[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [undici](https://undici.nodejs.org) ([source](https://github.com/nodejs/undici)) | [`6.4.0` -> `6.6.1`](https://renovatebot.com/diffs/npm/undici/6.4.0/6.6.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/undici/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/undici/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/undici/6.4.0/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/6.4.0/6.6.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2024-24750](https://github.com/nodejs/undici/security/advisories/GHSA-9f24-jqhm-jfcw) ### Impact Calling `fetch(url)` and not consuming the incoming body ((or consuming it very slowing) will lead to a memory leak. ### Patches Patched in v6.6.1 ### Workarounds Make sure to always consume the incoming body. #### [CVE-2024-24758](https://github.com/nodejs/undici/security/advisories/GHSA-3787-6prv-h9w3) ### Impact Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authorization` headers. ### Patches This is patched in v5.28.3 and v6.6.1 ### Workarounds There are no known workarounds. ### References - https://fetch.spec.whatwg.org/#authentication-entries - GHSA-wqq4-5wpv-mx2g --- ### Release Notes <details> <summary>nodejs/undici (undici)</summary> ### [`v6.6.1`](https://github.com/nodejs/undici/releases/tag/v6.6.1) [Compare Source](https://github.com/nodejs/undici/compare/v6.6.0...v6.6.1) #### ⚠️ Security Release ⚠️ Details on the vulnerabilities fixed will be shared in the next couple of days. #### What's Changed - fix: flaky debug test by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2687](https://github.com/nodejs/undici/pull/2687) - build(deps): bump github/codeql-action from 3.22.12 to 3.23.2 by [@dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2688](https://github.com/nodejs/undici/pull/2688) - build(deps): bump actions/dependency-review-action from 3.1.0 to 4.0.0 by [@dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2689](https://github.com/nodejs/undici/pull/2689) - fix: ci pipeline warnings by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2685](https://github.com/nodejs/undici/pull/2685) - perf: optimize Iterator by [@tsctx](https://github.com/tsctx) in [https://github.com/nodejs/undici/pull/2692](https://github.com/nodejs/undici/pull/2692) **Full Changelog**: nodejs/undici@v6.6.0...v6.6.1 ### [`v6.6.0`](https://github.com/nodejs/undici/releases/tag/v6.6.0) [Compare Source](https://github.com/nodejs/undici/compare/v6.5.0...v6.6.0) #### What's Changed - add webSocket example by [@mertcanaltin](https://github.com/mertcanaltin) in [https://github.com/nodejs/undici/pull/2626](https://github.com/nodejs/undici/pull/2626) - chore: remove atomic-sleep as dev dependency by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2648](https://github.com/nodejs/undici/pull/2648) - chore: remove semver as dev dependency by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2646](https://github.com/nodejs/undici/pull/2646) - chore: remove table as dev dependency by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2649](https://github.com/nodejs/undici/pull/2649) - chore: remove delay as dev dependency by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2647](https://github.com/nodejs/undici/pull/2647) - chore: reduce noise in test-logs test/issue-2349.js by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2655](https://github.com/nodejs/undici/pull/2655) - chore: fix faketimer warning in test/request-timeout.js by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2656](https://github.com/nodejs/undici/pull/2656) - chore: reduce noise in test logs test/client-node-max-header-size.js by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2654](https://github.com/nodejs/undici/pull/2654) - refactor: use fromInnerResponse by [@tsctx](https://github.com/tsctx) in [https://github.com/nodejs/undici/pull/2635](https://github.com/nodejs/undici/pull/2635) - fix: support deflate raw responses by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2650](https://github.com/nodejs/undici/pull/2650) - Support building for externally shared js builtins by [@mochaaP](https://github.com/mochaaP) in [https://github.com/nodejs/undici/pull/2643](https://github.com/nodejs/undici/pull/2643) - fix: typo clampAndCoarsenConnectionTimingInfo by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2653](https://github.com/nodejs/undici/pull/2653) - chore: use 'node:'-prefix for requiring node core modules by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2662](https://github.com/nodejs/undici/pull/2662) - build(deps-dev): bump husky from 8.0.3 to 9.0.7 by [@dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2667](https://github.com/nodejs/undici/pull/2667) - build(deps-dev): bump cronometro from 1.2.0 to 2.0.2 by [@dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2668](https://github.com/nodejs/undici/pull/2668) - remove timers/promises import by [@KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2665](https://github.com/nodejs/undici/pull/2665) - chore: fix various codesmells by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2669](https://github.com/nodejs/undici/pull/2669) - chore: remove this alias in agent.js by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2671](https://github.com/nodejs/undici/pull/2671) - chore: use optional chaining by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2666](https://github.com/nodejs/undici/pull/2666) - chore: small perf improvements by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2661](https://github.com/nodejs/undici/pull/2661) - implement spec changes from a while ago by [@KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2676](https://github.com/nodejs/undici/pull/2676) - websocket: fix close when no closing code is received by [@KhafraDev](https://github.com/KhafraDev) in [https://github.com/nodejs/undici/pull/2680](https://github.com/nodejs/undici/pull/2680) - fix: make ci less flaky by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2684](https://github.com/nodejs/undici/pull/2684) #### New Contributors - [@mochaaP](https://github.com/mochaaP) made their first contribution in [https://github.com/nodejs/undici/pull/2643](https://github.com/nodejs/undici/pull/2643) **Full Changelog**: nodejs/undici@v6.5.0...v6.6.0 ### [`v6.5.0`](https://github.com/nodejs/undici/releases/tag/v6.5.0) [Compare Source](https://github.com/nodejs/undici/compare/v6.4.0...v6.5.0) #### What's Changed - build(deps-dev): bump jsdom from 23.2.0 to 24.0.0 by [@dependabot](https://github.com/dependabot) in [https://github.com/nodejs/undici/pull/2632](https://github.com/nodejs/undici/pull/2632) - feat: Implement EventSource by [@Uzlopak](https://github.com/Uzlopak) in [https://github.com/nodejs/undici/pull/2608](https://github.com/nodejs/undici/pull/2608) - fix: readable body by [@ronag](https://github.com/ronag) in [https://github.com/nodejs/undici/pull/2642](https://github.com/nodejs/undici/pull/2642) **Full Changelog**: nodejs/undici@v6.4.0...v6.5.0 </details> --- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/octokit/rest.js).  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>