Commit
chore(deps): update dependency undici to v6.6.1 [security] (#410)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [undici](https://undici.nodejs.org) ([source](https://togithub.com/nodejs/undici)) | [`6.4.0` -> `6.6.1`](https://renovatebot.com/diffs/npm/undici/6.4.0/6.6.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/undici/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/6.4.0/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/6.4.0/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-24750](https://togithub.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw)

### Impact

Calling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak.

### Patches

Patched in v6.6.1

### Workarounds

Make sure to always consume the incoming body.

#### [CVE-2024-24758](https://togithub.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3)

### Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers.

### Patches

This is patched in v5.28.3 and v6.6.1

### Workarounds

There are no known workarounds.

### References

- https://fetch.spec.whatwg.org/#authentication-entries
- GHSA-wqq4-5wpv-mx2g

---

### Release Notes

<details>
<summary>nodejs/undici (undici)</summary>

### [`v6.6.1`](https://togithub.com/nodejs/undici/releases/tag/v6.6.1)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.6.0...v6.6.1)

#### ⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

#### What's Changed

- fix: flaky debug test by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2687
- build(deps): bump github/codeql-action from 3.22.12 to 3.23.2 by [@dependabot](https://togithub.com/dependabot) in nodejs/undici#2688
- build(deps): bump actions/dependency-review-action from 3.1.0 to 4.0.0 by [@dependabot](https://togithub.com/dependabot) in nodejs/undici#2689
- fix: ci pipeline warnings by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2685
- perf: optimize Iterator by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2692

**Full Changelog**: nodejs/undici@v6.6.0...v6.6.1

### [`v6.6.0`](https://togithub.com/nodejs/undici/releases/tag/v6.6.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.5.0...v6.6.0)

#### What's Changed

- add webSocket example by [@mertcanaltin](https://togithub.com/mertcanaltin) in nodejs/undici#2626
- chore: remove atomic-sleep as dev dependency by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2648
- chore: remove semver as dev dependency by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2646
- chore: remove table as dev dependency by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2649
- chore: remove delay as dev dependency by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2647
- chore: reduce noise in test-logs test/issue-2349.js by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2655
- chore: fix faketimer warning in test/request-timeout.js by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2656
- chore: reduce noise in test logs test/client-node-max-header-size.js by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2654
- refactor: use fromInnerResponse by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2635
- fix: support deflate raw responses by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2650
- Support building for externally shared js builtins by [@mochaaP](https://togithub.com/mochaaP) in nodejs/undici#2643
- fix: typo clampAndCoarsenConnectionTimingInfo by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2653
- chore: use 'node:'-prefix for requiring node core modules by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2662
- build(deps-dev): bump husky from 8.0.3 to 9.0.7 by [@dependabot](https://togithub.com/dependabot) in nodejs/undici#2667
- build(deps-dev): bump cronometro from 1.2.0 to 2.0.2 by [@dependabot](https://togithub.com/dependabot) in nodejs/undici#2668
- remove timers/promises import by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2665
- chore: fix various codesmells by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2669
- chore: remove this alias in agent.js by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2671
- chore: use optional chaining by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2666
- chore: small perf improvements by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2661
- implement spec changes from a while ago by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2676
- websocket: fix close when no closing code is received by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2680
- fix: make ci less flaky by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2684

#### New Contributors

- [@mochaaP](https://togithub.com/mochaaP) made their first contribution in nodejs/undici#2643

**Full Changelog**: nodejs/undici@v6.5.0...v6.6.0

### [`v6.5.0`](https://togithub.com/nodejs/undici/releases/tag/v6.5.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.4.0...v6.5.0)

#### What's Changed

- build(deps-dev): bump jsdom from 23.2.0 to 24.0.0 by [@dependabot](https://togithub.com/dependabot) in nodejs/undici#2632
- feat: Implement EventSource by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2608
- fix: readable body by [@ronag](https://togithub.com/ronag) in nodejs/undici#2642

**Full Changelog**: nodejs/undici@v6.4.0...v6.5.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/octokit/rest.js).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
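The cross-origin redirect rule behind CVE-2024-24758, as an added example that is not undici's or Renovate's code: a pure function that decides which request headers may follow a redirect. The header set `CREDENTIAL_HEADERS` is an assumption drawn from the advisory text and the fetch spec's redirect handling, and `PRE_FIX_STRIP_SET` is a hypothetical illustration of the advisory's "cleared Authorization but not Proxy-Authorization" description, not a transcription of undici's pre-6.6.1 code. The sample headers are constructed for the demonstration.

```javascript
// Added example, not undici's own redirect handler.
// Credential-carrying request headers that must not follow a redirect to a
// different origin. Membership is an assumption based on the advisory text
// (Authorization, Proxy-Authorization) and the fetch spec's redirect handling.
const CREDENTIAL_HEADERS = new Set(["authorization", "proxy-authorization", "cookie"]);

// Hypothetical pre-fix set illustrating the advisory: Authorization was
// already cleared on a cross-origin hop, Proxy-Authorization was not.
const PRE_FIX_STRIP_SET = new Set(["authorization"]);

// Same-origin means scheme, host and port all agree. URL.origin already
// normalises default ports, so "https://h.example:443/" equals "https://h.example/";
// an http -> https hop on the same host is therefore still cross-origin.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Build the header map to send after a redirect from `from` to `location`.
// `location` may be relative, as in a real Location header, so it is resolved
// against `from`. Header names are matched case-insensitively, as HTTP requires.
function headersForRedirect(from, location, headers, strip = CREDENTIAL_HEADERS) {
  const target = new URL(location, from);
  const crossOrigin = !sameOrigin(from, target);
  const kept = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && strip.has(name.toLowerCase())) continue;
    kept[name] = value;
  }
  return kept;
}

// Constructed sample request headers for the demonstration below.
const SAMPLE_HEADERS = {
  Authorization: "Bearer token123",
  "Proxy-Authorization": "Basic cHJveHk6c2VjcmV0",
  Cookie: "session=abc",
  Accept: "application/json",
};

// Same-origin hop keeps everything; a cross-origin hop keeps only Accept.
console.log(headersForRedirect("https://api.example.com/login", "/home", SAMPLE_HEADERS));
console.log(headersForRedirect("https://api.example.com/login", "https://cdn.example.net/home", SAMPLE_HEADERS));
// With the pre-fix set, the Proxy-Authorization value leaks to the other origin.
console.log(headersForRedirect("https://api.example.com/login", "https://cdn.example.net/home", SAMPLE_HEADERS, PRE_FIX_STRIP_SET));
```

The check is deliberately on `URL.origin` rather than on the hostname alone: a redirect that changes only the scheme or port is a different origin under the fetch spec, and credentials issued for one must not be replayed to the other.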
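The workaround for CVE-2024-24750, "always consume the incoming body", as an added example that is not undici's code: two helpers that either read a `Response` body to the end or cancel it, and a status-only fetch wrapper that releases the body in `finally`. It assumes Node 18 or later, where `fetch`, `Response` and the web `ReadableStream` are globals backed by undici; `fetchStatus` needs a reachable URL and is shown for the pattern, while the `Response` objects at the bottom are constructed stand-ins so the helpers run offline.

```javascript
// Added example, not undici's own code. Assumes Node 18+ (global fetch,
// Response and web ReadableStream).

// Read a response body to the end and return how many bytes were discarded.
// Reading to completion (rather than cancelling) lets the connection go back
// into the pool for reuse.
async function drainBody(res) {
  if (!res.body) return 0; // no body: 204, 304, HEAD, or new Response(null)
  let bytes = 0;
  for await (const chunk of res.body) bytes += chunk.byteLength;
  return bytes;
}

// Cancel a body you will never read. Cheaper than draining a large response,
// but the underlying connection cannot be reused afterwards.
// Returns true when a body was present and got cancelled.
async function discardBody(res) {
  if (!res.body || res.bodyUsed) return false;
  await res.body.cancel();
  return true;
}

// Status-only request: the body is released in `finally`, so neither a
// normal return nor an exception thrown while inspecting the response can
// leave it unconsumed (the condition the advisory describes).
async function fetchStatus(url, init) {
  const res = await fetch(url, init);
  try {
    return res.status;
  } finally {
    await drainBody(res);
  }
}

// Constructed stand-ins for real responses, so this runs offline.
drainBody(new Response("a".repeat(4096))).then((n) => console.log("drained", n, "bytes"));
discardBody(new Response("unused")).then((ok) => console.log("cancelled:", ok));
```

Use `drainBody` when the response is small and the connection is worth keeping; use `discardBody` when the body may be large and a fresh connection is cheaper than reading it. Either way the body stream is settled before the `Response` goes out of scope.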