Update dependency undici to v5.28.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	5.28.1 -> 5.28.3

GitHub Vulnerability Alerts

CVE-2024-24758

Impact

Undici already cleared Authorization headers on cross-origin redirects, but did not clear Proxy-Authorization headers.

Patches

This is patched in v5.28.3 and v6.6.1

Workarounds

There are no known workarounds.

References

• https://fetch.spec.whatwg.org/#authentication-entries
• GHSA-wqq4-5wpv-mx2g

---

Release Notes

nodejs/undici (undici)

v5.28.3

Compare Source

⚠️ Security Release ⚠️

Details on the vulnerabilities fixed will be shared in the next couple of days.

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

v5.28.2

Compare Source

What's Changed

• fix: remove optional chainning for compatible with Nodejs12 and below by @​bugb in https://github.com/nodejs/undici/pull/2470
• fix: remove node: prefix by @​tsctx in https://github.com/nodejs/undici/pull/2471
• perf: avoid Headers initialization by @​tsctx in https://github.com/nodejs/undici/pull/2468
• fix: handle SharedArrayBuffer correctly by @​tsctx in https://github.com/nodejs/undici/pull/2466
• fix: Add null type to signal in RequestInit by @​gebsh in https://github.com/nodejs/undici/pull/2455
• fix: correctly handle data URL with hashes. by @​tsctx in https://github.com/nodejs/undici/pull/2475
• fix: check response for timinginfo allow flag by @​ToshB in https://github.com/nodejs/undici/pull/2477
• Make call to onBodySent conditional in RetryHandler by @​MzUgM in https://github.com/nodejs/undici/pull/2478
• refactor: better integrity check by @​tsctx in https://github.com/nodejs/undici/pull/2462
• fix: Added support for inline URL username:password proxy auth by @​matt-way in https://github.com/nodejs/undici/pull/2473
• build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/2472
• build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @​dependabot in https://github.com/nodejs/undici/pull/2405
• build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @​dependabot in https://github.com/nodejs/undici/pull/2396
• build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/2395
• build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @​dependabot in https://github.com/nodejs/undici/pull/2392
• build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @​dependabot in https://github.com/nodejs/undici/pull/2389
• build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @​dependabot in https://github.com/nodejs/undici/pull/2302

New Contributors

• @​bugb made their first contribution in https://github.com/nodejs/undici/pull/2470
• @​gebsh made their first contribution in https://github.com/nodejs/undici/pull/2455
• @​ToshB made their first contribution in https://github.com/nodejs/undici/pull/2477
• @​MzUgM made their first contribution in https://github.com/nodejs/undici/pull/2478
• @​matt-way made their first contribution in https://github.com/nodejs/undici/pull/2473

Full Changelog: nodejs/undici@v5.28.1...v5.28.2

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.