Update dependency undici to v5.26.2 [SECURITY] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	5.22.1 -> 5.26.2

GitHub Vulnerability Alerts

CVE-2023-45143

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

---

Release Notes

nodejs/undici (undici)

v5.26.2

Compare Source

Security Release, CVE-2023-45143.

v5.26.1

Compare Source

What's Changed

• Fix publish undici-types once and for all! by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2338
• Fix node detection omfg by @​KhafraDev in https://github.com/nodejs/undici/pull/2341

Full Changelog: nodejs/undici@v5.26.0...v5.26.1

v5.26.0

Compare Source

What's Changed

• use npm install instead of npm ci by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2309
• change default header to node by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2310
• chore: change order of the pseudo-headers by @​kyrylodolynskyi in https://github.com/nodejs/undici/pull/2308
• fix: Agent.Options.factory should accept URL object or string as parameter by @​nicole0707 in https://github.com/nodejs/undici/pull/2295
• build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by @​dependabot in https://github.com/nodejs/undici/pull/2312
• test: handle npm ignore-scripts settings by @​panva in https://github.com/nodejs/undici/pull/2313
• feat: respect --max-http-header-size Node.js flag by @​balazsorban44 in https://github.com/nodejs/undici/pull/2234
• fix(#​2311): End stream after body sent by @​metcoder95 in https://github.com/nodejs/undici/pull/2314
• disallow setting host header in fetch by @​KhafraDev in https://github.com/nodejs/undici/pull/2322
• [StepSecurity] ci: Harden GitHub Actions by @​step-security-bot in https://github.com/nodejs/undici/pull/2325
• fix fetch with coverage enabled by @​KhafraDev in https://github.com/nodejs/undici/pull/2330
• Fix stuck when using http2 POST Buffer by @​binsee in https://github.com/nodejs/undici/pull/2336
• fix: 🏷️ add allowH2 to BuildOptions by @​binsee in https://github.com/nodejs/undici/pull/2334
• fix: 🐛 fix process http2 header by @​binsee in https://github.com/nodejs/undici/pull/2332

New Contributors

• @​kyrylodolynskyi made their first contribution in https://github.com/nodejs/undici/pull/2308
• @​nicole0707 made their first contribution in https://github.com/nodejs/undici/pull/2295
• @​balazsorban44 made their first contribution in https://github.com/nodejs/undici/pull/2234
• @​binsee made their first contribution in https://github.com/nodejs/undici/pull/2336

Full Changelog: nodejs/undici@v5.23.4...v5.26.0

v5.25.4

Compare Source

v5.25.3

Compare Source

What's Changed

• perf: improve parse-url implementation by @​anonrig in https://github.com/nodejs/undici/pull/2286
• test: enable websockets inclusion in WPTReport by @​panva in https://github.com/nodejs/undici/pull/2284
• remove npm run test from pre-commit hook by @​dancastillo in https://github.com/nodejs/undici/pull/2296
• perf: use @​fastify/busboy by @​gurgunday in https://github.com/nodejs/undici/pull/2211
• Disable finalizationregistry if node code cov by @​mcollina in https://github.com/nodejs/undici/pull/2298

New Contributors

• @​gurgunday made their first contribution in https://github.com/nodejs/undici/pull/2211

Full Changelog: nodejs/undici@v5.25.2...v5.25.3

v5.25.2

Compare Source

What's Changed

• Add Khaf to releasers by @​mcollina in https://github.com/nodejs/undici/pull/2276
• fix: fix request with readable mode is object by @​killagu in https://github.com/nodejs/undici/pull/2279
• fix loading websockets when node is built w/ --without-ssl by @​KhafraDev in https://github.com/nodejs/undici/pull/2282

New Contributors

• @​killagu made their first contribution in https://github.com/nodejs/undici/pull/2279

Full Changelog: nodejs/undici@v5.25.1...v5.25.2

v5.25.1

Compare Source

What's Changed

• Add publish types script by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2273

Full Changelog: nodejs/undici@v5.25.0...v5.25.1

v5.25.0

Compare Source

What's Changed

• fix: h2 without body by @​metcoder95 in https://github.com/nodejs/undici/pull/2258
• ci: remove duplicated runs by @​metcoder95 in https://github.com/nodejs/undici/pull/2265
• improve documentation of timeouts by making the units clear in all places by @​mcfedr in https://github.com/nodejs/undici/pull/2266
• expose websocket in node bundle by @​KhafraDev in https://github.com/nodejs/undici/pull/2217
• test: fix Fetch/HTTP2 tests by @​metcoder95 in https://github.com/nodejs/undici/pull/2263
• fix undici when node is built with --without-ssl by @​KhafraDev in https://github.com/nodejs/undici/pull/2272
• fix: Fix type definition for Client Interceptors by @​ComradeCow in https://github.com/nodejs/undici/pull/2269
• Fix http2 agent by @​mcollina in https://github.com/nodejs/undici/pull/2275

New Contributors

• @​ComradeCow made their first contribution in https://github.com/nodejs/undici/pull/2269

Full Changelog: nodejs/undici@v5.24.0...v5.25.0

v5.24.0

Compare Source

Notable Changes

• feat: Add H2 support by @​metcoder95 in https://github.com/nodejs/undici/pull/2061

What's Changed

• build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0 by @​dependabot in https://github.com/nodejs/undici/pull/2203
• better stack trace for body.json by @​KhafraDev in https://github.com/nodejs/undici/pull/2215
• allow http & https websocket urls by @​KhafraDev in https://github.com/nodejs/undici/pull/2218
• build(deps-dev): bump @​sinonjs/fake-timers from 10.3.0 to 11.1.0 by @​dependabot in https://github.com/nodejs/undici/pull/2221
• fix: pass ProxyAgent proxy status code error by @​NBNGaming in https://github.com/nodejs/undici/pull/2162
• fix failing test by @​KhafraDev in https://github.com/nodejs/undici/pull/2223
• docs: update MockPool.md intercept method description by @​capaj in https://github.com/nodejs/undici/pull/2220
• Update wpts by @​KhafraDev in https://github.com/nodejs/undici/pull/2226
• build(deps): bump github/codeql-action from 2.21.2 to 2.21.5 by @​dependabot in https://github.com/nodejs/undici/pull/2240
• build(deps): bump actions/setup-node from 3.6.0 to 3.8.1 by @​dependabot in https://github.com/nodejs/undici/pull/2237
• build(deps): bump fastify/github-action-merge-dependabot from 3.9.0 to 3.9.1 by @​dependabot in https://github.com/nodejs/undici/pull/2236
• build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @​dependabot in https://github.com/nodejs/undici/pull/2241
• build(deps): bump actions/dependency-review-action from 3.0.6 to 3.0.8 by @​dependabot in https://github.com/nodejs/undici/pull/2238
• fix: aborting request with non-object error by @​KhafraDev in https://github.com/nodejs/undici/pull/2243
• fix: preserve file path when parsing formdata by @​jimmywarting in https://github.com/nodejs/undici/pull/2245
• build(deps-dev): bump tsd from 0.28.1 to 0.29.0 by @​dependabot in https://github.com/nodejs/undici/pull/2246
• Updated benchmarks by @​mcollina in https://github.com/nodejs/undici/pull/2250
• Fix fetch in node v20.6.0 by @​mcollina in https://github.com/nodejs/undici/pull/2251
• Maybe fix v20 by @​mcollina in https://github.com/nodejs/undici/pull/2252
• feat: Add H2 support by @​metcoder95 in https://github.com/nodejs/undici/pull/2061
• docs: fix tables in README by @​regseb in https://github.com/nodejs/undici/pull/2254
• Fix http2 fetch test by @​mcollina in https://github.com/nodejs/undici/pull/2253

New Contributors

• @​NBNGaming made their first contribution in https://github.com/nodejs/undici/pull/2162
• @​capaj made their first contribution in https://github.com/nodejs/undici/pull/2220
• @​regseb made their first contribution in https://github.com/nodejs/undici/pull/2254

Full Changelog: nodejs/undici@v5.23.0...v5.24.0

v5.23.0

Compare Source

What's Changed

• bump engines to node >= 16 by @​ronag in https://github.com/nodejs/undici/pull/2119
• Revert "bump engines to node >= 16 (#​2119)" by @​ronag in https://github.com/nodejs/undici/pull/2121
• fetch: set referrer properly by @​KhafraDev in https://github.com/nodejs/undici/pull/2125
• fix: support truncated gzip by @​jimmywarting in https://github.com/nodejs/undici/pull/2126
• workflow: apply security best practices by @​step-security-bot in https://github.com/nodejs/undici/pull/2130
• build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by @​dependabot in https://github.com/nodejs/undici/pull/2135
• build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by @​dependabot in https://github.com/nodejs/undici/pull/2133
• build(deps): bump node from 18-alpine to 20-alpine in /build by @​dependabot in https://github.com/nodejs/undici/pull/2131
• build(deps): bump pkgjs/action from 0.1.6 to 0.1.7 by @​dependabot in https://github.com/nodejs/undici/pull/2136
• build(deps): bump actions/checkout from 3.1.0 to 3.5.2 by @​dependabot in https://github.com/nodejs/undici/pull/2132
• build(deps-dev): bump jsdom from 21.1.2 to 22.1.0 by @​dependabot in https://github.com/nodejs/undici/pull/2142
• build(deps): bump fastify/github-action-merge-dependabot from 3.7.0 to 3.8.0 by @​dependabot in https://github.com/nodejs/undici/pull/2148
• fix(pr): use correct pr template file by @​AugustinMauroy in https://github.com/nodejs/undici/pull/2141
• Additional WebSocket send tests to cover all payload size categories by @​jawj in https://github.com/nodejs/undici/pull/2149
• fix: reverse decompression order of "Content-Encoding" encodings (fixes #​2158) by @​rychkog in https://github.com/nodejs/undici/pull/2159
• fix: keep running WPTs if a test times out by @​KhafraDev in https://github.com/nodejs/undici/pull/2165
• feat: add build environment info by @​mhdawson in https://github.com/nodejs/undici/pull/2168
• fix: forward error reason to fetch controller by @​KhafraDev in https://github.com/nodejs/undici/pull/2172
• stricter types for bodymixin.json by @​KhafraDev in https://github.com/nodejs/undici/pull/2181
• chore: Renable autoSelectFamily tests. by @​ShogunPanda in https://github.com/nodejs/undici/pull/2180
• build(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by @​dependabot in https://github.com/nodejs/undici/pull/2147
• build(deps): bump github/codeql-action from 2.3.2 to 2.20.3 by @​dependabot in https://github.com/nodejs/undici/pull/2185
• fix: fetch resource timing performance entry names should be strings by @​GaryWilber in https://github.com/nodejs/undici/pull/2188
• build(deps): bump actions/checkout from 3.5.2 to 3.5.3 by @​dependabot in https://github.com/nodejs/undici/pull/2176
• build(deps): bump fastify/github-action-merge-dependabot from 3.8.0 to 3.9.0 by @​dependabot in https://github.com/nodejs/undici/pull/2177
• build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @​dependabot in https://github.com/nodejs/undici/pull/2178
• build(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by @​dependabot in https://github.com/nodejs/undici/pull/2175
• test: fix autoselectfamily on platforms without IPv6 support by @​LiviaMedeiros in https://github.com/nodejs/undici/pull/2197
• fix: make multipart/form-data boundary string more consistent by @​LiviaMedeiros in https://github.com/nodejs/undici/pull/2196
• docs: add proxy agent options docs by @​dancastillo in https://github.com/nodejs/undici/pull/2193
• build(deps): bump github/codeql-action from 2.20.3 to 2.21.2 by @​dependabot in https://github.com/nodejs/undici/pull/2205
• feat: make use of addAbortListener where applicable by @​atlowChemi in https://github.com/nodejs/undici/pull/2195

New Contributors

• @​step-security-bot made their first contribution in https://github.com/nodejs/undici/pull/2130
• @​AugustinMauroy made their first contribution in https://github.com/nodejs/undici/pull/2141
• @​rychkog made their first contribution in https://github.com/nodejs/undici/pull/2159
• @​mhdawson made their first contribution in https://github.com/nodejs/undici/pull/2168
• @​GaryWilber made their first contribution in https://github.com/nodejs/undici/pull/2188
• @​atlowChemi made their first contribution in https://github.com/nodejs/undici/pull/2195

Full Changelog: nodejs/undici@v5.22.1...v5.23.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[socket-security]

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
undici	5.22.1...5.28.2	None	+1/-2	1.25 MB	matteo.collina