build(deps): Bump undici from 7.24.6 to 7.28.0 #1036

Merged

BrandtH22 merged 1 commit into main from dependabot/npm_and_yarn/undici-7.28.0 on Jun 22, 2026

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 18, 2026

Bumps undici from 7.24.6 to 7.28.0.

Release notes

Sourced from undici's releases.

v7.28.0

⚠️ Security Release

This release line addresses 7 security advisories, all shipped in v7.28.0.

Action required: Upgrade to undici 7.28.0 or later.

npm install undici@^7.28.0

The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.

Note on GHSA-hm92-r4w5-c3mj: this fix shipped in v7.28.0, not the earlier 7.2x line — the vulnerable single-pool code was still present through v7.27.2. The per-origin pool fix is 3805b8f8 (#5041).

Summary

| Advisory | CVE | Severity (CVSS) | Fixed in | Fix commit |
| --- | --- | --- | --- | --- |
| GHSA-vxpw-j846-p89q | CVE-2026-12151 | High (7.5) | 7.28.0 | 8cb10f98 |
| GHSA-vmh5-mc38-953g | CVE-2026-9697 | High (7.4) | 7.28.0 | 04201f89 |
| GHSA-hm92-r4w5-c3mj | CVE-2026-6734 | High (7.5) | 7.28.0 | 3805b8f8 |
| GHSA-pr7r-676h-xcf6 | CVE-2026-9678 | Moderate (5.9) | 7.28.0 | 85a24055 |
| GHSA-p88m-4jfj-68fv | CVE-2026-9679 | Moderate (5.9) | 7.28.0 | d0574cc4 |
| GHSA-g8m3-5g58-fq7m | CVE-2026-11525 | Low (3.7) | 7.28.0 | d0574cc4 |
| GHSA-35p6-xmwp-9g52 | CVE-2026-6733 | Low (3.7) | 7.28.0 | ea8930cf |

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: 8cb10f98 websocket: limit the number of fragments in a message (part of backport a027a4a0 Backport WebSocket maxPayloadSize fixes to v7.x, #5423)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697

GHSA-vmh5-mc38-953g · CWE-295

... (truncated)

Commits
  • f9eba0a Bumped v7.28.0 (#5430)
  • a027a4a Backport WebSocket maxPayloadSize fixes to v7.x (#5423)
  • 8cb10f9 websocket: limit the number of fragments in a message
  • 04201f8 fix: honor requestTls when proxy is SOCKS5
  • fcd642f fix(socks5): preserve dispatch backpressure return value (#5166)
  • bc98c97 fix(socks5): use configured connector in Socks5ProxyAgent (#5168)
  • 9e1c743 fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (#5099)
  • 376c8be fix(socks5): enforce authenticated state before CONNECT (#5097)
  • 3805b8f fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...
  • 85a2405 fix(cache): trim qualified field names
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note

Low Risk
Lockfile-only dependency bump with no app code changes; risk is mainly routine regression in HTTP/WebSocket behavior from the patched undici release, offset by required security fixes.

Overview
Bumps the lockfile-resolved undici version from 7.24.6 to 7.28.0 (transitive dependency, e.g. via cheerio). No application source changes.

7.28.0 is a security release that fixes multiple advisories (including high-severity WebSocket DoS, SOCKS5 TLS validation bypass, and per-origin pool routing). Upgrading closes those issues for whatever in the tree pulls in undici.

Reviewed by Cursor Bugbot for commit 168c6fd. Bugbot is set up for automated code reviews on this repo.

Bumps [undici](https://github.com/nodejs/undici) from 7.24.6 to 7.28.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.24.6...v7.28.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the Changed, dependencies and javascript labels Jun 18, 2026
@github-actions

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing how undici is used in this repo and validating the malware scan findings against the dependency update.
Verdict: benign

Task 1: Supply-chain malware review

This is a legitimate security patch from the official nodejs/undici package. The PR only bumps the lockfile entry for a transitive dependency (7.24.6 → 7.28.0); there are no new direct dependencies, no new install lifecycle scripts in the consumed artifact, and no signs of compromise.

Checklist summary

| Category | Finding |
| --- | --- |
| Classic obfuscation | No eval/XOR/obfuscated payloads in shipped lib/ code. Base64 usage is normal (auth headers, WASM). |
| Unexpected network / exfil | Scanner network_c2_indicator hits are 127.0.0.1 and test fixtures — not in the published npm tarball. |
| Process spawning / persistence | spawn/exec hits are upstream tests and dev tooling; not shipped to consumers (tarball contains lib/ + one build script). |
| npm lifecycle scripts | Published undici@7.28.0 has no preinstall/install/postinstall. Zero runtime dependencies. |
| Invisible Unicode / GlassWorm | 1 unicode hit: visible ⚠️ in upstream docs (not in tarball). 0 confusable/IOC hits. charCodeAt hits are normal HTTP/WebIDL parsing — not hidden-payload assembly. |
| Dependency integrity | Transitive via cheerio@1.1.2 (^7.12.0). Same major line, tagged release v7.28.0, valid npm integrity hash. Official Node.js project maintainers unchanged. |
| Dependabot-specific | PR scope is package-lock.json only. Scanner flagged upstream .github/workflows/ changes — those are not installed via npm. |

Scanner vs. interpretation: Status is warn with 68 heuristics, but 0 IOC / 0 confusable after allowlisting. I disagree with treating the heuristics as malicious; they match expected patterns for an HTTP client library and its test suite. The single unicode finding is a documentation emoji, not Trojan Source.


Task 2: Compatibility and adoption

1) Where it appears

  • Not used directly in chia-docs source (no import/require('undici')).
  • Transitive path: @easyops-cn/docusaurus-search-local → nested cheerio@1.1.2 → undici@^7.12.0 (resolved to 7.28.0 in lockfile).
  • Used at build time by the local search plugin to parse/index site content — not a runtime user-facing API in this repo.

2) API intersection with v7.28.0 changes

Release changes focus on WebSocket, Socks5ProxyAgent, and cache hardening. Cheerio’s undici usage (when used) is undici.Client + redirect interceptor + stream() for fromURL() — standard HTTP fetch, not WebSocket/SOCKS5.

This docs site does not call cheerio.fromURL() or undici APIs directly; search indexing uses local HTML parsing. Low intersection with the changed surface area.

3) Risks / unknowns

  • Low runtime risk for this repo: static Docusaurus build, no SOCKS5/WebSocket usage expected.
  • Security benefit is real even with low exposure — fixes 3 high-severity CVEs in the installed tree.
  • Minor semver bump within v7; no new transitive deps. Residual unknown: full CI/build not run in this review environment.

4) Recommendation: merge

Priority security update with minimal compatibility risk for chia-docs. If you want extra confidence before merge, run npm run build once on the PR branch — breakage is unlikely given indirect usage and patch-level security fixes within the same major line.

Compatibility Analysis

I'll trace how undici is referenced in this repo and whether those paths overlap with the APIs changed in 7.28.0.

Compatibility & adoption analysis — undici 7.24.6 → 7.28.0

1) Where undici appears

| Location | Role |
| --- | --- |
| Not a direct dependency | package.json does not list undici. |
| Transitive only | @easyops-cn/docusaurus-search-local → nested cheerio@1.1.2 → undici@^7.12.0 (hoisted to node_modules/undici in lockfile). |
| App source | No import/require of undici, WebSocket, ProxyAgent, or Socks5ProxyAgent in src/, docusaurus.config.js, or other project code. |
| undici-types | Separate @types/node typing package; unrelated to runtime undici. |

How cheerio uses undici: only in cheerio.fromURL() — HTTP fetch via undici.Client, undici.stream, and the redirect interceptor.

How this repo uses cheerio: @easyops-cn/docusaurus-search-local@0.55.2 calls cheerio.load(html) on built HTML during indexing (parse.js). It does not call fromURL().

Runtime context: Docusaurus static site — undici is a build-time transitive dep for search indexing, not shipped to browsers.


2) Intersection with changed APIs (7.24.6 → 7.28.0)

| Changed area in 7.28.0 | Used here? |
| --- | --- |
| WebSocket / WebSocketStream (fragment DoS) | No |
| SOCKS5 ProxyAgent (TLS bypass, cross-origin routing) | No |
| HTTP cache interceptor | No |
| undici.Client + stream + redirect (cheerio fromURL path) | Not invoked (fromURL is unused) |

Conclusion: No application or plugin code path in this repo touches the APIs fixed in the security release. The lockfile bump is supply-chain hygiene, not a behavioral change to documented site behavior.


3) Risks / unknowns

  • Low compatibility risk: Same major line (7.x); PR is lockfile-only; Node >=24.14.1 satisfies undici’s >=20.18.1 engine requirement; CI uses node:24-alpine.
  • Residual exposure if vulns aren’t patched: Theoretically present while on 7.24.6, but practical exploit surface is negligible here because vulnerable APIs are not called.
  • Unknown (minor): Whether npm run build passes on the PR branch — standard CI gate, not expected to fail for this change.

4) Recommendation: merge

Security release addressing 7 advisories (3 high). No direct or indirect usage of the affected WebSocket/SOCKS5/cache surfaces. Transitive undici is unused at runtime for the actual cheerio.load() indexing path. Merge to clear Dependabot alerts with negligible compatibility risk.

Optional post-merge check: Confirm CI npm ci && npm run build is green (routine, not a blocker from this analysis).


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 82
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 38eab360daff8f72927dd6083e755ca37d6d624e..f9eba0ad9134e1c0977848476bba9d49734696e4
  • Resolved refs: from=38eab360daff8f72927dd6083e755ca37d6d624e to=f9eba0ad9134e1c0977848476bba9d49734696e4
  • Unicode findings (post-allowlist): 1
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 68

Top findings

  • docs/docs/api/Dispatcher.md:1191 unicode :: ⚠️ The decompress interceptor is experimental and subject to change.
  • lib/web/webidl/index.js:637 codepoint_decoder :: if (x.charCodeAt(index) > 255) {
  • lib/web/webidl/index.js:640 codepoint_decoder :: index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.
  • lib/web/cookies/parse.js:190 codepoint_decoder :: const charCode = attributeValue.charCodeAt(0)
  • lib/web/fetch/formdata-parser.js:19 codepoint_decoder :: if ((chars.charCodeAt(i) & ~0x7F) !== 0) {
  • lib/web/fetch/formdata-parser.js:42 codepoint_decoder :: const cp = boundary.charCodeAt(i)
  • lib/core/request.js:37 codepoint_decoder :: const charCode = val.charCodeAt(i)
  • lib/web/fetch/util.js:64 codepoint_decoder :: const code = url.charCodeAt(i)
  • lib/web/fetch/util.js:120 codepoint_decoder :: const c = statusText.charCodeAt(i)
  • lib/web/fetch/util.js:1104 codepoint_decoder :: if (data.charCodeAt(position.position) !== 0x3D) {
  • lib/web/fetch/util.js:1125 codepoint_decoder :: const code = char.charCodeAt(0)
  • lib/web/fetch/util.js:1148 codepoint_decoder :: if (data.charCodeAt(position.position) !== 0x2D) {
  • lib/web/fetch/util.js:1171 codepoint_decoder :: const code = char.charCodeAt(0)
  • lib/web/fetch/util.js:1378 codepoint_decoder :: if (input.charCodeAt(position.position) === 0x22) {
  • lib/web/fetch/util.js:1393 codepoint_decoder :: assert(input.charCodeAt(position.position) === 0x2C)
  • test/node-test/global-dispatcher-version.js:5 shell_process_spawn :: const { spawnSync } = require('node:child_process')
  • test/parser-issues.js:321 shell_process_spawn :: const { spawnSync } = require('node:child_process')
  • scripts/release.js:6 shell_process_spawn :: const match = /^v(\d+)\./.exec(versionTag)
  • lib/cache/sqlite-cache-store.js:117 shell_process_spawn :: this.#db.exec(
  • test/node-test/global-dispatcher-version.js:30 network_c2_indicator :: const url = 'http://127.0.0.1:' + server.address().port
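
The analysis above relies on the lockfile resolving undici to a single hoisted copy; a second copy nested under another package's node_modules would be its own lockfile entry and could stay on a vulnerable version. The script below is an added example (not output of the PR's bots and not undici's or the repo's code) that walks a lockfileVersion 2/3 `packages` map and reports every installed copy of a package whose version is below a given fixed version; the sample lockfile is constructed, and `FIXED_UNDICI` comes from the release notes above.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2/3) for every resolved copy of a
// dependency, hoisted or nested, and flag those below the version that carries the fix.
// In v2/v3 lockfiles the keys of "packages" are install paths such as
// "node_modules/undici" or "node_modules/cheerio/node_modules/undici".
const FIXED_UNDICI = '7.28.0'; // first v7 release carrying all seven advisories' fixes (release notes above)

function parseVersion(v) {
  // Numeric major.minor.patch only; a prerelease suffix after '-' is ignored (assumption: fine for lockfiles).
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric compare so that 7.9.0 < 7.28.0 (a lexical compare would get this wrong).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Returns one record per install path whose last segment is `name`, in lockfile order,
// marking it vulnerable when its version sorts below `fixed`.
function auditLockfile(lock, name, fixed) {
  if (!lock.packages) throw new Error('lockfileVersion 1 has no "packages" map; regenerate with npm >= 7');
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`)) // excludes e.g. undici-types
    .map(([path, meta]) => ({ path, version: meta.version, vulnerable: compareVersions(meta.version, fixed) < 0 }));
}

// Constructed sample lockfile: the hoisted copy is already patched, a nested copy is still on 7.24.6.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-site' },
    'node_modules/undici': { version: '7.28.0', resolved: 'https://registry.npmjs.org/undici/-/undici-7.28.0.tgz' },
    'node_modules/cheerio': { version: '1.1.2', dependencies: { undici: '^7.12.0' } },
    'node_modules/cheerio/node_modules/undici': { version: '7.24.6' },
    'node_modules/undici-types': { version: '6.21.0' } // typing package; must not match
  }
};

for (const r of auditLockfile(SAMPLE_LOCK, 'undici', FIXED_UNDICI)) {
  console.log(`${r.vulnerable ? 'VULNERABLE' : 'ok        '} ${r.path} @ ${r.version}`);
}
```

To check a real tree, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` in place of `SAMPLE_LOCK`; any VULNERABLE row after the bump means a nested copy still needs its parent package updated or a dedupe.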

@BrandtH22 BrandtH22 left a comment

lgtm

@BrandtH22 BrandtH22 merged commit c8b5696 into main Jun 22, 2026
11 checks passed
@BrandtH22 BrandtH22 deleted the dependabot/npm_and_yarn/undici-7.28.0 branch June 22, 2026 18:36