Skip to content

chore(deps): Bump undici from 6.24.1 to 6.27.0#1564

Merged
crazy-max merged 2 commits into
masterfrom
dependabot/npm_and_yarn/undici-6.27.0
Jul 1, 2026
Merged

chore(deps): Bump undici from 6.24.1 to 6.27.0#1564
crazy-max merged 2 commits into
masterfrom
dependabot/npm_and_yarn/undici-6.27.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps undici from 6.24.1 to 6.27.0.

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 6.27.0 b7f252e7
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 6.27.0 25efa447
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 6.27.0 25efa447
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 6.27.0 f4c31d60

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits

@crazy-max

Copy link
Copy Markdown
Member

@dependabot recreate

Bumps [undici](https://github.com/nodejs/undici) from 6.24.1 to 6.27.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.24.1...v6.27.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 6.27.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/undici-6.27.0 branch from bbfead1 to 11e972a Compare July 1, 2026 13:51
@crazy-max crazy-max merged commit d37484f into master Jul 1, 2026
72 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/undici-6.27.0 branch July 1, 2026 13:55
umati-bot added a commit to umati/Sample-Server that referenced this pull request Jul 2, 2026
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [docker/build-push-action](https://github.com/docker/build-push-action) | action | minor | `v7.2.0` → `v7.3.0` |

---

### Release Notes

<details>
<summary>docker/build-push-action (docker/build-push-action)</summary>

### [`v7.3.0`](https://github.com/docker/build-push-action/releases/tag/v7.3.0)

[Compare Source](docker/build-push-action@v7.2.0...v7.3.0)

- Preserve names in esbuild bundle by [@&#8203;crazy-max](https://github.com/crazy-max) in [#&#8203;1567](docker/build-push-action#1567)
- Bump [@&#8203;docker/actions-toolkit](https://github.com/docker/actions-toolkit) from 0.90.0 to 0.92.0 in [#&#8203;1545](docker/build-push-action#1545) [#&#8203;1572](docker/build-push-action#1572)
- Bump [@&#8203;sigstore/core](https://github.com/sigstore/core) from 3.1.0 to 3.2.1 in [#&#8203;1568](docker/build-push-action#1568)
- Bump js-yaml from 4.1.1 to 4.3.0 in [#&#8203;1566](docker/build-push-action#1566)
- Bump tmp from 0.2.5 to 0.2.7 in [#&#8203;1547](docker/build-push-action#1547)
- Bump undici from 6.24.1 to 6.27.0 in [#&#8203;1564](docker/build-push-action#1564)
- Bump vite from 7.3.2 to 7.3.6 in [#&#8203;1563](docker/build-push-action#1563)

**Full Changelog**: <docker/build-push-action@v7.2.0...v7.3.0>

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNDYuMSIsInVwZGF0ZWRJblZlciI6IjQzLjI0OS41IiwidGFyZ2V0QnJhbmNoIjoiZGV2ZWxvcCIsImxhYmVscyI6W119-->

Reviewed-on: https://codeberg.org/umati/Sample-Server/pulls/1725
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant