New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency undici to v5.28.4 [security] - autoclosed #10

Closed

renovate wants to merge 1 commit into main from renovate/npm-undici-vulnerability

renovate bot commented Jun 2, 2024

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	`5.20.0` -> `5.28.4`

GitHub Vulnerability Alerts

CVE-2023-45143

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

CVE-2024-30261

Impact

If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered.

Patches

Fixed in nodejs/undici@d542b8c.
Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

Ensure that integrity cannot be tampered with.

References

https://hackerone.com/reports/2377760

CVE-2024-30260

Impact

Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request().

Patches

This has been patched in nodejs/undici@6805746.
Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

use fetch() or disable maxRedirections.

References

Linzi Shang reported this.

Release Notes

nodejs/undici (undici)

`v5.28.4`

⚠️ Security Release ⚠️

Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261

Full Changelog: nodejs/undici@v5.28.3...v5.28.4

`v5.28.3`

⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

`v5.28.2`

What's Changed

fix: remove optional chainning for compatible with Nodejs12 and below by @bugb in https://github.com/nodejs/undici/pull/2470
fix: remove node: prefix by @tsctx in https://github.com/nodejs/undici/pull/2471
perf: avoid Headers initialization by @tsctx in https://github.com/nodejs/undici/pull/2468
fix: handle SharedArrayBuffer correctly by @tsctx in https://github.com/nodejs/undici/pull/2466
fix: Add null type to signal in RequestInit by @gebsh in https://github.com/nodejs/undici/pull/2455
fix: correctly handle data URL with hashes. by @tsctx in https://github.com/nodejs/undici/pull/2475
fix: check response for timinginfo allow flag by @ToshB in https://github.com/nodejs/undici/pull/2477
Make call to onBodySent conditional in RetryHandler by @MzUgM in https://github.com/nodejs/undici/pull/2478
refactor: better integrity check by @tsctx in https://github.com/nodejs/undici/pull/2462
fix: Added support for inline URL username:password proxy auth by @matt-way in https://github.com/nodejs/undici/pull/2473
build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @dependabot in https://github.com/nodejs/undici/pull/2472
build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @dependabot in https://github.com/nodejs/undici/pull/2405
build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @dependabot in https://github.com/nodejs/undici/pull/2396
build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @dependabot in https://github.com/nodejs/undici/pull/2395
build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @dependabot in https://github.com/nodejs/undici/pull/2392
build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @dependabot in https://github.com/nodejs/undici/pull/2389
build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in https://github.com/nodejs/undici/pull/2302

New Contributors

@bugb made their first contribution in https://github.com/nodejs/undici/pull/2470
@gebsh made their first contribution in https://github.com/nodejs/undici/pull/2455
@ToshB made their first contribution in https://github.com/nodejs/undici/pull/2477
@MzUgM made their first contribution in https://github.com/nodejs/undici/pull/2478
@matt-way made their first contribution in https://github.com/nodejs/undici/pull/2473

Full Changelog: nodejs/undici@v5.28.1...v5.28.2

`v5.28.1`

What's Changed

perf: Improve normalizeMethod by @tsctx in https://github.com/nodejs/undici/pull/2456
fix: dispatch error handling by @ronag in https://github.com/nodejs/undici/pull/2459
perf(request): optimize if headers are given by @tsctx in https://github.com/nodejs/undici/pull/2454

