Skip to content

chore(deps): bump undici#41383

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-10b1db676f
Open

chore(deps): bump undici#41383
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-10b1db676f

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 19, 2026

Copy link
Copy Markdown
Contributor

Bumps and undici. These dependencies needed to be updated together.
Updates undici from 6.24.1 to 6.27.0

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 6.27.0 b7f252e7
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 6.27.0 25efa447
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 6.27.0 25efa447
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 6.27.0 f4c31d60

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits

Updates undici from 7.27.1 to 7.28.0

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 6.27.0 b7f252e7
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 6.27.0 25efa447
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 6.27.0 25efa447
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 6.27.0 f4c31d60

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump undici
78def45 
Bumps  and [undici](https://github.com/nodejs/undici). These dependencies needed to be updated together.

Updates `undici` from 6.24.1 to 6.27.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.24.1...v6.27.0)

Updates `undici` from 7.27.1 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.24.1...v6.27.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 6.27.0
  dependency-type: indirect
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 19, 2026
@github-actions

github-actions Bot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Test results for "MCP"

7354 passed, 1122 skipped

Merge workflow run.

@github-actions

github-actions Bot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Test results for "tests 1"

1 failed
❌ [firefox-page] › page/workers.spec.ts:40 › should emit created and destroyed events @firefox-ubuntu-22.04-node20

4 flaky ⚠️ [chromium-library] › library/chromium/chromium.spec.ts:434 › should produce network events, routing, and annotations for Service Worker (advanced) `@frozen-time-library-chromium-linux`
⚠️ [chromium-library] › library/video.spec.ts:680 › screencast › should capture full viewport on hidpi `@chromium-ubuntu-22.04-arm-node20`
⚠️ [chromium-library] › library/video.spec.ts:717 › screencast › should work with video+trace `@chromium-ubuntu-22.04-node20`
⚠️ [firefox-library] › library/inspector/cli-codegen-3.spec.ts:224 › cli codegen › should generate frame locators (4) `@firefox-ubuntu-22.04-node20`

48899 passed, 1142 skipped

Merge workflow run.

@github-actions

This comment has been minimized.

Sign in to view
@github-actions

This comment has been minimized.

Sign in to view
@github-actions

This comment has been minimized.

Sign in to view
@github-actions

github-actions Bot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Test results for "tests 2"

3 fatal errors, not part of any test
27 failed
❌ [firefox-page] › page/workers.spec.ts:40 › should emit created and destroyed events @tracing-firefox
❌ [firefox-library] › library/defaultbrowsercontext-2.spec.ts:111 › should restore state from userDataDir @firefox-macos-15-large
❌ [firefox-library] › library/defaultbrowsercontext-2.spec.ts:139 › should create userDataDir if it does not exist @firefox-macos-15-large
❌ [firefox-library] › library/defaultbrowsercontext-2.spec.ts:166 › should have default URL when launching browser @firefox-macos-15-large
❌ [firefox-library] › library/defaultbrowsercontext-2.spec.ts:180 › should have passed URL when launching with ignoreDefaultArgs: true @firefox-macos-15-large
❌ [firefox-library] › library/defaultbrowsercontext-2.spec.ts:202 › should handle exception @firefox-macos-15-large
❌ [firefox-library] › library/defaultbrowsercontext-2.spec.ts:246 › should connect to a browser with the default page @firefox-macos-15-large
❌ [firefox-library] › library/defaultbrowsercontext-2.spec.ts:253 › should support har option @firefox-macos-15-large
❌ [firefox-library] › library/har.spec.ts:426 › should include sizes @firefox-macos-15-large
❌ [firefox-library] › library/heap.spec.ts:203 › cycle handles @firefox-macos-15-large
❌ [firefox-library] › library/inspector/cli-codegen-1.spec.ts:400 › cli codegen › should fill textarea with new lines at the end @firefox-macos-15-large
❌ [firefox-library] › library/inspector/cli-codegen-2.spec.ts:275 › cli codegen › should handle dialogs @firefox-macos-15-large
❌ [firefox-library] › library/inspector/cli-codegen-3.spec.ts:146 › cli codegen › should generate frame locators (2) @firefox-macos-15-large
❌ [firefox-library] › library/inspector/cli-codegen-3.spec.ts:185 › cli codegen › should generate frame locators (3) @firefox-macos-15-large
❌ [firefox-library] › library/inspector/cli-codegen-3.spec.ts:224 › cli codegen › should generate frame locators (4) @firefox-macos-15-large
❌ [firefox-library] › library/inspector/cli-codegen-csharp.spec.ts:202 › should not print context options method override in nunit if no options were passed @firefox-macos-15-large
❌ [firefox-library] › library/inspector/cli-codegen-csharp.spec.ts:202 › should not print context options method override in xunit if no options were passed @firefox-macos-15-large
❌ [firefox-library] › library/inspector/cli-codegen-java.spec.ts:125 › should print a valid basic program in junit @firefox-macos-15-large
❌ [firefox-library] › library/inspector/cli-codegen-javascript.spec.ts:84 › should save the codegen output to a file if specified @firefox-macos-15-large
❌ [firefox-library] › library/inspector/cli-codegen-python.spec.ts:76 › should save the codegen output to a file if specified @firefox-macos-15-large
❌ [firefox-library] › library/proxy.spec.ts:125 › should allow bypassing 127.0.0.1 requests @firefox-macos-15-large
❌ [firefox-library] › library/proxy.spec.ts:144 › should authenticate @firefox-macos-15-large
❌ [firefox-library] › library/proxy.spec.ts:165 › should reconnect with credentials after CONNECT 407 closes the socket @firefox-macos-15-large
❌ [firefox-library] › library/tracing.spec.ts:210 › should respect tracesDir and name @firefox-macos-15-large
❌ [firefox-page] › page/workers.spec.ts:40 › should emit created and destroyed events @firefox-macos-15-large
❌ [firefox-page] › page/workers.spec.ts:40 › should emit created and destroyed events @firefox-windows-latest
❌ [firefox-page] › page/workers.spec.ts:40 › should emit created and destroyed events @firefox-macos-15-xlarge

38 flaky ⚠️ [chromium-library] › library/video.spec.ts:456 › screencast › should be 800x600 with null viewport `@msedge-dev-windows-latest`
⚠️ [chromium-library] › library/chromium/chromium.spec.ts:177 › serviceWorker(), and fromServiceWorker() work `@chrome-ubuntu-22.04`
⚠️ [chromium-library] › library/video.spec.ts:456 › screencast › should be 800x600 with null viewport `@chrome-ubuntu-22.04`
⚠️ [chromium-library] › library/video.spec.ts:456 › screencast › should be 800x600 with null viewport `@msedge-windows-latest`
⚠️ [chromium-page] › page/workers.spec.ts:63 › should have timestamp on worker console messages `@msedge-windows-latest`
⚠️ [chromium-library] › library/browsertype-connect.spec.ts:189 › launchServer › should ignore page.pause when headed `@chromium-macos-15-large`
⚠️ [chromium-library] › library/heap.spec.ts:106 › should not leak dispatchers after closing page `@chromium-macos-15-large`
⚠️ [chromium-library] › library/heap.spec.ts:203 › cycle handles `@chromium-macos-15-large`
⚠️ [chromium-library] › library/chromium/chromium.spec.ts:299 › should report intercepted service worker requests in HAR `@chromium-macos-14-xlarge`
⚠️ [chromium-library] › library/screenshot.spec.ts:213 › page screenshot › should not hang when event loop is blocked `@chromium-macos-14-xlarge`
⚠️ [chromium-library] › library/video.spec.ts:645 › screencast › should capture full viewport `@chromium-macos-15-xlarge`
⚠️ [chromium-library] › library/video.spec.ts:680 › screencast › should capture full viewport on hidpi `@chromium-macos-15-xlarge`
⚠️ [chromium-library] › library/chromium/connect-over-cdp.spec.ts:523 › emulate media should not be affected by second connectOverCDP with noDefaults `@chrome-windows-latest`
⚠️ [chromium-library] › library/video.spec.ts:456 › screencast › should be 800x600 with null viewport `@chrome-windows-latest`
⚠️ [chromium-page] › page/workers.spec.ts:63 › should have timestamp on worker console messages `@chrome-windows-latest`
⚠️ [chromium-library] › library/video.spec.ts:456 › screencast › should be 800x600 with null viewport `@chrome-beta-ubuntu-22.04`
⚠️ [chromium-library] › library/browsertype-connect.spec.ts:141 › launchServer › should be able to reconnect to a browser `@chrome-macos-latest`
⚠️ [chromium-library] › library/browsertype-connect.spec.ts:294 › launchServer › disconnected event should be emitted when browser is closed or server is closed `@chrome-macos-latest`
⚠️ [chromium-library] › library/video.spec.ts:456 › screencast › should be 800x600 with null viewport `@chrome-macos-latest`
⚠️ [chromium-library] › library/har-websocket.spec.ts:235 › should attach websocket messages `@driver`
⚠️ [firefox-library] › library/har-websocket.spec.ts:235 › should attach websocket messages `@tracing-firefox`
⚠️ [firefox-library] › library/beforeunload.spec.ts:20 › should close browser with beforeunload page `@firefox-macos-15-large`
⚠️ [firefox-library] › library/browsercontext-base-url.spec.ts:37 › should construct a new URL when a baseURL in browserType.launchPersistentContext is passed to page.goto `@firefox-macos-15-large`
⚠️ [firefox-library] › library/browsertype-connect.spec.ts:442 › launchServer › should reject waitForEvent before browser.onDisconnect fires `@firefox-macos-15-large`
⚠️ [firefox-library] › library/defaultbrowsercontext-2.spec.ts:209 › should fire close event for a persistent context `@firefox-macos-15-large`
⚠️ [firefox-library] › library/defaultbrowsercontext-2.spec.ts:264 › user agent is up to date `@firefox-macos-15-large`
⚠️ [firefox-library] › library/inspector/cli-codegen-1.spec.ts:415 › cli codegen › should fill [contentEditable] `@firefox-macos-15-large`
⚠️ [firefox-library] › library/inspector/cli-codegen-csharp.spec.ts:28 › should print the correct imports and context options `@firefox-macos-15-large`
⚠️ [firefox-library] › library/inspector/cli-codegen-csharp.spec.ts:208 › should print context options method override in nunit if options were passed `@firefox-macos-15-large`
⚠️ [firefox-library] › library/inspector/cli-codegen-csharp.spec.ts:202 › should not print context options method override in mstest if no options were passed `@firefox-macos-15-large`
⚠️ [firefox-library] › library/inspector/cli-codegen-csharp.spec.ts:208 › should print context options method override in xunit if options were passed `@firefox-macos-15-large`
⚠️ [firefox-library] › library/inspector/cli-codegen-java.spec.ts:24 › should print the correct imports and context options `@firefox-macos-15-large`
⚠️ [firefox-library] › library/inspector/cli-codegen-java.spec.ts:114 › should print the correct imports in junit `@firefox-macos-15-large`
⚠️ [firefox-library] › library/inspector/cli-codegen-python-async.spec.ts:80 › should save the codegen output to a file if specified `@firefox-macos-15-large`
⚠️ [firefox-library] › library/inspector/cli-codegen-python.spec.ts:125 › should work with --save-har `@firefox-macos-15-large`
⚠️ [firefox-library] › library/logger.spec.ts:34 › should log context-level `@firefox-macos-15-large`
⚠️ [firefox-library] › library/proxy.spec.ts:235 › should exclude patterns `@firefox-macos-15-large`
⚠️ [firefox-library] › library/har-websocket.spec.ts:239 › should attach websocket messages for a still open websocket after stopping `@firefox-windows-latest`

104463 passed, 4400 skipped

Merge workflow run.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants