chore: bump up undici version to v6.6.1 [SECURITY] #5828
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
☁️ Nx Cloud ReportCI is running/has finished running commands for commit b6f776c. As they complete they will appear below. Click to see the status, the terminal output, and the build insights. 📂 See all runs for this CI Pipeline Execution ✅ Successfully ran 6 targets
Sent with 💌 from NxCloud. |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## canary #5828 +/- ##
==========================================
- Coverage 65.23% 65.14% -0.10%
==========================================
Files 348 348
Lines 19670 19670
Branches 1661 1660 -1
==========================================
- Hits 12832 12814 -18
- Misses 6617 6635 +18
Partials 221 221
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability
branch
from
ee0fa99
to
682cef2
Compare
Brooooooklyn
approved these changes
Feb 20, 2024
Merge activity
|
[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [undici](https://undici.nodejs.org) ([source](https://togithub.com/nodejs/undici)) | [`6.0.1` -> `6.6.1`](https://renovatebot.com/diffs/npm/undici/6.0.1/6.6.1) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-24750](https://togithub.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw) ### Impact Calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. ### Patches Patched in v6.6.1 ### Workarounds Make sure to always consume the incoming body. #### [CVE-2024-24758](https://togithub.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3) ### Impact Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers. ### Patches This is patched in v5.28.3 and v6.6.1 ### Workarounds There are no known workarounds. ### References - https://fetch.spec.whatwg.org/#authentication-entries - GHSA-wqq4-5wpv-mx2g --- ### Release Notes <details> <summary>nodejs/undici (undici)</summary> ### [`v6.6.1`](https://togithub.com/nodejs/undici/releases/tag/v6.6.1) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.6.0...v6.6.1) ####⚠️ Security Release⚠️ Details on the vulnerabilities fixed will be shared in the next couple of days. #### What's Changed - fix: flaky debug test by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2687](https://togithub.com/nodejs/undici/pull/2687) - build(deps): bump github/codeql-action from 3.22.12 to 3.23.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2688](https://togithub.com/nodejs/undici/pull/2688) - build(deps): bump actions/dependency-review-action from 3.1.0 to 4.0.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2689](https://togithub.com/nodejs/undici/pull/2689) - fix: ci pipeline warnings by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2685](https://togithub.com/nodejs/undici/pull/2685) - perf: optimize Iterator by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2692](https://togithub.com/nodejs/undici/pull/2692) **Full Changelog**: nodejs/undici@v6.6.0...v6.6.1 ### [`v6.6.0`](https://togithub.com/nodejs/undici/releases/tag/v6.6.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.5.0...v6.6.0) #### What's Changed - add webSocket example by [@​mertcanaltin](https://togithub.com/mertcanaltin) in [https://github.com/nodejs/undici/pull/2626](https://togithub.com/nodejs/undici/pull/2626) - chore: remove atomic-sleep as dev dependency by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2648](https://togithub.com/nodejs/undici/pull/2648) - chore: remove semver as dev dependency by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2646](https://togithub.com/nodejs/undici/pull/2646) - chore: remove table as dev dependency by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2649](https://togithub.com/nodejs/undici/pull/2649) - chore: remove delay as dev dependency by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2647](https://togithub.com/nodejs/undici/pull/2647) - chore: reduce noise in test-logs test/issue-2349.js by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2655](https://togithub.com/nodejs/undici/pull/2655) - chore: fix faketimer warning in test/request-timeout.js by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2656](https://togithub.com/nodejs/undici/pull/2656) - chore: reduce noise in test logs test/client-node-max-header-size.js by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2654](https://togithub.com/nodejs/undici/pull/2654) - refactor: use fromInnerResponse by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2635](https://togithub.com/nodejs/undici/pull/2635) - fix: support deflate raw responses by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2650](https://togithub.com/nodejs/undici/pull/2650) - Support building for externally shared js builtins by [@​mochaaP](https://togithub.com/mochaaP) in [https://github.com/nodejs/undici/pull/2643](https://togithub.com/nodejs/undici/pull/2643) - fix: typo clampAndCoarsenConnectionTimingInfo by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2653](https://togithub.com/nodejs/undici/pull/2653) - chore: use 'node:'-prefix for requiring node core modules by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2662](https://togithub.com/nodejs/undici/pull/2662) - build(deps-dev): bump husky from 8.0.3 to 9.0.7 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2667](https://togithub.com/nodejs/undici/pull/2667) - build(deps-dev): bump cronometro from 1.2.0 to 2.0.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2668](https://togithub.com/nodejs/undici/pull/2668) - remove timers/promises import by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2665](https://togithub.com/nodejs/undici/pull/2665) - chore: fix various codesmells by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2669](https://togithub.com/nodejs/undici/pull/2669) - chore: remove this alias in agent.js by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2671](https://togithub.com/nodejs/undici/pull/2671) - chore: use optional chaining by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2666](https://togithub.com/nodejs/undici/pull/2666) - chore: small perf improvements by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2661](https://togithub.com/nodejs/undici/pull/2661) - implement spec changes from a while ago by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2676](https://togithub.com/nodejs/undici/pull/2676) - websocket: fix close when no closing code is received by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2680](https://togithub.com/nodejs/undici/pull/2680) - fix: make ci less flaky by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2684](https://togithub.com/nodejs/undici/pull/2684) #### New Contributors - [@​mochaaP](https://togithub.com/mochaaP) made their first contribution in [https://github.com/nodejs/undici/pull/2643](https://togithub.com/nodejs/undici/pull/2643) **Full Changelog**: nodejs/undici@v6.5.0...v6.6.0 ### [`v6.5.0`](https://togithub.com/nodejs/undici/releases/tag/v6.5.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.4.0...v6.5.0) #### What's Changed - build(deps-dev): bump jsdom from 23.2.0 to 24.0.0 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2632](https://togithub.com/nodejs/undici/pull/2632) - feat: Implement EventSource by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2608](https://togithub.com/nodejs/undici/pull/2608) - fix: readable body by [@​ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/2642](https://togithub.com/nodejs/undici/pull/2642) **Full Changelog**: nodejs/undici@v6.4.0...v6.5.0 ### [`v6.4.0`](https://togithub.com/nodejs/undici/releases/tag/v6.4.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.3.0...v6.4.0) ##### What's Changed - refactor: version cleanup by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2605](https://togithub.com/nodejs/undici/pull/2605) - cacheStorage: separate matchAll logic by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2599](https://togithub.com/nodejs/undici/pull/2599) - cleanup index by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2598](https://togithub.com/nodejs/undici/pull/2598) - feat: port `balanced-pool`, `ca-fingerprint`, `client-abort` tests to `node:test` by [@​sosukesuzuki](https://togithub.com/sosukesuzuki) in [https://github.com/nodejs/undici/pull/2584](https://togithub.com/nodejs/undici/pull/2584) - ci: unpin nodejs workflow version by [@​dominykas](https://togithub.com/dominykas) in [https://github.com/nodejs/undici/pull/2434](https://togithub.com/nodejs/undici/pull/2434) - test([#​2600](https://togithub.com/nodejs/undici/issues/2600)): Flaky debug test by [@​metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2607](https://togithub.com/nodejs/undici/pull/2607) - fix: h2 hang issue with empty body by [@​timursevimli](https://togithub.com/timursevimli) in [https://github.com/nodejs/undici/pull/2601](https://togithub.com/nodejs/undici/pull/2601) - Fix tests for Node.js v21 by [@​sosukesuzuki](https://togithub.com/sosukesuzuki) in [https://github.com/nodejs/undici/pull/2609](https://togithub.com/nodejs/undici/pull/2609) - perf(cache): avoid Request and Response initialization by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2610](https://togithub.com/nodejs/undici/pull/2610) - Add more libraries to benchmarks by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2614](https://togithub.com/nodejs/undici/pull/2614) - feat: port `client-connect`, `client-dispatch`, `client-errors` test to `node:test` by [@​sosukesuzuki](https://togithub.com/sosukesuzuki) in [https://github.com/nodejs/undici/pull/2591](https://togithub.com/nodejs/undici/pull/2591) - exit with 1 if WPT runner has unexpected errors by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2621](https://togithub.com/nodejs/undici/pull/2621) - Fix tests for Node.js v20.11.0 by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2618](https://togithub.com/nodejs/undici/pull/2618) - fix(mock-agent): split set-cookie by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2619](https://togithub.com/nodejs/undici/pull/2619) - feat: implement throwOnMaxRedirect option for RedirectHandler by [@​mertcanaltin](https://togithub.com/mertcanaltin) in [https://github.com/nodejs/undici/pull/2563](https://togithub.com/nodejs/undici/pull/2563) - test: fix flaky debug test by [@​metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2613](https://togithub.com/nodejs/undici/pull/2613) - fix: hide statusOutput if empty in handleRunnerCompletion by [@​Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2624](https://togithub.com/nodejs/undici/pull/2624) - docs: Fix typo in Debug.md by [@​Skn0tt](https://togithub.com/Skn0tt) in [https://github.com/nodejs/undici/pull/2625](https://togithub.com/nodejs/undici/pull/2625) - fix(cache): set AbortSignal by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2612](https://togithub.com/nodejs/undici/pull/2612) - Use correct http Agent for node-fetch, axios, got and request by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2629](https://togithub.com/nodejs/undici/pull/2629) ##### New Contributors - [@​timursevimli](https://togithub.com/timursevimli) made their first contribution in [https://github.com/nodejs/undici/pull/2601](https://togithub.com/nodejs/undici/pull/2601) - [@​mertcanaltin](https://togithub.com/mertcanaltin) made their first contribution in [https://github.com/nodejs/undici/pull/2563](https://togithub.com/nodejs/undici/pull/2563) - [@​Skn0tt](https://togithub.com/Skn0tt) made their first contribution in [https://github.com/nodejs/undici/pull/2625](https://togithub.com/nodejs/undici/pull/2625) **Full Changelog**: nodejs/undici@v6.3.0...v6.4.0 ### [`v6.3.0`](https://togithub.com/nodejs/undici/releases/tag/v6.3.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.2.1...v6.3.0) #### What's Changed - Clear all timeout on destroy and close by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2535](https://togithub.com/nodejs/undici/pull/2535) - ConnectOptions should include 'origin' field by [@​dvoytenko](https://togithub.com/dvoytenko) in [https://github.com/nodejs/undici/pull/2532](https://togithub.com/nodejs/undici/pull/2532) - perf: avoid toLowerCase call by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2537](https://togithub.com/nodejs/undici/pull/2537) - revert [`a1a8136`](https://togithub.com/nodejs/undici/commit/a1a8136) by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2539](https://togithub.com/nodejs/undici/pull/2539) - docs: add Util to sidebar by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2529](https://togithub.com/nodejs/undici/pull/2529) - fix: call explicitly unregister by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2534](https://togithub.com/nodejs/undici/pull/2534) - fix: check the content-type of invalid formData by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2541](https://togithub.com/nodejs/undici/pull/2541) - Add request examples. by [@​autopulated](https://togithub.com/autopulated) in [https://github.com/nodejs/undici/pull/2380](https://togithub.com/nodejs/undici/pull/2380) - fix(HTTP/2): handle consumption of aborted request by [@​metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2387](https://togithub.com/nodejs/undici/pull/2387) - chore: update tst test by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2538](https://togithub.com/nodejs/undici/pull/2538) - fix(fetch): do not abort fetch on redirect by [@​angelyan](https://togithub.com/angelyan) in [https://github.com/nodejs/undici/pull/2545](https://togithub.com/nodejs/undici/pull/2545) - drop verifyVersion in scripts by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2549](https://togithub.com/nodejs/undici/pull/2549) - types: remove unused Client and Pool types by [@​RafaelGSS](https://togithub.com/RafaelGSS) in [https://github.com/nodejs/undici/pull/2557](https://togithub.com/nodejs/undici/pull/2557) - lib: fix Host header when