Skip to content

fix(deps): vuln undici (minor → 7.28.0) #2383

Merged
Drarig29 merged 2 commits into
masterfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1782468758
Jun 26, 2026
Merged

fix(deps): vuln undici (minor → 7.28.0) #2383
Drarig29 merged 2 commits into
masterfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1782468758

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: High-severity security update — 1 package upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
undici 7.25.0 7.28.0 minor Direct 3 HIGH, 2 MEDIUM, 2 LOW

Security Details

🚨 Critical & High Severity (3 fixed)
Package CVE Severity Summary Unsafe Version Fixed In
undici GHSA-vxpw-j846-p89q HIGH undici WebSocket client vulnerable to denial of service via fragment count bypass 7.25.0 6.27.0
undici GHSA-vmh5-mc38-953g HIGH undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent 7.25.0 7.28.0
undici GHSA-hm92-r4w5-c3mj HIGH undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse 7.25.0 7.28.0
ℹ️ Other Vulnerabilities (4)
Package CVE Severity Summary Unsafe Version Fixed In
undici GHSA-pr7r-676h-xcf6 MODERATE undici vulnerable to cross-user information disclosure via shared cache whitespace bypass 7.25.0 7.28.0
undici GHSA-p88m-4jfj-68fv MODERATE undici vulnerable to HTTP header injection via Set-Cookie percent-decoding 7.25.0 6.27.0
undici GHSA-35p6-xmwp-9g52 LOW undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse 7.25.0 6.27.0
undici GHSA-g8m3-5g58-fq7m LOW undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching 7.25.0 6.27.0

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@datadog-datadog-prod-us1

datadog-datadog-prod-us1 Bot commented Jun 26, 2026

Copy link
Copy Markdown

Pipelines

Fix all issues with BitsAI

⚠️ Warnings

🚦 2 Pipeline jobs failed

Continuous Integration | Test standalone binary in ARM Alpine   View in Datadog   GitHub Actions

Continuous Integration | Test standalone binary in Alpine   View in Datadog   GitHub Actions

Useful? React with 👍 / 👎

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: bf81d92 | Docs | Datadog PR Page | Give us feedback!

@Drarig29
Drarig29 marked this pull request as ready for review June 26, 2026 11:51
@Drarig29
Drarig29 requested a review from a team as a code owner June 26, 2026 11:51
@Drarig29
Drarig29 merged commit 6b8bc83 into master Jun 26, 2026
32 of 34 checks passed
@Drarig29
Drarig29 deleted the engraver-auto-version-upgrade/minorpatch/npm/0-1782468758 branch June 26, 2026 11:51
@ava-silver ava-silver mentioned this pull request Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant