Update bundled undici to address CVE-2026-12151 (DoS via WebSocket fragment count bypass) · community · Discussion #199906 · GitHub

Thanks for following up and sharing the upstream reference.

The dependency path and the node-gyp issue seem to explain why the vulnerable version is still appearing:

npm CLI → node-gyp → undici@6.26.0

Based on the information provided, it sounds like this is no longer a question of whether the dependency exists, but rather when the updated node-gyp release is incorporated into npm CLI's dependency tree.

For anyone finding this discussion later:

  • npm CLI 11.17.0 is pulling undici@6.26.0 transitively through node-gyp@13.0.0.
  • The dependency update appears to be tracked upstream in the referenced node-gyp issue.
  • Once node-gyp adopts a fixed undici version and npm CLI updates its dependency se…
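As an added, defender-side check (not code from the discussion, npm or node-gyp): a small Python script that walks the JSON produced by `npm ls undici --json`, prints every transitive path at which `undici` appears, and flags versions older than the first fixed release. The sample tree is constructed to mirror the chain described above (npm CLI 11.17.0 → node-gyp@13.0.0 → undici@6.26.0); the fixed version `6.26.1` is a placeholder assumption, since the discussion does not name it.

```python
import json

# Constructed sample of `npm ls undici --json` output (not captured from a real
# install); it mirrors the chain the comment describes:
# npm CLI 11.17.0 -> node-gyp@13.0.0 -> undici@6.26.0.
SAMPLE_NPM_LS_JSON = """
{
  "version": "11.17.0",
  "name": "npm",
  "dependencies": {
    "node-gyp": {
      "version": "13.0.0",
      "dependencies": {
        "undici": {"version": "6.26.0"}
      }
    }
  }
}
"""

def find_paths(tree, target, path=None):
    """Return every (path, version) at which `target` appears in an
    `npm ls --json` tree, walking the nested "dependencies" maps."""
    path = path or [f"{tree.get('name', 'root')}@{tree.get('version', '?')}"]
    found = []
    for name, node in (tree.get("dependencies") or {}).items():
        here = path + [f"{name}@{node.get('version', '?')}"]
        if name == target:
            found.append((" -> ".join(here), node.get("version", "?")))
        found.extend(find_paths(node, target, here))
    return found

def version_tuple(v):
    # Compare plain semver numbers; a pre-release suffix after '-' is ignored.
    return tuple(int(p) for p in v.split("-")[0].split("."))

def report(ls_json, target, min_fixed):
    """List transitive occurrences of `target` and flag any version older
    than `min_fixed` (the first version that carries the fix)."""
    return [(p, v, version_tuple(v) < version_tuple(min_fixed))
            for p, v in find_paths(json.loads(ls_json), target)]

if __name__ == "__main__":
    # "6.26.1" is a placeholder assumption for the fixed undici version;
    # substitute the version named in the advisory for CVE-2026-12151.
    for path, ver, vulnerable in report(SAMPLE_NPM_LS_JSON, "undici", "6.26.1"):
        print(("VULNERABLE " if vulnerable else "ok         ") + path)
```

Run it against real output with `npm ls undici --json --all > tree.json` and pass the file contents to `report`.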
