[Snyk] Upgrade undici from 5.28.4 to 7.0.0

[nerdy-tech-com-gitub]

Snyk has created this PR to upgrade undici from 5.28.4 to 7.0.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 54 versions ahead of your current version.

• The recommended version was released 25 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	169	Proof of Concept

Release notes

Package name: undici

• 7.0.0 - 2024-11-27
  

  What's Changed

  • fetch: fix content-encoding order by @ tsctx in #3343
  • Add regression test for broken body by @ mcollina in #3346
  • build(deps): bump node from 075a5cc to 9af472b in /build by @ dependabot in #3355
  • fix: post request signal by @ Gigioliva in #3354
  • Revert "fix: post request signal (#3354)" by @ ronag in #3359
  • websocket: don't use pooled buffer in mask pool by @ tsctx in #3357
  • fix: consider bytes read when dumping by @ ronag in #3360
  • refactor: simplify signal handling by @ ronag in #3362
  • fix: use explicit flag for when use has interacted with stream by @ ronag in #3361
  • Refactor example documentation structure and add CacheableLookup example by @ DarkGL in #3363
  • refactor: simplify request error handling by @ ronag in #3364
  • fix: ensure onConnect is always called by @ ronag in #3327
  • Refactor responseHeader to responseHeaders by @ DarkGL in #3375
  • fix: don't override user defined MaxListeners by @ fawazahmed0 in #3372
  • fix: forward dispatch return value by @ ronag in #3368
  • build(deps): bump github/codeql-action from 3.25.7 to 3.25.11 by @ dependabot in #3382
  • build(deps): bump codecov/codecov-action from 4.4.1 to 4.5.0 by @ dependabot in #3384
  • build(deps): bump actions/dependency-review-action from 4.3.2 to 4.3.3 by @ dependabot in #3383
  • build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 by @ dependabot in #3381
  • fix: throw on retry when payload is consume by downstream by @ climba03003 in #3389
  • Remove file by @ KhafraDev in #3367
  • build(deps): bump node from 9af472b to 138d0b5 in /build by @ dependabot in #3392
  • feat!: upgrade llhttp to 9.2.0 (#2705) by @ metcoder95 in #3388
  • websocket: reduce memory usage by @ tsctx in #3393
  • feat: implement BodyReadable.bytes by @ tsctx in #3391
  • websocket: avoid using Buffer.byteLength by @ tsctx in #3394
  • separate whatwg websocket logic from rfc 6455 by @ KhafraDev in #3396
  • websocket: add fast-path for string input by @ tsctx in #3395
  • Add generic type for opaque object by @ jfhr in #3385
  • build(deps): bump node from 138d0b5 to 67225d4 in /build by @ dependabot in #3398
  • interceptors: move throwOnError to interceptor by @ mertcanaltin in #3331
  • chore!: drop interceptors by @ metcoder95 in #3399
  • build(deps-dev): bump @ fastify/busboy from 2.1.1 to 3.0.0 by @ dependabot in #3404
  • fix: don't call onConnect automatically by @ ronag in #3407
  • In CITGM, skip tests that are flaky there by @ mcollina in #3413
  • Update esbuild to 0.19.10 by @ mcollina in #3415
  • Fix signature of RetryHandler by @ JbIPS in #3416
  • docs: fix ToC in CONTRIBUTING.md by @ richardlau in #3420
  • Fix fetch duplex docs by @ Ethan-Arrowood in #3422
  • fix: restore externalized Node.js dep compatibility by @ richardlau in #3421
  • fix: cast falsy servername to null to avoid falsy inequality by @ ronag in #3426
  • Add backport action by @ mcollina in #3427
  • build(deps): bump node from 67225d4 to 858234a in /build by @ dependabot in #3411
  • build(deps): bump github/codeql-action from 3.25.11 to 3.25.15 by @ dependabot in #3432
  • build(deps): bump actions/dependency-review-action from 4.3.3 to 4.3.4 by @ dependabot in #3431
  • build(deps): bump actions/upload-artifact from 4.3.3 to 4.3.4 by @ dependabot in #3430
  • build(deps): bump ossf/scorecard-action from 2.3.3 to 2.4.0 by @ dependabot in #3428
  • build(deps): bump step-security/harden-runner from 2.8.1 to 2.9.0 by @ dependabot in #3429
  • build(deps): bump superagent from 9.0.2 to 10.0.0 in /benchmarks by @ dependabot in #3439
  • build(deps): bump node from 17e6738 to 30c5be9 in /build by @ dependabot in #3443
  • docs: use default link of Web Streams API by @ trivikr in #3446
  • fix: increased memory in finalization first appearing in v6.16.0 by @ snyamathi in #3445
  • test: add test for memory leak by @ snyamathi in #3450
  • build: parametrize the location of wasm-opt by @ khardix in #3454
  • test: streamline test scripts in regard of without-intl and run more tests for without-intl case by @ Uzlopak in #3453
  • feat!: drop throwOnError by @ metcoder95 in #3451
  • types: allow non strict HTTPMethod by @ Uzlopak in #3457
  • build(deps-dev): bump borp from 0.15.0 to 0.17.0 by @ dependabot in #3424
  • remove core isErrored and isReadable by @ KhafraDev in #3459
  • use bodyUnusable to check if body is unusable by @ KhafraDev in #3460
  • perf: non-recursive implementation of euclidian gcd in balanced pool by @ Uzlopak in #3461
  • fix: do validation first before actual business logic, like super() by @ Uzlopak in #3463
  • use FinalizationRegistry for cloned response body by @ KhafraDev in #3458
  • perf: use isIPv6 for checking if hostname is isIPv6 by @ Uzlopak in #3466
  • fix: stripURLForReferrer jsdoc in fetch logic by @ Uzlopak in #3471
  • fix: remove kInterceptors in ProxyAgent by @ Uzlopak in #3474
  • fix: fix codesmells in retry-handler by @ Uzlopak in #3475
  • add autocompletable header types by @ KhafraDev in #3462
  • fix: add missing kOriginalDispatch Symbol in mock-logic by @ Uzlopak in #3470
  • fix: fix jsdoc in cookies/parse.js by @ Uzlopak in #3469
  • fix: remove unnecessary parameters in USVString calls by @ Uzlopak in #3467
  • fix: add jsdoc in tree.js, avoiding codesmells by @ Uzlopak in #3476
  • perf: set isLowerCase param on all calls of HeadersList.append by @ Uzlopak in #3468
  • fix: instantiation of ResponseError, pass headers and data correctly by @ Uzlopak in #3472
  • ci: add WPT updater by @ Uzlopak in #3482
  • meta: move nightly comment body to issue body by @ RedYetiDev in #3484
  • chore: improve jsdoc in cookies by @ Uzlopak in #3478
  • chore: improve jsdoc and minor changes in EventSource by @ Uzlopak in #3480
  • types: add Autocomplete utility type by @ Uzlopak in #3479
  • fix: instantiation of SecureProxyConnectionError should pass options to parent class by @ Uzlopak in #3473
  • chore: replace standard and snazzy with neostandard by @ Uzlopak in #3485
  • fix: workflow commit user by @ tsctx in #3491
  • build(deps): bump node from 30c5be9 to a20e858 in /build by @ dependabot in #3496
  • chore: add --noEmit for typescript tests by @ Uzlopak in #3498
  • perf: only create wasm buffer if requested by @ Uzlopak in #3499
  • fix(types): MockAgent accepts ProxyAgent, EnvHttpProxyAgent and RetryAgent for agent option by @ Uzlopak in #3497
  • stricter Headers brand checks in cookies by @ KhafraDev in #3500
  • Update WPT by @ github-actions in #3488
  • fix: setEncoding should not throw on body #1125 by @ Uzlopak in #3505
  • websocket: set websocket readyState on fail by @ KhafraDev in #3507
  • build(deps-dev): bump jsdom from 24.1.3 to 25.0.0 by @ dependabot in #3511
  • build(deps): bump wait-on from 7.2.0 to 8.0.0 in /benchmarks by @ dependabot in #3513
  • Update WPT by @ github-actions in #3515
  • fix: reduce memory usage in client-h1 by @ Uzlopak in #3510
  • fix: refactor fast timers, fix UND_ERR_CONNECT_TIMEOUT on event loop blocking by @ Uzlopak in #3495
  • ci: make autobahn workflow reusable workflow, run the autobahn on nightly tests by @ Uzlopak in

[sourcery-ai]

Reviewer's Guide by Sourcery

This pull request upgrades the undici dependency from version 5.28.4 to 7.0.0 in the attest package. This upgrade fixes a ReDoS vulnerability and includes several other fixes and improvements.

Class diagram showing dependency version update

classDiagram
    class Package {
        +name: string
        +version: string
        +dependencies: Dependencies
    }
    class Dependencies {
        +undici: string
    }
    Package --> Dependencies
    note for Dependencies "undici updated from 5.28.4 to 7.0.0"

Loading

File-Level Changes

Change	Details	Files
Upgrade undici to 7.0.0	Updated the undici dependency version from 5.28.4 to 7.0.0 in the package.json file.	packages/attest/package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.