Bump undici from 5.22.1 to 5.28.5 in /fixtures/flight-esm #126

dependabot · 2025-01-21T22:22:25Z

Bumps undici from 5.22.1 to 5.28.5.

Release notes

v5.28.5

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

Full Changelog: nodejs/undici@v5.28.4...v5.28.5

v5.28.4

⚠️ Security Release ⚠️

Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260

Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261

Full Changelog: nodejs/undici@v5.28.3...v5.28.4

v5.28.3

⚠️ Security Release ⚠️

Fixes:

CVE-2024-24758 Proxy-Authorization header not cleared on cross-origin redirect in fetch

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

v5.28.2

What's Changed

fix: remove optional chainning for compatible with Nodejs12 and below by @bugb in nodejs/undici#2470

fix: remove node: prefix by @tsctx in nodejs/undici#2471

perf: avoid Headers initialization by @tsctx in nodejs/undici#2468

fix: handle SharedArrayBuffer correctly by @tsctx in nodejs/undici#2466

fix: Add null type to signal in RequestInit by @gebsh in nodejs/undici#2455

fix: correctly handle data URL with hashes. by @tsctx in nodejs/undici#2475

fix: check response for timinginfo allow flag by @ToshB in nodejs/undici#2477

Make call to onBodySent conditional in RetryHandler by @MzUgM in nodejs/undici#2478

refactor: better integrity check by @tsctx in nodejs/undici#2462

fix: Added support for inline URL username:password proxy auth by @matt-way in nodejs/undici#2473

build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @dependabot in nodejs/undici#2472

build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @dependabot in nodejs/undici#2405

build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @dependabot in nodejs/undici#2396

build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @dependabot in nodejs/undici#2395

build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @dependabot in nodejs/undici#2392

build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @dependabot in nodejs/undici#2389

build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in nodejs/undici#2302

New Contributors

@bugb made their first contribution in nodejs/undici#2470

@gebsh made their first contribution in nodejs/undici#2455

@ToshB made their first contribution in nodejs/undici#2477

@MzUgM made their first contribution in nodejs/undici#2478

@matt-way made their first contribution in nodejs/undici#2473

... (truncated)

Commits

6139ed2 Bumped v5.28.5
711e207 Backport of c2d78cd
fb98306 Bumped v5.28.4
2b39440 Merge pull request from GHSA-9qxr-qj54-h672
64e3402 Merge pull request from GHSA-m4v8-wqvr-p9f7
723c4e7 Revert "build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (#2389)"
0e9d54b skip failing test due to Node.js changes
e71cb4c Bumped v5.28.3
20c65b8 Fix tests for Node.js v20.11.0 (#2618)
8ec52cd Fix tests for Node.js v21 (#2609)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [undici](https://github.com/nodejs/undici) from 5.22.1 to 5.28.5. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v5.22.1...v5.28.5) --- updated-dependencies: - dependency-name: undici dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

rafikmojr · 2025-01-21T22:42:14Z

Checkmarx One – Scan Summary & Details – a2faf060-42bc-45e5-a575-d71bd0282cce

New Issues (316)

Checkmarx found the following issues in this Pull Request

Issue	Source File / Package	Checkmarx Insight
CVE-2023-4860	Npm-electron-23.1.2	Vulnerable Package
CVE-2023-7012	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-12692	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-12694	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-12695	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-40643	Npm-htmlparser2-3.10.1	Vulnerable Package
CVE-2024-40643	Npm-htmlparser2-3.3.0	Vulnerable Package
CVE-2024-42461	Npm-elliptic-6.5.4	Vulnerable Package
CVE-2024-42461	Npm-elliptic-6.4.0	Vulnerable Package
CVE-2024-42461	Npm-elliptic-6.5.3	Vulnerable Package
CVE-2024-4558	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-4671	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-48949	Npm-elliptic-6.5.4	Vulnerable Package
CVE-2024-48949	Npm-elliptic-6.5.3	Vulnerable Package
CVE-2024-48949	Npm-elliptic-6.4.0	Vulnerable Package
CVE-2024-6779	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-7024	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-7971	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-9370	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-9963	Npm-electron-23.1.2	Vulnerable Package
CVE-2025-0443	Npm-electron-23.1.2	Vulnerable Package
Cx1113a032-799e	Npm-webmarker-js-0.0.3	Vulnerable Package
CVE-2022-21213	Npm-mout-1.1.0	Vulnerable Package
CVE-2022-25858	Npm-terser-4.8.0	Vulnerable Package
CVE-2022-37620	Npm-html-minifier-3.5.6	Vulnerable Package
CVE-2022-37620	Npm-html-minifier-3.5.3	Vulnerable Package
CVE-2022-37620	Npm-html-minifier-3.5.21	Vulnerable Package
CVE-2022-37620	Npm-html-minifier-3.2.3	Vulnerable Package
CVE-2023-7010	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-10229	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-10230	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-10231	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-10487	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-10488	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-10826	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-10827	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-11112	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-11113	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-11114	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-11115	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-11395	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-12053	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-12381	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-12382	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-12693	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-1674	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-21536	Npm-http-proxy-middleware-2.0.6	Vulnerable Package
CVE-2024-21536	Npm-http-proxy-middleware-0.17.4	Vulnerable Package
CVE-2024-21536	Npm-http-proxy-middleware-0.17.3	Vulnerable Package
CVE-2024-21538	Npm-cross-spawn-6.0.5	Vulnerable Package
CVE-2024-21538	Npm-cross-spawn-5.1.0	Vulnerable Package
CVE-2024-21538	Npm-cross-spawn-7.0.1	Vulnerable Package
CVE-2024-21538	Npm-cross-spawn-7.0.3	Vulnerable Package
CVE-2024-21538	Npm-cross-spawn-4.0.2	Vulnerable Package
CVE-2024-2176	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-29415	Npm-ip-1.1.5	Vulnerable Package
CVE-2024-30056	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-3156	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-3158	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-3159	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-3168	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-3169	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-3170	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-3171	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-3172	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-3173	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-3174	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-3176	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-37890	Npm-ws-8.12.0	Vulnerable Package
CVE-2024-37890	Npm-ws-7.5.9	Vulnerable Package
CVE-2024-37890	Npm-ws-6.2.2	Vulnerable Package
CVE-2024-37890	Npm-ws-7.5.5	Vulnerable Package
CVE-2024-37890	Npm-ws-8.13.0	Vulnerable Package
CVE-2024-37890	Npm-ws-3.3.2	Vulnerable Package
CVE-2024-37890	Npm-ws-7.2.1	Vulnerable Package
CVE-2024-37890	Npm-ws-7.2.3	Vulnerable Package
CVE-2024-3832	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-3833	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-3834	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-3837	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-3840	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-4058	Npm-electron-23.1.2	Vulnerable Package
CVE-2024-4068	Npm-braces-2.3.2	Vulnerable Package
CVE-2024-4068	Npm-braces-1.8.5	Vulnerable Package
CVE-2024-4068	Npm-braces-3.0.2	Vulnerable Package

More results are available on the CxOne platform

Fixed Issues (36)

Great job! The following issues were fixed in this Pull Request

Severity	Issue	Source File / Package
	CVE-2022-25927	Npm-ua-parser-js-0.7.14
	CVE-2022-25927	Npm-ua-parser-js-0.7.23
	CVE-2022-25927	Npm-ua-parser-js-0.7.20
	CVE-2022-25927	Npm-ua-parser-js-0.7.28
	CVE-2022-25927	Npm-ua-parser-js-0.7.12
	CVE-2022-25927	Npm-ua-parser-js-0.7.22
	CVE-2022-25927	Npm-ua-parser-js-0.7.17
	CVE-2024-26192	Npm-electron-23.1.2
	Cx89601373-08db	Npm-debug-3.2.6
	Cx89601373-08db	Npm-debug-2.6.8
	Cx89601373-08db	Npm-debug-2.6.7
	Cx89601373-08db	Npm-debug-2.6.9
	Cx89601373-08db	Npm-debug-4.1.1
	Cx89601373-08db	Npm-debug-3.2.7
	Cx89601373-08db	Npm-debug-4.2.0
	Cx89601373-08db	Npm-debug-2.2.0
	Cx89601373-08db	Npm-debug-4.1.0
	Cx89601373-08db	Npm-debug-3.1.0
	Cx89601373-08db	Npm-debug-2.6.0
	Cxab55612e-3a56	Npm-braces-3.0.2
	Cxab55612e-3a56	Npm-braces-1.8.5
	Cxab55612e-3a56	Npm-braces-2.3.2
	Cxca84a1c2-1f12	Npm-micromatch-4.0.2
	Cxca84a1c2-1f12	Npm-micromatch-3.1.10
	Cxca84a1c2-1f12	Npm-micromatch-4.0.5
	Cxca84a1c2-1f12	Npm-micromatch-4.0.4
	Cxca84a1c2-1f12	Npm-micromatch-2.3.11
	Cxf6e7f2c1-dc59	Npm-yauzl-2.4.1
	Cxf6e7f2c1-dc59	Npm-yauzl-2.10.0
	CVE-2024-21423	Npm-electron-23.1.2
	CVE-2024-26167	Npm-electron-23.1.2
	CVE-2024-26188	Npm-electron-23.1.2
	Open_Redirect	/scripts/bench/server.js: 24
	Open_Redirect	/scripts/bench/server.js: 7
	Open_Redirect	/scripts/bench/server.js: 7
	Open_Redirect	/scripts/bench/server.js: 24

dependabot bot added the dependencies Pull requests that update a dependency file label Jan 21, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump undici from 5.22.1 to 5.28.5 in /fixtures/flight-esm #126

Bump undici from 5.22.1 to 5.28.5 in /fixtures/flight-esm #126

dependabot bot commented on behalf of github Jan 21, 2025

rafikmojr commented Jan 21, 2025

Bump undici from 5.22.1 to 5.28.5 in /fixtures/flight-esm #126

Are you sure you want to change the base?

Bump undici from 5.22.1 to 5.28.5 in /fixtures/flight-esm #126

Conversation

dependabot bot commented on behalf of github Jan 21, 2025

v5.28.5

⚠️ Security Release ⚠️

v5.28.4

⚠️ Security Release ⚠️

v5.28.3

⚠️ Security Release ⚠️

v5.28.2

What's Changed

New Contributors

rafikmojr commented Jan 21, 2025