Full Changelog: nodejs/undici@v5.28.0...v5.28.1

`v5.28.0`

What's Changed

fix(parseHeaders): util.parseHeaders handle correctly array of buffer… by @mdoria12 in https://github.com/nodejs/undici/pull/2398
docs: add license to undici-types by @dancastillo in https://github.com/nodejs/undici/pull/2401
perf: optimize Readable.dump by @ronag in https://github.com/nodejs/undici/pull/2402
perf(headers): Improve Headers by @tsctx in https://github.com/nodejs/undici/pull/2397
test: re-enable conditional WPT Report for websockets by @panva in https://github.com/nodejs/undici/pull/2407
fix: delay abort on 'close' by @ronag in https://github.com/nodejs/undici/pull/2408
refactor: use substring instead of substr by @tsctx in https://github.com/nodejs/undici/pull/2411
add additional http2 test with fetch by @KhafraDev in https://github.com/nodejs/undici/pull/2419
fix: HTTPToken check by @tsctx in https://github.com/nodejs/undici/pull/2410
perf: optimize HeadersList.get by @tsctx in https://github.com/nodejs/undici/pull/2420
properly handle pseudo-headers in fetch by @KhafraDev in https://github.com/nodejs/undici/pull/2422
perf(headers): if the guard is immutable by @tsctx in https://github.com/nodejs/undici/pull/2424
fix(mock-agent): send stream body by @tsctx in https://github.com/nodejs/undici/pull/2425
build(deps): bump github/codeql-action from 2.21.5 to 2.22.5 by @dependabot in https://github.com/nodejs/undici/pull/2394
feat(#2264): Expose Retry Handler by @metcoder95 in https://github.com/nodejs/undici/pull/2281
fix: implement Headers#set correctly by @tsctx in https://github.com/nodejs/undici/pull/2432
fix: implement Headers#delete correctly by @tsctx in https://github.com/nodejs/undici/pull/2430
test: update websocket wpt availability by @panva in https://github.com/nodejs/undici/pull/2437
fix: type comment position by @tsctx in https://github.com/nodejs/undici/pull/2443
fix: onHeaders type declaration by @tsctx in https://github.com/nodejs/undici/pull/2444
remove http2 status pseudo header from headers by @KhafraDev in https://github.com/nodejs/undici/pull/2438
docs: Clarify path matching in intercept() by @oliversalzburg in https://github.com/nodejs/undici/pull/2426
fix: set-cookie clone by @tsctx in https://github.com/nodejs/undici/pull/2446
docs: fix typo in maxConcurrentStreams by @tniessen in https://github.com/nodejs/undici/pull/2450
refactor: remove leftovers by @metcoder95 in https://github.com/nodejs/undici/pull/2451
refactor: add missing new operator by @tsctx in https://github.com/nodejs/undici/pull/2452

New Contributors

@mdoria12 made their first contribution in https://github.com/nodejs/undici/pull/2398
@tsctx made their first contribution in https://github.com/nodejs/undici/pull/2397
@oliversalzburg made their first contribution in https://github.com/nodejs/undici/pull/2426

Full Changelog: nodejs/undici@v5.27.2...v5.28.0

`v5.27.2`

Full Changelog: nodejs/undici@v5.27.1...v5.27.2

`v5.27.1`

What's Changed

add regression test by @KhafraDev in https://github.com/nodejs/undici/pull/2376
fix: define conditions when content-length should be sent by @pxue in https://github.com/nodejs/undici/pull/2305
refactor: removed unnecessary default by @nikelborm in https://github.com/nodejs/undici/pull/2381
fix: stream body handling by @ronag in https://github.com/nodejs/undici/pull/2391

New Contributors

@pxue made their first contribution in https://github.com/nodejs/undici/pull/2305
@nikelborm made their first contribution in https://github.com/nodejs/undici/pull/2381

Full Changelog: nodejs/undici@v5.27.0...v5.27.1

`v5.27.0`

What's Changed

Use sets and reusable TextEncoder/TextDecoder instances by @kibertoad in https://github.com/nodejs/undici/pull/2368
feat: forward onRequestSent to handler by @ronag in https://github.com/nodejs/undici/pull/2375
skip bundle test on node 16 by @KhafraDev in https://github.com/nodejs/undici/pull/2377
fix windows CI by @KhafraDev in https://github.com/nodejs/undici/pull/2379

Full Changelog: nodejs/undici@v5.26.5...v5.27.0

`v5.26.5`

What's Changed

Drop race condition in connect-timeout test by @mcollina in https://github.com/nodejs/undici/pull/2360
Remove a couple of unnecessary async functions by @kibertoad in https://github.com/nodejs/undici/pull/2367
Update namespace type with Fetch exports by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2361

Full Changelog: nodejs/undici@v5.26.4...v5.26.5

`v5.26.4`

What's Changed

use esbuild define/hooks by @KhafraDev in https://github.com/nodejs/undici/pull/2342
fix request's arrayBuffer returning uint8 instead of arraybuffer by @KhafraDev in https://github.com/nodejs/undici/pull/2344
fix: skip readMore call if parser is null or undefined by @iiAku in https://github.com/nodejs/undici/pull/2346
test: first attempt for flaky fix by @metcoder95 in https://github.com/nodejs/undici/pull/2337
test: only include WebSocket in WPT Report where it's landed by @panva in https://github.com/nodejs/undici/pull/2351
Update DispatchInterceptor.md by @Uzlopak in https://github.com/nodejs/undici/pull/2354
fix: Avoid error for stream() being aborted by @BobNobrain in https://github.com/nodejs/undici/pull/2355
fix names with esbuild by @KhafraDev in https://github.com/nodejs/undici/pull/2359

New Contributors

@iiAku made their first contribution in https://github.com/nodejs/undici/pull/2346
@Uzlopak made their first contribution in https://github.com/nodejs/undici/pull/2354
@BobNobrain made their first contribution in https://github.com/nodejs/undici/pull/2355

Full Changelog: nodejs/undici@v5.26.3...v5.26.4

`v5.26.3`

`v5.26.2`

Security Release, CVE-2023-45143.

`v5.26.1`

What's Changed

Fix publish undici-types once and for all! by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2338
Fix node detection omfg by @KhafraDev in https://github.com/nodejs/undici/pull/2341

Full Changelog: nodejs/undici@v5.26.0...v5.26.1

`v5.26.0`

What's Changed

use npm install instead of npm ci by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2309
change default header to node by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2310
chore: change order of the pseudo-headers by @kyrylodolynskyi in https://github.com/nodejs/undici/pull/2308
fix: Agent.Options.factory should accept URL object or string as parameter by @nicole0707 in https://github.com/nodejs/undici/pull/2295
build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by @dependabot in https://github.com/nodejs/undici/pull/2312
test: handle npm ignore-scripts settings by @panva in https://github.com/nodejs/undici/pull/2313
feat: respect --max-http-header-size Node.js flag by @balazsorban44 in https://github.com/nodejs/undici/pull/2234
fix(#2311): End stream after body sent by @metcoder95 in https://github.com/nodejs/undici/pull/2314
disallow setting host header in fetch by @KhafraDev in https://github.com/nodejs/undici/pull/2322
[StepSecurity] ci: Harden GitHub Actions by @step-security-bot in https://github.com/nodejs/undici/pull/2325
fix fetch with coverage enabled by @KhafraDev in https://github.com/nodejs/undici/pull/2330
Fix stuck when using http2 POST Buffer by @binsee in https://github.com/nodejs/undici/pull/2336
fix: 🏷️ add allowH2 to BuildOptions by @binsee in https://github.com/nodejs/undici/pull/2334
fix: 🐛 fix process http2 header by @binsee in https://github.com/nodejs/undici/pull/2332

New Contributors

@kyrylodolynskyi made their first contribution in https://github.com/nodejs/undici/pull/2308
@nicole0707 made their first contribution in https://github.com/nodejs/undici/pull/2295
@balazsorban44 made their first contribution in https://github.com/nodejs/undici/pull/2234
@binsee made their first contribution in https://github.com/nodejs/undici/pull/2336

Full Changelog: nodejs/undici@v5.23.4...v5.26.0

`v5.25.4`

`v5.25.3`

What's Changed

perf: improve parse-url implementation by @anonrig in https://github.com/nodejs/undici/pull/2286
test: enable websockets inclusion in WPTReport by @panva in https://github.com/nodejs/undici/pull/2284
remove npm run test from pre-commit hook by @dancastillo in https://github.com/nodejs/undici/pull/2296
perf: use @fastify/busboy by @gurgunday in https://github.com/nodejs/undici/pull/2211
Disable finalizationregistry if node code cov by @mcollina in https://github.com/nodejs/undici/pull/2298

New Contributors

@gurgunday made their first contribution in https://github.com/nodejs/undici/pull/2211

Full Changelog: nodejs/undici@v5.25.2...v5.25.3

`v5.25.2`

What's Changed

Add Khaf to releasers by @mcollina in https://github.com/nodejs/undici/pull/2276
fix: fix request with readable mode is object by @killagu in https://github.com/nodejs/undici/pull/2279
fix loading websockets when node is built w/ --without-ssl by @KhafraDev in https://github.com/nodejs/undici/pull/2282

New Contributors

@killagu made their first contribution in https://github.com/nodejs/undici/pull/2279

Full Changelog: nodejs/undici@v5.25.1...v5.25.2

`v5.25.1`

What's Changed

Add publish types script by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2273

Full Changelog: nodejs/undici@v5.25.0...v5.25.1

`v5.25.0`

What's Changed

fix: h2 without body by @metcoder95 in https://github.com/nodejs/undici/pull/2258
ci: remove duplicated runs by @metcoder95 in https://github.com/nodejs/undici/pull/2265
improve documentation of timeouts by making the units clear in all places by @mcfedr in https://github.com/nodejs/undici/pull/2266
expose websocket in node bundle by @KhafraDev in https://github.com/nodejs/undici/pull/2217
test: fix Fetch/HTTP2 tests by @metcoder95 in https://github.com/nodejs/undici/pull/2263
fix undici when node is built with --without-ssl by @KhafraDev in https://github.com/nodejs/undici/pull/2272
fix: Fix type definition for Client Interceptors by @ComradeCow in https://github.com/nodejs/undici/pull/2269
Fix http2 agent by @mcollina in https://github.com/nodejs/undici/pull/2275

New Contributors

@ComradeCow made their first contribution in https://github.com/nodejs/undici/pull/2269

Full Changelog: nodejs/undici@v5.24.0...v5.25.0

`v5.24.0`

Notable Changes

feat: Add H2 support by @metcoder95 in https://github.com/nodejs/undici/pull/2061

What's Changed

build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0 by @dependabot in https://github.com/nodejs/undici/pull/2203
better stack trace for body.json by @KhafraDev in https://github.com/nodejs/undici/pull/2215
allow http & https websocket urls by @KhafraDev in https://github.com/nodejs/undici/pull/2218
build(deps-dev): bump @sinonjs/fake-timers from 10.3.0 to 11.1.0 by @dependabot in https://github.com/nodejs/undici/pull/2221
fix: pass ProxyAgent proxy status code error by @NBNGaming in https://github.com/nodejs/undici/pull/2162
fix failing test by @KhafraDev in https://github.com/nodejs/undici/pull/2223
docs: update MockPool.md intercept method description by @capaj in https://github.com/nodejs/undici/pull/2220
Update wpts by @KhafraDev in https://github.com/nodejs/undici/pull/2226
build(deps): bump github/codeql-action from 2.21.2 to 2.21.5 by @dependabot in https://github.com/nodejs/undici/pull/2240
build(deps): bump actions/setup-node from 3.6.0 to 3.8.1 by @dependabot in https://github.com/nodejs/undici/pull/2237
build(deps): bump fastify/github-action-merge-dependabot from 3.9.0 to 3.9.1 by @dependabot in https://github.com/nodejs/undici/pull/2236
build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in https://github.com/nodejs/undici/pull/2241
build(deps): bump actions/dependency-review-action from 3.0.6 to 3.0.8 by @dependabot in https://github.com/nodejs/undici/pull/2238
fix: aborting request with non-object error by @KhafraDev in https://github.com/nodejs/undici/pull/2243
fix: preserve file path when parsing formdata by @jimmywarting in https://github.com/nodejs/undici/pull/2245
build(deps-dev): bump tsd from 0.28.1 to 0.29.0 by @dependabot in https://github.com/nodejs/undici/pull/2246
Updated benchmarks by @mcollina in https://github.com/nodejs/undici/pull/2250
Fix fetch in node v20.6.0 by @mcollina in https://github.com/nodejs/undici/pull/2251
Maybe fix v20 by @mcollina in https://github.com/nodejs/undici/pull/2252
feat: Add H2 support by @metcoder95 in https://github.com/nodejs/undici/pull/2061
docs: fix tables in README by @regseb in https://github.com/nodejs/undici/pull/2254
Fix http2 fetch test by @mcollina in https://github.com/nodejs/undici/pull/2253

New Contributors

@NBNGaming made their first contribution in https://github.com/nodejs/undici/pull/2162
@capaj made their first contribution in https://github.com/nodejs/undici/pull/2220
@regseb made their first contribution in https://github.com/nodejs/undici/pull/2254

Full Changelog: nodejs/undici@v5.23.0...v5.24.0

`v5.23.0`

What's Changed

bump engines to node >= 16 by @ronag in https://github.com/nodejs/undici/pull/2119
Revert "bump engines to node >= 16 (#2119)" by @ronag in https://github.com/nodejs/undici/pull/2121
fetch: set referrer properly by @KhafraDev in https://github.com/nodejs/undici/pull/2125
fix: support truncated gzip by @jimmywarting in https://github.com/nodejs/undici/pull/2126
workflow: apply security best practices by @step-security-bot in https://github.com/nodejs/undici/pull/2130
build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by @dependabot in https://github.com/nodejs/undici/pull/2135
build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by @dependabot in https://github.com/nodejs/undici/pull/2133
build(deps): bump node from 18-alpine to 20-alpine in /build by @dependabot in https://github.com/nodejs/undici/pull/2131
build(deps): bump pkgjs/action from 0.1.6 to 0.1.7 by @dependabot in https://github.com/nodejs/undici/pull/2136
build(deps): bump actions/checkout from 3.1.0 to 3.5.2 by @dependabot in https://github.com/nodejs/undici/pull/2132
build(deps-dev): bump jsdom from 21.1.2 to 22.1.0 by @dependabot in https://github.com/nodejs/undici/pull/2142
build(deps): bump fastify/github-action-merge-dependabot from 3.7.0 to 3.8.0 by @dependabot in https://github.com/nodejs/undici/pull/2148
fix(pr): use correct pr template file by @AugustinMauroy in https://github.com/nodejs/undici/pull/2141
Additional WebSocket send tests to cover all payload size categories by @jawj in https://github.com/nodejs/undici/pull/2149
fix: reverse decompression order of "Content-Encoding" encodings (fixes #2158) by @rychkog in https://github.com/nodejs/undici/pull/2159
fix: keep running WPTs if a test times out by @KhafraDev in https://github.com/nodejs/undici/pull/2165
feat: add build environment info by @mhdawson in https://github.com/nodejs/undici/pull/2168
fix: forward error reason to fetch controller by @KhafraDev in https://github.com/nodejs/undici/pull/2172
stricter types for bodymixin.json by @KhafraDev in https://github.com/nodejs/undici/pull/2181
chore: Renable autoSelectFamily tests. by @ShogunPanda in https://github.com/nodejs/undici/pull/2180
build(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by @dependabot in https://github.com/nodejs/undici/pull/2147
build(deps): bump github/codeql-action from 2.3.2 to 2.20.3 by @dependabot in https://github.com/nodejs/undici/pull/2185
fix: fetch resource timing performance entry names should be strings by @GaryWilber in https://github.com/nodejs/undici/pull/2188
build(deps): bump actions/checkout from 3.5.2 to 3.5.3 by @dependabot in https://github.com/nodejs/undici/pull/2176
build(deps): bump fastify/github-action-merge-dependabot from 3.8.0 to 3.9.0 by @dependabot in https://github.com/nodejs/undici/pull/2177
build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @dependabot in https://github.com/nodejs/undici/pull/2178
build(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by @dependabot in https://github.com/nodejs/undici/pull/2175
test: fix autoselectfamily on platforms without IPv6 support by @LiviaMedeiros in https://github.com/nodejs/undici/pull/2197
fix: make multipart/form-data boundary string more consistent by @LiviaMedeiros in https://github.com/nodejs/undici/pull/2196
docs: add proxy agent options docs by @dancastillo in https://github.com/nodejs/undici/pull/2193
build(deps): bump github/codeql-action from 2.20.3 to 2.21.2 by @dependabot in https://github.com/nodejs/undici/pull/2205
feat: make use of addAbortListener where applicable by @atlowChemi in https://github.com/nodejs/undici/pull/2195

New Contributors

@step-security-bot made their first contribution in https://github.com/nodejs/undici/pull/2130
@AugustinMauroy made their first contribution in https://github.com/nodejs/undici/pull/2141
@rychkog made their first contribution in https://github.com/nodejs/undici/pull/2159
@mhdawson made their first contribution in https://github.com/nodejs/undici/pull/2168
@GaryWilber made their first contribution in https://github.com/nodejs/undici/pull/2188
@atlowChemi made their first contribution in https://github.com/nodejs/undici/pull/2195

