[Snyk] Security upgrade undici from 5.26.5 to 5.28.4

[patooworld]

This PR was automatically created by Snyk using the credentials of a real user.

Snyk has created this PR to fix one or more vulnerable packages in the `npm` dependencies of this project.

Changes included in this PR

• Changes to the following files to upgrade the vulnerable dependencies to a fixed version:
  • packages/kit/package.json

Vulnerabilities that will be fixed

With an upgrade:

Severity	Priority Score (*)	Issue	Breaking Change	Exploit Maturity
	40/1000 Why? Confidentiality impact: None, Integrity impact: Low, Availability impact: None, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): Low, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 0, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 98, Impact: 2.35, Likelihood: 1.67, Score Version: V5	Improper Access Control SNYK-JS-UNDICI-6564963	No	No Known Exploit
	90/1000 Why? Confidentiality impact: Low, Integrity impact: Low, Availability impact: Low, Scope: Unchanged, Exploit Maturity: No data, User Interaction (UI): Required, Privileges Required (PR): High, Attack Complexity: High, Attack Vector: Network, EPSS: 0.01055, Social Trends: No, Days since published: 0, Reachable: No, Transitive dependency: No, Is Malicious: No, Business Criticality: High, Provider Urgency: Low, Package Popularity Score: 98, Impact: 5.62, Likelihood: 1.59, Score Version: V5	Improper Authorization SNYK-JS-UNDICI-6564964	No	No Known Exploit

(*) Note that the real score may have changed since the PR was raised.

Commit messages

Package name: undici

The new version differs by 73 commits.

• fb98306 Bumped v5.28.4
• 2b39440 Merge pull request from GHSA-9qxr-qj54-h672
• 64e3402 Merge pull request from GHSA-m4v8-wqvr-p9f7
• 723c4e7 Revert "build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 ([fix] deeply-nested error components render with correct layout sveltejs/kit#2389)"
• 0e9d54b skip failing test due to Node.js changes
• e71cb4c Bumped v5.28.3
• 20c65b8 Fix tests for Node.js v20.11.0 ([fix] allow users to override build target sveltejs/kit#2618)
• 8ec52cd Fix tests for Node.js v21 ([fix] Invalidating a route now fires sveltekit:navigation-start event sveltejs/kit#2609)
• d3aa574 Merge pull request from GHSA-3787-6prv-h9w3
• 9a14e5f Bumped v5.28.2
• fcdfe87 build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 (Route with no content is not torn down properly on navigation sveltejs/kit#2302)
• 169c157 build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 ([fix] deeply-nested error components render with correct layout sveltejs/kit#2389)
• 9788177 build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 (Version Packages (next) sveltejs/kit#2392)
• 1f6d159 build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 ([chore] remove overriden CSS property sveltejs/kit#2395)
• a393a86 build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 ([chore] template: use installed cookie package to serialize cookie sveltejs/kit#2396)
• ea2f606 build(deps-dev): bump sinon from 16.1.3 to 17.0.1 (chore: bump lockfile after versioning sveltejs/kit#2405)
• 80979ed build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 (deno svelte kit sveltejs/kit#2472)
• 08183ea fix: Added support for inline URL username:password proxy auth (Remove usages of waitForTimeout sveltejs/kit#2473)
• 28759f4 refactor: better integrity check ([fix] browser only redirect during load sveltejs/kit#2462)
• ed15e98 Make call to onBodySent conditional in RetryHandler (Pages with duplicate styling blocks don't always generate a .css file on build sveltejs/kit#2478)
• 19c69a0 fix: check response for timinginfo allow flag (Async _navigate() unintuitively prevents scrolling or focusing with onMount() or actions sveltejs/kit#2477)
• c5d73ca fix: correctly handle data URL with hashes. (Version Packages (next) sveltejs/kit#2475)
• 0437f69 Add `null` to `signal` in `RequestInit` (Page script is only executed once sveltejs/kit#2455)
• 56efa96 fix: handle SharedArrayBuffer correctly (Version Packages (next) sveltejs/kit#2466)

See the full diff

Check the changes in this PR to ensure they won't cause issues with your project.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report

🛠 Adjust project settings

📚 Read more about Snyk's upgrade and patch logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Improper Access Control

[cr-gpt]

Seems you are using me but didn't get OPENAI_API_KEY seted in Variables/Secrets for this repo. you could follow readme for more information