-
Notifications
You must be signed in to change notification settings - Fork 5
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): update dependency undici to v5.28.4 [security] #423
Open
renovate
wants to merge
1
commit into
master
Choose a base branch
from
renovate/npm-undici-vulnerability/VF-000
base: master
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+16
−25
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
renovate
bot
added
dependencies
Pull requests that update a dependency file
ready for review
labels
Feb 20, 2023
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
2 times, most recently
from
March 3, 2023 13:52
bc06a6a
to
b76a7a2
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
from
March 7, 2023 15:03
b76a7a2
to
69d7476
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
2 times, most recently
from
March 17, 2023 18:40
2794627
to
53ca4b4
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
4 times, most recently
from
March 31, 2023 23:48
882bbc9
to
9b6d041
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
3 times, most recently
from
April 18, 2023 18:04
6fc092a
to
68ae376
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
5 times, most recently
from
May 2, 2023 15:43
ed1f820
to
a1dd1a2
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
from
May 3, 2023 18:33
a1dd1a2
to
6d31d20
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
5 times, most recently
from
May 18, 2023 09:27
7047d95
to
092a622
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
2 times, most recently
from
May 25, 2023 19:39
ca35dd7
to
2cf2732
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
2 times, most recently
from
May 29, 2023 20:36
00c8e86
to
90311c7
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
6 times, most recently
from
May 22, 2024 20:45
a4d2ab7
to
c1d3d18
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
3 times, most recently
from
June 6, 2024 19:56
9a75c9f
to
1f0011e
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
6 times, most recently
from
June 21, 2024 09:28
dfde1fe
to
c65d611
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
4 times, most recently
from
July 5, 2024 18:48
80c8a41
to
96f1770
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
2 times, most recently
from
July 30, 2024 19:16
be3af97
to
6801993
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
from
August 14, 2024 21:34
6801993
to
f63c0af
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
4 times, most recently
from
September 18, 2024 15:25
be16d70
to
91d2b07
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
from
September 20, 2024 02:20
91d2b07
to
880cac8
Compare
renovate
bot
force-pushed
the
renovate/npm-undici-vulnerability/VF-000
branch
from
September 20, 2024 02:23
880cac8
to
7e2c080
Compare
Quality Gate passedIssues Measures |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^5
->^5.28.4
5.12.0
->5.28.4
GitHub Vulnerability Alerts
CVE-2023-23936
Impact
undici library does not protect
host
HTTP header from CRLF injection vulnerabilities.Patches
This issue was patched in Undici v5.19.1.
Workarounds
Sanitize the
headers.host
string before passing to undici.References
Reported at https://hackerone.com/reports/1820955.
Credits
Thank you to Zhipeng Zhang (@timon8) for reporting this vulnerability.
CVE-2023-24807
Impact
The
Headers.set()
andHeaders.append()
methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in theheaderValueNormalize()
utility function.Patches
This vulnerability was patched in v5.19.1.
Workarounds
There is no workaround. Please update to an unaffected version.
References
Credits
Carter Snook reported this vulnerability.
CVE-2023-45143
Impact
Undici clears Authorization headers on cross-origin redirects, but does not clear
Cookie
headers. By design,cookie
headers are forbidden request headers, disallowing them to be set inRequestInit.headers
in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.
Patches
This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.
CVE-2024-24758
Impact
Undici already cleared Authorization headers on cross-origin redirects, but did not clear
Proxy-Authorization
headers.Patches
This is patched in v5.28.3 and v6.6.1
Workarounds
There are no known workarounds.
References
CVE-2024-30261
Impact
If an attacker can alter the
integrity
option passed tofetch()
, they can letfetch()
accept requests as valid even if they have been tampered.Patches
Fixed in nodejs/undici@d542b8c.
Fixes has been released in v5.28.4 and v6.11.1.
Workarounds
Ensure that
integrity
cannot be tampered with.References
https://hackerone.com/reports/2377760
CVE-2024-30260
Impact
Undici cleared Authorization and Proxy-Authorization headers for
fetch()
, but did not clear them forundici.request()
.Patches
This has been patched in nodejs/undici@6805746.
Fixes has been released in v5.28.4 and v6.11.1.
Workarounds
use
fetch()
or disablemaxRedirections
.References
Linzi Shang reported this.
Release Notes
nodejs/undici (undici)
v5.28.4
Compare Source
Full Changelog: nodejs/undici@v5.28.3...v5.28.4
v5.28.3
Compare Source
Details on the vulnerabilities fixed will be shared in the next couple of days.
Full Changelog: nodejs/undici@v5.28.2...v5.28.3
v5.28.2
Compare Source
What's Changed
node:
prefix by @tsctx in https://github.com/nodejs/undici/pull/2471null
type tosignal
inRequestInit
by @gebsh in https://github.com/nodejs/undici/pull/2455New Contributors
Full Changelog: nodejs/undici@v5.28.1...v5.28.2
v5.28.1
Compare Source
What's Changed
normalizeMethod
by @tsctx in https://github.com/nodejs/undici/pull/2456Full Changelog: nodejs/undici@v5.28.0...v5.28.1
v5.28.0
Compare Source
What's Changed
substring
instead ofsubstr
by @tsctx in https://github.com/nodejs/undici/pull/2411Headers#set
correctly by @tsctx in https://github.com/nodejs/undici/pull/2432Headers#delete
correctly by @tsctx in https://github.com/nodejs/undici/pull/2430onHeaders
type declaration by @tsctx in https://github.com/nodejs/undici/pull/2444path
matching inintercept()
by @oliversalzburg in https://github.com/nodejs/undici/pull/2426New Contributors
Full Changelog: nodejs/undici@v5.27.2...v5.28.0
v5.27.2
Compare Source
Full Changelog: nodejs/undici@v5.27.1...v5.27.2
v5.27.1
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.27.0...v5.27.1
v5.27.0
Compare Source
What's Changed
Full Changelog: nodejs/undici@v5.26.5...v5.27.0
v5.26.5
Compare Source
What's Changed
Full Changelog: nodejs/undici@v5.26.4...v5.26.5
v5.26.4
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.26.3...v5.26.4
v5.26.3
Compare Source
v5.26.2
Compare Source
Security Release, CVE-2023-45143.
v5.26.1
Compare Source
What's Changed
Full Changelog: nodejs/undici@v5.26.0...v5.26.1
v5.26.0
Compare Source
What's Changed
node
by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2310--max-http-header-size
Node.js flag by @balazsorban44 in https://github.com/nodejs/undici/pull/2234New Contributors
Full Changelog: nodejs/undici@v5.23.4...v5.26.0
v5.25.4
Compare Source
v5.25.3
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.25.2...v5.25.3
v5.25.2
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.25.1...v5.25.2
v5.25.1
Compare Source
What's Changed
Full Changelog: nodejs/undici@v5.25.0...v5.25.1
v5.25.0
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.24.0...v5.25.0
v5.24.0
Compare Source
Notable Changes
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.23.0...v5.24.0
v5.23.0
Compare Source
What's Changed
autoselectfamily
on platforms without IPv6 support by @LiviaMedeiros in https://github.com/nodejs/undici/pull/2197addAbortListener
where applicable by @atlowChemi in https://github.com/nodejs/undici/pull/2195New Contributors
Full Changelog: nodejs/undici@v5.22.1...v5.23.0
v5.22.1
Compare Source
What's Changed
New Contributors
Full Changelog: nodejs/undici@v5.22.0...v5.22.1
v5.22.0
Compare Source
What's Changed
Full Changelog: htt
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR was generated by Mend Renovate. View the repository job log.