chore(deps): update dependency undici to v6.6.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	6.0.0 -> 6.6.1

GitHub Vulnerability Alerts

CVE-2024-24750

Impact

Calling fetch(url) and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak.

Patches

Patched in v6.6.1

Workarounds

Make sure to always consume the incoming body.

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

• https://fetch.spec.whatwg.org/#authentication-entries
• GHSA-wqq4-5wpv-mx2g

---

Release Notes

nodejs/undici (undici)

v6.6.1

Compare Source

⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

What's Changed

• fix: flaky debug test by @​Uzlopak in https://github.com/nodejs/undici/pull/2687
• build(deps): bump github/codeql-action from 3.22.12 to 3.23.2 by @​dependabot in https://github.com/nodejs/undici/pull/2688
• build(deps): bump actions/dependency-review-action from 3.1.0 to 4.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/2689
• fix: ci pipeline warnings by @​Uzlopak in https://github.com/nodejs/undici/pull/2685
• perf: optimize Iterator by @​tsctx in https://github.com/nodejs/undici/pull/2692

Full Changelog: nodejs/undici@v6.6.0...v6.6.1

v6.6.0

Compare Source

What's Changed

• add webSocket example by @​mertcanaltin in https://github.com/nodejs/undici/pull/2626
• chore: remove atomic-sleep as dev dependency by @​Uzlopak in https://github.com/nodejs/undici/pull/2648
• chore: remove semver as dev dependency by @​Uzlopak in https://github.com/nodejs/undici/pull/2646
• chore: remove table as dev dependency by @​Uzlopak in https://github.com/nodejs/undici/pull/2649
• chore: remove delay as dev dependency by @​Uzlopak in https://github.com/nodejs/undici/pull/2647
• chore: reduce noise in test-logs test/issue-2349.js by @​Uzlopak in https://github.com/nodejs/undici/pull/2655
• chore: fix faketimer warning in test/request-timeout.js by @​Uzlopak in https://github.com/nodejs/undici/pull/2656
• chore: reduce noise in test logs test/client-node-max-header-size.js by @​Uzlopak in https://github.com/nodejs/undici/pull/2654
• refactor: use fromInnerResponse by @​tsctx in https://github.com/nodejs/undici/pull/2635
• fix: support deflate raw responses by @​Uzlopak in https://github.com/nodejs/undici/pull/2650
• Support building for externally shared js builtins by @​mochaaP in https://github.com/nodejs/undici/pull/2643
• fix: typo clampAndCoarsenConnectionTimingInfo by @​Uzlopak in https://github.com/nodejs/undici/pull/2653
• chore: use 'node:'-prefix for requiring node core modules by @​Uzlopak in https://github.com/nodejs/undici/pull/2662
• build(deps-dev): bump husky from 8.0.3 to 9.0.7 by @​dependabot in https://github.com/nodejs/undici/pull/2667
• build(deps-dev): bump cronometro from 1.2.0 to 2.0.2 by @​dependabot in https://github.com/nodejs/undici/pull/2668
• remove timers/promises import by @​KhafraDev in https://github.com/nodejs/undici/pull/2665
• chore: fix various codesmells by @​Uzlopak in https://github.com/nodejs/undici/pull/2669
• chore: remove this alias in agent.js by @​Uzlopak in https://github.com/nodejs/undici/pull/2671
• chore: use optional chaining by @​Uzlopak in https://github.com/nodejs/undici/pull/2666
• chore: small perf improvements by @​Uzlopak in https://github.com/nodejs/undici/pull/2661
• implement spec changes from a while ago by @​KhafraDev in https://github.com/nodejs/undici/pull/2676
• websocket: fix close when no closing code is received by @​KhafraDev in https://github.com/nodejs/undici/pull/2680
• fix: make ci less flaky by @​Uzlopak in https://github.com/nodejs/undici/pull/2684

New Contributors

• @​mochaaP made their first contribution in https://github.com/nodejs/undici/pull/2643

