Update dependency undici to v5.19.1 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	5.14.0 -> 5.19.1

GitHub Vulnerability Alerts

CVE-2023-23936

Impact

undici library does not protect host HTTP header from CRLF injection vulnerabilities.

Patches

This issue was patched in Undici v5.19.1.

Workarounds

Sanitize the headers.host string before passing to undici.

References

Reported at https://hackerone.com/reports/1820955.

Credits

Thank you to Zhipeng Zhang (@​timon8) for reporting this vulnerability.

---

Release Notes

nodejs/undici (undici)

v5.19.1

Compare Source

⚠️ Security Release ⚠️

• Regular Expression Denial of Service in Headers with CVE-2023-24807
• CRLF Injection in Nodejs ‘undici’ via host with CVE-2023-23936

This release is part of the Node.js security release train: https://nodejs.org/en/blog/vulnerability/february-2023-security-releases/

v5.19.0

Compare Source

What's Changed

• fix(fetch): raise AbortSignal max event listeners by @​KhafraDev in https://github.com/nodejs/undici/pull/1910
• fix: content-disposition header parsing by @​climba03003 in https://github.com/nodejs/undici/pull/1911
• fix: remove test by @​KhafraDev in https://github.com/nodejs/undici/pull/1916
• feat: add Headers.prototype.getSetCookie by @​KhafraDev in https://github.com/nodejs/undici/pull/1915
• fix(headers): clone getSetCookie list & add getSetCookie type by @​KhafraDev in https://github.com/nodejs/undici/pull/1917
• doc(mock): update out-of-date reply documentation by @​p9f in https://github.com/nodejs/undici/pull/1913
• fix(types): add missing keepAlive params by @​SkeLLLa in https://github.com/nodejs/undici/pull/1918
• Make the fetch() abort test pass locally, on Linux and Mac, Node 18/19. by @​mcollina in https://github.com/nodejs/undici/pull/1927

New Contributors

• @​climba03003 made their first contribution in https://github.com/nodejs/undici/pull/1911
• @​p9f made their first contribution in https://github.com/nodejs/undici/pull/1913

Full Changelog: nodejs/undici@v5.18.0...v5.19.0

v5.18.0

Compare Source

What's Changed

• Add ability to set TCP keepalive by @​xconverge in https://github.com/nodejs/undici/pull/1904
• use faster timers by @​ronag in https://github.com/nodejs/undici/pull/1908
• fix: ensure header value is a string by @​ronag in https://github.com/nodejs/undici/pull/1899

Full Changelog: nodejs/undici@v5.17.1...v5.18.0

v5.17.1

Compare Source

What's Changed

• fix: bad buffer slice (nodejs/undici@d2be675)

Full Changelog: nodejs/undici@v5.17.0...v5.17.1

v5.17.0

Compare Source

What's Changed

• fix(wpts): Blob is a global getter in >=v19.x.x by @​KhafraDev in https://github.com/nodejs/undici/pull/1880
• doc: fix anchor links dispatcher.stream by @​RafaelGSS in https://github.com/nodejs/undici/pull/1881
• wpt: make runner more resilient by @​KhafraDev in https://github.com/nodejs/undici/pull/1884
• Make test pass in v19.x by @​mcollina in https://github.com/nodejs/undici/pull/1879
• Correct the type of DispatchOptions["headers"] by @​pan93412 in https://github.com/nodejs/undici/pull/1896
• perf(content-type parser): faster string collector by @​KhafraDev in https://github.com/nodejs/undici/pull/1894
• feat: expose content-type parser by @​KhafraDev in https://github.com/nodejs/undici/pull/1895
• fix(types): Update DispatchOptions type for missing "blocking" by @​xconverge in https://github.com/nodejs/undici/pull/1889
• fix(types): update error type definitions by @​rafaelcr in https://github.com/nodejs/undici/pull/1888
• fix: ensure connection header is a string by @​ronag in https://github.com/nodejs/undici/pull/1900
• fix: throw if invalid content-type header by @​ronag in https://github.com/nodejs/undici/pull/1901
• fix(fetch): use semicolon for Cookie header delimiter by @​KhafraDev in https://github.com/nodejs/undici/pull/1906
• Use FastBuffer by @​ronag in https://github.com/nodejs/undici/pull/1907

New Contributors

• @​pan93412 made their first contribution in https://github.com/nodejs/undici/pull/1896
• @​rafaelcr made their first contribution in https://github.com/nodejs/undici/pull/1888

Full Changelog: nodejs/undici@v5.16.0...v5.17.0

v5.16.0

Compare Source

What's Changed

• Add feature to specify custom headers for proxies by @​Sebmaster in https://github.com/nodejs/undici/pull/1877

