Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(deps): update dependency undici to v5.28.5 [security] #471

Merged
merged 1 commit into from
Jan 22, 2025
Merged

chore(deps): update dependency undici to v5.28.5 [security] #471

merged 1 commit into from
Jan 22, 2025

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jan 22, 2025

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
undici (source) 5.28.4 -> 5.28.5 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2025-22150

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker controlled servers.

References

Release Notes

nodejs/undici (undici)

v5.28.5

Compare Source

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

Full Changelog: nodejs/undici@v5.28.4...v5.28.5

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner January 22, 2025 00:55
@renovate renovate bot enabled auto-merge (squash) January 22, 2025 00:55
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Jan 22, 2025

⚠️ No Changeset found

Latest commit: d9ac9ce

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@codesandbox-ci CodeSandbox CI
Copy link

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

@renovate renovate bot merged commit dae9646 into main Jan 22, 2025
10 of 11 checks passed
@renovate renovate bot deleted the renovate/npm-undici-vulnerability branch January 22, 2025 00:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@renovate-approve renovate-approve[bot] renovate-approve[bot] approved these changes

Assignees
No one assigned
Labels
🎄 dependencies
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants