firebase-js-sdk
firebase-js-sdk copied to clipboard

Published 20 hours ago •

Reame
Issues

fix(deps): update dependency undici to v5.28.3 [security]

Open renovate[bot] opened this issue 1 year ago • 4 comments

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	`5.26.5` -> `5.28.3`

GitHub Vulnerability Alerts

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

https://fetch.spec.whatwg.org/#authentication-entries
https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g

Release Notes

nodejs/undici (undici)

`v5.28.3`

⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

Full Changelog: https://github.com/nodejs/undici/compare/v5.28.2...v5.28.3

`v5.28.2`

What's Changed

fix: remove optional chainning for compatible with Nodejs12 and below by @bugb in https://github.com/nodejs/undici/pull/2470
fix: remove node: prefix by @tsctx in https://github.com/nodejs/undici/pull/2471
perf: avoid Headers initialization by @tsctx in https://github.com/nodejs/undici/pull/2468
fix: handle SharedArrayBuffer correctly by @tsctx in https://github.com/nodejs/undici/pull/2466
fix: Add null type to signal in RequestInit by @gebsh in https://github.com/nodejs/undici/pull/2455
fix: correctly handle data URL with hashes. by @tsctx in https://github.com/nodejs/undici/pull/2475
fix: check response for timinginfo allow flag by @ToshB in https://github.com/nodejs/undici/pull/2477
Make call to onBodySent conditional in RetryHandler by @MzUgM in https://github.com/nodejs/undici/pull/2478
refactor: better integrity check by @tsctx in https://github.com/nodejs/undici/pull/2462
fix: Added support for inline URL username:password proxy auth by @matt-way in https://github.com/nodejs/undici/pull/2473
build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @dependabot in https://github.com/nodejs/undici/pull/2472
build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @dependabot in https://github.com/nodejs/undici/pull/2405
build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @dependabot in https://github.com/nodejs/undici/pull/2396
build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @dependabot in https://github.com/nodejs/undici/pull/2395
build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @dependabot in https://github.com/nodejs/undici/pull/2392
build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @dependabot in https://github.com/nodejs/undici/pull/2389
build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in https://github.com/nodejs/undici/pull/2302

New Contributors

@bugb made their first contribution in https://github.com/nodejs/undici/pull/2470
@gebsh made their first contribution in https://github.com/nodejs/undici/pull/2455
@ToshB made their first contribution in https://github.com/nodejs/undici/pull/2477
@MzUgM made their first contribution in https://github.com/nodejs/undici/pull/2478
@matt-way made their first contribution in https://github.com/nodejs/undici/pull/2473

Full Changelog: https://github.com/nodejs/undici/compare/v5.28.1...v5.28.2

`v5.28.1`

What's Changed

perf: Improve normalizeMethod by @tsctx in https://github.com/nodejs/undici/pull/2456
fix: dispatch error handling by @ronag in https://github.com/nodejs/undici/pull/2459
perf(request): optimize if headers are given by @tsctx in https://github.com/nodejs/undici/pull/2454