CONNECT ProxyAgent by [@​RafaelGSS](https://togithub.com/RafaelGSS) in [https://github.com/nodejs/undici/pull/2556](https://togithub.com/nodejs/undici/pull/2556) - feat: port cookies tests to node runner by [@​pmarchini](https://togithub.com/pmarchini) in [https://github.com/nodejs/undici/pull/2547](https://togithub.com/nodejs/undici/pull/2547) - feat: port webidl tests to node test runner by [@​ilteoood](https://togithub.com/ilteoood) in [https://github.com/nodejs/undici/pull/2554](https://togithub.com/nodejs/undici/pull/2554) - perf: Improve percentDecode by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2562](https://togithub.com/nodejs/undici/pull/2562) - Fix parseHashWithOptions regex by [@​flapenna](https://togithub.com/flapenna) in [https://github.com/nodejs/undici/pull/2561](https://togithub.com/nodejs/undici/pull/2561) - feat: port diagnostic-channel tests to node test runner by [@​ilteoood](https://togithub.com/ilteoood) in [https://github.com/nodejs/undici/pull/2559](https://togithub.com/nodejs/undici/pull/2559) - feat: port websocket tests to node test runner by [@​ilteoood](https://togithub.com/ilteoood) in [https://github.com/nodejs/undici/pull/2553](https://togithub.com/nodejs/undici/pull/2553) - build(deps-dev): bump tsd from 0.29.0 to 0.30.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2551](https://togithub.com/nodejs/undici/pull/2551) - build(deps): bump actions/setup-node from 4.0.0 to 4.0.1 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2572](https://togithub.com/nodejs/undici/pull/2572) - build(deps): bump github/codeql-action from 2.22.5 to 3.22.12 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2574](https://togithub.com/nodejs/undici/pull/2574) - Update `@matteo.collina/tspl` to 0.1.1 by [@​sosukesuzuki](https://togithub.com/sosukesuzuki) in [https://github.com/nodejs/undici/pull/2576](https://togithub.com/nodejs/undici/pull/2576) - mark wpt as failing by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2581](https://togithub.com/nodejs/undici/pull/2581) - feat: port `abort-controller.js` tests to `node:test` runner by [@​sosukesuzuki](https://togithub.com/sosukesuzuki) in [https://github.com/nodejs/undici/pull/2564](https://togithub.com/nodejs/undici/pull/2564) - fix data url test by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2580](https://togithub.com/nodejs/undici/pull/2580) - feat: port `async_hooks.js` tests to `node:test` runner by [@​sosukesuzuki](https://togithub.com/sosukesuzuki) in [https://github.com/nodejs/undici/pull/2568](https://togithub.com/nodejs/undici/pull/2568) - feat: port `agent.js` tests to `node:test` runner by [@​sosukesuzuki](https://togithub.com/sosukesuzuki) in [https://github.com/nodejs/undici/pull/2566](https://togithub.com/nodejs/undici/pull/2566) - feat: port `abort-event-emitter.js` tests to `node:test` runnner by [@​sosukesuzuki](https://togithub.com/sosukesuzuki) in [https://github.com/nodejs/undici/pull/2565](https://togithub.com/nodejs/undici/pull/2565) - feat: port first half of fetch tests to node test runner by [@​anurag-roy](https://togithub.com/anurag-roy) in [https://github.com/nodejs/undici/pull/2569](https://togithub.com/nodejs/undici/pull/2569) - perf: bypass method validation by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2583](https://togithub.com/nodejs/undici/pull/2583) - fetch: warn when using patch method by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2577](https://togithub.com/nodejs/undici/pull/2577) - feat: port `autoselectfamily.js` tests to `node:test` runner by [@​sosukesuzuki](https://togithub.com/sosukesuzuki) in [https://github.com/nodejs/undici/pull/2570](https://togithub.com/nodejs/undici/pull/2570) - feat: port remaining fetch tests to node test runner by [@​anurag-roy](https://togithub.com/anurag-roy) in [https://github.com/nodejs/undici/pull/2587](https://togithub.com/nodejs/undici/pull/2587) - fix: use isArrayBuffer instead of isAnyArrayBuffer by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2586](https://togithub.com/nodejs/undici/pull/2586) - Feat/migrate tests to node runner by [@​pmarchini](https://togithub.com/pmarchini) in [https://github.com/nodejs/undici/pull/2593](https://togithub.com/nodejs/undici/pull/2593) - abort request with reason if one is provided by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2592](https://togithub.com/nodejs/undici/pull/2592) - feat: port tst test to node test runner by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2595](https://togithub.com/nodejs/undici/pull/2595) - feat([#​2191](https://togithub.com/nodejs/undici/issues/2191)): Add support for `NODE_DEBUG` by [@​metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2585](https://togithub.com/nodejs/undici/pull/2585) - cacheStorage: fix bugs make wpts pass by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2596](https://togithub.com/nodejs/undici/pull/2596) - fix: non-object error in abort throws bad error by [@​atlowChemi](https://togithub.com/atlowChemi) in [https://github.com/nodejs/undici/pull/2597](https://togithub.com/nodejs/undici/pull/2597) - fix: add test helper for closing server as promise by [@​sosukesuzuki](https://togithub.com/sosukesuzuki) in [https://github.com/nodejs/undici/pull/2604](https://togithub.com/nodejs/undici/pull/2604) #### New Contributors - [@​dvoytenko](https://togithub.com/dvoytenko) made their first contribution in [https://github.com/nodejs/undici/pull/2532](https://togithub.com/nodejs/undici/pull/2532) - [@​autopulated](https://togithub.com/autopulated) made their first contribution in [https://github.com/nodejs/undici/pull/2380](https://togithub.com/nodejs/undici/pull/2380) - [@​angelyan](https://togithub.com/angelyan) made their first contribution in [https://github.com/nodejs/undici/pull/2545](https://togithub.com/nodejs/undici/pull/2545) - [@​pmarchini](https://togithub.com/pmarchini) made their first contribution in [https://github.com/nodejs/undici/pull/2547](https://togithub.com/nodejs/undici/pull/2547) - [@​ilteoood](https://togithub.com/ilteoood) made their first contribution in [https://github.com/nodejs/undici/pull/2554](https://togithub.com/nodejs/undici/pull/2554) - [@​flapenna](https://togithub.com/flapenna) made their first contribution in [https://github.com/nodejs/undici/pull/2561](https://togithub.com/nodejs/undici/pull/2561) - [@​sosukesuzuki](https://togithub.com/sosukesuzuki) made their first contribution in [https://github.com/nodejs/undici/pull/2576](https://togithub.com/nodejs/undici/pull/2576) - [@​anurag-roy](https://togithub.com/anurag-roy) made their first contribution in [https://github.com/nodejs/undici/pull/2569](https://togithub.com/nodejs/undici/pull/2569) **Full Changelog**: nodejs/undici@v6.2.1...v6.3.0 ### [`v6.2.1`](https://togithub.com/nodejs/undici/releases/tag/v6.2.1) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.2.0...v6.2.1) ##### What's Changed - perf: use tree by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2528](https://togithub.com/nodejs/undici/pull/2528) - chore: reduce dependencies by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2533](https://togithub.com/nodejs/undici/pull/2533) - Remove timers in agent.js by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2536](https://togithub.com/nodejs/undici/pull/2536) **Full Changelog**: nodejs/undici@v6.2.0...v6.2.1 ### [`v6.2.0`](https://togithub.com/nodejs/undici/releases/tag/v6.2.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.1.0...v6.2.0) #### What's Changed - Remove FinalizationRegistry from Agent by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2530](https://togithub.com/nodejs/undici/pull/2530) **Full Changelog**: nodejs/undici@v6.1.0...v6.2.0 ### [`v6.1.0`](https://togithub.com/nodejs/undici/releases/tag/v6.1.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.0.1...v6.1.0) #### What's Changed - fix: more sensible stack trace from dump error by [@​ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/2503](https://togithub.com/nodejs/undici/pull/2503) - refactor: remove some node compat by [@​ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/2502](https://togithub.com/nodejs/undici/pull/2502) - refactor: version cleanup by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2507](https://togithub.com/nodejs/undici/pull/2507) - perf(fetch): Improve fetch of detaurl by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2479](https://togithub.com/nodejs/undici/pull/2479) - feat: expose parseHeader by [@​ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/2511](https://togithub.com/nodejs/undici/pull/2511) - perf(fetch): optimize call `dispatch` by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2493](https://togithub.com/nodejs/undici/pull/2493) - perf(util/parseHeaders): If the header name is buffer by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2501](https://togithub.com/nodejs/undici/pull/2501) - perf: twice faster method check by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2495](https://togithub.com/nodejs/undici/pull/2495) - refactor: remove Error.captureStackTrace by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2509](https://togithub.com/nodejs/undici/pull/2509) - perf: Improve processHeader by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2513](https://togithub.com/nodejs/undici/pull/2513) - perf: reduce `String#toLowerCase` call by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2516](https://togithub.com/nodejs/undici/pull/2516) - perf: optimize consumeEnd by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2510](https://togithub.com/nodejs/undici/pull/2510) - perf: reduce tst built time by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2517](https://togithub.com/nodejs/undici/pull/2517) - feat: allow customization of build environment by [@​khardix](https://togithub.com/khardix) in [https://github.com/nodejs/undici/pull/2403](https://togithub.com/nodejs/undici/pull/2403) - fix: clear cache by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2519](https://togithub.com/nodejs/undici/pull/2519) - feat: Add resource timing entries for connection, request and response by [@​ToshB](https://togithub.com/ToshB) in [https://github.com/nodejs/undici/pull/2481](https://togithub.com/nodejs/undici/pull/2481) - Call fg.unregister() after a dispatcher is done, adds UNDICI_NO_FG to… by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2527](https://togithub.com/nodejs/undici/pull/2527) - feat: expose headerNameToString by [@​tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2525](https://togithub.com/nodejs/undici/pull/2525) #### New Contributors - [@​khardix](https://togithub.com/khardix) made their first contribution in [https://github.com/nodejs/undici/pull/2403](https://togithub.com/nodejs/undici/pull/2403) **Full Changelog**: nodejs/undici@v6.0.1...v6.1.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/toeverything/AFFiNE). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4xNzMuMCIsInVwZGF0ZWRJblZlciI6IjM3LjIwMC4wIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5In0=-->
Brooooooklyn
force-pushed
the
renovate/npm-undici-vulnerability
branch
from
682cef2
to
b6f776c
Compare
Edited/Blocked NotificationRenovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. ⚠ Warning: custom changes will be lost. |
](https://renovatebot.com){kind=link}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
6.0.1->6.6.1GitHub Vulnerability Alerts
CVE-2024-24750
Impact
Calling
fetch(url)and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak.Patches
Patched in v6.6.1
Workarounds
Make sure to always consume the incoming body.
CVE-2024-24758
Impact
Undici already cleared Authorization headers on cross-origin redirects, but did not clear
Proxy-Authorizationheaders.Patches
This is patched in v5.28.3 and v6.6.1
Workarounds
There are no known workarounds.
References
Release Notes
nodejs/undici (undici)
v6.6.1Compare Source
Details on the vulnerabilities fixed will be shared in the next couple of days.
What's Changed
Full Changelog: nodejs/undici@v6.6.0...v6.6.1
v6.6.0Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v6.5.0...v6.6.0
v6.5.0Compare Source
What's Changed
Full Changelog: nodejs/undici@v6.4.0...v6.5.0
v6.4.0Compare Source
What's Changed
balanced-pool,ca-fingerprint,client-aborttests tonode:testby @sosukesuzuki in https://github.com/nodejs/undici/pull/2584client-connect,client-dispatch,client-errorstest tonode:testby @sosukesuzuki in https://github.com/nodejs/undici/pull/2591New Contributors
Full Changelog: nodejs/undici@v6.3.0...v6.4.0
v6.3.0Compare Source
What's Changed
a1a8136by @KhafraDev in https://github.com/nodejs/undici/pull/2539@matteo.collina/tsplto 0.1.1 by @sosukesuzuki in https://github.com/nodejs/undici/pull/2576abort-controller.jstests tonode:testrunner by @sosukesuzuki in https://github.com/nodejs/undici/pull/2564async_hooks.jstests tonode:testrunner by @sosukesuzuki in https://github.com/nodejs/undici/pull/2568agent.jstests tonode:testrunner by @sosukesuzuki in https://github.com/nodejs/undici/pull/2566abort-event-emitter.jstests tonode:testrunnner by @sosukesuzuki in https://github.com/nodejs/undici/pull/2565autoselectfamily.jstests tonode:testrunner by @sosukesuzuki in https://github.com/nodejs/undici/pull/2570NODE_DEBUGby @metcoder95 in https://github.com/nodejs/undici/pull/2585New Contributors
Full Changelog: nodejs/undici@v6.2.1...v6.3.0
v6.2.1Compare Source
What's Changed
Full Changelog: nodejs/undici@v6.2.0...v6.2.1
v6.2.0Compare Source
What's Changed
Full Changelog: nodejs/undici@v6.1.0...v6.2.0
v6.1.0Compare Source
What's Changed
dispatchby @tsctx in https://github.com/nodejs/undici/pull/2493String#toLowerCasecall by @tsctx in https://github.com/nodejs/undici/pull/2516New Contributors
Full Changelog: nodejs/undici@v6.0.1...v6.1.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.