build(deps): bump undici, @rdfjs/serializer-jsonld-ext and jsonld

[dependabot]

Bumps undici to 6.24.1 and updates ancestor dependencies undici, @rdfjs/serializer-jsonld-ext and jsonld. These dependencies need to be updated together.

Updates undici from 5.29.0 to 6.24.1

Release notes

Sourced from undici's releases.

v6.24.1

Full Changelog: nodejs/undici@v6.24.0...v6.24.1

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

• CVE-2026-1525: affected < 6.24.0, patched 6.24.0
• CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
• CVE-2026-1527: affected < 6.24.0, patched 6.24.0
• CVE-2026-2229: affected < 6.24.0, patched 6.24.0
• CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
• NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
• NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

... (truncated)

Commits

• c0cf656 Bumped v6.24.1
• f5a9f0c Fix v6 release workflow branch targeting
• af2cb8f wqremove maxDecompressedMessageSize (#4891)
• 8873c94 Bumped v6.24.0
• 411bd01 test(websocket): use node:assert for Node 18 compatibility
• 844bf59 test: fix http2 lint regressions in backport
• a444e4f test: stabilize h2 and tls-cert-leak under current test runner
• dc032a1 fix: h2 CI (#4395)
• 4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
• 7df6442 fix: adapt websocket frame-limit handling for v6 parser
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates @rdfjs/serializer-jsonld-ext from 4.0.1 to 4.0.2

Commits

• e804ce3 4.0.2
• f628c57 Merge pull request #19 from rdfjs-base/dependabot/npm_and_yarn/jsonld-9.0.0
• b7d9fab Merge pull request #18 from rdfjs-base/dependabot/github_actions/actions/chec...
• 5517316 Bump jsonld from 8.3.3 to 9.0.0
• d406194 Bump actions/checkout from 5 to 6
• 897b40a Merge pull request #17 from rdfjs-base/dependabot/github_actions/actions/setu...
• 90a1710 Bump actions/setup-node from 5 to 6
• fc0148e Merge pull request #16 from rdfjs-base/dependabot/github_actions/actions/setu...
• c0a48c9 Bump actions/setup-node from 4 to 5
• 7cd9a4b Merge pull request #15 from rdfjs-base/dependabot/github_actions/actions/chec...
• Additional commits viewable in compare view

Updates jsonld from 8.3.3 to 9.0.0

Changelog

Sourced from jsonld's changelog.

9.0.0 - 2025-11-20

Added

• Add minimal support for React Native.
  • Add react-native section to package.json.
  • Add instructions to README.md.

Changed

• BREAKING: Drop support for Node.js < 18.
• BREAKING: Upgrade dependencies.
  • @digitalbazaar/http-client@4.
  • canonicalize@2.
  • rdf-canonize@5: See the [rdf-canonize][] 4.x and 5.x changelog for important changes and upgrade notes. Of note:
    • The URDNA2015 default algorithm has been changed to RDFC-1.0 from [rdf-canon][].
    • Complexity control defaults maxWorkFactor or maxDeepIterations may need to be adjusted to process graphs with certain blank node constructs.
    • A signal option is available to use an AbortSignal to limit resource usage.
    • The internal digest algorithm can be changed.
    • Support for [rdf-canonize-native][] was removed.
• BREAKING: Only the JavaScript implementation of [rdf-canon][] from [rdf-canonize][] is supported. The API here can be updated to allow implementation switching if support for native or other [rdf-canon][] implementations is needed.
• Update development dependencies.
• Update karma testing.
  • Remove older fixes in favor of more default behavior.
• Update bundle build.
  • Use newer corejs version.
  • Build with modern browserslist defaults and no IE support.
  • Support for older browsers requires a custom build.
• Refactor test framework.
  • Test runtime loads test files from a web server.
  • Allows testing of manifests on remote web servers.
  • Trading off some performance to align node and browser testing.
  • Moves some test setup code into config data and manifest.

Fixed

• Fix fromRdf#t0027 and useNativeTypes handling.

Removed

• BREAKING: Remove application/nquads alias for application/n-quads.

Commits

• 27a2b81 Release 9.0.0.
• 0a7f6da Update changelog.
• 44ed43a Fix codespell issues.
• 8793d07 Add fix to changelog.
• ded42f7 Add minimal support for React Native.
• f2d39a1 Update workflow.
• 84b1b33 Use rdf-canonize@5.
• ae1d6db Update dev dependencies.
• d31aa17 Fix useNativeTypes handling.
• 5e4dcbe Fix conditional.
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[changeset-bot]

⚠️ No Changeset found

Latest commit: b1e85c7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR