build(deps): Bump undici from 7.24.6 to 7.28.0 #1036
Bumps [undici](https://github.com/nodejs/undici) from 7.24.6 to 7.28.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.24.6...v7.28.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Task 1: Supply-chain malware review

This is a legitimate security patch from the official

Checklist summary

Scanner vs. interpretation: Status is

Task 2: Compatibility and adoption

Compatibility & adoption analysis

1) Where it appears
| Location | Role |
|---|---|
| Not a direct dependency | package.json does not list undici. |
| Transitive only | @easyops-cn/docusaurus-search-local → nested cheerio@1.1.2 → undici@^7.12.0 (hoisted to node_modules/undici in lockfile). |
| App source | No import/require of undici, WebSocket, ProxyAgent, or Socks5ProxyAgent in src/, docusaurus.config.js, or other project code. |
| undici-types | Separate @types/node typing package; unrelated to runtime undici. |
- How cheerio uses undici: only in cheerio.fromURL() — HTTP fetch via undici.Client, undici.stream, and the redirect interceptor.
- How this repo uses cheerio: @easyops-cn/docusaurus-search-local@0.55.2 calls cheerio.load(html) on built HTML during indexing (parse.js). It does not call fromURL().
- Runtime context: Docusaurus static site — undici is a build-time transitive dep for search indexing, not shipped to browsers.
2) Intersection with changed APIs (7.24.6 → 7.28.0)

| Changed area in 7.28.0 | Used here? |
|---|---|
| WebSocket / WebSocketStream (fragment DoS) | No |
| SOCKS5 ProxyAgent (TLS bypass, cross-origin routing) | No |
| HTTP cache interceptor | No |
| undici.Client + stream + redirect (cheerio fromURL path) | Not invoked: fromURL is unused |
Conclusion: No application or plugin code path in this repo touches the APIs fixed in the security release. The lockfile bump is supply-chain hygiene, not a behavioral change to documented site behavior.
3) Risks / unknowns

- Low compatibility risk: Same major line (7.x); PR is lockfile-only; Node >=24.14.1 satisfies undici's >=20.18.1 engine requirement; CI uses node:24-alpine.
- Residual exposure if vulns aren't patched: Theoretically present while on 7.24.6, but practical exploit surface is negligible here because vulnerable APIs are not called.
- Unknown (minor): Whether npm run build passes on the PR branch — standard CI gate, not expected to fail for this change.
4) Recommendation: merge
Security release addressing 7 advisories (3 high). No direct or indirect usage of the affected WebSocket/SOCKS5/cache surfaces. Transitive undici is unused at runtime for the actual cheerio.load() indexing path. Merge to clear Dependabot alerts with negligible compatibility risk.
Optional post-merge check: Confirm CI npm ci && npm run build is green (routine, not a blocker from this analysis).
Malware Scan Summary

- Status: warn
- Warn only mode: true
- Changed upstream files scanned: 82
- Resolution strategy: tag_range
- Changed node/vendor paths: 0
- Changed lockfiles: 0
- Resolved upstream range: 38eab360daff8f72927dd6083e755ca37d6d624e..f9eba0ad9134e1c0977848476bba9d49734696e4
- Resolved refs: from=38eab360daff8f72927dd6083e755ca37d6d624e to=f9eba0ad9134e1c0977848476bba9d49734696e4
- Unicode findings (post-allowlist): 1
- Confusable findings (post-allowlist): 0
- IOC findings (post-allowlist): 0
- Heuristic findings (post-allowlist): 68
Top findings

- docs/docs/api/Dispatcher.md:1191 unicode :: ⚠️ The decompress interceptor is experimental and subject to change.
- lib/web/webidl/index.js:637 codepoint_decoder :: if (x.charCodeAt(index) > 255) {
- lib/web/webidl/index.js:640 codepoint_decoder :: index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.
- lib/web/cookies/parse.js:190 codepoint_decoder :: const charCode = attributeValue.charCodeAt(0)
- lib/web/fetch/formdata-parser.js:19 codepoint_decoder :: if ((chars.charCodeAt(i) & ~0x7F) !== 0) {
- lib/web/fetch/formdata-parser.js:42 codepoint_decoder :: const cp = boundary.charCodeAt(i)
- lib/core/request.js:37 codepoint_decoder :: const charCode = val.charCodeAt(i)
- lib/web/fetch/util.js:64 codepoint_decoder :: const code = url.charCodeAt(i)
- lib/web/fetch/util.js:120 codepoint_decoder :: const c = statusText.charCodeAt(i)
- lib/web/fetch/util.js:1104 codepoint_decoder :: if (data.charCodeAt(position.position) !== 0x3D) {
- lib/web/fetch/util.js:1125 codepoint_decoder :: const code = char.charCodeAt(0)
- lib/web/fetch/util.js:1148 codepoint_decoder :: if (data.charCodeAt(position.position) !== 0x2D) {
- lib/web/fetch/util.js:1171 codepoint_decoder :: const code = char.charCodeAt(0)
- lib/web/fetch/util.js:1378 codepoint_decoder :: if (input.charCodeAt(position.position) === 0x22) {
- lib/web/fetch/util.js:1393 codepoint_decoder :: assert(input.charCodeAt(position.position) === 0x2C)
- test/node-test/global-dispatcher-version.js:5 shell_process_spawn :: const { spawnSync } = require('node:child_process')
- test/parser-issues.js:321 shell_process_spawn :: const { spawnSync } = require('node:child_process')
- scripts/release.js:6 shell_process_spawn :: const match = /^v(\d+)\./.exec(versionTag)
- lib/cache/sqlite-cache-store.js:117 shell_process_spawn :: this.#db.exec(
- test/node-test/global-dispatcher-version.js:30 network_c2_indicator :: const url = 'http://127.0.0.1:' + server.address().port
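As an added example (not code from this PR, from Dependabot, or from the Cursor bots), the following Node script performs the reachability check the analysis above describes by hand: it walks a package-lock v3 `packages` map to find which packages declare undici as a dependency and whether it is a direct dependency, reads the installed version, and does a coarse textual scan of project source for the module and the APIs the 7.28.0 release touches. The lockfile, the source files and the `parse.js` path are constructed to mirror the tree described above; the audit functions are hypothetical helpers, not part of any tool on the page.

```javascript
// Added example: audit a transitive dependency's reachability from a package-lock v3
// `packages` map plus a textual scan of project source. Everything below is constructed.

// Constructed lockfile fragment: root -> docusaurus-search-local -> nested cheerio -> undici.
const LOCK = {
  name: 'docs-site',
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { '@easyops-cn/docusaurus-search-local': '^0.55.2' } },
    'node_modules/@easyops-cn/docusaurus-search-local': {
      version: '0.55.2',
      dependencies: { cheerio: '^1.0.0' },
    },
    'node_modules/@easyops-cn/docusaurus-search-local/node_modules/cheerio': {
      version: '1.1.2',
      dependencies: { undici: '^7.12.0' },
    },
    'node_modules/undici': { version: '7.24.6' },       // hoisted transitive install
    'node_modules/undici-types': { version: '7.16.0' }, // unrelated typing package
  },
};

// Constructed project source, keyed by path. The node_modules path is a made-up
// stand-in for the plugin's parse.js and is skipped by the scan (vendor code).
const SOURCES = {
  'src/theme/SearchBar.js': "import React from 'react';\nexport default () => null;\n",
  'docusaurus.config.js': "module.exports = { title: 'Docs' };\n",
  'node_modules/@easyops-cn/docusaurus-search-local/parse.js':
    "const cheerio = require('cheerio');\nmodule.exports = (html) => cheerio.load(html);\n",
};

// Package name from a lockfile path: the segment after the last 'node_modules/'.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// True when the root package.json (the '' entry) lists `name` directly.
function isDirectDependency(lock, name) {
  const root = lock.packages[''] || {};
  const declared = { ...(root.dependencies || {}), ...(root.devDependencies || {}) };
  return name in declared;
}

// Every installed package whose declared dependencies include `name`, with the range it asks for.
function findDependents(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '') continue;
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (name in deps) out.push({ parent: packageNameFromPath(path), range: deps[name] });
  }
  return out;
}

// Version of the hoisted top-level install, or null if it only exists nested/not at all.
function installedVersion(lock, name) {
  const entry = lock.packages['node_modules/' + name];
  return entry ? entry.version : null;
}

// Coarse word-boundary scan of non-vendor source for module names and API identifiers.
// A hit is a prompt for manual review, not proof of use.
function scanSourceForReferences(sources, names) {
  const hits = [];
  for (const [file, text] of Object.entries(sources)) {
    if (file.startsWith('node_modules/')) continue;
    for (const n of names) {
      if (new RegExp('\\b' + n + '\\b').test(text)) hits.push({ file, name: n });
    }
  }
  return hits;
}

function auditTransitive(lock, sources, name, apis) {
  return {
    direct: isDirectDependency(lock, name),
    version: installedVersion(lock, name),
    dependents: findDependents(lock, name),
    references: scanSourceForReferences(sources, [name, ...apis]),
  };
}

const report = auditTransitive(LOCK, SOURCES, 'undici',
  ['WebSocket', 'ProxyAgent', 'Socks5ProxyAgent', 'fromURL']);
console.log(JSON.stringify(report, null, 2));
```

Run it with `node audit.js` (any filename). An empty `references` list together with a `dependents` list that contains only packages known not to call the fixed APIs is the evidence behind the "supply-chain hygiene, not a behavioral change" conclusion; a non-empty `references` list, or a parent that does call fromURL(), WebSocket or a proxy agent, means the bump changes runtime behaviour and deserves a build and test run before merge.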
Bumps undici from 7.24.6 to 7.28.0.
Release notes
Sourced from undici's releases.
... (truncated)
Commits
- f9eba0a Bumped v7.28.0 (#5430)
- a027a4a Backport WebSocket maxPayloadSize fixes to v7.x (#5423)
- 8cb10f9 websocket: limit the number of fragments in a message
- 04201f8 fix: honor requestTls when proxy is SOCKS5
- fcd642f fix(socks5): preserve dispatch backpressure return value (#5166)
- bc98c97 fix(socks5): use configured connector in Socks5ProxyAgent (#5168)
- 9e1c743 fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (#5099)
- 376c8be fix(socks5): enforce authenticated state before CONNECT (#5097)
- 3805b8f fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...
- 85a2405 fix(cache): trim qualified field names

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.
Note

Low Risk

Lockfile-only dependency bump with no app code changes; risk is mainly routine regression in HTTP/WebSocket behavior from the patched undici release, offset by required security fixes.

Overview

Bumps the lockfile-resolved undici version from 7.24.6 to 7.28.0 (transitive dependency, e.g. via cheerio). No application source changes. 7.28.0 is a security release that fixes multiple advisories (including high-severity WebSocket DoS, SOCKS5 TLS validation bypass, and per-origin pool routing). Upgrading closes those issues for whatever in the tree pulls in undici.

Reviewed by Cursor Bugbot for commit 168c6fd. Bugbot is set up for automated code reviews on this repo.