fix(deps): update dependency undici to v5.26.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	5.25.4 -> 5.26.2

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-45143

Impact

Undici clears Authorization headers on cross-origin redirects, but does not clear Cookie headers. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since Undici handles headers more liberally than the specification, there was a disconnect from the assumptions the spec made, and Undici's implementation of fetch.

As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site.

Patches

This was patched in e041de359221ebeae04c469e8aff4145764e6d76, which is included in version 5.26.2.

---

Release Notes

nodejs/undici (undici)

v5.26.2

Compare Source

Security Release, CVE-2023-45143.

v5.26.1

Compare Source

What's Changed

• Fix publish undici-types once and for all! by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2338
• Fix node detection omfg by @​KhafraDev in https://github.com/nodejs/undici/pull/2341

Full Changelog: nodejs/undici@v5.26.0...v5.26.1

v5.26.0

Compare Source

What's Changed

• use npm install instead of npm ci by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2309
• change default header to node by @​Ethan-Arrowood in https://github.com/nodejs/undici/pull/2310
• chore: change order of the pseudo-headers by @​kyrylodolynskyi in https://github.com/nodejs/undici/pull/2308
• fix: Agent.Options.factory should accept URL object or string as parameter by @​nicole0707 in https://github.com/nodejs/undici/pull/2295
• build(deps-dev): bump sinon from 15.2.0 to 16.1.0 by @​dependabot in https://github.com/nodejs/undici/pull/2312
• test: handle npm ignore-scripts settings by @​panva in https://github.com/nodejs/undici/pull/2313
• feat: respect --max-http-header-size Node.js flag by @​balazsorban44 in https://github.com/nodejs/undici/pull/2234
• fix(#​2311): End stream after body sent by @​metcoder95 in https://github.com/nodejs/undici/pull/2314
• disallow setting host header in fetch by @​KhafraDev in https://github.com/nodejs/undici/pull/2322
• [StepSecurity] ci: Harden GitHub Actions by @​step-security-bot in https://github.com/nodejs/undici/pull/2325
• fix fetch with coverage enabled by @​KhafraDev in https://github.com/nodejs/undici/pull/2330
• Fix stuck when using http2 POST Buffer by @​binsee in https://github.com/nodejs/undici/pull/2336
• fix: 🏷️ add allowH2 to BuildOptions by @​binsee in https://github.com/nodejs/undici/pull/2334
• fix: 🐛 fix process http2 header by @​binsee in https://github.com/nodejs/undici/pull/2332

New Contributors

• @​kyrylodolynskyi made their first contribution in https://github.com/nodejs/undici/pull/2308
• @​nicole0707 made their first contribution in https://github.com/nodejs/undici/pull/2295
• @​balazsorban44 made their first contribution in https://github.com/nodejs/undici/pull/2234
• @​binsee made their first contribution in https://github.com/nodejs/undici/pull/2336

Full Changelog: nodejs/undici@v5.23.4...v5.26.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[codecov]

Codecov Report

Merging #1232 (b494622) into main (ef6d4d8) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##             main    #1232   +/-   ##
=======================================
  Coverage   92.48%   92.48%           
=======================================
  Files          36       36           
  Lines        1357     1357           
  Branches      273      273           
=======================================
  Hits         1255     1255           
  Misses         70       70           
  Partials       32       32           

Flag	Coverage Δ
aarch64	92.48% <ø> (ø)
aarch64-without-git	92.48% <ø> (ø)
alpine	92.48% <ø> (ø)
alpine-proxy	92.48% <ø> (ø)
alpine-without-git	92.48% <ø> (ø)
linux	92.48% <ø> (ø)
linux-without-git	92.48% <ø> (ø)
macos	92.48% <ø> (ø)
macos-without-git	92.48% <ø> (ø)
windows	92.48% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.