From 7f8f85b42b17ebb4cbb9fe40c4c957c38b468903 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Mon, 18 Sep 2023 10:38:35 +0000 Subject: [PATCH] Update dependency undici to v5.19.1 [SECURITY] (#7) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit [![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [undici](https://undici.nodejs.org) ([source](https://togithub.com/nodejs/undici)) | [`5.14.0` -> `5.19.1`](https://renovatebot.com/diffs/npm/undici/5.14.0/5.19.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/undici/5.19.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/5.19.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/5.14.0/5.19.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/5.14.0/5.19.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2023-23936](https://togithub.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff) ### Impact undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. ### Patches This issue was patched in Undici v5.19.1. ### Workarounds Sanitize the `headers.host` string before passing to undici. ### References Reported at https://hackerone.com/reports/1820955. ### Credits Thank you to Zhipeng Zhang ([@​timon8](https://hackerone.com/timon8)) for reporting this vulnerability. --- ### Release Notes
nodejs/undici (undici) ### [`v5.19.1`](https://togithub.com/nodejs/undici/releases/tag/v5.19.1) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.19.0...v5.19.1) #### ⚠️ Security Release ⚠️ - [Regular Expression Denial of Service in Headers](https://togithub.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w) with CVE-2023-24807 - [CRLF Injection in Nodejs ‘undici’ via host](https://togithub.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff) with CVE-2023-23936 This release is part of the Node.js security release train: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/ ### [`v5.19.0`](https://togithub.com/nodejs/undici/releases/tag/v5.19.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.18.0...v5.19.0) #### What's Changed - fix(fetch): raise AbortSignal max event listeners by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1910](https://togithub.com/nodejs/undici/pull/1910) - fix: content-disposition header parsing by [@​climba03003](https://togithub.com/climba03003) in [https://github.com/nodejs/undici/pull/1911](https://togithub.com/nodejs/undici/pull/1911) - fix: remove test by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1916](https://togithub.com/nodejs/undici/pull/1916) - feat: add Headers.prototype.getSetCookie by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1915](https://togithub.com/nodejs/undici/pull/1915) - fix(headers): clone getSetCookie list & add getSetCookie type by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1917](https://togithub.com/nodejs/undici/pull/1917) - doc(mock): update out-of-date reply documentation by [@​p9f](https://togithub.com/p9f) in [https://github.com/nodejs/undici/pull/1913](https://togithub.com/nodejs/undici/pull/1913) - fix(types): add missing keepAlive params by [@​SkeLLLa](https://togithub.com/SkeLLLa) in [https://github.com/nodejs/undici/pull/1918](https://togithub.com/nodejs/undici/pull/1918) - Make the fetch() abort test pass locally, on Linux and Mac, Node 18/19. by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/1927](https://togithub.com/nodejs/undici/pull/1927) #### New Contributors - [@​climba03003](https://togithub.com/climba03003) made their first contribution in [https://github.com/nodejs/undici/pull/1911](https://togithub.com/nodejs/undici/pull/1911) - [@​p9f](https://togithub.com/p9f) made their first contribution in [https://github.com/nodejs/undici/pull/1913](https://togithub.com/nodejs/undici/pull/1913) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.18.0...v5.19.0 ### [`v5.18.0`](https://togithub.com/nodejs/undici/releases/tag/v5.18.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.17.1...v5.18.0) ##### What's Changed - Add ability to set TCP keepalive by [@​xconverge](https://togithub.com/xconverge) in [https://github.com/nodejs/undici/pull/1904](https://togithub.com/nodejs/undici/pull/1904) - use faster timers by [@​ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1908](https://togithub.com/nodejs/undici/pull/1908) - fix: ensure header value is a string by [@​ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1899](https://togithub.com/nodejs/undici/pull/1899) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.17.1...v5.18.0 ### [`v5.17.1`](https://togithub.com/nodejs/undici/releases/tag/v5.17.1) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.17.0...v5.17.1) #### What's Changed - fix: bad buffer slice (https://github.com/nodejs/undici/commit/d2be675575512794dcd41b9683b209fc15368154) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.17.0...v5.17.1 ### [`v5.17.0`](https://togithub.com/nodejs/undici/releases/tag/v5.17.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.16.0...v5.17.0) #### What's Changed - fix(wpts): Blob is a global getter in >=v19.x.x by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1880](https://togithub.com/nodejs/undici/pull/1880) - doc: fix anchor links dispatcher.stream by [@​RafaelGSS](https://togithub.com/RafaelGSS) in [https://github.com/nodejs/undici/pull/1881](https://togithub.com/nodejs/undici/pull/1881) - wpt: make runner more resilient by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1884](https://togithub.com/nodejs/undici/pull/1884) - Make test pass in v19.x by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/1879](https://togithub.com/nodejs/undici/pull/1879) - Correct the type of DispatchOptions\["headers"] by [@​pan93412](https://togithub.com/pan93412) in [https://github.com/nodejs/undici/pull/1896](https://togithub.com/nodejs/undici/pull/1896) - perf(content-type parser): faster string collector by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1894](https://togithub.com/nodejs/undici/pull/1894) - feat: expose content-type parser by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1895](https://togithub.com/nodejs/undici/pull/1895) - fix(types): Update DispatchOptions type for missing "blocking" by [@​xconverge](https://togithub.com/xconverge) in [https://github.com/nodejs/undici/pull/1889](https://togithub.com/nodejs/undici/pull/1889) - fix(types): update error type definitions by [@​rafaelcr](https://togithub.com/rafaelcr) in [https://github.com/nodejs/undici/pull/1888](https://togithub.com/nodejs/undici/pull/1888) - fix: ensure connection header is a string by [@​ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1900](https://togithub.com/nodejs/undici/pull/1900) - fix: throw if invalid content-type header by [@​ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1901](https://togithub.com/nodejs/undici/pull/1901) - fix(fetch): use semicolon for Cookie header delimiter by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1906](https://togithub.com/nodejs/undici/pull/1906) - Use FastBuffer by [@​ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1907](https://togithub.com/nodejs/undici/pull/1907) #### New Contributors - [@​pan93412](https://togithub.com/pan93412) made their first contribution in [https://github.com/nodejs/undici/pull/1896](https://togithub.com/nodejs/undici/pull/1896) - [@​rafaelcr](https://togithub.com/rafaelcr) made their first contribution in [https://github.com/nodejs/undici/pull/1888](https://togithub.com/nodejs/undici/pull/1888) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.16.0...v5.17.0 ### [`v5.16.0`](https://togithub.com/nodejs/undici/releases/tag/v5.16.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.15.2...v5.16.0) #### What's Changed - Add feature to specify custom headers for proxies by [@​Sebmaster](https://togithub.com/Sebmaster) in [https://github.com/nodejs/undici/pull/1877](https://togithub.com/nodejs/undici/pull/1877) #### New Contributors - [@​Sebmaster](https://togithub.com/Sebmaster) made their first contribution in [https://github.com/nodejs/undici/pull/1877](https://togithub.com/nodejs/undici/pull/1877) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.15.2...v5.16.0 ### [`v5.15.2`](https://togithub.com/nodejs/undici/compare/9d5f23177408dc16d3d4cbb8cebf463081c54e16...9457c9719029945ef9ff36b71d58557443730942) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.15.1...v5.15.2) ### [`v5.15.1`](https://togithub.com/nodejs/undici/releases/tag/v5.15.1) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.15.0...v5.15.1) #### What's Changed - fix(websocket): simplify typedarray copying by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1854](https://togithub.com/nodejs/undici/pull/1854) - fix: wpts on node v18.13.0+ by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1859](https://togithub.com/nodejs/undici/pull/1859) - perf: allow keep alive for HEAD requests by [@​ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1858](https://togithub.com/nodejs/undici/pull/1858) - fix: flaky abort test by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1863](https://togithub.com/nodejs/undici/pull/1863) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.15.0...v5.15.1 ### [`v5.15.0`](https://togithub.com/nodejs/undici/releases/tag/v5.15.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.14.0...v5.15.0) #### What's Changed - \[types] update ProxyAgent Options (timeout) by [@​sosoba](https://togithub.com/sosoba) in [https://github.com/nodejs/undici/pull/1801](https://togithub.com/nodejs/undici/pull/1801) - feat: implement websockets by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1795](https://togithub.com/nodejs/undici/pull/1795) - feat(websocket): handle ping/pong frames & fix fragmented frames by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1809](https://togithub.com/nodejs/undici/pull/1809) - docs: add basic fetch & company docs by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1810](https://togithub.com/nodejs/undici/pull/1810) - make formdata body immutable and encode it only once by [@​jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/nodejs/undici/pull/1814](https://togithub.com/nodejs/undici/pull/1814) - test: add regression test for [#​1814](https://togithub.com/nodejs/undici/issues/1814) by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1815](https://togithub.com/nodejs/undici/pull/1815) - feat(websocket): only consume necessary bytes by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1812](https://togithub.com/nodejs/undici/pull/1812) - websocket: use Buffer.allocUnsafe by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1817](https://togithub.com/nodejs/undici/pull/1817) - build(deps-dev): bump [@​sinonjs/fake-timers](https://togithub.com/sinonjs/fake-timers) from 9.1.2 to 10.0.2 by [@​dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/1819](https://togithub.com/nodejs/undici/pull/1819) - fix(websocket): deprecation warning & 64-bit unsigned int body length by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1818](https://togithub.com/nodejs/undici/pull/1818) - Use nodejs.stream.destroyed symbol by [@​ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1816](https://togithub.com/nodejs/undici/pull/1816) - fetch: removal of redundant condition by [@​debadree25](https://togithub.com/debadree25) in [https://github.com/nodejs/undici/pull/1821](https://togithub.com/nodejs/undici/pull/1821) - fix(request): request headers array by [@​jd-carroll](https://togithub.com/jd-carroll) in [https://github.com/nodejs/undici/pull/1807](https://togithub.com/nodejs/undici/pull/1807) - fix(websocket): validate payload length received by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1822](https://togithub.com/nodejs/undici/pull/1822) - fix(websocket): run parser in loop, instead of recursively by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1828](https://togithub.com/nodejs/undici/pull/1828) - fix(fetch): weaker refs by [@​ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1824](https://togithub.com/nodejs/undici/pull/1824) - websocket: add tests for opening handshake by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1831](https://togithub.com/nodejs/undici/pull/1831) - websocket: add tests for constructor, close, and send by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1832](https://togithub.com/nodejs/undici/pull/1832) - websocket: more test coverage by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1833](https://togithub.com/nodejs/undici/pull/1833) - fix(WPTs): flaky abort test by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1835](https://togithub.com/nodejs/undici/pull/1835) - wpt: add test by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1836](https://togithub.com/nodejs/undici/pull/1836) - fix: don't send keep-alive if we want reset by [@​ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/1846](https://togithub.com/nodejs/undici/pull/1846) - fetch: update body consume to match spec by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1847](https://togithub.com/nodejs/undici/pull/1847) - feat: allow connection header in request by [@​metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/1829](https://togithub.com/nodejs/undici/pull/1829) - feat: add cookie parsing ability by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1848](https://togithub.com/nodejs/undici/pull/1848) - fix(cookie): add docs & expose in node v16 by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1849](https://togithub.com/nodejs/undici/pull/1849) - fix(cookies): work with global Headers by [@​KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/1850](https://togithub.com/nodejs/undici/pull/1850) - docs(Dispatcher): adjust documentation for reset flag by [@​metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/1852](https://togithub.com/nodejs/undici/pull/1852) - Fix broken interceptor test by [@​mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/1853](https://togithub.com/nodejs/undici/pull/1853) #### New Contributors - [@​sosoba](https://togithub.com/sosoba) made their first contribution in [https://github.com/nodejs/undici/pull/1801](https://togithub.com/nodejs/undici/pull/1801) - [@​debadree25](https://togithub.com/debadree25) made their first contribution in [https://github.com/nodejs/undici/pull/1821](https://togithub.com/nodejs/undici/pull/1821) - [@​jd-carroll](https://togithub.com/jd-carroll) made their first contribution in [https://github.com/nodejs/undici/pull/1807](https://togithub.com/nodejs/undici/pull/1807) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.14.0...v5.15.0
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/sammyfilly/Canary-nextjs). --- packages/next/package.json | 2 +- pnpm-lock.yaml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/packages/next/package.json b/packages/next/package.json index 5a1c7904e3..56bd2bcc02 100644 --- a/packages/next/package.json +++ b/packages/next/package.json @@ -279,7 +279,7 @@ "timers-browserify": "2.0.12", "tty-browserify": "0.0.1", "ua-parser-js": "0.7.28", - "undici": "5.14.0", + "undici": "5.19.1", "unistore": "3.4.1", "util": "0.12.4", "uuid": "8.3.2", diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 4846025f6d..7b086502d0 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -672,7 +672,7 @@ importers: timers-browserify: 2.0.12 tty-browserify: 0.0.1 ua-parser-js: 0.7.28 - undici: 5.14.0 + undici: 5.19.1 unistore: 3.4.1 util: 0.12.4 uuid: 8.3.2 @@ -872,7 +872,7 @@ importers: timers-browserify: 2.0.12 tty-browserify: 0.0.1 ua-parser-js: 0.7.28 - undici: 5.14.0 + undici: 5.19.1 unistore: 3.4.1_react@18.2.0 util: 0.12.4 uuid: 8.3.2 @@ -22984,8 +22984,8 @@ packages: engines: {node: '>=0.10.0'} dev: true - /undici/5.14.0: - resolution: {integrity: sha512-yJlHYw6yXPPsuOH0x2Ib1Km61vu4hLiRRQoafs+WUgX1vO64vgnxiCEN9dpIrhZyHFsai3F0AEj4P9zy19enEQ==} + /undici/5.19.1: + resolution: {integrity: sha512-YiZ61LPIgY73E7syxCDxxa3LV2yl3sN8spnIuTct60boiiRaE1J8mNWHO8Im2Zi/sFrPusjLlmRPrsyraSqX6A==} engines: {node: '>=12.18'} dependencies: busboy: 1.6.0