refactor: Bump undici from 6.23.0 to 6.24.1 by dependabot[bot] · Pull Request #820 · parse-community/parse-server-example

dependabot · 2026-03-30T17:05:35Z

Bumps undici from 6.23.0 to 6.24.1.

Release notes

v6.24.1

Full Changelog: nodejs/undici@v6.24.0...v6.24.1

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
Malicious WebSocket 64-bit frame length handling could crash the client.

GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
CRLF injection via the upgrade option.

GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

CVE-2026-1525: affected < 6.24.0, patched 6.24.0

CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0

CVE-2026-1527: affected < 6.24.0, patched 6.24.0

CVE-2026-2229: affected < 6.24.0, patched 6.24.0

CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories

NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525

NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528

NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527

NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229

NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

Commits

c0cf656 Bumped v6.24.1
f5a9f0c Fix v6 release workflow branch targeting
af2cb8f wqremove maxDecompressedMessageSize (#4891)
8873c94 Bumped v6.24.0
411bd01 test(websocket): use node:assert for Node 18 compatibility
844bf59 test: fix http2 lint regressions in backport
a444e4f test: stabilize h2 and tls-cert-leak under current test runner
dc032a1 fix: h2 CI (#4395)
4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
7df6442 fix: adapt websocket frame-limit handling for v6 parser
Additional commits viewable in compare view

Summary by CodeRabbit

Chores
- Updated HTTP client library dependencies to their latest versions.

Bumps [undici](https://github.com/nodejs/undici) from 6.23.0 to 6.24.1. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v6.23.0...v6.24.1) --- updated-dependencies: - dependency-name: undici dependency-version: 6.24.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

mtrezza · 2026-03-30T19:00:59Z

@coderabbitai review

coderabbitai · 2026-03-30T19:01:06Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai · 2026-03-30T19:01:15Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: b0814580-c1a4-4f34-b1bd-a2d901eb5ab7

📥 Commits

Reviewing files that changed from the base of the PR and between 7a1a939 and 8a2a1fa.

📒 Files selected for processing (1)

package-lock.json

📝 Walkthrough

Walkthrough

Updated undici dependency versions in package-lock.json. The root undici dependency moved from version 6.23.0 to 6.24.1, and the nested undici dependency under @semantic-release/github moved from 7.16.0 to 7.24.6. Corresponding resolved URLs and integrity hashes were updated accordingly.

Changes

Cohort / File(s)	Summary
Dependency updates `package-lock.json`	Updated `undici` from `6.23.0` → `6.24.1` and nested `@semantic-release/github/node_modules/undici` from `7.16.0` → `7.24.6`, with corresponding tarball URLs and integrity hashes updated.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: bumping the undici dependency from version 6.23.0 to 6.24.1, which aligns with the package-lock.json modifications shown in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch dependabot/npm_and_yarn/undici-6.24.1

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 30, 2026

dependabot Bot mentioned this pull request Mar 30, 2026

refactor: Bump undici #811

Closed

dependabot Bot force-pushed the dependabot/npm_and_yarn/undici-6.24.1 branch 2 times, most recently from 0270d1d to 2f8b0fa Compare March 30, 2026 17:50

dependabot Bot force-pushed the dependabot/npm_and_yarn/undici-6.24.1 branch from 2f8b0fa to 8a2a1fa Compare March 30, 2026 17:54

coderabbitai Bot approved these changes Mar 30, 2026

View reviewed changes

mtrezza merged commit 154008d into master Mar 30, 2026
3 checks passed

mtrezza deleted the dependabot/npm_and_yarn/undici-6.24.1 branch March 30, 2026 19:04

coderabbitai Bot mentioned this pull request Mar 31, 2026

refactor: Bump @types/node from 25.2.3 to 25.5.0 #840

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

refactor: Bump undici from 6.23.0 to 6.24.1#820

refactor: Bump undici from 6.23.0 to 6.24.1#820
mtrezza merged 1 commit intomasterfrom
dependabot/npm_and_yarn/undici-6.24.1

dependabot Bot commented on behalf of github Mar 30, 2026 •

edited by coderabbitai Bot

Loading

Uh oh!

mtrezza commented Mar 30, 2026

Uh oh!

coderabbitai Bot commented Mar 30, 2026

Uh oh!

coderabbitai Bot commented Mar 30, 2026 •

edited

Loading

Walkthrough

Changes

Estimated code review effort

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

dependabot Bot commented on behalf of github Mar 30, 2026 • edited by coderabbitai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v6.24.1

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

Upgrade guidance

Fixed advisories

Not applicable to v6

Affected and patched ranges (v6)

References

Summary by CodeRabbit

Uh oh!

mtrezza commented Mar 30, 2026

Uh oh!

coderabbitai Bot commented Mar 30, 2026

Uh oh!

coderabbitai Bot commented Mar 30, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

dependabot Bot commented on behalf of github Mar 30, 2026 •

edited by coderabbitai Bot

Loading

coderabbitai Bot commented Mar 30, 2026 •

edited

Loading