From d4e7ac4801e4c9fcafe1435c333123a3be3151da Mon Sep 17 00:00:00 2001 From: "aikido-autofix[bot]" <119856028+aikido-autofix[bot]@users.noreply.github.com> Date: Thu, 16 Jan 2025 10:09:38 +0100 Subject: [PATCH] [Aikido] Fix security issue in undici via major version upgrade from 5.28.4 to 6.15.0 (#36) This PR will resolve the following CVEs: | CVE ID | Severity | Description | | --- | --- | --- | |
[AIKIDO-2024-10065](https://app.aikido.dev/issues/3744841/detail?groupId=324#AIKIDO-2024-10065)
|
MEDIUM
| Affected versions of the `undici` library are vulnerable to memory leaks. By making multiple fetch requests with the same `AbortSignal`, undici adds event listeners without removing them, leading to excessive memory consumption. | ## Summary by Sourcery Bug Fixes: - Fix memory leaks when making multiple fetch requests with the same `AbortSignal` in `undici`. Co-authored-by: aikido-autofix[bot] <119856028+aikido-autofix[bot]@users.noreply.github.com>
---
 package-lock.json | 19 ++++---------------
 package.json | 33 +++++++++++++++++++++++++++------
 2 files changed, 31 insertions(+), 21 deletions(-)
diff --git a/package-lock.json b/package-lock.json
index 694afab..3f0273e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2274,14 +2274,6 @@
 "@ethersproject/strings": "^5.7.0"
 }
 },
- "node_modules/@fastify/busboy": {
- "version": "2.1.1",
- "resolved": "https://registry.npmjs.org/@fastify/busboy/-/busboy-2.1.1.tgz",
- "integrity": "sha512-vBZP4NlzfOlerQTnba4aqZoMhE/a9HY7HRqoOPaETQcSQuWEIyZMHGfVu6w9wGtGK5fED5qRs2DteVCjOH60sA==",
- "engines": {
- "node": ">=14"
- }
- },
 "node_modules/@github/local-action": {
 "version": "2.5.0",
 "resolved": "https://registry.npmjs.org/@github/local-action/-/local-action-2.5.0.tgz",
@@ -8946,14 +8938,11 @@
 }
 },
 "node_modules/undici": {
- "version": "5.28.4",
- "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.4.tgz",
- "integrity": "sha512-72RFADWFqKmUb2hmmvNODKL3p9hcB6Gt2DOQMis1SEBaV6a4MH8soBvzg+95CYhCKPFedut2JY9bMfrDl9D23g==",
- "dependencies": {
- "@fastify/busboy": "^2.0.0"
- },
+ "version": "6.15.0",
+ "resolved": "https://registry.npmjs.org/undici/-/undici-6.15.0.tgz",
+ "integrity": "sha512-VviMt2tlMg1BvQ0FKXxrz1eJuyrcISrL2sPfBf7ZskX/FCEc/7LeThQaoygsMJpNqrATWQIsRVx+1Dpe4jaYuQ==",
 "engines": {
- "node": ">=14.0"
+ "node": ">=18.17"
 }
 },
 "node_modules/undici-types": {
diff --git a/package.json b/package.json
index 686f0b5..614186d 100644
--- a/package.json
+++ b/package.json
@@ -12,7 +12,11 @@
 "bugs": {
 "url": "https://github.com/actions/typescript-action/issues"
 },
- "keywords": ["actions", "node", "setup"],
+ "keywords": [
+ "actions",
+ "node",
+ "setup"
+ ],
 "exports": {
 ".": "./dist/index.js"
 },
@@ -37,15 +41,29 @@
 "verbose": true,
 "clearMocks": true,
 "testEnvironment": "node",
- "moduleFileExtensions": ["js", "ts"],
- "testMatch": ["**/*.test.ts"],
- "testPathIgnorePatterns": ["/node_modules/", "/dist/"],
+ "moduleFileExtensions": [
+ "js",
+ "ts"
+ ],
+ "testMatch": [
+ "**/*.test.ts"
+ ],
+ "testPathIgnorePatterns": [
+ "/node_modules/",
+ "/dist/"
+ ],
 "transform": {
 "^.+\\.ts$": "ts-jest"
 },
- "coverageReporters": ["json-summary", "text", "lcov"],
+ "coverageReporters": [
+ "json-summary",
+ "text",
+ "lcov"
+ ],
 "collectCoverage": true,
- "collectCoverageFrom": ["./src/**"]
+ "collectCoverageFrom": [
+ "./src/**"
+ ]
 },
 "dependencies": {
 "@actions/core": "^1.11.1"
@@ -63,5 +81,8 @@
 "ts-jest": "^29.2.5",
 "typescript": "^5.7.3",
 "ultracite": "^4.1.15"
+ },
+ "overrides": {
+ "undici@<=6.15.0": "6.15.0"
 }
 }
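Review bot: The `overrides` entry added in the last hunk forces every transitive request for undici at or below 6.15.0 — including any 5.x range a dependency declares — onto the exact version 6.15.0, so a later 6.15.x or 6.x patch release will not be picked up until the key and value are edited again. The lock diff shows this is a forced major upgrade: undici 6 drops the `@fastify/busboy` dependency and raises `engines.node` from `>=14.0` to `>=18.17`, and undici is not a direct dependency in the parts of package.json shown, so the package that actually requests undici 5 should be checked for compatibility with undici 6 and the action's runtime Node version confirmed to satisfy `>=18.17`. If the goal is to stay patched without further manual edits, a range value such as `"undici": "^6.15.0"` (npm overrides accept semver ranges) would let subsequent 6.x fixes through while still excluding the affected 5.x releases. The first two hunks are pure array reformatting and need no review.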