chore(deps): update dependency undici to v6.6.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	6.4.0 -> 6.6.1

GitHub Vulnerability Alerts

CVE-2024-24750

Impact

Calling fetch(url) and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak.

Patches

Patched in v6.6.1

Workarounds

Make sure to always consume the incoming body.

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

• https://fetch.spec.whatwg.org/#authentication-entries
• GHSA-wqq4-5wpv-mx2g

---

Release Notes

nodejs/undici (undici)

v6.6.1

Compare Source

⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

What's Changed

• fix: flaky debug test by @​Uzlopak in https://github.com/nodejs/undici/pull/2687
• build(deps): bump github/codeql-action from 3.22.12 to 3.23.2 by @​dependabot in https://github.com/nodejs/undici/pull/2688
• build(deps): bump actions/dependency-review-action from 3.1.0 to 4.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/2689
• fix: ci pipeline warnings by @​Uzlopak in https://github.com/nodejs/undici/pull/2685
• perf: optimize Iterator by @​tsctx in https://github.com/nodejs/undici/pull/2692

Full Changelog: nodejs/undici@v6.6.0...v6.6.1

v6.6.0

Compare Source

What's Changed

• add webSocket example by @​mertcanaltin in https://github.com/nodejs/undici/pull/2626
• chore: remove atomic-sleep as dev dependency by @​Uzlopak in https://github.com/nodejs/undici/pull/2648
• chore: remove semver as dev dependency by @​Uzlopak in https://github.com/nodejs/undici/pull/2646
• chore: remove table as dev dependency by @​Uzlopak in https://github.com/nodejs/undici/pull/2649
• chore: remove delay as dev dependency by @​Uzlopak in https://github.com/nodejs/undici/pull/2647
• chore: reduce noise in test-logs test/issue-2349.js by @​Uzlopak in https://github.com/nodejs/undici/pull/2655
• chore: fix faketimer warning in test/request-timeout.js by @​Uzlopak in https://github.com/nodejs/undici/pull/2656
• chore: reduce noise in test logs test/client-node-max-header-size.js by @​Uzlopak in https://github.com/nodejs/undici/pull/2654
• refactor: use fromInnerResponse by @​tsctx in https://github.com/nodejs/undici/pull/2635
• fix: support deflate raw responses by @​Uzlopak in https://github.com/nodejs/undici/pull/2650
• Support building for externally shared js builtins by @​mochaaP in https://github.com/nodejs/undici/pull/2643
• fix: typo clampAndCoarsenConnectionTimingInfo by @​Uzlopak in https://github.com/nodejs/undici/pull/2653
• chore: use 'node:'-prefix for requiring node core modules by @​Uzlopak in https://github.com/nodejs/undici/pull/2662
• build(deps-dev): bump husky from 8.0.3 to 9.0.7 by @​dependabot in https://github.com/nodejs/undici/pull/2667
• build(deps-dev): bump cronometro from 1.2.0 to 2.0.2 by @​dependabot in https://github.com/nodejs/undici/pull/2668
• remove timers/promises import by @​KhafraDev in https://github.com/nodejs/undici/pull/2665
• chore: fix various codesmells by @​Uzlopak in https://github.com/nodejs/undici/pull/2669
• chore: remove this alias in agent.js by @​Uzlopak in https://github.com/nodejs/undici/pull/2671
• chore: use optional chaining by @​Uzlopak in https://github.com/nodejs/undici/pull/2666
• chore: small perf improvements by @​Uzlopak in https://github.com/nodejs/undici/pull/2661
• implement spec changes from a while ago by @​KhafraDev in https://github.com/nodejs/undici/pull/2676
• websocket: fix close when no closing code is received by @​KhafraDev in https://github.com/nodejs/undici/pull/2680
• fix: make ci less flaky by @​Uzlopak in https://github.com/nodejs/undici/pull/2684

New Contributors

• @​mochaaP made their first contribution in https://github.com/nodejs/undici/pull/2643

Full Changelog: nodejs/undici@v6.5.0...v6.6.0

v6.5.0

Compare Source

What's Changed

• build(deps-dev): bump jsdom from 23.2.0 to 24.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/2632
• feat: Implement EventSource by @​Uzlopak in https://github.com/nodejs/undici/pull/2608
• fix: readable body by @​ronag in https://github.com/nodejs/undici/pull/2642

Full Changelog: nodejs/undici@v6.4.0...v6.5.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[github-actions]

🎉 This PR is included in version 21.0.0-beta.1 🎉

The release is available on:

• GitHub release
• npm package (@beta dist-tag)

Your semantic-release bot 📦🚀

[github-actions]

🎉 This PR is included in version 20.1.0 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)

Your semantic-release bot 📦🚀

[github-actions]

🎉 This PR is included in version 20.1.0 🎉

The release is available on:

• GitHub release
• npm package (@release-20.x dist-tag)

Your semantic-release bot 📦🚀