New Contributors

• @​Sebmaster made their first contribution in https://github.com/nodejs/undici/pull/1877

Full Changelog: nodejs/undici@v5.15.2...v5.16.0

v5.15.2

Compare Source

v5.15.1

Compare Source

What's Changed

• fix(websocket): simplify typedarray copying by @​KhafraDev in https://github.com/nodejs/undici/pull/1854
• fix: wpts on node v18.13.0+ by @​KhafraDev in https://github.com/nodejs/undici/pull/1859
• perf: allow keep alive for HEAD requests by @​ronag in https://github.com/nodejs/undici/pull/1858
• fix: flaky abort test by @​KhafraDev in https://github.com/nodejs/undici/pull/1863

Full Changelog: nodejs/undici@v5.15.0...v5.15.1

v5.15.0

Compare Source

What's Changed

• [types] update ProxyAgent Options (timeout) by @​sosoba in https://github.com/nodejs/undici/pull/1801
• feat: implement websockets by @​KhafraDev in https://github.com/nodejs/undici/pull/1795
• feat(websocket): handle ping/pong frames & fix fragmented frames by @​KhafraDev in https://github.com/nodejs/undici/pull/1809
• docs: add basic fetch & company docs by @​KhafraDev in https://github.com/nodejs/undici/pull/1810
• make formdata body immutable and encode it only once by @​jimmywarting in https://github.com/nodejs/undici/pull/1814
• test: add regression test for #​1814 by @​KhafraDev in https://github.com/nodejs/undici/pull/1815
• feat(websocket): only consume necessary bytes by @​KhafraDev in https://github.com/nodejs/undici/pull/1812
• websocket: use Buffer.allocUnsafe by @​KhafraDev in https://github.com/nodejs/undici/pull/1817
• build(deps-dev): bump @​sinonjs/fake-timers from 9.1.2 to 10.0.2 by @​dependabot in https://github.com/nodejs/undici/pull/1819
• fix(websocket): deprecation warning & 64-bit unsigned int body length by @​KhafraDev in https://github.com/nodejs/undici/pull/1818
• Use nodejs.stream.destroyed symbol by @​ronag in https://github.com/nodejs/undici/pull/1816
• fetch: removal of redundant condition by @​debadree25 in https://github.com/nodejs/undici/pull/1821
• fix(request): request headers array by @​jd-carroll in https://github.com/nodejs/undici/pull/1807
• fix(websocket): validate payload length received by @​KhafraDev in https://github.com/nodejs/undici/pull/1822
• fix(websocket): run parser in loop, instead of recursively by @​KhafraDev in https://github.com/nodejs/undici/pull/1828
• fix(fetch): weaker refs by @​ronag in https://github.com/nodejs/undici/pull/1824
• websocket: add tests for opening handshake by @​KhafraDev in https://github.com/nodejs/undici/pull/1831
• websocket: add tests for constructor, close, and send by @​KhafraDev in https://github.com/nodejs/undici/pull/1832
• websocket: more test coverage by @​KhafraDev in https://github.com/nodejs/undici/pull/1833
• fix(WPTs): flaky abort test by @​KhafraDev in https://github.com/nodejs/undici/pull/1835
• wpt: add test by @​KhafraDev in https://github.com/nodejs/undici/pull/1836
• fix: don't send keep-alive if we want reset by @​ronag in https://github.com/nodejs/undici/pull/1846
• fetch: update body consume to match spec by @​KhafraDev in https://github.com/nodejs/undici/pull/1847
• feat: allow connection header in request by @​metcoder95 in https://github.com/nodejs/undici/pull/1829
• feat: add cookie parsing ability by @​KhafraDev in https://github.com/nodejs/undici/pull/1848
• fix(cookie): add docs & expose in node v16 by @​KhafraDev in https://github.com/nodejs/undici/pull/1849
• fix(cookies): work with global Headers by @​KhafraDev in https://github.com/nodejs/undici/pull/1850
• docs(Dispatcher): adjust documentation for reset flag by @​metcoder95 in https://github.com/nodejs/undici/pull/1852
• Fix broken interceptor test by @​mcollina in https://github.com/nodejs/undici/pull/1853

New Contributors

• @​sosoba made their first contribution in https://github.com/nodejs/undici/pull/1801
• @​debadree25 made their first contribution in https://github.com/nodejs/undici/pull/1821
• @​jd-carroll made their first contribution in https://github.com/nodejs/undici/pull/1807

Full Changelog: nodejs/undici@v5.14.0...v5.15.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: ff03b1d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR