chore(deps-dev): bump undici from 7.22.0 to 7.24.1 by dependabot[bot] · Pull Request #1105 · scality/zenko-ui

dependabot · 2026-03-13T23:49:40Z

Bumps undici from 7.22.0 to 7.24.1.

Release notes

v7.24.1

What's Changed

fix: proto pollution by @rahulyadav5524 in nodejs/undici#4885

Full Changelog: nodejs/undici@v7.24.0...v7.24.1

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
Malicious WebSocket 64-bit frame length handling could crash the client.

GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
CRLF injection via the upgrade option.

GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
Unbounded memory consumption in WebSocket permessage-deflate decompression.

Affected and patched ranges

CVE-2026-1525: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-1528: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-2581: affected >= 7.17.0 < 7.24.0, patched 7.24.0

CVE-2026-1527: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-2229: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-1526: affected 7.0.0 < 7.24.0, patched 7.24.0

References

GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories

NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525

NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528

... (truncated)

Commits

23e3cd3 Bumped v7.24.1
3aedaa8 remove PLAN.md
0d7ec33 fix: proto pollution (#4885)
07a3906 Bumped v7.24.0 (#4887)
74495c6 fix: reject duplicate content-length and host headers
84235c6 Fix websocket 64-bit length overflow
77594f9 fix: validate upgrade header to prevent CRLF injection
cb79c57 fix: validate server_max_window_bits range in permessage-deflate
4147ce2 Merge commit '2ee00cb3'
2ee00cb fix(websocket): add maxDecompressedMessageSize limit for permessage-deflate
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [undici](https://github.com/nodejs/undici) from 7.22.0 to 7.24.1. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.22.0...v7.24.1) --- updated-dependencies: - dependency-name: undici dependency-version: 7.24.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

bert-e · 2026-03-13T23:49:43Z

Hello dependabot[bot],

My role is to assist you with the merge of this
pull request. Please type @bert-e help to get information
on this process, or consult the user documentation.

Available options

name	description	privileged	authored
`/after_pull_request`	Wait for the given pull request id to be merged before continuing with the current one.
`/bypass_author_approval`	Bypass the pull request author's approval	⭐
`/bypass_build_status`	Bypass the build and test status	⭐
`/bypass_commit_size`	Bypass the check on the size of the changeset `TBA`	⭐
`/bypass_incompatible_branch`	Bypass the check on the source branch prefix	⭐
`/bypass_jira_check`	Bypass the Jira issue check	⭐
`/bypass_peer_approval`	Bypass the pull request peers' approval	⭐
`/bypass_leader_approval`	Bypass the pull request leaders' approval	⭐
`/approve`	Instruct Bert-E that the author has approved the pull request.		✍️
`/create_pull_requests`	Allow the creation of integration pull requests.
`/create_integration_branches`	Allow the creation of integration branches.
`/no_octopus`	Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead
`/unanimity`	Change review acceptance criteria from `one reviewer at least` to `all reviewers`
`/wait`	Instruct Bert-E not to run until further notice.

Available commands

name	description	privileged
`/help`	Print Bert-E's manual in the pull request.
`/status`	Print Bert-E's current status in the pull request `TBA`
`/clear`	Remove all comments from Bert-E from the history `TBA`
`/retry`	Re-start a fresh build `TBA`
`/build`	Re-start a fresh build `TBA`
`/force_reset`	Delete integration branches & pull requests, and restart merge process from the beginning.
`/reset`	Try to remove integration branches unless there are commits on them which do not appear on the source branch.

Status report is not available.

The following options are set: bypass_author_approval, bypass_jira_check

bert-e · 2026-03-13T23:49:49Z

Waiting for approval

The following approvals are needed before I can proceed with the merge:

the author
one peer

Peer approvals must include at least 1 approval from the following list:

The following options are set: bypass_author_approval, bypass_jira_check

bert-e · 2026-03-13T23:55:12Z

Waiting for approval

The following approvals are needed before I can proceed with the merge:

the author
one peer

Peer approvals must include at least 1 approval from the following list:

The following options are set: bypass_author_approval, bypass_jira_check

dependabot · 2026-03-16T09:51:58Z

Superseded by #1107.

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Mar 13, 2026

dependabot Bot mentioned this pull request Mar 13, 2026

Bump undici from 6.21.0 to 6.21.3 #872

Closed

dependabot Bot closed this Mar 16, 2026

dependabot Bot deleted the dependabot/npm_and_yarn/undici-7.24.1 branch March 16, 2026 09:52

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps-dev): bump undici from 7.22.0 to 7.24.1#1105

chore(deps-dev): bump undici from 7.22.0 to 7.24.1#1105
dependabot[bot] wants to merge 1 commit into
development/4.2from
dependabot/npm_and_yarn/undici-7.24.1

dependabot Bot commented on behalf of github Mar 13, 2026

Uh oh!

bert-e commented Mar 13, 2026

Uh oh!

bert-e commented Mar 13, 2026

Uh oh!

bert-e commented Mar 13, 2026

Uh oh!

dependabot Bot commented on behalf of github Mar 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github Mar 13, 2026

v7.24.1

What's Changed

v7.24.0

Undici v7.24.0 Security Release Notes

Upgrade guidance

Fixed advisories

Affected and patched ranges

References

Uh oh!

bert-e commented Mar 13, 2026

Hello dependabot[bot],

Uh oh!

bert-e commented Mar 13, 2026

Waiting for approval

Uh oh!

bert-e commented Mar 13, 2026

Waiting for approval

Uh oh!

dependabot Bot commented on behalf of github Mar 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant