fix(deps): update dependency undici to v5.28.3 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	5.26.5 -> 5.28.3

GitHub Vulnerability Alerts

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

• https://fetch.spec.whatwg.org/#authentication-entries
• GHSA-wqq4-5wpv-mx2g

---

Release Notes

nodejs/undici (undici)

v5.28.3

Compare Source

⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

v5.28.2

Compare Source

What's Changed

• fix: remove optional chainning for compatible with Nodejs12 and below by @​bugb in https://github.com/nodejs/undici/pull/2470
• fix: remove node: prefix by @​tsctx in https://github.com/nodejs/undici/pull/2471
• perf: avoid Headers initialization by @​tsctx in https://github.com/nodejs/undici/pull/2468
• fix: handle SharedArrayBuffer correctly by @​tsctx in https://github.com/nodejs/undici/pull/2466
• fix: Add null type to signal in RequestInit by @​gebsh in https://github.com/nodejs/undici/pull/2455
• fix: correctly handle data URL with hashes. by @​tsctx in https://github.com/nodejs/undici/pull/2475
• fix: check response for timinginfo allow flag by @​ToshB in https://github.com/nodejs/undici/pull/2477
• Make call to onBodySent conditional in RetryHandler by @​MzUgM in https://github.com/nodejs/undici/pull/2478
• refactor: better integrity check by @​tsctx in https://github.com/nodejs/undici/pull/2462
• fix: Added support for inline URL username:password proxy auth by @​matt-way in https://github.com/nodejs/undici/pull/2473
• build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/2472
• build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @​dependabot in https://github.com/nodejs/undici/pull/2405
• build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @​dependabot in https://github.com/nodejs/undici/pull/2396
• build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/2395
• build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @​dependabot in https://github.com/nodejs/undici/pull/2392
• build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @​dependabot in https://github.com/nodejs/undici/pull/2389
• build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @​dependabot in https://github.com/nodejs/undici/pull/2302

New Contributors

• @​bugb made their first contribution in https://github.com/nodejs/undici/pull/2470
• @​gebsh made their first contribution in https://github.com/nodejs/undici/pull/2455
• @​ToshB made their first contribution in https://github.com/nodejs/undici/pull/2477
• @​MzUgM made their first contribution in https://github.com/nodejs/undici/pull/2478
• @​matt-way made their first contribution in https://github.com/nodejs/undici/pull/2473

Full Changelog: nodejs/undici@v5.28.1...v5.28.2

v5.28.1

Compare Source

What's Changed

• perf: Improve normalizeMethod by @​tsctx in https://github.com/nodejs/undici/pull/2456
• fix: dispatch error handling by @​ronag in https://github.com/nodejs/undici/pull/2459
• perf(request): optimize if headers are given by @​tsctx in https://github.com/nodejs/undici/pull/2454

Full Changelog: nodejs/undici@v5.28.0...v5.28.1

v5.28.0

Compare Source

What's Changed

• fix(parseHeaders): util.parseHeaders handle correctly array of buffer… by @​mdoria12 in https://github.com/nodejs/undici/pull/2398
• docs: add license to undici-types by @​dancastillo in https://github.com/nodejs/undici/pull/2401
• perf: optimize Readable.dump by @​ronag in https://github.com/nodejs/undici/pull/2402
• perf(headers): Improve Headers by @​tsctx in https://github.com/nodejs/undici/pull/2397
• test: re-enable conditional WPT Report for websockets by @​panva in https://github.com/nodejs/undici/pull/2407
• fix: delay abort on 'close' by @​ronag in https://github.com/nodejs/undici/pull/2408
• refactor: use substring instead of substr by @​tsctx in https://github.com/nodejs/undici/pull/2411
• add additional http2 test with fetch by @​KhafraDev in https://github.com/nodejs/undici/pull/2419
• fix: HTTPToken check by @​tsctx in https://github.com/nodejs/undici/pull/2410
• perf: optimize HeadersList.get by @​tsctx in https://github.com/nodejs/undici/pull/2420
• properly handle pseudo-headers in fetch by @​KhafraDev in https://github.com/nodejs/undici/pull/2422
• perf(headers): if the guard is immutable by @​tsctx in https://github.com/nodejs/undici/pull/2424
• fix(mock-agent): send stream body by @​tsctx in https://github.com/nodejs/undici/pull/2425
• build(deps): bump github/codeql-action from 2.21.5 to 2.22.5 by @​dependabot in https://github.com/nodejs/undici/pull/2394
• feat(#​2264): Expose Retry Handler by @​metcoder95 in https://github.com/nodejs/undici/pull/2281
• fix: implement Headers#set correctly by @​tsctx in https://github.com/nodejs/undici/pull/2432
• fix: implement Headers#delete correctly by @​tsctx in https://github.com/nodejs/undici/pull/2430
• test: update websocket wpt availability by @​panva in https://github.com/nodejs/undici/pull/2437
• fix: type comment position by @​tsctx in https://github.com/nodejs/undici/pull/2443
• fix: onHeaders type declaration by @​tsctx in https://github.com/nodejs/undici/pull/2444
• remove http2 status pseudo header from headers by @​KhafraDev in https://github.com/nodejs/undici/pull/2438
• docs: Clarify path matching in intercept() by @​oliversalzburg in https://github.com/nodejs/undici/pull/2426
• fix: set-cookie clone by @​tsctx in https://github.com/nodejs/undici/pull/2446
• docs: fix typo in maxConcurrentStreams by @​tniessen in https://github.com/nodejs/undici/pull/2450
• refactor: remove leftovers by @​metcoder95 in https://github.com/nodejs/undici/pull/2451
• refactor: add missing new operator by @​tsctx in https://github.com/nodejs/undici/pull/2452

New Contributors

• @​mdoria12 made their first contribution in https://github.com/nodejs/undici/pull/2398
• @​tsctx made their first contribution in https://github.com/nodejs/undici/pull/2397
• @​oliversalzburg made their first contribution in https://github.com/nodejs/undici/pull/2426

Full Changelog: nodejs/undici@v5.27.2...v5.28.0

v5.27.2

Compare Source

Full Changelog: nodejs/undici@v5.27.1...v5.27.2

v5.27.1

Compare Source

What's Changed

• add regression test by @​KhafraDev in https://github.com/nodejs/undici/pull/2376
• fix: define conditions when content-length should be sent by @​pxue in https://github.com/nodejs/undici/pull/2305
• refactor: removed unnecessary default by @​nikelborm in https://github.com/nodejs/undici/pull/2381
• fix: stream body handling by @​ronag in https://github.com/nodejs/undici/pull/2391

New Contributors

• @​pxue made their first contribution in https://github.com/nodejs/undici/pull/2305
• @​nikelborm made their first contribution in https://github.com/nodejs/undici/pull/2381

Full Changelog: nodejs/undici@v5.27.0...v5.27.1

v5.27.0

Compare Source

What's Changed

• Use sets and reusable TextEncoder/TextDecoder instances by @​kibertoad in https://github.com/nodejs/undici/pull/2368
• feat: forward onRequestSent to handler by @​ronag in https://github.com/nodejs/undici/pull/2375
• skip bundle test on node 16 by @​KhafraDev in https://github.com/nodejs/undici/pull/2377
• fix windows CI by @​KhafraDev in https://github.com/nodejs/undici/pull/2379

Full Changelog: nodejs/undici@v5.26.5...v5.27.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 0c821af

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[github-actions]

Changeset File Check ⚠️

• Changeset formatting error in following file:%0A %0A Some packages have been changed but no changesets were found. Run `changeset add` to resolve this error.%0A If this change doesn't need a release, run `changeset add --empty`.%0A %0A

[google-oss-bot]

Size Report ¹

Affected Products

No changes between base commit (9fa0e9f) and merge commit (46c75af).

Test Logs

• Base (9fa0e9f): https://github.com/firebase/firebase-js-sdk/actions/runs/7748332201
• Merge (46c75af): https://github.com/firebase/firebase-js-sdk/actions/runs/7935234272

1. https://storage.googleapis.com/firebase-sdk-metric-reports/JMiwER2ax0.html

[google-oss-bot]

Size Analysis Report ¹

Affected Products

No changes between base commit (9fa0e9f) and merge commit (46c75af).

Test Logs

• Base (9fa0e9f): https://github.com/firebase/firebase-js-sdk/actions/runs/7748332201
• Merge (46c75af): https://github.com/firebase/firebase-js-sdk/actions/runs/7935234272

1. https://storage.googleapis.com/firebase-sdk-metric-reports/notU5xm1Bt.html

[baraknaveh]

What's the ETA for a fix for this security issue?