From 929af8ea39c90025075c8541e1a42e843065a8ac Mon Sep 17 00:00:00 2001
From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com>
Date: Wed, 21 Feb 2024 13:24:57 -0500
Subject: [PATCH] chore(deps): update dependency undici to v5.28.3 [security] j:cdx-227 (#1428)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [undici](https://undici.nodejs.org) ([source](https://togithub.com/nodejs/undici)) | [`5.26.2` -> `5.28.3`](https://renovatebot.com/diffs/npm/undici/5.26.2/5.28.3) | [![age](https://developer.mend.io/api/mc/badges/age/npm/undici/5.28.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/5.28.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/5.26.2/5.28.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/5.26.2/5.28.3?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-24758](https://togithub.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3)

### Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers.

### Patches

This is patched in v5.28.3 and v6.6.1

### Workarounds

There are no known workarounds.

### References

- https://fetch.spec.whatwg.org/#authentication-entries
- https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g

---

### Release Notes

nodejs/undici (undici)

### [`v5.28.3`](https://togithub.com/nodejs/undici/releases/tag/v5.28.3)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.28.2...v5.28.3)

#### ⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.28.2...v5.28.3

### [`v5.28.2`](https://togithub.com/nodejs/undici/releases/tag/v5.28.2)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.28.1...v5.28.2)

#### What's Changed

- fix: remove optional chainning for compatible with Nodejs12 and below by [@bugb](https://togithub.com/bugb) in [https://github.com/nodejs/undici/pull/2470](https://togithub.com/nodejs/undici/pull/2470)
- fix: remove `node:` prefix by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2471](https://togithub.com/nodejs/undici/pull/2471)
- perf: avoid Headers initialization by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2468](https://togithub.com/nodejs/undici/pull/2468)
- fix: handle SharedArrayBuffer correctly by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2466](https://togithub.com/nodejs/undici/pull/2466)
- fix: Add `null` type to `signal` in `RequestInit` by [@gebsh](https://togithub.com/gebsh) in [https://github.com/nodejs/undici/pull/2455](https://togithub.com/nodejs/undici/pull/2455)
- fix: correctly handle data URL with hashes. by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2475](https://togithub.com/nodejs/undici/pull/2475)
- fix: check response for timinginfo allow flag by [@ToshB](https://togithub.com/ToshB) in [https://github.com/nodejs/undici/pull/2477](https://togithub.com/nodejs/undici/pull/2477)
- Make call to onBodySent conditional in RetryHandler by [@MzUgM](https://togithub.com/MzUgM) in [https://github.com/nodejs/undici/pull/2478](https://togithub.com/nodejs/undici/pull/2478)
- refactor: better integrity check by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2462](https://togithub.com/nodejs/undici/pull/2462)
- fix: Added support for inline URL username:password proxy auth by [@matt-way](https://togithub.com/matt-way) in [https://github.com/nodejs/undici/pull/2473](https://togithub.com/nodejs/undici/pull/2473)
- build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2472](https://togithub.com/nodejs/undici/pull/2472)
- build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2405](https://togithub.com/nodejs/undici/pull/2405)
- build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2396](https://togithub.com/nodejs/undici/pull/2396)
- build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2395](https://togithub.com/nodejs/undici/pull/2395)
- build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2392](https://togithub.com/nodejs/undici/pull/2392)
- build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2389](https://togithub.com/nodejs/undici/pull/2389)
- build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2302](https://togithub.com/nodejs/undici/pull/2302)

#### New Contributors

- [@bugb](https://togithub.com/bugb) made their first contribution in [https://github.com/nodejs/undici/pull/2470](https://togithub.com/nodejs/undici/pull/2470)
- [@gebsh](https://togithub.com/gebsh) made their first contribution in [https://github.com/nodejs/undici/pull/2455](https://togithub.com/nodejs/undici/pull/2455)
- [@ToshB](https://togithub.com/ToshB) made their first contribution in [https://github.com/nodejs/undici/pull/2477](https://togithub.com/nodejs/undici/pull/2477)
- [@MzUgM](https://togithub.com/MzUgM) made their first contribution in [https://github.com/nodejs/undici/pull/2478](https://togithub.com/nodejs/undici/pull/2478)
- [@matt-way](https://togithub.com/matt-way) made their first contribution in [https://github.com/nodejs/undici/pull/2473](https://togithub.com/nodejs/undici/pull/2473)

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.28.1...v5.28.2

### [`v5.28.1`](https://togithub.com/nodejs/undici/releases/tag/v5.28.1)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.28.0...v5.28.1)

#### What's Changed

- perf: Improve `normalizeMethod` by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2456](https://togithub.com/nodejs/undici/pull/2456)
- fix: dispatch error handling by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/2459](https://togithub.com/nodejs/undici/pull/2459)
- perf(request): optimize if headers are given by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2454](https://togithub.com/nodejs/undici/pull/2454)

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.28.0...v5.28.1

### [`v5.28.0`](https://togithub.com/nodejs/undici/releases/tag/v5.28.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.27.2...v5.28.0)

#### What's Changed

- fix(parseHeaders): util.parseHeaders handle correctly array of buffer… by [@mdoria12](https://togithub.com/mdoria12) in [https://github.com/nodejs/undici/pull/2398](https://togithub.com/nodejs/undici/pull/2398)
- docs: add license to undici-types by [@dancastillo](https://togithub.com/dancastillo) in [https://github.com/nodejs/undici/pull/2401](https://togithub.com/nodejs/undici/pull/2401)
- perf: optimize Readable.dump by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/2402](https://togithub.com/nodejs/undici/pull/2402)
- perf(headers): Improve Headers by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2397](https://togithub.com/nodejs/undici/pull/2397)
- test: re-enable conditional WPT Report for websockets by [@panva](https://togithub.com/panva) in [https://github.com/nodejs/undici/pull/2407](https://togithub.com/nodejs/undici/pull/2407)
- fix: delay abort on 'close' by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/2408](https://togithub.com/nodejs/undici/pull/2408)
- refactor: use `substring` instead of `substr` by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2411](https://togithub.com/nodejs/undici/pull/2411)
- add additional http2 test with fetch by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2419](https://togithub.com/nodejs/undici/pull/2419)
- fix: HTTPToken check by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2410](https://togithub.com/nodejs/undici/pull/2410)
- perf: optimize HeadersList.get by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2420](https://togithub.com/nodejs/undici/pull/2420)
- properly handle pseudo-headers in fetch by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2422](https://togithub.com/nodejs/undici/pull/2422)
- perf(headers): if the guard is immutable by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2424](https://togithub.com/nodejs/undici/pull/2424)
- fix(mock-agent): send stream body by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2425](https://togithub.com/nodejs/undici/pull/2425)
- build(deps): bump github/codeql-action from 2.21.5 to 2.22.5 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2394](https://togithub.com/nodejs/undici/pull/2394)
- feat([#2264](https://togithub.com/nodejs/undici/issues/2264)): Expose Retry Handler by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2281](https://togithub.com/nodejs/undici/pull/2281)
- fix: implement `Headers#set` correctly by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2432](https://togithub.com/nodejs/undici/pull/2432)
- fix: implement `Headers#delete` correctly by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2430](https://togithub.com/nodejs/undici/pull/2430)
- test: update websocket wpt availability by [@panva](https://togithub.com/panva) in [https://github.com/nodejs/undici/pull/2437](https://togithub.com/nodejs/undici/pull/2437)
- fix: type comment position by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2443](https://togithub.com/nodejs/undici/pull/2443)
- fix: `onHeaders` type declaration by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2444](https://togithub.com/nodejs/undici/pull/2444)
- remove http2 status pseudo header from headers by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2438](https://togithub.com/nodejs/undici/pull/2438)
- docs: Clarify `path` matching in `intercept()` by [@oliversalzburg](https://togithub.com/oliversalzburg) in [https://github.com/nodejs/undici/pull/2426](https://togithub.com/nodejs/undici/pull/2426)
- fix: set-cookie clone by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2446](https://togithub.com/nodejs/undici/pull/2446)
- docs: fix typo in maxConcurrentStreams by [@tniessen](https://togithub.com/tniessen) in [https://github.com/nodejs/undici/pull/2450](https://togithub.com/nodejs/undici/pull/2450)
- refactor: remove leftovers by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2451](https://togithub.com/nodejs/undici/pull/2451)
- refactor: add missing new operator by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/2452](https://togithub.com/nodejs/undici/pull/2452)

#### New Contributors

- [@mdoria12](https://togithub.com/mdoria12) made their first contribution in [https://github.com/nodejs/undici/pull/2398](https://togithub.com/nodejs/undici/pull/2398)
- [@tsctx](https://togithub.com/tsctx) made their first contribution in [https://github.com/nodejs/undici/pull/2397](https://togithub.com/nodejs/undici/pull/2397)
- [@oliversalzburg](https://togithub.com/oliversalzburg) made their first contribution in [https://github.com/nodejs/undici/pull/2426](https://togithub.com/nodejs/undici/pull/2426)

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.27.2...v5.28.0

### [`v5.27.2`](https://togithub.com/nodejs/undici/releases/tag/v5.27.2)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.27.1...v5.27.2)

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.27.1...v5.27.2

### [`v5.27.1`](https://togithub.com/nodejs/undici/releases/tag/v5.27.1)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.27.0...v5.27.1)

#### What's Changed

- add regression test by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2376](https://togithub.com/nodejs/undici/pull/2376)
- fix: define conditions when content-length should be sent by [@pxue](https://togithub.com/pxue) in [https://github.com/nodejs/undici/pull/2305](https://togithub.com/nodejs/undici/pull/2305)
- refactor: removed unnecessary default by [@nikelborm](https://togithub.com/nikelborm) in [https://github.com/nodejs/undici/pull/2381](https://togithub.com/nodejs/undici/pull/2381)
- fix: stream body handling by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/2391](https://togithub.com/nodejs/undici/pull/2391)

#### New Contributors

- [@pxue](https://togithub.com/pxue) made their first contribution in [https://github.com/nodejs/undici/pull/2305](https://togithub.com/nodejs/undici/pull/2305)
- [@nikelborm](https://togithub.com/nikelborm) made their first contribution in [https://github.com/nodejs/undici/pull/2381](https://togithub.com/nodejs/undici/pull/2381)

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.27.0...v5.27.1

### [`v5.27.0`](https://togithub.com/nodejs/undici/releases/tag/v5.27.0)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.5...v5.27.0)

#### What's Changed

- Use sets and reusable TextEncoder/TextDecoder instances by [@kibertoad](https://togithub.com/kibertoad) in [https://github.com/nodejs/undici/pull/2368](https://togithub.com/nodejs/undici/pull/2368)
- feat: forward onRequestSent to handler by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/2375](https://togithub.com/nodejs/undici/pull/2375)
- skip bundle test on node 16 by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2377](https://togithub.com/nodejs/undici/pull/2377)
- fix windows CI by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2379](https://togithub.com/nodejs/undici/pull/2379)

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.26.5...v5.27.0

### [`v5.26.5`](https://togithub.com/nodejs/undici/releases/tag/v5.26.5)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.4...v5.26.5)

#### What's Changed

- Drop race condition in connect-timeout test by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2360](https://togithub.com/nodejs/undici/pull/2360)
- Remove a couple of unnecessary async functions by [@kibertoad](https://togithub.com/kibertoad) in [https://github.com/nodejs/undici/pull/2367](https://togithub.com/nodejs/undici/pull/2367)
- Update namespace type with Fetch exports by [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2361](https://togithub.com/nodejs/undici/pull/2361)

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.26.4...v5.26.5

### [`v5.26.4`](https://togithub.com/nodejs/undici/releases/tag/v5.26.4)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.3...v5.26.4)

#### What's Changed

- use esbuild define/hooks by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2342](https://togithub.com/nodejs/undici/pull/2342)
- fix request's arrayBuffer returning uint8 instead of arraybuffer by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2344](https://togithub.com/nodejs/undici/pull/2344)
- fix: skip readMore call if parser is null or undefined by [@iiAku](https://togithub.com/iiAku) in [https://github.com/nodejs/undici/pull/2346](https://togithub.com/nodejs/undici/pull/2346)
- test: first attempt for flaky fix by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2337](https://togithub.com/nodejs/undici/pull/2337)
- test: only include WebSocket in WPT Report where it's landed by [@panva](https://togithub.com/panva) in [https://github.com/nodejs/undici/pull/2351](https://togithub.com/nodejs/undici/pull/2351)
- Update DispatchInterceptor.md by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2354](https://togithub.com/nodejs/undici/pull/2354)
- fix: Avoid error for stream() being aborted by [@BobNobrain](https://togithub.com/BobNobrain) in [https://github.com/nodejs/undici/pull/2355](https://togithub.com/nodejs/undici/pull/2355)
- fix names with esbuild by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2359](https://togithub.com/nodejs/undici/pull/2359)

#### New Contributors

- [@iiAku](https://togithub.com/iiAku) made their first contribution in [https://github.com/nodejs/undici/pull/2346](https://togithub.com/nodejs/undici/pull/2346)
- [@Uzlopak](https://togithub.com/Uzlopak) made their first contribution in [https://github.com/nodejs/undici/pull/2354](https://togithub.com/nodejs/undici/pull/2354)
- [@BobNobrain](https://togithub.com/BobNobrain) made their first contribution in [https://github.com/nodejs/undici/pull/2355](https://togithub.com/nodejs/undici/pull/2355)

**Full Changelog**: https://github.com/nodejs/undici/compare/v5.26.3...v5.26.4

### [`v5.26.3`](https://togithub.com/nodejs/undici/compare/12a62187d45f332cf39dd405f7c52b759cf40cdd...227b9bedf233f741b86dda4ae9d1c7ad69f5d75c)

[Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.2...v5.26.3)
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/coveo/cli). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- package-lock.json | 8 ++++---- packages/cli/source/package.json | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/package-lock.json b/package-lock.json index 9aa9e5b61..41fb1f609 100644 --- a/package-lock.json +++ b/package-lock.json @@ -27754,9 +27754,9 @@ } }, "node_modules/undici": { - "version": "5.26.2", - "resolved": "https://registry.npmjs.org/undici/-/undici-5.26.2.tgz", - "integrity": "sha512-a4PDLQgLTPHVzOK+x3F79/M4GtyYPl+aX9AAK7aQxpwxDwCqkeZCScy7Gk5kWT3JtdFq1uhO3uZJdLtHI4dK9A==", + "version": "5.28.3", + "resolved": "https://registry.npmjs.org/undici/-/undici-5.28.3.tgz", + "integrity": "sha512-3ItfzbrhDlINjaP0duwnNsKpDQk3acHI3gVJ1z4fmwMK31k5G9OVIAMLSIaP6w4FaGkaAkN6zaQO9LUvZ1t7VA==", "dependencies": { "@fastify/busboy": "^2.0.0" }, @@ -30543,7 +30543,7 @@ "tsconfig-paths": "4.2.0", "tslib": "2.5.0", "typescript": "4.9.5", - "undici": "5.26.2" + "undici": "5.28.3" }, "engines": { "node": "^18.18.1 || ^20.9.0" diff --git a/packages/cli/source/package.json b/packages/cli/source/package.json index 2ccb96cdc..4909f22b9 100644 --- a/packages/cli/source/package.json +++ b/packages/cli/source/package.json @@ -40,7 +40,7 @@ "tsconfig-paths": "4.2.0", "tslib": "2.5.0", "typescript": "4.9.5", - "undici": "5.26.2" + "undici": "5.28.3" }, "oclif": { "bin": "coveo",
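Review bot: the `package-lock.json` hunk at `node_modules/undici` updates only the hoisted copy, and the diffstat (8 changed lines in the lockfile) covers just that entry plus the workspace dependency line, so nothing here shows whether another package in the tree resolves its own nested undici. Before merging, confirm with `npm ls undici` that no resolved copy is older than 5.28.3; a nested older copy would keep the `Proxy-Authorization` behaviour on cross-origin redirects that the advisory in the commit message describes.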
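Review bot: the `packages/cli/source/package.json` hunk moves the exact pin from `5.26.2` to `5.28.3`, which takes in every release in between, and the release notes quoted in the commit message list behaviour changes beyond the security fix (for example "fix: define conditions when content-length should be sent" and "fix: stream body handling" in v5.27.1). The description carries no record of a test run against the CLI's HTTP paths, so please note the CI result for this branch in the PR before merging. The `engines` context line (`"node": "^18.18.1 || ^20.9.0"`) is unchanged, which is consistent with the bump needing no runtime change.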
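A check that follows from the advisory's "Patches" line, added here as an example and not part of this commit or of undici: it walks an npm lockfile's `packages` map and reports every resolved copy of undici older than 5.28.3 (5.x) or 6.6.1 (6.x). The sample lockfile is constructed, and the function names and the treatment of other major versions are assumptions.

```javascript
// Added example, not code from the commit or from undici.
// Patched floors per major line, taken from the advisory text on this page.
const PATCHED = { 5: [5, 28, 3], 6: [6, 6, 1] };

// Parse the numeric core of a semver string; returns null if it is not semver.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version || ""));
  return m ? m.slice(1).map(Number) : null;
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isPatched(version) {
  const core = parseVersion(version);
  if (!core) return false; // unparseable: report for manual review
  const floor = PATCHED[core[0]];
  if (!floor) {
    // Assumption: majors above 6 were released after the fix; majors below 5
    // have no patched release named in the advisory, so they are reported.
    return core[0] > 6;
  }
  const c = compareCore(core, floor);
  const prerelease = /^\d+\.\d+\.\d+-/.test(String(version));
  // A prerelease of the floor version (e.g. 5.28.3-rc.1) sorts before it.
  return c > 0 || (c === 0 && !prerelease);
}

// Lockfile v2/v3 keys look like "node_modules/undici" for the hoisted copy and
// "node_modules/<pkg>/node_modules/undici" for a nested one.
function findUnpatchedUndici(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/undici$/.test(path)) continue;
    if (!isPatched(meta.version)) findings.push({ path, version: meta.version });
  }
  return findings;
}

// Constructed sample: the hoisted copy is patched, two nested copies are not.
// "some-http-client" and "other-lib" are hypothetical package names.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-root" },
    "node_modules/undici": { version: "5.28.3" },
    "node_modules/some-http-client/node_modules/undici": { version: "5.26.2" },
    "node_modules/other-lib/node_modules/undici": { version: "6.6.0" },
    "node_modules/undici-types": { version: "5.26.5" },
  },
};

console.log(findUnpatchedUndici(sampleLock));
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findUnpatchedUndici` in place of `sampleLock`.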