[Snyk] Upgrade undici from 5.28.4 to 7.18.2

[nerdy-tech-com-gitub]

Snyk has created this PR to upgrade undici from 5.28.4 to 7.18.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 85 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	57	Proof of Concept
	Command Injection SNYK-JS-GLOB-14040952	57	Proof of Concept
	Insecure Randomness SNYK-JS-UNDICI-8641354	57	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITENDPOINT-8730856	57	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITPLUGINPAGINATEREST-8730855	57	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITREQUEST-8730853	57	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITREQUESTERROR-8730854	57	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	57	Proof of Concept
	Missing Release of Memory after Effective Lifetime SNYK-JS-UNDICI-10176064	57	Proof of Concept

Release notes

Package name: undici

• 7.18.2 - 2026-01-06
  

  ⚠️ Security Release

  This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.

  What's Changed

  • fix(decompress): limit Content-Encoding chain to 5 to prevent resourc… by @ mcollina in #4729

  Full Changelog: v7.18.1...v7.18.2

• 7.18.1 - 2026-01-06
  

  What's Changed

  • Test and Fix running without SSL by @ mcollina in #4727
  • docs: add security warning for strictContentLength option by @ mcollina in #4726
  • build(deps): bump step-security/harden-runner from 2.13.1 to 2.14.0 by @ dependabot[bot] in #4718
  • build(deps): bump actions/checkout from 6.0.0 to 6.0.1 by @ dependabot[bot] in #4719

  Full Changelog: v7.18.0...v7.18.1

• 7.18.0 - 2026-01-05
  

  What's Changed

  Full Changelog: v7.17.0...v7.18.0

• 7.17.0 - 2026-01-05
  

  What's Changed

  • chore: extract infra and encoding methods by @ Uzlopak in #4523
  • ci: remove h2 by @ Uzlopak in #4534
  • ci: make nodejs-shared wf reusable, install binaryen for wasm-opt, test on node-nightly by @ Uzlopak in #4535
  • ci: fix nightly shared library case by @ Uzlopak in #4543
  • test: consume bodies of fetch responses to fix failing macos 20 ci by @ Uzlopak in #4528
  • docs: add Cache Interceptor example to README by @ tawseefnabi in #4393
  • test: remove node20 version check by @ Uzlopak in #4544
  • types: use MessagePort instance type in MessageEvent by @ Renegade334 in #4546
  • ci: set write permissions on job level by @ Uzlopak in #4537
  • lint: activate n/no-process-exit by @ Uzlopak in #4548
  • ci: run benchmarks on pull_requests and by pushing on specific branches only by @ Uzlopak in #4536
  • chore: activate n/prefer-node-protocol to enforce 'node:' prefix for requiring node built-ins by @ Uzlopak in #4547
  • feat(H2): correct CONNECT behaviour by @ metcoder95 in #4541
  • test: fix plans by @ Uzlopak in #4550
  • feat: add runtime feature "detection" by @ Uzlopak in #4545
  • perf: use less promises in extractBody by @ Uzlopak in #4458
  • fix(proxy-agent): add missing return after callback-call by @ Uzlopak in #4553
  • fix: remove redundant line in retry-handler by @ Uzlopak in #4554
  • ci: add no-wasm-simd option by @ Uzlopak in #4533
  • fix: use lazyloaders for runtime feature detection by @ Uzlopak in #4557
  • fix: minor changes in dispatcher-base.js and types for Dispatcher by @ Uzlopak in #4556
  • http2: refactor and split tests of http2.js into multiple files by @ Uzlopak in #4561
  • fix: dns-interceptor test should await plan to complete by @ Uzlopak in #4560
  • chore: remove istanbul instructions by @ Uzlopak in #4559
  • fix: keep promise chains intact by @ Uzlopak in #4558
  • build(deps): bump wait-on from 8.0.5 to 9.0.1 in /benchmarks by @ dependabot[bot] in #4567
  • chore: remove tspl from eventsource by @ Uzlopak in #4569
  • chore: remove tspl from fetch by @ Uzlopak in #4570
  • feat: add getUpstream() method to BalancedPool by @ mcollina in #4586
  • fetch: handle invalid priority values properly by @ Uzlopak in #4522
  • ci: fix test coverage for codecov by @ Uzlopak in #4520
  • types: optional status in Response.redirect by @ gineika in #4591
  • docs: unix socket add-on by @ FelixVaughan in #4587
  • build(deps): bump codecov/codecov-action from 5.5.0 to 5.5.1 by @ dependabot[bot] in #4601
  • build(deps): bump hendrikmuhs/ccache-action from 1.2.18 to 1.2.19 by @ dependabot[bot] in #4600
  • build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @ dependabot[bot] in #4603
  • build(deps): bump actions/setup-node from 4.0.2 to 5.0.0 by @ dependabot[bot] in #4604
  • build(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @ dependabot[bot] in #4602
  • build(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 by @ dependabot[bot] in #4598
  • build(deps): bump github/codeql-action from 3.30.0 to 3.30.5 by @ dependabot[bot] in #4599
  • build(deps): bump actions/dependency-review-action from 4.7.3 to 4.8.0 by @ dependabot[bot] in #4597
  • fix: cacheStores types and usage in README by @ lucalooz in #4605
  • Feat dns interceptor storage by @ SuperOleg39 in #4589
  • docs: add crawling best practices by @ Uzlopak in #4590
  • fix: 304 not modified reply upon revalidation did not update cache. by @ daan944 in #4617
  • chore: use testcontext for test:infra by @ Uzlopak in #4579
  • fetch: improve regexes in data-uri.js by @ Uzlopak in #4483
  • perf: optimize validate http token by @ PandaWorker in #4608
  • test: improve long-lived-abort-controller test by @ Uzlopak in #4621
  • ci: add node.js 25 to test matrix by @ shivarm in #4626
  • chore: use testcontext for test/utils tests by @ Uzlopak in #4577
  • chore: remove tspl from websocket by @ Uzlopak in #4568
  • fix(ws) onSocketClose being called multiple times by @ KhafraDev in #4632
  • fix: prevent duplicate debug logs when multiple undici instances exist by @ mcollina in #4630
  • chore: use testcontext for busboy tests by @ Uzlopak in #4572
  • test: fix flaky http2-dispatcher test by @ mcollina in #4633
  • build(deps): bump uWebSockets.js from v20.52.0 to v20.54.0 in /benchmarks by @ dependabot[bot] in #4635
  • Run the gc() in long-lived-abort-controller test by @ mcollina in #4638
  • Do not destroy the HTTP2 stream twice in tests by @ mcollina in #4637
  • Fix http2-dispatcher test by @ mcollina in #4640
  • fix: fetch blob with range off-by-one error by @ platypii in #4643
  • fix: ensure HTTP/2 sends Content-Length for empty POST requests by @ mcollina in #4613
  • build(deps): bump uWebSockets.js from v20.54.0 to v20.55.0 in /benchmarks by @ dependabot[bot] in #4645
  • feat(#2458): WebSocket through HTTP/2 by @ metcoder95 in #4540
  • docs(README): correct the example code for the consumption of respons… by @ tenkirin in #4658
  • build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by @ dependabot[bot] in #4653
  • build(deps): bump fastify/github-action-merge-dependabot from 3.11.1 to 3.11.2 by @ dependabot[bot] in #4655
  • build(deps): bump actions/setup-node from 5.0.0 to 6.0.0 by @ dependabot[bot] in #4652
  • build(deps): bump actions/upload-artifact from 4.6.2 to 5.0.0 by @ dependabot[bot] in #4651
  • build(deps): bump actions/dependency-review-action from 4.8.0 to 4.8.1 by @ dependabot[bot] in #4654
  • don't freeze urlList for opaque filtered responses by @ KhafraDev in #4656
  • fix fd parsing unquoted attribute values by @ KhafraDev in #4662
  • build(deps): bump uWebSockets.js from v20.55.0 to v20.56.0 in /benchmarks by @ dependabot[bot] in #4665
  • feat(dispatcher/proxy-agent): new diagnostics event 'undici:proxy:connected' by @ SuperOleg39 in #4659
  • Feat/round robin pool by @ FelixVaughan in #4650
  • Formdata ignore epilogue preamble by @ KhafraDev in #4672
  • build(deps): bump actions/checkout from 5.0.0 to 6.0.0 by @ dependabot[bot] in #4682
  • fix: snapshot url exclusion by @ FelixVaughan in #4670
  • feat: support h2c over unix domain sockets by @ chrros95 in #4690
  • fix(docs): remove unused TypeScript example code block by @ kerolloz in #4701
  • feat: add deduplicate interceptor for request deduplication by @ mcollina in #4679
  • chore: use testcontext for mock tests by @ Uzlopak in #4582
  • fix(test): remove hardcoded folder name in client-error-stack-trace test by @ mcollina in #4707

  New Contributors

  • @ gineika made their first contribution in #4591
  • @ lucalooz made their first contribution in