Skip to content

build(deps): bump undici from 6.24.1 to 6.27.0 (backport #2322)#2325

Merged
andrewazores merged 1 commit into
cryostat-v4.2from
mergify/bp/cryostat-v4.2/pr-2322
Jun 23, 2026
Merged

build(deps): bump undici from 6.24.1 to 6.27.0 (backport #2322)#2325
andrewazores merged 1 commit into
cryostat-v4.2from
mergify/bp/cryostat-v4.2/pr-2322

Conversation

@mergify

@mergify mergify Bot commented Jun 22, 2026

Copy link
Copy Markdown

Bumps undici from 6.24.1 to 6.27.0.

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 6.27.0 b7f252e7
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 6.27.0 25efa447
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 6.27.0 25efa447
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 6.27.0 f4c31d60

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits

This is an automatic backport of pull request #2322 done by [Mergify](https://mergify.com).

@andrewazores andrewazores added dependencies Pull requests that update a dependency file chore Refactor, rename, cleanup, etc. safe-to-test labels Jun 22, 2026
@andrewazores andrewazores force-pushed the mergify/bp/cryostat-v4.2/pr-2322 branch from ce26459 to 98ca0bf Compare June 22, 2026 14:24
@github-actions github-actions Bot added the needs-triage Needs thorough attention from code reviewers label Jun 22, 2026
@github-actions

github-actions Bot commented Jun 22, 2026

Copy link
Copy Markdown

Hi @mergify[bot]! Add at least one of the required labels to this PR

Required labels are : chore,ci,cleanup,docs,feat,fix,perf,refactor,style,test

@mergify

mergify Bot commented Jun 23, 2026

Copy link
Copy Markdown
Author

Tick the box to add this pull request to the merge queue (same as @mergifyio queue).

  • Queue this pull request

@dependabot @andrewazores
build(deps): bump undici from 6.24.1 to 6.27.0 (#2322)
7669ae5 
Bumps [undici](https://github.com/nodejs/undici) from 6.24.1 to 6.27.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.24.1...v6.27.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 6.27.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
(cherry picked from commit 2548522)
@andrewazores andrewazores force-pushed the mergify/bp/cryostat-v4.2/pr-2322 branch from 98ca0bf to 7669ae5 Compare June 23, 2026 17:26
@andrewazores andrewazores removed the needs-triage Needs thorough attention from code reviewers label Jun 23, 2026
@andrewazores andrewazores merged commit bfc824c into cryostat-v4.2 Jun 23, 2026
15 of 16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ebaron ebaron ebaron approved these changes

Assignees

No one assigned

Labels

chore Refactor, rename, cleanup, etc. dependencies Pull requests that update a dependency file safe-to-test

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ebaron @andrewazores