[Security] Bump undici from 5.26.3 to 5.28.3
Bumps undici from 5.26.3 to 5.28.3. This update includes a security fix.
Vulnerabilities fixed
Undici proxy-authorization header not cleared on cross-origin redirect in fetch
Impact
Undici already cleared Authorization headers on cross-origin redirects, but did not clear
Proxy-Authorizationheaders.Patches
This is patched in v5.28.3 and v6.6.1
Workarounds
There are no known workarounds.
References
- https://fetch.spec.whatwg.org/#authentication-entries
- https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g
Patched versions: 5.28.3 Affected versions: <= 5.28.2
Release notes
Sourced from undici's releases.
v5.28.3
⚠ ️ Security Release⚠ ️Fixes:
Full Changelog: https://github.com/nodejs/undici/compare/v5.28.2...v5.28.3
v5.28.2
What's Changed
- fix: remove optional chainning for compatible with Nodejs12 and below by
@bugbin nodejs/undici#2470- fix: remove
node:prefix by@tsctxin nodejs/undici#2471- perf: avoid Headers initialization by
@tsctxin nodejs/undici#2468- fix: handle SharedArrayBuffer correctly by
@tsctxin nodejs/undici#2466- fix: Add
nulltype tosignalinRequestInitby@gebshin nodejs/undici#2455- fix: correctly handle data URL with hashes. by
@tsctxin nodejs/undici#2475- fix: check response for timinginfo allow flag by
@ToshBin nodejs/undici#2477- Make call to onBodySent conditional in RetryHandler by
@MzUgMin nodejs/undici#2478- refactor: better integrity check by
@tsctxin nodejs/undici#2462- fix: Added support for inline URL username:password proxy auth by
@matt-wayin nodejs/undici#2473- build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by
@dependabotin nodejs/undici#2472- build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by
@dependabotin nodejs/undici#2405- build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by
@dependabotin nodejs/undici#2396- build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by
@dependabotin nodejs/undici#2395- build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by
@dependabotin nodejs/undici#2392- build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by
@dependabotin nodejs/undici#2389- build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by
@dependabotin nodejs/undici#2302New Contributors
@bugbmade their first contribution in nodejs/undici#2470@gebshmade their first contribution in nodejs/undici#2455@ToshBmade their first contribution in nodejs/undici#2477@MzUgMmade their first contribution in nodejs/undici#2478@matt-waymade their first contribution in nodejs/undici#2473Full Changelog: https://github.com/nodejs/undici/compare/v5.28.1...v5.28.2
v5.28.1
What's Changed
- perf: Improve
normalizeMethodby@tsctxin nodejs/undici#2456- fix: dispatch error handling by
@ronagin nodejs/undici#2459- perf(request): optimize if headers are given by
@tsctxin nodejs/undici#2454Full Changelog: https://github.com/nodejs/undici/compare/v5.28.0...v5.28.1
v5.28.0
What's Changed
- fix(parseHeaders): util.parseHeaders handle correctly array of buffer… by
@mdoria12in nodejs/undici#2398
... (truncated)
Commits
-
e71cb4cBumped v5.28.3 -
20c65b8Fix tests for Node.js v20.11.0 (#2618) -
8ec52cdFix tests for Node.js v21 (#2609) -
d3aa574Merge pull request from GHSA-3787-6prv-h9w3 -
9a14e5fBumped v5.28.2 -
fcdfe87build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 (#2302) -
169c157build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (#2389) -
9788177build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 (#2392) -
1f6d159build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 (#2395) -
a393a86build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 (#2396) - Additional commits viewable in compare view
Dependabot commands
You can trigger Dependabot actions by commenting on this MR
-
$dependabot rebasewill rebase this MR -
$dependabot recreatewill recreate this MR rewriting all the manual changes and resolving conflicts