Full Changelog: nodejs/undici@v5.22.1...v5.23.0

`v5.22.1`

What's Changed

Cache storage by @KhafraDev in https://github.com/nodejs/undici/pull/2076
test: skip content-disposition test in node 18 by @KhafraDev in https://github.com/nodejs/undici/pull/2081
Cache storage cleanup by @KhafraDev in https://github.com/nodejs/undici/pull/2082
Cache storage fixes by @KhafraDev in https://github.com/nodejs/undici/pull/2083
test: improve test coverage for ErrorEvent and MessageEvent by @KhafraDev in https://github.com/nodejs/undici/pull/2085
test: remove --experimental-wasm-simd by @KhafraDev in https://github.com/nodejs/undici/pull/2087
websocket: add websocketinit by @KhafraDev in https://github.com/nodejs/undici/pull/2088
feat(websocket): allow setting custom headers by @KhafraDev in https://github.com/nodejs/undici/pull/2089
test: fix tests failing only on node v20 by @KhafraDev in https://github.com/nodejs/undici/pull/2096
fix: skip set content-length when FormData value is stream by @fengmk2 in https://github.com/nodejs/undici/pull/2091
doc: update outdated command in contributing.md by @jazelly in https://github.com/nodejs/undici/pull/2099
cache: fix most failing WPTs by @KhafraDev in https://github.com/nodejs/undici/pull/2100
feat: allow build:wasm to auto detect platform by @jazelly in https://github.com/nodejs/undici/pull/2102
docs: updated Error documentation (fixes #2090) by @titanism in https://github.com/nodejs/undici/pull/2092
mimesniff: fix many broken tests by @KhafraDev in https://github.com/nodejs/undici/pull/2103
test: fix failing tests by @KhafraDev in https://github.com/nodejs/undici/pull/2097
build(deps): bump github/codeql-action from 2.2.9 to 2.3.2 by @dependabot in https://github.com/nodejs/undici/pull/2105
fix: more informative error message to tell that the server doesn't match http/1.1 protocol by @Songkeys in https://github.com/nodejs/undici/pull/2055
Fix bug in 16-bit frame length when buffer is a subarray by @jawj in https://github.com/nodejs/undici/pull/2106
update wpts by @KhafraDev in https://github.com/nodejs/undici/pull/2108
fix: update error definitions by @dfilatov in https://github.com/nodejs/undici/pull/2112
fix: make assertion a noop by @ronag in https://github.com/nodejs/undici/pull/2111

New Contributors

@jazelly made their first contribution in https://github.com/nodejs/undici/pull/2099
@titanism made their first contribution in https://github.com/nodejs/undici/pull/2092
@Songkeys made their first contribution in https://github.com/nodejs/undici/pull/2055
@jawj made their first contribution in https://github.com/nodejs/undici/pull/2106
@dfilatov made their first contribution in https://github.com/nodejs/undici/pull/2112

Full Changelog: nodejs/undici@v5.22.0...v5.22.1

`v5.22.0`

What's Changed

build(deps-dev): bump tsd from 0.27.0 to 0.28.1 by @dependabot in https://github.com/nodejs/undici/pull/2042
build(deps): bump ossf/scorecard-action from 2.1.2 to 2.1.3 by @dependabot in https://github.com/nodejs/undici/pull/2040
fix: handle opaque origin in sameOrigin by @KhafraDev in https://github.com/nodejs/undici/pull/2053
test: add typescript import test back by @KhafraDev in https://github.com/nodejs/undici/pull/2054
fix: use getMaxListeners when available by @KhafraDev in https://github.com/nodejs/undici/pull/2063
feat: allow overriding hwm by @ronag in https://github.com/nodejs/undici/pull/2057
fix: there is no sync connector by @ronag in https://github.com/nodejs/undici/pull/2059
fix: rename .wasm to -wasm to appease jest by @KhafraDev in https://github.com/nodejs/undici/pull/2064
fix: set content-length when using FormData body w/ request by @KhafraDev in https://github.com/nodejs/undici/pull/2066
refactor: unify error body handling by @ronag in https://github.com/nodejs/undici/pull/2060
fix: close and destroy overlap by @ronag in https://github.com/nodejs/undici/pull/2068
remove node 12 from test matrix by @ronag in https://github.com/nodejs/undici/pull/2069
fix: don't leak socket if client is destroyed while connecting by @ronag in https://github.com/nodejs/undici/pull/2058
fix: flaky leak test by @ronag in https://github.com/nodejs/undici/pull/2070
test: update wpts by @KhafraDev in https://github.com/nodejs/undici/pull/2073
perf: latin1 by @ronag in https://github.com/nodejs/undici/pull/2075
fix: mock fetch headers shouldn't be an array by @KhafraDev in https://github.com/nodejs/undici/pull/2080

