
chore(deps): update dependency undici to >=7.28.0 [security]#1394

Open
renovate[bot] wants to merge 1 commit into main from renovate/npm-undici-vulnerability

@renovate renovate Bot commented Mar 14, 2026

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

| Package | Change |
| --- | --- |
| undici (source) | >=7.18.2 → >=7.28.0 |

Undici has an HTTP Request/Response Smuggling issue

CVE-2026-1525 / GHSA-2mjp-6q6p-2qxm

More information

Details

Impact

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:

  • Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
  • Applications that accept user-controlled header names without case-normalization

Potential consequences:

  • Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
  • HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking

Patches

Patched in undici versions v7.24.0 and v6.24.0. Users should upgrade to one of these versions or later.

Workarounds

If upgrading is not immediately possible:

  1. Validate header names: Ensure no duplicate Content-Length headers (case-insensitive) are present before passing headers to undici
  2. Use object format: Pass headers as a plain object ({ 'content-length': '123' }) rather than an array, which naturally deduplicates by key
  3. Sanitize user input: If headers originate from user input, normalize header names to lowercase and reject duplicates

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client

CVE-2026-1528 / GHSA-f269-vfmq-vjvj

More information

Details

Impact

A server can reply with a WebSocket frame using the 64-bit length form and an extremely large length. undici's ByteParser overflows internal math, ends up in an invalid state, and throws a fatal TypeError that terminates the process.

Patches

Patched in undici versions v7.24.0 and v6.24.0. Users should upgrade to one of these versions or later.

Workarounds

There are no workarounds.

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H



Undici has CRLF Injection in undici via upgrade option

CVE-2026-1527 / GHSA-4992-7rv2-5pvq

More information

Details

Impact

When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

  1. Inject arbitrary HTTP headers
  2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)

The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121
if (upgrade) {
  header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}

Patches

Patched in undici versions v7.24.0 and v6.24.0. Users should upgrade to one of these versions or later.

Workarounds

Sanitize the upgrade option string before passing to undici:

function sanitizeUpgrade(value) {
  if (/[\r\n]/.test(value)) {
    throw new Error('Invalid upgrade value')
  }
  return value
}

client.request({
  upgrade: sanitizeUpgrade(userInput)
})

Severity

  • CVSS Score: 4.6 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N



undici vulnerable to cross-user information disclosure via shared cache whitespace bypass

CVE-2026-9678 / GHSA-pr7r-676h-xcf6

More information

Details

Impact

Undici's cache interceptor incorrectly classifies some responses as cacheable when the upstream Cache-Control header uses whitespace-padded qualified private or no-cache field names such as private=" authorization" or no-cache="\tauthorization". The parser preserves the surrounding whitespace, so later comparisons against the literal authorization field name fail and the response is stored.

In shared-cache mode, this allows a response containing one user's authenticated data to be served from cache to a subsequent caller, including an unauthenticated caller, when both requests resolve to the same cache key.

Affected applications are those that explicitly enable the cache interceptor (interceptors.cache()) in shared mode, forward Authorization headers upstream, and receive cacheable responses with non-canonical qualified private or no-cache directives.

Patches

Upgrade to undici v7.28.0 or v8.5.0.

Workarounds

If upgrade is not immediately possible, disable shared-cache mode for traffic that includes Authorization headers, avoid caching responses to authenticated requests, or add Vary: Authorization upstream.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N



undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse

CVE-2026-6733 / GHSA-35p6-xmwp-9g52

More information

Details

Impact

Undici's HTTP/1.1 client is vulnerable to response queue poisoning on reused keep-alive sockets. An attacker-controlled upstream server can inject an unsolicited HTTP/1.1 response onto an idle socket after a request completes. When the client dispatches the next request on that socket, it associates the injected response with the new request, causing responses to be delivered to the wrong requests.

This requires an attacker-controlled or compromised upstream HTTP/1.1 server and keep-alive connection reuse.

Patches

Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.

Workarounds

Disable keep-alive connection reuse by setting keepAliveTimeout: 0 on the Client or Pool.

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N



undici vulnerable to HTTP header injection via Set-Cookie percent-decoding

CVE-2026-9679 / GHSA-p88m-4jfj-68fv

More information

Details

Impact

undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into their literal byte equivalents. RFC 6265 §5.4 does not specify any decoding and browsers do not decode either.

Applications that parse a Set-Cookie header and then forward the parsed value into a response header (proxies, middleware, SSR frameworks) become vulnerable to HTTP response header injection: an attacker-controlled upstream can inject arbitrary Set-Cookie, Location, or Cache-Control headers into the application's downstream response, enabling session fixation, open redirect, or cache poisoning.

Affected applications are those that use undici's cookie parsing (parseSetCookie, parseCookie, getSetCookies) and forward the parsed cookie value into a response header.

This was introduced in undici 7.0.0 via #​3789.

Patches

Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.

Workarounds

If upgrade is not immediately possible, do not forward values returned by parseSetCookie/parseCookie/getSetCookies directly into response headers; sanitize the value first to strip or reject CR, LF, NUL, ;, and = bytes.

Severity

  • CVSS Score: 5.9 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N



undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching

CVE-2026-11525 / GHSA-g8m3-5g58-fq7m

More information

Details

Impact

When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens:

  • SameSite=NoneOfYourBusiness is parsed as None, the most permissive setting.
  • SameSite=StrictLax is parsed as Lax, a downgrade from Strict.

Affected applications are those that consume Set-Cookie headers from server responses (for example via undici's fetch or proxy code paths) and then forward or rely on the parsed sameSite attribute. A malicious or non-compliant server can coerce the consumer's view of a cookie's SameSite policy to a weaker value, silently degrading the SameSite enforcement the cookie is supposed to provide.

This was introduced in undici 5.15.0 when the cookies feature was added.

Patches

Upgrade to undici v6.27.0, v7.28.0 or v8.5.0.

Workarounds

After parsing a Set-Cookie header, validate that the resulting sameSite attribute is one of 'Strict', 'Lax', or 'None' (exact, case-insensitive) before forwarding or relying on it.

Severity

  • CVSS Score: 3.7 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N



Release Notes

nodejs/undici (undici)

v7.28.0

Compare Source

⚠️ Security Release

This release line addresses 7 security advisories, all shipped in v7.28.0.

Action required: Upgrade to undici 7.28.0 or later.

npm install undici@^7.28.0

The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is
an 8.x-only regression.

Note on GHSA-hm92-r4w5-c3mj: this fix shipped in v7.28.0, not the
earlier 7.2x line — the vulnerable single-pool code was still present through
v7.27.2. The per-origin pool fix is
3805b8f8 (#​5041).

Summary

| Advisory | CVE | Severity (CVSS) | Fixed in | Fix commit |
| --- | --- | --- | --- | --- |
| GHSA-vxpw-j846-p89q | CVE-2026-12151 | High (7.5) | 7.28.0 | 8cb10f98 |
| GHSA-vmh5-mc38-953g | CVE-2026-9697 | High (7.4) | 7.28.0 | 04201f89 |
| GHSA-hm92-r4w5-c3mj | CVE-2026-6734 | High (7.5) | 7.28.0 | 3805b8f8 |
| GHSA-pr7r-676h-xcf6 | CVE-2026-9678 | Moderate (5.9) | 7.28.0 | 85a24055 |
| GHSA-p88m-4jfj-68fv | CVE-2026-9679 | Moderate (5.9) | 7.28.0 | d0574cc4 |
| GHSA-g8m3-5g58-fq7m | CVE-2026-11525 | Low (3.7) | 7.28.0 | d0574cc4 |
| GHSA-35p6-xmwp-9g52 | CVE-2026-6733 | Low (3.7) | 7.28.0 | ea8930cf |

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: 8cb10f98 websocket: limit the number of fragments in a message (part of backport a027a4a0 Backport WebSocket maxPayloadSize fixes to v7.x, #​5423)

A malicious WebSocket server can stream a large number of small or empty
continuation frames. Undici enforced a limit on cumulative payload size but did
not limit the number of fragments per message, leading to unbounded memory
growth and denial of service.

  • Affected: applications using new WebSocket(...) or WebSocketStream
    against untrusted endpoints.
  • Workaround: none — upgrade is required.

TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697

GHSA-vmh5-mc38-953g · CWE-295
Fix: 04201f89 fix: honor requestTls when proxy is SOCKS5 (#​5417)

The ProxyAgent silently discarded the requestTls option when configured with
a SOCKS5 proxy. TLS connections through the SOCKS5 tunnel ignored user-configured
parameters such as ca, cert, key, rejectUnauthorized, and servername,
falling back to the default Mozilla CA bundle. Applications relying on
certificate pinning to an internal CA were exposed to man-in-the-middle attacks.

  • Affected: ProxyAgent / Socks5ProxyAgent over SOCKS5 that rely on
    requestTls.
  • Workaround: route traffic through an HTTP-proxy ProxyAgent, where
    requestTls functions correctly.

Cross-origin request routing via SOCKS5 proxy pool reuse — CVE-2026-6734

GHSA-hm92-r4w5-c3mj · CWE-346
Fix: 3805b8f8 fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing (#​5041)

Socks5ProxyAgent reused a single connection pool across different origins
without verifying the pool's origin matched the requested origin. This could
route credentials and request data to unintended destinations, cause responses
from the wrong origin to be trusted, and enable HTTPS→HTTP downgrade.

  • Affected: applications using Socks5ProxyAgent across multiple origins
    (introduced in 7.23.0 via #​4385).
  • Workaround: use a separate agent instance per origin.

Moderate severity

Cross-user information disclosure via shared cache whitespace bypass — CVE-2026-9678

GHSA-pr7r-676h-xcf6 · CWE-524
Fix: 85a24055 fix(cache): trim qualified field names

The cache interceptor mishandled responses with whitespace-padded
Cache-Control directives such as private=" authorization". In shared-cache
mode this could cause authenticated data to be cached and served to other users.

  • Affected: apps using the cache interceptor in shared mode that forward
    Authorization upstream and receive non-canonical qualified directives.
  • Workaround: disable shared-cache mode for authenticated traffic, avoid
    caching authenticated responses, or add Vary: Authorization upstream.

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

GHSA-p88m-4jfj-68fv · CWE-93
Fix: d0574cc4 fix(cookies): preserve values and parse SameSite strictly

parseSetCookie applied percent-decoding to cookie values, turning encoded
sequences like %0D%0A and %00 into literal bytes, contrary to RFC 6265 §5.4
and browser behavior. Applications forwarding parsed Set-Cookie values into
response headers were exposed to header injection, enabling session fixation,
open redirects, and cache poisoning. Introduced in 7.0.0 via
#​3789.

  • Workaround: sanitize values before forwarding — strip or reject CR, LF,
    NUL, ;, and =.

Low severity

Set-Cookie SameSite attribute downgrade — CVE-2026-11525

GHSA-g8m3-5g58-fq7m · CWE-183
Fix: d0574cc4 fix(cookies): preserve values and parse SameSite strictly

The cookie parser accepted SameSite values containing Strict, Lax, or
None as substrings rather than requiring exact matches per RFC 6265. Values
like SameSite=NoneOfYourBusiness parsed as None, and SameSite=StrictLax
parsed as Lax, silently weakening cookie security policies for apps that
forward parsed attributes.

HTTP response queue poisoning via keep-alive socket reuse — CVE-2026-6733

GHSA-35p6-xmwp-9g52 · CWE-367 (TOCTOU race condition)
Fix: ea8930cf fix: guard idle socket validation to skip fresh sockets, hardened by 8e4046e4 keep idle validation on native timers (#​5402) and 0fa80869 keep idle validation on global timers (#​5409)

An attacker controlling an upstream HTTP/1.1 server could inject unsolicited
responses onto idle keep-alive sockets. On socket reuse, the injected response
was associated with a new request, delivering responses to the wrong requests.

  • Requirements: attacker-controlled/compromised upstream and active
    keep-alive reuse.
  • Workaround: disable keep-alive reuse with keepAliveTimeout: 0 on the
    Client or Pool.

Release contents & deliberate backports

v7.28.0 is a security-only release — every change in it is one of the fixes
above, backported to the v7.x maintenance line on purpose from the v8
development line:

The cookie (d0574cc4),
cache (85a24055) and
queue-poisoning core (ea8930cf)
fixes were applied directly to the v7.x branch. Full changelog:
v7.27.2...v7.28.0.


Credits

Per-advisory credits (as recorded in each GHSA):

v7.24.3

Compare Source

What's Changed
  • fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in #​4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.0

Compare Source

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories
Affected and patched ranges
References

v7.19.0

Compare Source

What's Changed

  • fix: Handle FormData body type correctly in RetryAgent retried requests by @​eliotschu in #​4692
  • feat(cli

Note

PR body was truncated to here.


Configuration

📅 Schedule: (in timezone Asia/Tokyo)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
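
The three CVE-2026-1525 workarounds in the PR body above (validate names, prefer object form, normalize and reject duplicates) combined into one pre-flight check. This is an added example, not code from the PR, the advisory or undici. The helper names `toHeaderPairs` and `normalizeHeaders` are hypothetical, and the checks on header-name characters and CR/LF/NUL in values go slightly beyond the listed workarounds.

```javascript
// Added example, not undici code: normalise request headers and refuse
// case-variant duplicate Content-Length fields before calling the client.

// RFC 9110 "token" characters, checked after lower-casing the name.
const HEADER_NAME = /^[!#$%&'*+\-.^_`|~0-9a-z]+$/

// Accept a flat array [name, value, name, value, ...] or a plain object
// and return [name, value] pairs.
function toHeaderPairs(headers) {
  if (headers == null) return []
  if (Array.isArray(headers)) {
    if (headers.length % 2 !== 0) {
      throw new TypeError('flat header array must have an even length')
    }
    const pairs = []
    for (let i = 0; i < headers.length; i += 2) {
      pairs.push([String(headers[i]), headers[i + 1]])
    }
    return pairs
  }
  if (typeof headers === 'object') return Object.entries(headers)
  throw new TypeError('headers must be a flat array or a plain object')
}

// Return a null-prototype object keyed by lower-case header name.
// Throws on a second Content-Length under any capitalisation, on a
// non-numeric Content-Length, and on CR, LF or NUL in any value.
function normalizeHeaders(headers) {
  const out = Object.create(null)
  for (const [rawName, rawValue] of toHeaderPairs(headers)) {
    const name = rawName.toLowerCase()
    const value = String(rawValue)
    if (!HEADER_NAME.test(name)) {
      throw new Error(`invalid header name: ${JSON.stringify(rawName)}`)
    }
    if (/[\r\n\0]/.test(value)) {
      throw new Error(`invalid characters in value of ${name}`)
    }
    if (name === 'content-length') {
      if (name in out) throw new Error('duplicate Content-Length header')
      if (!/^\d+$/.test(value)) throw new Error('Content-Length must be decimal digits')
      out[name] = value
    } else if (name in out) {
      out[name] = [].concat(out[name], value) // other repeats are kept as a list
    } else {
      out[name] = value
    }
  }
  return out
}

// True when normalizeHeaders refuses the input.
function rejects(headers) {
  try { normalizeHeaders(headers); return false } catch { return true }
}

// Constructed sample input: the case-variant pair the advisory describes.
const conflicting = ['Content-Length', '5', 'content-length', '50']
console.log('conflicting pair rejected:', rejects(conflicting))
```
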
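
The CVE-2026-9678 description in the PR body above says whitespace kept inside `private="..."` or `no-cache="..."` makes the later comparison against `authorization` fail. The following is an added example, not undici's parser, that models this with a `trimFieldNames` switch. The function names and the simplified storage rule in `sharedCacheMayStore` are assumptions of the example.

```javascript
// Added example, not undici code: a simplified model of how a shared cache
// reads qualified private / no-cache directives, with and without trimming.

// Split a Cache-Control value on commas that sit outside double quotes.
function splitDirectives(value) {
  const parts = []
  let current = ''
  let inQuotes = false
  for (const ch of value) {
    if (ch === '"') inQuotes = !inQuotes
    if (ch === ',' && !inQuotes) {
      parts.push(current)
      current = ''
    } else {
      current += ch
    }
  }
  parts.push(current)
  return parts.map((p) => p.trim()).filter(Boolean)
}

// Parse into { directive: true | string | string[] }.
// trimFieldNames=false keeps the whitespace inside private="..." and
// no-cache="...", the behaviour the advisory describes; true strips it.
function parseCacheControl(value, { trimFieldNames }) {
  const directives = Object.create(null)
  for (const part of splitDirectives(value)) {
    const eq = part.indexOf('=')
    if (eq === -1) {
      directives[part.toLowerCase()] = true
      continue
    }
    const name = part.slice(0, eq).trim().toLowerCase()
    let arg = part.slice(eq + 1).trim()
    if (arg.length >= 2 && arg.startsWith('"') && arg.endsWith('"')) {
      arg = arg.slice(1, -1)
    }
    if (name === 'private' || name === 'no-cache') {
      directives[name] = arg.split(',').map((field) => {
        const lower = field.toLowerCase()
        return trimFieldNames ? lower.trim() : lower
      })
    } else {
      directives[name] = arg
    }
  }
  return directives
}

// Simplified storage decision (an assumption of this example): a response to
// a request that carried Authorization is stored only if it is explicitly
// shareable and Authorization is not named in private= or no-cache=.
// requestHeaders is expected to use lower-case keys.
function sharedCacheMayStore(cacheControl, requestHeaders, options) {
  const d = parseCacheControl(cacheControl, options)
  if (d['no-store'] || d.private === true || d['no-cache'] === true) return false
  if ('authorization' in requestHeaders) {
    const shareable = d.public || ('s-maxage' in d) || d['must-revalidate']
    if (!shareable) return false
    for (const name of ['private', 'no-cache']) {
      if (Array.isArray(d[name]) && d[name].includes('authorization')) return false
    }
  }
  return true
}

// Constructed sample values based on the advisory text.
const sampleRequest = { authorization: 'Bearer example-token' }
const padded = 'public, max-age=60, private=" authorization"'
console.log('untrimmed stores:', sharedCacheMayStore(padded, sampleRequest, { trimFieldNames: false }))
console.log('trimmed stores:', sharedCacheMayStore(padded, sampleRequest, { trimFieldNames: true }))
```
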

@renovate renovate Bot added the renovate label Mar 14, 2026
@renovate renovate Bot requested a review from a team as a code owner March 14, 2026 01:50
@renovate renovate Bot requested review from chihiro-adachi and shabaraba and removed request for a team March 14, 2026 01:50
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.0 [security] chore(deps): update dependency undici to >=7.24.2 [security] Mar 14, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch 2 times, most recently from 5202aaf to 1dc240d Compare March 14, 2026 11:22
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.2 [security] chore(deps): update dependency undici to >=7.24.0 [security] Mar 14, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 1dc240d to 7666a20 Compare March 15, 2026 17:07
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.0 [security] chore(deps): update dependency undici to >=7.24.3 [security] Mar 15, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 7666a20 to bbe24fc Compare March 15, 2026 17:12
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.3 [security] chore(deps): update dependency undici to >=7.24.0 [security] Mar 15, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from bbe24fc to 1804347 Compare March 15, 2026 17:13
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.0 [security] chore(deps): update dependency undici to >=7.24.3 [security] Mar 15, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 1804347 to fd07625 Compare March 15, 2026 17:15
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.3 [security] chore(deps): update dependency undici to >=7.24.0 [security] Mar 15, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from fd07625 to be556b8 Compare March 15, 2026 17:16
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.0 [security] chore(deps): update dependency undici to >=7.24.3 [security] Mar 15, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from be556b8 to c72c9da Compare March 15, 2026 17:19
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.3 [security] chore(deps): update dependency undici to >=7.24.0 [security] Mar 15, 2026
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.0 [security] chore(deps): update dependency undici to >=7.24.4 [security] Mar 16, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from c72c9da to 45487d2 Compare March 16, 2026 17:21
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.4 [security] chore(deps): update dependency undici to >=7.24.0 [security] Mar 16, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch 2 times, most recently from 8ae27e3 to ae96f1c Compare March 20, 2026 16:55
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.0 [security] chore(deps): update dependency undici to >=7.24.5 [security] Mar 20, 2026
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.5 [security] chore(deps): update dependency undici to >=7.24.0 [security] Mar 20, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from ae96f1c to 49a3396 Compare March 20, 2026 16:57
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 4bdfd30 to 7720c13 Compare March 23, 2026 17:31
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.0 [security] chore(deps): update dependency undici to >=7.24.5 [security] Mar 23, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 7720c13 to 53243f7 Compare March 23, 2026 17:36
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.5 [security] chore(deps): update dependency undici to >=7.24.0 [security] Mar 23, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 53243f7 to 1cb5fe2 Compare March 26, 2026 17:44
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.0 [security] chore(deps): update dependency undici to >=7.24.6 [security] Mar 26, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 1cb5fe2 to 5993243 Compare March 26, 2026 20:32
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.6 [security] chore(deps): update dependency undici to >=7.24.0 [security] Mar 26, 2026
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.0 [security] chore(deps): update dependency undici to >=7.24.0 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/npm-undici-vulnerability branch March 27, 2026 00:58
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.0 [security] - autoclosed chore(deps): update dependency undici to >=7.24.0 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch 3 times, most recently from 23cf622 to 3db3c7c Compare March 31, 2026 07:39
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.0 [security] chore(deps): update dependency undici to >=7.24.6 [security] Mar 31, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 3db3c7c to 70ec918 Compare March 31, 2026 07:40
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.6 [security] chore(deps): update dependency undici to >=7.24.0 [security] Mar 31, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 70ec918 to 2a6e53e Compare March 31, 2026 07:44
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.0 [security] chore(deps): update dependency undici to >=7.24.6 [security] Mar 31, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 2a6e53e to 407c0ff Compare March 31, 2026 07:46
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.6 [security] chore(deps): update dependency undici to >=7.24.0 [security] Mar 31, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 407c0ff to 13757d4 Compare April 1, 2026 18:15
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.0 [security] chore(deps): update dependency undici to >=7.24.7 [security] Apr 1, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 13757d4 to 1d997ae Compare April 1, 2026 23:17
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.7 [security] chore(deps): update dependency undici to >=7.24.0 [security] Apr 1, 2026
@renovate renovate Bot force-pushed the renovate/npm-undici-vulnerability branch from 1d997ae to 1973507 Compare April 3, 2026 17:55
@renovate renovate Bot changed the title chore(deps): update dependency undici to >=7.24.0 [security] chore(deps): update dependency undici to >=7.24.7 [security] Apr 3, 2026
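
The workarounds for CVE-2026-9679 and CVE-2026-11525 in the PR body above both come down to vetting a parsed cookie before it is forwarded. The following is an added example, not code from the PR or from undici, that does both checks in one place. It goes beyond the stated workaround by re-reading SameSite from the raw header, and it assumes the raw `Set-Cookie` string is still available and that the parsed cookie has the shape `{ name, value, sameSite }`; `strictSameSite` and `vetCookie` are hypothetical names.

```javascript
// Added example, not undici code: vet a parsed Set-Cookie before its value
// or SameSite attribute is forwarded into a downstream response header.

const SAME_SITE_TOKENS = new Map([
  ['strict', 'Strict'],
  ['lax', 'Lax'],
  ['none', 'None']
])

// Bytes the workaround says to strip or reject: CR, LF, NUL, ";" and "=".
const UNSAFE_VALUE = /[\r\n\0;=]/

// Read SameSite from the raw header with an exact, case-insensitive match.
// Returns the canonical token, undefined when the attribute is absent, or
// null when it is present with a non-standard value. The last one wins.
function strictSameSite(rawSetCookie) {
  let result
  for (const attr of rawSetCookie.split(';').slice(1)) {
    const eq = attr.indexOf('=')
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase()
    if (key !== 'samesite') continue
    const val = eq === -1 ? '' : attr.slice(eq + 1).trim().toLowerCase()
    result = SAME_SITE_TOKENS.get(val) ?? null
  }
  return result
}

// cookie: { name, value, sameSite } as produced by a cookie parser (assumed
// shape); rawSetCookie: the header string it was parsed from.
function vetCookie(cookie, rawSetCookie) {
  const problems = []
  if (UNSAFE_VALUE.test(String(cookie.value))) {
    problems.push('value contains CR, LF, NUL, ";" or "="')
  }
  const fromRaw = strictSameSite(rawSetCookie)
  if (fromRaw === null) {
    problems.push('raw SameSite value is not Strict, Lax or None')
  } else if ((cookie.sameSite ?? '').toLowerCase() !== (fromRaw ?? '').toLowerCase()) {
    problems.push('parsed sameSite does not match the raw header')
  }
  return { ok: problems.length === 0, problems }
}

// Constructed samples: raw headers paired with the parsed objects an affected
// parser would return according to the advisory text.
const samples = [
  { raw: 'sid=abc123; Path=/; SameSite=strict', parsed: { name: 'sid', value: 'abc123', sameSite: 'Strict' } },
  { raw: 'sid=abc123; SameSite=NoneOfYourBusiness', parsed: { name: 'sid', value: 'abc123', sameSite: 'None' } },
  { raw: 'sid=a%0D%0AX-Injected:%201', parsed: { name: 'sid', value: 'a\r\nX-Injected: 1' } }
]
for (const { raw, parsed } of samples) {
  console.log(raw, '->', vetCookie(parsed, raw))
}
```
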