Bump undici due to security issue (#8044)

See GHSA-3787-6prv-h9w3 For reference, `undici` is used to polyfill `fetch` in our Node bundles, as we are not restricting Node support to 18+ yet. Fixes #8038
firebase · Feb 27, 2024 · f3cec28 · f3cec28
1 parent e5a1a34
commit f3cec28
Show file tree

Hide file tree

Showing 10 changed files with 21 additions and 12 deletions.
diff --git a/.changeset/short-falcons-look.md b/.changeset/short-falcons-look.md
@@ -0,0 +1,9 @@
+---
+'@firebase/auth-compat': patch
+'@firebase/firestore': patch
+'@firebase/functions': patch
+'@firebase/storage': patch
+'@firebase/auth': patch
+---
+
+Bump undici version to 5.28.3 due to security issue.
diff --git a/integration/messaging/package.json b/integration/messaging/package.json
@@ -15,7 +15,7 @@
     "express": "4.18.2",
     "geckodriver": "2.0.4",
     "mocha": "9.2.2",
-    "undici": "5.26.5",
+    "undici": "5.28.3",
     "selenium-assistant": "6.1.1"
   }
 }
diff --git a/package.json b/package.json
@@ -153,7 +153,7 @@
     "tslint": "6.1.3",
     "typedoc": "0.16.11",
     "typescript": "4.7.4",
-    "undici": "5.26.5",
+    "undici": "5.28.3",
     "watch": "1.0.2",
     "webpack": "5.76.0",
     "yargs": "17.7.2"

diff --git a/packages/auth-compat/package.json b/packages/auth-compat/package.json
@@ -54,7 +54,7 @@
     "@firebase/auth-types": "0.12.0",
     "@firebase/component": "0.6.5",
     "@firebase/util": "1.9.4",
-    "undici": "5.26.5",
+    "undici": "5.28.3",
     "tslib": "^2.1.0"
   },
   "license": "Apache-2.0",

diff --git a/packages/auth/package.json b/packages/auth/package.json
@@ -129,7 +129,7 @@
     "@firebase/component": "0.6.5",
     "@firebase/logger": "0.4.0",
     "@firebase/util": "1.9.4",
-    "undici": "5.26.5",
+    "undici": "5.28.3",
     "tslib": "^2.1.0"
   },
   "license": "Apache-2.0",

diff --git a/packages/firestore/package.json b/packages/firestore/package.json
@@ -102,7 +102,7 @@
     "@firebase/webchannel-wrapper": "0.10.5",
     "@grpc/grpc-js": "~1.9.0",
     "@grpc/proto-loader": "^0.7.8",
-    "undici": "5.26.5",
+    "undici": "5.28.3",
     "tslib": "^2.1.0"
   },
   "peerDependencies": {

diff --git a/packages/functions/package.json b/packages/functions/package.json
@@ -71,7 +71,7 @@
     "@firebase/auth-interop-types": "0.2.1",
     "@firebase/app-check-interop-types": "0.3.0",
     "@firebase/util": "1.9.4",
-    "undici": "5.26.5",
+    "undici": "5.28.3",
     "tslib": "^2.1.0"
   },
   "nyc": {

diff --git a/packages/storage/package.json b/packages/storage/package.json
@@ -48,7 +48,7 @@
   "dependencies": {
     "@firebase/util": "1.9.4",
     "@firebase/component": "0.6.5",
-    "undici": "5.26.5",
+    "undici": "5.28.3",
     "tslib": "^2.1.0"
   },
   "peerDependencies": {

diff --git a/repo-scripts/changelog-generator/package.json b/repo-scripts/changelog-generator/package.json
@@ -20,7 +20,7 @@
     "@changesets/types": "3.3.0",
     "@changesets/get-github-info": "0.5.2",
     "@types/node": "20.8.10",
-    "undici": "5.26.5"
+    "undici": "5.28.3"
   },
   "license": "Apache-2.0",
   "devDependencies": {

diff --git a/yarn.lock b/yarn.lock
@@ -16835,10 +16835,10 @@ undici-types@~5.26.4:
   resolved "https://registry.npmjs.org/undici-types/-/undici-types-5.26.5.tgz#bcd539893d00b56e964fd2657a4866b221a65617"
   integrity sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==
 
-undici@5.26.5:
-  version "5.26.5"
-  resolved "https://registry.npmjs.org/undici/-/undici-5.26.5.tgz#f6dc8c565e3cad8c4475b187f51a13e505092838"
-  integrity sha512-cSb4bPFd5qgR7qr2jYAi0hlX9n5YKK2ONKkLFkxl+v/9BvC0sOpZjBHDBSXc5lWAf5ty9oZdRXytBIHzgUcerw==
+undici@5.28.3:
+  version "5.28.3"
+  resolved "https://registry.npmjs.org/undici/-/undici-5.28.3.tgz#a731e0eff2c3fcfd41c1169a869062be222d1e5b"
+  integrity sha512-3ItfzbrhDlINjaP0duwnNsKpDQk3acHI3gVJ1z4fmwMK31k5G9OVIAMLSIaP6w4FaGkaAkN6zaQO9LUvZ1t7VA==
   dependencies:
     "@fastify/busboy" "^2.0.0"