[Security] Bump undici from 5.10.0 to 5.20.0

Bumps undici from 5.10.0 to 5.20.0. This update includes security fixes.

Vulnerabilities fixed

Regular Expression Denial of Service in Headers

Impact

The Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function.

Patches

This vulnerability was patched in v5.19.1.

Workarounds

There is no workaround. Please update to an unaffected version.

References

• https://hackerone.com/bugs?report_id=1784449

Credits

Carter Snook reported this vulnerability.

Patched versions: 5.19.1 Affected versions: < 5.19.1

CRLF Injection in Nodejs ‘undici’ via host

Impact

undici library does not protect host HTTP header from CRLF injection vulnerabilities.

Patches

This issue was patched in Undici v5.19.1.

Workarounds

Sanitize the headers.host string before passing to undici.

References

Reported at https://hackerone.com/reports/1820955.

Credits

Thank you to Zhipeng Zhang (@​timon8) for reporting this vulnerability.

Patched versions: 5.19.1 Affected versions: >= 2.0.0, < 5.19.1

Release notes

Sourced from undici's releases.

v5.20.0

What's Changed

• perf: improve cookie parsing performance by @​KhafraDev in nodejs/undici#1931
• fix: disable websocket wpts in ci :( by @​KhafraDev in nodejs/undici#1932
• fix: Allow “undefined“ as value in headers by @​pan93412 in nodejs/undici#1929
• feat: Support autoSelectFamily when connecting. by @​ShogunPanda in nodejs/undici#1914
• fix: copy cookies when cloning haders by @​KhafraDev in nodejs/undici#1936
• test: more logs in wpt runner by @​KhafraDev in nodejs/undici#1933
• feat: change headersTimeout and bodyTimeout to 300s by @​kyrylkov in nodejs/undici#1937

Full Changelog: https://github.com/nodejs/undici/compare/v5.19.1...v5.20.0

v5.19.1

⚠️ Security Release ⚠️

• Regular Expression Denial of Service in Headers with CVE-2023-24807
• CRLF Injection in Nodejs ‘undici’ via host with CVE-2023-23936

This release is part of the Node.js security release train: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/

v5.19.0

What's Changed

• fix(fetch): raise AbortSignal max event listeners by @​KhafraDev in nodejs/undici#1910
• fix: content-disposition header parsing by @​climba03003 in nodejs/undici#1911
• fix: remove test by @​KhafraDev in nodejs/undici#1916
• feat: add Headers.prototype.getSetCookie by @​KhafraDev in nodejs/undici#1915
• fix(headers): clone getSetCookie list & add getSetCookie type by @​KhafraDev in nodejs/undici#1917
• doc(mock): update out-of-date reply documentation by @​p9f in nodejs/undici#1913
• fix(types): add missing keepAlive params by @​SkeLLLa in nodejs/undici#1918
• Make the fetch() abort test pass locally, on Linux and Mac, Node 18/19. by @​mcollina in nodejs/undici#1927

New Contributors

• @​climba03003 made their first contribution in nodejs/undici#1911
• @​p9f made their first contribution in nodejs/undici#1913

Full Changelog: https://github.com/nodejs/undici/compare/v5.18.0...v5.19.0

v5.18.0

What's Changed

• Add ability to set TCP keepalive by @​xconverge in nodejs/undici#1904
• use faster timers by @​ronag in nodejs/undici#1908
• fix: ensure header value is a string by @​ronag in nodejs/undici#1899

Full Changelog: https://github.com/nodejs/undici/compare/v5.17.1...v5.18.0

v5.17.1

What's Changed

• fix: bad buffer slice (https://github.com/nodejs/undici/commit/d2be675575512794dcd41b9683b209fc15368154)

... (truncated)

Commits

• 28b9dea Bumped v5.20.0
• 30dafe3 feat: change headersTimeout and bodyTimeout to 300s (#1937)
• eaf4dc9 test: more logs in wpt runner (#1933)
• 8b8bfa7 fix: copy cookies when cloning haders (#1936)
• eae6807 feat: Support autoSelectFamily when connecting. (#1914)
• c2387e8 fix: Allow “undefined“ as value in headers (#1929)
• f73ec63 fix: disable websocket wpts in ci :( (#1932)
• 2971280 perf: improve cookie parsing performance (#1931)
• 984d53b Bumped v5.19.1
• 6c32c0f lint fixes
• Additional commits viewable in compare view

---

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

• $dependabot rebase will rebase this MR
• $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts