Skip to content

build(deps): bump undici from 7.25.0 to 8.5.0#2886

Open
dependabot[bot] wants to merge 1 commit into
trunkfrom
dependabot/npm_and_yarn/undici-8.5.0
Open

build(deps): bump undici from 7.25.0 to 8.5.0#2886
dependabot[bot] wants to merge 1 commit into
trunkfrom
dependabot/npm_and_yarn/undici-8.5.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 16, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps undici from 7.25.0 to 8.5.0.

Release notes

Sourced from undici's releases.

v8.5.0

⚠️ Security Release

This release line addresses 8 security advisories. Most are fixed in v8.5.0; the SOCKS5 pool-reuse issue was fixed earlier in v8.2.0.

Action required: Upgrade to undici 8.5.0 or later.

npm install undici@^8.5.0

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 8.5.0 32dbf0b3
GHSA-38rv-x7px-6hhq CVE-2026-9675 High (7.5) 8.5.0 b4c287b3
GHSA-vmh5-mc38-953g CVE-2026-9697 High (7.4) 8.5.0 42d49559
GHSA-hm92-r4w5-c3mj CVE-2026-6734 High (7.5) 8.2.0 a516f870
GHSA-pr7r-676h-xcf6 CVE-2026-9678 Moderate (5.9) 8.5.0 cb105d7c
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 8.5.0 5655ea43
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 8.5.0 5655ea43
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 8.5.0 6ea54ef8

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: 32dbf0b3 websocket: limit the number of fragments in a message (also c5ed7875 handle empty fragments and stream limits)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

WebSocket DoS via cumulative fragment bypass — CVE-2026-9675

GHSA-38rv-x7px-6hhq · CWE-400, CWE-770 Fix: b4c287b3 fix(websocket): enforce max payload size across fragments

Undici validated the size of individual frames but did not track cumulative size across a fragmented message. An attacker could send many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing memory exhaustion. This is a regression introduced in 8.1.0 (the

... (truncated)

Commits
  • a0806e1 Bumped v8.5.0 (#5429)
  • 8a0392c test: detect available python command in wpt runner (#5427)
  • f4045b9 ci: increase Node.js workflow timeout (#5426)
  • 363e44f chore: removed repro-h2-pipelining-default.mjs and lint (#5420)
  • c5ed787 websocket: handle empty fragments and stream limits
  • e114e77 align EventSource with spec (#5418)
  • 6df53c5 fix: preserve h2 queue on out-of-order completion (#5410)
  • 32dbf0b websocket: limit the number of fragments in a message
  • 0d6ecc5 add bodymixin.textStream() (#5416)
  • 42d4955 fix: honor requestTls when proxy is SOCKS5
  • Additional commits viewable in compare view

@dependabot dependabot Bot mentioned this pull request Jun 16, 2026
Closed
@github-actions

github-actions Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Dependency Review

The following issues were found:
  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 1 package(s) with unknown licenses.
See the Details below.

License Issues

package.json

PackageVersionLicenseIssue Type
undici^8.5.0NullUnknown License

OpenSSF Scorecard

PackageVersionScoreDetails
npm/undici ^8.5.0 UnknownUnknown

Scanned Files

  • package.json

@dependabot
build(deps): bump undici from 7.25.0 to 8.5.0
70fd35b 
Bumps [undici](https://github.com/nodejs/undici) from 7.25.0 to 8.5.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.25.0...v8.5.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 8.5.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/undici-8.5.0 branch from 329a60d to 70fd35b Compare June 18, 2026 16:33
@sonarqubecloud

sonarqubecloud Bot commented Jun 18, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies [Status] Needs Review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants