Skip to content

chore(deps): bump undici 7.27.2→7.28.0 to fix security advisories#263

Merged
finallyjay merged 2 commits into
mainfrom
chore/bump-undici-7.28.0
Jun 25, 2026
Merged

chore(deps): bump undici 7.27.2→7.28.0 to fix security advisories#263
finallyjay merged 2 commits into
mainfrom
chore/bump-undici-7.28.0

Conversation

@finallyjay

Copy link
Copy Markdown
Owner

Summary

Refreshes the lockfile to bump undici from 7.27.27.28.0, resolving 6 open Dependabot alerts.

undici is only a dev-only transitive dependency (via jsdom → tests), not part of the production bundle. jsdom@29.1.1 already declares undici@^7.25.0, so 7.28.0 falls within the existing range — this is a plain lockfile refresh with no overrides or pins.

Alerts resolved

Severity Issue
🔴 High Cross-origin request routing via SOCKS5 proxy pool reuse
🔴 High TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent
🟠 Medium HTTP header injection via Set-Cookie percent-decoding
🟠 Medium Cross-user information disclosure via shared cache whitespace bypass
🟡 Low Set-Cookie SameSite attribute downgrade
🟡 Low HTTP response queue poisoning via keep-alive socket reuse

Verification

  • Only pnpm-lock.yaml changed (12 lines); no package.json changes.
  • pnpm test481 tests / 53 files pass, no regressions.

🤖 Generated with Claude Code

Refreshes the lockfile to pull undici 7.28.0 within jsdom's existing
^7.25.0 range (no overrides/pins). Resolves 6 Dependabot alerts,
including two High severity (SOCKS5 proxy cross-origin routing and TLS
cert validation bypass). undici is a dev-only transitive dependency via
jsdom/vitest, not part of the production bundle.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: cc00b997-1335-40d3-9c86-06dcc80e0794

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/bump-undici-7.28.0

Comment @coderabbitai help to get the list of available commands.

@finallyjay finallyjay merged commit 6f38aa4 into main Jun 25, 2026
5 checks passed
@finallyjay finallyjay deleted the chore/bump-undici-7.28.0 branch June 25, 2026 15:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant