Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.
As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.
nodejs/undici (undici)
### [`v5.26.2`](https://togithub.com/nodejs/undici/releases/tag/v5.26.2)
[Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.1...v5.26.2)
Security Release, CVE-2023-45143.
### [`v5.26.1`](https://togithub.com/nodejs/undici/releases/tag/v5.26.1)
[Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.0...v5.26.1)
#### What's Changed
- Fix publish undici-types once and for all! by [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2338](https://togithub.com/nodejs/undici/pull/2338)
- Fix node detection omfg by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2341](https://togithub.com/nodejs/undici/pull/2341)
**Full Changelog**: https://github.com/nodejs/undici/compare/v5.26.0...v5.26.1
### [`v5.26.0`](https://togithub.com/nodejs/undici/releases/tag/v5.26.0)
[Compare Source](https://togithub.com/nodejs/undici/compare/5e654f351a9a813fed3e9feff4388b5c4fbda787...v5.26.0)
#### What's Changed
- use npm install instead of npm ci by [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2309](https://togithub.com/nodejs/undici/pull/2309)
- change default header to `node` by [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2310](https://togithub.com/nodejs/undici/pull/2310)
- chore: change order of the pseudo-headers by [@kyrylodolynskyi](https://togithub.com/kyrylodolynskyi) in [https://github.com/nodejs/undici/pull/2308](https://togithub.com/nodejs/undici/pull/2308)
- fix: Agent.Options.factory should accept URL object or string as parameter by [@nicole0707](https://togithub.com/nicole0707) in [https://github.com/nodejs/undici/pull/2295](https://togithub.com/nodejs/undici/pull/2295)
- build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2312](https://togithub.com/nodejs/undici/pull/2312)
- test: handle npm ignore-scripts settings by [@panva](https://togithub.com/panva) in [https://github.com/nodejs/undici/pull/2313](https://togithub.com/nodejs/undici/pull/2313)
- feat: respect `--max-http-header-size` Node.js flag by [@balazsorban44](https://togithub.com/balazsorban44) in [https://github.com/nodejs/undici/pull/2234](https://togithub.com/nodejs/undici/pull/2234)
- fix([#2311](https://togithub.com/nodejs/undici/issues/2311)): End stream after body sent by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2314](https://togithub.com/nodejs/undici/pull/2314)
- disallow setting host header in fetch by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2322](https://togithub.com/nodejs/undici/pull/2322)
- \[StepSecurity] ci: Harden GitHub Actions by [@step-security-bot](https://togithub.com/step-security-bot) in [https://github.com/nodejs/undici/pull/2325](https://togithub.com/nodejs/undici/pull/2325)
- fix fetch with coverage enabled by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2330](https://togithub.com/nodejs/undici/pull/2330)
- Fix stuck when using http2 POST Buffer by [@binsee](https://togithub.com/binsee) in [https://github.com/nodejs/undici/pull/2336](https://togithub.com/nodejs/undici/pull/2336)
- fix: 🏷️ add allowH2 to BuildOptions by [@binsee](https://togithub.com/binsee) in [https://github.com/nodejs/undici/pull/2334](https://togithub.com/nodejs/undici/pull/2334)
- fix: 🐛 fix process http2 header by [@binsee](https://togithub.com/binsee) in [https://github.com/nodejs/undici/pull/2332](https://togithub.com/nodejs/undici/pull/2332)
#### New Contributors
- [@kyrylodolynskyi](https://togithub.com/kyrylodolynskyi) made their first contribution in [https://github.com/nodejs/undici/pull/2308](https://togithub.com/nodejs/undici/pull/2308)
- [@nicole0707](https://togithub.com/nicole0707) made their first contribution in [https://github.com/nodejs/undici/pull/2295](https://togithub.com/nodejs/undici/pull/2295)
- [@balazsorban44](https://togithub.com/balazsorban44) made their first contribution in [https://github.com/nodejs/undici/pull/2234](https://togithub.com/nodejs/undici/pull/2234)
- [@binsee](https://togithub.com/binsee) made their first contribution in [https://github.com/nodejs/undici/pull/2336](https://togithub.com/nodejs/undici/pull/2336)
**Full Changelog**: https://github.com/nodejs/undici/compare/v5.23.4...v5.26.0
### [`v5.25.4`](https://togithub.com/nodejs/undici/compare/v5.25.3...5e654f351a9a813fed3e9feff4388b5c4fbda787)
[Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.3...5e654f351a9a813fed3e9feff4388b5c4fbda787)
### [`v5.25.3`](https://togithub.com/nodejs/undici/releases/tag/v5.25.3)
[Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.2...v5.25.3)
#### What's Changed
- perf: improve parse-url implementation by [@anonrig](https://togithub.com/anonrig) in [https://github.com/nodejs/undici/pull/2286](https://togithub.com/nodejs/undici/pull/2286)
- test: enable websockets inclusion in WPTReport by [@panva](https://togithub.com/panva) in [https://github.com/nodejs/undici/pull/2284](https://togithub.com/nodejs/undici/pull/2284)
- remove npm run test from pre-commit hook by [@dancastillo](https://togithub.com/dancastillo) in [https://github.com/nodejs/undici/pull/2296](https://togithub.com/nodejs/undici/pull/2296)
- perf: use [@fastify/busboy](https://togithub.com/fastify/busboy) by [@gurgunday](https://togithub.com/gurgunday) in [https://github.com/nodejs/undici/pull/2211](https://togithub.com/nodejs/undici/pull/2211)
- Disable finalizationregistry if node code cov by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2298](https://togithub.com/nodejs/undici/pull/2298)
#### New Contributors
- [@gurgunday](https://togithub.com/gurgunday) made their first contribution in [https://github.com/nodejs/undici/pull/2211](https://togithub.com/nodejs/undici/pull/2211)
**Full Changelog**: https://github.com/nodejs/undici/compare/v5.25.2...v5.25.3
### [`v5.25.2`](https://togithub.com/nodejs/undici/releases/tag/v5.25.2)
[Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.1...v5.25.2)
#### What's Changed
- Add Khaf to releasers by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2276](https://togithub.com/nodejs/undici/pull/2276)
- fix: fix request with readable mode is object by [@killagu](https://togithub.com/killagu) in [https://github.com/nodejs/undici/pull/2279](https://togithub.com/nodejs/undici/pull/2279)
- fix loading websockets when node is built w/ --without-ssl by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2282](https://togithub.com/nodejs/undici/pull/2282)
#### New Contributors
- [@killagu](https://togithub.com/killagu) made their first contribution in [https://github.com/nodejs/undici/pull/2279](https://togithub.com/nodejs/undici/pull/2279)
**Full Changelog**: https://github.com/nodejs/undici/compare/v5.25.1...v5.25.2
### [`v5.25.1`](https://togithub.com/nodejs/undici/releases/tag/v5.25.1)
[Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.0...v5.25.1)
#### What's Changed
- Add publish types script by [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2273](https://togithub.com/nodejs/undici/pull/2273)
**Full Changelog**: https://github.com/nodejs/undici/compare/v5.25.0...v5.25.1
### [`v5.25.0`](https://togithub.com/nodejs/undici/releases/tag/v5.25.0)
[Compare Source](https://togithub.com/nodejs/undici/compare/v5.24.0...v5.25.0)
#### What's Changed
- fix: h2 without body by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2258](https://togithub.com/nodejs/undici/pull/2258)
- ci: remove duplicated runs by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2265](https://togithub.com/nodejs/undici/pull/2265)
- improve documentation of timeouts by making the units clear in all places by [@mcfedr](https://togithub.com/mcfedr) in [https://github.com/nodejs/undici/pull/2266](https://togithub.com/nodejs/undici/pull/2266)
- expose websocket in node bundle by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2217](https://togithub.com/nodejs/undici/pull/2217)
- test: fix Fetch/HTTP2 tests by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2263](https://togithub.com/nodejs/undici/pull/2263)
- fix undici when node is built with --without-ssl by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2272](https://togithub.com/nodejs/undici/pull/2272)
- fix: Fix type definition for Client Interceptors by [@ComradeCow](https://togithub.com/ComradeCow) in [https://github.com/nodejs/undici/pull/2269](https://togithub.com/nodejs/undici/pull/2269)
- Fix http2 agent by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2275](https://togithub.com/nodejs/undici/pull/2275)
#### New Contributors
- [@ComradeCow](https://togithub.com/ComradeCow) made their first contribution in [https://github.com/nodejs/undici/pull/2269](https://togithub.com/nodejs/undici/pull/2269)
**Full Changelog**: https://github.com/nodejs/undici/compare/v5.24.0...v5.25.0
### [`v5.24.0`](https://togithub.com/nodejs/undici/releases/tag/v5.24.0)
[Compare Source](https://togithub.com/nodejs/undici/compare/v5.23.0...v5.24.0)
#### Notable Changes
- feat: Add H2 support by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2061](https://togithub.com/nodejs/undici/pull/2061)
#### What's Changed
- build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2203](https://togithub.com/nodejs/undici/pull/2203)
- better stack trace for body.json by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2215](https://togithub.com/nodejs/undici/pull/2215)
- allow http & https websocket urls by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2218](https://togithub.com/nodejs/undici/pull/2218)
- build(deps-dev): bump [@sinonjs/fake-timers](https://togithub.com/sinonjs/fake-timers) from 10.3.0 to 11.1.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2221](https://togithub.com/nodejs/undici/pull/2221)
- fix: pass ProxyAgent proxy status code error by [@NBNGaming](https://togithub.com/NBNGaming) in [https://github.com/nodejs/undici/pull/2162](https://togithub.com/nodejs/undici/pull/2162)
- fix failing test by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2223](https://togithub.com/nodejs/undici/pull/2223)
- docs: update MockPool.md intercept method description by [@capaj](https://togithub.com/capaj) in [https://github.com/nodejs/undici/pull/2220](https://togithub.com/nodejs/undici/pull/2220)
- Update wpts by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2226](https://togithub.com/nodejs/undici/pull/2226)
- build(deps): bump github/codeql-action from 2.21.2 to 2.21.5 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2240](https://togithub.com/nodejs/undici/pull/2240)
- build(deps): bump actions/setup-node from 3.6.0 to 3.8.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2237](https://togithub.com/nodejs/undici/pull/2237)
- build(deps): bump fastify/github-action-merge-dependabot from 3.9.0 to 3.9.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2236](https://togithub.com/nodejs/undici/pull/2236)
- build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2241](https://togithub.com/nodejs/undici/pull/2241)
- build(deps): bump actions/dependency-review-action from 3.0.6 to 3.0.8 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2238](https://togithub.com/nodejs/undici/pull/2238)
- fix: aborting request with non-object error by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2243](https://togithub.com/nodejs/undici/pull/2243)
- fix: preserve file path when parsing formdata by [@jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/nodejs/undici/pull/2245](https://togithub.com/nodejs/undici/pull/2245)
- build(deps-dev): bump tsd from 0.28.1 to 0.29.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2246](https://togithub.com/nodejs/undici/pull/2246)
- Updated benchmarks by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2250](https://togithub.com/nodejs/undici/pull/2250)
- Fix fetch in node v20.6.0 by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2251](https://togithub.com/nodejs/undici/pull/2251)
- Maybe fix v20 by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2252](https://togithub.com/nodejs/undici/pull/2252)
- feat: Add H2 support by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2061](https://togithub.com/nodejs/undici/pull/2061)
- docs: fix tables in README by [@regseb](https://togithub.com/regseb) in [https://github.com/nodejs/undici/pull/2254](https://togithub.com/nodejs/undici/pull/2254)
- Fix http2 fetch test by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2253](https://togithub.com/nodejs/undici/pull/2253)
#### New Contributors
- [@NBNGaming](https://togithub.com/NBNGaming) made their first contribution in [https://github.com/nodejs/undici/pull/2162](https://togithub.com/nodejs/undici/pull/2162)
- [@capaj](https://togithub.com/capaj) made their first contribution in [https://github.com/nodejs/undici/pull/2220](https://togithub.com/nodejs/undici/pull/2220)
- [@regseb](https://togithub.com/regseb) made their first contribution in [https://github.com/nodejs/undici/pull/2254](https://togithub.com/nodejs/undici/pull/2254)
**Full Changelog**: https://github.com/nodejs/undici/compare/v5.23.0...v5.24.0
### [`v5.23.0`](https://togithub.com/nodejs/undici/releases/tag/v5.23.0)
[Compare Source](https://togithub.com/nodejs/undici/compare/v5.22.1...v5.23.0)
#### What's Changed
- bump engines to node >= 16 by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/2119](https://togithub.com/nodejs/undici/pull/2119)
- Revert "bump engines to node >= 16 ([#2119](https://togithub.com/nodejs/undici/issues/2119))" by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/2121](https://togithub.com/nodejs/undici/pull/2121)
- fetch: set referrer properly by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2125](https://togithub.com/nodejs/undici/pull/2125)
- fix: support truncated gzip by [@jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/nodejs/undici/pull/2126](https://togithub.com/nodejs/undici/pull/2126)
- workflow: apply security best practices by [@step-security-bot](https://togithub.com/step-security-bot) in [https://github.com/nodejs/undici/pull/2130](https://togithub.com/nodejs/undici/pull/2130)
- build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2135](https://togithub.com/nodejs/undici/pull/2135)
- build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2133](https://togithub.com/nodejs/undici/pull/2133)
- build(deps): bump node from 18-alpine to 20-alpine in /build by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2131](https://togithub.com/nodejs/undici/pull/2131)
- build(deps): bump pkgjs/action from 0.1.6 to 0.1.7 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2136](https://togithub.com/nodejs/undici/pull/2136)
- build(deps): bump actions/checkout from 3.1.0 to 3.5.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2132](https://togithub.com/nodejs/undici/pull/2132)
- build(deps-dev): bump jsdom from 21.1.2 to 22.1.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2142](https://togithub.com/nodejs/undici/pull/2142)
- build(deps): bump fastify/github-action-merge-dependabot from 3.7.0 to 3.8.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2148](https://togithub.com/nodejs/undici/pull/2148)
- fix(pr): use correct pr template file by [@AugustinMauroy](https://togithub.com/AugustinMauroy) in [https://github.com/nodejs/undici/pull/2141](https://togithub.com/nodejs/undici/pull/2141)
- Additional WebSocket send tests to cover all payload size categories by [@jawj](https://togithub.com/jawj) in [https://github.com/nodejs/undici/pull/2149](https://togithub.com/nodejs/undici/pull/2149)
- fix: reverse decompression order of "Content-Encoding" encodings (fixes [#2158](https://togithub.com/nodejs/undici/issues/2158)) by [@rychkog](https://togithub.com/rychkog) in [https://github.com/nodejs/undici/pull/2159](https://togithub.com/nodejs/undici/pull/2159)
- fix: keep running WPTs if a test times out by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2165](https://togithub.com/nodejs/undici/pull/2165)
- feat: add build environment info by [@mhdawson](https://togithub.com/mhdawson) in [https://github.com/nodejs/undici/pull/2168](https://togithub.com/nodejs/undici/pull/2168)
- fix: forward error reason to fetch controller by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2172](https://togithub.com/nodejs/undici/pull/2172)
- stricter types for bodymixin.json by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2181](https://togithub.com/nodejs/undici/pull/2181)
- chore: Renable autoSelectFamily tests. by [@ShogunPanda](https://togithub.com/ShogunPanda) in [https://github.com/nodejs/undici/pull/2180](https://togithub.com/nodejs/undici/pull/2180)
- build(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2147](https://togithub.com/nodejs/undici/pull/2147)
- build(deps): bump github/codeql-action from 2.3.2 to 2.20.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2185](https://togithub.com/nodejs/undici/pull/2185)
- fix: fetch resource timing performance entry names should be strings by [@GaryWilber](https://togithub.com/GaryWilber) in [https://github.com/nodejs/undici/pull/2188](https://togithub.com/nodejs/undici/pull/2188)
- build(deps): bump actions/checkout from 3.5.2 to 3.5.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2176](https://togithub.com/nodejs/undici/pull/2176)
- build(deps): bump fastify/github-action-merge-dependabot from 3.8.0 to 3.9.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2177](https://togithub.com/nodejs/undici/pull/2177)
- build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2178](https://togithub.com/nodejs/undici/pull/2178)
- build(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2175](https://togithub.com/nodejs/undici/pull/2175)
- test: fix `autoselectfamily` on platforms without IPv6 support by [@LiviaMedeiros](https://togithub.com/LiviaMedeiros) in [https://github.com/nodejs/undici/pull/2197](https://togithub.com/nodejs/undici/pull/2197)
- fix: make multipart/form-data boundary string more consistent by [@LiviaMedeiros](https://togithub.com/LiviaMedeiros) in [https://github.com/nodejs/undici/pull/2196](https://togithub.com/nodejs/undici/pull/2196)
- docs: add proxy agent options docs by [@dancastillo](https://togithub.com/dancastillo) in [https://github.com/nodejs/undici/pull/2193](https://togithub.com/nodejs/undici/pull/2193)
- build(deps): bump github/codeql-action from 2.20.3 to 2.21.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2205](https://togithub.com/nodejs/undici/pull/2205)
- feat: make use of `addAbortListener` where applicable by [@atlowChemi](https://togithub.com/atlowChemi) in [https://github.com/nodejs/undici/pull/2195](https://togithub.com/nodejs/undici/pull/2195)
#### New Contributors
- [@step-security-bot](https://togithub.com/step-security-bot) made their first contribution in [https://github.com/nodejs/undici/pull/2130](https://togithub.com/nodejs/undici/pull/2130)
- [@AugustinMauroy](https://togithub.com/AugustinMauroy) made their first contribution in [https://github.com/nodejs/undici/pull/2141](https://togithub.com/nodejs/undici/pull/2141)
- [@rychkog](https://togithub.com/rychkog) made their first contribution in [https://github.com/nodejs/undici/pull/2159](https://togithub.com/nodejs/undici/pull/2159)
- [@mhdawson](https://togithub.com/mhdawson) made their first contribution in [https://github.com/nodejs/undici/pull/2168](https://togithub.com/nodejs/undici/pull/2168)
- [@GaryWilber](https://togithub.com/GaryWilber) made their first contribution in [https://github.com/nodejs/undici/pull/2188](https://togithub.com/nodejs/undici/pull/2188)
- [@atlowChemi](https://togithub.com/atlowChemi) made their first contribution in [https://github.com/nodejs/undici/pull/2195](https://togithub.com/nodejs/undici/pull/2195)
**Full Changelog**: https://github.com/nodejs/undici/compare/v5.22.1...v5.23.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR has been generated by Mend Renovate. View repository job log here.
This PR contains the following updates:
5.22.1
->5.26.2
GitHub Vulnerability Alerts
CVE-2023-45143
Impact
Undici clears Authorization headers on cross-origin redirects, but does not clear
Cookie
headers. By design,cookie
headers are forbidden request headers, disallowing them to be set inRequestInit.headers
in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.
Patches
This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.
Release Notes
nodejs/undici (undici)
### [`v5.26.2`](https://togithub.com/nodejs/undici/releases/tag/v5.26.2) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.1...v5.26.2) Security Release, CVE-2023-45143. ### [`v5.26.1`](https://togithub.com/nodejs/undici/releases/tag/v5.26.1) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.26.0...v5.26.1) #### What's Changed - Fix publish undici-types once and for all! by [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2338](https://togithub.com/nodejs/undici/pull/2338) - Fix node detection omfg by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2341](https://togithub.com/nodejs/undici/pull/2341) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.26.0...v5.26.1 ### [`v5.26.0`](https://togithub.com/nodejs/undici/releases/tag/v5.26.0) [Compare Source](https://togithub.com/nodejs/undici/compare/5e654f351a9a813fed3e9feff4388b5c4fbda787...v5.26.0) #### What's Changed - use npm install instead of npm ci by [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2309](https://togithub.com/nodejs/undici/pull/2309) - change default header to `node` by [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2310](https://togithub.com/nodejs/undici/pull/2310) - chore: change order of the pseudo-headers by [@kyrylodolynskyi](https://togithub.com/kyrylodolynskyi) in [https://github.com/nodejs/undici/pull/2308](https://togithub.com/nodejs/undici/pull/2308) - fix: Agent.Options.factory should accept URL object or string as parameter by [@nicole0707](https://togithub.com/nicole0707) in [https://github.com/nodejs/undici/pull/2295](https://togithub.com/nodejs/undici/pull/2295) - build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2312](https://togithub.com/nodejs/undici/pull/2312) - test: handle npm ignore-scripts settings by [@panva](https://togithub.com/panva) in [https://github.com/nodejs/undici/pull/2313](https://togithub.com/nodejs/undici/pull/2313) - feat: respect `--max-http-header-size` Node.js flag by [@balazsorban44](https://togithub.com/balazsorban44) in [https://github.com/nodejs/undici/pull/2234](https://togithub.com/nodejs/undici/pull/2234) - fix([#2311](https://togithub.com/nodejs/undici/issues/2311)): End stream after body sent by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2314](https://togithub.com/nodejs/undici/pull/2314) - disallow setting host header in fetch by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2322](https://togithub.com/nodejs/undici/pull/2322) - \[StepSecurity] ci: Harden GitHub Actions by [@step-security-bot](https://togithub.com/step-security-bot) in [https://github.com/nodejs/undici/pull/2325](https://togithub.com/nodejs/undici/pull/2325) - fix fetch with coverage enabled by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2330](https://togithub.com/nodejs/undici/pull/2330) - Fix stuck when using http2 POST Buffer by [@binsee](https://togithub.com/binsee) in [https://github.com/nodejs/undici/pull/2336](https://togithub.com/nodejs/undici/pull/2336) - fix: 🏷️ add allowH2 to BuildOptions by [@binsee](https://togithub.com/binsee) in [https://github.com/nodejs/undici/pull/2334](https://togithub.com/nodejs/undici/pull/2334) - fix: 🐛 fix process http2 header by [@binsee](https://togithub.com/binsee) in [https://github.com/nodejs/undici/pull/2332](https://togithub.com/nodejs/undici/pull/2332) #### New Contributors - [@kyrylodolynskyi](https://togithub.com/kyrylodolynskyi) made their first contribution in [https://github.com/nodejs/undici/pull/2308](https://togithub.com/nodejs/undici/pull/2308) - [@nicole0707](https://togithub.com/nicole0707) made their first contribution in [https://github.com/nodejs/undici/pull/2295](https://togithub.com/nodejs/undici/pull/2295) - [@balazsorban44](https://togithub.com/balazsorban44) made their first contribution in [https://github.com/nodejs/undici/pull/2234](https://togithub.com/nodejs/undici/pull/2234) - [@binsee](https://togithub.com/binsee) made their first contribution in [https://github.com/nodejs/undici/pull/2336](https://togithub.com/nodejs/undici/pull/2336) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.23.4...v5.26.0 ### [`v5.25.4`](https://togithub.com/nodejs/undici/compare/v5.25.3...5e654f351a9a813fed3e9feff4388b5c4fbda787) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.3...5e654f351a9a813fed3e9feff4388b5c4fbda787) ### [`v5.25.3`](https://togithub.com/nodejs/undici/releases/tag/v5.25.3) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.2...v5.25.3) #### What's Changed - perf: improve parse-url implementation by [@anonrig](https://togithub.com/anonrig) in [https://github.com/nodejs/undici/pull/2286](https://togithub.com/nodejs/undici/pull/2286) - test: enable websockets inclusion in WPTReport by [@panva](https://togithub.com/panva) in [https://github.com/nodejs/undici/pull/2284](https://togithub.com/nodejs/undici/pull/2284) - remove npm run test from pre-commit hook by [@dancastillo](https://togithub.com/dancastillo) in [https://github.com/nodejs/undici/pull/2296](https://togithub.com/nodejs/undici/pull/2296) - perf: use [@fastify/busboy](https://togithub.com/fastify/busboy) by [@gurgunday](https://togithub.com/gurgunday) in [https://github.com/nodejs/undici/pull/2211](https://togithub.com/nodejs/undici/pull/2211) - Disable finalizationregistry if node code cov by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2298](https://togithub.com/nodejs/undici/pull/2298) #### New Contributors - [@gurgunday](https://togithub.com/gurgunday) made their first contribution in [https://github.com/nodejs/undici/pull/2211](https://togithub.com/nodejs/undici/pull/2211) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.25.2...v5.25.3 ### [`v5.25.2`](https://togithub.com/nodejs/undici/releases/tag/v5.25.2) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.1...v5.25.2) #### What's Changed - Add Khaf to releasers by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2276](https://togithub.com/nodejs/undici/pull/2276) - fix: fix request with readable mode is object by [@killagu](https://togithub.com/killagu) in [https://github.com/nodejs/undici/pull/2279](https://togithub.com/nodejs/undici/pull/2279) - fix loading websockets when node is built w/ --without-ssl by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2282](https://togithub.com/nodejs/undici/pull/2282) #### New Contributors - [@killagu](https://togithub.com/killagu) made their first contribution in [https://github.com/nodejs/undici/pull/2279](https://togithub.com/nodejs/undici/pull/2279) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.25.1...v5.25.2 ### [`v5.25.1`](https://togithub.com/nodejs/undici/releases/tag/v5.25.1) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.25.0...v5.25.1) #### What's Changed - Add publish types script by [@Ethan-Arrowood](https://togithub.com/Ethan-Arrowood) in [https://github.com/nodejs/undici/pull/2273](https://togithub.com/nodejs/undici/pull/2273) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.25.0...v5.25.1 ### [`v5.25.0`](https://togithub.com/nodejs/undici/releases/tag/v5.25.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.24.0...v5.25.0) #### What's Changed - fix: h2 without body by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2258](https://togithub.com/nodejs/undici/pull/2258) - ci: remove duplicated runs by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2265](https://togithub.com/nodejs/undici/pull/2265) - improve documentation of timeouts by making the units clear in all places by [@mcfedr](https://togithub.com/mcfedr) in [https://github.com/nodejs/undici/pull/2266](https://togithub.com/nodejs/undici/pull/2266) - expose websocket in node bundle by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2217](https://togithub.com/nodejs/undici/pull/2217) - test: fix Fetch/HTTP2 tests by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2263](https://togithub.com/nodejs/undici/pull/2263) - fix undici when node is built with --without-ssl by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2272](https://togithub.com/nodejs/undici/pull/2272) - fix: Fix type definition for Client Interceptors by [@ComradeCow](https://togithub.com/ComradeCow) in [https://github.com/nodejs/undici/pull/2269](https://togithub.com/nodejs/undici/pull/2269) - Fix http2 agent by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2275](https://togithub.com/nodejs/undici/pull/2275) #### New Contributors - [@ComradeCow](https://togithub.com/ComradeCow) made their first contribution in [https://github.com/nodejs/undici/pull/2269](https://togithub.com/nodejs/undici/pull/2269) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.24.0...v5.25.0 ### [`v5.24.0`](https://togithub.com/nodejs/undici/releases/tag/v5.24.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.23.0...v5.24.0) #### Notable Changes - feat: Add H2 support by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2061](https://togithub.com/nodejs/undici/pull/2061) #### What's Changed - build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2203](https://togithub.com/nodejs/undici/pull/2203) - better stack trace for body.json by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2215](https://togithub.com/nodejs/undici/pull/2215) - allow http & https websocket urls by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2218](https://togithub.com/nodejs/undici/pull/2218) - build(deps-dev): bump [@sinonjs/fake-timers](https://togithub.com/sinonjs/fake-timers) from 10.3.0 to 11.1.