fix: Security upgrade transitive dependency undici#3229
PR #3229. mtrezza merged 4 commits into parse-community:alpha from
Conversation
🚀 Thanks for opening this pull request!
📝 Walkthrough: Convert CI tooling and scripts from CommonJS to ES Modules (.mjs), update two devDependencies in
✅ Snyk checks have passed. No issues have been found so far.
Actionable comments posted: 1
Caution: Some comments are outside the diff and can't be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
package.json (1)
Lines 85-97: ⚠️ Potential issue | 🟡 Minor: PR title contains a typo: "unidic" should be "undici".
"unidic" is an unrelated Japanese morphological dictionary package. The security vulnerability being addressed is in undici (Node.js HTTP/1.1 client), which has two recent CVEs:
- CVE-2025-22150: information disclosure in multipart/form-data — attackers can predict boundary values to tamper with backend API requests.
- CVE-2026-22036: unbounded decompression chain via Content-Encoding leading to high CPU and memory exhaustion.
Correcting the title improves changelog traceability.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@package.json` around lines 85 - 97, The PR title mistakenly says "unidic" instead of the vulnerable package name "undici"; update the PR title and any changelog/release text to replace "unidic" with "undici", and ensure related commit messages or release notes generated via the semantic-release workflow (see package.json entries like "@semantic-release/changelog" and "@semantic-release/git") reference "undici" and the CVE details (CVE-2025-22150, CVE-2026-22036); also scan package.json and release scripts for any accidental misspelling of the package name and correct it if found.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@package.json`:
- Line 85: Convert the two CI scripts from CommonJS to ESM by replacing require(...) calls with ES import syntax (e.g., import core from '@actions/core'; import * as exec from '@actions/exec'; import { HttpClient } from '@actions/http-client' or appropriate named imports), update any module usage to match the imported symbols (replace module.exports/require-based patterns with top-level exports or direct usage of imported objects, e.g., use core.getInput(...) instead of destructuring from a require), and ensure the project is configured to load ESM (add "type":"module" to package.json or rename the scripts to .mjs) so `@actions/core`@3.0.0 and the bumped `@actions/exec`/`@actions/http-client` ESM packages load correctly.
---
🧹 Nitpick comments (1)
ci/nodeEngineCheck.mjs (1)
Lines 1-7: __dirname shim is correct; consider node: prefix for built-in imports.
path.dirname(fileURLToPath(import.meta.url)) is the standard ESM substitute for __dirname and is correct. The import * as core, import semver, import fs, import path, and import { fileURLToPath } choices are all appropriate for their respective packages. As an optional improvement, prefer the node: scheme for built-in module specifiers to unambiguously distinguish them from npm packages:

♻️ Use `node:` prefix for built-in specifiers

```diff
 import * as core from '@actions/core';
 import semver from 'semver';
-import fs from 'fs/promises';
-import path from 'path';
-import { fileURLToPath } from 'url';
+import fs from 'node:fs/promises';
+import path from 'node:path';
+import { fileURLToPath } from 'node:url';
```
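Review bot: the `node:` specifiers on the `+` lines are only resolved by Node 14.13.1 and later in ESM import statements (14.18 and later for require), so a runner on an older Node fails at module load, before this engine-check script gets to run; harmless as long as the CI workflow pins a current Node, which is worth confirming alongside this change.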
(The same suggestion applies to ci/CiVersionCheck.mjs line 4.)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@ci/nodeEngineCheck.mjs` around lines 1 - 7, Switch the built-in module specifiers to the node: scheme so Node treats them as core modules: change imports that currently use 'fs/promises', 'path', and 'url' (the import of fileURLToPath) to use 'node:fs/promises', 'node:path', and 'node:url' respectively; keep the same imported symbols (fs, path, fileURLToPath) and the __dirname shim logic (path.dirname(fileURLToPath(import.meta.url))) unchanged, and mirror this change in the other module that imports core Node built-ins.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Duplicate comments:
In `@package.json`:
- Line 85: The package.json now pins "@actions/core": "3.0.0" but you must
ensure the CI scripts were migrated to ESM and their imports updated: rename the
scripts referenced (previously .js) to ciCheck.mjs and nodeEngineCheck.mjs,
update their module imports to use "import * as core from '@actions/core'" (and
any other CommonJS require -> import conversions), and verify package.json
script entries point to the new .mjs filenames so the ESM `@actions/core` v3
import works correctly.
---
🧹 Nitpick comments (1)
eslint.config.js (1)
Line 64: Consider adding **/*.test.mjs to the Jest config's files glob.
The test-specific config block only targets .test.js/.jsx/.ts/.tsx. If any .mjs test files are introduced later, they won't receive globals.jest and the Jest plugin rules. A forward-looking one-liner keeps this consistent:

♻️ Proposed change

```diff
- files: ['**/*.test.js', '**/*.test.jsx', '**/*.test.ts', '**/*.test.tsx'],
+ files: ['**/*.test.js', '**/*.test.jsx', '**/*.test.mjs', '**/*.test.ts', '**/*.test.tsx'],
```

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@eslint.config.js` at line 64, The files glob in eslint.config.js (the files: [...] entry) omits .test.mjs, so any future MJS test files won't get the Jest-specific config (globals.jest and plugin rules); update the files array to include '**/*.test.mjs' alongside '**/*.test.js', '**/*.test.jsx', '**/*.test.ts', '**/*.test.tsx' so .mjs tests are matched and receive the Jest config and rules.
## [9.0.1-alpha.4](9.0.1-alpha.3...9.0.1-alpha.4) (2026-02-20)

### Bug Fixes

* Security upgrade transitive dependency undici ([#3229](#3229)) ([8e1be1f](8e1be1f))
🎉 This change has been released in version 9.0.1-alpha.4
# [9.1.0](9.0.0...9.1.0) (2026-04-07)

### Bug Fixes

* Bump fast-xml-parser from 5.3.5 to 5.3.6 ([#3223](#3223)) ([aee458b](aee458b))
* Cell content not selected on double clicking data browser cell ([#3271](#3271)) ([9df3beb](9df3beb))
* Column resizing mouse cursor in data browser not visible in Safari browser ([#3246](#3246)) ([e6fb4d7](e6fb4d7))
* Date value cannot be pasted into date field in data browser ([#3243](#3243)) ([e902bea](e902bea))
* Edit icon does not disappear when hovering out of saved filter name in data browser sidebar ([#3245](#3245)) ([d3dcfce](d3dcfce))
* Layout issues when resizing Cloud Config parameter dialog ([#3241](#3241)) ([c6e95d9](c6e95d9))
* Remove unused dependencies ([#3227](#3227)) ([3ba250d](3ba250d))
* Security removal dependency null-loader ([#3230](#3230)) ([5e1b1fa](5e1b1fa))
* Security removal dependency svg-prep ([#3236](#3236)) ([abb08c6](abb08c6))
* Security upgrade transitive dependency ajv ([#3231](#3231)) ([d1e5e41](d1e5e41))
* Security upgrade transitive dependency qs ([#3228](#3228)) ([225c710](225c710))
* Security upgrade transitive dependency undici ([#3229](#3229)) ([8e1be1f](8e1be1f))
* Security upgrade undici ([#3265](#3265)) ([df23ef8](df23ef8))

### Features

* Add confirmation dialog when closing Cloud Config edit parameter dialog without saving changes ([#3247](#3247)) ([9ec03e0](9ec03e0))
* Add diff view to Cloud Config parameter dialog for better conflict handling ([#3239](#3239)) ([f007a68](f007a68))
* Add support for data import in data browser ([#3244](#3244)) ([16f60f4](16f60f4))
* Enforce remote access restrictions on `agent` endpoint ([#3255](#3255)) ([edef824](edef824))
* Graph support for nested Object field values ([#3326](#3326)) ([4562381](4562381))
* Highlight row of selected cell in data browser ([#3270](#3270)) ([298ae63](298ae63))
🎉 This change has been released in version 9.1.0
Pull Request
Issue
Security upgrade transitive dependency undici
Summary by CodeRabbit