
Conversation

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Jan 12, 2026

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Bumps undici from 7.16.0 to 7.18.2.

Release notes

Sourced from undici's releases.

v7.18.2

What's Changed

Full Changelog: nodejs/undici@v7.18.1...v7.18.2

v7.18.1

What's Changed

Full Changelog: nodejs/undici@v7.18.0...v7.18.1

v7.18.0

What's Changed

Full Changelog: nodejs/undici@v7.17.0...v7.18.0

v7.17.0

What's Changed

... (truncated)

Commits
  • 7e5cb2d Bumped v7.18.2 (#4730)
  • b04e3cb fix(decompress): limit Content-Encoding chain to 5 to prevent resource exhaus...
  • 2bcb77b Bumped v7.18.1 (#4728)
  • 58a12b7 build(deps): bump actions/checkout from 6.0.0 to 6.0.1 (#4719)
  • 5fa2930 build(deps): bump step-security/harden-runner from 2.13.1 to 2.14.0 (#4718)
  • fbbe283 docs: add security warning for strictContentLength option (#4726)
  • ce12d9e fix: do not crash if Node.js is compiled without SSL (#4727)
  • ebe3e33 Bumped v7.18.0 (#4725)
  • 4e9b88b fix: limit Content-Encoding chain to 5 to prevent resource exhaustion
  • d560767 Bumped v7.17.0 (#4724)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [undici](https://github.com/nodejs/undici) from 7.16.0 to 7.18.2.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.16.0...v7.18.2)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.18.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jan 12, 2026
@vercel

vercel bot commented Jan 12, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
api Ready Ready Preview, Comment Jan 12, 2026 7:46pm

@dependabot dependabot bot added the javascript Pull requests that update javascript code label Jan 12, 2026
@claude

claude bot commented Jan 12, 2026

PR Review: Bump undici from 7.16.0 to 7.18.2

Summary

This is a dependency update PR that bumps the undici HTTP client library from version 7.16.0 to 7.18.2 (a minor version update). The PR also includes some cleanup of peer dependency flags in the lock file.

✅ Positive Aspects

  1. Security Fix Included: The update includes v7.18.2 which contains a critical fix: fix(decompress): limit Content-Encoding chain to 5 to prevent resource exhaustion (nodejs/undici#4729). This prevents potential DoS attacks via decompression bombs.

  2. Bug Fixes: Several important bug fixes are included:

    • Fixed Node.js crash when compiled without SSL (v7.18.1)
    • Fixed promise chain integrity issues
    • Fixed proxy-agent missing return statement

  3. Compatible Version Range: The caret (^) in package.json allows this update within the minor version range, which is appropriate for a stable library like undici.

  4. No Direct Code Changes Required: The update is backward compatible - no application code modifications are needed.

⚠️ Areas for Consideration

  1. Peer Dependency Flag Changes: The lock file shows removal of "peer": true flags from several dev dependencies:

    • @types/node
    • @typescript-eslint/parser
    • acorn
    • eslint
    • typescript
    • zod

    This appears to be a side effect of the dependency resolution, which typically occurs when npm/node-modules resolves dependencies differently. This is normal but worth noting to ensure the dev environment still works correctly.

  2. Testing Verification Needed: While this is a minor version update with good release notes, it would be prudent to:

    • Run the lint checks (npm run lint and npm run lint:fix)
    • Verify any HTTP client functionality in the codebase still works correctly
    • Check if there are any CI/CD tests that pass with the new version

  3. Breaking Changes Check: While undici v7.17.0 → v7.18.2 is a minor version bump, the release notes mention some feature additions (e.g., "add runtime feature detection"). Ensure these don't affect the application.

🔒 Security Notes

The update includes an important security improvement:

  • Resource Exhaustion Protection: The Content-Encoding chain is now limited to a maximum of 5 levels, preventing potential resource exhaustion attacks via compressed response headers.

This is a beneficial security update.

📋 Recommendations

  1. Merge Confidence: This is a safe update with good security and bug fixes. Dependabot's compatibility score should indicate whether there are any known issues.

  2. Post-Merge: After merging, consider:

    • Running the full lint and any integration tests
    • Monitoring for any unexpected behavior related to HTTP requests

  3. Lock File Cleanup: The removal of peer dependency flags is normal behavior and shouldn't cause issues, but verify dev dependencies resolve correctly after merge.

✨ Final Assessment

This is a recommended update. It includes important security and bug fixes with no breaking changes to the public API. The update appears safe to merge once CI passes.
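To make the Content-Encoding chain limit discussed in the review concrete, here is an added example (not undici's code and not part of this PR) of a client-side guard that applies the same cap of 5 codings before a response body is decoded. The coding names, the sample headers and the `checkContentEncodingChain` helper are assumptions made for this illustration; how undici itself reacts when the cap is exceeded is not reproduced.

```javascript
// Each coding listed in Content-Encoding is one decompression pass a client
// must perform, so an unbounded chain lets a tiny body cost unbounded CPU
// and memory. The cap of 5 matches the undici 7.18.x release note.
const MAX_ENCODING_CHAIN = 5;

// Codings this guard is willing to decode (assumed set for the example).
const KNOWN_CODINGS = new Set(['gzip', 'x-gzip', 'deflate', 'br', 'zstd', 'identity']);

// Split a Content-Encoding value into its coding tokens. RFC 9110 lists them
// comma-separated in application order; empty tokens are dropped.
function parseContentEncoding(value) {
  if (typeof value !== 'string') return [];
  return value
    .split(',')
    .map((token) => token.trim().toLowerCase())
    .filter((token) => token.length > 0);
}

// Decide whether a response's Content-Encoding chain is safe to decode.
// Returns { ok, codings, reason } so a caller can log the reason (useful as
// a detection signal) instead of silently dropping the response.
function checkContentEncodingChain(value, maxChain = MAX_ENCODING_CHAIN) {
  const codings = parseContentEncoding(value);
  if (codings.length > maxChain) {
    return { ok: false, codings, reason: `chain length ${codings.length} exceeds ${maxChain}` };
  }
  const unknown = codings.find((coding) => !KNOWN_CODINGS.has(coding));
  if (unknown !== undefined) {
    return { ok: false, codings, reason: `unsupported coding "${unknown}"` };
  }
  return { ok: true, codings, reason: null };
}

// Constructed sample headers (not taken from the page): a normal response,
// a legitimately stacked one, and an over-long chain the cap should reject.
const SAMPLE_HEADERS = {
  normal: 'gzip',
  stacked: 'br, gzip',
  abusive: 'gzip, gzip, gzip, gzip, gzip, gzip',
};

// Run the guard over every sample and return the verdicts keyed by name.
function demo() {
  return Object.fromEntries(
    Object.entries(SAMPLE_HEADERS).map(([name, v]) => [name, checkContentEncodingChain(v)])
  );
}
```

In a fetch wrapper the guard runs on the response headers before any body stream is consumed, so a rejected chain never reaches the decompressor.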

@luisaugusto luisaugusto merged commit 90d4349 into main Jan 15, 2026
5 checks passed
@luisaugusto luisaugusto deleted the dependabot/npm_and_yarn/undici-7.18.2 branch January 15, 2026 17:13
