Closed renovate[bot] closed 3 months ago
Visit the preview URL for this PR (updated for commit 2f62fff):
https://whatsappapijs--pr329-renovate-npm-undici-yk23k8kw.web.app
(expires Thu, 11 Apr 2024 14:24:00 GMT)
🔥 via Firebase Hosting GitHub Action 🌎
Sign: 80a8dc4ceea5c783aae1d47b75797ee5b6c2f4be
This PR contains the following updates:

| Package | Change |
| --- | --- |
| [undici](https://togithub.com/nodejs/undici) | `6.10.2` -> `6.11.1` |
### GitHub Vulnerability Alerts

#### CVE-2024-30260

**Impact**

Undici cleared `Authorization` and `Proxy-Authorization` headers for `fetch()`, but did not clear them for `undici.request()`.

**Patches**

This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes have been released in v5.28.4 and v6.11.1.

**Workarounds**

Use `fetch()` or disable `maxRedirections`.

**References**

Linzi Shang reported this.
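The rule this advisory concerns, shown as an added illustration rather than undici's own code: a redirect follower that drops `Authorization` and `Proxy-Authorization` whenever a redirect lands on a different origin, exercised against a constructed transport that records the headers each hop received. The URLs, the bearer token and the `transport(url, headers)` callback are assumptions made for the example.

```javascript
// Added illustration of the rule behind CVE-2024-30260 (not undici's code):
// credential headers must not follow a redirect to another origin.
// The transport is a constructed stand-in so the example runs offline.

const CREDENTIAL_HEADERS = ['authorization', 'proxy-authorization'];

// Two URLs share an origin when scheme, host and port all match
// (URL.host includes the port when one is present).
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Copy of `headers` with credential headers removed when the redirect leaves
// the origin of the request that carried them; same-origin redirects keep them.
function headersForRedirect(fromUrl, toUrl, headers) {
  const crossOrigin = !sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && CREDENTIAL_HEADERS.includes(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Follow redirects by hand, applying headersForRedirect on every hop.
// `transport(url, headers)` is an assumed callback returning
// { status, location, body }; a real client would wrap its HTTP call here.
function requestWithSafeRedirects(transport, url, headers, maxRedirections = 5) {
  let currentUrl = url;
  let currentHeaders = { ...headers };
  for (let hop = 0; ; hop++) {
    const res = transport(currentUrl, currentHeaders);
    const isRedirect = res.status >= 300 && res.status < 400 && Boolean(res.location);
    if (!isRedirect) return { ...res, url: currentUrl };
    if (hop >= maxRedirections) throw new Error('too many redirects');
    const nextUrl = new URL(res.location, currentUrl).toString();
    currentHeaders = headersForRedirect(currentUrl, nextUrl, currentHeaders);
    currentUrl = nextUrl;
  }
}

// Constructed transport: api.example.test redirects to a different origin,
// which then redirects within its own origin. Every hop's headers are recorded.
function makeRecordingTransport() {
  const routes = {
    'https://api.example.test/v1/data': { status: 302, location: 'https://other.example.test/landing' },
    'https://other.example.test/landing': { status: 301, location: '/final' },
    'https://other.example.test/final': { status: 200, body: 'ok' },
  };
  const seen = [];
  const transport = (url, headers) => {
    seen.push({ url, headers: { ...headers } });
    return routes[url] ? { ...routes[url] } : { status: 404, body: '' };
  };
  return { transport, seen };
}

// Run the flow with a constructed bearer token and report what each hop saw:
// hop 0 carries Authorization, hops 1 and 2 (other origin) must not.
function demo() {
  const { transport, seen } = makeRecordingTransport();
  const res = requestWithSafeRedirects(transport, 'https://api.example.test/v1/data', {
    Authorization: 'Bearer constructed-token',
    Accept: 'application/json',
  });
  return { status: res.status, hops: seen };
}
```

`demo()` returns the final status and the per-hop header record; the second hop, on `other.example.test`, no longer carries the token while non-credential headers such as `Accept` are kept. The same check is what a client that follows redirects itself (or sets `maxRedirections` on a request API) needs to apply, which is why the workaround above is to stop following redirects automatically until the fixed version is in place.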
#### CVE-2024-30261

**Impact**

If an attacker can alter the `integrity` option passed to `fetch()`, they can let `fetch()` accept requests as valid even if they have been tampered with.

**Patches**

Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes have been released in v5.28.4 and v6.11.1.

**Workarounds**

Ensure that `integrity` cannot be tampered with.

**References**

https://hackerone.com/reports/2377760
### Release Notes

nodejs/undici (undici)

### [`v6.11.1`](https://togithub.com/nodejs/undici/compare/v6.11.0...6df3c738d03dc4014a26640316bf699950d62024)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.11.0...v6.11.1)

### [`v6.11.0`](https://togithub.com/nodejs/undici/compare/v6.10.2...ee5f892f3955eaca37730ed30349153ba203e9cd)

[Compare Source](https://togithub.com/nodejs/undici/compare/v6.10.2...v6.11.0)