build(deps): bump fastify/github-action-merge-dependabot from 3.9.0 to 3.9.1 by dependabot[bot] · Pull Request #2236 · nodejs/undici
Codecov Report
Patch and project coverage have no change.
Comparison is base (111fd23) 85.89% compared to head (d1ce5ce) 85.89%.
Report is 1 commit behind head on main.
Coverage Diff

| | main | #2236 | +/- |
|---|---|---|---|
| Coverage | 85.89% | 85.89% | |
| Files | 76 | 76 | |
| Lines | 6634 | 6634 | |
| Hits | 5698 | 5698 | |
| Misses | 936 | 936 | |
dependabot Bot deleted the dependabot/github_actions/fastify/github-action-merge-dependabot-3.9.1 branch
kodiakhq Bot referenced this pull request in ascorbic/unpic-img
kodiakhq Bot referenced this pull request in X-oss-byte/Canary-nextjs
kodiakhq Bot referenced this pull request in X-oss-byte/Nextjs
kfcampbell referenced this pull request in octokit/rest.js
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| undici (source) | [5.22.1 -> 5.26.2](https://renovatebot.com/diffs/npm/undici/5.22.1/5.26.2) | | | | |
GitHub Vulnerability Alerts
Impact
Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.
As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (i.e. an open redirector) to leak the cookie to the 3rd party site.
Patches
This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.
Release Notes
nodejs/undici (undici)
v5.26.2
Security Release, CVE-2023-45143.
v5.26.1
What's Changed
- Fix publish undici-types once and for all! by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2338
- Fix node detection omfg by @KhafraDev in https://github.com/nodejs/undici/pull/2341
Full Changelog: nodejs/undici@v5.26.0...v5.26.1
v5.26.0
What's Changed
- use npm install instead of npm ci by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2309
- change default header to `node` by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2310
- chore: change order of the pseudo-headers by @kyrylodolynskyi in https://github.com/nodejs/undici/pull/2308
- fix: Agent.Options.factory should accept URL object or string as parameter by @nicole0707 in https://github.com/nodejs/undici/pull/2295
- build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by @dependabot in https://github.com/nodejs/undici/pull/2312
- test: handle npm ignore-scripts settings by @panva in https://github.com/nodejs/undici/pull/2313
- feat: respect `--max-http-header-size` Node.js flag by @balazsorban44 in https://github.com/nodejs/undici/pull/2234
- fix(#2311): End stream after body sent by @metcoder95 in https://github.com/nodejs/undici/pull/2314
- disallow setting host header in fetch by @KhafraDev in https://github.com/nodejs/undici/pull/2322
- [StepSecurity] ci: Harden GitHub Actions by @step-security-bot in https://github.com/nodejs/undici/pull/2325
- fix fetch with coverage enabled by @KhafraDev in https://github.com/nodejs/undici/pull/2330
- Fix stuck when using http2 POST Buffer by @binsee in https://github.com/nodejs/undici/pull/2336
- fix: 🏷️ add allowH2 to BuildOptions by @binsee in https://github.com/nodejs/undici/pull/2334
- fix: 🐛 fix process http2 header by @binsee in https://github.com/nodejs/undici/pull/2332
New Contributors
- @kyrylodolynskyi made their first contribution in https://github.com/nodejs/undici/pull/2308
- @nicole0707 made their first contribution in https://github.com/nodejs/undici/pull/2295
- @balazsorban44 made their first contribution in https://github.com/nodejs/undici/pull/2234
- @binsee made their first contribution in https://github.com/nodejs/undici/pull/2336
Full Changelog: nodejs/undici@v5.23.4...v5.26.0
v5.25.3
What's Changed
- perf: improve parse-url implementation by @anonrig in https://github.com/nodejs/undici/pull/2286
- test: enable websockets inclusion in WPTReport by @panva in https://github.com/nodejs/undici/pull/2284
- remove npm run test from pre-commit hook by @dancastillo in https://github.com/nodejs/undici/pull/2296
- perf: use @fastify/busboy by @gurgunday in https://github.com/nodejs/undici/pull/2211
- Disable finalizationregistry if node code cov by @mcollina in https://github.com/nodejs/undici/pull/2298
New Contributors
- @gurgunday made their first contribution in https://github.com/nodejs/undici/pull/2211
Full Changelog: nodejs/undici@v5.25.2...v5.25.3
v5.25.2
What's Changed
- Add Khaf to releasers by @mcollina in https://github.com/nodejs/undici/pull/2276
- fix: fix request with readable mode is object by @killagu in https://github.com/nodejs/undici/pull/2279
- fix loading websockets when node is built w/ --without-ssl by @KhafraDev in https://github.com/nodejs/undici/pull/2282
New Contributors
- @killagu made their first contribution in https://github.com/nodejs/undici/pull/2279
Full Changelog: nodejs/undici@v5.25.1...v5.25.2
v5.25.1
What's Changed
- Add publish types script by @Ethan-Arrowood in https://github.com/nodejs/undici/pull/2273
Full Changelog: nodejs/undici@v5.25.0...v5.25.1
v5.25.0
What's Changed
- fix: h2 without body by @metcoder95 in https://github.com/nodejs/undici/pull/2258
- ci: remove duplicated runs by @metcoder95 in https://github.com/nodejs/undici/pull/2265
- improve documentation of timeouts by making the units clear in all places by @mcfedr in https://github.com/nodejs/undici/pull/2266
- expose websocket in node bundle by @KhafraDev in https://github.com/nodejs/undici/pull/2217
- test: fix Fetch/HTTP2 tests by @metcoder95 in https://github.com/nodejs/undici/pull/2263
- fix undici when node is built with --without-ssl by @KhafraDev in https://github.com/nodejs/undici/pull/2272
- fix: Fix type definition for Client Interceptors by @ComradeCow in https://github.com/nodejs/undici/pull/2269
- Fix http2 agent by @mcollina in https://github.com/nodejs/undici/pull/2275
New Contributors
- @ComradeCow made their first contribution in https://github.com/nodejs/undici/pull/2269
Full Changelog: nodejs/undici@v5.24.0...v5.25.0
v5.24.0
Notable Changes
- feat: Add H2 support by @metcoder95 in https://github.com/nodejs/undici/pull/2061
What's Changed
- build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0 by @dependabot in https://github.com/nodejs/undici/pull/2203
- better stack trace for body.json by @KhafraDev in https://github.com/nodejs/undici/pull/2215
- allow http & https websocket urls by @KhafraDev in https://github.com/nodejs/undici/pull/2218
- build(deps-dev): bump @sinonjs/fake-timers from 10.3.0 to 11.1.0 by @dependabot in https://github.com/nodejs/undici/pull/2221
- fix: pass ProxyAgent proxy status code error by @NBNGaming in https://github.com/nodejs/undici/pull/2162
- fix failing test by @KhafraDev in https://github.com/nodejs/undici/pull/2223
- docs: update MockPool.md intercept method description by @capaj in https://github.com/nodejs/undici/pull/2220
- Update wpts by @KhafraDev in https://github.com/nodejs/undici/pull/2226
- build(deps): bump github/codeql-action from 2.21.2 to 2.21.5 by @dependabot in https://github.com/nodejs/undici/pull/2240
- build(deps): bump actions/setup-node from 3.6.0 to 3.8.1 by @dependabot in https://github.com/nodejs/undici/pull/2237
- build(deps): bump fastify/github-action-merge-dependabot from 3.9.0 to 3.9.1 by @dependabot in https://github.com/nodejs/undici/pull/2236
- build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @dependabot in https://github.com/nodejs/undici/pull/2241
- build(deps): bump actions/dependency-review-action from 3.0.6 to 3.0.8 by @dependabot in https://github.com/nodejs/undici/pull/2238
- fix: aborting request with non-object error by @KhafraDev in https://github.com/nodejs/undici/pull/2243
- fix: preserve file path when parsing formdata by @jimmywarting in https://github.com/nodejs/undici/pull/2245
- build(deps-dev): bump tsd from 0.28.1 to 0.29.0 by @dependabot in https://github.com/nodejs/undici/pull/2246
- Updated benchmarks by @mcollina in https://github.com/nodejs/undici/pull/2250
- Fix fetch in node v20.6.0 by @mcollina in https://github.com/nodejs/undici/pull/2251
- Maybe fix v20 by @mcollina in https://github.com/nodejs/undici/pull/2252
- feat: Add H2 support by @metcoder95 in https://github.com/nodejs/undici/pull/2061
- docs: fix tables in README by @regseb in https://github.com/nodejs/undici/pull/2254
- Fix http2 fetch test by @mcollina in https://github.com/nodejs/undici/pull/2253
New Contributors
- @NBNGaming made their first contribution in https://github.com/nodejs/undici/pull/2162
- @capaj made their first contribution in https://github.com/nodejs/undici/pull/2220
- @regseb made their first contribution in https://github.com/nodejs/undici/pull/2254
Full Changelog: nodejs/undici@v5.23.0...v5.24.0
v5.23.0
What's Changed
- bump engines to node >= 16 by @ronag in https://github.com/nodejs/undici/pull/2119
- Revert "bump engines to node >= 16 (#2119)" by @ronag in https://github.com/nodejs/undici/pull/2121
- fetch: set referrer properly by @KhafraDev in https://github.com/nodejs/undici/pull/2125
- fix: support truncated gzip by @jimmywarting in https://github.com/nodejs/undici/pull/2126
- workflow: apply security best practices by @step-security-bot in https://github.com/nodejs/undici/pull/2130
- build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by @dependabot in https://github.com/nodejs/undici/pull/2135
- build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by @dependabot in https://github.com/nodejs/undici/pull/2133
- build(deps): bump node from 18-alpine to 20-alpine in /build by @dependabot in https://github.com/nodejs/undici/pull/2131
- build(deps): bump pkgjs/action from 0.1.6 to 0.1.7 by @dependabot in https://github.com/nodejs/undici/pull/2136
- build(deps): bump actions/checkout from 3.1.0 to 3.5.2 by @dependabot in https://github.com/nodejs/undici/pull/2132
- build(deps-dev): bump jsdom from 21.1.2 to 22.1.0 by @dependabot in https://github.com/nodejs/undici/pull/2142
- build(deps): bump fastify/github-action-merge-dependabot from 3.7.0 to 3.8.0 by @dependabot in https://github.com/nodejs/undici/pull/2148
- fix(pr): use correct pr template file by @AugustinMauroy in https://github.com/nodejs/undici/pull/2141
- Additional WebSocket send tests to cover all payload size categories by @jawj in https://github.com/nodejs/undici/pull/2149
- fix: reverse decompression order of "Content-Encoding" encodings (fixes #2158) by @rychkog in https://github.com/nodejs/undici/pull/2159
- fix: keep running WPTs if a test times out by @KhafraDev in https://github.com/nodejs/undici/pull/2165
- feat: add build environment info by @mhdawson in https://github.com/nodejs/undici/pull/2168
- fix: forward error reason to fetch controller by @KhafraDev in https://github.com/nodejs/undici/pull/2172
- stricter types for bodymixin.json by @KhafraDev in https://github.com/nodejs/undici/pull/2181
- chore: Renable autoSelectFamily tests. by @ShogunPanda in https://github.com/nodejs/undici/pull/2180
- build(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by @dependabot in https://github.com/nodejs/undici/pull/2147
- build(deps): bump github/codeql-action from 2.3.2 to 2.20.3 by @dependabot in https://github.com/nodejs/undici/pull/2185
- fix: fetch resource timing performance entry names should be strings by @GaryWilber in https://github.com/nodejs/undici/pull/2188
- build(deps): bump actions/checkout from 3.5.2 to 3.5.3 by @dependabot in https://github.com/nodejs/undici/pull/2176
- build(deps): bump fastify/github-action-merge-dependabot from 3.8.0 to 3.9.0 by @dependabot in https://github.com/nodejs/undici/pull/2177
- build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @dependabot in https://github.com/nodejs/undici/pull/2178
- build(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by @dependabot in https://github.com/nodejs/undici/pull/2175
- test: fix `autoselectfamily` on platforms without IPv6 support by @LiviaMedeiros in https://github.com/nodejs/undici/pull/2197
- fix: make multipart/form-data boundary string more consistent by @LiviaMedeiros in https://github.com/nodejs/undici/pull/2196
- docs: add proxy agent options docs by @dancastillo in https://github.com/nodejs/undici/pull/2193
- build(deps): bump github/codeql-action from 2.20.3 to 2.21.2 by @dependabot in https://github.com/nodejs/undici/pull/2205
- feat: make use of `addAbortListener` where applicable by @atlowChemi in https://github.com/nodejs/undici/pull/2195
New Contributors
- @step-security-bot made their first contribution in https://github.com/nodejs/undici/pull/2130
- @AugustinMauroy made their first contribution in https://github.com/nodejs/undici/pull/2141
- @rychkog made their first contribution in https://github.com/nodejs/undici/pull/2159
- @mhdawson made their first contribution in https://github.com/nodejs/undici/pull/2168
- @GaryWilber made their first contribution in https://github.com/nodejs/undici/pull/2188
- @atlowChemi made their first contribution in https://github.com/nodejs/undici/pull/2195
Full Changelog: nodejs/undici@v5.22.1...v5.23.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
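The advisory quoted in the comment above describes one rule a fetch-style client has to get right: when a redirect leaves the original origin, every header that carries credentials must be dropped, not just Authorization. The block below is an added example, not undici's code and not the fix in the commit the advisory cites. It places the vulnerable rule (Authorization stripped, Cookie kept) next to the hardened rule (both stripped) and adds a small check a client's own redirect tests can assert on. The URLs, header values and the `isCrossOrigin`, `redirectHeadersVulnerable`, `redirectHeadersHardened` and `leakedCredentialHeaders` functions are constructed for this example.

```javascript
// Added example, not undici's code. Models the redirect rule from the advisory:
// on a cross-origin redirect the client must drop every credential-bearing
// header. The "vulnerable" variant drops only Authorization (the behaviour the
// advisory describes); the "hardened" variant drops Cookie as well.
// All URLs, header values and function names below are constructed.

// Credential-bearing request headers that must not cross an origin boundary.
const CREDENTIAL_HEADERS = ['authorization', 'cookie'];

// HTTP header names are case-insensitive; normalise to lower case once.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// Origin = scheme + host + port. A change in any of the three is cross-origin,
// so https://api.example.com:8443 is a different origin from https://api.example.com.
function isCrossOrigin(fromUrl, toUrl) {
  return new URL(fromUrl).origin !== new URL(toUrl).origin;
}

// Vulnerable variant: only Authorization is removed on a cross-origin hop.
function redirectHeadersVulnerable(fromUrl, toUrl, headers) {
  const out = normalizeHeaders(headers);
  if (isCrossOrigin(fromUrl, toUrl)) delete out.authorization;
  return out;
}

// Hardened variant: every credential-bearing header is removed cross-origin.
function redirectHeadersHardened(fromUrl, toUrl, headers) {
  const out = normalizeHeaders(headers);
  if (isCrossOrigin(fromUrl, toUrl)) {
    for (const name of CREDENTIAL_HEADERS) delete out[name];
  }
  return out;
}

// Defender's check: given the headers a client is about to send to the redirect
// target, list the credential headers that would leave the original origin.
// Returns [] for a same-origin redirect, where keeping them is expected.
function leakedCredentialHeaders(fromUrl, toUrl, headersToSend) {
  if (!isCrossOrigin(fromUrl, toUrl)) return [];
  const sent = normalizeHeaders(headersToSend);
  return CREDENTIAL_HEADERS.filter((name) => name in sent);
}

// Constructed scenario: an authenticated API call answered with a redirect to a
// third-party host (the "open redirector" case in the advisory).
const ORIGINAL_URL = 'https://api.example.com/data';
const REDIRECT_URL = 'https://third-party.example.net/landing';
const REQUEST_HEADERS = {
  Authorization: 'Bearer constructed-token',
  Cookie: 'session=constructed-session-id',
  Accept: 'application/json',
};

function demo() {
  const vulnerable = redirectHeadersVulnerable(ORIGINAL_URL, REDIRECT_URL, REQUEST_HEADERS);
  const hardened = redirectHeadersHardened(ORIGINAL_URL, REDIRECT_URL, REQUEST_HEADERS);
  return {
    leakedByVulnerable: leakedCredentialHeaders(ORIGINAL_URL, REDIRECT_URL, vulnerable), // ['cookie']
    leakedByHardened: leakedCredentialHeaders(ORIGINAL_URL, REDIRECT_URL, hardened), // []
    hardenedHeaders: hardened, // only { accept: 'application/json' } survives
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

`leakedCredentialHeaders` is the piece worth keeping around: run it over the headers your client actually emits after following a redirect (a local test server that answers 302 to a second local origin is enough) and fail the test when it returns anything. Note that the origin comparison treats a port change as cross-origin and a default port (`:443` on https) as the same origin, which matches how `URL.origin` behaves.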
renovate Bot referenced this pull request in specfy/specfy
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| undici (source) | [5.23.0 -> 5.26.2](https://renovatebot.com/diffs/npm/undici/5.23.0/5.26.2) | | | | |
Configuration
📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
louis-bompart referenced this pull request in coveo/cli
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| undici (source) | [5.22.0 -> 5.26.2](https://renovatebot.com/diffs/npm/undici/5.22.0/5.26.2) | | | | |
- build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @dependabot in https://github.com/nodejs/undici/pull/2178
- build(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by @dependabot in https://github.com/nodejs/undici/pull/2175
- test: fix `autoselectfamily` on platforms without IPv6 support by @LiviaMedeiros in https://github.com/nodejs/undici/pull/2197
- fix: make multipart/form-data boundary string more consistent by @LiviaMedeiros in https://github.com/nodejs/undici/pull/2196
- docs: add proxy agent options docs by @dancastillo in https://github.com/nodejs/undici/pull/2193
- build(deps): bump github/codeql-action from 2.20.3 to 2.21.2 by @dependabot in https://github.com/nodejs/undici/pull/2205
- feat: make use of `addAbortListener` where applicable by @atlowChemi in https://github.com/nodejs/undici/pull/2195
New Contributors
- @step-security-bot made their first contribution in https://github.com/nodejs/undici/pull/2130
- @AugustinMauroy made their first contribution in https://github.com/nodejs/undici/pull/2141
- @rychkog made their first contribution in https://github.com/nodejs/undici/pull/2159
- @mhdawson made their first contribution in https://github.com/nodejs/undici/pull/2168
- @GaryWilber made their first contribution in https://github.com/nodejs/undici/pull/2188
- @atlowChemi made their first contribution in https://github.com/nodejs/undici/pull/2195
Full Changelog: nodejs/undici@v5.22.1...v5.23.0
v5.22.1
What's Changed
- Cache storage by @KhafraDev in https://github.com/nodejs/undici/pull/2076
- test: skip content-disposition test in node 18 by @KhafraDev in https://github.com/nodejs/undici/pull/2081
- Cache storage cleanup by @KhafraDev in https://github.com/nodejs/undici/pull/2082
- Cache storage fixes by @KhafraDev in https://github.com/nodejs/undici/pull/2083
- test: improve test coverage for ErrorEvent and MessageEvent by @KhafraDev in https://github.com/nodejs/undici/pull/2085
- test: remove --experimental-wasm-simd by @KhafraDev in https://github.com/nodejs/undici/pull/2087
- websocket: add websocketinit by @KhafraDev in https://github.com/nodejs/undici/pull/2088
- feat(websocket): allow setting custom headers by @KhafraDev in https://github.com/nodejs/undici/pull/2089
- test: fix tests failing only on node v20 by @KhafraDev in https://github.com/nodejs/undici/pull/2096
- fix: skip set content-length when FormData value is stream by @fengmk2 in https://github.com/nodejs/undici/pull/2091
- doc: update outdated command in contributing.md by @jazelly in https://github.com/nodejs/undici/pull/2099
- cache: fix most failing WPTs by @KhafraDev in https://github.com/nodejs/undici/pull/2100
- feat: allow build:wasm to auto detect platform by @jazelly in https://github.com/nodejs/undici/pull/2102
- docs: updated Error documentation (fixes #2090) by @titanism in https://github.com/nodejs/undici/pull/2092
- mimesniff: fix many broken tests by @KhafraDev in https://github.com/nodejs/undici/pull/2103
- test: fix failing tests by @KhafraDev in https://github.com/nodejs/undici/pull/2097
- build(deps): bump github/codeql-action from 2.2.9 to 2.3.2 by @dependabot in https://github.com/nodejs/undici/pull/2105
- fix: more informative error message to tell that the server doesn't match http/1.1 protocol by @Songkeys in https://github.com/nodejs/undici/pull/2055
- Fix bug in 16-bit frame length when buffer is a subarray by @jawj in https://github.com/nodejs/undici/pull/2106
- update wpts by @KhafraDev in https://github.com/nodejs/undici/pull/2108
- fix: update error definitions by @dfilatov in https://github.com/nodejs/undici/pull/2112
- fix: make assertion a noop by @ronag in https://github.com/nodejs/undici/pull/2111
New Contributors
- @jazelly made their first contribution in https://github.com/nodejs/undici/pull/2099
- @titanism made their first contribution in https://github.com/nodejs/undici/pull/2092
- @Songkeys made their first contribution in https://github.com/nodejs/undici/pull/2055
- @jawj made their first contribution in https://github.com/nodejs/undici/pull/2106
- @dfilatov made their first contribution in https://github.com/nodejs/undici/pull/2112
Full Changelog: nodejs/undici@v5.22.0...v5.22.1
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
Co-authored-by: developer-experience-bot[bot] <91079284+developer-experience-bot[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
crysmags pushed a commit to crysmags/undici that referenced this pull request