chore(deps): update dependency undici to v5.28.3 [security] j:cdx-227 #1428

renovate · 2024-02-16T19:17:52Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	`5.26.2` -> `5.28.3`

GitHub Vulnerability Alerts

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

Release Notes

nodejs/undici (undici)

`v5.28.3`

Compare Source

⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

`v5.28.2`

Compare Source

What's Changed

fix: remove optional chainning for compatible with Nodejs12 and below by @bugb in https://github.com/nodejs/undici/pull/2470
fix: remove node: prefix by @tsctx in https://github.com/nodejs/undici/pull/2471
perf: avoid Headers initialization by @tsctx in https://github.com/nodejs/undici/pull/2468
fix: handle SharedArrayBuffer correctly by @tsctx in https://github.com/nodejs/undici/pull/2466
fix: Add null type to signal in RequestInit by @gebsh in https://github.com/nodejs/undici/pull/2455
fix: correctly handle data URL with hashes. by @tsctx in https://github.com/nodejs/undici/pull/2475
fix: check response for timinginfo allow flag by @ToshB in https://github.com/nodejs/undici/pull/2477
Make call to onBodySent conditional in RetryHandler by @MzUgM in https://github.com/nodejs/undici/pull/2478
refactor: better integrity check by @tsctx in https://github.com/nodejs/undici/pull/2462
fix: Added support for inline URL username:password proxy auth by @matt-way in https://github.com/nodejs/undici/pull/2473
build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @dependabot in https://github.com/nodejs/undici/pull/2472
build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @dependabot in https://github.com/nodejs/undici/pull/2405
build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @dependabot in https://github.com/nodejs/undici/pull/2396
build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @dependabot in https://github.com/nodejs/undici/pull/2395
build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @dependabot in https://github.com/nodejs/undici/pull/2392
build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @dependabot in https://github.com/nodejs/undici/pull/2389
build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in https://github.com/nodejs/undici/pull/2302

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

github-actions · 2024-02-16T19:18:21Z

Thanks for your contribution @renovate[bot] !
When your pull-request is ready to be merged, check the box below to merge it

Merge!

github-actions · 2024-02-16T19:19:23Z

Pull Request Report

PR Title

✅ Title follows the conventional commit spec.

renovate bot requested a review from a team as a code owner February 16, 2024 19:17

renovate bot requested review from olamothe and y-lakhdar and removed request for a team February 16, 2024 19:17

renovate bot added the dependencies Pull requests that update a dependency file label Feb 16, 2024

renovate bot requested a review from fbeaudoincoveo February 16, 2024 19:17

github-actions bot mentioned this pull request Feb 16, 2024

chore(deps): update dependency undici to v5.28.3 [security] and jest snaps j:cdx-227 #1429

Closed

renovate bot force-pushed the renovate/npm-undici-vulnerability branch 2 times, most recently from 1ee0afd to 3bf8337 Compare February 20, 2024 06:23

github-actions bot mentioned this pull request Feb 20, 2024

chore(deps): update dependency undici to v5.28.3 [security] and jest snaps j:cdx-227 #1440

Open

renovate bot force-pushed the renovate/npm-undici-vulnerability branch from 3bf8337 to ef86b1d Compare February 20, 2024 18:19

chore(deps): update dependency undici to v5.28.3 [security] j:cdx-227

04f89cf

renovate bot force-pushed the renovate/npm-undici-vulnerability branch from ef86b1d to 04f89cf Compare February 20, 2024 19:26

louis-bompart approved these changes Feb 21, 2024

View reviewed changes

louis-bompart merged commit 929af8e into master Feb 21, 2024
49 checks passed

louis-bompart deleted the renovate/npm-undici-vulnerability branch February 21, 2024 18:24

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency undici to v5.28.3 [security] j:cdx-227 #1428

chore(deps): update dependency undici to v5.28.3 [security] j:cdx-227 #1428

renovate bot commented Feb 16, 2024

github-actions bot commented Feb 16, 2024

github-actions bot commented Feb 16, 2024

chore(deps): update dependency undici to v5.28.3 [security] j:cdx-227 #1428

chore(deps): update dependency undici to v5.28.3 [security] j:cdx-227 #1428

Conversation

renovate bot commented Feb 16, 2024

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

References

Release Notes

⚠️ Security Release ⚠️

What's Changed

New Contributors

What's Changed

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

What's Changed

What's Changed

New Contributors

Configuration

github-actions bot commented Feb 16, 2024

github-actions bot commented Feb 16, 2024