[hotfix-1.83] Update undici to v7.24.6 #2853

Merged: gardener-prow[bot] merged 1 commit into hotfix-1.83 from hf/bump-undici on Mar 27, 2026
Conversation

@petersutter petersutter commented Mar 27, 2026

What this PR does / why we need it:
Update undici to v7.24.6

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Release note:

Updated `undici` to `v7.24.6` to fix CVE-2026-1525 (Critical), CVE-2026-1526, CVE-2026-1528, CVE-2026-2229 (High)

@petersutter petersutter added the kind/bug Bug label Mar 27, 2026
@gardener-prow gardener-prow Bot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. labels Mar 27, 2026
@petersutter petersutter changed the base branch from master to hotfix-1.83 March 27, 2026 08:59
@gardener-prow gardener-prow Bot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Mar 27, 2026
coderabbitai Bot commented Mar 27, 2026

Caution

Review failed

Failed to post review comments

Walkthrough

Updated Node.js runtime from 22.18.0 to 22.22.0 across CI, Docker, and package configurations. Replaced Showdown with Unified/Remark/Rehype for markdown processing. Added SecretBinding-to-CredentialsBinding migration feature with new API endpoints, components, and documentation. Updated credentials handling for optional secret bindings.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Node.js Runtime Updates: .github/actions/prepare-release/action.yaml, .github/workflows/build.yaml, .github/workflows/dependency-diagrams.yml, Dockerfile, package.json, charts/package.json, packages/kube-client/package.json, packages/kube-config/package.json, packages/logger/package.json, packages/monitor/package.json, packages/polling-watcher/package.json, packages/request/package.json, packages/test-utils/package.json, yarn.config.cjs | Updated Node.js engine version from 22.18.0 to 22.22.0 across CI workflows, Docker base image, package manifests, and configuration files. |
| Markdown Engine Replacement: backend/lib/markdown.js, backend/lib/markdown.engine.mjs, backend/lib/routes/config.js, backend/__mocks__/@gardener-dashboard/markdown.cjs | Migrated markdown rendering from Showdown to Unified/Remark/Rehype stack. Replaced synchronous sanitization with async ESM engine. Updated config route to handle async sanitization. Added mock for testing. |
| Markdown Package Dependencies: .pnp.cjs, backend/package.json | Updated dependency snapshot and added rehype/remark/unified packages. Removed Showdown, upgraded sanitize-html to 2.17.0, and updated undici to 7.24.6. |
| Backend Markdown Tests & Config: backend/__tests__/markdown.spec.cjs, backend/jest.config.cjs, backend/rollup.config.js | Added comprehensive markdown sanitization test suite. Updated Jest config to reduce function coverage threshold and map markdown module to mock. Extended Rollup config to preserve markdown.engine.mjs as external and copy it to dist. |
| Credentials & SecretBinding Migration: backend/__fixtures__/shoots.cjs, backend/lib/services/shoots.js, backend/lib/services/cloudProviderCredentials.js, backend/lib/services/tickets.js | Made secretBindingName optional, added credentialsBindingName parameter. New patchCredentialsBindingName endpoint. Conditional secret creation. Converted ticket/issue functions to async for markdown sanitization. |
| Credential Migration Endpoints: backend/lib/routes/shoots.js, frontend/src/composables/useApi/api.js | Updated shoot routes to use hyphenated paths (seed-name, credentials-binding-name, admin-kubeconfig). Added new updateShootCredentialName API function. |
| Frontend Credential Components: frontend/src/components/Credentials/GBindingRowActions.vue, frontend/src/components/Credentials/GBindingRowInfra.vue, frontend/src/components/Credentials/GCredentialRowActions.vue, frontend/src/components/Credentials/GSelectCredential.vue, frontend/src/components/Credentials/GSecretDialog.vue, frontend/src/components/Credentials/GSecretDialogDelete.vue, frontend/src/components/Credentials/GSecretDialogMigration.vue, frontend/src/components/Credentials/GSecretDialogWrapper.vue | Added SecretBinding migration UI. New migration dialog component. Updated row actions to emit migration events. Changed credential filtering from name-based exclusion to predicate-based filterFn. Refactored binding reference display from lists to chips. |
| Shoot Credential Configuration: frontend/src/components/ShootDetails/GShootInfrastructureCard.vue, frontend/src/components/ShootDetails/GShootCredentialConfiguration.vue, frontend/src/components/Credentials/GSelectCredential.vue | New credential configuration component for shoots. Updated infrastructure card to support migration mode. Integrated credential selection with filtering. |
| Version Constraints: frontend/src/components/NewShoot/GNewShootDetails.vue, frontend/src/components/ShootVersion/GShootVersionUpdate.vue, frontend/src/components/ShootVersion/GShootVersionConfiguration.vue | Added Kubernetes 1.34+ validation disallowing SecretBinding for non-workerless clusters. Added migration warning when upgrading to 1.34+. Improved version selection UI. |
| Frontend Credential Store & Composables: frontend/src/store/credential.js, frontend/src/composables/credential/useCloudProviderBinding.js, frontend/src/composables/useShootContext.js | Reordered credentials/secrets composition. Added credentialsBindingNamesForSecretBinding computed. Added shootsUsingThisCredential tracking. Fixed addon normalization to remove spec.addons when no addons enabled. |
| Project Selection Refactoring: frontend/src/components/GMainNavigation.vue, frontend/src/components/GMainProjectSelection.vue | Extracted project-selection dropdown into dedicated component with virtualization, filtering, keyboard navigation. Simplified navigation to use router navigation with stale/ready status warnings. |
| Credentials Dialog & Views: frontend/src/views/GCredentials.vue | Added migrate-secret-binding event handler for infrastructure bindings row. |
| Vuetify Configuration: frontend/src/plugins/vuetify.js | Added default configuration for VTooltip component with eager: false. |
| Repository Metadata: VERSION, OWNERS, OWNERS_ALIASES, REUSE.toml, .yarnrc.yml | Updated version to 1.83.11-dev. Added OWNERS and OWNERS_ALIASES configuration. Extended REUSE.toml annotations. Added changesetBaseRefs to yarn config. |
| Documentation: docs/README.md, docs/usage/migrate-secret-bindings.md | Added migration guide for SecretBinding to CredentialsBinding with step-by-step workflow and version compatibility notes. |
| Test Updates: backend/__tests__/acceptance/api.cloudProviderCredentials.spec.cjs, backend/__tests__/acceptance/api.shoots.spec.cjs, backend/__tests__/docker.spec.cjs, backend/__tests__/watches.spec.cjs, frontend/__tests__/composables/useShootContext.spec.js | Added tests for credentials-only binding creation. Added tests for credentials-binding-name endpoint. Updated Node.js version extraction regex. Converted async mocks and fixtures. Added addon handling tests. |
| Authorization & Logging: backend/lib/github/octokit.js | Added redaction of authorization headers in debug logging. |

Sequence Diagram(s)

sequenceDiagram
    participant User as User/Frontend
    participant API as Backend API
    participant Markdown as Markdown Engine
    participant Sanitizer as Sanitize HTML
    participant DB as Kubernetes API

    User->>API: Request with HTML content<br/>(config, tickets, etc)
    activate API
    API->>Markdown: convertAndSanitize(text)
    activate Markdown
    Markdown->>Markdown: Parse with remark-parse<br/>Apply remark-gfm, remark-emoji
    Markdown->>Markdown: Convert to HAST<br/>with remark-rehype
    Markdown->>Sanitizer: Pass HTML string
    activate Sanitizer
    Sanitizer->>Sanitizer: Filter tags/attributes<br/>Enforce target="_blank"
    Sanitizer-->>Markdown: Sanitized HTML
    deactivate Sanitizer
    Markdown-->>API: Promise<sanitized HTML>
    deactivate Markdown
    API-->>User: Response with<br/>sanitized HTML
    deactivate API
sequenceDiagram
    participant User as User/Frontend
    participant Dialog as Migration Dialog
    participant API as Backend API
    participant K8s as Kubernetes API
    participant Store as Credential Store

    User->>Dialog: Open migrate dialog<br/>for SecretBinding
    activate Dialog
    Dialog->>Dialog: Load existing<br/>CredentialsBindings
    Dialog->>User: Show create step or<br/>completion step
    User->>Dialog: Confirm migration
    Dialog->>API: createInfraCredential<br/>(new CredentialsBinding)
    activate API
    API->>K8s: Create CredentialsBinding
    activate K8s
    K8s-->>API: Binding created
    deactivate K8s
    API-->>Dialog: Success
    deactivate API
    Dialog->>User: Show shoots needing<br/>credential update
    User->>Dialog: (Optional) Update shoots<br/>to use new binding
    Dialog->>API: updateShootCredentialName
    activate API
    API->>K8s: Patch shoot credential-binding-name
    K8s-->>API: Updated
    deactivate API
    API-->>Dialog: Success
    Dialog->>Store: Refresh credential list
    Dialog-->>User: Close dialog
    deactivate Dialog

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

Possibly related PRs

Suggested labels

size/M, cla: yes

Suggested reviewers

  • holgerkoser
  • grolu
  • klocke-io

Poem

🐰 A dash of migration, from Secret to Cred,
Markdown now unified, oh what's ahead!
Node twenty-two-point-two hops along,
Async and awaited, the database sings strong! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The PR title directly describes the main change—updating undici to v7.24.6—matching the primary focus of the changeset. |
| Description check | ✅ Passed | The PR description follows the template with 'What this PR does' and 'Release note' sections completed. However, the 'Which issue(s) this PR fixes' section is incomplete with only 'Fixes #' and no issue number, and 'Special notes for your reviewer' is missing. |


@grolu grolu left a comment

/lgtm
/approve

@gardener-prow gardener-prow Bot added the lgtm Indicates that a PR is ready to be merged. label Mar 27, 2026
gardener-prow Bot commented Mar 27, 2026

LGTM label has been added.

Git tree hash: d8d0bb451adc6631b90f83a012f7f0f36124da53

gardener-prow Bot commented Mar 27, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: grolu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gardener-prow gardener-prow Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 27, 2026
@gardener-prow gardener-prow Bot merged commit 2b92e48 into hotfix-1.83 Mar 27, 2026
53 checks passed
@gardener-prow gardener-prow Bot deleted the hf/bump-undici branch March 27, 2026 09:23
coderabbitai Bot commented Mar 27, 2026

Caution

Review failed

An error occurred during the review process. Please try again later.


Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. cla: yes Indicates the PR's author has signed the cla-assistant.io CLA. kind/bug Bug lgtm Indicates that a PR is ready to be merged. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.


2 participants