[Snyk] Upgrade undici from 5.28.3 to 6.11.1

[lholmquist]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to upgrade undici from 5.28.3 to 6.11.1.

:information_source: Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

Warning: This is a major version upgrade, and may be a breaking change.

• The recommended version is 21 versions ahead of your current version.
• The recommended version was released 24 days ago, on 2024-04-02.

The recommended version fixes:

Severity	Issue	PriorityScore (*)	Exploit Maturity
	Improper Access Control SNYK-JS-UNDICI-6564963	416/1000 Why? Recently disclosed, Has a fix available, CVSS 2.6	No Known Exploit
	Improper Authorization SNYK-JS-UNDICI-6564964	416/1000 Why? Recently disclosed, Has a fix available, CVSS 2.6	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Release notes

Package name: undici

• 6.11.1 - 2024-04-02

  ⚠️ Security Release ⚠️

  What's Changed

  • Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
  • Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261
  • Revert "fix: don't leak internal class (#3024)" by @ mcollina in #3044

  Full Changelog: v6.11.0...v6.11.1

• 6.11.0 - 2024-04-02

  What's Changed

  • refactor(#3023): Pass headers as array instead by @ metcoder95 in #3025
  • fix: don't leak internal class by @ ronag in #3024
  • build(deps): bump codecov/codecov-action from 4.1.0 to 4.1.1 by @ dependabot in #3034
  • build(deps-dev): bump tsd from 0.30.7 to 0.31.0 by @ dependabot in #3038
  • build(deps-dev): bump borp from 0.9.1 to 0.10.0 by @ dependabot in #2947
  • missing commits by @ ronag in #3040
  • build(deps): bump actions/checkout from 4.1.1 to 4.1.2 by @ dependabot in #3036
  • fix: regexp pattern by @ tsctx in #3041

  Full Changelog: v6.10.2...v6.11.0

• 6.10.2 - 2024-03-27

  What's Changed

  • Do not fail test if streams support typed arrays by @ mcollina in #2978
  • fix(fetch): properly redirect non-ascii location header url by @ Xvezda in #2971
  • perf: Remove double-stringify in setCookie by @ peterver in #2980
  • [fix #2982] use DispatcherInterceptor type for Dispatcher#Compose by @ clovis-guillemot in #2983
  • fix: make EventSource properties enumerable by @ MattBidewell in #2987
  • docs: ✏️ fixed benchmark links by @ benhalverson in #2991
  • fix(#2986): bad start check by @ metcoder95 in #2992
  • fix(H2 Client): bind stream 'data' listener only after received 'response' event by @ st3ffgv4 in #2985
  • feat: added search input by @ benhalverson in #2993
  • chore: validate responses can be consumed without a Content-Length or… by @ jacob-ebey in #2995
  • fix error message by @ KhafraDev in #2998
  • Revert "perf: reuse TextDecoder instance (#2863)" by @ panva in #2999
  • test: remove only by @ metcoder95 in #3001

  New Contributors

  • @ Xvezda made their first contribution in #2971
  • @ peterver made their first contribution in #2980
  • @ clovis-guillemot made their first contribution in #2983
  • @ MattBidewell made their first contribution in #2987
  • @ benhalverson made their first contribution in #2991
  • @ st3ffgv4 made their first contribution in #2985
  • @ jacob-ebey made their first contribution in #2995

  Full Changelog: v6.10.0...v6.10.2

• 6.10.1 - 2024-03-21

  Full Changelog: v6.10.0...v6.10.1

• 6.10.0 - 2024-03-21 Read more
• 6.9.0 - 2024-03-14 Read more
• 6.8.0 - 2024-03-13 Read more
• 6.7.1 - 2024-03-08 Read more
• 6.7.0 - 2024-03-03 Read more
• 6.6.2 - 2024-02-06
• 6.6.1 - 2024-02-05
• 6.6.0 - 2024-02-01
• 6.5.0 - 2024-01-26
• 6.4.0 - 2024-01-19
• 6.3.0 - 2024-01-08
• 6.2.1 - 2023-12-22
• 6.2.0 - 2023-12-20
• 6.1.0 - 2023-12-20
• 6.0.1 - 2023-12-06
• 6.0.0 - 2023-12-05
• 5.28.4 - 2024-04-02

  ⚠️ Security Release ⚠️

  • Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
  • Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261

  Full Changelog: v5.28.3...v5.28.4

• 5.28.3 - 2024-02-05

from undici GitHub release notes

Commit messages

Package name: undici

• 6df3c73 Bumped v6.11.1
• c346b66 Revert "fix: don't leak internal class (#3024)"
• d542b8c Merge pull request from GHSA-9qxr-qj54-h672
• 6805746 Merge pull request from GHSA-m4v8-wqvr-p9f7
• ee5f892 Bumped v6.11.0
• 71a6d74 Merge branch 'main' of github.com:nodejs/undici
• 0f0f239 fix: regexp pattern (#3041)
• 31f9e67 build(deps): bump actions/checkout from 4.1.1 to 4.1.2 (#3036)
• c8a43ae fixup
• 8b5e2c8 fixup
• f8bd60f fixup
• c61b5f9 fix(#2364): concurrent aborts (#3005)
• c18df9c chore(automerge): remove unnecessary actions:write permission (#3021)
• 9e47216 chore(workflows/nightly.yml): create issue only on all fail (#3020)
• 4b86ede chore: add automated CI testing with —no-intl node (#3015)
• b197a01 fix(workflows): missing top-level content.read permissions (#3013)
• 03e7b0c fix: node:util instead of util (#3007)
• 6131341 enhancement: link to the contributing guide from the README (#3003)
• 3ac3682 Merge branch 'main' of github.com:nodejs/undici
• 8dea744 build(deps-dev): bump borp from 0.9.1 to 0.10.0 (#2947)
• 63f0fee build(deps-dev): bump tsd from 0.30.7 to 0.31.0 (#3038)
• 63968e0 build(deps): bump codecov/codecov-action from 4.1.0 to 4.1.1 (#3034)
• 2d5cbdf fix: don't leak internal class (#3024)
• d7f10e1 refactor(#3023): Pass headers as array instead (#3025)

Compare

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

🧐 View latest project report

🛠 Adjust upgrade PR settings

🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[coveralls]

coverage: 98.802%. remained the same when pulling 1ab7bc13a28c2c879437d8d131a2b21c77492b78 on snyk-upgrade-e6eb88230c6670d331e0bfd8e21187de into 6e0aee43d07af4af7585a49d3c9b5bacf58215b5 on main.