chore(deps): update dependency undici to v6.6.1 [security] by renovate[bot] · Pull Request #410 · octokit/rest.js

renovate · 2024-02-16T18:08:33Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	`6.4.0` -> `6.6.1`

GitHub Vulnerability Alerts

CVE-2024-24750

Impact

Calling fetch(url) and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak.

Patches

Patched in v6.6.1

Workarounds

Make sure to always consume the incoming body.

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

Release Notes

nodejs/undici (undici)

`v6.6.1`

Compare Source

⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

github-actions · 2024-03-05T19:10:25Z

🎉 This PR is included in version 21.0.0-beta.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

github-actions · 2024-04-03T19:03:06Z

🎉 This PR is included in version 20.1.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

github-actions · 2024-07-18T18:43:58Z

🎉 This PR is included in version 20.1.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

chore(deps): update dependency undici to v6.6.1 [security]

a5f4114

renovate Bot added the Type: Maintenance Any dependency, housekeeping, and clean up Issue or PR label Feb 16, 2024

G-Rath enabled auto-merge (squash) February 16, 2024 18:09

G-Rath approved these changes Feb 16, 2024

View reviewed changes

G-Rath merged commit e2d6559 into main Feb 16, 2024

G-Rath deleted the renovate/npm-undici-vulnerability branch February 16, 2024 18:10

github-actions Bot added the released on @beta label Mar 5, 2024

github-actions Bot added the released label Apr 3, 2024

github-actions Bot added the released on @20.x label Jul 18, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency undici to v6.6.1 [security]#410

chore(deps): update dependency undici to v6.6.1 [security]#410
G-Rath merged 1 commit intomainfrom
renovate/npm-undici-vulnerability

renovate Bot commented Feb 16, 2024

Uh oh!

github-actions Bot commented Mar 5, 2024

Uh oh!

github-actions Bot commented Apr 3, 2024

Uh oh!

github-actions Bot commented Jul 18, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

renovate Bot commented Feb 16, 2024

GitHub Vulnerability Alerts

CVE-2024-24750

Impact

Patches

Workarounds

CVE-2024-24758

Impact

Patches

Workarounds

References

Release Notes

v6.6.1

⚠️ Security Release ⚠️

What's Changed

v6.6.0

What's Changed

New Contributors

v6.5.0

What's Changed

Configuration

Uh oh!

github-actions Bot commented Mar 5, 2024

Uh oh!

github-actions Bot commented Apr 3, 2024

Uh oh!

github-actions Bot commented Jul 18, 2024

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

`v6.6.1`

`v6.6.0`

`v6.5.0`