Full Changelog: https://github.com/nodejs/undici/compare/v5.28.0...v5.28.1

`v5.28.0`

What's Changed

fix(parseHeaders): util.parseHeaders handle correctly array of buffer… by @mdoria12 in https://github.com/nodejs/undici/pull/2398
docs: add license to undici-types by @dancastillo in https://github.com/nodejs/undici/pull/2401
perf: optimize Readable.dump by @ronag in https://github.com/nodejs/undici/pull/2402
perf(headers): Improve Headers by @tsctx in https://github.com/nodejs/undici/pull/2397
test: re-enable conditional WPT Report for websockets by @panva in https://github.com/nodejs/undici/pull/2407
fix: delay abort on 'close' by @ronag in https://github.com/nodejs/undici/pull/2408
refactor: use substring instead of substr by @tsctx in https://github.com/nodejs/undici/pull/2411
add additional http2 test with fetch by @KhafraDev in https://github.com/nodejs/undici/pull/2419
fix: HTTPToken check by @tsctx in https://github.com/nodejs/undici/pull/2410
perf: optimize HeadersList.get by @tsctx in https://github.com/nodejs/undici/pull/2420
properly handle pseudo-headers in fetch by @KhafraDev in https://github.com/nodejs/undici/pull/2422
perf(headers): if the guard is immutable by @tsctx in https://github.com/nodejs/undici/pull/2424
fix(mock-agent): send stream body by @tsctx in https://github.com/nodejs/undici/pull/2425
build(deps): bump github/codeql-action from 2.21.5 to 2.22.5 by @dependabot in https://github.com/nodejs/undici/pull/2394
feat(#2264): Expose Retry Handler by @metcoder95 in https://github.com/nodejs/undici/pull/2281
fix: implement Headers#set correctly by @tsctx in https://github.com/nodejs/undici/pull/2432
fix: implement Headers#delete correctly by @tsctx in https://github.com/nodejs/undici/pull/2430
test: update websocket wpt availability by @panva in https://github.com/nodejs/undici/pull/2437
fix: type comment position by @tsctx in https://github.com/nodejs/undici/pull/2443
fix: onHeaders type declaration by @tsctx in https://github.com/nodejs/undici/pull/2444
remove http2 status pseudo header from headers by @KhafraDev in https://github.com/nodejs/undici/pull/2438
docs: Clarify path matching in intercept() by @oliversalzburg in https://github.com/nodejs/undici/pull/2426
fix: set-cookie clone by @tsctx in https://github.com/nodejs/undici/pull/2446
docs: fix typo in maxConcurrentStreams by @tniessen in https://github.com/nodejs/undici/pull/2450
refactor: remove leftovers by @metcoder95 in https://github.com/nodejs/undici/pull/2451
refactor: add missing new operator by @tsctx in https://github.com/nodejs/undici/pull/2452

New Contributors

@mdoria12 made their first contribution in https://github.com/nodejs/undici/pull/2398
@tsctx made their first contribution in https://github.com/nodejs/undici/pull/2397
@oliversalzburg made their first contribution in https://github.com/nodejs/undici/pull/2426

Full Changelog: https://github.com/nodejs/undici/compare/v5.27.2...v5.28.0

`v5.27.2`

Full Changelog: https://github.com/nodejs/undici/compare/v5.27.1...v5.27.2

`v5.27.1`

What's Changed

add regression test by @KhafraDev in https://github.com/nodejs/undici/pull/2376
fix: define conditions when content-length should be sent by @pxue in https://github.com/nodejs/undici/pull/2305
refactor: removed unnecessary default by @nikelborm in https://github.com/nodejs/undici/pull/2381
fix: stream body handling by @ronag in https://github.com/nodejs/undici/pull/2391

New Contributors

@pxue made their first contribution in https://github.com/nodejs/undici/pull/2305
@nikelborm made their first contribution in https://github.com/nodejs/undici/pull/2381

Full Changelog: https://github.com/nodejs/undici/compare/v5.27.0...v5.27.1

`v5.27.0`

What's Changed

Use sets and reusable TextEncoder/TextDecoder instances by @kibertoad in https://github.com/nodejs/undici/pull/2368
feat: forward onRequestSent to handler by @ronag in https://github.com/nodejs/undici/pull/2375
skip bundle test on node 16 by @KhafraDev in https://github.com/nodejs/undici/pull/2377
fix windows CI by @KhafraDev in https://github.com/nodejs/undici/pull/2379

Full Changelog: https://github.com/nodejs/undici/compare/v5.26.5...v5.27.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

[ ] If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

Feb 16 '24 19:02 renovate[bot]

⚠️ No Changeset found

Latest commit: 0c821af320b119f4fa879d177fd0693bb44e31f9

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

Feb 16 '24 19:02 changeset-bot[bot]

Changeset File Check :warning:

Changeset formatting error in following file:%0A %0A Some packages have been changed but no changesets were found. Run `changeset add` to resolve this error.%0A If this change doesn't need a release, run `changeset add --empty`.%0A %0A

Feb 16 '24 19:02 github-actions[bot]

Size Report ¹

Affected Products

No changes between base commit (9fa0e9f) and merge commit (46c75af).

Test Logs

Base (9fa0e9f): https://github.com/firebase/firebase-js-sdk/actions/runs/7748332201
Merge (46c75af): https://github.com/firebase/firebase-js-sdk/actions/runs/7935234272

Feb 16 '24 19:02 google-oss-bot

Size Analysis Report ¹

Affected Products

No changes between base commit (9fa0e9f) and merge commit (46c75af).

Test Logs

Base (9fa0e9f): https://github.com/firebase/firebase-js-sdk/actions/runs/7748332201
Merge (46c75af): https://github.com/firebase/firebase-js-sdk/actions/runs/7935234272

Feb 16 '24 19:02 google-oss-bot

What's the ETA for a fix for this security issue?

Feb 21 '24 17:02 baraknaveh