Skip to content

chore: Bump undici and @actions/http-client#847

Closed
dependabot[bot] wants to merge 2 commits into
masterfrom
dependabot/npm_and_yarn/multi-b392ed0e23
Closed

chore: Bump undici and @actions/http-client#847
dependabot[bot] wants to merge 2 commits into
masterfrom
dependabot/npm_and_yarn/multi-b392ed0e23

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 14, 2026

Copy link
Copy Markdown
Contributor

Bumps undici and @actions/http-client. These dependencies needed to be updated together.
Updates undici from 5.29.0 to 6.24.0

Release notes

Sourced from undici's releases.

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

Not applicable to v6

Affected and patched ranges (v6)

References

v6.23.0

⚠️ Security Release

... (truncated)

Commits
  • 8873c94 Bumped v6.24.0
  • 411bd01 test(websocket): use node:assert for Node 18 compatibility
  • 844bf59 test: fix http2 lint regressions in backport
  • a444e4f test: stabilize h2 and tls-cert-leak under current test runner
  • dc032a1 fix: h2 CI (#4395)
  • 4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
  • 7df6442 fix: adapt websocket frame-limit handling for v6 parser
  • 4e0179a fix: reject duplicate content-length and host headers
  • 5a97f08 Fix websocket 64-bit length overflow
  • e43e898 fix: validate upgrade header to prevent CRLF injection
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates @actions/http-client from 3.0.0 to 3.0.2

Changelog

Sourced from @​actions/http-client's changelog.

3.0.2

  • Bump undici from 5.28.5 to 6.23.0

3.0.1

  • Add support for ACTIONS_ORCHESTRATION_ID in user-agent and default user-agent #2229
Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​actions/http-client since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [undici](https://github.com/nodejs/undici) and [@actions/http-client](https://github.com/actions/toolkit/tree/HEAD/packages/http-client). These dependencies needed to be updated together.

Updates `undici` from 5.29.0 to 6.24.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v5.29.0...v6.24.0)

Updates `@actions/http-client` from 3.0.0 to 3.0.2
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/http-client/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/http-client)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 6.24.0
  dependency-type: indirect
- dependency-name: "@actions/http-client"
  dependency-version: 3.0.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 14, 2026
@s3cube s3cube self-requested a review March 20, 2026 19:37
@s3cube

s3cube commented Mar 20, 2026

Copy link
Copy Markdown
Contributor

@dependabot rebase

@dependabot @github

dependabot Bot commented on behalf of github Mar 20, 2026

Copy link
Copy Markdown
Contributor Author

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@s3cube

s3cube commented Mar 20, 2026

Copy link
Copy Markdown
Contributor

@dependabot recreate

@dependabot @github

dependabot Bot commented on behalf of github Mar 20, 2026

Copy link
Copy Markdown
Contributor Author

Looks like these dependencies are up-to-date now, so this is no longer needed.

@dependabot dependabot Bot closed this Mar 20, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/multi-b392ed0e23 branch March 20, 2026 19:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant