chore(deps): undici v6.11.1 [security]

[renovate[bot]]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	6.10.2 -> 6.11.1

GitHub Vulnerability Alerts

CVE-2024-30260

Impact

Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request().

Patches

This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

use fetch() or disable maxRedirections.

References

Linzi Shang reported this.

• https://hackerone.com/reports/2408074
• https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3

CVE-2024-30261

Impact

If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered.

Patches

Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

Ensure that integrity cannot be tampered with.

References

https://hackerone.com/reports/2377760

---

Release Notes

nodejs/undici (undici)

### [`v6.11.1`](https://togithub.com/nodejs/undici/compare/v6.11.0...6df3c738d03dc4014a26640316bf699950d62024) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.11.0...v6.11.1) ### [`v6.11.0`](https://togithub.com/nodejs/undici/compare/v6.10.2...ee5f892f3955eaca37730ed30349153ba203e9cd) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.10.2...v6.11.0)

---

• [ ] If you want to rebase/retry this PR, check this box

[github-actions[bot]]

Visit the preview URL for this PR (updated for commit 2f62fff):

https://whatsappapijs--pr329-renovate-npm-undici-yk23k8kw.web.app

_{(expires Thu, 11 Apr 2024 14:24:00 GMT)}

_{🔥 via Firebase Hosting GitHub Action 🌎}

_{Sign: 80a8dc4ceea5c783aae1d47b75797ee5b6c2f4be}