From e2d6559bab2272e08c44f31a53d593d75437843d Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Fri, 16 Feb 2024 18:10:09 +0000
Subject: [PATCH] chore(deps): update dependency undici to v6.6.1 [security] (#410)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [undici](https://undici.nodejs.org) ([source](https://togithub.com/nodejs/undici)) | [`6.4.0` -> `6.6.1`](https://renovatebot.com/diffs/npm/undici/6.4.0/6.6.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/undici/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/6.4.0/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/6.4.0/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-24750](https://togithub.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw)

### Impact

Calling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak.

### Patches

Patched in v6.6.1

### Workarounds

Make sure to always consume the incoming body.

#### [CVE-2024-24758](https://togithub.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3)

### Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers.

### Patches

This is patched in v5.28.3 and v6.6.1

### Workarounds

There are no known workarounds.

### References

- https://fetch.spec.whatwg.org/#authentication-entries
- https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g

---

### Release Notes

nodejs/undici (undici)

### [`v6.6.1`](https://togithub.com/nodejs/undici/releases/tag/v6.6.1)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.6.0...v6.6.1)

#### ⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

#### What's Changed

- fix: flaky debug test by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2687](https://togithub.com/nodejs/undici/pull/2687)
- build(deps): bump github/codeql-action from 3.22.12 to 3.23.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2688](https://togithub.com/nodejs/undici/pull/2688)
- build(deps): bump actions/dependency-review-action from 3.1.0 to 4.0.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2689](https://togithub.com/nodejs/undici/pull/2689)
- fix: ci pipeline warnings by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2685](https://togithub.com/nodejs/undici/pull/2685)
- perf: optimize Iterator by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2692](https://togithub.com/nodejs/undici/pull/2692)

**Full Changelog**: https://github.com/nodejs/undici/compare/v6.6.0...v6.6.1

### [`v6.6.0`](https://togithub.com/nodejs/undici/releases/tag/v6.6.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.5.0...v6.6.0)

#### What's Changed

- add webSocket example by [@​mertcanaltin](https://togithub.com/mertcanaltin) in [https://github.com/nodejs/undici/pull/2626](https://togithub.com/nodejs/undici/pull/2626)
- chore: remove atomic-sleep as dev dependency by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2648](https://togithub.com/nodejs/undici/pull/2648)
- chore: remove semver as dev dependency by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2646](https://togithub.com/nodejs/undici/pull/2646)
- chore: remove table as dev dependency by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2649](https://togithub.com/nodejs/undici/pull/2649)
- chore: remove delay as dev dependency by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2647](https://togithub.com/nodejs/undici/pull/2647)
- chore: reduce noise in test-logs test/issue-2349.js by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2655](https://togithub.com/nodejs/undici/pull/2655)
- chore: fix faketimer warning in test/request-timeout.js by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2656](https://togithub.com/nodejs/undici/pull/2656)
- chore: reduce noise in test logs test/client-node-max-header-size.js by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2654](https://togithub.com/nodejs/undici/pull/2654)
- refactor: use fromInnerResponse by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2635](https://togithub.com/nodejs/undici/pull/2635)
- fix: support deflate raw responses by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2650](https://togithub.com/nodejs/undici/pull/2650)
- Support building for externally shared js builtins by [@​mochaaP](https://togithub.com/mochaaP) in [https://github.com/nodejs/undici/pull/2643](https://togithub.com/nodejs/undici/pull/2643)
- fix: typo clampAndCoarsenConnectionTimingInfo by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2653](https://togithub.com/nodejs/undici/pull/2653)
- chore: use 'node:'-prefix for requiring node core modules by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2662](https://togithub.com/nodejs/undici/pull/2662)
- build(deps-dev): bump husky from 8.0.3 to 9.0.7 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2667](https://togithub.com/nodejs/undici/pull/2667)
- build(deps-dev): bump cronometro from 1.2.0 to 2.0.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2668](https://togithub.com/nodejs/undici/pull/2668)
- remove timers/promises import by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2665](https://togithub.com/nodejs/undici/pull/2665)
- chore: fix various codesmells by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2669](https://togithub.com/nodejs/undici/pull/2669)
- chore: remove this alias in agent.js by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2671](https://togithub.com/nodejs/undici/pull/2671)
- chore: use optional chaining by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2666](https://togithub.com/nodejs/undici/pull/2666)
- chore: small perf improvements by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2661](https://togithub.com/nodejs/undici/pull/2661)
- implement spec changes from a while ago by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2676](https://togithub.com/nodejs/undici/pull/2676)
- websocket: fix close when no closing code is received by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2680](https://togithub.com/nodejs/undici/pull/2680)
- fix: make ci less flaky by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2684](https://togithub.com/nodejs/undici/pull/2684)

#### New Contributors

- [@​mochaaP](https://togithub.com/mochaaP) made their first contribution in [https://github.com/nodejs/undici/pull/2643](https://togithub.com/nodejs/undici/pull/2643)

**Full Changelog**: https://github.com/nodejs/undici/compare/v6.5.0...v6.6.0

### [`v6.5.0`](https://togithub.com/nodejs/undici/releases/tag/v6.5.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.4.0...v6.5.0)

#### What's Changed

- build(deps-dev): bump jsdom from 23.2.0 to 24.0.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2632](https://togithub.com/nodejs/undici/pull/2632)
- feat: Implement EventSource by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2608](https://togithub.com/nodejs/undici/pull/2608)
- fix: readable body by [@​ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/2642](https://togithub.com/nodejs/undici/pull/2642)

**Full Changelog**: https://github.com/nodejs/undici/compare/v6.4.0...v6.5.0
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/octokit/rest.js). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- package-lock.json | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index d29f82b9..d2fc30ed 100644 --- a/package-lock.json +++ b/package-lock.json @@ -13839,9 +13839,9 @@ } }, "node_modules/undici": { - "version": "6.4.0", - "resolved": "https://registry.npmjs.org/undici/-/undici-6.4.0.tgz", - "integrity": "sha512-wYaKgftNqf6Je7JQ51YzkEkEevzOgM7at5JytKO7BjaURQpERW8edQSMrr2xb+Yv4U8Yg47J24+lc9+NbeXMFA==", + "version": "6.6.1", + "resolved": "https://registry.npmjs.org/undici/-/undici-6.6.1.tgz", + "integrity": "sha512-J0GaEp0ztu/grIE2Uq57AbK6TRb+bWbOlxu0POCzhFKA6LKbwSAev+hDQaQcgUUA9CPs8Ky+cauzTHnQrtAQEA==", "dev": true, "dependencies": { "@fastify/busboy": "^2.0.0"
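Review bot: the only change is the package-lock.json entry for `node_modules/undici` (version, resolved tarball and sha512 integrity, 6.4.0 -> 6.6.1), and that entry is marked `"dev": true`, so this closes the two advisories for the development and test toolchain only, not for anything the package ships to its consumers; worth stating that in the PR so it is not read as a runtime fix. package.json is not in the diffstat, so the declared range must already admit 6.6.1; run `npm ci` against this lockfile to confirm it installs without a lock/manifest mismatch, and check that the new `integrity` value matches the tarball npm fetches from the `resolved` URL before merging.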
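The CVE-2024-24758 entry above describes the behaviour v6.6.1 restores: credential-bearing headers are dropped when a redirect crosses origins. The following is an added illustration written for this page, not undici's own code; the helper names `sameOrigin` and `headersForRedirect`, the plain-object header representation and the sample request are assumptions constructed here.

```javascript
// Added illustration for CVE-2024-24758: on a cross-origin redirect a
// fetch client must not forward credential-bearing headers to the new
// origin. This is NOT undici's code; `sameOrigin`, `headersForRedirect`
// and the sample request are hypothetical and constructed for this page.
// Headers are a plain { name: value } object so this runs on any Node.js
// version with no network access.

// Matched case-insensitively, as HTTP header names are. `Authorization`
// was already dropped by undici; `Proxy-Authorization` was the one
// missed before v6.6.1.
const CREDENTIAL_HEADERS = ['authorization', 'proxy-authorization'];

// Same origin means same scheme, host and port. WHATWG URL's `origin`
// normalises default ports, so https://a:443/ and https://a/ match.
function sameOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin === new URL(toUrl).origin;
}

// Build the header set for the redirected request. Credential headers
// are kept only when the redirect target shares the request's origin.
function headersForRedirect(headers, fromUrl, toUrl) {
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && CREDENTIAL_HEADERS.includes(name.toLowerCase())) {
      continue; // would leak a credential to a foreign origin
    }
    out[name] = value;
  }
  return out;
}

// Constructed sample: an authenticated API call that is redirected
// (e.g. by a 302 Location) to a different host.
const sampleHeaders = {
  Authorization: 'Bearer <constructed-token>',
  'Proxy-Authorization': 'Basic <constructed-proxy-credential>',
  Accept: 'application/json',
};
const original = 'https://api.example.com/v1/report';
const crossOriginTarget = 'https://files.example.net/report.json';

// Only Accept survives; both credential headers are stripped.
console.log(headersForRedirect(sampleHeaders, original, crossOriginTarget));
```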