fix(deps): update dependency undici to v5.28.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	5.22.1 -> 5.28.3

GitHub Vulnerability Alerts

CVE-2023-45143

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

• https://fetch.spec.whatwg.org/#authentication-entries
• GHSA-wqq4-5wpv-mx2g

---

Release Notes

nodejs/undici (undici)

v5.28.3

Compare Source

⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

v5.28.2

Compare Source

What's Changed

• fix: remove optional chainning for compatible with Nodejs12 and below by @​bugb in https://github.com/nodejs/undici/pull/2470
• fix: remove node: prefix by @​tsctx in https://github.com/nodejs/undici/pull/2471
• perf: avoid Headers initialization by @​tsctx in https://github.com/nodejs/undici/pull/2468
• fix: handle SharedArrayBuffer correctly by @​tsctx in https://github.com/nodejs/undici/pull/2466
• fix: Add null type to signal in RequestInit by @​gebsh in https://github.com/nodejs/undici/pull/2455
• fix: correctly handle data URL with hashes. by @​tsctx in https://github.com/nodejs/undici/pull/2475
• fix: check response for timinginfo allow flag by @​ToshB in https://github.com/nodejs/undici/pull/2477
• Make call to onBodySent conditional in RetryHandler by @​MzUgM in https://github.com/nodejs/undici/pull/2478
• refactor: better integrity check by @​tsctx in https://github.com/nodejs/undici/pull/2462
• fix: Added support for inline URL username:password proxy auth by @​matt-way in https://github.com/nodejs/undici/pull/2473
• build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/2472
• build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @​dependabot in https://github.com/nodejs/undici/pull/2405
• build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @​dependabot in https://github.com/nodejs/undici/pull/2396
• build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/2395
• build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @​dependabot in https://github.com/nodejs/undici/pull/2392
• build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @​dependabot in https://github.com/nodejs/undici/pull/2389
• build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @​dependabot in https://github.com/nodejs/undici/pull/2302

New Contributors

• @​bugb made their first contribution in https://github.com/nodejs/undici/pull/2470
• @​gebsh made their first contribution in https://github.com/nodejs/undici/pull/2455
• @​ToshB made their first contribution in https://github.com/nodejs/undici/pull/2477
• @​MzUgM made their first contribution in https://github.com/nodejs/undici/pull/2478
• @​matt-way made their first contribution in https://github.com/nodejs/undici/pull/2473

Full Changelog: nodejs/undici@v5.28.1...v5.28.2

v5.28.1

Compare Source

What's Changed

• perf: Improve normalizeMethod by @​tsctx in https://github.com/nodejs/undici/pull/2456
• fix: dispatch error handling by @​ronag in https://github.com/nodejs/undici/pull/2459
• perf(request): optimize if headers are given by @​tsctx in https://github.com/nodejs/undici/pull/2454

Full Changelog: nodejs/undici@v5.28.0...v5.28.1

v5.28.0

Compare Source

What's Changed

• fix(parseHeaders): util.parseHeaders handle correctly array of buffer… by @​mdoria12 in https://github.com/nodejs/undici/pull/2398
• docs: add license to undici-types by @​dancastillo in https://github.com/nodejs/undici/pull/2401
• perf: optimize Readable.dump by @​ronag in https://github.com/nodejs/undici/pull/2402
• perf(headers): Improve Headers by @​tsctx in https://github.com/nodejs/undici/pull/2397
• test: re-enable conditional WPT Report for websockets by @​panva in https://github.com/nodejs/undici/pull/2407
• fix: delay abort on 'close' by @​ronag in https://github.com/nodejs/undici/pull/2408
• refactor: use substring instead of substr by @​tsctx in https://github.com/nodejs/undici/pull/2411
• add additional http2 test with fetch by @​KhafraDev in https://github.com/nodejs/undici/pull/2419
• fix: HTTPToken check by @​tsctx in https://github.com/nodejs/undici/pull/2410
• perf: optimize HeadersList.get by @​tsctx in https://github.com/nodejs/undici/pull/2420
• properly handle pseudo-headers in fetch by @​KhafraDev in https://github.com/nodejs/undici/pull/2422
• perf(headers): if the guard is immutable by @​tsctx in https://github.com/nodejs/undici/pull/2424
• fix(mock-agent): send stream body by @​tsctx in https://github.com/nodejs/undici/pull/2425
• build(deps): bump github/codeql-action from 2.21.5 to 2.22.5 by @​dependabot in https://github.com/nodejs/undici/pull/2394
• feat(#​2264): Expose Retry Handler by @​metcoder95 in https://github.com/nodejs/undici/pull/2281
• fix: implement Headers#set correctly by @​tsctx in https://github.com/nodejs/undici/pull/2432
• fix: implement Headers#delete correctly by @​tsctx in https://github.com/nodejs/undici/pull/2430
• test: update websocket wpt availability by @​panva in https://github.com/nodejs/undici/pull/2437
• fix: type comment position by @​tsctx in https://github.com/nodejs/undici/pull/2443
• fix: onHeaders type declaration by @​tsctx in https://github.com/nodejs/undici/pull/2444
• remove http2 status pseudo header from headers by @​KhafraDev in https://github.com/nodejs/undici/pull/2438
• docs: Clarify path matching in intercept() by @​oliversalzburg in https://github.com/nodejs/undici/pull/2426
• fix: set-cookie clone by @​tsctx in https://github.com/nodejs/undici/pull/2446
• docs: fix typo in maxConcurrentStreams by @​tniessen in https://github.com/nodejs/undici/pull/2450
• refactor: remove leftovers by @​metcoder95 in https://github.com/nodejs/undici/pull/2451
• refactor: add missing new operator by @​tsctx in https://github.com/nodejs/undici/pull/2452

New Contributors

• @​mdoria12 made their first contribution in https://github.com/nodejs/undici/pull/2398
• @​tsctx made their first contribution in https://github.com/nodejs/undici/pull/2397
• @​oliversalzburg made their first contribution in https://github.com/nodejs/undici/pull/2426

Full Changelog: nodejs/undici@v5.27.2...v5.28.0

v5.27.2

Compare Source

Full Changelog: nodejs/undici@v5.27.1...v5.27.2

v5.27.1

Compare Source

What's Changed

• add regression test by @​KhafraDev in https://github.com/nodejs/undici/pull/2376
• fix: define conditions when content-length should be sent by @​pxue in https://github.com/nodejs/undici/pull/2305
• refactor: removed unnecessary default by @​nikelborm in https://github.com/nodejs/undici/pull/2381
• fix: stream body handling by @​ronag in https://github.com/nodejs/undici/pull/2391

New Contributors

• @​pxue made their first contribution in https://github.com/nodejs/undici/pull/2305
• @​nikelborm made their first contribution in https://github.com/nodejs/undici/pull/2381

Full Changelog: nodejs/undici@v5.27.0...v5.27.1

v5.27.0

Compare Source

What's Changed

• Use sets and reusable TextEncoder/TextDecoder instances by @​kibertoad in https://github.com/nodejs/undici/pull/2368
• feat: forward onRequestSent to handler by @​ronag in https://github.com/nodejs/undici/pull/2375
• skip bundle test on node 16 by @​KhafraDev in https://github.com/nodejs/undici/pull/2377
• fix windows CI by @​KhafraDev in https://github.com/nodejs/undici/pull/2379

Full Changelog: nodejs/undici@v5.26.5...v5.27.0

v5.26.5

Compare Source

What's Changed

• Drop race condition in connect-timeout test by @​mcollina in https://github.com/nodejs/undici/pull/2360
• Remove a couple of unnecessary async functions by @​kibertoad in https://github.com/nodejs/undici/pull/2367
• Update namespace type with Fetch exports by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2361

Full Changelog: nodejs/undici@v5.26.4...v5.26.5

v5.26.4

Compare Source

What's Changed

• use esbuild define/hooks by @​KhafraDev in https://github.com/nodejs/undici/pull/2342
• fix request's arrayBuffer returning uint8 instead of arraybuffer by @​KhafraDev in https://github.com/nodejs/undici/pull/2344
• fix: skip readMore call if parser is null or undefined by @​iiAku in https://github.com/nodejs/undici/pull/2346
• test: first attempt for flaky fix by @​metcoder95 in https://github.com/nodejs/undici/pull/2337
• test: only include WebSocket in WPT Report where it's landed by @​panva in https://github.com/nodejs/undici/pull/2351
• Update DispatchInterceptor.md by @​Uzlopak in https://github.com/nodejs/undici/pull/2354
• fix: Avoid error for stream() being aborted by @​BobNobrain in https://github.com/nodejs/undici/pull/2355
• fix names with esbuild by @​KhafraDev in https://github.com/nodejs/undici/pull/2359

New Contributors

• @​iiAku made their first contribution in https://github.com/nodejs/undici/pull/2346
• @​Uzlopak made their first contribution in https://github.com/nodejs/undici/pull/2354
• @​BobNobrain made their first contribution in https://github.com/nodejs/undici/pull/2355

Full Changelog: nodejs/undici@v5.26.3...v5.26.4

v5.26.3

Compare Source

v5.26.2

Compare Source

Security Release, CVE-2023-45143.

v5.26.1

Compare Source

What's Changed

• Fix publish undici-types once and for all! by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2338
• Fix node detection omfg by @​KhafraDev in https://github.com/nodejs/undici/pull/2341

Full Changelog: nodejs/undici@v5.26.0...v5.26.1

v5.26.0

Compare Source

What's Changed

• use npm install instead of npm ci by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2309
• change default header to node by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2310
• chore: change order of the pseudo-headers by @​kyrylodolynskyi in https://github.com/nodejs/undici/pull/2308
• fix: Agent.Options.factory should accept URL object or string as parameter by @​nicole0707 in https://github.com/nodejs/undici/pull/2295
• build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by @​dependabot in https://github.com/nodejs/undici/pull/2312
• test: handle npm ignore-scripts settings by @​panva in https://github.com/nodejs/undici/pull/2313
• feat: respect --max-http-header-size Node.js flag by @​balazsorban44 in https://github.com/nodejs/undici/pull/2234
• fix(#​2311): End stream after body sent by @​metcoder95 in https://github.com/nodejs/undici/pull/2314
• disallow setting host header in fetch by @​KhafraDev in https://github.com/nodejs/undici/pull/2322
• [StepSecurity] ci: Harden GitHub Actions by @​step-security-bot in https://github.com/nodejs/undici/pull/2325
• fix fetch with coverage enabled by @​KhafraDev in https://github.com/nodejs/undici/pull/2330
• Fix stuck when using http2 POST Buffer by @​binsee in https://github.com/nodejs/undici/pull/2336
• fix: 🏷️ add allowH2 to BuildOptions by @​binsee in https://github.com/nodejs/undici/pull/2334
• fix: 🐛 fix process http2 header by @​binsee in https://github.com/nodejs/undici/pull/2332

New Contributors

• @​kyrylodolynskyi made their first contribution in https://github.com/nodejs/undici/pull/2308
• @​nicole0707 made their first contribution in https://github.com/nodejs/undici/pull/2295
• @​balazsorban44 made their first contribution in https://github.com/nodejs/undici/pull/2234
• @​binsee made their first contribution in https://github.com/nodejs/undici/pull/2336

Full Changelog: nodejs/undici@v5.23.4...v5.26.0

v5.25.4

Compare Source

v5.25.3

Compare Source

What's Changed

• perf: improve parse-url implementation by @​anonrig in https://github.com/nodejs/undici/pull/2286
• test: enable websockets inclusion in WPTReport by @​panva in https://github.com/nodejs/undici/pull/2284
• remove npm run test from pre-commit hook by @​dancastillo in https://github.com/nodejs/undici/pull/2296
• perf: use @​fastify/busboy by @​gurgunday in https://github.com/nodejs/undici/pull/2211
• Disable finalizationregistry if node code cov by @​mcollina in https://github.com/nodejs/undici/pull/2298

New Contributors

• @​gurgunday made their first contribution in https://github.com/nodejs/undici/pull/2211

Full Changelog: nodejs/undici@v5.25.2...v5.25.3

v5.25.2

Compare Source

What's Changed

• Add Khaf to releasers by @​mcollina in https://github.com/nodejs/undici/pull/2276
• fix: fix request with readable mode is object by @​killagu in https://github.com/nodejs/undici/pull/2279
• fix loading websockets when node is built w/ --without-ssl by @​KhafraDev in https://github.com/nodejs/undici/pull/2282

New Contributors

• @​killagu made their first contribution in https://github.com/nodejs/undici/pull/2279

Full Changelog: nodejs/undici@v5.25.1...v5.25.2

v5.25.1

Compare Source

What's Changed

• Add publish types script by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2273

