Skip to content

Commit

Permalink
Update dependency undici to 5.19.1 [SECURITY] (#1367)
Browse files Browse the repository at this point in the history 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change |
|---|---|
| undici | [`5.16.0` ->
`5.19.1`](https://renovatebot.com/diffs/npm/undici/5.16.0/5.19.1) |

### GitHub Vulnerability Alerts

####
[CVE-2023-23936](https://togithub.com/nodejs/undici/security/advisories/GHSA-5r9g-qh6m-jxff)

### Impact

undici library does not protect `host` HTTP header from CRLF injection
vulnerabilities.

### Patches

This issue was patched in Undici v5.19.1.

### Workarounds

Sanitize the `headers.host` string before passing to undici.

### References

Reported at https://hackerone.com/reports/1820955.

### Credits

Thank you to Zhipeng Zhang
([@​timon8](https://hackerone.com/timon8)) for reporting this
vulnerability.

####
[CVE-2023-24807](https://togithub.com/nodejs/undici/security/advisories/GHSA-r6ch-mqf9-qc9w)

### Impact
The `Headers.set()` and `Headers.append()` methods are vulnerable to
Regular Expression Denial of Service (ReDoS) attacks when untrusted
values are passed into the functions. This is due to the inefficient
regular expression used to normalize the values in the
`headerValueNormalize()` utility function.

### Patches

This vulnerability was patched in v5.19.1.

### Workarounds
There is no workaround. Please update to an unaffected version.

### References

* https://hackerone.com/bugs?report_id=1784449

### Credits

Carter Snook reported this vulnerability.

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://app.renovatebot.com/dashboard#github/defenseunicorns/zarf).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNC4xNDIuMSIsInVwZGF0ZWRJblZlciI6IjM0LjE0Mi4xIn0=-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  • Loading branch information
@renovate
renovate[bot] authored Feb 18, 2023
1 parent b14eed5 commit 605b71d
Show file tree
Hide file tree
Showing 2 changed files with 41 additions and 18 deletions.
57 changes: 40 additions & 17 deletions package-lock.json
View file

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

2 changes: 1 addition & 1 deletion package.json
View file
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@
"devDependencies": {
"@playwright/test": "1.30.0",
"@sveltejs/adapter-static": "1.0.5",
"@sveltejs/kit": "1.3.7",
"@sveltejs/kit": "1.7.1",
"@sveltejs/package": "1.0.2",
"@testing-library/svelte": "3.2.2",
"@tsconfig/svelte": "3.0.0",
Expand Down

0 comments on commit 605b71d

Please sign in to comment.