[Security] Bump undici from 5.21.2 to 5.26.3
Bumps undici from 5.21.2 to 5.26.3. This update includes a security fix.
Vulnerabilities fixed
Undici's cookie header not cleared on cross-origin redirect in fetch
Impact
Undici clears Authorization headers on cross-origin redirects, but does not clear
Cookieheaders. By design,cookieheaders are forbidden request headers, disallowing them to be set inRequestInit.headersin browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.
Patches
This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.
Patched versions: 5.26.2 Affected versions: < 5.26.2
Release notes
Sourced from undici's releases.
v5.26.3
No release notes provided.
v5.26.2
Security Release, CVE-2023-45143.
v5.26.1
What's Changed
- Fix publish undici-types once and for all! by
@Ethan-Arrowoodin nodejs/undici#2338- Fix node detection omfg by
@KhafraDevin nodejs/undici#2341Full Changelog: https://github.com/nodejs/undici/compare/v5.26.0...v5.26.1
v5.26.0
What's Changed
- use npm install instead of npm ci by
@Ethan-Arrowoodin nodejs/undici#2309- change default header to
nodeby@Ethan-Arrowoodin nodejs/undici#2310- chore: change order of the pseudo-headers by
@kyrylodolynskyiin nodejs/undici#2308- fix: Agent.Options.factory should accept URL object or string as parameter by
@nicole0707in nodejs/undici#2295- build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by
@dependabotin nodejs/undici#2312- test: handle npm ignore-scripts settings by
@panvain nodejs/undici#2313- feat: respect
--max-http-header-sizeNode.js flag by@balazsorban44in nodejs/undici#2234- fix(#2311): End stream after body sent by
@metcoder95in nodejs/undici#2314- disallow setting host header in fetch by
@KhafraDevin nodejs/undici#2322- [StepSecurity] ci: Harden GitHub Actions by
@step-security-botin nodejs/undici#2325- fix fetch with coverage enabled by
@KhafraDevin nodejs/undici#2330- Fix stuck when using http2 POST Buffer by
@binseein nodejs/undici#2336- fix:
🏷 ️ add allowH2 to BuildOptions by@binseein nodejs/undici#2334- fix:
🐛 fix process http2 header by@binseein nodejs/undici#2332New Contributors
@kyrylodolynskyimade their first contribution in nodejs/undici#2308@nicole0707made their first contribution in nodejs/undici#2295@balazsorban44made their first contribution in nodejs/undici#2234@binseemade their first contribution in nodejs/undici#2336Full Changelog: https://github.com/nodejs/undici/compare/v5.23.4...v5.26.0
v5.25.3
What's Changed
- perf: improve parse-url implementation by
@anonrigin nodejs/undici#2286- test: enable websockets inclusion in WPTReport by
@panvain nodejs/undici#2284- remove npm run test from pre-commit hook by
@dancastilloin nodejs/undici#2296- perf: use
@fastify/busboyby@gurgundayin nodejs/undici#2211- Disable finalizationregistry if node code cov by
@mcollinain nodejs/undici#2298New Contributors
@gurgundaymade their first contribution in nodejs/undici#2211
... (truncated)
Commits
-
227b9be5.26.3 -
5351f1finclude esbuild script in files -
12a6218Bumped v5.26.2 -
e041de3Merge pull request from GHSA-wqq4-5wpv-mx2g -
c8c80b15.26.1 -
7bcb80cFix node detection omfg (#2341) -
69ea7b9hopefully this fixes it for good (#2338) -
4006aafBumped v5.26.0 -
df97958fix:🐛 fix process http2 header (#2332) -
b9d8368fix:🏷 ️ add allowH2 to BuildOptions (#2334) - Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
$dependabot rebasewill rebase this MR -
$dependabot recreatewill recreate this MR rewriting all the manual changes and resolving conflicts