Skip to content

chore(deps): update dependency undici to v6.6.1 [security] #410

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
G-Rath merged 1 commit into from
Feb 16, 2024
Merged

chore(deps): update dependency undici to v6.6.1 [security] #410

G-Rath merged 1 commit into from
Feb 16, 2024

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Feb 16, 2024

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
undici (source) 6.4.0 -> 6.6.1 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-24750

Impact

Calling fetch(url) and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak.

Patches

Patched in v6.6.1

Workarounds

Make sure to always consume the incoming body.

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

Release Notes

nodejs/undici (undici)

v6.6.1

Compare Source

⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

What's Changed

Full Changelog: nodejs/undici@v6.6.0...v6.6.1

v6.6.0

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v6.5.0...v6.6.0

v6.5.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.4.0...v6.5.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the Type: Maintenance Any dependency, housekeeping, and clean up Issue or PR label Feb 16, 2024
@G-Rath G-Rath enabled auto-merge (squash) February 16, 2024 18:09
@G-Rath G-Rath merged commit e2d6559 into main Feb 16, 2024
@G-Rath G-Rath deleted the renovate/npm-undici-vulnerability branch February 16, 2024 18:10
@github-actions
Copy link
Contributor

github-actions bot commented Mar 5, 2024

🎉 This PR is included in version 21.0.0-beta.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions
Copy link
Contributor

github-actions bot commented Apr 3, 2024

🎉 This PR is included in version 20.1.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

@github-actions
Copy link
Contributor

github-actions bot commented Jul 18, 2024

🎉 This PR is included in version 20.1.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@G-Rath G-Rath G-Rath approved these changes

Assignees

No one assigned

Labels

released on @beta released on @20.x released Type: Maintenance Any dependency, housekeeping, and clean up Issue or PR

Projects

🧰 Octokit Active
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@G-Rath