Bump undici from 8.3.0 to 8.5.0 #2854

Closed: dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/undici-7.28.0

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jun 20, 2026

Bumps undici from 8.3.0 to 8.5.0.

Release notes

Sourced from undici's releases.

v8.5.0

⚠️ Security Release

This release line addresses 8 security advisories. Most are fixed in v8.5.0; the SOCKS5 pool-reuse issue was fixed earlier in v8.2.0.

Action required: Upgrade to undici 8.5.0 or later.

npm install undici@^8.5.0

Summary

| Advisory | CVE | Severity (CVSS) | Fixed in | Fix commit |
| --- | --- | --- | --- | --- |
| GHSA-vxpw-j846-p89q | CVE-2026-12151 | High (7.5) | 8.5.0 | 32dbf0b3 |
| GHSA-38rv-x7px-6hhq | CVE-2026-9675 | High (7.5) | 8.5.0 | b4c287b3 |
| GHSA-vmh5-mc38-953g | CVE-2026-9697 | High (7.4) | 8.5.0 | 42d49559 |
| GHSA-hm92-r4w5-c3mj | CVE-2026-6734 | High (7.5) | 8.2.0 | a516f870 |
| GHSA-pr7r-676h-xcf6 | CVE-2026-9678 | Moderate (5.9) | 8.5.0 | cb105d7c |
| GHSA-p88m-4jfj-68fv | CVE-2026-9679 | Moderate (5.9) | 8.5.0 | 5655ea43 |
| GHSA-g8m3-5g58-fq7m | CVE-2026-11525 | Low (3.7) | 8.5.0 | 5655ea43 |
| GHSA-35p6-xmwp-9g52 | CVE-2026-6733 | Low (3.7) | 8.5.0 | 6ea54ef8 |

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: 32dbf0b3 websocket: limit the number of fragments in a message (also c5ed7875 websocket: handle empty fragments and stream limits)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

WebSocket DoS via cumulative fragment bypass — CVE-2026-9675

GHSA-38rv-x7px-6hhq · CWE-400, CWE-770
Fix: b4c287b3 fix(websocket): enforce max payload size across fragments

Undici validated the size of individual frames but did not track cumulative size across a fragmented message. An attacker could send many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing memory exhaustion. This is a regression introduced in 8.1.0 (the

... (truncated)

Commits
  • a0806e1 Bumped v8.5.0 (#5429)
  • 8a0392c test: detect available python command in wpt runner (#5427)
  • f4045b9 ci: increase Node.js workflow timeout (#5426)
  • 363e44f chore: removed repro-h2-pipelining-default.mjs and lint (#5420)
  • c5ed787 websocket: handle empty fragments and stream limits
  • e114e77 align EventSource with spec (#5418)
  • 6df53c5 fix: preserve h2 queue on out-of-order completion (#5410)
  • 32dbf0b websocket: limit the number of fragments in a message
  • 0d6ecc5 add bodymixin.textStream() (#5416)
  • 42d4955 fix: honor requestTls when proxy is SOCKS5
  • Additional commits viewable in compare view
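
The two WebSocket advisories quoted above share one root cause: the reassembly logic checked a limit that each hostile frame could satisfy individually (per-frame size) while the quantity that actually grows without bound (total bytes across fragments, or the number of fragments themselves) went unchecked. The block below is an added example, not undici's code and not part of the release notes or this pull request, of a message assembler that enforces both a cumulative byte cap and a fragment-count cap and counts empty fragments toward the latter. The class, the option names `maxPayload` and `maxFragments`, and the frame sequences are assumptions constructed for illustration; frames are plain objects, so nothing touches the network.

```javascript
// Added example: a minimal WebSocket message assembler that enforces the two
// limits described in the undici 8.5.0 release notes. Not undici's code;
// option names and frame shape ({ fin, payload }) are this example's own.

class MessageAssembler {
  constructor({ maxPayload = 1024 * 1024, maxFragments = 1024 } = {}) {
    this.maxPayload = maxPayload;       // cap on bytes across one message
    this.maxFragments = maxFragments;   // cap on frames per message
    this.reset();
  }

  reset() {
    this.chunks = [];
    this.totalBytes = 0;
    this.fragmentCount = 0;
  }

  // frame: { fin: boolean, payload: Buffer }
  // Returns { status: 'partial' } while a message is still being assembled,
  // { status: 'complete', message: Buffer } when the FIN frame arrives, or
  // { status: 'rejected', reason } when a limit is exceeded. On rejection the
  // assembler discards its buffered state; a real endpoint would also close
  // the connection with a 1009 (message too big) status.
  push(frame) {
    const payload = frame.payload;

    // Per-frame check alone is what the vulnerable versions relied on.
    if (payload.length > this.maxPayload) {
      this.reset();
      return { status: 'rejected', reason: 'frame exceeds maxPayload' };
    }

    // Count every fragment, including zero-length ones: an empty frame adds
    // no bytes but still costs a buffer slot and bookkeeping per frame, so a
    // byte limit by itself never trips on a flood of empty continuations.
    this.fragmentCount += 1;
    if (this.fragmentCount > this.maxFragments) {
      this.reset();
      return { status: 'rejected', reason: 'too many fragments in message' };
    }

    // Track the running total so that many small frames, each passing the
    // per-frame check, cannot collectively exceed the configured limit.
    this.totalBytes += payload.length;
    if (this.totalBytes > this.maxPayload) {
      this.reset();
      return { status: 'rejected', reason: 'cumulative payload exceeds maxPayload' };
    }

    this.chunks.push(payload);
    if (!frame.fin) {
      return { status: 'partial' };
    }
    const message = Buffer.concat(this.chunks);
    this.reset();
    return { status: 'complete', message };
  }
}

// Feed constructed frames in order and return the last result.
function feedFrames(assembler, frames) {
  let last = { status: 'partial' };
  for (const frame of frames) {
    last = assembler.push(frame);
    if (last.status === 'rejected') break;
  }
  return last;
}

// Constructed scenario 1: eleven 10-byte fragments against a 100-byte cap.
// Each frame passes the per-frame check; the running total does not.
function cumulativeBypassScenario() {
  const a = new MessageAssembler({ maxPayload: 100, maxFragments: 1000 });
  const frames = Array.from({ length: 11 }, (_, i) => ({ fin: i === 10, payload: Buffer.alloc(10, 0x41) }));
  return feedFrames(a, frames);
}

// Constructed scenario 2: fifty empty continuation frames. Total bytes stay
// at zero, so only the fragment-count cap can stop this.
function fragmentCountScenario() {
  const a = new MessageAssembler({ maxPayload: 100, maxFragments: 16 });
  const frames = Array.from({ length: 50 }, () => ({ fin: false, payload: Buffer.alloc(0) }));
  return feedFrames(a, frames);
}

// Constructed scenario 3: a well-formed three-fragment message within limits.
function legitimateScenario() {
  const a = new MessageAssembler({ maxPayload: 100, maxFragments: 16 });
  const frames = [
    { fin: false, payload: Buffer.from('hel') },
    { fin: false, payload: Buffer.from('lo ') },
    { fin: true, payload: Buffer.from('world') },
  ];
  return feedFrames(a, frames);
}
```

The ordering of the checks matters less than their presence: a reviewer auditing a framing layer should look for one counter per resource that grows with the peer's behaviour (bytes buffered, frames buffered, and, for stream-backed APIs, chunks queued before the consumer reads them), each compared against a configured ceiling before the new frame is stored.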

dependabot[bot] (Contributor, Author) commented on behalf of github, Jun 20, 2026

Labels

The following labels could not be found: npm. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

dependabot[bot] added the "dependencies" label (Pull requests that update a dependency file) Jun 20, 2026
dependabot[bot] requested a review from a team as a code owner June 20, 2026 11:22
dependabot[bot] temporarily deployed to ESS PodSpaces June 20, 2026 11:22 (Inactive)
Bumps [undici](https://github.com/nodejs/undici) from 8.3.0 to 8.5.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v8.3.0...v8.5.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] changed the title from "Bump undici from 7.12.0 to 7.28.0" to "Bump undici from 8.3.0 to 8.5.0" Jun 22, 2026
dependabot[bot] force-pushed the dependabot/npm_and_yarn/undici-7.28.0 branch from 0b002a8 to 26497a8 June 22, 2026 18:39
dependabot[bot] temporarily deployed to ESS PodSpaces June 22, 2026 18:40 (Inactive)
dependabot[bot] (Contributor, Author) commented on behalf of github, Jun 22, 2026

Superseded by #2858.

dependabot[bot] closed this Jun 22, 2026
dependabot[bot] deleted the dependabot/npm_and_yarn/undici-7.28.0 branch June 22, 2026 18:44