
fix: pin undici >=6.27.0 to resolve CVE-2026-12151 and related (alerts #65-68)#262

Closed
liliwilson wants to merge 1 commit into main from independabot/undici-CVE-2026-12151

Conversation

@liliwilson

Contributor

Pin undici to >=6.27.0 via npm overrides to resolve 4 open Dependabot alerts.

Vulnerabilities fixed:

Root cause: undici 6.25.0 is a transitive dep via @actions/http-client@3.0.2 (^6.23.0). Dependabot couldn't auto-update due to constraint conflicts. npm overrides forces resolution to >=6.27.0 (resolved to 8.5.0).

Verification: npm audit shows no undici vulnerabilities; npm run build passes.

Adds npm overrides to force undici to >=6.27.0, resolving:
- CVE-2026-12151 (high): WebSocket DoS via fragment count bypass
- CVE-2026-9679 (moderate): HTTP header injection via Set-Cookie percent-decoding
- CVE-2026-6733 (low): HTTP response queue poisoning via keep-alive socket reuse
- CVE-2026-11525 (low): Set-Cookie SameSite attribute downgrade

undici is a transitive dependency via @actions/http-client@3.0.2.
Dependabot could not auto-update due to constraint conflicts;
npm overrides forces the resolution.

Co-Authored-By: Oz <oz-agent@warp.dev>
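As an added example (not code from the PR or the project), here is the check a reviewer would want alongside an `overrides` pin: a Node script that walks a package-lock.json `packages` map (lockfile v2/v3) and reports every copy of undici, hoisted or nested, that still sits below the 6.27.0 floor, next to the package.json `overrides` fragment the PR describes. The sample lockfile is constructed; the @actions/http-client@3.0.2 entry, undici 6.25.0 and the resolved 8.5.0 come from the PR text.

```javascript
// Added example, not the PR's own code. Checks a package-lock.json (v2/v3
// "packages" map) for copies of undici below a minimum version, and shows the
// package.json "overrides" entry that forces the resolution the PR describes.
const MIN_UNDICI = '6.27.0'; // floor from the PR

// Equivalent of the override the PR adds to package.json.
const overrideFragment = { overrides: { undici: `>=${MIN_UNDICI}` } };

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes are ignored here).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Every installed copy of undici, hoisted or nested under another package.
// A nested copy is how an override can silently fail to reach a transitive dep.
function findUndici(lock) {
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === 'node_modules/undici' || p.endsWith('/node_modules/undici'))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Copies that still violate the floor; an empty list means the override held.
function offendingUndici(lock, min = MIN_UNDICI) {
  return findUndici(lock).filter(h => compareSemver(h.version, min) < 0);
}

// Constructed sample: the pre-fix nested undici 6.25.0 under
// @actions/http-client@3.0.2 (from the PR), plus a hoisted copy at the
// 8.5.0 the PR reports as the resolved version after the override.
const sampleLockBefore = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/@actions/http-client': { version: '3.0.2', dependencies: { undici: '^6.23.0' } },
    'node_modules/@actions/http-client/node_modules/undici': { version: '6.25.0' },
    'node_modules/undici': { version: '8.5.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(overrideFragment));
  console.log(offendingUndici(sampleLockBefore)); // the nested 6.25.0 copy only
}
```

Run it against a real lockfile by replacing `sampleLockBefore` with `JSON.parse(fs.readFileSync('package-lock.json'))`; a non-empty result means the override did not reach every copy.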
@liliwilson liliwilson requested a review from dannyneira June 24, 2026 13:05
@liliwilson

Contributor Author

Closing this independabot PR because the same dependency update is already covered by dependabot PR #261, which updates undici to 6.27.0.

@liliwilson liliwilson closed this Jun 29, 2026
