fix(security): remediate undici vulnerabilities by fro-bot · Pull Request #2322 · bfra-me/.github · GitHub

fix(security): remediate undici vulnerabilities#2322

Merged
marcusrbrown merged 2 commits into
mainfrom
security/undici-vulnerability-fix
Jun 25, 2026

Conversation


@fro-bot fro-bot commented Jun 20, 2026

Collaborator

Summary

Remediates four Dependabot alerts for the transitive undici dependency (consumed via @octokit/request, @actions/http-client, etc.) by bumping the pnpm override floor from >=6.23.0 to >=6.27.0. This pulls in undici 8.5.0 transitively and closes all four advisories without modifying any source code.

Advisories Addressed

#  | GHSA                | Severity | Summary                                                                                                                              | CVSS
55 | GHSA-vxpw-j846-p89q | HIGH     | undici WebSocket client vulnerable to DoS via fragment count bypass (unbounded memory growth from many small/empty continuation frames) | 7.5
56 | GHSA-p88m-4jfj-68fv | MEDIUM   | undici vulnerable to HTTP header injection via Set-Cookie percent-decoding                                                           | 5.9
54 | GHSA-35p6-xmwp-9g52 | LOW      | undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse                                                       | n/a
57 | GHSA-g8m3-5g58-fq7m | LOW      | undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching                                       | n/a

Changes

  • pnpm-workspace.yaml: undici@<6.23.0: '>=6.23.0' → undici@<6.27.0: '>=6.27.0'
  • pnpm-lock.yaml: undici@6.25.0 → undici@8.5.0 for transitive consumers
  • .github/actions/*/dist/index.js: rebuilt to bundle the new undici (size increased as expected from updated vendored code)
  • .changeset/security-undici-vulnerability-fix.md: patch-level changeset for @bfra.me/.github

Scope

Pure dependency remediation — no source code changes, no unrelated dependency bumps. pnpm audit now reports zero undici findings (advisories 54, 55, 56, 57 will auto-resolve on merge).

Verification

  • pnpm run type-check: ✅ pass
  • pnpm run lint: ✅ pass
  • pnpm run test: ✅ pass (641 tests)
  • pnpm run build: ✅ pass (3 actions rebuilt)
  • pnpm audit: undici advisories resolved; only pre-existing esbuild + js-yaml advisories remain (covered by PR fix(security): remediate esbuild vulnerability #2292)

Note

undici 8.x requires Node.js >=22.19.0. All actions in this repo already use node24 runtime, and the repo's own .nvmrc / package.json#engines track Node 24, so this is consistent with the project's Node baseline.

Bump pnpm override to undici@>=6.27.0 to address four advisories:

- GHSA-vxpw-j846-p89q (HIGH, CVSS 7.5): WebSocket DoS via fragment count
  bypass — unbounded memory growth from many small/empty continuation
  frames that each pass per-frame validation.
- GHSA-p88m-4jfj-68fv (MEDIUM, CVSS 5.9): HTTP header injection via
  Set-Cookie percent-decoding.
- GHSA-35p6-xmwp-9g52 (LOW): HTTP response queue poisoning via
  keep-alive socket reuse.
- GHSA-g8m3-5g58-fq7m (LOW): Set-Cookie SameSite attribute downgrade
  via permissive substring matching.

Fix lands undici@6.27.0 (or 7.28.0 / 8.5.0). The override bumps
transitive consumers (@octokit/request, @actions/http-client) to
undici 8.5.0 to satisfy the new floor. dist/ regenerated to reflect
the bundled undici update. No source code changes — pure dependency
remediation.
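An added check, not part of this PR or of the bfra-me/.github repo, for confirming that the override floor actually reached every transitive consumer: a pnpm override only rewrites dependency ranges that match its selector (here undici@<6.27.0), so the resolved versions recorded in pnpm-lock.yaml are the ground truth. The lockfile excerpt, consumer versions and integrity values below are constructed for illustration in pnpm lockfileVersion 9 syntax; the version comparison handles plain X.Y.Z versions, not full semver.

```javascript
// Constructed pnpm-lock.yaml excerpt (not this repo's real lockfile).
// One consumer still resolves undici 6.25.0, i.e. below the PR's '>=6.27.0' floor.
const SAMPLE_LOCK = `
lockfileVersion: '9.0'

packages:

  undici@6.25.0:
    resolution: {integrity: sha512-CONSTRUCTED}

  undici@8.5.0:
    resolution: {integrity: sha512-CONSTRUCTED}

snapshots:

  '@actions/http-client@2.2.3':
    dependencies:
      undici: 6.25.0

  '@octokit/request@9.2.0':
    dependencies:
      undici: 8.5.0

  undici@6.25.0: {}

  undici@8.5.0: {}
`;

// Compare dotted versions numerically; a pre-release suffix is dropped (assumption:
// good enough for override floors like 6.27.0, not a full semver implementation).
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

function satisfiesFloor(version, floor) {
  const a = parseVersion(version), b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true; // equal versions satisfy '>='
}

// Walk the snapshots section: each two-space-indented key is a consumer, and an
// indented 'undici: <version>' line beneath it is what that consumer resolved.
function findUndiciBelowFloor(lockText, floor) {
  const findings = [];
  let inSnapshots = false, consumer = null;
  for (const line of lockText.split('\n')) {
    if (/^snapshots:/.test(line)) { inSnapshots = true; continue; }
    if (!inSnapshots) continue;
    const key = line.match(/^  '?([^'\s][^']*?)'?:( \{\})?$/);
    if (key) { consumer = key[1]; continue; }
    const dep = line.match(/^\s+undici: (\S+)$/);
    if (dep && !satisfiesFloor(dep[1], floor)) findings.push({ consumer, version: dep[1] });
  }
  return findings;
}

// Stand-alone run: an empty list means the override was honored everywhere.
console.log(findUndiciBelowFloor(SAMPLE_LOCK, '6.27.0'));
```

Run it against the real lockfile by replacing SAMPLE_LOCK with the file contents; the PR's pnpm audit result corresponds to this returning an empty list.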
@bfra-me bfra-me Bot added labels: documentation (Improvements or additions to documentation), dependencies (Dependency updates or security alerts) Jun 20, 2026
@bfra-me bfra-me Bot requested a review from marcusrbrown June 20, 2026 17:05
@marcusrbrown marcusrbrown enabled auto-merge (squash) June 25, 2026 04:20
@marcusrbrown marcusrbrown merged commit 0da69bd into main Jun 25, 2026
12 checks passed
@marcusrbrown marcusrbrown deleted the security/undici-vulnerability-fix branch June 25, 2026 04:21
@fro-bot fro-bot mentioned this pull request Jun 25, 2026