New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Update dependency undici to v6.11.1 [SECURITY] #44

Merged

mcollina merged 1 commit into main from renovate/npm-undici-vulnerability

Oct 15, 2024

Contributor

renovate bot commented Apr 4, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	`6.8.0` -> `6.11.1`

GitHub Vulnerability Alerts

CVE-2024-30260

Impact

Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request().

Patches

This has been patched in nodejs/undici@6805746.
Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

use fetch() or disable maxRedirections.

References

Linzi Shang reported this.

CVE-2024-30261

Impact

If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered.

Patches

Fixed in nodejs/undici@d542b8c.
Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

Ensure that integrity cannot be tampered with.

References

https://hackerone.com/reports/2377760

Release Notes

nodejs/undici (undici)

`v6.11.1`

⚠️ Security Release ⚠️

What's Changed

Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261
Revert "fix: don't leak internal class (#3024)" by @mcollina in https://github.com/nodejs/undici/pull/3044

Full Changelog: nodejs/undici@v6.11.0...v6.11.1

`v6.11.0`

What's Changed

refactor(#3023): Pass headers as array instead by @metcoder95 in https://github.com/nodejs/undici/pull/3025
fix: don't leak internal class by @ronag in https://github.com/nodejs/undici/pull/3024
build(deps): bump codecov/codecov-action from 4.1.0 to 4.1.1 by @dependabot in https://github.com/nodejs/undici/pull/3034
build(deps-dev): bump tsd from 0.30.7 to 0.31.0 by @dependabot in https://github.com/nodejs/undici/pull/3038
build(deps-dev): bump borp from 0.9.1 to 0.10.0 by @dependabot in https://github.com/nodejs/undici/pull/2947
missing commits by @ronag in https://github.com/nodejs/undici/pull/3040
build(deps): bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in https://github.com/nodejs/undici/pull/3036
fix: regexp pattern by @tsctx in https://github.com/nodejs/undici/pull/3041

Full Changelog: nodejs/undici@v6.10.2...v6.11.0

`v6.10.2`

What's Changed

Do not fail test if streams support typed arrays by @mcollina in https://github.com/nodejs/undici/pull/2978
fix(fetch): properly redirect non-ascii location header url by @Xvezda in https://github.com/nodejs/undici/pull/2971
perf: Remove double-stringify in setCookie by @peterver in https://github.com/nodejs/undici/pull/2980
[fix #2982] use DispatcherInterceptor type for Dispatcher#Compose by @clovis-guillemot in https://github.com/nodejs/undici/pull/2983
fix: make EventSource properties enumerable by @MattBidewell in https://github.com/nodejs/undici/pull/2987
docs: ✏️ fixed benchmark links by @benhalverson in https://github.com/nodejs/undici/pull/2991
fix(#2986): bad start check by @metcoder95 in https://github.com/nodejs/undici/pull/2992
fix(H2 Client): bind stream 'data' listener only after received 'response' event by @St3ffGv4 in https://github.com/nodejs/undici/pull/2985
feat: added search input by @benhalverson in https://github.com/nodejs/undici/pull/2993
chore: validate responses can be consumed without a Content-Length or… by @jacob-ebey in https://github.com/nodejs/undici/pull/2995
fix error message by @KhafraDev in https://github.com/nodejs/undici/pull/2998
Revert "perf: reuse TextDecoder instance (#2863)" by @panva in https://github.com/nodejs/undici/pull/2999
test: remove only by @metcoder95 in https://github.com/nodejs/undici/pull/3001

New Contributors

@Xvezda made their first contribution in https://github.com/nodejs/undici/pull/2971
@peterver made their first contribution in https://github.com/nodejs/undici/pull/2980
@clovis-guillemot made their first contribution in https://github.com/nodejs/undici/pull/2983
@MattBidewell made their first contribution in https://github.com/nodejs/undici/pull/2987
@benhalverson made their first contribution in https://github.com/nodejs/undici/pull/2991
@St3ffGv4 made their first contribution in https://github.com/nodejs/undici/pull/2985
@jacob-ebey made their first contribution in https://github.com/nodejs/undici/pull/2995

Full Changelog: nodejs/undici@v6.10.0...v6.10.2

`v6.10.1`

Full Changelog: nodejs/undici@v6.10.0...v6.10.1

`v6.10.0`

What's Changed

test: fix flakyness of issue-803 test by @Uzlopak in https://github.com/nodejs/undici/pull/2960
Cleanup format by @KhafraDev in https://github.com/nodejs/undici/pull/2959
Chore: run tests daily against node nightly by @mweberxyz in https://github.com/nodejs/undici/pull/2969
fix: fix retry handler option by @acommodari in https://github.com/nodejs/undici/pull/2962
build(deps): bump node from 4999fa1 to 577f8eb in /build by @dependabot in https://github.com/nodejs/undici/pull/2974
feat(TS): add types for composed dispatchers by @metcoder95 in https://github.com/nodejs/undici/pull/2967
fix: count for error response and network errors by @metcoder95 in https://github.com/nodejs/undici/pull/2966

New Contributors

@mweberxyz made their first contribution in https://github.com/nodejs/undici/pull/2969
@acommodari made their first contribution in https://github.com/nodejs/undici/pull/2962

Full Changelog: nodejs/undici@v6.9.0...v6.10.0

`v6.9.0`

What's Changed

feat: add new dispatch compose by @metcoder95 in https://github.com/nodejs/undici/pull/2826
ci: add macos-latest to test-matrix by @Uzlopak in https://github.com/nodejs/undici/pull/2952
types: align RequestInit.body type with lib.dom.ts by @jdufresne in https://github.com/nodejs/undici/pull/2956
ci: pin versions of github actions by @UlisesGascon in https://github.com/nodejs/undici/pull/2957
fetch: improve output for FormData, Response, Request by @mertcanaltin in https://github.com/nodejs/undici/pull/2955
perf: optimize collectASequenceOfBytes by @tsctx in https://github.com/nodejs/undici/pull/2958

New Contributors

@jdufresne made their first contribution in https://github.com/nodejs/undici/pull/2956
@UlisesGascon made their first contribution in https://github.com/nodejs/undici/pull/2957

Full Changelog: nodejs/undici@v6.8.0...v6.9.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          Update dependency undici to v6.11.1 [SECURITY]

2ea5d50

mcollina merged commit 4761491 into main

1 check passed

renovate bot deleted the renovate/npm-undici-vulnerability branch

October 15, 2024 12:38

# for free to join this conversation on GitHub. Already have an account? # to comment

Labels

None yet