deps: update undici to v5.26.3 #50153
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Review requested:
|
nodejs-github-bot
added
lib / src
Signed-off-by: Matteo Collina <hello@matteocollina.com>
mcollina
force-pushed
the
update-undici
branch
from
3f793b7 to
7554382
Compare
mcollina
changed the title
mcollina
added
request-ci
|
Fast-track has been requested by @mcollina. Please 👍 to approve. |
anonrig
approved these changes
Oct 11, 2023
RafaelGSS
approved these changes
Oct 11, 2023
github-actions
bot
removed
the
request-ci
Ethan-Arrowood
approved these changes
Oct 11, 2023
panva
approved these changes
Oct 11, 2023
KhafraDev
approved these changes
Oct 11, 2023
|
CI failures seem consistent across the latest two runs but unrelated to undici. |
marco-ippolito
approved these changes
Oct 12, 2023
|
A few fs.watch tests are failing on Mac OS X. cc @nodejs/build @nodejs/releasers |
panva
added
the
commit-queue
nodejs-github-bot
removed
the
commit-queue
|
Landed in 7ed50e5 |
alexfernandez
pushed a commit
to alexfernandez/node
that referenced
this pull request
Nov 1, 2023
Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: nodejs#50153 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Matthew Aitken <maitken033380023@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
gisbdzhch
pushed a commit
to gisktzh/gb3-web_ui
that referenced
this pull request
Nov 9, 2023
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [node](https://github.com/nodejs/node) | engines | major | [`18.x` -> `20.x`](https://renovatebot.com/diffs/npm/node/v18.18.2/v20.9.0) | --- ### Release Notes <details> <summary>nodejs/node (node)</summary> ### [`v20.9.0`](https://github.com/nodejs/node/releases/tag/v20.9.0): 2023-10-24, Version 20.9.0 'Iron' (LTS), @​richardlau [Compare Source](nodejs/node@v20.8.1...v20.9.0) ##### Notable Changes This release marks the transition of Node.js 20.x into Long Term Support (LTS) with the codename 'Iron'. The 20.x release line now moves into "Active LTS" and will remain so until October 2024. After that time, it will move into "Maintenance" until end of life in April 2026. ##### Known issue Collecting code coverage via the `NODE_V8_COVERAGE` environment variable may lead to a hang. This is not thought to be a regression in Node.js 20 (some reports are on Node.js 18). For more information, including some potential workarounds, see issue [#​49344](nodejs/node#49344). ### [`v20.8.1`](https://github.com/nodejs/node/releases/tag/v20.8.1): 2023-10-13, Version 20.8.1 (Current), @​RafaelGSS [Compare Source](nodejs/node@v20.8.0...v20.8.1) This is a security release. ##### Notable Changes The following CVEs are fixed in this release: - [CVE-2023-44487](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-44487): `nghttp2` Security Release (High) - [CVE-2023-45143](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-45143): `undici` Security Release (High) - [CVE-2023-39332](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39332): Path traversal through path stored in Uint8Array (High) - [CVE-2023-39331](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39331): Permission model improperly protects against path traversal (High) - [CVE-2023-38552](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-38552): Integrity checks according to policies can be circumvented (Medium) - [CVE-2023-39333](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39333): Code injection via WebAssembly export names (Low) More detailed information on each of the vulnerabilities can be found in [October 2023 Security Releases](https://nodejs.org/en/blog/vulnerability/october-2023-security-releases/) blog post. ##### Commits - \[[`c86883e844`](nodejs/node@c86883e844)] - **deps**: update nghttp2 to 1.57.0 (James M Snell) [#​50121](nodejs/node#50121) - \[[`2860631359`](nodejs/node@2860631359)] - **deps**: update undici to v5.26.3 (Matteo Collina) [#​50153](nodejs/node#50153) - \[[`cd37838bf8`](nodejs/node@cd37838bf8)] - **lib**: let deps require `node` prefixed modules (Matthew Aitken) [#&...
3 tasks
aduh95
pushed a commit
to aduh95/node
that referenced
this pull request
Feb 18, 2025
Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: nodejs#50153 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Matthew Aitken <maitken033380023@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> CVE-ID: CVE-2023-45143
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This fixes CVE-2023-45143.
Fixes #50150
Fixes #50145