tools: bump undici from 6.24.1 to 6.27.0 in /tools/doc#64031

Merged
aduh95 merged 1 commit into
mainfrom
dependabot/npm_and_yarn/tools/doc/undici-6.27.0
Jul 2, 2026
Conversation

@dependabot dependabot Bot commented on behalf of github Jun 20, 2026

Contributor

Bumps undici from 6.24.1 to 6.27.0.

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0. v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

| Advisory | CVE | Severity (CVSS) | Fixed in | Fix commit |
| --- | --- | --- | --- | --- |
| GHSA-vxpw-j846-p89q | CVE-2026-12151 | High (7.5) | 6.27.0 | b7f252e7 |
| GHSA-p88m-4jfj-68fv | CVE-2026-9679 | Moderate (5.9) | 6.27.0 | 25efa447 |
| GHSA-g8m3-5g58-fq7m | CVE-2026-11525 | Low (3.7) | 6.27.0 | 25efa447 |
| GHSA-35p6-xmwp-9g52 | CVE-2026-6733 | Low (3.7) | 6.27.0 | f4c31d60 |

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [undici](https://github.com/nodejs/undici) from 6.24.1 to 6.27.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.24.1...v6.27.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 6.27.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
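A defender-side check for the "Action required" note in the release notes above, as an added example that is not part of this PR, of undici, or of Node.js: it scans an npm lockfile (lockfileVersion 2/3 `packages` map, the shape of `tools/doc/package-lock.json`) for undici entries still on a vulnerable 6.x version. The 6.27.0 threshold and the 6.x scope come from the release note; the sample lockfile is constructed, and the helper names are the author's own.

```javascript
// Added example, not undici's or Node.js's own code. Flags undici 6.x entries
// below 6.27.0 as vulnerable (the release note says the v6 fixes shipped in
// 6.27.0, so 6.26.0 is still vulnerable). Versions outside the 6.x line are
// reported as "unknown": this check encodes only what the v6 note states.
const FIXED_V6 = [6, 27, 0];

// Parse "MAJOR.MINOR.PATCH"; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Classify one undici version against the v6.27.0 advisory.
function classifyUndici(version) {
  const parsed = parseVersion(version);
  if (parsed[0] !== 6) return 'unknown';
  return compareVersions(parsed, FIXED_V6) < 0 ? 'vulnerable' : 'fixed';
}

// Walk the lockfile "packages" map; keys look like "node_modules/undici" or
// "node_modules/some-tool/node_modules/undici" for nested (indirect) copies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/undici') || !entry.version) continue;
    findings.push({ path, version: entry.version, status: classifyUndici(entry.version) });
  }
  return findings;
}

// Constructed sample resembling tools/doc/package-lock.json before the bump.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'node-doc-generator' },
    'node_modules/undici': { version: '6.24.1' },
    'node_modules/some-tool/node_modules/undici': { version: '6.26.0' },
  },
};

console.log(auditLockfile(sampleLock));
```

Run it against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty "vulnerable" result means the bump has not reached every nested copy.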
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file. javascript Pull requests that update Javascript code labels Jun 20, 2026
@nodejs-github-bot

Collaborator

Review requested:

  • @nodejs/web-infra

@nodejs-github-bot nodejs-github-bot added doc Issues and PRs related to the documentations. tools Issues and PRs related to the tools directory. labels Jun 20, 2026
@Renegade334 Renegade334 added the commit-queue Add this label to land a pull request using GitHub Actions. label Jun 21, 2026
@nodejs-github-bot nodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Jun 22, 2026
@nodejs-github-bot

Collaborator
Commit Queue failed
- Loading data for nodejs/node/pull/64031
✔  Done loading data for nodejs/node/pull/64031
----------------------------------- PR info ------------------------------------
Title      tools: bump undici from 6.24.1 to 6.27.0 in /tools/doc (#64031)
   ⚠  Could not retrieve the email or name of the PR author's from user's GitHub profile!
Branch     undefined:dependabot/npm_and_yarn/tools/doc/undici-6.27.0 -> nodejs:main
Labels     doc, tools, dependencies, javascript
Commits    1
 - tools: bump undici from 6.24.1 to 6.27.0 in /tools/doc
Committers 1
 - GitHub <noreply@github.com>
PR-URL: https://github.com/nodejs/node/pull/64031
Fixes: https://github.com/nodejs/undici/commit/b7f252e7
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/64031
Fixes: https://github.com/nodejs/undici/commit/b7f252e7
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
--------------------------------------------------------------------------------
   ℹ  This PR was created on Sat, 20 Jun 2026 15:48:43 GMT
   ✔  Approvals: 1
   ✔  - René (@Renegade334): https://github.com/nodejs/node/pull/64031#pullrequestreview-4540204026
   ✘  This PR needs to wait 119 more hours to land (or 0 minutes if there is one more approval)
   ✔  Last GitHub CI successful
   ℹ  Green GitHub CI is sufficient
--------------------------------------------------------------------------------
   ✔  Aborted `git node land` session in /home/runner/work/node/node/.ncu
https://github.com/nodejs/node/actions/runs/27970612172

@aduh95 aduh95 added commit-queue Add this label to land a pull request using GitHub Actions. and removed commit-queue-failed An error occurred while landing this pull request using GitHub Actions. labels Jul 2, 2026
@nodejs-github-bot nodejs-github-bot added commit-queue-failed An error occurred while landing this pull request using GitHub Actions. and removed commit-queue Add this label to land a pull request using GitHub Actions. labels Jul 2, 2026
@nodejs-github-bot

Collaborator
Commit Queue failed
- Loading data for nodejs/node/pull/64031
✔  Done loading data for nodejs/node/pull/64031
----------------------------------- PR info ------------------------------------
Title      tools: bump undici from 6.24.1 to 6.27.0 in /tools/doc (#64031)
   ⚠  Could not retrieve the email or name of the PR author's from user's GitHub profile!
Branch     undefined:dependabot/npm_and_yarn/tools/doc/undici-6.27.0 -> nodejs:main
Labels     doc, tools, dependencies, javascript
Commits    1
 - tools: bump undici from 6.24.1 to 6.27.0 in /tools/doc
Committers 1
 - GitHub <noreply@github.com>
PR-URL: https://github.com/nodejs/node/pull/64031
Fixes: https://github.com/nodejs/undici/commit/b7f252e7
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/64031
Fixes: https://github.com/nodejs/undici/commit/b7f252e7
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
--------------------------------------------------------------------------------
   ℹ  This PR was created on Sat, 20 Jun 2026 15:48:43 GMT
   ✔  Approvals: 1
   ✔  - René (@Renegade334): https://github.com/nodejs/node/pull/64031#pullrequestreview-4540204026
   ✔  Last GitHub CI successful
   ℹ  Green GitHub CI is sufficient
--------------------------------------------------------------------------------
   ✔  No git cherry-pick in progress
   ✔  No git am in progress
   ✔  No git rebase in progress
--------------------------------------------------------------------------------
- Bringing origin/main up to date...
From https://github.com/nodejs/node
 * branch                  main       -> FETCH_HEAD
✔  origin/main is now up-to-date
- Downloading patch for 64031
From https://github.com/nodejs/node
 * branch                  refs/pull/64031/merge -> FETCH_HEAD
✔  Fetched commits as b2e83150cb54..dd808b4257a1
--------------------------------------------------------------------------------
Auto-merging tools/doc/package-lock.json
[main 78aa4adc13] tools: bump undici from 6.24.1 to 6.27.0 in /tools/doc
 Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 Date: Sat Jun 20 15:48:41 2026 +0000
 1 file changed, 3 insertions(+), 3 deletions(-)
   ✔  Patches applied
--------------------------------------------------------------------------------
--------------------------------- New Message ----------------------------------
tools: bump undici from 6.24.1 to 6.27.0 in /tools/doc

Bumps undici from 6.24.1 to 6.27.0.


updated-dependencies:

  • dependency-name: undici
    dependency-version: 6.27.0
    dependency-type: indirect
    ...

Signed-off-by: dependabot[bot] <support@github.com>
PR-URL: #64031
Fixes: nodejs/undici@b7f252e7
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>

[main 71bd8ed122] tools: bump undici from 6.24.1 to 6.27.0 in /tools/doc
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat Jun 20 15:48:41 2026 +0000
1 file changed, 3 insertions(+), 3 deletions(-)
✖ 71bd8ed12279bc9d579d5fd5a42bee24423c5cdb
✔ 0:0 no Assisted-by metadata assisted-by-is-trailer
✔ 0:0 no Co-authored-by metadata co-authored-by-is-trailer
✖ 14:7 Fixes must be a GitHub URL. fixes-url
✔ 0:0 blank line after title line-after-title
✔ 0:0 line-lengths are valid line-length
✔ 0:0 metadata is at end of message metadata-end
✔ 13:8 PR-URL is valid. pr-url
✔ 0:0 reviewers are valid reviewers
⚠ 12:0 bot commit should not have a "Signed-off-by" trailer signed-off-by
✔ 0:0 valid subsystems subsystem
✔ 0:0 Title is formatted correctly. title-format
⚠ 0:50 Title should be <= 50 columns. title-length

ℹ Please fix the commit message and try again.
Please manually ammend the commit message, by running
git commit --amend
Once commit message is fixed, finish the landing command running
git node land --continue

https://github.com/nodejs/node/actions/runs/28576287827

@aduh95 aduh95 merged commit 7828395 into main Jul 2, 2026
56 checks passed
aduh95 commented Jul 2, 2026

Contributor

Landed in 7828395

@aduh95 aduh95 deleted the dependabot/npm_and_yarn/tools/doc/undici-6.27.0 branch July 2, 2026 08:36