Full Changelog: nodejs/undici@v5.25.0...v5.25.1

v5.25.0

Compare Source

What's Changed

• fix: h2 without body by @​metcoder95 in https://github.com/nodejs/undici/pull/2258
• ci: remove duplicated runs by @​metcoder95 in https://github.com/nodejs/undici/pull/2265
• improve documentation of timeouts by making the units clear in all places by @​mcfedr in https://github.com/nodejs/undici/pull/2266
• expose websocket in node bundle by @​KhafraDev in https://github.com/nodejs/undici/pull/2217
• test: fix Fetch/HTTP2 tests by @​metcoder95 in https://github.com/nodejs/undici/pull/2263
• fix undici when node is built with --without-ssl by @​KhafraDev in https://github.com/nodejs/undici/pull/2272
• fix: Fix type definition for Client Interceptors by @​ComradeCow in https://github.com/nodejs/undici/pull/2269
• Fix http2 agent by @​mcollina in https://github.com/nodejs/undici/pull/2275

New Contributors

• @​ComradeCow made their first contribution in https://github.com/nodejs/undici/pull/2269

Full Changelog: nodejs/undici@v5.24.0...v5.25.0

v5.24.0

Compare Source

Notable Changes

• feat: Add H2 support by @​metcoder95 in https://github.com/nodejs/undici/pull/2061

What's Changed

• build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0 by @​dependabot in https://github.com/nodejs/undici/pull/2203
• better stack trace for body.json by @​KhafraDev in https://github.com/nodejs/undici/pull/2215
• allow http & https websocket urls by @​KhafraDev in https://github.com/nodejs/undici/pull/2218
• build(deps-dev): bump @​sinonjs/fake-timers from 10.3.0 to 11.1.0 by @​dependabot in https://github.com/nodejs/undici/pull/2221
• fix: pass ProxyAgent proxy status code error by @​NBNGaming in https://github.com/nodejs/undici/pull/2162
• fix failing test by @​KhafraDev in https://github.com/nodejs/undici/pull/2223
• docs: update MockPool.md intercept method description by @​capaj in https://github.com/nodejs/undici/pull/2220
• Update wpts by @​KhafraDev in https://github.com/nodejs/undici/pull/2226
• build(deps): bump github/codeql-action from 2.21.2 to 2.21.5 by @​dependabot in https://github.com/nodejs/undici/pull/2240
• build(deps): bump actions/setup-node from 3.6.0 to 3.8.1 by @​dependabot in https://github.com/nodejs/undici/pull/2237
• build(deps): bump fastify/github-action-merge-dependabot from 3.9.0 to 3.9.1 by @​dependabot in https://github.com/nodejs/undici/pull/2236
• build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @​dependabot in https://github.com/nodejs/undici/pull/2241
• build(deps): bump actions/dependency-review-action from 3.0.6 to 3.0.8 by @​dependabot in https://github.com/nodejs/undici/pull/2238
• fix: aborting request with non-object error by @​KhafraDev in https://github.com/nodejs/undici/pull/2243
• fix: preserve file path when parsing formdata by @​jimmywarting in https://github.com/nodejs/undici/pull/2245
• build(deps-dev): bump tsd from 0.28.1 to 0.29.0 by @​dependabot in https://github.com/nodejs/undici/pull/2246
• Updated benchmarks by @​mcollina in https://github.com/nodejs/undici/pull/2250
• Fix fetch in node v20.6.0 by @​mcollina in https://github.com/nodejs/undici/pull/2251
• Maybe fix v20 by @​mcollina in https://github.com/nodejs/undici/pull/2252
• feat: Add H2 support by @​metcoder95 in https://github.com/nodejs/undici/pull/2061
• docs: fix tables in README by @​regseb in https://github.com/nodejs/undici/pull/2254
• Fix http2 fetch test by @​mcollina in https://github.com/nodejs/undici/pull/2253

New Contributors

• @​NBNGaming made their first contribution in https://github.com/nodejs/undici/pull/2162
• @​capaj made their first contribution in https://github.com/nodejs/undici/pull/2220
• @​regseb made their first contribution in https://github.com/nodejs/undici/pull/2254

