fix(deps): Bump undici to 6.27.0 to resolve security alerts #67

Merged: wochinge merged 1 commit into main from implement-int-issues-dependabot on Jun 23, 2026
Conversation

@wochinge (Collaborator)

Summary

  • Bump transitive dependency undici 6.25.0 → 6.27.0 to clear four open Dependabot alerts. undici ships into the action only via @actions/http-client, @actions/glob, and @octokit/request; their ^6.23.0 range already permits 6.27.0, so this is a clean lockfile re-resolution with no override.
  • Rebuild dist/ so the fix is actually shipped — the action bundles dependencies via ncc, so the lockfile bump alone wouldn't reach consumers.
  • No code change for the two esbuild tickets: they are already resolved (see Major Decisions).

Linear

  • INT-1894 — undici HTTP header injection via Set-Cookie percent-decoding (medium) — fixed by bump
  • INT-1893 — undici Set-Cookie SameSite downgrade (low) — fixed by bump
  • INT-1892 — undici WebSocket DoS via fragment count bypass (high) — fixed by bump
  • INT-1891 — undici HTTP response queue poisoning (low) — fixed by bump
  • INT-1785 — esbuild Deno-module RCE — not applicable (see below)
  • INT-1782 — esbuild Windows dev-server path traversal — already fixed (see below)

Major Decisions

  • esbuild tickets resolved without a code change. esbuild is a transitive dev/test dep (vite/vitest) at the latest version 0.28.1.
    • INT-1782 (GHSA-g7r4-m6w7-qqqr) is patched in 0.28.1, which is already installed — Dependabot reports this alert as fixed.
    • INT-1785 (Deno-module RCE via NPM_CONFIG_REGISTRY) is not among the repo's Dependabot alerts; it affects esbuild's Deno distribution (lib/deno/mod.ts), which this npm-based project never uses, and there is no newer patched version to move to.
    • Recommend closing these two as resolved / won't-fix with this rationale rather than tying them to a code change.

Review Focus

  • The large dist/index.js diff is generated output from pnpm run build; the meaningful change is the pnpm-lock.yaml undici bump (6.25.0 → 6.27.0). Verified typecheck, lint, check:schema, all 56 tests, and the build pass, and that the installed/bundled undici is 6.27.0.

🤖 Generated with Claude Code

Resolves four open Dependabot alerts for the transitive undici
dependency (header injection, SameSite downgrade, WebSocket DoS,
keep-alive response queue poisoning), all patched in 6.27.0.
Rebuilds dist so the bundled action ships the fix.

Closes INT-1891, INT-1892, INT-1893, INT-1894

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
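A check for the three claims the description rests on (exactly one resolved undici version, inside the dependents' ^6.23.0 ranges so no override is needed, and actually present in the ncc bundle in dist/), as an added example that is not part of this PR or the project's code. It runs on constructed lockfile and bundle fragments and assumes ncc inlines undici's package.json as a JSON string.

```javascript
// Constructed sample inputs (not the real files from this repo): a pnpm-lock.yaml
// fragment and a slice of an ncc bundle that inlines undici's package.json.
const LOCK_SAMPLE = `packages:
  '@actions/http-client@2.2.3':
    dependencies:
      undici: 6.27.0
  undici@6.27.0:
    resolution: {integrity: sha512-PLACEHOLDER}
`;
const BUNDLE_SAMPLE = `module.exports = JSON.parse('{"name":"undici","version":"6.27.0","description":"An HTTP/1.1 client"}');`;

// Every version of `pkg` resolved in the lockfile: v6 keys ('/pkg@x.y.z:') and v9 keys
// ('pkg@x.y.z:' or 'pkg@x.y.z(peer...):'), but not dependency lines ('pkg: x.y.z').
function lockedVersions(lockText, pkg) {
  const re = new RegExp(`^\\s*'?/?${pkg}@(\\d+\\.\\d+\\.\\d+)[^:\\n]*:`, 'gm');
  return [...new Set([...lockText.matchAll(re)].map((m) => m[1]))];
}

// Version of `pkg` inside the bundle. Assumption: the bundler inlines the package's
// package.json as a JSON string, so "name" and "version" sit in one object literal.
function bundledVersion(bundleText, pkg) {
  const m = bundleText.match(new RegExp(`"name":"${pkg}"[^}]*?"version":"(\\d+\\.\\d+\\.\\d+)"`));
  return m ? m[1] : null;
}

// Minimal caret check (^x.y.z): the leading non-zero component is pinned and anything
// at or above the floor is allowed. Enough to answer "would a pnpm override be needed?".
function satisfiesCaret(range, version) {
  const m = range.match(/^\^(\d+)\.(\d+)\.(\d+)$/);
  if (!m) throw new Error(`only ^x.y.z ranges are handled: ${range}`);
  const floor = m.slice(1).map(Number), v = version.split('.').map(Number);
  const pinned = floor[0] > 0 ? 1 : floor[1] > 0 ? 2 : 3;
  for (let i = 0; i < pinned; i++) if (v[i] !== floor[i]) return false;
  for (let i = 0; i < 3; i++) if (v[i] !== floor[i]) return v[i] > floor[i];
  return true;
}

// Cross-check the three claims a bump like this rests on: exactly one resolved version
// and it is the expected one, every dependent's range admits it, and dist/ carries it.
function verifyBump({ lockText, bundleText, pkg, expected, dependentRanges }) {
  const locked = lockedVersions(lockText, pkg), bundled = bundledVersion(bundleText, pkg);
  const problems = [];
  if (locked.length !== 1) problems.push(`expected one resolved ${pkg}, found: ${locked.join(', ') || 'none'}`);
  else if (locked[0] !== expected) problems.push(`lockfile resolves ${pkg}@${locked[0]}, expected ${expected}`);
  for (const [dep, range] of Object.entries(dependentRanges))
    if (!satisfiesCaret(range, expected)) problems.push(`${dep} range ${range} excludes ${expected}: override needed`);
  if (bundled !== expected) problems.push(`bundle carries ${pkg}@${bundled ?? '<absent>'}, not ${expected}: rebuild dist/`);
  return { ok: problems.length === 0, locked, bundled, problems };
}
```

In a real repo, feed it the contents of pnpm-lock.yaml and dist/index.js; a stale bundle is reported as a problem rather than silently passing.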
@github-actions (Contributor)

@claude review

@github-actions (Contributor) commented Jun 23, 2026

Experiment Results: 2fa0eba

Experiment           Status
Uppercase (py)       ✅ Pass
Uppercase (ts)       ✅ Pass
Mixed dir (node)     ✅ Pass
Mixed dir (python)   ✅ Pass
Regression fixture   ❌ Regression

Details

✅ Uppercase (py): avg_accuracy 1.000
Item results (3):
  Item  Input     Expected  Output    exact_match
  1     langfuse  LANGFUSE  LANGFUSE  1.000
  2     world     WORLD     WORLD     1.000
  3     hello     HELLO     HELLO     1.000

✅ Uppercase (ts): avg_accuracy 1.000
Item results (3):
  Item  Input     Expected  Output    exact_match
  1     langfuse  LANGFUSE  LANGFUSE  1.000
  2     world     WORLD     WORLD     1.000
  3     hello     HELLO     HELLO     1.000

✅ Mixed dir (node): avg_accuracy 1.000
Item results (3):
  Item  Input     Expected  Output    exact_match
  1     langfuse  LANGFUSE  LANGFUSE  1.000
  2     world     WORLD     WORLD     1.000
  3     hello     HELLO     HELLO     1.000

✅ Mixed dir (python): avg_accuracy 1.000
Item results (3):
  Item  Input     Expected  Output    exact_match
  1     langfuse  LANGFUSE  LANGFUSE  1.000
  2     world     WORLD     WORLD     1.000
  3     hello     HELLO     HELLO     1.000

❌ Regression fixture

RegressionError: synthetic regression triggered by e2e fixture

Item results (3):
  Item  Input     Expected  Output    exact_match
  1     langfuse  LANGFUSE  LANGFUSE  1.000
  2     world     WORLD     WORLD     1.000
  3     hello     HELLO     HELLO     1.000

@claude (Bot) left a comment

LGTM — clean undici 6.25.0 → 6.27.0 bump with regenerated dist bundle to ship the security fixes.

Extended reasoning...

Overview

This PR bumps the transitive undici dependency from 6.25.0 → 6.27.0 in pnpm-lock.yaml to clear four Dependabot security alerts (header injection via Set-Cookie, SameSite downgrade, WebSocket DoS, response queue poisoning). The dist/index.js and dist/index.js.map diffs are entirely the regenerated ncc bundle — the meaningful changes are the lockfile bump plus the new undici source pulled in by the bundler.

Security risks

None introduced. This PR resolves security alerts rather than creating new risks. The bumped undici is within the existing ^6.23.0 semver range used by @actions/http-client, @actions/glob, and @octokit/request, so no override is needed.

Level of scrutiny

Low — this is a routine transitive dependency patch bump driven by Dependabot alerts. The repo's policy of rebuilding dist/ to ship bundled changes is correctly followed.

Other factors

No bugs were flagged by the bug hunting system. The author notes that typecheck, lint, check:schema, all 56 tests, and the build pass locally, and the recent commit history shows similar undici/dep bumps merged cleanly.

wochinge merged commit 377da5a into main on Jun 23, 2026 (12 checks passed)
wochinge deleted the implement-int-issues-dependabot branch on June 23, 2026 at 10:05