fix(deps): update dependency undici to v5.28.4 [security] - autoclosed

renovate[bot] commented 7 months ago

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	`5.28.2` -> `5.28.4`

GitHub Vulnerability Alerts

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

Impact

If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered.

Patches

Fixed in https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3. Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

Ensure that integrity cannot be tampered with.

References

https://hackerone.com/reports/2377760

Impact

Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request().

Patches

This has been patched in https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75. Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

use fetch() or disable maxRedirections.

References

Linzi Shang reported this.

Release Notes

nodejs/undici (undici)

### [`v5.28.4`](https://togithub.com/nodejs/undici/releases/tag/v5.28.4) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.28.3...v5.28.4) #### :warning: Security Release :warning: **Full Changelog**: https://github.com/nodejs/undici/compare/v6.11.0...v5.28.4 ### [`v5.28.3`](https://togithub.com/nodejs/undici/releases/tag/v5.28.3) [Compare Source](https://togithub.com/nodejs/undici/compare/v5.28.2...v5.28.3) #### ⚠️ Security Release ⚠️ Details on the vulnerabilities fixed will be shared in the next couple of days. **Full Changelog**: https://github.com/nodejs/undici/compare/v5.28.2...v5.28.3