New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update dependency undici to v6.21.1 [SECURITY] #571

Open

renovate wants to merge 1 commit into main from renovate/npm-undici-vulnerability

Contributor

renovate bot commented Apr 4, 2024 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	`6.6.2` -> `6.21.1`

GitHub Vulnerability Alerts

CVE-2024-30260

Impact

Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request().

Patches

This has been patched in nodejs/undici@6805746.
Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

use fetch() or disable maxRedirections.

References

Linzi Shang reported this.

CVE-2024-30261

Impact

If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered.

Patches

Fixed in nodejs/undici@d542b8c.
Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

Ensure that integrity cannot be tampered with.

References

https://hackerone.com/reports/2377760

CVE-2025-22150

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker controlled servers.

References

Release Notes

nodejs/undici (undici)

`v6.21.1`

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

What's Changed

fix(#3736): back-port 183f8e9 to v6.x by @ggoodman in https://github.com/nodejs/undici/pull/3855
fix(#3817): send servername for SNI on TLS (#3821) [backport] by @metcoder95 in https://github.com/nodejs/undici/pull/3864
fix: sending formdata bodies with http2 (#3863) [backport] by @metcoder95 in https://github.com/nodejs/undici/pull/3866
[Backport v6.x] fix: Fixed the issue that there is no running request when http2 goaway by @github-actions in https://github.com/nodejs/undici/pull/3877
types: [backport] Update return type of RetryCallback (#3851) by @metcoder95 in https://github.com/nodejs/undici/pull/3876

Full Changelog: nodejs/undici@v6.21.0...v6.21.1

`v6.21.0`

What's Changed

[Backport v6.x] web: mark as uncloneable when possible (#3709) by @jazelly in https://github.com/nodejs/undici/pull/3744
[Backport v6.x] fetch: fix content-encoding order by @github-actions in https://github.com/nodejs/undici/pull/3764
[Backport v6.x] fix: handle undefined deref() of WeakRef(socket) by @github-actions in https://github.com/nodejs/undici/pull/3822
[Backport v6.x] fix: range end is zero-indexed by @github-actions in https://github.com/nodejs/undici/pull/3827

Full Changelog: nodejs/undici@v6.20.1...v6.21.0

`v6.20.1`

`v6.20.0`

What's Changed

Remove patched dom types (v6.x branch) by @eXhumer in https://github.com/nodejs/undici/pull/3531
docs(Backport v6.x): Fix signature of RetryHandler by @github-actions in https://github.com/nodejs/undici/pull/3594
deps(dev): update @types/node by @metcoder95 in https://github.com/nodejs/undici/pull/3618
fix: throw on retry when payload is consume by downstream by @github-actions in https://github.com/nodejs/undici/pull/3596
feat(Backport v6.x): move throwOnError to interceptor by @github-actions in https://github.com/nodejs/undici/pull/3595
[Backport v6.x] fix: reduce memory usage in client-h1 by @github-actions in https://github.com/nodejs/undici/pull/3672
[Backport v6.x] fix: refactor fast timers, fix UND_ERR_CONNECT_TIMEOUT on event loop blocking by @github-actions in https://github.com/nodejs/undici/pull/3673
[Backport v6.x] fix: run asserts first if possible by @github-actions in https://github.com/nodejs/undici/pull/3674
[Backport v6.x] fix: use fasttimers for all connection timeouts by @github-actions in https://github.com/nodejs/undici/pull/3675
[Backport v6.x] ci: less flaky test/request-timeout.js test by @github-actions in https://github.com/nodejs/undici/pull/3678
[Backport v6.x] test: less flaky timers acceptance test, rework fast timer tests to pass them faster by @github-actions in https://github.com/nodejs/undici/pull/3679
[Backport v6.x] ignore leading and trailing crlfs in formdata body by @github-actions in https://github.com/nodejs/undici/pull/3681
[Backport v6.x] mock: fix mocking of Uint8Array and ArrayBuffers as provided mock-responses by @github-actions in https://github.com/nodejs/undici/pull/3689
[Backport v6.x] handle body errors by @Uzlopak in https://github.com/nodejs/undici/pull/3700

Full Changelog: nodejs/undici@v6.19.8...v6.20.0

`v6.19.8`

`v6.19.7`

Full Changelog: nodejs/undici@v6.19.6...v6.19.7

`v6.19.6`

Full Changelog: nodejs/undici@v6.19.5...v6.19.6

`v6.19.5`

Full Changelog: nodejs/undici@v6.19.4...v6.19.5

`v6.19.4`

`v6.19.3`

Full Changelog: nodejs/undici@v6.19.2...v6.19.3

`v6.19.2`

What's Changed

fix #3337 by @KhafraDev in https://github.com/nodejs/undici/pull/3338
build: use husky as husky install is deprecated by @jazelly in https://github.com/nodejs/undici/pull/3340
fix: interceptors.d.ts has no default export by @Uzlopak in https://github.com/nodejs/undici/pull/3332

Full Changelog: nodejs/undici@v6.19.1...v6.19.2

`v6.19.1`

What's Changed

don't append empty origin by @KhafraDev in https://github.com/nodejs/undici/pull/3335

Full Changelog: nodejs/undici@v6.19.0...v6.19.1

`v6.19.0`

What's Changed

build(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @dependabot in https://github.com/nodejs/undici/pull/3305
build(deps): bump codecov/codecov-action from 4.3.1 to 4.4.1 by @dependabot in https://github.com/nodejs/undici/pull/3303
build(deps): bump step-security/harden-runner from 2.7.1 to 2.8.0 by @dependabot in https://github.com/nodejs/undici/pull/3304
build(deps): bump github/codeql-action from 3.25.3 to 3.25.7 by @dependabot in https://github.com/nodejs/undici/pull/3306
build(deps): bump node from 9e8f45f to dd7e693 in /build by @dependabot in https://github.com/nodejs/undici/pull/3309
build(deps): bump node from dd7e693 to e6d4495 in /build by @dependabot in https://github.com/nodejs/undici/pull/3313
remove websocket experimental warning by @KhafraDev in https://github.com/nodejs/undici/pull/3311
perf: optimization of request instantiation by @tsctx in https://github.com/nodejs/undici/pull/3107
perf: convert object to params by @DarkGL in https://github.com/nodejs/undici/pull/3302
build(deps-dev): bump borp from 0.14.0 to 0.15.0 by @dependabot in https://github.com/nodejs/undici/pull/3320
build(deps-dev): bump c8 from 9.1.0 to 10.0.0 by @dependabot in https://github.com/nodejs/undici/pull/3321
fix: add missing error classes to types by @maxbeatty in https://github.com/nodejs/undici/pull/3316
export interceptor to type def file by @jakecastelli in https://github.com/nodejs/undici/pull/3318
build(deps): bump node from e6d4495 to 075a5cc in /build by @dependabot in https://github.com/nodejs/undici/pull/3326
doc: clearify the behaviour of bodyTimeout in the request by @jakecastelli in https://github.com/nodejs/undici/pull/3324
feature: support pre-shared sessions by @tastypackets in https://github.com/nodejs/undici/pull/3325

New Contributors

@maxbeatty made their first contribution in https://github.com/nodejs/undici/pull/3316
@jakecastelli made their first contribution in https://github.com/nodejs/undici/pull/3318

Full Changelog: nodejs/undici@v6.18.2...v6.19.0

`v6.18.2`

`v6.18.1`

What's Changed

docs: Update references to dispatcher in docs by @haikyuu in https://github.com/nodejs/undici/pull/3281
fix: compatibility for global headers by @tsctx in https://github.com/nodejs/undici/pull/3286
websocket: pre-calculated length by @tsctx in https://github.com/nodejs/undici/pull/3284
ci: fix autobahn workflow by @Uzlopak in https://github.com/nodejs/undici/pull/3291
revert: "websocket: pre-calculated length" by @KhafraDev in https://github.com/nodejs/undici/pull/3290
websocket: use FixedQueue instead of Set by @tsctx in https://github.com/nodejs/undici/pull/3283

New Contributors

@haikyuu made their first contribution in https://github.com/nodejs/undici/pull/3281

Full Changelog: nodejs/undici@v6.18.0...v6.18.1

`v6.18.0`

What's Changed

permessage-deflate decompression support in websocket by @KhafraDev in https://github.com/nodejs/undici/pull/3263
fix: Fix server closing in tests. by @ShogunPanda in https://github.com/nodejs/undici/pull/3279

Full Changelog: nodejs/undici@v6.17.0...v6.18.0

`v6.17.0`

What's Changed

fetch: fix captureStackTrace by @Uzlopak in https://github.com/nodejs/undici/pull/3227
fetch: fix wpt test request-upload.any.js by @Uzlopak in https://github.com/nodejs/undici/pull/3234
websocket: don't clone buffer by @tsctx in https://github.com/nodejs/undici/pull/3240
Remove unecessary async from writeBuffer by @DarkGL in https://github.com/nodejs/undici/pull/3245
refactor websocket control frame handling by @KhafraDev in https://github.com/nodejs/undici/pull/3241
fix parsing continuation frames in websocket by @KhafraDev in https://github.com/nodejs/undici/pull/3247
ci: node nightly test should use node 23 by @Uzlopak in https://github.com/nodejs/undici/pull/3248
Add test to verify if the connection is correctly aborted on cancel by @mcollina in https://github.com/nodejs/undici/pull/3219
Autobahn suite by @KhafraDev in https://github.com/nodejs/undici/pull/3251
websocket: fix 6 autobahn tests by @KhafraDev in https://github.com/nodejs/undici/pull/3254
websocket: checkout correct commit in autobahn workflow by @Uzlopak in https://github.com/nodejs/undici/pull/3258
Cleanup websocket by @KhafraDev in https://github.com/nodejs/undici/pull/3257
websocket: autobahn workflow should fail on error by @Uzlopak in https://github.com/nodejs/undici/pull/3259
add bodymixin bytes by @KhafraDev in https://github.com/nodejs/undici/pull/3262
perf: avoid buffer cloning by @tsctx in https://github.com/nodejs/undici/pull/3264
feat: dump interceptor by @metcoder95 in https://github.com/nodejs/undici/pull/3118
use private properties in Headers by @KhafraDev in https://github.com/nodejs/undici/pull/3269
Revert "websocket: autobahn workflow should fail on error" by @Uzlopak in https://github.com/nodejs/undici/pull/3270
build(deps): bump node from 487dc5d to 9e8f45f in /build by @dependabot in https://github.com/nodejs/undici/pull/3271

New Contributors

@DarkGL made their first contribution in https://github.com/nodejs/undici/pull/3245

Full Changelog: nodejs/undici@v6.16.1...v6.17.0

`v6.16.1`

What's Changed

fix some typos by @Uzlopak in https://github.com/nodejs/undici/pull/3217
websocket: move codeblock in parseCloseBody by @Uzlopak in https://github.com/nodejs/undici/pull/3215
fetch: enable wpt test request-referrer.any.js by @Uzlopak in https://github.com/nodejs/undici/pull/3223
fetch: wpt add /fetch/api/resources/cache.py to server.mjs by @Uzlopak in https://github.com/nodejs/undici/pull/3225
add pipe support for wpt server by @KhafraDev in https://github.com/nodejs/undici/pull/3228
test: reduce the number of requests in fire-and-forget.js by @tsctx in https://github.com/nodejs/undici/pull/3229
ci: add node 22 in ci test matrix, use 22 for coverage by @Uzlopak in https://github.com/nodejs/undici/pull/3226
fetch: don't set an invalid origin header by @KhafraDev in https://github.com/nodejs/undici/pull/3235
fail wpt runner if expected failures does not match actual by @KhafraDev in https://github.com/nodejs/undici/pull/3236
fix: ignore content-length when dumping HEAD by @ronag in https://github.com/nodejs/undici/pull/3222

Full Changelog: nodejs/undici@v6.16.0...v6.16.1

`v6.16.0`

What's Changed

add index to sequence converter errors by @KhafraDev in https://github.com/nodejs/undici/pull/3178
build(deps-dev): bump borp from 0.12.0 to 0.13.0 by @dependabot in https://github.com/nodejs/undici/pull/3179
build(deps): bump node from 21-alpine3.19 to 22-alpine3.19 in /build by @dependabot in https://github.com/nodejs/undici/pull/3180
build(deps): bump superagent from 8.1.2 to 9.0.2 in /benchmarks by @dependabot in https://github.com/nodejs/undici/pull/3181
fix: keep raw header name by @tsctx in https://github.com/nodejs/undici/pull/3183
fix(fetch): improve Headers and Request type-compatibility by @kettanaito in https://github.com/nodejs/undici/pull/1964
fix 3 mimesniff tests by @KhafraDev in https://github.com/nodejs/undici/pull/3185
build(deps): bump hendrikmuhs/ccache-action from 1.2.12 to 1.2.13 by @dependabot in https://github.com/nodejs/undici/pull/3187
build(deps): bump codecov/codecov-action from 4.1.1 to 4.3.1 by @dependabot in https://github.com/nodejs/undici/pull/3191
build(deps): bump github/codeql-action from 3.24.9 to 3.25.3 by @dependabot in https://github.com/nodejs/undici/pull/3192
build(deps): bump actions/dependency-review-action from 4.2.5 to 4.3.2 by @dependabot in https://github.com/nodejs/undici/pull/3189
build(deps): bump step-security/harden-runner from 2.7.0 to 2.7.1 by @dependabot in https://github.com/nodejs/undici/pull/3188
build(deps): bump actions/upload-artifact from 4.3.1 to 4.3.3 by @dependabot in https://github.com/nodejs/undici/pull/3190
build(deps): bump node from 9459e24 to 487dc5d in /build by @dependabot in https://github.com/nodejs/undici/pull/3195
perf: avoid spread in makeRequest() by @gunjam in https://github.com/nodejs/undici/pull/3193
refactor: code cleanup by @tsctx in https://github.com/nodejs/undici/pull/3194
fix parsing when receiving empty body websocket by @KhafraDev in https://github.com/nodejs/undici/pull/3205
fix: MockResponseCallbackOptions type by @merojosa in https://github.com/nodejs/undici/pull/2951
docs(proxy): fix typo by @kanadgupta in https://github.com/nodejs/undici/pull/3207
fix websocket receiving an invalid utf-8 in close frame by @KhafraDev in https://github.com/nodejs/undici/pull/3206
perf: avoid setImmediate if body is reading by @ronag in https://github.com/nodejs/undici/pull/3210
fix: request abort signal by @ronag in https://github.com/nodejs/undici/pull/3209
fix: remove abort handler on close by @ronag in https://github.com/nodejs/undici/pull/3211
fix: pass abort function by @tsctx in https://github.com/nodejs/undici/pull/3212
websocket: 200x faster generate mask by @tsctx in https://github.com/nodejs/undici/pull/3204
use FinalizationRegistry to cancel the body if response is collected by @mcollina in https://github.com/nodejs/undici/pull/3199
websocket: don't clone buffer if it's not needed. by @tsctx in https://github.com/nodejs/undici/pull/3214
websocket: use FastBuffer by @tsctx in https://github.com/nodejs/undici/pull/3213

New Contributors

@kettanaito made their first contribution in https://github.com/nodejs/undici/pull/1964
@gunjam made their first contribution in https://github.com/nodejs/undici/pull/3193
@merojosa made their first contribution in https://github.com/nodejs/undici/pull/2951
@kanadgupta made their first contribution in https://github.com/nodejs/undici/pull/3207

Full Changelog: nodejs/undici@v6.15.0...v6.16.0

`v6.15.0`

What's Changed

Expose EnvHttpProxyAgent to Node.js core bundle, so it can be turned … by @mcollina in https://github.com/nodejs/undici/pull/3148
test: add headerslist copy check by @tsctx in https://github.com/nodejs/undici/pull/3156
chore: ensure automated v6 release compared to v6 by @mweberxyz in https://github.com/nodejs/undici/pull/3149
fetch: do not leak signal listeners by @mcollina in https://github.com/nodejs/undici/pull/3158
fix: request cache mode is not the same as request mode by @tsibley in https://github.com/nodejs/undici/pull/3151
fetch: don't re-lowercase HeadersList by @tsctx in https://github.com/nodejs/undici/pull/3159
fix casing issue when cloning Headers object by @KhafraDev in https://github.com/nodejs/undici/pull/3160
build(deps): bump node from 6d0f18a to db8772d in /build by @dependabot in https://github.com/nodejs/undici/pull/3163
fix header cloning bug by @tsctx in https://github.com/nodejs/undici/pull/3162
chore: change bench naming for h2 by @metcoder95 in https://github.com/nodejs/undici/pull/3165
expose WebSocket related events in node bundle by @KhafraDev in https://github.com/nodejs/undici/pull/3167
feat: add support for if-match on retry handler by @metcoder95 in https://github.com/nodejs/undici/pull/3144
fix: correct firing order of abort events by @tsctx in https://github.com/nodejs/undici/pull/3169
create fast MessageEvent by @KhafraDev in https://github.com/nodejs/undici/pull/3170
chore: add explicitly @fastify/busboy by @Uzlopak in https://github.com/nodejs/undici/pull/3172
chore: remove sinon as dev dependency by @Uzlopak in https://github.com/nodejs/undici/pull/3171
webidl changes by @KhafraDev in https://github.com/nodejs/undici/pull/3175
preserve dictionary key name in webidl errors by @KhafraDev in https://github.com/nodejs/undici/pull/3176

New Contributors

@tsibley made their first contribution in https://github.com/nodejs/undici/pull/3151

Full Changelog: nodejs/undici@v6.14.1...v6.15.0

`v6.14.1`

What's Changed

fix: tweak keep-alive timeout implementation by @mweberxyz in https://github.com/nodejs/undici/pull/3145
build(deps-dev): bump borp from 0.11.0 to 0.12.0 by @dependabot in https://github.com/nodejs/undici/pull/3153
build(deps): bump node from ad255c6 to 6d0f18a in /build by @dependabot in https://github.com/nodejs/undici/pull/3154
fix(EnvHttpProxyAgent): prefer lowercase env vars by @10xLaCroixDrinker in https://github.com/nodejs/undici/pull/3152

Full Changelog: nodejs/undici@v6.14.0...v6.14.1

`v6.14.0`

What's Changed

bench: enable benchmarks for h2 by @metcoder95 in https://github.com/nodejs/undici/pull/3100
perf: improve performance of isomorphicEncode by @tsctx in https://github.com/nodejs/undici/pull/3101
util: remove isReadableAborted by @Uzlopak in https://github.com/nodejs/undici/pull/3104
fix(types): The second parameter of EventSource is optional by @zbinlin in https://github.com/nodejs/undici/pull/3106
fix: onConnect types by @ronag in https://github.com/nodejs/undici/pull/3116
add dispatcher option to EventSource by @KhafraDev in https://github.com/nodejs/undici/pull/3119
core: improve parseURL by @Uzlopak in https://github.com/nodejs/undici/pull/3102
test: increase coverage by @Uzlopak in https://github.com/nodejs/undici/pull/3121
docs: add directions to run docs and benchmarks by @FatumaA in https://github.com/nodejs/undici/pull/3092
perf: avoid unnecessary clone by @tsctx in https://github.com/nodejs/undici/pull/3117
build(deps-dev): bump borp from 0.10.0 to 0.11.0 by @dependabot in https://github.com/nodejs/undici/pull/3126
drop node support for < v18.17.0 by @KhafraDev in https://github.com/nodejs/undici/pull/3125
test: improve test and ci performance by @Uzlopak in https://github.com/nodejs/undici/pull/3135
Added EnvHttpProxyAgent to support HTTP_PROXY by @10xLaCroixDrinker in https://github.com/nodejs/undici/pull/2994
fetch: Change wording of "Body is unusable" error by @nzakas in https://github.com/nodejs/undici/pull/3105
perf: use class instead of object literals with getters by @tsctx in https://github.com/nodejs/undici/pull/3138
fix: unhandled exception or failing error body by @ronag in https://github.com/nodejs/undici/pull/3137
reuse realm for Request/Response by @KhafraDev in https://github.com/nodejs/undici/pull/3142
fix(H2-#3140): abort requets upon GOAWAY by @metcoder95 in https://github.com/nodejs/undici/pull/3143
don't store realm on Request/Response by @KhafraDev in https://github.com/nodejs/undici/pull/3146
improve: wasm build by @Uzlopak in https://github.com/nodejs/undici/pull/3074

New Contributors

@10xLaCroixDrinker made their first contribution in https://github.com/nodejs/undici/pull/2994
@nzakas made their first contribution in https://github.com/nodejs/undici/pull/3105

Full Changelog: nodejs/undici@v6.13.0...v6.14.0

`v6.13.0`

What's Changed

build(deps): bump node from 9696b26 to ad255c6 in /build by @dependabot in https://github.com/nodejs/undici/pull/3073
test: remove only by @metcoder95 in https://github.com/nodejs/undici/pull/3077
fix: defer errors with setImmediate by @ronag in https://github.com/nodejs/undici/pull/3081
improve DecoratorHandler by @Uzlopak in https://github.com/nodejs/undici/pull/3079
chore: removed unused escapeFormDataName by @mcollina in https://github.com/nodejs/undici/pull/3084
Mention option to pass streams into FormData by @JaoodxD in https://github.com/nodejs/undici/pull/3086
fetch: improve performance of isValidEncodedURL by @Uzlopak in https://github.com/nodejs/undici/pull/3090
optimize utf8Decode by @Uzlopak in https://github.com/nodejs/undici/pull/3085
refactor: h2 refactoring by @metcoder95 in https://github.com/nodejs/undici/pull/3082
Skip the creation of a transform stream in fetch by @mcollina in https://github.com/nodejs/undici/pull/3093
fetch: improve performance of urlHasHttpsScheme by @Uzlopak in https://github.com/nodejs/undici/pull/3094
fetch: avoid creation of an intermediary ReadableStream by @KhafraDev in https://github.com/nodejs/undici/pull/3095
test: duplicate jest unspecific tests to native runner by @Uzlopak in https://github.com/nodejs/undici/pull/3075
build(deps): bump node from ad255c6 to 6d0f18a in /build by @dependabot in https://github.com/nodejs/undici/pull/3096
fetch: improve performance of isValidHeaderValue by @Uzlopak in https://github.com/nodejs/undici/pull/3098
chore: automate releases with pr by @mweberxyz in https://github.com/nodejs/undici/pull/3089

New Contributors

@github-actions made their first contribution in https://github.com/nodejs/undici/pull/3099

Full Changelog: nodejs/undici@v6.12.0...v6.13.0

`v6.12.0`

What's Changed

fix: broken test by @tsctx in https://github.com/nodejs/undici/pull/3045
fix: http2 header parsing by @climba03003 in https://github.com/nodejs/undici/pull/3047
types: fix Request.refererPolicy and RequestInit.refererPolicy are incompatible by @zbinlin in https://github.com/nodejs/undici/pull/3039
fix(types): onHeaders always takes headers as an array of buffer by @ronag in https://github.com/nodejs/undici/pull/3050
fix: ProxyAgent causes request.headers.host to be forcibly reset by @1zilc in https://github.com/nodejs/undici/pull/3026
fallback to Buffer.isUtf8 on platforms without icu by @KhafraDev in https://github.com/nodejs/undici/pull/3006
build(deps): bump github/codeql-action from 3.24.6 to 3.24.9 by @dependabot in https://github.com/nodejs/undici/pull/3037
build(deps): bump actions/dependency-review-action from 4.1.3 to 4.2.5 by @dependabot in https://github.com/nodejs/undici/pull/3035
build(deps): bump node from 577f8eb to 87524df in /build by @dependabot in https://github.com/nodejs/undici/pull/3055
build(deps): bump node from 87524df to 9696b26 in /build by @dependabot in https://github.com/nodejs/undici/pull/3058
fetch: Block ports 4190 & 6679 by @KhafraDev in https://github.com/nodejs/undici/pull/3059
test: activate testing for interceptors and cache by @Uzlopak in https://github.com/nodejs/undici/pull/3061
cache: improve test coverage by @Uzlopak in https://github.com/nodejs/undici/pull/3063
feat: modernize fuzzing by @Uzlopak in https://github.com/nodejs/undici/pull/3060
fix: request abort by @ronag in https://github.com/nodejs/undici/pull/3056
fix: signal handling by @ronag in https://github.com/nodejs/undici/pull/3053
fix(H2): handle goaway properly by @metcoder95 in https://github.com/nodejs/undici/pull/3057
test: client, set body to null if bigger than CHUNK_LIMIT by @Uzlopak in https://github.com/nodejs/undici/pull/3064
mock: improve mock interceptor by @Uzlopak in https://github.com/nodejs/undici/pull/3062
fix: bad client destroy on servername change by @ronag in https://github.com/nodejs/undici/pull/3066
perf: improve isBlobLike by @Uzlopak in https://github.com/nodejs/undici/pull/3070
test: add sanity check for llhttp wasm files by @Uzlopak in https://github.com/nodejs/undici/pull/3068

New Contributors

@zbinlin made their first contribution in https://github.com/nodejs/undici/pull/3039
@1zilc made their first contribution in https://github.com/nodejs/undici/pull/3026

Full Changelog: nodejs/undici@v6.11.1...v6.12.0

`v6.11.1`

⚠️ Security Release ⚠️

What's Changed

Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261
Revert "fix: don't leak internal class (#3024)" by @mcollina in https://github.com/nodejs/undici/pull/3044

Full Changelog: nodejs/undici@v6.11.0...v6.11.1

`v6.11.0`

What's Changed

refactor(#3023): Pass headers as array instead by @metcoder95 in https://github.com/nodejs/undici/pull/3025
fix: don't leak internal class by @ronag in https://github.com/nodejs/undici/pull/3024
build(deps): bump codecov/codecov-action from 4.1.0 to 4.1.1 by @dependabot in https://github.com/nodejs/undici/pull/3034
build(deps-dev): bump tsd from 0.30.7 to 0.31.0 by @dependabot in https://github.com/nodejs/undici/pull/3038
build(deps-dev): bump borp from 0.9.1 to 0.10.0 by @dependabot in https://github.com/nodejs/undici/pull/2947
missing commits by @ronag in https://github.com/nodejs/undici/pull/3040
build(deps): bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in https://github.com/nodejs/undici/pull/3036
fix: regexp pattern by @tsctx in https://github.com/nodejs/undici/pull/3041

Full Changelog: nodejs/undici@v6.10.2...v6.11.0

`v6.10.2`

What's Changed

Do not fail test if streams support typed arrays by @mcollina in https://github.com/nodejs/undici/pull/2978
fix(fetch): properly redirect non-ascii location header url by @Xvezda in https://github.com/nodejs/undici/pull/2971
perf: Remove double-stringify in setCookie by @peterver in https://github.com/nodejs/undici/pull/2980
[fix #2982] use DispatcherInterceptor type for Dispatcher#Compose by @clovis-guillemot in https://github.com/nodejs/undici/pull/2983
fix: make EventSource properties enumerable by @MattBidewell in https://github.com/nodejs/undici/pull/2987
docs: ✏️ fixed benchmark links by @benhalverson in https://github.com/nodejs/undici/pull/2991
fix(#2986): bad start check by @metcoder95 in https://github.com/nodejs/undici/pull/2992
fix(H2 Client): bind stream 'data' listener only after received 'response' event by @St3ffGv4 in https://github.com/nodejs/undici/pull/2985
feat: added search input by @benhalverson in https://github.com/nodejs/undici/pull/2993
chore: validate responses can be consumed without a Content-Length or… by @jacob-ebey in https://github.com/nodejs/undici/pull/2995
fix error message by @KhafraDev in https://github.com/nodejs/undici/pull/2998
Revert "perf: reuse TextDecoder instance (#2863)" by @panva in https://github.com/nodejs/undici/pull/2999
test: remove only by @metcoder95 in https://github.com/nodejs/undici/pull/3001

New Contributors

@Xvezda made their first contribution in https://github.com/nodejs/undici/pull/2971
@peterver made their first contribution in https://github.com/nodejs/undici/pull/2980
[@&Add debug logging for objects #8

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot added the dependencies label

codecov bot commented Apr 4, 2024 •

edited

Loading

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 64.25%. Comparing base (87632f6) to head (a61d503).

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #571   +/-   ##
=======================================
  Coverage   64.25%   64.25%           
=======================================
  Files         262      262           
  Lines       19527    19527           
  Branches     1550     1550           
=======================================
  Hits        12547    12547           
  Misses       6980     6980

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.


          Update dependency undici to v6.21.1 [SECURITY]

a61d503

renovate bot force-pushed the renovate/npm-undici-vulnerability branch from 3057353 to a61d503 Compare

January 22, 2025 01:36

renovate bot changed the title ~~Update dependency undici to v6.11.1 [SECURITY]~~ Update dependency undici to v6.21.1 [SECURITY]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels