chore(deps): undici v6.6.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	6.5.0 -> 6.6.1

GitHub Vulnerability Alerts

CVE-2024-24750

Impact

Calling fetch(url) and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak.

Patches

Patched in v6.6.1

Workarounds

Make sure to always consume the incoming body.

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

• https://fetch.spec.whatwg.org/#authentication-entries
• GHSA-wqq4-5wpv-mx2g

---

Release Notes

nodejs/undici (undici)

v6.6.1

Compare Source

⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

What's Changed

• fix: flaky debug test by @​Uzlopak in https://github.com/nodejs/undici/pull/2687
• build(deps): bump github/codeql-action from 3.22.12 to 3.23.2 by @​dependabot in https://github.com/nodejs/undici/pull/2688
• build(deps): bump actions/dependency-review-action from 3.1.0 to 4.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/2689
• fix: ci pipeline warnings by @​Uzlopak in https://github.com/nodejs/undici/pull/2685
• perf: optimize Iterator by @​tsctx in https://github.com/nodejs/undici/pull/2692

Full Changelog: nodejs/undici@v6.6.0...v6.6.1

v6.6.0

Compare Source

What's Changed

• add webSocket example by @​mertcanaltin in https://github.com/nodejs/undici/pull/2626
• chore: remove atomic-sleep as dev dependency by @​Uzlopak in https://github.com/nodejs/undici/pull/2648
• chore: remove semver as dev dependency by @​Uzlopak in https://github.com/nodejs/undici/pull/2646
• chore: remove table as dev dependency by @​Uzlopak in https://github.com/nodejs/undici/pull/2649
• chore: remove delay as dev dependency by @​Uzlopak in https://github.com/nodejs/undici/pull/2647
• chore: reduce noise in test-logs test/issue-2349.js by @​Uzlopak in https://github.com/nodejs/undici/pull/2655
• chore: fix faketimer warning in test/request-timeout.js by @​Uzlopak in https://github.com/nodejs/undici/pull/2656
• chore: reduce noise in test logs test/client-node-max-header-size.js by @​Uzlopak in https://github.com/nodejs/undici/pull/2654
• refactor: use fromInnerResponse by @​tsctx in https://github.com/nodejs/undici/pull/2635
• fix: support deflate raw responses by @​Uzlopak in https://github.com/nodejs/undici/pull/2650
• Support building for externally shared js builtins by @​mochaaP in https://github.com/nodejs/undici/pull/2643
• fix: typo clampAndCoarsenConnectionTimingInfo by @​Uzlopak in https://github.com/nodejs/undici/pull/2653
• chore: use 'node:'-prefix for requiring node core modules by @​Uzlopak in https://github.com/nodejs/undici/pull/2662
• build(deps-dev): bump husky from 8.0.3 to 9.0.7 by @​dependabot in https://github.com/nodejs/undici/pull/2667
• build(deps-dev): bump cronometro from 1.2.0 to 2.0.2 by @​dependabot in https://github.com/nodejs/undici/pull/2668
• remove timers/promises import by @​KhafraDev in https://github.com/nodejs/undici/pull/2665
• chore: fix various codesmells by @​Uzlopak in https://github.com/nodejs/undici/pull/2669
• chore: remove this alias in agent.js by @​Uzlopak in https://github.com/nodejs/undici/pull/2671
• chore: use optional chaining by @​Uzlopak in https://github.com/nodejs/undici/pull/2666
• chore: small perf improvements by @​Uzlopak in https://github.com/nodejs/undici/pull/2661
• implement spec changes from a while ago by @​KhafraDev in https://github.com/nodejs/undici/pull/2676
• websocket: fix close when no closing code is received by @​KhafraDev in https://github.com/nodejs/undici/pull/2680
• fix: make ci less flaky by @​Uzlopak in https://github.com/nodejs/undici/pull/2684

New Contributors

• @​mochaaP made their first contribution in https://github.com/nodejs/undici/pull/2643

Full Changelog: nodejs/undici@v6.5.0...v6.6.0

---

• If you want to rebase/retry this PR, check this box

[github-actions]

Visit the preview URL for this PR (updated for commit e4d274c):

https://whatsappapijs--pr302-renovate-npm-undici-5qkn74jo.web.app

_{(expires Mon, 26 Feb 2024 02:50:52 GMT)}

_{🔥 via Firebase Hosting GitHub Action 🌎}

_{Sign: 80a8dc4ceea5c783aae1d47b75797ee5b6c2f4be}