Conversation
Bumps [undici](https://github.com/nodejs/undici) from 5.16.0 to 5.19.1. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v5.16.0...v5.19.1) --- updated-dependencies: - dependency-name: undici dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
added
the
dependencies
|
@blackforestboi on a massive procrastination journey right now, so please ignore if it's not useful info. But as it looks like all these builds are failing because of an incorrect / missing public key. And now that dependabot has stopped for over a month, I wanted to add that input in case it is helpful and saves anyone else burning time... |
iamtouchskyer
left a comment
iamtouchskyer
left a comment
There was a problem hiding this comment.
🔒 SECURITY UPDATE - HIGH PRIORITY
This updates undici from 5.16.0 to 5.19.1, fixing critical security vulnerabilities:
- CVE-2023-24807: Regular Expression Denial of Service in Headers
- CVE-2023-23936: CRLF Injection via host
Recommendation: MERGE IMMEDIATELY - This is a security-critical dependency update with no breaking changes. The update only touches package.json and package-lock.json with minimal version bumps.
✅ Security fixes applied
✅ No functional changes to application code
✅ Automated dependency update from trusted source (dependabot)
|
🚨 Critical Security Update - Priority Merge Needed This Dependabot PR addresses two important security vulnerabilities:
Status: ✅ Already approved by @iamtouchskyer Risk Assessment: This is a standard dependency bump for security fixes - low risk, high security benefit. Recommendation: This should be merged immediately as security updates should not sit open for extended periods. Would a maintainer with merge permissions please merge this security fix? 🙏 cc: @iamtouchskyer |
2 participants
Bumps undici from 5.16.0 to 5.19.1.
Release notes
Sourced from undici's releases.
... (truncated)
Commits
984d53bBumped v5.19.16c32c0flint fixesf2324e5Merge pull request from GHSA-r6ch-mqf9-qc9wa2eff05Merge pull request from GHSA-5r9g-qh6m-jxfff5c89e5Bumped v5.19.0f7c6c6aMake the fetch() abort test pass locally, on Linux and Mac, Node 18 and 19 (#...aebb232fix(types): add missing keepAlive params (#1918)e155c6ddoc(mock): update out-of-date reply documentation (#1913)87fa734fix(headers): clone getSetCookie list & add getSetCookie type (#1917)ba5ef44feat: add Headers.prototype.getSetCookie (#1915)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)@dependabot use these labelswill set the current labels as the default for future PRs for this repo and language@dependabot use these reviewerswill set the current reviewers as the default for future PRs for this repo and language@dependabot use these assigneeswill set the current assignees as the default for future PRs for this repo and language@dependabot use this milestonewill set the current milestone as the default for future PRs for this repo and languageYou can disable automated security fix PRs for this repo from the Security Alerts page.