[Security] Bump undici from 5.10.0 to 5.21.1

Bumps undici from 5.10.0 to 5.21.1. This update includes security fixes.

Vulnerabilities fixed

Regular Expression Denial of Service in Headers

Impact

The Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function.

Patches

This vulnerability was patched in v5.19.1.

Workarounds

There is no workaround. Please update to an unaffected version.

References

• https://hackerone.com/bugs?report_id=1784449

Credits

Carter Snook reported this vulnerability.

Patched versions: 5.19.1 Affected versions: < 5.19.1

CRLF Injection in Nodejs ‘undici’ via host

Impact

undici library does not protect host HTTP header from CRLF injection vulnerabilities.

Patches

This issue was patched in Undici v5.19.1.

Workarounds

Sanitize the headers.host string before passing to undici.

References

Reported at https://hackerone.com/reports/1820955.

Credits

Thank you to Zhipeng Zhang (@​timon8) for reporting this vulnerability.

Patched versions: 5.19.1 Affected versions: >= 2.0.0, < 5.19.1

Release notes

Sourced from undici's releases.

v5.21.1

What's Changed

• Fix typo in kPipelining symbol by @​andrewfecenko in nodejs/undici#2005
• fix(fetch): remove undefined error cause by @​aduh95 in nodejs/undici#2006
• chore(deps-dev): bump tsd from 0.25.0 to 0.27.0 by @​dependabot in nodejs/undici#2007
• build(deps-dev): bump wait-on from 6.0.1 to 7.0.1 by @​dependabot in nodejs/undici#1820
• fix(wpt): set global META_TITLE for the runner by @​panva in nodejs/undici#2008
• fix: issue 2009 by @​KhafraDev in nodejs/undici#2013
• build(deps-dev): bump typescript from 4.9.5 to 5.0.2 by @​dependabot in nodejs/undici#2018
• added descriptive error messages for URL parser by @​RishabhKodes in nodejs/undici#2016
• fix(fetch): remove content-length header on redirect by @​KhafraDev in nodejs/undici#2022
• fix(fetch): remove assertion on request.body.source on redirect (#2027) by @​macno in nodejs/undici#2028
• fix: skip failing test in node >= v19.8 by @​KhafraDev in nodejs/undici#2034
• fetch: treat content-encoding as case-insensitive & remove x-deflate by @​KhafraDev in nodejs/undici#2037
• perf(fetch): use string comparisons for url schemes by @​KhafraDev in nodejs/undici#2038
• util: replace util.toUSVString with String.prototype.toWellFormed by @​KhafraDev in nodejs/undici#2036
• build(deps): bump github/codeql-action from 2.2.4 to 2.2.9 by @​dependabot in nodejs/undici#2039
• build(deps-dev): bump concurrently from 7.6.0 to 8.0.1 by @​dependabot in nodejs/undici#2041
• Small performance improvements by @​anonrig in nodejs/undici#2044
• fix(types): Add missing Blob import by @​dpogue in nodejs/undici#2047
• fix: set window option properly by @​KhafraDev in nodejs/undici#2048
• fetch: fix leak by @​ronag in nodejs/undici#2049

New Contributors

• @​aduh95 made their first contribution in nodejs/undici#2006
• @​RishabhKodes made their first contribution in nodejs/undici#2016
• @​macno made their first contribution in nodejs/undici#2028
• @​dpogue made their first contribution in nodejs/undici#2047

Full Changelog: https://github.com/nodejs/undici/compare/v5.21.0...v5.21.1

v5.21.0

What's Changed

• workflow: add scorecard.yml by @​RafaelGSS in nodejs/undici#1942
• ci: timeout CI jobs after 15 minutes by @​dominykas in nodejs/undici#1946
• test(wpt): respect variants by @​panva in nodejs/undici#1951
• fix: improve isFormDataLike compat by @​ronag in nodejs/undici#1953
• fix: flaky fetch tests by @​KhafraDev in nodejs/undici#1956
• test(wpt): include all testing files by @​KhafraDev in nodejs/undici#1954
• fix: remove unneeded fetch tests by @​KhafraDev in nodejs/undici#1960
• fix: use normal timers for delays < 1s by @​ronag in nodejs/undici#1961
• perf: optimize happy path by @​anonrig in nodejs/undici#1955
• fix: 🐛 add URL upstream variations in BalancedPool types by @​jimmy-guzman in nodejs/undici#1966
• test(wpt): handle uncaught exceptions by @​KhafraDev in nodejs/undici#1965
• Fix failing wpts by @​KhafraDev in nodejs/undici#1967
• test(wpt): add results to an existing WPT Report by @​panva in nodejs/undici#1944
• fix: strengthen isStream condition checking by @​debadree25 in nodejs/undici#1969
• fix: implement basic policy container by @​KhafraDev in nodejs/undici#1970
• TypeScript type fixes, for #1949 by @​joshxyzhimself in nodejs/undici#1968
• websocket: separate connection logic from websocket by @​KhafraDev in nodejs/undici#1973

... (truncated)

Commits

• 2d94417 5.21.1
• a1846e5 fetch: fix leak (#2049)
• 816dcaa fix: set window option properly (#2048)
• eceaf9a fix(types): Add missing Blob import (#2047)
• 5f3b8e1 Small performance improvements (#2044)
• 3d21d22 build(deps-dev): bump concurrently from 7.6.0 to 8.0.1 (#2041)
• a6d1474 build(deps): bump github/codeql-action from 2.2.4 to 2.2.9 (#2039)
• 549e7ed util: replace util.toUSVString with String.prototype.toWellFormed (#2036)
• 7ae1779 perf(fetch): use string comparisons for url schemes (#2038)
• 9013a23 fetch: treat content-encoding as case-insensitive & remove x-deflate (#2037)
• Additional commits viewable in compare view

---

Dependabot commands

You can trigger Dependabot actions by commenting on this MR

• $dependabot rebase will rebase this MR
• $dependabot recreate will recreate this MR rewriting all the manual changes and resolving conflicts