lib: update undici to v5.28.3

Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: nodejs-private/node-private#539 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> CVE-ID: CVE-2024-24758
nodejs · Feb 13, 2024 · 89bd5fc · 89bd5fc
1 parent c213910
commit 89bd5fc
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 2 deletions.
diff --git a/deps/undici/src/lib/fetch/index.js b/deps/undici/src/lib/fetch/index.js
@@ -1203,6 +1203,9 @@ function httpRedirectFetch (fetchParams, response) {
     // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
     request.headersList.delete('authorization')
 
+    // https://fetch.spec.whatwg.org/#authentication-entries
+    request.headersList.delete('proxy-authorization', true)
+
     // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
     request.headersList.delete('cookie')
     request.headersList.delete('host')

diff --git a/deps/undici/src/package.json b/deps/undici/src/package.json
@@ -1,6 +1,6 @@
 {
   "name": "undici",
-  "version": "5.27.2",
+  "version": "5.28.3",
   "description": "An HTTP/1.1 client, written from scratch for Node.js",
   "homepage": "https://undici.nodejs.org",
   "bugs": {

diff --git a/deps/undici/undici.js b/deps/undici/undici.js
@@ -10618,6 +10618,7 @@ var require_fetch = __commonJS({
       }
       if (!sameOrigin(requestCurrentURL(request), locationURL)) {
         request.headersList.delete("authorization");
+        request.headersList.delete("proxy-authorization", true);
         request.headersList.delete("cookie");
         request.headersList.delete("host");
       }

diff --git a/src/undici_version.h b/src/undici_version.h
@@ -2,5 +2,5 @@
 // Refer to tools/dep_updaters/update-undici.sh
 #ifndef SRC_UNDICI_VERSION_H_
 #define SRC_UNDICI_VERSION_H_
-#define UNDICI_VERSION "5.27.2"
+#define UNDICI_VERSION "5.28.3"
 #endif  // SRC_UNDICI_VERSION_H_