lib: update undici to v5.28.3

Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: nodejs-private/node-private#536 CVE-ID: CVE-2024-24758
nodejs · Feb 12, 2024 · f48b896 · f48b896
1 parent d3d357a
commit f48b896
Show file tree

Hide file tree

Showing 4 changed files with 6 additions and 2 deletions.
diff --git a/deps/undici/src/lib/fetch/index.js b/deps/undici/src/lib/fetch/index.js
@@ -1201,6 +1201,9 @@ async function httpRedirectFetch (fetchParams, response) {
     // https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name
     request.headersList.delete('authorization')
 
+    // https://fetch.spec.whatwg.org/#authentication-entries
+    request.headersList.delete('proxy-authorization', true)
+
     // "Cookie" and "Host" are forbidden request-headers, which undici doesn't implement.
     request.headersList.delete('cookie')
     request.headersList.delete('host')

diff --git a/deps/undici/src/package.json b/deps/undici/src/package.json
@@ -1,6 +1,6 @@
 {
   "name": "undici",
-  "version": "5.26.4",
+  "version": "5.28.3",
   "description": "An HTTP/1.1 client, written from scratch for Node.js",
   "homepage": "https://undici.nodejs.org",
   "bugs": {

diff --git a/deps/undici/undici.js b/deps/undici/undici.js
@@ -10002,6 +10002,7 @@ var require_fetch = __commonJS({
       }
       if (!sameOrigin(requestCurrentURL(request), locationURL)) {
         request.headersList.delete("authorization");
+        request.headersList.delete("proxy-authorization", true);
         request.headersList.delete("cookie");
         request.headersList.delete("host");
       }

diff --git a/src/undici_version.h b/src/undici_version.h
@@ -2,5 +2,5 @@
 // Refer to tools/update-undici.sh
 #ifndef SRC_UNDICI_VERSION_H_
 #define SRC_UNDICI_VERSION_H_
-#define UNDICI_VERSION "5.26.4"
+#define UNDICI_VERSION "5.28.3"
 #endif  // SRC_UNDICI_VERSION_H_