Component
Other
Bug Description
Security vulnerability GHSA-g9mf-h72j-4rw9 (CVE-2026-22036) affects the undici npm package used transitively in this project.
| Attribute | Value |
| --- | --- |
| CVE | CVE-2026-22036 |
| GHSA | GHSA-g9mf-h72j-4rw9 |
| Severity | Low (CVSS 3.7/10) |
| CWE | CWE-770 (Allocation of Resources Without Limits) |
| Affected | undici >= 7.0.0, < 7.18.2 |
| Fixed | undici 7.18.2 |
The vulnerability allows unbounded decompression chains in HTTP responses, potentially causing high CPU usage and memory allocation.
Expected Behavior
npm audit should report no vulnerabilities for GHSA-g9mf-h72j-4rw9.
Steps to Reproduce
- Run `npm audit`
- Observe vulnerability reported for [email protected]
Dependency chain:
Additional Context
Risk Assessment: Low - undici is only used transitively by markdown-link-check for CI/CD link validation.
Remediation: Add npm overrides to force undici to patched version 7.18.2.
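The override described above, written out as the `overrides` field in the project's root `package.json` (an added example, not a file from this project; the package name and the `markdown-link-check` version are placeholders):

```json
{
  "name": "example-project",
  "devDependencies": {
    "markdown-link-check": "<existing version>"
  },
  "overrides": {
    "undici": "7.18.2"
  }
}
```

After editing, run `npm install` so the lockfile is regenerated with undici 7.18.2, then re-run `npm audit` to confirm GHSA-g9mf-h72j-4rw9 is no longer reported.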
References: