renovate[bot]
commented
1 month ago Renovate Ignore Notification
Because you closed this PR without merging, Renovate will ignore this update (6.19.2). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.
If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
This PR contains the following updates:
6.16.0->6.19.2GitHub Vulnerability Alerts
CVE-2024-38372
Impact
Depending on network and process conditions of a
fetch()request,response.arrayBuffer()might include portion of memory from the Node.js process.Patches
This has been patched in v6.19.2.
Workarounds
There are no known workaround.
References
https://github.com/nodejs/undici/issues/3337 https://github.com/nodejs/undici/issues/3328 https://github.com/nodejs/undici/pull/3338 https://github.com/nodejs/undici/commit/f979ec3204ca489abf30e7d20e9fee9ea7711d36
Release Notes
nodejs/undici (undici)
### [`v6.19.2`](https://togithub.com/nodejs/undici/releases/tag/v6.19.2) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.19.1...v6.19.2) #### What's Changed - fix [#3337](https://togithub.com/nodejs/undici/issues/3337) by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/3338](https://togithub.com/nodejs/undici/pull/3338) - build: use `husky` as `husky install` is deprecated by [@jazelly](https://togithub.com/jazelly) in [https://github.com/nodejs/undici/pull/3340](https://togithub.com/nodejs/undici/pull/3340) - fix: interceptors.d.ts has no default export by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/3332](https://togithub.com/nodejs/undici/pull/3332) **Full Changelog**: https://github.com/nodejs/undici/compare/v6.19.1...v6.19.2 ### [`v6.19.1`](https://togithub.com/nodejs/undici/releases/tag/v6.19.1) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.19.0...v6.19.1) #### What's Changed - don't append empty origin by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/3335](https://togithub.com/nodejs/undici/pull/3335) **Full Changelog**: https://github.com/nodejs/undici/compare/v6.19.0...v6.19.1 ### [`v6.19.0`](https://togithub.com/nodejs/undici/releases/tag/v6.19.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.18.2...v6.19.0) #### What's Changed - build(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/3305](https://togithub.com/nodejs/undici/pull/3305) - build(deps): bump codecov/codecov-action from 4.3.1 to 4.4.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/3303](https://togithub.com/nodejs/undici/pull/3303) - build(deps): bump step-security/harden-runner from 2.7.1 to 2.8.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/3304](https://togithub.com/nodejs/undici/pull/3304) - build(deps): bump github/codeql-action from 3.25.3 to 3.25.7 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/3306](https://togithub.com/nodejs/undici/pull/3306) - build(deps): bump node from `9e8f45f` to `dd7e693` in /build by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/3309](https://togithub.com/nodejs/undici/pull/3309) - build(deps): bump node from `dd7e693` to `e6d4495` in /build by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/3313](https://togithub.com/nodejs/undici/pull/3313) - remove websocket experimental warning by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/3311](https://togithub.com/nodejs/undici/pull/3311) - perf: optimization of request instantiation by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/3107](https://togithub.com/nodejs/undici/pull/3107) - perf: convert object to params by [@DarkGL](https://togithub.com/DarkGL) in [https://github.com/nodejs/undici/pull/3302](https://togithub.com/nodejs/undici/pull/3302) - build(deps-dev): bump borp from 0.14.0 to 0.15.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/3320](https://togithub.com/nodejs/undici/pull/3320) - build(deps-dev): bump c8 from 9.1.0 to 10.0.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/3321](https://togithub.com/nodejs/undici/pull/3321) - fix: add missing error classes to types by [@maxbeatty](https://togithub.com/maxbeatty) in [https://github.com/nodejs/undici/pull/3316](https://togithub.com/nodejs/undici/pull/3316) - export interceptor to type def file by [@jakecastelli](https://togithub.com/jakecastelli) in [https://github.com/nodejs/undici/pull/3318](https://togithub.com/nodejs/undici/pull/3318) - build(deps): bump node from `e6d4495` to `075a5cc` in /build by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/3326](https://togithub.com/nodejs/undici/pull/3326) - doc: clearify the behaviour of `bodyTimeout` in the request by [@jakecastelli](https://togithub.com/jakecastelli) in [https://github.com/nodejs/undici/pull/3324](https://togithub.com/nodejs/undici/pull/3324) - feature: support pre-shared sessions by [@tastypackets](https://togithub.com/tastypackets) in [https://github.com/nodejs/undici/pull/3325](https://togithub.com/nodejs/undici/pull/3325) #### New Contributors - [@maxbeatty](https://togithub.com/maxbeatty) made their first contribution in [https://github.com/nodejs/undici/pull/3316](https://togithub.com/nodejs/undici/pull/3316) - [@jakecastelli](https://togithub.com/jakecastelli) made their first contribution in [https://github.com/nodejs/undici/pull/3318](https://togithub.com/nodejs/undici/pull/3318) **Full Changelog**: https://github.com/nodejs/undici/compare/v6.18.2...v6.19.0 ### [`v6.18.2`](https://togithub.com/nodejs/undici/compare/v6.18.1...665f24738041757789fab95cce40cb0345cf2c0f) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.18.1...v6.18.2) ### [`v6.18.1`](https://togithub.com/nodejs/undici/releases/tag/v6.18.1) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.18.0...v6.18.1) #### What's Changed - docs: Update references to dispatcher in docs by [@haikyuu](https://togithub.com/haikyuu) in [https://github.com/nodejs/undici/pull/3281](https://togithub.com/nodejs/undici/pull/3281) - fix: compatibility for global headers by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/3286](https://togithub.com/nodejs/undici/pull/3286) - websocket: pre-calculated length by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/3284](https://togithub.com/nodejs/undici/pull/3284) - ci: fix autobahn workflow by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/3291](https://togithub.com/nodejs/undici/pull/3291) - revert: "websocket: pre-calculated length" by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/3290](https://togithub.com/nodejs/undici/pull/3290) - websocket: use FixedQueue instead of Set by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/3283](https://togithub.com/nodejs/undici/pull/3283) #### New Contributors - [@haikyuu](https://togithub.com/haikyuu) made their first contribution in [https://github.com/nodejs/undici/pull/3281](https://togithub.com/nodejs/undici/pull/3281) **Full Changelog**: https://github.com/nodejs/undici/compare/v6.18.0...v6.18.1 ### [`v6.18.0`](https://togithub.com/nodejs/undici/releases/tag/v6.18.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.17.0...v6.18.0) #### What's Changed - permessage-deflate decompression support in websocket by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/3263](https://togithub.com/nodejs/undici/pull/3263) - fix: Fix server closing in tests. by [@ShogunPanda](https://togithub.com/ShogunPanda) in [https://github.com/nodejs/undici/pull/3279](https://togithub.com/nodejs/undici/pull/3279) **Full Changelog**: https://github.com/nodejs/undici/compare/v6.17.0...v6.18.0 ### [`v6.17.0`](https://togithub.com/nodejs/undici/releases/tag/v6.17.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.16.1...v6.17.0) #### What's Changed - fetch: fix captureStackTrace by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/3227](https://togithub.com/nodejs/undici/pull/3227) - fetch: fix wpt test request-upload.any.js by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/3234](https://togithub.com/nodejs/undici/pull/3234) - websocket: don't clone buffer by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/3240](https://togithub.com/nodejs/undici/pull/3240) - Remove unecessary async from writeBuffer by [@DarkGL](https://togithub.com/DarkGL) in [https://github.com/nodejs/undici/pull/3245](https://togithub.com/nodejs/undici/pull/3245) - refactor websocket control frame handling by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/3241](https://togithub.com/nodejs/undici/pull/3241) - fix parsing continuation frames in websocket by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/3247](https://togithub.com/nodejs/undici/pull/3247) - ci: node nightly test should use node 23 by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/3248](https://togithub.com/nodejs/undici/pull/3248) - Add test to verify if the connection is correctly aborted on cancel by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/3219](https://togithub.com/nodejs/undici/pull/3219) - Autobahn suite by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/3251](https://togithub.com/nodejs/undici/pull/3251) - websocket: fix 6 autobahn tests by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/3254](https://togithub.com/nodejs/undici/pull/3254) - websocket: checkout correct commit in autobahn workflow by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/3258](https://togithub.com/nodejs/undici/pull/3258) - Cleanup websocket by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/3257](https://togithub.com/nodejs/undici/pull/3257) - websocket: autobahn workflow should fail on error by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/3259](https://togithub.com/nodejs/undici/pull/3259) - add bodymixin bytes by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/3262](https://togithub.com/nodejs/undici/pull/3262) - perf: avoid buffer cloning by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/3264](https://togithub.com/nodejs/undici/pull/3264) - feat: dump interceptor by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/3118](https://togithub.com/nodejs/undici/pull/3118) - use private properties in Headers by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/3269](https://togithub.com/nodejs/undici/pull/3269) - Revert "websocket: autobahn workflow should fail on error" by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/3270](https://togithub.com/nodejs/undici/pull/3270) - build(deps): bump node from `487dc5d` to `9e8f45f` in /build by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/3271](https://togithub.com/nodejs/undici/pull/3271) #### New Contributors - [@DarkGL](https://togithub.com/DarkGL) made their first contribution in [https://github.com/nodejs/undici/pull/3245](https://togithub.com/nodejs/undici/pull/3245) **Full Changelog**: https://github.com/nodejs/undici/compare/v6.16.1...v6.17.0 ### [`v6.16.1`](https://togithub.com/nodejs/undici/releases/tag/v6.16.1) [Compare Source](https://togithub.com/nodejs/undici/compare/v6.16.0...v6.16.1) #### What's Changed - fix some typos by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/3217](https://togithub.com/nodejs/undici/pull/3217) - websocket: move codeblock in parseCloseBody by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/3215](https://togithub.com/nodejs/undici/pull/3215) - fetch: enable wpt test request-referrer.any.js by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/3223](https://togithub.com/nodejs/undici/pull/3223) - fetch: wpt add /fetch/api/resources/cache.py to server.mjs by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/3225](https://togithub.com/nodejs/undici/pull/3225) - add pipe support for wpt server by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/3228](https://togithub.com/nodejs/undici/pull/3228) - test: reduce the number of requests in `fire-and-forget.js` by [@tsctx](https://togithub.com/tsctx) in [https://github.com/nodejs/undici/pull/3229](https://togithub.com/nodejs/undici/pull/3229) - ci: add node 22 in ci test matrix, use 22 for coverage by [@Uzlopak](https://togithub.com/Uzlopak) in [https://github.com/nodejs/undici/pull/3226](https://togithub.com/nodejs/undici/pull/3226) - fetch: don't set an invalid origin header by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/3235](https://togithub.com/nodejs/undici/pull/3235) - fail wpt runner if expected failures does not match actual by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/3236](https://togithub.com/nodejs/undici/pull/3236) - fix: ignore content-length when dumping HEAD by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/3222](https://togithub.com/nodejs/undici/pull/3222) **Full Changelog**: https://github.com/nodejs/undici/compare/v6.16.0...v6.16.1Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
â™» Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.