[agent] chore(deps): upgrade undici to 7.28.0 via overrides#791
Draft
github-actions[bot] wants to merge 1 commit into
Conversation
Adds an npm overrides entry to pin undici >= 7.28.0. cheerio@1.2.0 (the direct dependent) declares undici ^7.19.0 and the latest cheerio release has not shipped a new range that resolves to the patched undici. The override is therefore used as a fallback to force resolution to a safe version.

Fixes:
- GHSA-vmh5-mc38-953g / CVE-2026-9697 (high) – TLS certificate validation bypass in SOCKS5 ProxyAgent (alert #282)
- GHSA-pr7r-676h-xcf6 / CVE-2026-9678 (medium) – cross-user info disclosure via shared cache whitespace bypass (alert #281)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Adds an `overrides` entry in the root `package.json` to pin `undici` to `>=7.28.0`, and updates `package-lock.json` accordingly.

Why an override?

`undici` is a transitive dependency pulled in by `cheerio@1.2.0` (declared in `packages/mongodb-cloud-info/package.json`). `cheerio@1.2.0` specifies `"undici": "^7.19.0"`. The latest `cheerio` release (1.2.0) has not shipped an updated range that resolves to a patched `undici`, so there is no manifest-first bump available. The `overrides` entry is used as the appropriate fallback.

Advisories addressed

Alert #282 (High): `undici`'s `ProxyAgent` silently dropped `requestTls` options when using a SOCKS5 proxy, causing TLS certificate validation bypass.

Alert #281 (Medium): `undici`'s cache interceptor incorrectly cached responses with whitespace-padded `private`/`no-cache` field names, enabling cross-user information disclosure in shared-cache mode.