cloudflare / miniflare

🔥 Fully-local simulator for Cloudflare Workers. For the latest version, see https://github.com/cloudflare/workers-sdk/tree/main/packages/miniflare.
https://miniflare.dev
MIT License

Bump undici library from 5.28.3 to 5.28.4 #773

Closed italopiresshopify closed 2 months ago

italopiresshopify commented 3 months ago

In order to resolve:

Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect

Impact: If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered with.

References: https://hackerone.com/reports/2377760

changeset-bot[bot] commented 3 months ago

⚠️ No Changeset found

Latest commit: aa80623f294bf16bfcfaa0fa3bbce5dfe76e88c2

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets. When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types.


italopiresshopify commented 3 months ago

@mrbbot Could you please merge this fix?

RamIdeas commented 2 months ago

It seems better-sqlite3 (a native dependency) does not compile on Node v22.

I have changed the GitHub Actions workflow to use v20 instead of "latest".