lib: update undici to v5.28.3

Signed-off-by: Matteo Collina <hello@matteocollina.com>
PR-URL: nodejs-private/node-private#536
CVE-ID: CVE-2024-24758

Author: mcollina

deps/undici/src/lib/fetch/index.js

@@ -1201,6 +1201,9 @@ async function httpRedirectFetch (fetchParams, response) {
     // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
     request.headersList.delete('authorization')
 
+    // https://fetch.spec.whatwg.org/#authentication-entries
+    request.headersList.delete('proxy-authorization', true)
+
     // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
     request.headersList.delete('cookie')
     request.headersList.delete('host')

deps/undici/src/package.json

@@ -1,6 +1,6 @@
 {
   "name": "undici",
-  "version": "5.26.4",
+  "version": "5.28.3",
   "description": "An HTTP/1.1 client, written from scratch for Node.js",
   "homepage": "https://undici.nodejs.org",
   "bugs": {

deps/undici/undici.js

@@ -10002,6 +10002,7 @@ var require_fetch = __commonJS({
       }
       if (!sameOrigin(requestCurrentURL(request), locationURL)) {
         request.headersList.delete("authorization");
+        request.headersList.delete("proxy-authorization", true);
         request.headersList.delete("cookie");
         request.headersList.delete("host");
       }

src/undici_version.h

@@ -2,5 +2,5 @@
 // Refer to tools/update-undici.sh
 #ifndef SRC_UNDICI_VERSION_H_
 #define SRC_UNDICI_VERSION_H_
-#define UNDICI_VERSION "5.26.4"
+#define UNDICI_VERSION "5.28.3"
 #endif  // SRC_UNDICI_VERSION_H_