Commit 7f8f85b

Update dependency undici to v5.19.1 [SECURITY] (#7)
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [undici](https://undici.nodejs.org) ([source](https://togithub.com/nodejs/undici)) | [`5.14.0` -> `5.19.1`](https://renovatebot.com/diffs/npm/undici/5.14.0/5.19.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/undici/5.19.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/5.19.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/5.14.0/5.19.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/5.14.0/5.19.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2023-23936](https://togithub.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff)

### Impact

undici library does not protect `host` HTTP header from CRLF injection vulnerabilities.

### Patches

This issue was patched in Undici v5.19.1.

### Workarounds

Sanitize the `headers.host` string before passing to undici.

### References

Reported at https://hackerone.com/reports/1820955.

### Credits

Thank you to Zhipeng Zhang ([@timon8](https://hackerone.com/timon8)) for reporting this vulnerability.

---

### Release Notes

<details>
<summary>nodejs/undici (undici)</summary>

### [`v5.19.1`](https://togithub.com/nodejs/undici/releases/tag/v5.19.1)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.19.0...v5.19.1)

#### ⚠️ Security Release ⚠️

- [Regular Expression Denial of Service in Headers](https://togithub.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w) with CVE-2023-24807
- [CRLF Injection in Nodejs ‘undici’ via host](https://togithub.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff) with CVE-2023-23936

This release is part of the Node.js security release train: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/

### [`v5.19.0`](https://togithub.com/nodejs/undici/releases/tag/v5.19.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.18.0...v5.19.0)

#### What's Changed

- fix(fetch): raise AbortSignal max event listeners by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1910](https://togithub.com/nodejs/undici/pull/1910)
- fix: content-disposition header parsing by [@climba03003](https://togithub.com/climba03003) in [https://github.com/nodejs/undici/pull/1911](https://togithub.com/nodejs/undici/pull/1911)
- fix: remove test by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1916](https://togithub.com/nodejs/undici/pull/1916)
- feat: add Headers.prototype.getSetCookie by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1915](https://togithub.com/nodejs/undici/pull/1915)
- fix(headers): clone getSetCookie list & add getSetCookie type by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1917](https://togithub.com/nodejs/undici/pull/1917)
- doc(mock): update out-of-date reply documentation by [@p9f](https://togithub.com/p9f) in [https://github.com/nodejs/undici/pull/1913](https://togithub.com/nodejs/undici/pull/1913)
- fix(types): add missing keepAlive params by [@SkeLLLa](https://togithub.com/SkeLLLa) in [https://github.com/nodejs/undici/pull/1918](https://togithub.com/nodejs/undici/pull/1918)
- Make the fetch() abort test pass locally, on Linux and Mac, Node 18/19. by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/1927](https://togithub.com/nodejs/undici/pull/1927)

#### New Contributors

- [@climba03003](https://togithub.com/climba03003) made their first contribution in [https://github.com/nodejs/undici/pull/1911](https://togithub.com/nodejs/undici/pull/1911)
- [@p9f](https://togithub.com/p9f) made their first contribution in [https://github.com/nodejs/undici/pull/1913](https://togithub.com/nodejs/undici/pull/1913)

**Full Changelog**: nodejs/undici@v5.18.0...v5.19.0

### [`v5.18.0`](https://togithub.com/nodejs/undici/releases/tag/v5.18.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.17.1...v5.18.0)

#### What's Changed

- Add ability to set TCP keepalive by [@xconverge](https://togithub.com/xconverge) in [https://github.com/nodejs/undici/pull/1904](https://togithub.com/nodejs/undici/pull/1904)
- use faster timers by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1908](https://togithub.com/nodejs/undici/pull/1908)
- fix: ensure header value is a string by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1899](https://togithub.com/nodejs/undici/pull/1899)

**Full Changelog**: nodejs/undici@v5.17.1...v5.18.0

### [`v5.17.1`](https://togithub.com/nodejs/undici/releases/tag/v5.17.1)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.17.0...v5.17.1)

#### What's Changed

- fix: bad buffer slice (nodejs/undici@d2be675)

**Full Changelog**: nodejs/undici@v5.17.0...v5.17.1

### [`v5.17.0`](https://togithub.com/nodejs/undici/releases/tag/v5.17.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.16.0...v5.17.0)

#### What's Changed

- fix(wpts): Blob is a global getter in >=v19.x.x by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1880](https://togithub.com/nodejs/undici/pull/1880)
- doc: fix anchor links dispatcher.stream by [@RafaelGSS](https://togithub.com/RafaelGSS) in [https://github.com/nodejs/undici/pull/1881](https://togithub.com/nodejs/undici/pull/1881)
- wpt: make runner more resilient by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1884](https://togithub.com/nodejs/undici/pull/1884)
- Make test pass in v19.x by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/1879](https://togithub.com/nodejs/undici/pull/1879)
- Correct the type of DispatchOptions\["headers"] by [@pan93412](https://togithub.com/pan93412) in [https://github.com/nodejs/undici/pull/1896](https://togithub.com/nodejs/undici/pull/1896)
- perf(content-type parser): faster string collector by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1894](https://togithub.com/nodejs/undici/pull/1894)
- feat: expose content-type parser by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1895](https://togithub.com/nodejs/undici/pull/1895)
- fix(types): Update DispatchOptions type for missing "blocking" by [@xconverge](https://togithub.com/xconverge) in [https://github.com/nodejs/undici/pull/1889](https://togithub.com/nodejs/undici/pull/1889)
- fix(types): update error type definitions by [@rafaelcr](https://togithub.com/rafaelcr) in [https://github.com/nodejs/undici/pull/1888](https://togithub.com/nodejs/undici/pull/1888)
- fix: ensure connection header is a string by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1900](https://togithub.com/nodejs/undici/pull/1900)
- fix: throw if invalid content-type header by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1901](https://togithub.com/nodejs/undici/pull/1901)
- fix(fetch): use semicolon for Cookie header delimiter by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1906](https://togithub.com/nodejs/undici/pull/1906)
- Use FastBuffer by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1907](https://togithub.com/nodejs/undici/pull/1907)

#### New Contributors

- [@pan93412](https://togithub.com/pan93412) made their first contribution in [https://github.com/nodejs/undici/pull/1896](https://togithub.com/nodejs/undici/pull/1896)
- [@rafaelcr](https://togithub.com/rafaelcr) made their first contribution in [https://github.com/nodejs/undici/pull/1888](https://togithub.com/nodejs/undici/pull/1888)

**Full Changelog**: nodejs/undici@v5.16.0...v5.17.0

### [`v5.16.0`](https://togithub.com/nodejs/undici/releases/tag/v5.16.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.15.2...v5.16.0)

#### What's Changed

- Add feature to specify custom headers for proxies by [@Sebmaster](https://togithub.com/Sebmaster) in [https://github.com/nodejs/undici/pull/1877](https://togithub.com/nodejs/undici/pull/1877)

#### New Contributors

- [@Sebmaster](https://togithub.com/Sebmaster) made their first contribution in [https://github.com/nodejs/undici/pull/1877](https://togithub.com/nodejs/undici/pull/1877)

**Full Changelog**: nodejs/undici@v5.15.2...v5.16.0

### [`v5.15.2`](https://togithub.com/nodejs/undici/compare/9d5f23177408dc16d3d4cbb8cebf463081c54e16...9457c9719029945ef9ff36b71d58557443730942)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.15.1...v5.15.2)

### [`v5.15.1`](https://togithub.com/nodejs/undici/releases/tag/v5.15.1)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.15.0...v5.15.1)

#### What's Changed

- fix(websocket): simplify typedarray copying by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1854](https://togithub.com/nodejs/undici/pull/1854)
- fix: wpts on node v18.13.0+ by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1859](https://togithub.com/nodejs/undici/pull/1859)
- perf: allow keep alive for HEAD requests by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1858](https://togithub.com/nodejs/undici/pull/1858)
- fix: flaky abort test by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1863](https://togithub.com/nodejs/undici/pull/1863)

**Full Changelog**: nodejs/undici@v5.15.0...v5.15.1

### [`v5.15.0`](https://togithub.com/nodejs/undici/releases/tag/v5.15.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.14.0...v5.15.0)

#### What's Changed

- \[types] update ProxyAgent Options (timeout) by [@sosoba](https://togithub.com/sosoba) in [https://github.com/nodejs/undici/pull/1801](https://togithub.com/nodejs/undici/pull/1801)
- feat: implement websockets by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1795](https://togithub.com/nodejs/undici/pull/1795)
- feat(websocket): handle ping/pong frames & fix fragmented frames by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1809](https://togithub.com/nodejs/undici/pull/1809)
- docs: add basic fetch & company docs by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1810](https://togithub.com/nodejs/undici/pull/1810)
- make formdata body immutable and encode it only once by [@jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/nodejs/undici/pull/1814](https://togithub.com/nodejs/undici/pull/1814)
- test: add regression test for [#1814](https://togithub.com/nodejs/undici/issues/1814) by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1815](https://togithub.com/nodejs/undici/pull/1815)
- feat(websocket): only consume necessary bytes by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1812](https://togithub.com/nodejs/undici/pull/1812)
- websocket: use Buffer.allocUnsafe by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1817](https://togithub.com/nodejs/undici/pull/1817)
- build(deps-dev): bump [@sinonjs/fake-timers](https://togithub.com/sinonjs/fake-timers) from 9.1.2 to 10.0.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/1819](https://togithub.com/nodejs/undici/pull/1819)
- fix(websocket): deprecation warning & 64-bit unsigned int body length by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1818](https://togithub.com/nodejs/undici/pull/1818)
- Use nodejs.stream.destroyed symbol by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1816](https://togithub.com/nodejs/undici/pull/1816)
- fetch: removal of redundant condition by [@debadree25](https://togithub.com/debadree25) in [https://github.com/nodejs/undici/pull/1821](https://togithub.com/nodejs/undici/pull/1821)
- fix(request): request headers array by [@jd-carroll](https://togithub.com/jd-carroll) in [https://github.com/nodejs/undici/pull/1807](https://togithub.com/nodejs/undici/pull/1807)
- fix(websocket): validate payload length received by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1822](https://togithub.com/nodejs/undici/pull/1822)
- fix(websocket): run parser in loop, instead of recursively by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1828](https://togithub.com/nodejs/undici/pull/1828)
- fix(fetch): weaker refs by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1824](https://togithub.com/nodejs/undici/pull/1824)
- websocket: add tests for opening handshake by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1831](https://togithub.com/nodejs/undici/pull/1831)
- websocket: add tests for constructor, close, and send by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1832](https://togithub.com/nodejs/undici/pull/1832)
- websocket: more test coverage by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1833](https://togithub.com/nodejs/undici/pull/1833)
- fix(WPTs): flaky abort test by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1835](https://togithub.com/nodejs/undici/pull/1835)
- wpt: add test by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1836](https://togithub.com/nodejs/undici/pull/1836)
- fix: don't send keep-alive if we want reset by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1846](https://togithub.com/nodejs/undici/pull/1846)
- fetch: update body consume to match spec by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1847](https://togithub.com/nodejs/undici/pull/1847)
- feat: allow connection header in request by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/1829](https://togithub.com/nodejs/undici/pull/1829)
- feat: add cookie parsing ability by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1848](https://togithub.com/nodejs/undici/pull/1848)
- fix(cookie): add docs & expose in node v16 by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1849](https://togithub.com/nodejs/undici/pull/1849)
- fix(cookies): work with global Headers by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1850](https://togithub.com/nodejs/undici/pull/1850)
- docs(Dispatcher): adjust documentation for reset flag by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/1852](https://togithub.com/nodejs/undici/pull/1852)
- Fix broken interceptor test by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/1853](https://togithub.com/nodejs/undici/pull/1853)

#### New Contributors

- [@sosoba](https://togithub.com/sosoba) made their first contribution in [https://github.com/nodejs/undici/pull/1801](https://togithub.com/nodejs/undici/pull/1801)
- [@debadree25](https://togithub.com/debadree25) made their first contribution in [https://github.com/nodejs/undici/pull/1821](https://togithub.com/nodejs/undici/pull/1821)
- [@jd-carroll](https://togithub.com/jd-carroll) made their first contribution in [https://github.com/nodejs/undici/pull/1807](https://togithub.com/nodejs/undici/pull/1807)

**Full Changelog**: nodejs/undici@v5.14.0...v5.15.0

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/sammyfilly/Canary-nextjs).
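The advisory's workaround is to sanitize `headers.host` before the value reaches undici. The following is an added example of that check, not code from this PR, from the Canary-nextjs repository, or from undici itself. The names `isValidHostHeader`, `sanitizeHost`, `buildRequestOptions` and `classifySamples` are chosen here, the sample inputs at the bottom are constructed, and the options object is shaped for `undici.request(url, options)`; the undici call is left as a comment so the block runs without the package installed.

```javascript
// Added example, not undici's or this repository's code. Validates a Host
// header value taken from untrusted input (for example a header forwarded
// by a reverse proxy) before it is placed in request options for undici.

// RFC 7230: Host = uri-host [ ":" port ]. RFC 3986 uri-host is a reg-name,
// an IPv4 address, or a bracketed IP literal. The pattern below is stricter
// than the grammar on purpose: a conservative alphabet for the host part,
// an optional numeric port, and nothing else. Group 1 is the host, group 2
// the port digits (undefined when no port is present). A trailing-dot FQDN
// is rejected by this conservative form; relax it only if you need it.
const HOST_RE =
  /^(\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?)(?::(\d{1,5}))?$/;

// Returns true only for a value that is safe to emit as a Host header.
function isValidHostHeader(value) {
  if (typeof value !== 'string' || value.length === 0) return false;
  // CR, LF and any other whitespace are never legal inside a Host value.
  // Rejecting them up front is what stops a second header line from being
  // smuggled in through this field.
  if (/\s/.test(value)) return false;
  const m = HOST_RE.exec(value);
  if (m === null) return false;
  if (m[2] !== undefined) {
    const port = Number(m[2]);
    if (port < 1 || port > 65535) return false;
  }
  return true;
}

// Throws instead of "cleaning" the value: silently stripping bytes from a
// Host header hides the fact that the input was hostile, and the thrown
// TypeError is what you want to see in application logs.
function sanitizeHost(value) {
  if (!isValidHostHeader(value)) {
    throw new TypeError(`refusing to send invalid Host header: ${JSON.stringify(value)}`);
  }
  return value;
}

// Builds the options object a caller would pass to undici.request(url, opts).
// Only the Host value comes from the caller; everything else is fixed here.
function buildRequestOptions(untrustedHost) {
  return {
    method: 'GET',
    headers: { host: sanitizeHost(untrustedHost) },
  };
}

// Constructed sample inputs for a stand-alone run: four acceptable values,
// three that must be rejected (embedded CRLF, port out of range, empty).
const SAMPLES = [
  'example.com',
  'example.com:8443',
  '[::1]:3000',
  '10.0.0.1',
  'example.com\r\ninjected: 1',
  'example.com:70000',
  '',
];

function classifySamples() {
  return SAMPLES.map((s) => ({ input: s, valid: isValidHostHeader(s) }));
}

for (const r of classifySamples()) {
  console.log(`${r.valid ? 'accept' : 'reject'} ${JSON.stringify(r.input)}`);
}
// With undici installed, the guarded call would be:
//   request('https://example.com/', buildRequestOptions(forwardedHost))
```

The check runs on the caller's side and is independent of the undici version, which is the point of a workaround: it keeps a hostile Host value out of the request even on a build that still has the unpatched header path, and it stays useful after the upgrade as a defence in depth.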
1 parent d37cc6d commit 7f8f85b

2 files changed

+5
-5
lines changed


packages/next/package.json

Lines changed: 1 addition & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -279,7 +279,7 @@
279279
"timers-browserify": "2.0.12",
280280
"tty-browserify": "0.0.1",
281281
"ua-parser-js": "0.7.28",
282-
"undici": "5.14.0",
282+
"undici": "5.19.1",
283283
"unistore": "3.4.1",
284284
"util": "0.12.4",
285285
"uuid": "8.3.2",
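Review bot: the visible hunk only moves the declared version in packages/next/package.json from `"undici": "5.14.0"` to `"undici": "5.19.1"`, while the companion pnpm-lock.yaml change (4 additions, 4 deletions) is not rendered here; before merging, open the lock file and confirm that the resolved undici entry is exactly 5.19.1 with a refreshed integrity hash, otherwise a frozen-lockfile install keeps serving the vulnerable build. It is also worth recording in the merge note that 5.19.1 closes both advisories listed in the release notes above, CVE-2023-23936 (CRLF injection via host) and CVE-2023-24807 (ReDoS in Headers), not only the one the PR title is generated from.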

pnpm-lock.yaml

Lines changed: 4 additions & 4 deletions
Some generated files are not rendered by default.

0 commit comments