Full Changelog: nodejs/undici@v6.5.0...v6.6.0

v6.5.0

Compare Source

What's Changed

• build(deps-dev): bump jsdom from 23.2.0 to 24.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/2632
• feat: Implement EventSource by @​Uzlopak in https://github.com/nodejs/undici/pull/2608
• fix: readable body by @​ronag in https://github.com/nodejs/undici/pull/2642

Full Changelog: nodejs/undici@v6.4.0...v6.5.0

v6.4.0

Compare Source

What's Changed

• refactor: version cleanup by @​tsctx in https://github.com/nodejs/undici/pull/2605
• cacheStorage: separate matchAll logic by @​KhafraDev in https://github.com/nodejs/undici/pull/2599
• cleanup index by @​KhafraDev in https://github.com/nodejs/undici/pull/2598
• feat: port balanced-pool, ca-fingerprint, client-abort tests to node:test by @​sosukesuzuki in https://github.com/nodejs/undici/pull/2584
• ci: unpin nodejs workflow version by @​dominykas in https://github.com/nodejs/undici/pull/2434
• test(#​2600): Flaky debug test by @​metcoder95 in https://github.com/nodejs/undici/pull/2607
• fix: h2 hang issue with empty body by @​timursevimli in https://github.com/nodejs/undici/pull/2601
• Fix tests for Node.js v21 by @​sosukesuzuki in https://github.com/nodejs/undici/pull/2609
• perf(cache): avoid Request and Response initialization by @​tsctx in https://github.com/nodejs/undici/pull/2610
• Add more libraries to benchmarks by @​mcollina in https://github.com/nodejs/undici/pull/2614
• feat: port client-connect, client-dispatch, client-errors test to node:test by @​sosukesuzuki in https://github.com/nodejs/undici/pull/2591
• exit with 1 if WPT runner has unexpected errors by @​KhafraDev in https://github.com/nodejs/undici/pull/2621
• Fix tests for Node.js v20.11.0 by @​mcollina in https://github.com/nodejs/undici/pull/2618
• fix(mock-agent): split set-cookie by @​tsctx in https://github.com/nodejs/undici/pull/2619
• feat: implement throwOnMaxRedirect option for RedirectHandler by @​mertcanaltin in https://github.com/nodejs/undici/pull/2563
• test: fix flaky debug test by @​metcoder95 in https://github.com/nodejs/undici/pull/2613
• fix: hide statusOutput if empty in handleRunnerCompletion by @​Uzlopak in https://github.com/nodejs/undici/pull/2624
• docs: Fix typo in Debug.md by @​Skn0tt in https://github.com/nodejs/undici/pull/2625
• fix(cache): set AbortSignal by @​tsctx in https://github.com/nodejs/undici/pull/2612
• Use correct http Agent for node-fetch, axios, got and request by @​mcollina in https://github.com/nodejs/undici/pull/2629

New Contributors

• @​timursevimli made their first contribution in https://github.com/nodejs/undici/pull/2601
• @​mertcanaltin made their first contribution in https://github.com/nodejs/undici/pull/2563
• @​Skn0tt made their first contribution in https://github.com/nodejs/undici/pull/2625

