From 9a5c0e9ac1f73f285cd9bdbae2cacc0e32e69a9c Mon Sep 17 00:00:00 2001
From: prih
Date: Mon, 13 Apr 2026 17:02:38 +0100
Subject: [PATCH] fix: resolve undici CVE-2025-22 by pinning to 6.24.0

Pin transitive undici dependency (via release-it) to 6.24.0 to fix high-severity WebSocket ByteParser overflow vulnerability (CWE-248/1284).
---
 package.json | 3 +++
 yarn.lock | 8 ++++----
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/package.json b/package.json
index 350597f..be03ffe 100644
--- a/package.json
+++ b/package.json
@@ -98,6 +98,9 @@
 "workspaces": [
 "example"
 ],
+ "resolutions": {
+ "undici": "6.24.0"
+ },
 "packageManager": "yarn@4.11.0",
 "react-native-builder-bob": {
 "source": "src",
diff --git a/yarn.lock b/yarn.lock
index 75b6dd9..eae7170 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -11828,10 +11828,10 @@ __metadata:
 languageName: node
 linkType: hard
-"undici@npm:6.23.0":
- version: 6.23.0
- resolution: "undici@npm:6.23.0"
- checksum: 10c0/d846b3fdfd05aa6081ba1eab5db6bbc21b283042c7a43722b86d1ee2bf749d7c990ceac0c809f9a07ffd88b1b0f4c0f548a8362c035088cb1997d63abdda499c
+"undici@npm:6.24.0":
+ version: 6.24.0
+ resolution: "undici@npm:6.24.0"
+ checksum: 10c0/a97d7f1214b34c5b2802558d06cbed97ff96a27ab6548972ba9d07c13951c69e2e9f2f01581f71c86b74755d2bf92e64091cf8f2c6eba4184f10c6d583e60388
 languageName: node
 linkType: hard
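Review bot: The bare `"undici"` key in the new `resolutions` block of package.json applies to every undici descriptor in the workspace tree, not only the copy reached through release-it, and the exact pin `"6.24.0"` will hold undici at that version even after later undici security releases, so audit tooling and future `yarn up` runs will be silently blocked by this override. Consider `"undici": "^6.24.0"` so the patched floor is enforced while later patch releases still flow, and record in the commit body when the override can be removed, since strict JSON gives package.json no place for that comment. The commit subject cites `CVE-2025-22`, which is not a well-formed CVE identifier (CVE IDs carry at least four digits after the year), so the advisory this pin addresses cannot be checked against the lockfile change from the record alone; the full ID should be stated. The yarn.lock hunk only shows the one undici entry being rewritten, so whether other undici majors exist in the tree cannot be confirmed from here and is worth checking before the global override lands.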