fix(deps): Bump undici to 6.27.0 to resolve security alerts #67
Resolves four open Dependabot alerts for the transitive undici dependency (header injection, SameSite downgrade, WebSocket DoS, keep-alive response queue poisoning), all patched in 6.27.0. Rebuilds dist so the bundled action ships the fix.

Closes INT-1891, INT-1892, INT-1893, INT-1894

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

@claude review
| Experiment | Status | Actions |
|---|---|---|
| Uppercase (py) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Uppercase (ts) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (node) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Mixed dir (python) | ✅ Pass | View GitHub Action Run · View in Langfuse |
| Regression fixture | ❌ Regression | View GitHub Action Run · View in Langfuse |
LGTM — clean undici 6.25.0 → 6.27.0 bump with regenerated dist bundle to ship the security fixes.
Extended reasoning...
Overview
This PR bumps the transitive undici dependency from 6.25.0 → 6.27.0 in pnpm-lock.yaml to clear four Dependabot security alerts (header injection via Set-Cookie, SameSite downgrade, WebSocket DoS, response queue poisoning). The dist/index.js and dist/index.js.map diffs are entirely the regenerated ncc bundle — the meaningful changes are the lockfile bump plus the new undici source pulled in by the bundler.
Security risks
None introduced. This PR resolves security alerts rather than creating new risks. The bumped undici is within the existing ^6.23.0 semver range used by @actions/http-client, @actions/glob, and @octokit/request, so no override is needed.
Level of scrutiny
Low — this is a routine transitive dependency patch bump driven by Dependabot alerts. The repo's policy of rebuilding dist/ to ship bundled changes is correctly followed.
Other factors
No bugs were flagged by the bug hunting system. The author notes that typecheck, lint, check:schema, all 56 tests, and the build pass locally, and the recent commit history shows similar undici/dep bumps merged cleanly.
Summary
- Bumps `undici` 6.25.0 → 6.27.0 to clear four open Dependabot alerts.
- `undici` ships into the action only via `@actions/http-client`, `@actions/glob`, and `@octokit/request`; their `^6.23.0` range already permits 6.27.0, so this is a clean lockfile re-resolution with no override.
- Rebuilds `dist/` so the fix is actually shipped — the action bundles dependencies via ncc, so the lockfile bump alone wouldn't reach consumers.
- Linear
Major Decisions
- `esbuild` is a transitive dev/test dep (vite/vitest) at the latest version `0.28.1`.
- The advisory GHSA-g7r4-m6w7-qqqr is patched in `0.28.1`, which is already installed — Dependabot reports this alert as fixed.
- The advisory involving `NPM_CONFIG_REGISTRY` is not among the repo's Dependabot alerts; it affects esbuild's Deno distribution (`lib/deno/mod.ts`), which this npm-based project never uses, and there is no newer patched version to move to.

Review Focus
- The `dist/index.js` diff is generated output from `pnpm run build`; the meaningful change is the `pnpm-lock.yaml` undici bump (6.25.0 → 6.27.0).
- Verified `typecheck`, `lint`, `check:schema`, all 56 tests, and the build pass, and that the installed/bundled `undici` is 6.27.0.

🤖 Generated with Claude Code
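The verification step described under Review Focus, that every copy of `undici` the lockfile resolves is at or above the patched 6.27.0 and still inside the `^6.23.0` range its consumers declare, can be scripted so it runs in CI on every dependency bump. The following is an added example, not the project's own code or tooling: the lockfile text is constructed in pnpm lockfile v9 style, and the helper names (`auditLock`, `resolvedVersions`, `satisfiesCaret`) are hypothetical. It also covers the failure mode a plain "grep for 6.27.0" misses: a lockfile that was re-resolved for one consumer but still carries an older copy for another.

```javascript
// Added example (hypothetical helper, not part of the project): audit a
// pnpm-lock.yaml for every resolved copy of a transitive dependency.
// Both lockfile texts below are constructed for illustration.

const PATCHED_LOCK = `lockfileVersion: '9.0'
packages:
  '@actions/http-client@2.2.3':
    resolution: {integrity: sha512-CONSTRUCTED}
  undici@6.27.0:
    resolution: {integrity: sha512-CONSTRUCTED}
    engines: {node: '>=18.17'}
snapshots:
  '@actions/http-client@2.2.3':
    dependencies:
      tunnel: 0.0.6
      undici: 6.27.0
`;

// Constructed failure case: the bump reached one consumer, but pnpm kept a
// second, still-vulnerable copy of undici for another.
const PARTIAL_LOCK = PATCHED_LOCK.replace(
  "  undici@6.27.0:",
  "  undici@6.25.0:\n    resolution: {integrity: sha512-CONSTRUCTED}\n  undici@6.27.0:"
);

// Parse a plain x.y.z version into numeric parts; prerelease tags are rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`not a plain x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so 6.27.0 sorts after 6.9.0 (string compare would not).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics for major >= 1: at least the base version, same major.
function satisfiesCaret(version, range) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const base = range.slice(1);
  return compareVersions(version, base) >= 0 &&
    parseVersion(version)[0] === parseVersion(base)[0];
}

// Every version of `name` that the packages: section resolves, e.g. the
// line "  undici@6.27.0:" (scoped names are quoted, hence the optional ').
function resolvedVersions(lockText, name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`^  '?${escaped}@(\\d+\\.\\d+\\.\\d+)'?:\\s*$`, "gm");
  const versions = new Set();
  let m;
  while ((m = re.exec(lockText)) !== null) versions.add(m[1]);
  return [...versions].sort(compareVersions);
}

// Report any resolved copy below the patched version or outside the range.
function auditLock(lockText, { name, range, minPatched }) {
  const versions = resolvedVersions(lockText, name);
  const problems = [];
  if (versions.length === 0) problems.push(`${name} not found in lockfile`);
  for (const v of versions) {
    if (compareVersions(v, minPatched) < 0) {
      problems.push(`${name}@${v} is below patched ${minPatched}`);
    }
    if (!satisfiesCaret(v, range)) {
      problems.push(`${name}@${v} is outside declared range ${range}`);
    }
  }
  return { versions, ok: problems.length === 0, problems };
}

const POLICY = { name: "undici", range: "^6.23.0", minPatched: "6.27.0" };
console.log(JSON.stringify(auditLock(PATCHED_LOCK, POLICY)));
console.log(JSON.stringify(auditLock(PARTIAL_LOCK, POLICY)));
```

Run against the real `pnpm-lock.yaml` by reading the file instead of the constructed strings; a non-empty `problems` array is the signal to fail the build, and the `versions` list shows at a glance whether the bump deduplicated the dependency or left two copies behind.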