-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency undici to v5.28.4 [security] #423
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/npm-undici-vulnerability/VF-000
base: master
Could not load branches
Branch not found: {{ refName }}
Could not load tags
Nothing to show
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
added
dependencies
Pull requests that update a dependency file
ready for review
labels
Feb 20, 2023
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
2 times, most recently
from
March 3, 2023 13:52
bc06a6a
to
b76a7a2
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
from
March 7, 2023 15:03
b76a7a2
to
69d7476
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
2 times, most recently
from
March 17, 2023 18:40
2794627
to
53ca4b4
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
4 times, most recently
from
March 31, 2023 23:48
882bbc9
to
9b6d041
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
3 times, most recently
from
April 18, 2023 18:04
6fc092a
to
68ae376
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
5 times, most recently
from
May 2, 2023 15:43
ed1f820
to
a1dd1a2
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
from
May 3, 2023 18:33
a1dd1a2
to
6d31d20
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
5 times, most recently
from
May 18, 2023 09:27
7047d95
to
092a622
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
2 times, most recently
from
May 25, 2023 19:39
ca35dd7
to
2cf2732
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
2 times, most recently
from
May 29, 2023 20:36
00c8e86
to
90311c7
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
4 times, most recently
from
April 3, 2024 22:12
d500319
to
1516c94
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
2 times, most recently
from
April 15, 2024 16:12
f183816
to
1f7803d
Compare
renovate
bot
changed the title
chore(deps): update dependency undici to v5.28.3 [security]
chore(deps): update dependency undici to v5.28.4 [security]
Apr 15, 2024
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
4 times, most recently
from
April 24, 2024 17:14
c766c94
to
aba3f66
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
6 times, most recently
from
May 1, 2024 22:49
bb8c8ca
to
75b59b2
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
7 times, most recently
from
May 22, 2024 20:45
a4d2ab7
to
c1d3d18
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
3 times, most recently
from
June 6, 2024 19:56
9a75c9f
to
1f0011e
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
from
June 14, 2024 16:37
1f0011e
to
84754a6
Compare
Quality Gate passedIssues Measures |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
5.12.0
->5.28.4
GitHub Vulnerability Alerts
CVE-2023-23936
Impact
undici library does not protect
host
HTTP header from CRLF injection vulnerabilities.Patches
This issue was patched in Undici v5.19.1.
Workarounds
Sanitize the
headers.host
string before passing to undici.References
Reported at https://hackerone.com/reports/1820955.
Credits
Thank you to Zhipeng Zhang (@timon8) for reporting this vulnerability.
CVE-2023-24807
Impact
The
Headers.set()
andHeaders.append()
methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in theheaderValueNormalize()
utility function.Patches
This vulnerability was patched in v5.19.1.
Workarounds
There is no workaround. Please update to an unaffected version.
References
Credits
Carter Snook reported this vulnerability.
CVE-2023-45143
Impact
Undici clears Authorization headers on cross-origin redirects, but does not clear
Cookie
headers. By design,cookie
headers are forbidden request headers, disallowing them to be set inRequestInit.headers
in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.
Patches
This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.
CVE-2024-24758
Impact
Undici already cleared Authorization headers on cross-origin redirects, but did not clear
Proxy-Authorization
headers.Patches
This is patched in v5.28.3 and v6.6.1
Workarounds
There are no known workarounds.
References
CVE-2024-30261
Impact
If an attacker can alter the
integrity
option passed tofetch()
, they can letfetch()
accept requests as valid even if they have been tampered.Patches
Fixed in nodejs/undici@d542b8c.
Fixes has been released in v5.28.4 and v6.11.1.
Workarounds
Ensure that
integrity
cannot be tampered with.References
https://hackerone.com/reports/2377760
CVE-2024-30260
Impact
Undici cleared Authorization and Proxy-Authorization headers for
fetch()
, but did not clear them forundici.request()
.Patches
This has been patched in nodejs/undici@6805746.
Fixes has been released in v5.28.4 and v6.11.1.
Workarounds
use
fetch()
or disablemaxRedirections
.References
Linzi Shang reported this.
Release Notes
nodejs/undici (undici)
v5.28.4
Compare Source
Full Changelog: nodejs/undici@v5.28.3...v5.28.4
v5.28.3
Compare Source
Details on the vulnerabilities fixed will be shared in the next couple of days.
Full Changelog: nodejs/undici@v5.28.2...v5.28.3
v5.28.2
Compare Source
What's Changed
node:
prefix by @tsctx in https://github.com/nodejs/undici/pull/2471null
type tosignal
inRequestInit
by @gebsh in https://github.com/nodejs/undici/pull/2455New Contributors
Full Changelog: nodejs/undici@v5.28.1...v5.28.2
v5.28.1
Compare Source
What's Changed
normalizeMethod
by @tsctx in https://github.com/nodejs/undici/pull/2456Full Changelog: nodejs/undici@v5.28.0...v5.28.1
v5.28.0
Compare Source
What's Changed
substring
instead ofsubstr
by @tsctx in https://github.com/nodejs/undici/pull/2411Headers#set
correctly by @tsctx in https://github.com/nodejs/undici/pull/2432Headers#delete
correctly by @tsctx in https://github.com/nodejs/undici/pull/2430onHeaders
type declaration by @tsctx in https://github.com/nodejs/undici/pull/2444path
matching inintercept()
by @oliversalzburg in https://github.com/nodejs/undici/pull/2426New Contributors
Full Changelog: nodejs/undici@v5.27.2...v5.28.0
v5.27.2
Compare Source
Full Changelog: nodejs/undici@v5.27.1...v5.27.2
v5.27.1
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.27.0...v5.27.1
v5.27.0
Compare Source
What's Changed
Full Changelog: nodejs/undici@v5.26.5...v5.27.0
v5.26.5
Compare Source
What's Changed
Full Changelog: nodejs/undici@v5.26.4...v5.26.5
v5.26.4
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.26.3...v5.26.4
v5.26.3
Compare Source
v5.26.2
Compare Source
Security Release, CVE-2023-45143.
v5.26.1
Compare Source
What's Changed
Full Changelog: nodejs/undici@v5.26.0...v5.26.1
v5.26.0
Compare Source
What's Changed
node
by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2310--max-http-header-size
Node.js flag by @balazsorban44 in https://github.com/nodejs/undici/pull/2234New Contributors
Full Changelog: nodejs/undici@v5.23.4...v5.26.0
v5.25.4
Compare Source
v5.25.3
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.25.2...v5.25.3
v5.25.2
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.25.1...v5.25.2
v5.25.1
Compare Source
What's Changed
Full Changelog: nodejs/undici@v5.25.0...v5.25.1
v5.25.0
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.24.0...v5.25.0
v5.24.0
Compare Source
Notable Changes
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.23.0...v5.24.0
v5.23.0
Compare Source
What's Changed
autoselectfamily
on platforms without IPv6 support by @LiviaMedeiros in https://github.com/nodejs/undici/pull/2197addAbortListener
where applicable by @atlowChemi in https://github.com/nodejs/undici/pull/2195New Contributors
Full Changelog: nodejs/undici@v5.22.1...v5.23.0
v5.22.1
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.22.0...v5.22.1
v5.22.0
Compare Source
What's Changed
Full Changelog: nodejs/undici@v5.21.2...v5.22.0
v5.21.2
Compare Source
What's Changed
Full Changelog: nodejs/undici@v5.21.1...v5.21.2
v5.21.1
Compare Source
What's Changed
undefined
error cause by @aduh95 in https://github.com/nodejs/undici/pull/2006Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.