Skip to content

fix: Security upgrade undici#3265

Merged
mtrezza merged 1 commit intoalphafrom
dependabot/npm_and_yarn/multi-119993c759
Mar 14, 2026
Merged

fix: Security upgrade undici#3265
mtrezza merged 1 commit intoalphafrom
dependabot/npm_and_yarn/multi-119993c759

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Mar 14, 2026

Bumps and undici. These dependencies needed to be updated together.
Updates undici from 6.23.0 to 6.24.0

Release notes

Sourced from undici's releases.

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

Not applicable to v6

Affected and patched ranges (v6)

References

Commits
  • 8873c94 Bumped v6.24.0
  • 411bd01 test(websocket): use node:assert for Node 18 compatibility
  • 844bf59 test: fix http2 lint regressions in backport
  • a444e4f test: stabilize h2 and tls-cert-leak under current test runner
  • dc032a1 fix: h2 CI (#4395)
  • 4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
  • 7df6442 fix: adapt websocket frame-limit handling for v6 parser
  • 4e0179a fix: reject duplicate content-length and host headers
  • 5a97f08 Fix websocket 64-bit length overflow
  • e43e898 fix: validate upgrade header to prevent CRLF injection
  • Additional commits viewable in compare view

Updates undici from 7.22.0 to 7.24.2

Release notes

Sourced from undici's releases.

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

Not applicable to v6

Affected and patched ranges (v6)

References

Commits
  • 8873c94 Bumped v6.24.0
  • 411bd01 test(websocket): use node:assert for Node 18 compatibility
  • 844bf59 test: fix http2 lint regressions in backport
  • a444e4f test: stabilize h2 and tls-cert-leak under current test runner
  • dc032a1 fix: h2 CI (#4395)
  • 4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
  • 7df6442 fix: adapt websocket frame-limit handling for v6 parser
  • 4e0179a fix: reject duplicate content-length and host headers
  • 5a97f08 Fix websocket 64-bit length overflow
  • e43e898 fix: validate upgrade header to prevent CRLF injection
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
refactor: bump undici
4c05710 
Bumps  and [undici](https://github.com/nodejs/undici). These dependencies needed to be updated together.

Updates `undici` from 6.23.0 to 6.24.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.23.0...v6.24.0)

Updates `undici` from 7.22.0 to 7.24.2
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.23.0...v6.24.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 6.24.0
  dependency-type: indirect
- dependency-name: undici
  dependency-version: 7.24.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Bot label; pull requests that updates a dependency file javascript Pull requests that update javascript code labels Mar 14, 2026
@parse-github-assistant
Copy link
Copy Markdown

parse-github-assistant Bot commented Mar 14, 2026

I will reformat the title to use the proper commit message syntax.

@parse-github-assistant parse-github-assistant Bot changed the title refactor: bump undici refactor: Bump undici Mar 14, 2026
@dependabot dependabot Bot mentioned this pull request Mar 14, 2026
Closed
@parseplatformorg
Copy link
Copy Markdown
Contributor

parseplatformorg commented Mar 14, 2026

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@mtrezza mtrezza merged commit df23ef8 into alpha Mar 14, 2026
10 checks passed
@mtrezza mtrezza deleted the dependabot/npm_and_yarn/multi-119993c759 branch March 14, 2026 11:52
@mtrezza mtrezza changed the title refactor: Bump undici fix: Security upgrade undici Mar 14, 2026
@parse-github-assistant
Copy link
Copy Markdown

parse-github-assistant Bot commented Mar 14, 2026

🚀 Thanks for opening this pull request! We appreciate your effort in improving the project. Please let us know once your pull request is ready for review.

Note

Please respond to review comments from AI agents just like you would to comments from a human reviewer. Let the reviewer resolve their own comments, unless they have reviewed and accepted your commit, or agreed with your explanation for why the feedback was incorrect.

Caution

Pull requests must be written using an AI agent with human supervision. Pull requests written entirely by a human will likely be rejected, because of lower code quality, higher review effort and the higher risk of introducing bugs. Please note that AI review comments on this pull request alone do not satisfy this requirement.

parseplatformorg pushed a commit that referenced this pull request Mar 14, 2026
@semantic-release-bot
chore(release): 9.1.0-alpha.9 [skip ci]
ec4234d 
# [9.1.0-alpha.9](9.1.0-alpha.8...9.1.0-alpha.9) (2026-03-14)

### Bug Fixes

* Security upgrade undici ([#3265](#3265)) ([df23ef8](df23ef8))
@parseplatformorg
Copy link
Copy Markdown
Contributor

parseplatformorg commented Mar 14, 2026

🎉 This change has been released in version 9.1.0-alpha.9

@parseplatformorg parseplatformorg added the state:released-alpha Released as alpha version label Mar 14, 2026
parseplatformorg pushed a commit that referenced this pull request Apr 7, 2026
@semantic-release-bot
chore(release): 9.1.0 [skip ci]
12a1db0 
# [9.1.0](9.0.0...9.1.0) (2026-04-07)

### Bug Fixes

* Bump fast-xml-parser from 5.3.5 to 5.3.6 ([#3223](#3223)) ([aee458b](aee458b))
* Cell content not selected on double clicking data browser cell ([#3271](#3271)) ([9df3beb](9df3beb))
* Column resizing mouse cursor in data browser not visible in Safari browser ([#3246](#3246)) ([e6fb4d7](e6fb4d7))
* Date value cannot be pasted into date field in data browser ([#3243](#3243)) ([e902bea](e902bea))
* Edit icon does not disappear when hovering out of saved filter name in data browser sidebar ([#3245](#3245)) ([d3dcfce](d3dcfce))
* Layout issues when resizing Cloud Config parameter dialog ([#3241](#3241)) ([c6e95d9](c6e95d9))
* Remove unused dependencies ([#3227](#3227)) ([3ba250d](3ba250d))
* Security removal dependency null-loader ([#3230](#3230)) ([5e1b1fa](5e1b1fa))
* Security removal dependency svg-prep ([#3236](#3236)) ([abb08c6](abb08c6))
* Security upgrade transitive dependency ajv ([#3231](#3231)) ([d1e5e41](d1e5e41))
* Security upgrade transitive dependency qs ([#3228](#3228)) ([225c710](225c710))
* Security upgrade transitive dependency undici ([#3229](#3229)) ([8e1be1f](8e1be1f))
* Security upgrade undici ([#3265](#3265)) ([df23ef8](df23ef8))

### Features

* Add confirmation dialog when closing Cloud Config edit parameter dialog without saving changes ([#3247](#3247)) ([9ec03e0](9ec03e0))
* Add diff view to Cloud Config parameter dialog for better conflict handling ([#3239](#3239)) ([f007a68](f007a68))
* Add support for data import in data browser ([#3244](#3244)) ([16f60f4](16f60f4))
* Enforce remote access restrictions on `agent` endpoint ([#3255](#3255)) ([edef824](edef824))
* Graph support for nested Object field values ([#3326](#3326)) ([4562381](4562381))
* Highlight row of selected cell in data browser ([#3270](#3270)) ([298ae63](298ae63))
@parseplatformorg
Copy link
Copy Markdown
Contributor

parseplatformorg commented Apr 7, 2026

🎉 This change has been released in version 9.1.0

@parseplatformorg parseplatformorg added the state:released Released as stable version label Apr 7, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Bot label; pull requests that updates a dependency file javascript Pull requests that update javascript code state:released Released as stable version state:released-alpha Released as alpha version

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@parseplatformorg @mtrezza