
fix: update undici override to ^6.24.1 to resolve all security advisories#22

Merged
davidkonigsberg merged 2 commits into main from devin/1773485226-fix-undici-vulnerabilities
Mar 14, 2026

Conversation

@davidkonigsberg
Contributor

fix: update undici override to ^6.24.1 to fix all security advisories

Summary

Updates the undici npm override from ^6.23.0 to ^6.24.1, resolving all 5 open dependabot alerts:

  • CVE-2026-2229 (High): Unhandled Exception in WebSocket Client (invalid server_max_window_bits)
  • CVE-2026-1528 (High): Malicious WebSocket 64-bit length overflow crashes client
  • CVE-2026-1526 (High): Unbounded Memory Consumption in permessage-deflate decompression
  • CVE-2026-1525 (Moderate): HTTP Request/Response Smuggling
  • CVE-2026-1527 (Moderate): CRLF Injection via upgrade option

This replaces the approach in dependabot PR #21, which bumped @actions/github to v9.0.0 (ESM-only), breaking the ncc build. Instead, we keep @actions/github at v6.0.1 and only bump the undici override, which is simpler and avoids the ESM incompatibility.

Review & Testing Checklist for Human

  • After merging, verify all 5 dependabot alerts auto-close (they should, since npm audit reports 0 vulnerabilities with this change)
  • Close dependabot PR "Bump undici and @actions/github" (#21) as superseded by this PR
  • Confirm dist/index.js rebuild looks correct (it reflects the undici security patches being bundled)

Notes
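As an added example, not code from this PR or its repository: a small dependency-free Node script that applies the checks the PR's checklist asks for, in offline form. It verifies that the `overrides` entry in a package.json admits nothing below the 6.24.1 floor stated above (the lowest version a caret range allows is what matters for a security floor, so `^6.23.0` is flagged and `^6.24.1` passes), and that a package-lock.json actually resolved every copy of undici at or above that floor. The package.json and lockfile contents are constructed inline; the real project's files and install paths are assumptions.

```javascript
// Added example, not code from the PR or its repository. It checks that the
// npm "overrides" entry for a package meets a minimum patched version, and
// that the lockfile actually resolved to a version at or above that floor.
// Semver support is a deliberately small hand-written subset (exact, ^ and ~
// ranges) so the script needs no dependencies and runs offline.

// Floor taken from the PR: undici >= 6.24.1 closes the five listed advisories.
const MIN_FIXED = { undici: "6.24.1" };

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 comparing a to b on major.minor.patch.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// The lowest version a range admits is what matters for a security floor:
// "^6.23.0" still lets npm install 6.23.0, which is unpatched.
function rangeFloor(range) {
  const m = /^[\^~]?=?v?(\d+\.\d+\.\d+)$/.exec(String(range).trim());
  if (!m) throw new Error(`unsupported range (only exact, ^ and ~ handled): ${range}`);
  return m[1];
}

// pkg: parsed package.json. Returns one finding per package in minFixed.
function checkOverrides(pkg, minFixed = MIN_FIXED) {
  const overrides = (pkg && pkg.overrides) || {};
  return Object.entries(minFixed).map(([name, min]) => {
    const range = overrides[name];
    if (range === undefined) {
      return { name, ok: false, reason: "no override" };
    }
    const floor = rangeFloor(range);
    const ok = compareVersions(floor, min) >= 0;
    return { name, range, floor, min, ok, reason: ok ? "floor >= fixed" : `floor ${floor} < fixed ${min}` };
  });
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3), whose "packages"
// map is keyed by install path such as "node_modules/undici". An override
// only takes effect once `npm install` has regenerated the lockfile, so the
// resolved version is what to assert on before rebuilding dist/ with ncc.
function checkLock(lock, minFixed = MIN_FIXED) {
  const packages = (lock && lock.packages) || {};
  return Object.entries(minFixed).map(([name, min]) => {
    const hits = Object.entries(packages)
      .filter(([path]) => path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`))
      .map(([path, entry]) => ({ path, version: entry.version, ok: compareVersions(entry.version, min) >= 0 }));
    return { name, min, ok: hits.length > 0 && hits.every((h) => h.ok), hits };
  });
}

// Constructed sample inputs mirroring the PR's before/after state.
const PKG_BEFORE = { name: "example-action", overrides: { undici: "^6.23.0" } };
const PKG_AFTER = { name: "example-action", overrides: { undici: "^6.24.1" } };
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    "node_modules/undici": { version: "6.24.1" },
    // A nested copy (constructed path) has to meet the floor as well.
    "node_modules/some-dep/node_modules/undici": { version: "6.24.1" },
  },
};

for (const [label, pkg] of [["before", PKG_BEFORE], ["after", PKG_AFTER]]) {
  for (const f of checkOverrides(pkg)) {
    console.log(`${label}: ${f.name} ${f.ok ? "OK" : "INSUFFICIENT"} (${f.reason})`);
  }
}
for (const f of checkLock(LOCK_AFTER)) {
  console.log(`lock: ${f.name} ${f.ok ? "OK" : "INSUFFICIENT"} resolved ${f.hits.map((h) => h.version).join(", ")}`);
}
```

The lockfile check matters because an `overrides` edit alone changes nothing on disk: until `npm install` rewrites package-lock.json and ncc rebundles dist/index.js, the bundled undici is still whatever was resolved before.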

devin-ai-integration bot and others added 2 commits March 14, 2026 10:47
…ries

Updates the undici override from ^6.23.0 to ^6.24.1, resolving:
- CVE-2026-2229: Unhandled Exception in WebSocket (server_max_window_bits)
- CVE-2026-1528: Malicious WebSocket 64-bit length overflow
- CVE-2026-1526: Unbounded Memory Consumption (permessage-deflate)
- CVE-2026-1525: HTTP Request/Response Smuggling
- CVE-2026-1527: CRLF Injection via upgrade option

Keeps @actions/github at v6.0.1 to avoid ESM-only breakage from v9.0.0.

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
@devin-ai-integration
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@davidkonigsberg davidkonigsberg merged commit 0ebdcd2 into main Mar 14, 2026
1 check passed
@davidkonigsberg davidkonigsberg deleted the devin/1773485226-fix-undici-vulnerabilities branch March 14, 2026 10:54
