead code in parseCloseBody by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2902 - fix: tests dont need process.exit by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2909 - chore: remove proxyquire by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2906 - chore: remove import-fresh as devDependency by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2908 - perf(headers): a single set-cookie by [@​tsctx](https://togithub.com/tsctx) in [nodejs/undici#2903 - websocket: improve .close() by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2865 - feat: add sending data benchmark by [@​tsctx](https://togithub.com/tsctx) in [nodejs/undici#2905 - ci: integrate workflows into nodejs.yml by [@​Uzlopak](https://togithub.com/Uzlopak) in [nodejs/undici#2899 #### New Contributors - [@​JaoodxD](https://togithub.com/JaoodxD) made their first contribution in [nodejs/undici#2708 - [@​eddienubes](https://togithub.com/eddienubes) made their first contribution in [nodejs/undici#2731 - [@​riderx](https://togithub.com/riderx) made their first contribution in [nodejs/undici#2775 - [@​steveluscher](https://togithub.com/steveluscher) made their first contribution in [nodejs/undici#2807 - [@​jeanp413](https://togithub.com/jeanp413) made their first contribution in [nodejs/undici#2886 **Full Changelog**: nodejs/undici@v6.6.2...v6.7.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5In0=-->
Brooooooklyn
force-pushed
the
renovate/npm-undici-vulnerability
branch
from
96fb064
to
39c90a4
Compare
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
6.6.2->6.11.1GitHub Vulnerability Alerts
CVE-2024-30260
Impact
Undici cleared Authorization and Proxy-Authorization headers for
fetch(), but did not clear them forundici.request().Patches
This has been patched in nodejs/undici@6805746.
Fixes has been released in v5.28.4 and v6.11.1.
Workarounds
use
fetch()or disablemaxRedirections.References
Linzi Shang reported this.
CVE-2024-30261
Impact
If an attacker can alter the
integrityoption passed tofetch(), they can letfetch()accept requests as valid even if they have been tampered.Patches
Fixed in nodejs/undici@d542b8c.
Fixes has been released in v5.28.4 and v6.11.1.
Workarounds
Ensure that
integritycannot be tampered with.References
https://hackerone.com/reports/2377760
Release Notes
nodejs/undici (undici)
v6.11.1Compare Source
v6.11.0Compare Source
v6.10.2Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v6.10.0...v6.10.2
v6.10.1Compare Source
v6.10.0Compare Source
What's Changed
4999fa1to577f8ebin /build by @dependabot in https://github.com/nodejs/undici/pull/2974New Contributors
Full Changelog: nodejs/undici@v6.9.0...v6.10.0
v6.9.0Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v6.8.0...v6.9.0
v6.8.0Compare Source
What's Changed
8bf9240to7bfef1din /build by @dependabot in https://github.com/nodejs/undici/pull/29377bfef1dto4999fa1in /build by @dependabot in https://github.com/nodejs/undici/pull/2946New Contributors
Full Changelog: nodejs/undici@v6.7.1...v6.8.0
v6.7.1Compare Source
What's Changed
d3271e4to8bf9240in /build by @dependabot in https://github.com/nodejs/undici/pull/2936New Contributors
Full Changelog: nodejs/undici@v6.7.0...v6.7.1
v6.7.0Compare Source
What's Changed
s/ dispactgher/dispatcher/by @steveluscher in https://github.com/nodejs/undici/pull/2807fetchis aborted withnullas theAbortSignal'sreasonby @steveluscher in https://github.com/nodejs/undici/pull/2833New Contributors
Full Changelog: nodejs/undici@v6.6.2...v6.7.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.