Skip to content

fix: update undici dependency path for CVE-2026 alerts#235

Merged
liliwilson merged 1 commit into
mainfrom
independabot/undici-cve-2026-1526
Jun 3, 2026
Merged

fix: update undici dependency path for CVE-2026 alerts#235
liliwilson merged 1 commit into
mainfrom
independabot/undici-cve-2026-1526

Conversation

@dannyneira

Copy link
Copy Markdown
Member

Summary

  • Updates @actions/core from ^1.6.0 to ^2.0.3, which pulls @actions/http-client@3.0.2 and patched undici@6.25.0.
  • Rebuilds the checked-in dist/ bundle with ncc.
  • Updates CI Node setup from 16.x to 20.x to match action.yml and the patched dependency engine requirements.

Dependabot alerts resolved

Notes

  • These were transitive runtime alerts for undici through @actions/core -> @actions/http-client.
  • Dependabot reported alert 41 could not be fixed on the old @actions/http-client@2.2.3 path because it required undici@^5.25.4; this PR moves to the upstream @actions/core@2.0.3 path instead of forcing an override.

Verification

  • npm audit --json: undici, @actions/core, and @actions/http-client are no longer reported as vulnerable.
  • npm --prefix /workspace/generate-changelog run all
  • npx --yes npm@8 ci --prefix /workspace/generate-changelog

Conversation: https://staging.warp.dev/conversation/8004f084-5693-4f77-9267-be632984a3c4
Run: https://oz.staging.warp.dev/runs/019e3184-22d2-71d7-a0cd-719bd9ee2224
This PR was generated with Oz.

@dannyneira
dannyneira requested a review from zachbai May 16, 2026 16:05
@dannyneira
dannyneira marked this pull request as ready for review May 26, 2026 21:46
Co-Authored-By: Oz <oz-agent@warp.dev>
@liliwilson
liliwilson force-pushed the independabot/undici-cve-2026-1526 branch from 8c22d81 to 0a83c4a Compare June 3, 2026 05:27
@liliwilson
liliwilson merged commit e96cd5f into main Jun 3, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants