
fix: bump undici and form-data to patch Dependabot alerts #39

Merged: riglar merged 1 commit into main from fix/dependabot-undici-form-data on Jul 1, 2026

Conversation

@riglar riglar commented Jul 1, 2026

Contributor

Summary

Resolves all 8 open Dependabot alerts by bumping two transitive dependencies pinned via the lockfile.

| Package | Before | After | Fixes |
|---|---|---|---|
| undici | 7.24.4 | 8.5.0 | 7 advisories — WebSocket DoS (high), SOCKS5 cross-origin routing (high), TLS cert validation bypass (high), Set-Cookie / cache disclosure (med/low) — needed ≥7.28.0 |
| form-data | 4.0.5 | 4.0.6 | CRLF injection via unescaped multipart field names (high) |

Changes

  • package.json: pnpm.overrides.undici >=7.24.4 → >=7.28.0; form-data ^4.0.5 → ^4.0.6
  • pnpm-lock.yaml: regenerated (undici → 8.5.0, form-data → 4.0.6)
  • dist/index.js: rebuilt via ncc build

Notes

  • undici jumps a major version (7 → 8) since the override permits the latest. It's a transitive dep only (not imported directly by the action), and pnpm run build compiles cleanly.
  • Recommend a CI / integration run against the rebuilt dist before release.

🤖 Generated with Claude Code



Resolves 8 open Dependabot alerts:
- undici 7.24.4 -> 8.5.0 (override >=7.28.0): fixes 7 advisories incl.
  WebSocket DoS, SOCKS5 cross-origin routing, TLS validation bypass
- form-data 4.0.5 -> 4.0.6: fixes CRLF injection via multipart field names

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@riglar riglar force-pushed the fix/dependabot-undici-form-data branch from efbc6e5 to d3f95c6 on July 1, 2026 08:38
@riglar riglar merged commit 009e399 into main Jul 1, 2026
2 checks passed
@riglar riglar deleted the fix/dependabot-undici-form-data branch July 1, 2026 08:40