Commit
chore: bump up undici version to v6.6.1 [SECURITY] (#5828)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [undici](https://undici.nodejs.org) ([source](https://togithub.com/nodejs/undici)) | [`6.0.1` -> `6.6.1`](https://renovatebot.com/diffs/npm/undici/6.0.1/6.6.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/undici/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/6.0.1/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/6.0.1/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-24750](https://togithub.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw)

### Impact

Calling `fetch(url)` and not consuming the incoming body (or consuming it very slowly) will lead to a memory leak.

### Patches

Patched in v6.6.1

### Workarounds

Make sure to always consume the incoming body.

#### [CVE-2024-24758](https://togithub.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3)

### Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers.

### Patches

This is patched in v5.28.3 and v6.6.1

### Workarounds

There are no known workarounds.
### References

- https://fetch.spec.whatwg.org/#authentication-entries
- GHSA-wqq4-5wpv-mx2g

---

### Release Notes

<details>
<summary>nodejs/undici (undici)</summary>

### [`v6.6.1`](https://togithub.com/nodejs/undici/releases/tag/v6.6.1)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.6.0...v6.6.1)

#### ⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

#### What's Changed

- fix: flaky debug test by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2687
- build(deps): bump github/codeql-action from 3.22.12 to 3.23.2 by [@dependabot](https://togithub.com/dependabot) in nodejs/undici#2688
- build(deps): bump actions/dependency-review-action from 3.1.0 to 4.0.0 by [@dependabot](https://togithub.com/dependabot) in nodejs/undici#2689
- fix: ci pipeline warnings by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2685
- perf: optimize Iterator by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2692

**Full Changelog**: nodejs/undici@v6.6.0...v6.6.1

### [`v6.6.0`](https://togithub.com/nodejs/undici/releases/tag/v6.6.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.5.0...v6.6.0)

#### What's Changed

- add webSocket example by [@mertcanaltin](https://togithub.com/mertcanaltin) in nodejs/undici#2626
- chore: remove atomic-sleep as dev dependency by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2648
- chore: remove semver as dev dependency by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2646
- chore: remove table as dev dependency by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2649
- chore: remove delay as dev dependency by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2647
- chore: reduce noise in test-logs test/issue-2349.js by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2655
- chore: fix faketimer warning in test/request-timeout.js by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2656
- chore: reduce noise in test logs test/client-node-max-header-size.js by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2654
- refactor: use fromInnerResponse by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2635
- fix: support deflate raw responses by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2650
- Support building for externally shared js builtins by [@mochaaP](https://togithub.com/mochaaP) in nodejs/undici#2643
- fix: typo clampAndCoarsenConnectionTimingInfo by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2653
- chore: use 'node:'-prefix for requiring node core modules by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2662
- build(deps-dev): bump husky from 8.0.3 to 9.0.7 by [@dependabot](https://togithub.com/dependabot) in nodejs/undici#2667
- build(deps-dev): bump cronometro from 1.2.0 to 2.0.2 by [@dependabot](https://togithub.com/dependabot) in nodejs/undici#2668
- remove timers/promises import by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2665
- chore: fix various codesmells by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2669
- chore: remove this alias in agent.js by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2671
- chore: use optional chaining by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2666
- chore: small perf improvements by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2661
- implement spec changes from a while ago by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2676
- websocket: fix close when no closing code is received by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2680
- fix: make ci less flaky by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2684

#### New Contributors

- [@mochaaP](https://togithub.com/mochaaP) made their first contribution in nodejs/undici#2643

**Full Changelog**: nodejs/undici@v6.5.0...v6.6.0

### [`v6.5.0`](https://togithub.com/nodejs/undici/releases/tag/v6.5.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.4.0...v6.5.0)

#### What's Changed

- build(deps-dev): bump jsdom from 23.2.0 to 24.0.0 by [@dependabot](https://togithub.com/dependabot) in nodejs/undici#2632
- feat: Implement EventSource by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2608
- fix: readable body by [@ronag](https://togithub.com/ronag) in nodejs/undici#2642

**Full Changelog**: nodejs/undici@v6.4.0...v6.5.0

### [`v6.4.0`](https://togithub.com/nodejs/undici/releases/tag/v6.4.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.3.0...v6.4.0)

##### What's Changed

- refactor: version cleanup by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2605
- cacheStorage: separate matchAll logic by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2599
- cleanup index by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2598
- feat: port `balanced-pool`, `ca-fingerprint`, `client-abort` tests to `node:test` by [@sosukesuzuki](https://togithub.com/sosukesuzuki) in nodejs/undici#2584
- ci: unpin nodejs workflow version by [@dominykas](https://togithub.com/dominykas) in nodejs/undici#2434
- test([#2600](https://togithub.com/nodejs/undici/issues/2600)): Flaky debug test by [@metcoder95](https://togithub.com/metcoder95) in nodejs/undici#2607
- fix: h2 hang issue with empty body by [@timursevimli](https://togithub.com/timursevimli) in nodejs/undici#2601
- Fix tests for Node.js v21 by [@sosukesuzuki](https://togithub.com/sosukesuzuki) in nodejs/undici#2609
- perf(cache): avoid Request and Response initialization by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2610
- Add more libraries to benchmarks by [@mcollina](https://togithub.com/mcollina) in nodejs/undici#2614
- feat: port `client-connect`, `client-dispatch`, `client-errors` test to `node:test` by [@sosukesuzuki](https://togithub.com/sosukesuzuki) in nodejs/undici#2591
- exit with 1 if WPT runner has unexpected errors by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2621
- Fix tests for Node.js v20.11.0 by [@mcollina](https://togithub.com/mcollina) in nodejs/undici#2618
- fix(mock-agent): split set-cookie by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2619
- feat: implement throwOnMaxRedirect option for RedirectHandler by [@mertcanaltin](https://togithub.com/mertcanaltin) in nodejs/undici#2563
- test: fix flaky debug test by [@metcoder95](https://togithub.com/metcoder95) in nodejs/undici#2613
- fix: hide statusOutput if empty in handleRunnerCompletion by [@Uzlopak](https://togithub.com/Uzlopak) in nodejs/undici#2624
- docs: Fix typo in Debug.md by [@Skn0tt](https://togithub.com/Skn0tt) in nodejs/undici#2625
- fix(cache): set AbortSignal by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2612
- Use correct http Agent for node-fetch, axios, got and request by [@mcollina](https://togithub.com/mcollina) in nodejs/undici#2629

##### New Contributors

- [@timursevimli](https://togithub.com/timursevimli) made their first contribution in nodejs/undici#2601
- [@mertcanaltin](https://togithub.com/mertcanaltin) made their first contribution in nodejs/undici#2563
- [@Skn0tt](https://togithub.com/Skn0tt) made their first contribution in nodejs/undici#2625

**Full Changelog**: nodejs/undici@v6.3.0...v6.4.0

### [`v6.3.0`](https://togithub.com/nodejs/undici/releases/tag/v6.3.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.2.1...v6.3.0)

#### What's Changed

- Clear all timeout on destroy and close by [@mcollina](https://togithub.com/mcollina) in nodejs/undici#2535
- ConnectOptions should include 'origin' field by [@dvoytenko](https://togithub.com/dvoytenko) in nodejs/undici#2532
- perf: avoid toLowerCase call by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2537
- revert [`a1a8136`](https://togithub.com/nodejs/undici/commit/a1a8136) by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2539
- docs: add Util to sidebar by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2529
- fix: call explicitly unregister by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2534
- fix: check the content-type of invalid formData by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2541
- Add request examples. by [@autopulated](https://togithub.com/autopulated) in nodejs/undici#2380
- fix(HTTP/2): handle consumption of aborted request by [@metcoder95](https://togithub.com/metcoder95) in nodejs/undici#2387
- chore: update tst test by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2538
- fix(fetch): do not abort fetch on redirect by [@angelyan](https://togithub.com/angelyan) in nodejs/undici#2545
- drop verifyVersion in scripts by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2549
- types: remove unused Client and Pool types by [@RafaelGSS](https://togithub.com/RafaelGSS) in nodejs/undici#2557
- lib: fix Host header when CONNECT ProxyAgent by [@RafaelGSS](https://togithub.com/RafaelGSS) in nodejs/undici#2556
- feat: port cookies tests to node runner by [@pmarchini](https://togithub.com/pmarchini) in nodejs/undici#2547
- feat: port webidl tests to node test runner by [@ilteoood](https://togithub.com/ilteoood) in nodejs/undici#2554
- perf: Improve percentDecode by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2562
- Fix parseHashWithOptions regex by [@flapenna](https://togithub.com/flapenna) in nodejs/undici#2561
- feat: port diagnostic-channel tests to node test runner by [@ilteoood](https://togithub.com/ilteoood) in nodejs/undici#2559
- feat: port websocket tests to node test runner by [@ilteoood](https://togithub.com/ilteoood) in nodejs/undici#2553
- build(deps-dev): bump tsd from 0.29.0 to 0.30.1 by [@dependabot](https://togithub.com/dependabot) in nodejs/undici#2551
- build(deps): bump actions/setup-node from 4.0.0 to 4.0.1 by [@dependabot](https://togithub.com/dependabot) in nodejs/undici#2572
- build(deps): bump github/codeql-action from 2.22.5 to 3.22.12 by [@dependabot](https://togithub.com/dependabot) in nodejs/undici#2574
- Update `@matteo.collina/tspl` to 0.1.1 by [@sosukesuzuki](https://togithub.com/sosukesuzuki) in nodejs/undici#2576
- mark wpt as failing by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2581
- feat: port `abort-controller.js` tests to `node:test` runner by [@sosukesuzuki](https://togithub.com/sosukesuzuki) in nodejs/undici#2564
- fix data url test by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2580
- feat: port `async_hooks.js` tests to `node:test` runner by [@sosukesuzuki](https://togithub.com/sosukesuzuki) in nodejs/undici#2568
- feat: port `agent.js` tests to `node:test` runner by [@sosukesuzuki](https://togithub.com/sosukesuzuki) in nodejs/undici#2566
- feat: port `abort-event-emitter.js` tests to `node:test` runnner by [@sosukesuzuki](https://togithub.com/sosukesuzuki) in nodejs/undici#2565
- feat: port first half of fetch tests to node test runner by [@anurag-roy](https://togithub.com/anurag-roy) in nodejs/undici#2569
- perf: bypass method validation by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2583
- fetch: warn when using patch method by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2577
- feat: port `autoselectfamily.js` tests to `node:test` runner by [@sosukesuzuki](https://togithub.com/sosukesuzuki) in nodejs/undici#2570
- feat: port remaining fetch tests to node test runner by [@anurag-roy](https://togithub.com/anurag-roy) in nodejs/undici#2587
- fix: use isArrayBuffer instead of isAnyArrayBuffer by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2586
- Feat/migrate tests to node runner by [@pmarchini](https://togithub.com/pmarchini) in nodejs/undici#2593
- abort request with reason if one is provided by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2592
- feat: port tst test to node test runner by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2595
- feat([#2191](https://togithub.com/nodejs/undici/issues/2191)): Add support for `NODE_DEBUG` by [@metcoder95](https://togithub.com/metcoder95) in nodejs/undici#2585
- cacheStorage: fix bugs make wpts pass by [@KhafraDev](https://togithub.com/KhafraDev) in nodejs/undici#2596
- fix: non-object error in abort throws bad error by [@atlowChemi](https://togithub.com/atlowChemi) in nodejs/undici#2597
- fix: add test helper for closing server as promise by [@sosukesuzuki](https://togithub.com/sosukesuzuki) in nodejs/undici#2604

#### New Contributors

- [@dvoytenko](https://togithub.com/dvoytenko) made their first contribution in nodejs/undici#2532
- [@autopulated](https://togithub.com/autopulated) made their first contribution in nodejs/undici#2380
- [@angelyan](https://togithub.com/angelyan) made their first contribution in nodejs/undici#2545
- [@pmarchini](https://togithub.com/pmarchini) made their first contribution in nodejs/undici#2547
- [@ilteoood](https://togithub.com/ilteoood) made their first contribution in nodejs/undici#2554
- [@flapenna](https://togithub.com/flapenna) made their first contribution in nodejs/undici#2561
- [@sosukesuzuki](https://togithub.com/sosukesuzuki) made their first contribution in nodejs/undici#2576
- [@anurag-roy](https://togithub.com/anurag-roy) made their first contribution in nodejs/undici#2569

**Full Changelog**: nodejs/undici@v6.2.1...v6.3.0

### [`v6.2.1`](https://togithub.com/nodejs/undici/releases/tag/v6.2.1)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.2.0...v6.2.1)

##### What's Changed

- perf: use tree by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2528
- chore: reduce dependencies by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2533
- Remove timers in agent.js by [@mcollina](https://togithub.com/mcollina) in nodejs/undici#2536

**Full Changelog**: nodejs/undici@v6.2.0...v6.2.1

### [`v6.2.0`](https://togithub.com/nodejs/undici/releases/tag/v6.2.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.1.0...v6.2.0)

#### What's Changed

- Remove FinalizationRegistry from Agent by [@mcollina](https://togithub.com/mcollina) in nodejs/undici#2530

**Full Changelog**: nodejs/undici@v6.1.0...v6.2.0

### [`v6.1.0`](https://togithub.com/nodejs/undici/releases/tag/v6.1.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.0.1...v6.1.0)

#### What's Changed

- fix: more sensible stack trace from dump error by [@ronag](https://togithub.com/ronag) in nodejs/undici#2503
- refactor: remove some node compat by [@ronag](https://togithub.com/ronag) in nodejs/undici#2502
- refactor: version cleanup by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2507
- perf(fetch): Improve fetch of detaurl by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2479
- feat: expose parseHeader by [@ronag](https://togithub.com/ronag) in nodejs/undici#2511
- perf(fetch): optimize call `dispatch` by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2493
- perf(util/parseHeaders): If the header name is buffer by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2501
- perf: twice faster method check by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2495
- refactor: remove Error.captureStackTrace by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2509
- perf: Improve processHeader by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2513
- perf: reduce `String#toLowerCase` call by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2516
- perf: optimize consumeEnd by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2510
- perf: reduce tst built time by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2517
- feat: allow customization of build environment by [@khardix](https://togithub.com/khardix) in nodejs/undici#2403
- fix: clear cache by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2519
- feat: Add resource timing entries for connection, request and response by [@ToshB](https://togithub.com/ToshB) in nodejs/undici#2481
- Call fg.unregister() after a dispatcher is done, adds UNDICI_NO_FG to… by [@mcollina](https://togithub.com/mcollina) in nodejs/undici#2527
- feat: expose headerNameToString by [@tsctx](https://togithub.com/tsctx) in nodejs/undici#2525

#### New Contributors

- [@khardix](https://togithub.com/khardix) made their first contribution in nodejs/undici#2403

**Full Changelog**: nodejs/undici@v6.0.1...v6.1.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/toeverything/AFFiNE).
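An added example, not part of the commit message and not code from undici or Renovate: a lockfile check that reports every installed copy of undici, including nested transitive copies, that predates the patched versions named in the two advisories above. It assumes the npm `package-lock.json` layout (lockfileVersion 2/3 `packages` map); the lockfile content, package names other than undici, and the `olderMajors` flag are constructed for illustration.

```javascript
// Patched versions exactly as stated in the advisories quoted on this page.
const ADVISORIES = [
  // Only v6.6.1 is listed as a fix, so this is applied to the 6.x line only (assumption).
  { id: 'CVE-2024-24750', fixedIn: { 6: '6.6.1' }, olderMajors: false },
  // v5.28.3 and v6.6.1 are listed; majors below 5 are held to 5.28.3 (assumption).
  { id: 'CVE-2024-24758', fixedIn: { 5: '5.28.3', 6: '6.6.1' }, olderMajors: true },
];

// Parse "major.minor.patch"; a pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function lessThan(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i];
  }
  return false;
}

// Advisory ids that still apply to one installed undici version.
function openAdvisories(version) {
  const major = parseVersion(version)[0];
  return ADVISORIES.filter(({ fixedIn, olderMajors }) => {
    const lowest = Math.min(...Object.keys(fixedIn).map(Number));
    const fix = fixedIn[major] ?? (olderMajors && major < lowest ? fixedIn[lowest] : undefined);
    return fix !== undefined && lessThan(version, fix);
  }).map(({ id }) => id);
}

// Keys of the "packages" map are install paths, so nested copies such as
// "node_modules/a/node_modules/undici" are checked as well as the top-level one.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (!path.endsWith('node_modules/undici') || !entry.version) continue;
    const open = openAdvisories(entry.version);
    if (open.length > 0) findings.push({ path, version: entry.version, open });
  }
  return findings;
}

// Constructed lockfile fragment (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'constructed-app', version: '1.0.0' },
    'node_modules/undici': { version: '6.0.1' },
    'node_modules/legacy-client/node_modules/undici': { version: '5.28.2' },
    'node_modules/patched-client/node_modules/undici': { version: '5.28.3' },
    'node_modules/other/node_modules/undici': { version: '6.6.1' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

A bump of the direct dependency does not move nested copies pinned by other packages, which is why the check walks every install path rather than reading `package.json`.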