
undici security issue #3382

Closed

char0n opened this issue Feb 22, 2024 · 1 comment

Labels: cat: security, security vulnerability (Security vulnerability detected by WhiteSource), version: 3.x

Comments

char0n (Member) commented Feb 22, 2024

Undici@5 has a security issue described in GHSA-3787-6prv-h9w3.

The first non-vulnerable version is [email protected]. Unfortunately, the security fix introduced the nullish coalescing operator, which is not supported in Node.js@12.

This means that the undici patch release, which is applied automatically with every swagger-client installation, will break Node.js@12 compatibility.

We ideally want to break compatibility with Node@12 explicitly, when we need to.

Keeping a security issue in the production dep tree is not an option, which leaves us to remove undici@5 from our deps:

Fetch API support will move from this:

>=12.20.0 <16.8 - [node-fetch@3](https://www.npmjs.com/package/node-fetch)
>=16.8 <18 - [undici](https://www.npmjs.com/package/undici)
>=18 - [native Node.js fetch](https://nodejs.org/dist/latest-v18.x/docs/api/globals.html#fetch)

to the following

>=12.20.0 <18 - [node-fetch@3](https://www.npmjs.com/package/node-fetch)
>=18 - [native Node.js fetch](https://nodejs.org/dist/latest-v18.x/docs/api/globals.html#fetch)
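The two version tables above are a lookup from the running Node.js version to a Fetch API provider. As an added example (this is not swagger-client's or undici's own code), the following JavaScript implements that lookup for both the old and the new mapping, so the effect of dropping undici can be checked for any Node.js version string. The function and table names are assumptions for illustration; the version boundaries are the ones listed in the comment. It is deliberately written without the nullish coalescing operator (`??`) so it would still parse on Node.js 12, which is the compatibility constraint the comment is about.

```javascript
'use strict';

// Added example, not part of swagger-client. Parses "v18.19.0" or "18.19.0"
// into [major, minor, patch]; pre-release/build suffixes are ignored.
function parseNodeVersion(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) {
    throw new TypeError('unrecognised Node.js version: ' + version);
  }
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Half-open ranges [min, max). max === null means "no upper bound".
// Table names are assumptions; boundaries are the ones stated in the issue.
const FETCH_PROVIDERS_BEFORE = [
  { min: [12, 20, 0], max: [16, 8, 0], provider: 'node-fetch' },
  { min: [16, 8, 0], max: [18, 0, 0], provider: 'undici' },
  { min: [18, 0, 0], max: null, provider: 'native' },
];

const FETCH_PROVIDERS_AFTER = [
  { min: [12, 20, 0], max: [18, 0, 0], provider: 'node-fetch' },
  { min: [18, 0, 0], max: null, provider: 'native' },
];

// Returns the provider name for a Node.js version, or null when the version is
// below every supported range (older than 12.20.0 in both tables).
function selectFetchProvider(nodeVersion, table) {
  const ranges = table || FETCH_PROVIDERS_AFTER;
  const v = parseNodeVersion(nodeVersion);
  for (const entry of ranges) {
    const aboveMin = compareVersions(v, entry.min) >= 0;
    const belowMax = entry.max === null || compareVersions(v, entry.max) < 0;
    if (aboveMin && belowMax) return entry.provider;
  }
  return null;
}

// Lists every Node.js version (from a constructed sample set) whose provider
// changes between the two tables; useful to see exactly who is affected by
// dropping undici from the dependency tree.
function providerChanges(sampleVersions) {
  const changes = [];
  for (const version of sampleVersions) {
    const before = selectFetchProvider(version, FETCH_PROVIDERS_BEFORE);
    const after = selectFetchProvider(version, FETCH_PROVIDERS_AFTER);
    if (before !== after) changes.push({ version: version, before: before, after: after });
  }
  return changes;
}

// Constructed sample of Node.js release lines, one per relevant boundary.
const SAMPLE_VERSIONS = ['v12.19.0', 'v12.22.12', 'v14.21.3', 'v16.7.0', 'v16.8.0', 'v16.20.2', 'v18.19.0', 'v20.11.0'];

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log('running on', process.version, '->', selectFetchProvider(process.version));
  console.log(providerChanges(SAMPLE_VERSIONS));
}
```

Only the 16.8 to 18 window changes provider; every other version keeps what it had, and versions below 12.20.0 get `null` in both tables, which is the case the calling code has to treat as "no Fetch API available".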
char0n (Member, Author) commented Feb 22, 2024

Addressed by #3383

@char0n char0n closed this as completed Feb 22, 2024
swagger-bot pushed a commit that referenced this issue Feb 22, 2024
## [3.25.2](v3.25.1...v3.25.2) (2024-02-22)

### Bug Fixes

* **security:** fix proxy-Authorization header security issue ([#3383](#3383)) ([649ab4b](649ab4b)), closes [#3382](#3382)