Full Changelog: nodejs/undici@v5.23.0...v5.24.0

v5.23.0

Compare Source

What's Changed

• bump engines to node >= 16 by @​ronag in https://github.com/nodejs/undici/pull/2119
• Revert "bump engines to node >= 16 (#​2119)" by @​ronag in https://github.com/nodejs/undici/pull/2121
• fetch: set referrer properly by @​KhafraDev in https://github.com/nodejs/undici/pull/2125
• fix: support truncated gzip by @​jimmywarting in https://github.com/nodejs/undici/pull/2126
• workflow: apply security best practices by @​step-security-bot in https://github.com/nodejs/undici/pull/2130
• build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by @​dependabot in https://github.com/nodejs/undici/pull/2135
• build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by @​dependabot in https://github.com/nodejs/undici/pull/2133
• build(deps): bump node from 18-alpine to 20-alpine in /build by @​dependabot in https://github.com/nodejs/undici/pull/2131
• build(deps): bump pkgjs/action from 0.1.6 to 0.1.7 by @​dependabot in https://github.com/nodejs/undici/pull/2136
• build(deps): bump actions/checkout from 3.1.0 to 3.5.2 by @​dependabot in https://github.com/nodejs/undici/pull/2132
• build(deps-dev): bump jsdom from 21.1.2 to 22.1.0 by @​dependabot in https://github.com/nodejs/undici/pull/2142
• build(deps): bump fastify/github-action-merge-dependabot from 3.7.0 to 3.8.0 by @​dependabot in https://github.com/nodejs/undici/pull/2148
• fix(pr): use correct pr template file by @​AugustinMauroy in https://github.com/nodejs/undici/pull/2141
• Additional WebSocket send tests to cover all payload size categories by @​jawj in https://github.com/nodejs/undici/pull/2149
• fix: reverse decompression order of "Content-Encoding" encodings (fixes #​2158) by @​rychkog in https://github.com/nodejs/undici/pull/2159
• fix: keep running WPTs if a test times out by @​KhafraDev in https://github.com/nodejs/undici/pull/2165
• feat: add build environment info by @​mhdawson in https://github.com/nodejs/undici/pull/2168
• fix: forward error reason to fetch controller by @​KhafraDev in https://github.com/nodejs/undici/pull/2172
• stricter types for bodymixin.json by @​KhafraDev in https://github.com/nodejs/undici/pull/2181
• chore: Renable autoSelectFamily tests. by @​ShogunPanda in https://github.com/nodejs/undici/pull/2180
• build(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by @​dependabot in https://github.com/nodejs/undici/pull/2147
• build(deps): bump github/codeql-action from 2.3.2 to 2.20.3 by @​dependabot in https://github.com/nodejs/undici/pull/2185
• fix: fetch resource timing performance entry names should be strings by @​GaryWilber in https://github.com/nodejs/undici/pull/2188
• build(deps): bump actions/checkout from 3.5.2 to 3.5.3 by @​dependabot in https://github.com/nodejs/undici/pull/2176
• build(deps): bump fastify/github-action-merge-dependabot from 3.8.0 to 3.9.0 by @​dependabot in https://github.com/nodejs/undici/pull/2177
• build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @​dependabot in https://github.com/nodejs/undici/pull/2178
• build(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by @​dependabot in https://github.com/nodejs/undici/pull/2175
• test: fix autoselectfamily on platforms without IPv6 support by @​LiviaMedeiros in https://github.com/nodejs/undici/pull/2197
• fix: make multipart/form-data boundary string more consistent by @​LiviaMedeiros in https://github.com/nodejs/undici/pull/2196
• docs: add proxy agent options docs by @​dancastillo in https://github.com/nodejs/undici/pull/2193
• build(deps): bump github/codeql-action from 2.20.3 to 2.21.2 by @​dependabot in https://github.com/nodejs/undici/pull/2205
• feat: make use of addAbortListener where applicable by @​atlowChemi in https://github.com/nodejs/undici/pull/2195

New Contributors

• @​step-security-bot made their first contribution in https://github.com/nodejs/undici/pull/2130
• @​AugustinMauroy made their first contribution in https://github.com/nodejs/undici/pull/2141
• @​rychkog made their first contribution in https://github.com/nodejs/undici/pull/2159
• @​mhdawson made their first contribution in https://github.com/nodejs/undici/pull/2168
• @​GaryWilber made their first contribution in https://github.com/nodejs/undici/pull/2188
• @​atlowChemi made their first contribution in https://github.com/nodejs/undici/pull/2195

Full Changelog: nodejs/undici@v5.22.1...v5.23.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[reg-suit]

✨✨ That's perfect, there is no visual difference! ✨✨

Check out the report here.