chore(deps): update dependency undici to v5.28.3 [security] j:cdx-227

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	5.26.2 -> 5.28.3

GitHub Vulnerability Alerts

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

• https://fetch.spec.whatwg.org/#authentication-entries
• GHSA-wqq4-5wpv-mx2g

---

Release Notes

nodejs/undici (undici)

v5.28.3

Compare Source

⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

v5.28.2

Compare Source

What's Changed

• fix: remove optional chainning for compatible with Nodejs12 and below by @​bugb in https://github.com/nodejs/undici/pull/2470
• fix: remove node: prefix by @​tsctx in https://github.com/nodejs/undici/pull/2471
• perf: avoid Headers initialization by @​tsctx in https://github.com/nodejs/undici/pull/2468
• fix: handle SharedArrayBuffer correctly by @​tsctx in https://github.com/nodejs/undici/pull/2466
• fix: Add null type to signal in RequestInit by @​gebsh in https://github.com/nodejs/undici/pull/2455
• fix: correctly handle data URL with hashes. by @​tsctx in https://github.com/nodejs/undici/pull/2475
• fix: check response for timinginfo allow flag by @​ToshB in https://github.com/nodejs/undici/pull/2477
• Make call to onBodySent conditional in RetryHandler by @​MzUgM in https://github.com/nodejs/undici/pull/2478
• refactor: better integrity check by @​tsctx in https://github.com/nodejs/undici/pull/2462
• fix: Added support for inline URL username:password proxy auth by @​matt-way in https://github.com/nodejs/undici/pull/2473
• build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/2472
• build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @​dependabot in https://github.com/nodejs/undici/pull/2405
• build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @​dependabot in https://github.com/nodejs/undici/pull/2396
• build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/2395
• build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @​dependabot in https://github.com/nodejs/undici/pull/2392
• build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @​dependabot in https://github.com/nodejs/undici/pull/2389
• build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @​dependabot in https://github.com/nodejs/undici/pull/2302

New Contributors

• @​bugb made their first contribution in https://github.com/nodejs/undici/pull/2470
• @​gebsh made their first contribution in https://github.com/nodejs/undici/pull/2455
• @​ToshB made their first contribution in https://github.com/nodejs/undici/pull/2477
• @​MzUgM made their first contribution in https://github.com/nodejs/undici/pull/2478
• @​matt-way made their first contribution in https://github.com/nodejs/undici/pull/2473

Full Changelog: nodejs/undici@v5.28.1...v5.28.2

v5.28.1

Compare Source

What's Changed

• perf: Improve normalizeMethod by @​tsctx in https://github.com/nodejs/undici/pull/2456
• fix: dispatch error handling by @​ronag in https://github.com/nodejs/undici/pull/2459
• perf(request): optimize if headers are given by @​tsctx in https://github.com/nodejs/undici/pull/2454

Full Changelog: nodejs/undici@v5.28.0...v5.28.1

v5.28.0

Compare Source

What's Changed

• fix(parseHeaders): util.parseHeaders handle correctly array of buffer… by @​mdoria12 in https://github.com/nodejs/undici/pull/2398
• docs: add license to undici-types by @​dancastillo in https://github.com/nodejs/undici/pull/2401
• perf: optimize Readable.dump by @​ronag in https://github.com/nodejs/undici/pull/2402
• perf(headers): Improve Headers by @​tsctx in https://github.com/nodejs/undici/pull/2397
• test: re-enable conditional WPT Report for websockets by @​panva in https://github.com/nodejs/undici/pull/2407
• fix: delay abort on 'close' by @​ronag in https://github.com/nodejs/undici/pull/2408
• refactor: use substring instead of substr by @​tsctx in https://github.com/nodejs/undici/pull/2411
• add additional http2 test with fetch by @​KhafraDev in https://github.com/nodejs/undici/pull/2419
• fix: HTTPToken check by @​tsctx in https://github.com/nodejs/undici/pull/2410
• perf: optimize HeadersList.get by @​tsctx in https://github.com/nodejs/undici/pull/2420
• properly handle pseudo-headers in fetch by @​KhafraDev in https://github.com/nodejs/undici/pull/2422
• perf(headers): if the guard is immutable by @​tsctx in https://github.com/nodejs/undici/pull/2424
• fix(mock-agent): send stream body by @​tsctx in https://github.com/nodejs/undici/pull/2425
• build(deps): bump github/codeql-action from 2.21.5 to 2.22.5 by @​dependabot in https://github.com/nodejs/undici/pull/2394
• feat(#​2264): Expose Retry Handler by @​metcoder95 in https://github.com/nodejs/undici/pull/2281
• fix: implement Headers#set correctly by @​tsctx in https://github.com/nodejs/undici/pull/2432
• fix: implement Headers#delete correctly by @​tsctx in https://github.com/nodejs/undici/pull/2430
• test: update websocket wpt availability by @​panva in https://github.com/nodejs/undici/pull/2437
• fix: type comment position by @​tsctx in https://github.com/nodejs/undici/pull/2443
• fix: onHeaders type declaration by @​tsctx in https://github.com/nodejs/undici/pull/2444
• remove http2 status pseudo header from headers by @​KhafraDev in https://github.com/nodejs/undici/pull/2438
• docs: Clarify path matching in intercept() by @​oliversalzburg in https://github.com/nodejs/undici/pull/2426
• fix: set-cookie clone by @​tsctx in https://github.com/nodejs/undici/pull/2446
• docs: fix typo in maxConcurrentStreams by @​tniessen in https://github.com/nodejs/undici/pull/2450
• refactor: remove leftovers by @​metcoder95 in https://github.com/nodejs/undici/pull/2451
• refactor: add missing new operator by @​tsctx in https://github.com/nodejs/undici/pull/2452

New Contributors

• @​mdoria12 made their first contribution in https://github.com/nodejs/undici/pull/2398
• @​tsctx made their first contribution in https://github.com/nodejs/undici/pull/2397
• @​oliversalzburg made their first contribution in https://github.com/nodejs/undici/pull/2426

Full Changelog: nodejs/undici@v5.27.2...v5.28.0

v5.27.2

Compare Source

Full Changelog: nodejs/undici@v5.27.1...v5.27.2

v5.27.1

Compare Source

What's Changed

• add regression test by @​KhafraDev in https://github.com/nodejs/undici/pull/2376
• fix: define conditions when content-length should be sent by @​pxue in https://github.com/nodejs/undici/pull/2305
• refactor: removed unnecessary default by @​nikelborm in https://github.com/nodejs/undici/pull/2381
• fix: stream body handling by @​ronag in https://github.com/nodejs/undici/pull/2391

New Contributors

• @​pxue made their first contribution in https://github.com/nodejs/undici/pull/2305
• @​nikelborm made their first contribution in https://github.com/nodejs/undici/pull/2381

Full Changelog: nodejs/undici@v5.27.0...v5.27.1

v5.27.0

Compare Source

What's Changed

• Use sets and reusable TextEncoder/TextDecoder instances by @​kibertoad in https://github.com/nodejs/undici/pull/2368
• feat: forward onRequestSent to handler by @​ronag in https://github.com/nodejs/undici/pull/2375
• skip bundle test on node 16 by @​KhafraDev in https://github.com/nodejs/undici/pull/2377
• fix windows CI by @​KhafraDev in https://github.com/nodejs/undici/pull/2379

Full Changelog: nodejs/undici@v5.26.5...v5.27.0

v5.26.5

Compare Source

What's Changed

• Drop race condition in connect-timeout test by @​mcollina in https://github.com/nodejs/undici/pull/2360
• Remove a couple of unnecessary async functions by @​kibertoad in https://github.com/nodejs/undici/pull/2367
• Update namespace type with Fetch exports by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2361

Full Changelog: nodejs/undici@v5.26.4...v5.26.5

v5.26.4

Compare Source

What's Changed

• use esbuild define/hooks by @​KhafraDev in https://github.com/nodejs/undici/pull/2342
• fix request's arrayBuffer returning uint8 instead of arraybuffer by @​KhafraDev in https://github.com/nodejs/undici/pull/2344
• fix: skip readMore call if parser is null or undefined by @​iiAku in https://github.com/nodejs/undici/pull/2346
• test: first attempt for flaky fix by @​metcoder95 in https://github.com/nodejs/undici/pull/2337
• test: only include WebSocket in WPT Report where it's landed by @​panva in https://github.com/nodejs/undici/pull/2351
• Update DispatchInterceptor.md by @​Uzlopak in https://github.com/nodejs/undici/pull/2354
• fix: Avoid error for stream() being aborted by @​BobNobrain in https://github.com/nodejs/undici/pull/2355
• fix names with esbuild by @​KhafraDev in https://github.com/nodejs/undici/pull/2359

New Contributors

• @​iiAku made their first contribution in https://github.com/nodejs/undici/pull/2346
• @​Uzlopak made their first contribution in https://github.com/nodejs/undici/pull/2354
• @​BobNobrain made their first contribution in https://github.com/nodejs/undici/pull/2355

Full Changelog: nodejs/undici@v5.26.3...v5.26.4

v5.26.3

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[github-actions]

Thanks for your contribution @renovate[bot] !
When your pull-request is ready to be merged, check the box below to merge it

• Merge!

[github-actions]

Pull Request Report

PR Title

✅ Title follows the conventional commit spec.