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2221](https://togithub.com/nodejs/undici/pull/2221) - fix: pass ProxyAgent proxy status code error by [@NBNGaming](https://togithub.com/NBNGaming) in [https://github.com/nodejs/undici/pull/2162](https://togithub.com/nodejs/undici/pull/2162) - fix failing test by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2223](https://togithub.com/nodejs/undici/pull/2223) - docs: update MockPool.md intercept method description by [@capaj](https://togithub.com/capaj) in [https://github.com/nodejs/undici/pull/2220](https://togithub.com/nodejs/undici/pull/2220) - Update wpts by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2226](https://togithub.com/nodejs/undici/pull/2226) - build(deps): bump github/codeql-action from 2.21.2 to 2.21.5 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2240](https://togithub.com/nodejs/undici/pull/2240) - build(deps): bump actions/setup-node from 3.6.0 to 3.8.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2237](https://togithub.com/nodejs/undici/pull/2237) - build(deps): bump fastify/github-action-merge-dependabot from 3.9.0 to 3.9.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2236](https://togithub.com/nodejs/undici/pull/2236) - build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2241](https://togithub.com/nodejs/undici/pull/2241) - build(deps): bump actions/dependency-review-action from 3.0.6 to 3.0.8 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2238](https://togithub.com/nodejs/undici/pull/2238) - fix: aborting request with non-object error by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2243](https://togithub.com/nodejs/undici/pull/2243) - fix: preserve file path when parsing formdata by [@jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/nodejs/undici/pull/2245](https://togithub.com/nodejs/undici/pull/2245) - build(deps-dev): bump tsd from 0.28.1 to 0.29.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2246](https://togithub.com/nodejs/undici/pull/2246) - Updated benchmarks by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2250](https://togithub.com/nodejs/undici/pull/2250) - Fix fetch in node v20.6.0 by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2251](https://togithub.com/nodejs/undici/pull/2251) - Maybe fix v20 by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2252](https://togithub.com/nodejs/undici/pull/2252) - feat: Add H2 support by [@metcoder95](https://togithub.com/metcoder95) in [https://github.com/nodejs/undici/pull/2061](https://togithub.com/nodejs/undici/pull/2061) - docs: fix tables in README by [@regseb](https://togithub.com/regseb) in [https://github.com/nodejs/undici/pull/2254](https://togithub.com/nodejs/undici/pull/2254) - Fix http2 fetch test by [@mcollina](https://togithub.com/mcollina) in [https://github.com/nodejs/undici/pull/2253](https://togithub.com/nodejs/undici/pull/2253) #### New Contributors - [@NBNGaming](https://togithub.com/NBNGaming) made their first contribution in [https://github.com/nodejs/undici/pull/2162](https://togithub.com/nodejs/undici/pull/2162) - [@capaj](https://togithub.com/capaj) made their first contribution in [https://github.com/nodejs/undici/pull/2220](https://togithub.com/nodejs/undici/pull/2220) - [@regseb](https://togithub.com/regseb) made their first contribution in [https://github.com/nodejs/undici/pull/2254](https://togithub.com/nodejs/undici/pull/2254) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.23.0...v5.24.0 ### [`v5.23.0`](https://togithub.com/nodejs/undici/releases/tag/v5.23.0) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.22.1...v5.23.0) #### What's Changed - bump engines to node >= 16 by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/2119](https://togithub.com/nodejs/undici/pull/2119) - Revert "bump engines to node >= 16 ([#2119](https://togithub.com/nodejs/undici/issues/2119))" by [@ronag](https://togithub.com/ronag) in [https://github.com/nodejs/undici/pull/2121](https://togithub.com/nodejs/undici/pull/2121) - fetch: set referrer properly by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2125](https://togithub.com/nodejs/undici/pull/2125) - fix: support truncated gzip by [@jimmywarting](https://togithub.com/jimmywarting) in [https://github.com/nodejs/undici/pull/2126](https://togithub.com/nodejs/undici/pull/2126) - workflow: apply security best practices by [@step-security-bot](https://togithub.com/step-security-bot) in [https://github.com/nodejs/undici/pull/2130](https://togithub.com/nodejs/undici/pull/2130) - build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2135](https://togithub.com/nodejs/undici/pull/2135) - build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2133](https://togithub.com/nodejs/undici/pull/2133) - build(deps): bump node from 18-alpine to 20-alpine in /build by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2131](https://togithub.com/nodejs/undici/pull/2131) - build(deps): bump pkgjs/action from 0.1.6 to 0.1.7 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2136](https://togithub.com/nodejs/undici/pull/2136) - build(deps): bump actions/checkout from 3.1.0 to 3.5.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2132](https://togithub.com/nodejs/undici/pull/2132) - build(deps-dev): bump jsdom from 21.1.2 to 22.1.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2142](https://togithub.com/nodejs/undici/pull/2142) - build(deps): bump fastify/github-action-merge-dependabot from 3.7.0 to 3.8.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2148](https://togithub.com/nodejs/undici/pull/2148) - fix(pr): use correct pr template file by [@AugustinMauroy](https://togithub.com/AugustinMauroy) in [https://github.com/nodejs/undici/pull/2141](https://togithub.com/nodejs/undici/pull/2141) - Additional WebSocket send tests to cover all payload size categories by [@jawj](https://togithub.com/jawj) in [https://github.com/nodejs/undici/pull/2149](https://togithub.com/nodejs/undici/pull/2149) - fix: reverse decompression order of "Content-Encoding" encodings (fixes [#2158](https://togithub.com/nodejs/undici/issues/2158)) by [@rychkog](https://togithub.com/rychkog) in [https://github.com/nodejs/undici/pull/2159](https://togithub.com/nodejs/undici/pull/2159) - fix: keep running WPTs if a test times out by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2165](https://togithub.com/nodejs/undici/pull/2165) - feat: add build environment info by [@mhdawson](https://togithub.com/mhdawson) in [https://github.com/nodejs/undici/pull/2168](https://togithub.com/nodejs/undici/pull/2168) - fix: forward error reason to fetch controller by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2172](https://togithub.com/nodejs/undici/pull/2172) - stricter types for bodymixin.json by [@KhafraDev](https://togithub.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2181](https://togithub.com/nodejs/undici/pull/2181) - chore: Renable autoSelectFamily tests. by [@ShogunPanda](https://togithub.com/ShogunPanda) in [https://github.com/nodejs/undici/pull/2180](https://togithub.com/nodejs/undici/pull/2180) - build(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2147](https://togithub.com/nodejs/undici/pull/2147) - build(deps): bump github/codeql-action from 2.3.2 to 2.20.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2185](https://togithub.com/nodejs/undici/pull/2185) - fix: fetch resource timing performance entry names should be strings by [@GaryWilber](https://togithub.com/GaryWilber) in [https://github.com/nodejs/undici/pull/2188](https://togithub.com/nodejs/undici/pull/2188) - build(deps): bump actions/checkout from 3.5.2 to 3.5.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2176](https://togithub.com/nodejs/undici/pull/2176) - build(deps): bump fastify/github-action-merge-dependabot from 3.8.0 to 3.9.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2177](https://togithub.com/nodejs/undici/pull/2177) - build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2178](https://togithub.com/nodejs/undici/pull/2178) - build(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2175](https://togithub.com/nodejs/undici/pull/2175) - test: fix `autoselectfamily` on platforms without IPv6 support by [@LiviaMedeiros](https://togithub.com/LiviaMedeiros) in [https://github.com/nodejs/undici/pull/2197](https://togithub.com/nodejs/undici/pull/2197) - fix: make multipart/form-data boundary string more consistent by [@LiviaMedeiros](https://togithub.com/LiviaMedeiros) in [https://github.com/nodejs/undici/pull/2196](https://togithub.com/nodejs/undici/pull/2196) - docs: add proxy agent options docs by [@dancastillo](https://togithub.com/dancastillo) in [https://github.com/nodejs/undici/pull/2193](https://togithub.com/nodejs/undici/pull/2193) - build(deps): bump github/codeql-action from 2.20.3 to 2.21.2 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/nodejs/undici/pull/2205](https://togithub.com/nodejs/undici/pull/2205) - feat: make use of `addAbortListener` where applicable by [@atlowChemi](https://togithub.com/atlowChemi) in [https://github.com/nodejs/undici/pull/2195](https://togithub.com/nodejs/undici/pull/2195) #### New Contributors - [@step-security-bot](https://togithub.com/step-security-bot) made their first contribution in [https://github.com/nodejs/undici/pull/2130](https://togithub.com/nodejs/undici/pull/2130) - [@AugustinMauroy](https://togithub.com/AugustinMauroy) made their first contribution in [https://github.com/nodejs/undici/pull/2141](https://togithub.com/nodejs/undici/pull/2141) - [@rychkog](https://togithub.com/rychkog) made their first contribution in [https://github.com/nodejs/undici/pull/2159](https://togithub.com/nodejs/undici/pull/2159) - [@mhdawson](https://togithub.com/mhdawson) made their first contribution in [https://github.com/nodejs/undici/pull/2168](https://togithub.com/nodejs/undici/pull/2168) - [@GaryWilber](https://togithub.com/GaryWilber) made their first contribution in [https://github.com/nodejs/undici/pull/2188](https://togithub.com/nodejs/undici/pull/2188) - [@atlowChemi](https://togithub.com/atlowChemi) made their first contribution in [https://github.com/nodejs/undici/pull/2195](https://togithub.com/nodejs/undici/pull/2195) **Full Changelog**: https://github.com/nodejs/undici/compare/v5.22.1...v5.23.0Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.