chore(deps): update dependency undici to v5.28.3 [security] j:cdx-227 (#1428)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [undici](https://undici.nodejs.org) ([source](https://togithub.com/nodejs/undici)) | [`5.26.2` -> `5.28.3`](https://renovatebot.com/diffs/npm/undici/5.26.2/5.28.3) | [![age](https://developer.mend.io/api/mc/badges/age/npm/undici/5.28.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/5.28.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/5.26.2/5.28.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/5.26.2/5.28.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-24758](https://togithub.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3)

### Impact

Undici already cleared Authorization headers on cross-origin redirects,
but did not clear `Proxy-Authorization` headers.

### Patches

This is patched in v5.28.3 and v6.6.1.

### Workarounds

There are no known workarounds.

### References

- https://fetch.spec.whatwg.org/#authentication-entries
- GHSA-wqq4-5wpv-mx2g

---

### Release Notes

<details>
<summary>nodejs/undici (undici)</summary>

### [`v5.28.3`](https://togithub.com/nodejs/undici/releases/tag/v5.28.3)

[Compare
Source](https://togithub.com/nodejs/undici/compare/v5.28.2...v5.28.3)

#### ⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple
of days.

**Full Changelog**:
nodejs/undici@v5.28.2...v5.28.3

### [`v5.28.2`](https://togithub.com/nodejs/undici/releases/tag/v5.28.2)

[Compare
Source](https://togithub.com/nodejs/undici/compare/v5.28.1...v5.28.2)

#### What's Changed

- fix: remove optional chainning for compatible with Nodejs12 and below
by [@&#8203;bugb](https://togithub.com/bugb) in
[https://github.com/nodejs/undici/pull/2470](https://togithub.com/nodejs/undici/pull/2470)
- fix: remove `node:` prefix by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2471](https://togithub.com/nodejs/undici/pull/2471)
- perf: avoid Headers initialization by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2468](https://togithub.com/nodejs/undici/pull/2468)
- fix: handle SharedArrayBuffer correctly by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2466](https://togithub.com/nodejs/undici/pull/2466)
- fix: Add `null` type to `signal` in `RequestInit` by
[@&#8203;gebsh](https://togithub.com/gebsh) in
[https://github.com/nodejs/undici/pull/2455](https://togithub.com/nodejs/undici/pull/2455)
- fix: correctly handle data URL with hashes. by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2475](https://togithub.com/nodejs/undici/pull/2475)
- fix: check response for timinginfo allow flag by
[@&#8203;ToshB](https://togithub.com/ToshB) in
[https://github.com/nodejs/undici/pull/2477](https://togithub.com/nodejs/undici/pull/2477)
- Make call to onBodySent conditional in RetryHandler by
[@&#8203;MzUgM](https://togithub.com/MzUgM) in
[https://github.com/nodejs/undici/pull/2478](https://togithub.com/nodejs/undici/pull/2478)
- refactor: better integrity check by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2462](https://togithub.com/nodejs/undici/pull/2462)
- fix: Added support for inline URL username:password proxy auth by
[@&#8203;matt-way](https://togithub.com/matt-way) in
[https://github.com/nodejs/undici/pull/2473](https://togithub.com/nodejs/undici/pull/2473)
- build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/nodejs/undici/pull/2472](https://togithub.com/nodejs/undici/pull/2472)
- build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/nodejs/undici/pull/2405](https://togithub.com/nodejs/undici/pull/2405)
- build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/nodejs/undici/pull/2396](https://togithub.com/nodejs/undici/pull/2396)
- build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/nodejs/undici/pull/2395](https://togithub.com/nodejs/undici/pull/2395)
- build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/nodejs/undici/pull/2392](https://togithub.com/nodejs/undici/pull/2392)
- build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/nodejs/undici/pull/2389](https://togithub.com/nodejs/undici/pull/2389)
- build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/nodejs/undici/pull/2302](https://togithub.com/nodejs/undici/pull/2302)

#### New Contributors

- [@&#8203;bugb](https://togithub.com/bugb) made their first
contribution in
[https://github.com/nodejs/undici/pull/2470](https://togithub.com/nodejs/undici/pull/2470)
- [@&#8203;gebsh](https://togithub.com/gebsh) made their first
contribution in
[https://github.com/nodejs/undici/pull/2455](https://togithub.com/nodejs/undici/pull/2455)
- [@&#8203;ToshB](https://togithub.com/ToshB) made their first
contribution in
[https://github.com/nodejs/undici/pull/2477](https://togithub.com/nodejs/undici/pull/2477)
- [@&#8203;MzUgM](https://togithub.com/MzUgM) made their first
contribution in
[https://github.com/nodejs/undici/pull/2478](https://togithub.com/nodejs/undici/pull/2478)
- [@&#8203;matt-way](https://togithub.com/matt-way) made their first
contribution in
[https://github.com/nodejs/undici/pull/2473](https://togithub.com/nodejs/undici/pull/2473)

**Full Changelog**:
nodejs/undici@v5.28.1...v5.28.2

### [`v5.28.1`](https://togithub.com/nodejs/undici/releases/tag/v5.28.1)

[Compare
Source](https://togithub.com/nodejs/undici/compare/v5.28.0...v5.28.1)

#### What's Changed

- perf: Improve `normalizeMethod` by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2456](https://togithub.com/nodejs/undici/pull/2456)
- fix: dispatch error handling by
[@&#8203;ronag](https://togithub.com/ronag) in
[https://github.com/nodejs/undici/pull/2459](https://togithub.com/nodejs/undici/pull/2459)
- perf(request): optimize if headers are given by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2454](https://togithub.com/nodejs/undici/pull/2454)

**Full Changelog**:
nodejs/undici@v5.28.0...v5.28.1

### [`v5.28.0`](https://togithub.com/nodejs/undici/releases/tag/v5.28.0)

[Compare
Source](https://togithub.com/nodejs/undici/compare/v5.27.2...v5.28.0)

#### What's Changed

- fix(parseHeaders): util.parseHeaders handle correctly array of buffer…
by [@&#8203;mdoria12](https://togithub.com/mdoria12) in
[https://github.com/nodejs/undici/pull/2398](https://togithub.com/nodejs/undici/pull/2398)
- docs: add license to undici-types by
[@&#8203;dancastillo](https://togithub.com/dancastillo) in
[https://github.com/nodejs/undici/pull/2401](https://togithub.com/nodejs/undici/pull/2401)
- perf: optimize Readable.dump by
[@&#8203;ronag](https://togithub.com/ronag) in
[https://github.com/nodejs/undici/pull/2402](https://togithub.com/nodejs/undici/pull/2402)
- perf(headers): Improve Headers by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2397](https://togithub.com/nodejs/undici/pull/2397)
- test: re-enable conditional WPT Report for websockets by
[@&#8203;panva](https://togithub.com/panva) in
[https://github.com/nodejs/undici/pull/2407](https://togithub.com/nodejs/undici/pull/2407)
- fix: delay abort on 'close' by
[@&#8203;ronag](https://togithub.com/ronag) in
[https://github.com/nodejs/undici/pull/2408](https://togithub.com/nodejs/undici/pull/2408)
- refactor: use `substring` instead of `substr` by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2411](https://togithub.com/nodejs/undici/pull/2411)
- add additional http2 test with fetch by
[@&#8203;KhafraDev](https://togithub.com/KhafraDev) in
[https://github.com/nodejs/undici/pull/2419](https://togithub.com/nodejs/undici/pull/2419)
- fix: HTTPToken check by [@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2410](https://togithub.com/nodejs/undici/pull/2410)
- perf: optimize HeadersList.get by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2420](https://togithub.com/nodejs/undici/pull/2420)
- properly handle pseudo-headers in fetch by
[@&#8203;KhafraDev](https://togithub.com/KhafraDev) in
[https://github.com/nodejs/undici/pull/2422](https://togithub.com/nodejs/undici/pull/2422)
- perf(headers): if the guard is immutable by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2424](https://togithub.com/nodejs/undici/pull/2424)
- fix(mock-agent): send stream body by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2425](https://togithub.com/nodejs/undici/pull/2425)
- build(deps): bump github/codeql-action from 2.21.5 to 2.22.5 by
[@&#8203;dependabot](https://togithub.com/dependabot) in
[https://github.com/nodejs/undici/pull/2394](https://togithub.com/nodejs/undici/pull/2394)
- feat([#&#8203;2264](https://togithub.com/nodejs/undici/issues/2264)):
Expose Retry Handler by
[@&#8203;metcoder95](https://togithub.com/metcoder95) in
[https://github.com/nodejs/undici/pull/2281](https://togithub.com/nodejs/undici/pull/2281)
- fix: implement `Headers#set` correctly by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2432](https://togithub.com/nodejs/undici/pull/2432)
- fix: implement `Headers#delete` correctly by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2430](https://togithub.com/nodejs/undici/pull/2430)
- test: update websocket wpt availability by
[@&#8203;panva](https://togithub.com/panva) in
[https://github.com/nodejs/undici/pull/2437](https://togithub.com/nodejs/undici/pull/2437)
- fix: type comment position by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2443](https://togithub.com/nodejs/undici/pull/2443)
- fix: `onHeaders` type declaration by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2444](https://togithub.com/nodejs/undici/pull/2444)
- remove http2 status pseudo header from headers by
[@&#8203;KhafraDev](https://togithub.com/KhafraDev) in
[https://github.com/nodejs/undici/pull/2438](https://togithub.com/nodejs/undici/pull/2438)
- docs: Clarify `path` matching in `intercept()` by
[@&#8203;oliversalzburg](https://togithub.com/oliversalzburg) in
[https://github.com/nodejs/undici/pull/2426](https://togithub.com/nodejs/undici/pull/2426)
- fix: set-cookie clone by [@&#8203;tsctx](https://togithub.com/tsctx)
in
[https://github.com/nodejs/undici/pull/2446](https://togithub.com/nodejs/undici/pull/2446)
- docs: fix typo in maxConcurrentStreams by
[@&#8203;tniessen](https://togithub.com/tniessen) in
[https://github.com/nodejs/undici/pull/2450](https://togithub.com/nodejs/undici/pull/2450)
- refactor: remove leftovers by
[@&#8203;metcoder95](https://togithub.com/metcoder95) in
[https://github.com/nodejs/undici/pull/2451](https://togithub.com/nodejs/undici/pull/2451)
- refactor: add missing new operator by
[@&#8203;tsctx](https://togithub.com/tsctx) in
[https://github.com/nodejs/undici/pull/2452](https://togithub.com/nodejs/undici/pull/2452)

#### New Contributors

- [@&#8203;mdoria12](https://togithub.com/mdoria12) made their first
contribution in
[https://github.com/nodejs/undici/pull/2398](https://togithub.com/nodejs/undici/pull/2398)
- [@&#8203;tsctx](https://togithub.com/tsctx) made their first
contribution in
[https://github.com/nodejs/undici/pull/2397](https://togithub.com/nodejs/undici/pull/2397)
- [@&#8203;oliversalzburg](https://togithub.com/oliversalzburg) made
their first contribution in
[https://github.com/nodejs/undici/pull/2426](https://togithub.com/nodejs/undici/pull/2426)

**Full Changelog**:
nodejs/undici@v5.27.2...v5.28.0

### [`v5.27.2`](https://togithub.com/nodejs/undici/releases/tag/v5.27.2)

[Compare
Source](https://togithub.com/nodejs/undici/compare/v5.27.1...v5.27.2)

**Full Changelog**:
nodejs/undici@v5.27.1...v5.27.2

### [`v5.27.1`](https://togithub.com/nodejs/undici/releases/tag/v5.27.1)

[Compare
Source](https://togithub.com/nodejs/undici/compare/v5.27.0...v5.27.1)

#### What's Changed

- add regression test by
[@&#8203;KhafraDev](https://togithub.com/KhafraDev) in
[https://github.com/nodejs/undici/pull/2376](https://togithub.com/nodejs/undici/pull/2376)
- fix: define conditions when content-length should be sent by
[@&#8203;pxue](https://togithub.com/pxue) in
[https://github.com/nodejs/undici/pull/2305](https://togithub.com/nodejs/undici/pull/2305)
- refactor: removed unnecessary default by
[@&#8203;nikelborm](https://togithub.com/nikelborm) in
[https://github.com/nodejs/undici/pull/2381](https://togithub.com/nodejs/undici/pull/2381)
- fix: stream body handling by
[@&#8203;ronag](https://togithub.com/ronag) in
[https://github.com/nodejs/undici/pull/2391](https://togithub.com/nodejs/undici/pull/2391)

#### New Contributors

- [@&#8203;pxue](https://togithub.com/pxue) made their first
contribution in
[https://github.com/nodejs/undici/pull/2305](https://togithub.com/nodejs/undici/pull/2305)
- [@&#8203;nikelborm](https://togithub.com/nikelborm) made their first
contribution in
[https://github.com/nodejs/undici/pull/2381](https://togithub.com/nodejs/undici/pull/2381)

**Full Changelog**:
nodejs/undici@v5.27.0...v5.27.1

### [`v5.27.0`](https://togithub.com/nodejs/undici/releases/tag/v5.27.0)

[Compare
Source](https://togithub.com/nodejs/undici/compare/v5.26.5...v5.27.0)

#### What's Changed

- Use sets and reusable TextEncoder/TextDecoder instances by
[@&#8203;kibertoad](https://togithub.com/kibertoad) in
[https://github.com/nodejs/undici/pull/2368](https://togithub.com/nodejs/undici/pull/2368)
- feat: forward onRequestSent to handler by
[@&#8203;ronag](https://togithub.com/ronag) in
[https://github.com/nodejs/undici/pull/2375](https://togithub.com/nodejs/undici/pull/2375)
- skip bundle test on node 16 by
[@&#8203;KhafraDev](https://togithub.com/KhafraDev) in
[https://github.com/nodejs/undici/pull/2377](https://togithub.com/nodejs/undici/pull/2377)
- fix windows CI by [@&#8203;KhafraDev](https://togithub.com/KhafraDev)
in
[https://github.com/nodejs/undici/pull/2379](https://togithub.com/nodejs/undici/pull/2379)

**Full Changelog**:
nodejs/undici@v5.26.5...v5.27.0

### [`v5.26.5`](https://togithub.com/nodejs/undici/releases/tag/v5.26.5)

[Compare
Source](https://togithub.com/nodejs/undici/compare/v5.26.4...v5.26.5)

#### What's Changed

- Drop race condition in connect-timeout test by
[@&#8203;mcollina](https://togithub.com/mcollina) in
[https://github.com/nodejs/undici/pull/2360](https://togithub.com/nodejs/undici/pull/2360)
- Remove a couple of unnecessary async functions by
[@&#8203;kibertoad](https://togithub.com/kibertoad) in
[https://github.com/nodejs/undici/pull/2367](https://togithub.com/nodejs/undici/pull/2367)
- Update namespace type with Fetch exports by
[@&#8203;Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in
[https://github.com/nodejs/undici/pull/2361](https://togithub.com/nodejs/undici/pull/2361)

**Full Changelog**:
nodejs/undici@v5.26.4...v5.26.5

### [`v5.26.4`](https://togithub.com/nodejs/undici/releases/tag/v5.26.4)

[Compare
Source](https://togithub.com/nodejs/undici/compare/v5.26.3...v5.26.4)

#### What's Changed

- use esbuild define/hooks by
[@&#8203;KhafraDev](https://togithub.com/KhafraDev) in
[https://github.com/nodejs/undici/pull/2342](https://togithub.com/nodejs/undici/pull/2342)
- fix request's arrayBuffer returning uint8 instead of arraybuffer by
[@&#8203;KhafraDev](https://togithub.com/KhafraDev) in
[https://github.com/nodejs/undici/pull/2344](https://togithub.com/nodejs/undici/pull/2344)
- fix: skip readMore call if parser is null or undefined by
[@&#8203;iiAku](https://togithub.com/iiAku) in
[https://github.com/nodejs/undici/pull/2346](https://togithub.com/nodejs/undici/pull/2346)
- test: first attempt for flaky fix by
[@&#8203;metcoder95](https://togithub.com/metcoder95) in
[https://github.com/nodejs/undici/pull/2337](https://togithub.com/nodejs/undici/pull/2337)
- test: only include WebSocket in WPT Report where it's landed by
[@&#8203;panva](https://togithub.com/panva) in
[https://github.com/nodejs/undici/pull/2351](https://togithub.com/nodejs/undici/pull/2351)
- Update DispatchInterceptor.md by
[@&#8203;Uzlopak](https://togithub.com/Uzlopak) in
[https://github.com/nodejs/undici/pull/2354](https://togithub.com/nodejs/undici/pull/2354)
- fix: Avoid error for stream() being aborted by
[@&#8203;BobNobrain](https://togithub.com/BobNobrain) in
[https://github.com/nodejs/undici/pull/2355](https://togithub.com/nodejs/undici/pull/2355)
- fix names with esbuild by
[@&#8203;KhafraDev](https://togithub.com/KhafraDev) in
[https://github.com/nodejs/undici/pull/2359](https://togithub.com/nodejs/undici/pull/2359)

#### New Contributors

- [@&#8203;iiAku](https://togithub.com/iiAku) made their first
contribution in
[https://github.com/nodejs/undici/pull/2346](https://togithub.com/nodejs/undici/pull/2346)
- [@&#8203;Uzlopak](https://togithub.com/Uzlopak) made their first
contribution in
[https://github.com/nodejs/undici/pull/2354](https://togithub.com/nodejs/undici/pull/2354)
- [@&#8203;BobNobrain](https://togithub.com/BobNobrain) made their first
contribution in
[https://github.com/nodejs/undici/pull/2355](https://togithub.com/nodejs/undici/pull/2355)

**Full Changelog**:
nodejs/undici@v5.26.3...v5.26.4

### [`v5.26.3`](https://togithub.com/nodejs/undici/compare/12a62187d45f332cf39dd405f7c52b759cf40cdd...227b9bedf233f741b86dda4ae9d1c7ad69f5d75c)

[Compare
Source](https://togithub.com/nodejs/undici/compare/v5.26.2...v5.26.3)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---


This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log [here](https://developer.mend.io/github/coveo/cli).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate[bot] authored Feb 21, 2024
1 parent a947377 commit 929af8e
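
The redirect handling described under "Impact" in the commit message above, as an added example (a simplified model written for this page, not code from undici or from this repository): it traces which credential headers each hop of a redirect chain receives when only `Authorization` is cleared on a cross-origin redirect, and when `Proxy-Authorization` is cleared as well. The URLs, header values and function names are constructed for illustration.

```javascript
// Added example: simplified model of redirect header handling, not undici's code.
// Header sets cleared on a cross-origin redirect, per the advisory text.
const CLEARED_BEFORE_FIX = new Set(['authorization']);
const CLEARED_AFTER_FIX = new Set(['authorization', 'proxy-authorization']);

// Return a copy of `headers` to send to `nextUrl` after a redirect from
// `currentUrl`. Header names are matched case-insensitively.
function headersForRedirect(headers, currentUrl, nextUrl, cleared) {
  const sameOrigin = new URL(currentUrl).origin === new URL(nextUrl).origin;
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!sameOrigin && cleared.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Names of credential-bearing headers still present, lowercased and sorted.
function credentialNames(headers) {
  return Object.keys(headers)
    .map((n) => n.toLowerCase())
    .filter((n) => CLEARED_AFTER_FIX.has(n))
    .sort();
}

// Walk a redirect chain (a list of Location values) and report which
// credential headers each hop would receive under the given policy.
function traceRedirects(startUrl, locations, headers, cleared) {
  let current = startUrl;
  let sent = { ...headers };
  const hops = [{ url: current, credentials: credentialNames(sent) }];
  for (const location of locations) {
    const next = new URL(location, current).href; // resolves relative Location
    sent = headersForRedirect(sent, current, next, cleared);
    current = next;
    hops.push({ url: current, credentials: credentialNames(sent) });
  }
  return hops;
}

// Constructed sample: one same-origin hop, then one cross-origin hop.
const sampleHeaders = {
  Authorization: 'Bearer example-token',
  'Proxy-Authorization': 'Basic ZXhhbXBsZTpleGFtcGxl',
  Accept: 'application/json',
};
const sampleChain = ['/v2/data', 'https://other.example/landing'];

function demo() {
  const start = 'https://api.example/v1/data';
  return {
    before: traceRedirects(start, sampleChain, sampleHeaders, CLEARED_BEFORE_FIX),
    after: traceRedirects(start, sampleChain, sampleHeaders, CLEARED_AFTER_FIX),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The same-origin hop keeps both headers under either policy; only the cross-origin hop differs, which is the case a regression test for this upgrade should cover.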
Showing 2 changed files with 5 additions and 5 deletions.
8 changes: 4 additions & 4 deletions package-lock.json

Some generated files are not rendered by default.

2 changes: 1 addition & 1 deletion packages/cli/source/package.json
Expand Up @@ -40,7 +40,7 @@
"tsconfig-paths": "4.2.0",
"tslib": "2.5.0",
"typescript": "4.9.5",
"undici": "5.26.2"
"undici": "5.28.3"
},
"oclif": {
"bin": "coveo",
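
Review bot: The `"undici": "5.28.3"` line in packages/cli/source/package.json only covers the direct, exactly pinned dependency of this one package, and the package-lock.json change (4 additions, 4 deletions) is not rendered on this page, so the resolved version cannot be confirmed from the diff. Before merging, check that the lockfile resolves undici to 5.28.3 and that no other workspace package or transitive dependency still pulls in a release older than 5.28.3, for example with `npm ls undici`. The bump also crosses the 5.27.0 and 5.28.0 minor releases, so the changelog entries for those belong in the review alongside the security fix.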