Full Changelog: nodejs/undici@v6.3.0...v6.4.0

v6.3.0

Compare Source

What's Changed

• Clear all timeout on destroy and close by @​mcollina in https://github.com/nodejs/undici/pull/2535
• ConnectOptions should include 'origin' field by @​dvoytenko in https://github.com/nodejs/undici/pull/2532
• perf: avoid toLowerCase call by @​tsctx in https://github.com/nodejs/undici/pull/2537
• revert a1a8136 by @​KhafraDev in https://github.com/nodejs/undici/pull/2539
• docs: add Util to sidebar by @​tsctx in https://github.com/nodejs/undici/pull/2529
• fix: call explicitly unregister by @​tsctx in https://github.com/nodejs/undici/pull/2534
• fix: check the content-type of invalid formData by @​tsctx in https://github.com/nodejs/undici/pull/2541
• Add request examples. by @​autopulated in https://github.com/nodejs/undici/pull/2380
• fix(HTTP/2): handle consumption of aborted request by @​metcoder95 in https://github.com/nodejs/undici/pull/2387
• chore: update tst test by @​tsctx in https://github.com/nodejs/undici/pull/2538
• fix(fetch): do not abort fetch on redirect by @​angelyan in https://github.com/nodejs/undici/pull/2545
• drop verifyVersion in scripts by @​KhafraDev in https://github.com/nodejs/undici/pull/2549
• types: remove unused Client and Pool types by @​RafaelGSS in https://github.com/nodejs/undici/pull/2557
• lib: fix Host header when CONNECT ProxyAgent by @​RafaelGSS in https://github.com/nodejs/undici/pull/2556
• feat: port cookies tests to node runner by @​pmarchini in https://github.com/nodejs/undici/pull/2547
• feat: port webidl tests to node test runner by @​ilteoood in https://github.com/nodejs/undici/pull/2554
• perf: Improve percentDecode by @​tsctx in https://github.com/nodejs/undici/pull/2562
• Fix parseHashWithOptions regex by @​flapenna in https://github.com/nodejs/undici/pull/2561
• feat: port diagnostic-channel tests to node test runner by @​ilteoood in https://github.com/nodejs/undici/pull/2559
• feat: port websocket tests to node test runner by @​ilteoood in https://github.com/nodejs/undici/pull/2553
• build(deps-dev): bump tsd from 0.29.0 to 0.30.1 by @​dependabot in https://github.com/nodejs/undici/pull/2551
• build(deps): bump actions/setup-node from 4.0.0 to 4.0.1 by @​dependabot in https://github.com/nodejs/undici/pull/2572
• build(deps): bump github/codeql-action from 2.22.5 to 3.22.12 by @​dependabot in https://github.com/nodejs/undici/pull/2574
• Update @matteo.collina/tspl to 0.1.1 by @​sosukesuzuki in https://github.com/nodejs/undici/pull/2576
• mark wpt as failing by @​KhafraDev in https://github.com/nodejs/undici/pull/2581
• feat: port abort-controller.js tests to node:test runner by @​sosukesuzuki in https://github.com/nodejs/undici/pull/2564
• fix data url test by @​KhafraDev in https://github.com/nodejs/undici/pull/2580
• feat: port async_hooks.js tests to node:test runner by @​sosukesuzuki in https://github.com/nodejs/undici/pull/2568
• feat: port agent.js tests to node:test runner by @​sosukesuzuki in https://github.com/nodejs/undici/pull/2566
• feat: port abort-event-emitter.js tests to node:test runnner by @​sosukesuzuki in https://github.com/nodejs/undici/pull/2565
• feat: port first half of fetch tests to node test runner by @​anurag-roy in https://github.com/nodejs/undici/pull/2569
• perf: bypass method validation by @​tsctx in https://github.com/nodejs/undici/pull/2583
• fetch: warn when using patch method by @​KhafraDev in https://github.com/nodejs/undici/pull/2577
• feat: port autoselectfamily.js tests to node:test runner by @​sosukesuzuki in https://github.com/nodejs/undici/pull/2570
• feat: port remaining fetch tests to node test runner by @​anurag-roy in https://github.com/nodejs/undici/pull/2587
• fix: use isArrayBuffer instead of isAnyArrayBuffer by @​tsctx in https://github.com/nodejs/undici/pull/2586
• Feat/migrate tests to node runner by @​pmarchini in https://github.com/nodejs/undici/pull/2593
• abort request with reason if one is provided by @​KhafraDev in https://github.com/nodejs/undici/pull/2592
• feat: port tst test to node test runner by @​tsctx in https://github.com/nodejs/undici/pull/2595
• feat(#​2191): Add support for NODE_DEBUG by @​metcoder95 in https://github.com/nodejs/undici/pull/2585
• cacheStorage: fix bugs make wpts pass by @​KhafraDev in https://github.com/nodejs/undici/pull/2596
• fix: non-object error in abort throws bad error by @​atlowChemi in https://github.com/nodejs/undici/pull/2597
• fix: add test helper for closing server as promise by @​sosukesuzuki in https://github.com/nodejs/undici/pull/2604

New Contributors

• @​dvoytenko made their first contribution in https://github.com/nodejs/undici/pull/2532
• @​autopulated made their first contribution in https://github.com/nodejs/undici/pull/2380
• @​angelyan made their first contribution in https://github.com/nodejs/undici/pull/2545
• @​pmarchini made their first contribution in https://github.com/nodejs/undici/pull/2547
• @​ilteoood made their first contribution in https://github.com/nodejs/undici/pull/2554
• @​flapenna made their first contribution in https://github.com/nodejs/undici/pull/2561
• @​sosukesuzuki made their first contribution in https://github.com/nodejs/undici/pull/2576
• @​anurag-roy made their first contribution in https://github.com/nodejs/undici/pull/2569

Full Changelog: nodejs/undici@v6.2.1...v6.3.0

v6.2.1

Compare Source

What's Changed

• perf: use tree by @​tsctx in https://github.com/nodejs/undici/pull/2528
• chore: reduce dependencies by @​tsctx in https://github.com/nodejs/undici/pull/2533
• Remove timers in agent.js by @​mcollina in https://github.com/nodejs/undici/pull/2536

Full Changelog: nodejs/undici@v6.2.0...v6.2.1

v6.2.0

Compare Source

What's Changed

• Remove FinalizationRegistry from Agent by @​mcollina in https://github.com/nodejs/undici/pull/2530

Full Changelog: nodejs/undici@v6.1.0...v6.2.0

v6.1.0

Compare Source

What's Changed

• fix: more sensible stack trace from dump error by @​ronag in https://github.com/nodejs/undici/pull/2503
• refactor: remove some node compat by @​ronag in https://github.com/nodejs/undici/pull/2502
• refactor: version cleanup by @​tsctx in https://github.com/nodejs/undici/pull/2507
• perf(fetch): Improve fetch of detaurl by @​tsctx in https://github.com/nodejs/undici/pull/2479
• feat: expose parseHeader by @​ronag in https://github.com/nodejs/undici/pull/2511
• perf(fetch): optimize call dispatch by @​tsctx in https://github.com/nodejs/undici/pull/2493
• perf(util/parseHeaders): If the header name is buffer by @​tsctx in https://github.com/nodejs/undici/pull/2501
• perf: twice faster method check by @​tsctx in https://github.com/nodejs/undici/pull/2495
• refactor: remove Error.captureStackTrace by @​tsctx in https://github.com/nodejs/undici/pull/2509
• perf: Improve processHeader by @​tsctx in https://github.com/nodejs/undici/pull/2513
• perf: reduce String#toLowerCase call by @​tsctx in https://github.com/nodejs/undici/pull/2516
• perf: optimize consumeEnd by @​tsctx in https://github.com/nodejs/undici/pull/2510
• perf: reduce tst built time by @​tsctx in https://github.com/nodejs/undici/pull/2517
• feat: allow customization of build environment by @​khardix in https://github.com/nodejs/undici/pull/2403
• fix: clear cache by @​tsctx in https://github.com/nodejs/undici/pull/2519
• feat: Add resource timing entries for connection, request and response by @​ToshB in https://github.com/nodejs/undici/pull/2481
• Call fg.unregister() after a dispatcher is done, adds UNDICI_NO_FG to… by @​mcollina in https://github.com/nodejs/undici/pull/2527
• feat: expose headerNameToString by @​tsctx in https://github.com/nodejs/undici/pull/2525

New Contributors

• @​khardix made their first contribution in https://github.com/nodejs/undici/pull/2403

Full Changelog: nodejs/undici@v6.0.1...v6.1.0

v6.0.1

Compare Source

What's Changed

• fix: stream error timings by @​ronag in https://github.com/nodejs/undici/pull/2497

Full Changelog: nodejs/undici@v6.0.0...v6.0.1

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[github-actions]

🎉 This PR is included in version 6.0.0-beta.1 🎉

The release is available on:

• GitHub release
• npm package (@beta dist-tag)

Your semantic-release bot 📦🚀

[github-actions]

🎉 This PR is included in version 6.0.0 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)

Your semantic-release bot 📦🚀