chore(deps): update dependency undici to v5 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	^4.12.1 → ^5.0.0

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

GitHub Vulnerability Alerts

CVE-2022-32210

Description

Undici.ProxyAgent never verifies the remote server's certificate, and always exposes all request & response data to the proxy. This unexpectedly means that proxies can MitM all HTTPS traffic, and if the proxy's URL is HTTP then it also means that nominally HTTPS requests are actually sent via plain-text HTTP between Undici and the proxy server.

Impact

This affects all use of HTTPS via HTTP proxy using Undici.ProxyAgent with Undici or Node's global fetch. In this case, it removes all HTTPS security from all requests sent using Undici's ProxyAgent, allowing trivial MitM attacks by anybody on the network path between the client and the target server (local network users, your ISP, the proxy, the target server's ISP, etc).
This less seriously affects HTTPS via HTTPS proxies. When you send HTTPS via a proxy to a remote server, the proxy can freely view or modify all HTTPS traffic unexpectedly (but only the proxy).

Patches

This issue was patched in Undici v5.5.1.

Workarounds

At the time of writing, the only workaround is to not use ProxyAgent as a dispatcher for TLS Connections.

Severity

• CVSS Score: 7.7 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N

CVE-2022-31150

Impact

It is possible to inject CRLF sequences into request headers in Undici.

const undici = require('undici')

const response = undici.request("http://127.0.0.1:1000", {
  headers: {'a': "\r\nb"}
})

The same applies to path and method

Patches

Update to v5.8.0

Workarounds

Sanitize all HTTP headers from untrusted sources to eliminate \r\n.

References

https://hackerone.com/reports/409943
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12116

For more information

If you have any questions or comments about this advisory:

• Open an issue in undici repository
• To make a report, follow the SECURITY document

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2022-31151

Impact

Authorization headers are already cleared on cross-origin redirect in
https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189, based on https://github.com/nodejs/undici/issues/872.

However, cookie headers which are sensitive headers and are official headers found in the spec, remain uncleared. There also has been active discussion of implementing a cookie store https://github.com/nodejs/undici/pull/1441, which suggests that there are active users using cookie headers in undici.
As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in v5.8.0.

Workarounds

By default, this vulnerability is not exploitable.
Do not enable redirections, i.e. maxRedirections: 0 (the default).

References

https://hackerone.com/reports/1635514
https://curl.se/docs/CVE-2018-1000007.html
https://curl.se/docs/CVE-2022-27776.html

For more information

If you have any questions or comments about this advisory:

• Open an issue in undici repository
• To make a report, follow the SECURITY document

Severity

• CVSS Score: 3.7 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2022-35949

Impact

undici is vulnerable to SSRF (Server-side Request Forgery) when an application takes in user input into the path/pathname option of undici.request.

If a user specifies a URL such as http://127.0.0.1 or //127.0.0.1

const undici = require("undici")
undici.request({origin: "http://example.com", pathname: "//127.0.0.1"})

Instead of processing the request as http://example.org//127.0.0.1 (or http://example.org/http://127.0.0.1 when http://127.0.0.1 is used), it actually processes the request as http://127.0.0.1/ and sends it to http://127.0.0.1.

If a developer passes in user input into path parameter of undici.request, it can result in an SSRF as they will assume that the hostname cannot change, when in actual fact it can change because the specified path parameter is combined with the base URL.

Patches

This issue was fixed in undici@5.8.1.

Workarounds

The best workaround is to validate user input before passing it to the undici.request call.

For more information

If you have any questions or comments about this advisory:

• Open an issue in undici repository
• To make a report, follow the SECURITY document

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CVE-2022-35948

Impact

=< undici@5.8.0 users are vulnerable to CRLF Injection on headers when using unsanitized input as request headers, more specifically, inside the content-type header.

Example:

import { request } from 'undici'

const unsanitizedContentTypeInput =  'application/json\r\n\r\nGET /foo2 HTTP/1.1'

await request('http://localhost:3000, {
    method: 'GET',
    headers: {
      'content-type': unsanitizedContentTypeInput
    },
})

The above snippet will perform two requests in a single request API call:

1. http://localhost:3000/
2. http://localhost:3000/foo2

Patches

This issue was patched in Undici v5.8.1

Workarounds

Sanitize input when sending content-type headers using user input.

For more information

If you have any questions or comments about this advisory:

• Open an issue in undici repository
• To make a report, follow the SECURITY document

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CVE-2023-23936

Impact

undici library does not protect host HTTP header from CRLF injection vulnerabilities.

Patches

This issue was patched in Undici v5.19.1.

Workarounds

Sanitize the headers.host string before passing to undici.

References

Reported at https://hackerone.com/reports/1820955.

Credits

Thank you to Zhipeng Zhang (@​timon8) for reporting this vulnerability.

Severity

• CVSS Score: 4.6 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

CVE-2023-24807

Impact

The Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function.

Patches

This vulnerability was patched in v5.19.1.

Workarounds

There is no workaround. Please update to an unaffected version.

References

• https://hackerone.com/bugs?report_id=1784449

Credits

Carter Snook reported this vulnerability.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE-2023-45143

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

Severity

• CVSS Score: 3.9 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

• https://fetch.spec.whatwg.org/#authentication-entries
• GHSA-wqq4-5wpv-mx2g

Severity

• CVSS Score: 3.9 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CVE-2024-30260

Impact

Undici cleared Authorization and Proxy-Authorization headers for fetch(), but did not clear them for undici.request().

Patches

This has been patched in nodejs/undici@6805746.
Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

use fetch() or disable maxRedirections.

References

Linzi Shang reported this.

• https://hackerone.com/reports/2408074
• GHSA-3787-6prv-h9w3

Severity

• CVSS Score: 3.9 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L

CVE-2024-30261

Impact

If an attacker can alter the integrity option passed to fetch(), they can let fetch() accept requests as valid even if they have been tampered.

Patches

Fixed in nodejs/undici@d542b8c.
Fixes has been released in v5.28.4 and v6.11.1.

Workarounds

Ensure that integrity cannot be tampered with.

References

https://hackerone.com/reports/2377760

Severity

• CVSS Score: 2.6 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

---

Release Notes

nodejs/undici (undici)

v5.28.4

Compare Source

⚠️ Security Release ⚠️

• Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
• Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261

Full Changelog: nodejs/undici@v5.28.3...v5.28.4

v5.28.3

Compare Source

⚠️ Security Release ⚠️

Fixes:

• CVE-2024-24758 Proxy-Authorization header not cleared on cross-origin redirect in fetch

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

v5.28.2

Compare Source

What's Changed

• fix: remove optional chainning for compatible with Nodejs12 and below by @​bugb in #​2470
• fix: remove node: prefix by @​tsctx in #​2471
• perf: avoid Headers initialization by @​tsctx in #​2468
• fix: handle SharedArrayBuffer correctly by @​tsctx in #​2466
• fix: Add null type to signal in RequestInit by @​gebsh in #​2455
• fix: correctly handle data URL with hashes. by @​tsctx in #​2475
• fix: check response for timinginfo allow flag by @​ToshB in #​2477
• Make call to onBodySent conditional in RetryHandler by @​MzUgM in #​2478
• refactor: better integrity check by @​tsctx in #​2462
• fix: Added support for inline URL username:password proxy auth by @​matt-way in #​2473
• build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @​dependabot in #​2472
• build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @​dependabot in #​2405
• build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @​dependabot in #​2396
• build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @​dependabot in #​2395
• build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @​dependabot in #​2392
• build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @​dependabot in #​2389
• build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @​dependabot in #​2302

New Contributors

• @​bugb made their first contribution in #​2470
• @​gebsh made their first contribution in #​2455
• @​ToshB made their first contribution in #​2477
• @​MzUgM made their first contribution in #​2478
• @​matt-way made their first contribution in #​2473

Full Changelog: nodejs/undici@v5.28.1...v5.28.2

v5.28.1

Compare Source

What's Changed

• perf: Improve normalizeMethod by @​tsctx in #​2456
• fix: dispatch error handling by @​ronag in #​2459
• perf(request): optimize if headers are given by @​tsctx in #​2454

Full Changelog: nodejs/undici@v5.28.0...v5.28.1

v5.28.0

Compare Source

What's Changed

• fix(parseHeaders): util.parseHeaders handle correctly array of buffer… by @​mdoria12 in #​2398
• docs: add license to undici-types by @​dancastillo in #​2401
• perf: optimize Readable.dump by @​ronag in #​2402
• perf(headers): Improve Headers by @​tsctx in #​2397
• test: re-enable conditional WPT Report for websockets by @​panva in #​2407
• fix: delay abort on 'close' by @​ronag in #​2408
• refactor: use substring instead of substr by @​tsctx in #​2411
• add additional http2 test with fetch by @​KhafraDev in #​2419
• fix: HTTPToken check by @​tsctx in #​2410
• perf: optimize HeadersList.get by @​tsctx in #​2420
• properly handle pseudo-headers in fetch by @​KhafraDev in #​2422
• perf(headers): if the guard is immutable by @​tsctx in #​2424
• fix(mock-agent): send stream body by @​tsctx in #​2425
• build(deps): bump github/codeql-action from 2.21.5 to 2.22.5 by @​dependabot in #​2394
• feat(#​2264): Expose Retry Handler by @​metcoder95 in #​2281
• fix: implement Headers#set correctly by @​tsctx in #​2432
• fix: implement Headers#delete correctly by @​tsctx in #​2430
• test: update websocket wpt availability by @​panva in #​2437
• fix: type comment position by @​tsctx in #​2443
• fix: onHeaders type declaration by @​tsctx in #​2444
• remove http2 status pseudo header from headers by @​KhafraDev in #​2438
• docs: Clarify path matching in intercept() by @​oliversalzburg in #​2426
• fix: set-cookie clone by @​tsctx in #​2446
• docs: fix typo in maxConcurrentStreams by @​tniessen in #​2450
• refactor: remove leftovers by @​metcoder95 in #​2451
• refactor: add missing new operator by @​tsctx in #​2452

New Contributors

• @​mdoria12 made their first contribution in #​2398
• @​tsctx made their first contribution in #​2397
• @​oliversalzburg made their first contribution in #​2426

Full Changelog: nodejs/undici@v5.27.2...v5.28.0

v5.27.2

Compare Source

Full Changelog: nodejs/undici@v5.27.1...v5.27.2

v5.27.1

Compare Source

What's Changed

• add regression test by @​KhafraDev in #​2376
• fix: define conditions when content-length should be sent by @​pxue in #​2305
• refactor: removed unnecessary default by @​nikelborm in #​2381
• fix: stream body handling by @​ronag in #​2391

New Contributors

• @​pxue made their first contribution in #​2305
• @​nikelborm made their first contribution in #​2381

Full Changelog: nodejs/undici@v5.27.0...v5.27.1

v5.27.0

Compare Source

What's Changed

• Use sets and reusable TextEncoder/TextDecoder instances by @​kibertoad in #​2368
• feat: forward onRequestSent to handler by @​ronag in #​2375
• skip bundle test on node 16 by @​KhafraDev in #​2377
• fix windows CI by @​KhafraDev in #​2379

Full Changelog: nodejs/undici@v5.26.5...v5.27.0

v5.26.5

Compare Source

What's Changed

• Drop race condition in connect-timeout test by @​mcollina in #​2360
• Remove a couple of unnecessary async functions by @​kibertoad in #​2367
• Update namespace type with Fetch exports by @​Ethan-Arrowood in #​2361

Full Changelog: nodejs/undici@v5.26.4...v5.26.5

v5.26.4

Compare Source

What's Changed

• use esbuild define/hooks by @​KhafraDev in #​2342
• fix request's arrayBuffer returning uint8 instead of arraybuffer by @​KhafraDev in #​2344
• fix: skip readMore call if parser is null or undefined by @​iiAku in #​2346
• test: first attempt for flaky fix by @​metcoder95 in #​2337
• test: only include WebSocket in WPT Report where it's landed by @​panva in #​2351
• Update DispatchInterceptor.md by @​Uzlopak in #​2354
• fix: Avoid error for stream() being aborted by @​BobNobrain in #​2355
• fix names with esbuild by @​KhafraDev in #​2359

New Contributors

• @​iiAku made their first contribution in #​2346
• @​Uzlopak made their first contribution in #​2354
• @​BobNobrain made their first contribution in #​2355

Full Changelog: nodejs/undici@v5.26.3...v5.26.4

v5.26.3

Compare Source

v5.26.2

Compare Source

Security Release, CVE-2023-45143.

v5.26.1

Compare Source

What's Changed

• Fix publish undici-types once and for all! by @​Ethan-Arrowood in #​2338
• Fix node detection omfg by @​KhafraDev in #​2341

Full Changelog: nodejs/undici@v5.26.0...v5.26.1

v5.26.0

Compare Source

What's Changed

• use npm install instead of npm ci by @​Ethan-Arrowood in #​2309
• change default header to node by @​Ethan-Arrowood in #​2310
• chore: change order of the pseudo-headers by @​kyrylodolynskyi in #​2308
• fix: Agent.Options.factory should accept URL object or string as parameter by @​nicole0707 in #​2295
• build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by @​dependabot in #​2312
• test: handle npm ignore-scripts settings by @​panva in #​2313
• feat: respect --max-http-header-size Node.js flag by @​balazsorban44 in #​2234
• fix(#​2311): End stream after body sent by @​metcoder95 in #​2314
• disallow setting host header in fetch by @​KhafraDev in #​2322
• [StepSecurity] ci: Harden GitHub Actions by @​step-security-bot in #​2325
• fix fetch with coverage enabled by @​KhafraDev in #​2330
• Fix stuck when using http2 POST Buffer by @​binsee in #​2336
• fix: 🏷️ add allowH2 to BuildOptions by @​binsee in #​2334
• fix: 🐛 fix process http2 header by @​binsee in #​2332

New Contributors

• @​kyrylodolynskyi made their first contribution in #​2308
• @​nicole0707 made their first contribution in #​2295
• @​balazsorban44 made their first contribution in #​2234
• @​binsee made their first contribution in #​2336

Full Changelog: nodejs/undici@v5.23.4...v5.26.0

v5.25.4

Compare Source

v5.25.3

Compare Source

What's Changed

• perf: improve parse-url implementation by @​anonrig in #​2286
• test: enable websockets inclusion in WPTReport by @​panva in #​2284
• remove npm run test from pre-commit hook by @​dancastillo in #​2296
• perf: use @​fastify/busboy by @​gurgunday in #​2211
• Disable finalizationregistry if node code cov by @​mcollina in #​2298

New Contributors

• @​gurgunday made their first contribution in #​2211

Full Changelog: nodejs/undici@v5.25.2...v5.25.3

v5.25.2

Compare Source

What's Changed

• Add Khaf to releasers by @​mcollina in #​2276
• fix: fix request with readable mode is object by @​killagu in #​2279
• fix loading websockets when node is built w/ --without-ssl by @​KhafraDev in #​2282

New Contributors

• @​killagu made their first contribution in #​2279

Full Changelog: nodejs/undici@v5.25.1...v5.25.2

v5.25.1

Compare Source

What's Changed

• Add publish types script by @​Ethan-Arrowood in #​2273

Full Changelog: nodejs/undici@v5.25.0...v5.25.1

v5.25.0

Compare Source

What's Changed

• fix: h2 without body by @​metcoder95 in #​2258
• ci: remove duplicated runs by @​metcoder95 in #​2265
• improve documentation of timeouts by making the units clear in all places by @​mcfedr in #​2266
• expose websocket in node bundle by @​KhafraDev in #​2217
• test: fix Fetch/HTTP2 tests by @​metcoder95 in #​2263
• fix undici when node is built with --without-ssl by @​KhafraDev in #​2272
• fix: Fix type definition for Client Interceptors by @​ComradeCow in #​2269
• Fix http2 agent by @​mcollina in #​2275

New Contributors

• @​ComradeCow made their first contribution in #​2269

Full Changelog: nodejs/undici@v5.24.0...v5.25.0

v5.24.0

Compare Source

Notable Changes

• feat: Add H2 support by @​metcoder95 in #​2061

What's Changed

• build(deps): bump step-security/harden-runner from 2.4.1 to 2.5.0 by @​dependabot in #​2203
• better stack trace for body.json by @​KhafraDev in #​2215
• allow http & https websocket urls by @​KhafraDev in #​2218
• build(deps-dev): bump @​sinonjs/fake-timers from 10.3.0 to 11.1.0 by @​dependabot in #​2221
• fix: pass ProxyAgent proxy status code error by @​NBNGaming in #​2162
• fix failing test by @​KhafraDev in #​2223
• docs: update MockPool.md intercept method description by @​capaj in #​2220
• Update wpts by @​KhafraDev in #​2226
• build(deps): bump github/codeql-action from 2.21.2 to 2.21.5 by @​dependabot in #​2240
• build(deps): bump actions/setup-node from 3.6.0 to 3.8.1 by @​dependabot in #​2237
• build(deps): bump fastify/github-action-merge-dependabot from 3.9.0 to 3.9.1 by @​dependabot in #​2236
• build(deps): bump actions/checkout from 3.5.3 to 3.6.0 by @​dependabot in #​2241
• build(deps): bump actions/dependency-review-action from 3.0.6 to 3.0.8 by @​dependabot in #​2238
• fix: aborting request with non-object error by @​KhafraDev in #​2243
• fix: preserve file path when parsing formdata by @​jimmywarting in #​2245
• build(deps-dev): bump tsd from 0.28.1 to 0.29.0 by @​dependabot in #​2246
• Updated benchmarks by @​mcollina in #​2250
• Fix fetch in node v20.6.0 by @​mcollina in #​2251
• Maybe fix v20 by @​mcollina in #​2252
• feat: Add H2 support by @​metcoder95 in #​2061
• docs: fix tables in README by @​regseb in #​2254
• Fix http2 fetch test by @​mcollina in #​2253

New Contributors

• @​NBNGaming made their first contribution in #​2162
• @​capaj made their first contribution in #​2220
• @​regseb made their first contribution in #​2254

Full Changelog: nodejs/undici@v5.23.0...v5.24.0

v5.23.0

Compare Source

What's Changed

• bump engines to node >= 16 by @​ronag in #​2119
• Revert "bump engines to node >= 16 (#​2119)" by @​ronag in #​2121
• fetch: set referrer properly by @​KhafraDev in #​2125
• fix: support truncated gzip by @​jimmywarting in #​2126
• workflow: apply security best practices by @​step-security-bot in #​2130
• build(deps): bump actions/upload-artifact from 3.1.0 to 3.1.2 by @​dependabot in #​2135
• build(deps): bump actions/dependency-review-action from 2.5.1 to 3.0.4 by @​dependabot in #​2133
• build(deps): bump node from 18-alpine to 20-alpine in /build by @​dependabot in #​2131
• build(deps): bump pkgjs/action from 0.1.6 to 0.1.7 by @​dependabot in #​2136
• build(deps): bump actions/checkout from 3.1.0 to 3.5.2 by @​dependabot in #​2132
• build(deps-dev): bump jsdom from 21.1.2 to 22.1.0 by @​dependabot in #​2142
• build(deps): bump fastify/github-action-merge-dependabot from 3.7.0 to 3.8.0 by @​dependabot in #​2148
• fix(pr): use correct pr template file by @​AugustinMauroy in #​2141
• Additional WebSocket send tests to cover all payload size categories by @​jawj in #​2149
• fix: reverse decompression order of "Content-Encoding" encodings (fixes #​2158) by @​rychkog in #​2159
• fix: keep running WPTs if a test times out by @​KhafraDev in #​2165
• feat: add build environment info by @​mhdawson in #​2168
• fix: forward error reason to fetch controller by @​KhafraDev in #​2172
• stricter types for bodymixin.json by @​KhafraDev in #​2181
• chore: Renable autoSelectFamily tests. by @​ShogunPanda in #​2180
• build(deps): bump actions/dependency-review-action from 3.0.4 to 3.0.6 by @​dependabot in #​2147
• build(deps): bump github/codeql-action from 2.3.2 to 2.20.3 by @​dependabot in #​2185
• fix: fetch resource timing performance entry names should be strings by @​GaryWilber in #​2188
• build(deps): bump actions/checkout from 3.5.2 to 3.5.3 by @​dependabot in #​2176
• build(deps): bump fastify/github-action-merge-dependabot from 3.8.0 to 3.9.0 by @​dependabot in #​2177
• build(deps): bump ossf/scorecard-action from 2.1.3 to 2.2.0 by @​dependabot in #​2178
• build(deps): bump step-security/harden-runner from 2.4.0 to 2.4.1 by @​dependabot in #​2175
• test: fix autoselectfamily on platforms without IPv6 support by @​LiviaMedeiros in #​2197
• fix: make multipart/form-data boundary string more consistent by @​LiviaMedeiros in #​2196
• docs: add proxy agent options docs by @​dancastillo in #​2193
• build(deps): bump github/codeql-action from 2.20.3 to 2.21.2 by @​dependabot in #​2205
• feat: make use of addAbortListener where applicable by @​atlowChemi in #​2195

New Contributors

• @​step-security-bot made their first contribution in #​2130
• @​AugustinMauroy made their first contribution in #​2141
• @​rychkog made their first contribution in #​2159
• @​mhdawson made their first contribution in #​2168
• @​GaryWilber made their first contribution in #​2188
• @​atlowChemi made their first contribution in #​2195

Full Changelog: nodejs/undici@v5.22.1...v5.23.0

v5.22.1

Compare Source

What's Changed

• Cache storage by @​KhafraDev in #​2076
• test: skip content-disposition test in node 18 by @​KhafraDev in #​2081
• Cache storage cleanup by @​KhafraDev in #​2082
• Cache storage fixes by @​KhafraDev in #​2083
• test: improve test coverage for ErrorEvent and MessageEvent by @​KhafraDev in #​2085
• test: remove --experimental-wasm-simd by @​KhafraDev in #​2087
• websocket: add websocketinit by @​KhafraDev in #​2088
• feat(websocket): allow setting custom headers by @​KhafraDev in #​2089
• test: fix tests failing only on node v20 by @​KhafraDev in #​2096
• fix: skip set content-length when FormData value is stream by @​fengmk2 in #​2091
• doc: update outdated command in contributing.md by @​jazelly in #​2099
• cache: fix most failing WPTs by @​KhafraDev in #​2100
• feat: allow build:wasm to auto detect platform by @​jazelly in #​2102
• docs: updated Error documentation (fixes #​2090) by @​titanism in #​2092
• mimesniff: fix many broken tests by @​KhafraDev in #​2103
• test: fix failing tests by @​KhafraDev in #​2097
• build(deps): bump github/codeql-action from 2.2.9 to 2.3.2 by @​dependabot in #​2105
• fix: more informative error message to tell that the server doesn't match http/1.1 protocol by @​Songkeys in #​2055
• Fix bug in 16-bit frame length when buffer is a subarray by @​jawj in #​2106
• update wpts by @​KhafraDev in #​2108
• fix: update error definitions by @​dfilatov in #​2112
• fix: make assertion a noop by @​ronag in #​2111

New Contributors

• @​jazelly made their first contribution in #​2099
• @​titanism made their first contribution in #​2092
• @​Songkeys made their first contribution in #​2055
• @​jawj made their first contribution in #​2106
• @​dfilatov made their first contribution in #​2112

Full Changelog: nodejs/undici@v5.22.0...v5.22.1

v5.22.0

Compare Source

What's Changed

• build(deps-dev): bump tsd from 0.27.0 to 0.28.1 by @​dependabot in #​2042
• build(deps): bump ossf/scorecard-action from 2.1.2 to 2.1.3 by @​dependabot in #​2040
• fix: handle opaque origin in sameOrigin by @​KhafraDev in #​2053
• test: add typescript import test back by @​KhafraDev in #​2054
• fix: use getMaxListeners when available by @​KhafraDev in #​2063
• feat: allow overriding hwm by @​ronag in #​2057
• fix: there is no sync connector by @​ronag in #​2059
• fix: rename .wasm to -wa

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.