Full Changelog: nodejs/undici@v5.21.2...v5.22.0

`v5.21.2`

What's Changed

Content disposition parsing by @KhafraDev in https://github.com/nodejs/undici/pull/2051
fix: clear set-cookie headers by @KhafraDev in https://github.com/nodejs/undici/pull/2052

Full Changelog: nodejs/undici@v5.21.1...v5.21.2

`v5.21.1`

What's Changed

Fix typo in kPipelining symbol by @andrewfecenko in https://github.com/nodejs/undici/pull/2005
fix(fetch): remove undefined error cause by @aduh95 in https://github.com/nodejs/undici/pull/2006
chore(deps-dev): bump tsd from 0.25.0 to 0.27.0 by @dependabot in https://github.com/nodejs/undici/pull/2007
build(deps-dev): bump wait-on from 6.0.1 to 7.0.1 by @dependabot in https://github.com/nodejs/undici/pull/1820
fix(wpt): set global META_TITLE for the runner by @panva in https://github.com/nodejs/undici/pull/2008
fix: issue 2009 by @KhafraDev in https://github.com/nodejs/undici/pull/2013
build(deps-dev): bump typescript from 4.9.5 to 5.0.2 by @dependabot in https://github.com/nodejs/undici/pull/2018
added descriptive error messages for URL parser by @RishabhKodes in https://github.com/nodejs/undici/pull/2016
fix(fetch): remove content-length header on redirect by @KhafraDev in https://github.com/nodejs/undici/pull/2022
fix(fetch): remove assertion on request.body.source on redirect (#2027) by @macno in https://github.com/nodejs/undici/pull/2028
fix: skip failing test in node >= v19.8 by @KhafraDev in https://github.com/nodejs/undici/pull/2034
fetch: treat content-encoding as case-insensitive & remove x-deflate by @KhafraDev in https://github.com/nodejs/undici/pull/2037
perf(fetch): use string comparisons for url schemes by @KhafraDev in https://github.com/nodejs/undici/pull/2038
util: replace util.toUSVString with String.prototype.toWellFormed by @KhafraDev in https://github.com/nodejs/undici/pull/2036
build(deps): bump github/codeql-action from 2.2.4 to 2.2.9 by @dependabot in https://github.com/nodejs/undici/pull/2039
build(deps-dev): bump concurrently from 7.6.0 to 8.0.1 by @dependabot in https://github.com/nodejs/undici/pull/2041
Small performance improvements by @anonrig in https://github.com/nodejs/undici/pull/2044
fix(types): Add missing Blob import by @dpogue in https://github.com/nodejs/undici/pull/2047
fix: set window option properly by @KhafraDev in https://github.com/nodejs/undici/pull/2048
fetch: fix leak by @ronag in https://github.com/nodejs/undici/pull/2049

New Contributors

@aduh95 made their first contribution in https://github.com/nodejs/undici/pull/2006
@RishabhKodes made their first contribution in https://github.com/nodejs/undici/pull/2016
@macno made their first contribution in [https://github.com/fix(fetch): remove assertion on request.body.source on redirect (#2027) nodejs/undici#2028](https://togithub.com/nodejs/undi

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.


          chore(deps): update dependency undici to v5.28.4 [security]

1fd53de

renovate bot changed the title ~~chore(deps): update dependency undici to v5.28.4 [security]~~ chore(deps): update dependency undici to v5.28.4 [security] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-undici-vulnerability branch

June 3, 2024 17:21

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet