Closed renovate[bot] closed 5 months ago
Latest commit: a2b615038fa458bee0a534d3ad5e4b8238a227a8
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
Click here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
This pull request is automatically built and testable in CodeSandbox.
To see build info of the built libraries, click here or the icon next to each commit SHA.
This PR contains the following updates:
5.28.3
->5.28.4
GitHub Vulnerability Alerts
CVE-2024-30261
Impact
If an attacker can alter the
integrity
option passed tofetch()
, they can letfetch()
accept requests as valid even if they have been tampered.Patches
Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes has been released in v5.28.4 and v6.11.1.
Workarounds
Ensure that
integrity
cannot be tampered with.References
https://hackerone.com/reports/2377760
CVE-2024-30260
Impact
Undici cleared Authorization and Proxy-Authorization headers for
fetch()
, but did not clear them forundici.request()
.Patches
This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes has been released in v5.28.4 and v6.11.1.
Workarounds
use
fetch()
or disablemaxRedirections
.References
Linzi Shang reported this.
Release Notes
nodejs/undici (undici)
### [`v5.28.4`](https://togithub.com/nodejs/undici/releases/tag/v5.28.4) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.28.3...v5.28.4) #### :warning: Security Release :warning: **Full Changelog**: https://github.com/nodejs/undici/compare/v6.11.0...v5.28.4Configuration
📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.