Skip to content

fix: update undici to >=6.27.0 to resolve CVE-2026-12151 and related CVEs#30

Merged
bnavetta merged 1 commit into
mainfrom
independabot/undici-CVE-2026-12151
Jun 29, 2026
Merged

fix: update undici to >=6.27.0 to resolve CVE-2026-12151 and related CVEs#30
bnavetta merged 1 commit into
mainfrom
independabot/undici-CVE-2026-12151

Conversation

@liliwilson

Copy link
Copy Markdown
Contributor

Summary

Fixes 4 undici vulnerabilities by adding an npm overrides entry to force undici >= 6.27.0.

undici is a transitive dependency pulled in by @actions/http-client@4.0.1 (which requires ^6.23.0). Dependabot cannot auto-fix this because of constraints elsewhere in the dependency tree, so we use npm's overrides field to force a safe version.

Vulnerabilities Fixed

Severity CVE Summary
High CVE-2026-12151 WebSocket DoS via fragment count bypass
Moderate CVE-2026-9679 HTTP header injection via Set-Cookie percent-decoding
Low CVE-2026-6733 HTTP response queue poisoning via keep-alive socket reuse
Low CVE-2026-11525 Set-Cookie SameSite attribute downgrade

Dependabot Alert Links

Verification

  • npm audit no longer reports undici vulnerabilities
  • npm run package (rollup build) succeeds
  • All 12 tests pass (npm test)

This PR was generated with Oz.

@liliwilson liliwilson requested a review from bnavetta June 24, 2026 13:06
@bnavetta bnavetta force-pushed the independabot/undici-CVE-2026-12151 branch from 6af8dbc to 206f1c4 Compare June 29, 2026 17:24
…CVEs

Adds npm override to force undici to >=6.27.0, resolving:
- CVE-2026-12151 (high): WebSocket DoS via fragment count bypass
- CVE-2026-9679 (moderate): HTTP header injection via Set-Cookie
- CVE-2026-6733 (low): HTTP response queue poisoning
- CVE-2026-11525 (low): SameSite attribute downgrade

Co-Authored-By: Oz <oz-agent@warp.dev>
@bnavetta bnavetta force-pushed the independabot/undici-CVE-2026-12151 branch from 206f1c4 to 105e251 Compare June 29, 2026 17:26
@bnavetta bnavetta merged commit 8ba4e14 into main Jun 29, 2026
8 checks passed
@bnavetta bnavetta deleted the independabot/undici-CVE-2026-12151 branch June 29, 2026 17:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants