[Security] Bump undici from 5.10.0 to 5.21.2
Bumps undici from 5.10.0 to 5.21.2. This update includes security fixes.
Vulnerabilities fixed
Regular Expression Denial of Service in Headers
Impact
The
Headers.set()
andHeaders.append()
methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in theheaderValueNormalize()
utility function.Patches
This vulnerability was patched in v5.19.1.
Workarounds
There is no workaround. Please update to an unaffected version.
References
Credits
Carter Snook reported this vulnerability.
Patched versions: 5.19.1 Affected versions: < 5.19.1
CRLF Injection in Nodejs ‘undici’ via host
Impact
undici library does not protect
host
HTTP header from CRLF injection vulnerabilities.Patches
This issue was patched in Undici v5.19.1.
Workarounds
Sanitize the
headers.host
string before passing to undici.References
Reported at https://hackerone.com/reports/1820955.
Credits
Thank you to Zhipeng Zhang (
@timon8
) for reporting this vulnerability.Patched versions: 5.19.1 Affected versions: >= 2.0.0, < 5.19.1
Release notes
Sourced from undici's releases.
v5.21.2
What's Changed
- Content disposition parsing by
@KhafraDev
in nodejs/undici#2051- fix: clear set-cookie headers by
@KhafraDev
in nodejs/undici#2052Full Changelog: https://github.com/nodejs/undici/compare/v5.21.1...v5.21.2
v5.21.1
What's Changed
- Fix typo in kPipelining symbol by
@andrewfecenko
in nodejs/undici#2005- fix(fetch): remove
undefined
error cause by@aduh95
in nodejs/undici#2006- chore(deps-dev): bump tsd from 0.25.0 to 0.27.0 by
@dependabot
in nodejs/undici#2007- build(deps-dev): bump wait-on from 6.0.1 to 7.0.1 by
@dependabot
in nodejs/undici#1820- fix(wpt): set global META_TITLE for the runner by
@panva
in nodejs/undici#2008- fix: issue 2009 by
@KhafraDev
in nodejs/undici#2013- build(deps-dev): bump typescript from 4.9.5 to 5.0.2 by
@dependabot
in nodejs/undici#2018- added descriptive error messages for URL parser by
@RishabhKodes
in nodejs/undici#2016- fix(fetch): remove content-length header on redirect by
@KhafraDev
in nodejs/undici#2022- fix(fetch): remove assertion on request.body.source on redirect (#2027) by
@macno
in nodejs/undici#2028- fix: skip failing test in node >= v19.8 by
@KhafraDev
in nodejs/undici#2034- fetch: treat content-encoding as case-insensitive & remove x-deflate by
@KhafraDev
in nodejs/undici#2037- perf(fetch): use string comparisons for url schemes by
@KhafraDev
in nodejs/undici#2038- util: replace util.toUSVString with String.prototype.toWellFormed by
@KhafraDev
in nodejs/undici#2036- build(deps): bump github/codeql-action from 2.2.4 to 2.2.9 by
@dependabot
in nodejs/undici#2039- build(deps-dev): bump concurrently from 7.6.0 to 8.0.1 by
@dependabot
in nodejs/undici#2041- Small performance improvements by
@anonrig
in nodejs/undici#2044- fix(types): Add missing Blob import by
@dpogue
in nodejs/undici#2047- fix: set window option properly by
@KhafraDev
in nodejs/undici#2048- fetch: fix leak by
@ronag
in nodejs/undici#2049New Contributors
@aduh95
made their first contribution in nodejs/undici#2006@RishabhKodes
made their first contribution in nodejs/undici#2016@macno
made their first contribution in nodejs/undici#2028@dpogue
made their first contribution in nodejs/undici#2047Full Changelog: https://github.com/nodejs/undici/compare/v5.21.0...v5.21.1
v5.21.0
What's Changed
- workflow: add scorecard.yml by
@RafaelGSS
in nodejs/undici#1942- ci: timeout CI jobs after 15 minutes by
@dominykas
in nodejs/undici#1946- test(wpt): respect variants by
@panva
in nodejs/undici#1951- fix: improve isFormDataLike compat by
@ronag
in nodejs/undici#1953- fix: flaky fetch tests by
@KhafraDev
in nodejs/undici#1956- test(wpt): include all testing files by
@KhafraDev
in nodejs/undici#1954- fix: remove unneeded fetch tests by
@KhafraDev
in nodejs/undici#1960- fix: use normal timers for delays < 1s by
@ronag
in nodejs/undici#1961- perf: optimize happy path by
@anonrig
in nodejs/undici#1955
... (truncated)
Commits
-
b20405e
5.21.2 -
0562e9b
fix: clear set-cookie headers (#2052) -
fb84aac
Content disposition parsing (#2051) -
2d94417
5.21.1 -
a1846e5
fetch: fix leak (#2049) -
816dcaa
fix: set window option properly (#2048) -
eceaf9a
fix(types): Add missing Blob import (#2047) -
5f3b8e1
Small performance improvements (#2044) -
3d21d22
build(deps-dev): bump concurrently from 7.6.0 to 8.0.1 (#2041) -
a6d1474
build(deps): bump github/codeql-action from 2.2.4 to 2.2.9 (#2039) - Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
$dependabot rebase
will rebase this MR -
$dependabot recreate
will recreate this MR rewriting all the manual changes and resolving conflicts