Skip to content

Update dependency undici to v6.27.0 [SECURITY]#234

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-undici-vulnerability
Open

Update dependency undici to v6.27.0 [SECURITY]#234
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-undici-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Aug 7, 2025

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
undici (source) 6.19.26.27.0 age confidence

Use of Insufficiently Random Values in undici

CVE-2025-22150 / GHSA-c76h-2ccp-4975

More information

Details

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker controlled servers.

References

Severity

  • CVSS Score: 6.8 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


undici Denial of Service attack via bad certificate data

CVE-2025-47279 / GHSA-cxrh-j4jr-qwg3

More information

Details

Impact

Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.

Patches

This has been patched in https://github.com/nodejs/undici/pull/4088.

Workarounds

If a webhook fails, avoid keep calling it repeatedly.

References

Reported as: https://github.com/nodejs/undici/issues/3895

Severity

  • CVSS Score: 3.1 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

CVE-2026-22036 / GHSA-g9mf-h72j-4rw9

More information

Details

Impact

The fetch() API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.

However, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation.

Patches

Upgrade to 7.18.2 or 6.23.0.

Workarounds

It is possible to apply an undici interceptor and filter long Content-Encoding sequences manually.

References

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client

CVE-2026-1528 / GHSA-f269-vfmq-vjvj

More information

Details

Impact

A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

There are no workarounds.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Undici has an HTTP Request/Response Smuggling issue

CVE-2026-1525 / GHSA-2mjp-6q6p-2qxm

More information

Details

Impact

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:

  • Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
  • Applications that accept user-controlled header names without case-normalization

Potential consequences:

  • Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
  • HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking
Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

If upgrading is not immediately possible:

  1. Validate header names: Ensure no duplicate Content-Length headers (case-insensitive) are present before passing headers to undici
  2. Use object format: Pass headers as a plain object ({ 'content-length': '123' }) rather than an array, which naturally deduplicates by key
  3. Sanitize user input: If headers originate from user input, normalize header names to lowercase and reject duplicates

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation

CVE-2026-2229 / GHSA-v9p9-hfj2-hcw8

More information

Details

Impact

The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.

The vulnerability exists because:

  1. The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
  2. The createInflateRaw() call is not wrapped in a try-catch block
  3. The resulting exception propagates up through the call stack and crashes the Node.js process
Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression

CVE-2026-1526 / GHSA-vrm6-8vpv-qv8q

More information

Details

Description

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.

The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.

Impact
  • Remote denial of service against any Node.js application using undici's WebSocket client
  • A single compressed WebSocket frame of ~6 MB can decompress to ~1 GB or more
  • Memory exhaustion occurs in native/external memory, bypassing V8 heap limits
  • No application-level mitigation is possible as decompression occurs before message delivery
Patches

Users should upgrade to fixed versions.

Workarounds

No workaround are possible.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Undici has CRLF Injection in undici via upgrade option

CVE-2026-1527 / GHSA-4992-7rv2-5pvq

More information

Details

Impact

When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

  1. Inject arbitrary HTTP headers
  2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)

The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121
if (upgrade) {
  header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}
Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

Sanitize the upgrade option string before passing to undici:

function sanitizeUpgrade(value) {
  if (/[\r\n]/.test(value)) {
    throw new Error('Invalid upgrade value')
  }
  return value
}

client.request({
  upgrade: sanitizeUpgrade(userInput)
})

Severity

  • CVSS Score: 4.6 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


undici WebSocket client vulnerable to denial of service via fragment count bypass

CVE-2026-12151 / GHSA-vxpw-j846-p89q

More information

Details

Impact

The undici WebSocket client enforces maxPayloadSize on the cumulative byte count of fragments in a message but does not enforce a limit on the number of fragments. A malicious WebSocket server can stream many small or empty continuation frames that each pass per-frame and cumulative-size validation, collectively causing unbounded memory growth in the client process. The result is memory exhaustion and a denial of service.

Affected applications are those using the undici WebSocket client (new WebSocket(...)) or the WebSocketStream API that can be induced to connect to an attacker-controlled or compromised WebSocket endpoint.

All releases starting at undici 6.17.0 are affected.

Patches

Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.

Workarounds

No workaround is available. The fix must be applied through an upgrade.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse

CVE-2026-6733 / GHSA-35p6-xmwp-9g52

More information

Details

Impact

Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.

This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.

Patches

Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.

Workarounds

Disable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

CVE-2026-9679 / GHSA-p88m-4jfj-68fv

More information

Details

Impact

undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.

Applications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.

Affected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header.

This was introduced in undici 7.0.0 via #​3789.

Patches

Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.

Workarounds

If upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching

CVE-2026-11525 / GHSA-g8m3-5g58-fq7m

More information

Details

Impact

When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens:

  • SameSite=NoneOfYourBusiness is parsed as None, the most permissive setting.
  • SameSite=StrictLax is parsed as Lax, a downgrade from Strict.

Affected applications are those that consume Set-Cookie headers from server responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide.

This was introduced in undici 5.15.0 when the cookies feature was added.

Patches

Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.

Workarounds

After parsing a Set-Cookie header, validate that the resulting sameSite attribute is one of 'Strict', 'Lax', or 'None' (exact, case-insensitive) before forwarding or relying on it.

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

nodejs/undici (undici)

v6.27.0

Compare Source

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0
v6.26.0 contains only the chunked-EOF fix (#​5308) and the version bump, none
of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g,
GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the
8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 6.27.0 b7f252e7
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 6.27.0 25efa447
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 6.27.0 25efa447
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 6.27.0 f4c31d60

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#​5423, backported to v6 in #​5428)

A malicious WebSocket server can stream a large number of small or empty
continuation frames. Undici enforced a limit on cumulative payload size but did
not limit the number of fragments per message, leading to unbounded memory
growth and denial of service. All releases from 6.17.0 onward are affected.

  • Affected: applications using new WebSocket(...) or WebSocketStream
    against untrusted endpoints.
  • Workaround: none — upgrade is required.

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

GHSA-p88m-4jfj-68fv · CWE-93
Fix: 25efa447 fix(cookies): preserve values and parse SameSite strictly

parseSetCookie applied percent-decoding to cookie values, turning encoded
sequences like %0D%0A and %00 into literal bytes, contrary to RFC 6265 §5.4
and browser behavior. Applications forwarding parsed Set-Cookie values into
response headers were exposed to header injection, enabling session fixation,
open redirects, and cache poisoning.

  • Workaround: sanitize values before forwarding — strip or reject CR, LF,
    NUL, ;, and =.

Low severity

Set-Cookie SameSite attribute downgrade — CVE-2026-11525

GHSA-g8m3-5g58-fq7m · CWE-183
Fix: 25efa447 fix(cookies): preserve values and parse SameSite strictly

The cookie parser accepted SameSite values containing Strict, Lax, or
None as substrings rather than requiring exact matches per RFC 6265. Values
like SameSite=NoneOfYourBusiness parsed as None, and SameSite=StrictLax
parsed as Lax, silently weakening cookie security policies for apps that
forward parsed attributes.

HTTP response queue poisoning via keep-alive socket reuse — CVE-2026-6733

GHSA-35p6-xmwp-9g52 · CWE-367 (TOCTOU race condition)
Fix: f4c31d60 fix: guard idle socket validation to skip fresh sockets (#​5400)

An attacker controlling an upstream HTTP/1.1 server could inject unsolicited
responses onto idle keep-alive sockets. On socket reuse, the injected response
was associated with a new request, delivering responses to the wrong requests.

  • Requirements: attacker-controlled/compromised upstream and active
    keep-alive reuse.
  • Workaround: disable keep-alive reuse with keepAliveTimeout: 0 on the
    Client or Pool.

Release contents & deliberate backports

v6.27.0 is a security-only release — every change in it is one of the fixes
above, backported to the v6.x maintenance line on purpose:

  • #5428 — backport of the WebSocket maxPayloadSize fragment-count / cumulative-size limits to v6.x (CVE-2026-12151; this is the v6 counterpart of the v7 backport #​5423).
  • #5400 — idle-socket-validation fix for the queue-poisoning issue (CVE-2026-6733).

The cookie fix (25efa447,
covering both CVE-2026-9679 and CVE-2026-11525) was applied directly to the v6.x
branch. Full changelog:
v6.26.0...v6.27.0.


Credits

Per-advisory credits (as recorded in each GHSA):

v6.26.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.25.0...v6.26.0

v6.25.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.24.1...v6.25.0

v6.24.1

Compare Source

Full Changelog: nodejs/undici@v6.24.0...v6.24.1

v6.24.0

Compare Source

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

Not applicable to v6

Affected and patched ranges (v6)

References

v6.23.0

Compare Source

⚠️ Security Release

This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.

Full Changelog: nodejs/undici@v6.22.0...v6.23.0

v6.22.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.21.3...v6.22.0

v6.21.3

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.21.2...v6.21.3

v6.21.2

Compare Source

What's Changed

New Contributors

Full Changelog: nodejs/undici@v6.21.1...v6.21.2

v6.21.1

Compare Source

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

What's Changed

Full Changelog: nodejs/undici@v6.21.0...v6.21.1

v6.21.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.20.1...v6.21.0

v6.20.1

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.20.0...v6.20.1

v6.20.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.19.8...v6.20.0

v6.19.8

Compare Source

Full Changelog: nodejs/undici@v6.19.7...v6.19.8

v6.19.7

Compare Source

Full Changelog: nodejs/undici@v6.19.6...v6.19.7

v6.19.6

Compare Source

Full Changelog: nodejs/undici@v6.19.5...v6.19.6

v6.19.5

Compare Source

Full Changelog: nodejs/undici@v6.19.4...v6.19.5

v6.19.4

Compare Source

Full Changelog: nodejs/undici@v6.19.3...v6.19.4

v6.19.3

Compare Source

Full Changelog: nodejs/undici@v6.19.2...v6.19.3


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch 2 times, most recently from 0939b30 to b7fe969 Compare August 7, 2025 12:25
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch 3 times, most recently from 4477429 to 4743438 Compare August 15, 2025 13:01
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch 2 times, most recently from 6285fc0 to d020f4d Compare August 27, 2025 13:59
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch 2 times, most recently from 2a517e8 to 1db4e8a Compare September 19, 2025 13:24
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch 2 times, most recently from c0f5d9a to ee0bbb3 Compare November 6, 2025 03:27
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from ee0bbb3 to e781edb Compare November 21, 2025 10:41
@codecov

codecov Bot commented Nov 21, 2025

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 96.60%. Comparing base (0edc5dc) to head (77f1cb3).
⚠️ Report is 26 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #234      +/-   ##
==========================================
- Coverage   98.65%   96.60%   -2.06%     
==========================================
  Files          51       48       -3     
  Lines        1933     1943      +10     
  Branches      513      489      -24     
==========================================
- Hits         1907     1877      -30     
- Misses         23       59      +36     
- Partials        3        7       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@renovate renovate Bot changed the title Update dependency undici to v6.21.2 [SECURITY] Update dependency undici to v6.23.0 [SECURITY] Jan 14, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from e781edb to dde5be6 Compare January 14, 2026 23:41
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from dde5be6 to 1b479c6 Compare March 14, 2026 01:26
@renovate renovate Bot changed the title Update dependency undici to v6.23.0 [SECURITY] Update dependency undici to v6.24.0 [SECURITY] Mar 14, 2026
@renovate renovate Bot changed the title Update dependency undici to v6.24.0 [SECURITY] Update dependency undici to v6.24.0 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-undici-vulnerability branch March 27, 2026 01:54
@renovate renovate Bot changed the title Update dependency undici to v6.24.0 [SECURITY] - autoclosed Update dependency undici to v6.24.0 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch 2 times, most recently from 1b479c6 to 6375ddc Compare March 30, 2026 21:37
@renovate renovate Bot changed the title Update dependency undici to v6.24.0 [SECURITY] Update dependency undici to v6.24.0 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title Update dependency undici to v6.24.0 [SECURITY] - autoclosed Update dependency undici to v6.24.0 [SECURITY] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch 2 times, most recently from 6375ddc to 8da2432 Compare April 27, 2026 21:34
@renovate renovate Bot changed the title Update dependency undici to v6.24.0 [SECURITY] Update dependency undici to v6.24.0 [SECURITY] - autoclosed May 23, 2026
@renovate renovate Bot closed this May 23, 2026
@renovate renovate Bot changed the title Update dependency undici to v6.24.0 [SECURITY] - autoclosed Update dependency undici to v6.24.0 [SECURITY] May 23, 2026
@renovate renovate Bot reopened this May 23, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch 2 times, most recently from 8da2432 to 77f1cb3 Compare May 23, 2026 17:02
@renovate renovate Bot changed the title Update dependency undici to v6.24.0 [SECURITY] Update dependency undici to v6.27.0 [SECURITY] Jun 23, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 77f1cb3 to 7cc37df Compare June 23, 2026 12:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants