Build(deps): Bump undici from 7.22.0 to 7.24.1 by dependabot[bot] · Pull Request #273 · github/local-action

dependabot · 2026-03-13T23:48:45Z

Bumps undici from 7.22.0 to 7.24.1.

Release notes

v7.24.1

What's Changed

fix: proto pollution by @rahulyadav5524 in nodejs/undici#4885

Full Changelog: nodejs/undici@v7.24.0...v7.24.1

v7.24.0

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
Malicious WebSocket 64-bit frame length handling could crash the client.

GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
CRLF injection via the upgrade option.

GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
Unbounded memory consumption in WebSocket permessage-deflate decompression.

Affected and patched ranges

CVE-2026-1525: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-1528: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-2581: affected >= 7.17.0 < 7.24.0, patched 7.24.0

CVE-2026-1527: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-2229: affected 7.0.0 < 7.24.0, patched 7.24.0

CVE-2026-1526: affected 7.0.0 < 7.24.0, patched 7.24.0

References

GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories

NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525

NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528

... (truncated)

Commits

23e3cd3 Bumped v7.24.1
3aedaa8 remove PLAN.md
0d7ec33 fix: proto pollution (#4885)
07a3906 Bumped v7.24.0 (#4887)
74495c6 fix: reject duplicate content-length and host headers
84235c6 Fix websocket 64-bit length overflow
77594f9 fix: validate upgrade header to prevent CRLF injection
cb79c57 fix: validate server_max_window_bits range in permessage-deflate
4147ce2 Merge commit '2ee00cb3'
2ee00cb fix(websocket): add maxDecompressedMessageSize limit for permessage-deflate
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [undici](https://github.com/nodejs/undici) from 7.22.0 to 7.24.1. - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.22.0...v7.24.1) --- updated-dependencies: - dependency-name: undici dependency-version: 7.24.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-03-13T23:52:10Z

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	5	0	0	0.76s
✅ JAVASCRIPT	prettier	19	0	0	3.31s
✅ JSON	npm-package-json-lint	yes	no	no	0.7s
✅ JSON	prettier	29	0	0	1.09s
✅ MARKDOWN	markdownlint	10	0	0	1.19s
✅ REPOSITORY	checkov	yes	no	no	28.26s
✅ REPOSITORY	gitleaks	yes	no	no	1.81s
✅ REPOSITORY	git_diff	yes	no	no	0.02s
❌ REPOSITORY	grype	yes	10	no	59.19s
✅ REPOSITORY	secretlint	yes	no	no	1.36s
✅ REPOSITORY	syft	yes	no	no	4.38s
❌ REPOSITORY	trivy	yes	1	no	20.24s
✅ REPOSITORY	trivy-sbom	yes	no	no	4.08s
✅ REPOSITORY	trufflehog	yes	no	no	47.46s
✅ TYPESCRIPT	prettier	108	0	0	3.6s
✅ YAML	prettier	25	0	0	0.86s
✅ YAML	yamllint	25	0	0	0.81s

Detailed Issues

❌ REPOSITORY / grype - 10 errors

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME             INSTALLED  FIXED IN  TYPE  VULNERABILITY        SEVERITY  EPSS           RISK   
minimatch        3.1.2      3.1.3     npm   GHSA-3ppc-4f35-3m26  High      < 0.1% (16th)  < 0.1  
minimatch        5.1.6      5.1.7     npm   GHSA-3ppc-4f35-3m26  High      < 0.1% (16th)  < 0.1  
minimatch        9.0.5      9.0.6     npm   GHSA-3ppc-4f35-3m26  High      < 0.1% (16th)  < 0.1  
minimatch        3.1.2      3.1.3     npm   GHSA-7r86-cg39-jmmj  High      < 0.1% (16th)  < 0.1  
minimatch        5.1.6      5.1.8     npm   GHSA-7r86-cg39-jmmj  High      < 0.1% (16th)  < 0.1  
minimatch        9.0.5      9.0.7     npm   GHSA-7r86-cg39-jmmj  High      < 0.1% (16th)  < 0.1  
minimatch        3.1.2      3.1.4     npm   GHSA-23c5-xmqv-rm74  High      < 0.1% (16th)  < 0.1  
minimatch        5.1.6      5.1.8     npm   GHSA-23c5-xmqv-rm74  High      < 0.1% (16th)  < 0.1  
minimatch        9.0.5      9.0.7     npm   GHSA-23c5-xmqv-rm74  High      < 0.1% (16th)  < 0.1  
fast-xml-parser  5.3.6      5.3.8     npm   GHSA-fj3w-jwp8-x2g3  Low       < 0.1% (15th)  < 0.1
[0059] ERROR discovered vulnerabilities at or above the severity threshold

❌ REPOSITORY / trivy - 1 error

2026-03-13T23:51:07Z	INFO	[vulndb] Need to update DB
2026-03-13T23:51:07Z	INFO	[vulndb] Downloading vulnerability DB...
2026-03-13T23:51:07Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
4.91 MiB / 87.73 MiB [--->___________________________________________________________] 5.59% ? p/s ?30.44 MiB / 87.73 MiB [--------------------->_______________________________________] 34.69% ? p/s ?55.05 MiB / 87.73 MiB [-------------------------------------->______________________] 62.75% ? p/s ?77.19 MiB / 87.73 MiB [----------------------------------------->_____] 87.98% 119.69 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [--------------------------------------------->] 100.00% 119.69 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [--------------------------------------------->] 100.00% 119.69 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [--------------------------------------------->] 100.00% 113.11 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [--------------------------------------------->] 100.00% 113.11 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [--------------------------------------------->] 100.00% 113.11 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [--------------------------------------------->] 100.00% 105.82 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [--------------------------------------------->] 100.00% 105.82 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [--------------------------------------------->] 100.00% 105.82 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [---------------------------------------------->] 100.00% 98.99 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [---------------------------------------------->] 100.00% 98.99 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [---------------------------------------------->] 100.00% 98.99 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [---------------------------------------------->] 100.00% 92.60 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [---------------------------------------------->] 100.00% 92.60 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [---------------------------------------------->] 100.00% 92.60 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [---------------------------------------------->] 100.00% 86.63 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [---------------------------------------------->] 100.00% 86.63 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [---------------------------------------------->] 100.00% 86.63 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [---------------------------------------------->] 100.00% 81.04 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [---------------------------------------------->] 100.00% 81.04 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [---------------------------------------------->] 100.00% 81.04 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [---------------------------------------------->] 100.00% 75.81 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [---------------------------------------------->] 100.00% 75.81 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [---------------------------------------------->] 100.00% 75.81 MiB p/s ETA 0s87.73 MiB / 87.73 MiB [-------------------------------------------------] 100.00% 16.40 MiB p/s 5.5s2026-03-13T23:51:14Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2026-03-13T23:51:14Z	INFO	[vuln] Vulnerability scanning is enabled
2026-03-13T23:51:14Z	INFO	[misconfig] Misconfiguration scanning is enabled
2026-03-13T23:51:14Z	INFO	[checks-client] Need to update the checks bundle
2026-03-13T23:51:14Z	INFO	[checks-client] Downloading the checks bundle...
235.65 KiB / 235.65 KiB [--------------------------------------------------------->] 100.00% ? p/s ?235.65 KiB / 235.65 KiB [-----------------------------------------------] 100.00% 4.78 MiB p/s 200ms2026-03-13T23:51:25Z	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2026-03-13T23:51:25Z	INFO	Number of language-specific files	num=1
2026-03-13T23:51:25Z	INFO	[npm] Detecting vulnerabilities...
2026-03-13T23:51:25Z	INFO	Detected config files	num=0

Report Summary

┌───────────────────┬──────┬─────────────────┬───────────────────┐
│      Target       │ Type │ Vulnerabilities │ Misconfigurations │
├───────────────────┼──────┼─────────────────┼───────────────────┤
│ package-lock.json │ npm  │       10        │         -         │
└───────────────────┴──────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.69/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


package-lock.json (npm)
=======================
Total: 10 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 9, CRITICAL: 0)

┌─────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────────────────────────────────────────┬───────────────────────────────────────────────────────────┐
│     Library     │ Vulnerability  │ Severity │ Status │ Installed Version │                      Fixed Version                      │                           Title                           │
├─────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ fast-xml-parser │ CVE-2026-27942 │ LOW      │ fixed  │ 5.3.6             │ 5.3.8, 4.5.4                                            │ fast-xml-parser: fast-xml-parser: Stack overflow leads to │
│                 │                │          │        │                   │                                                         │ Denial of Service                                         │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-27942                │
├─────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────┤
│ minimatch       │ CVE-2026-26996 │ HIGH     │        │ 3.1.2             │ 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 │ minimatch: minimatch: Denial of Service via specially     │
│                 │                │          │        │                   │                                                         │ crafted glob patterns                                     │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-26996                │
│                 ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                 │ CVE-2026-27903 │          │        │                   │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 │ minimatch: minimatch: Denial of Service due to unbounded  │
│                 │                │          │        │                   │                                                         │ recursive backtracking via crafted...                     │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-27903                │
│                 ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                 │ CVE-2026-27904 │          │        │                   │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 │ minimatch: Minimatch: Denial of Service via catastrophic  │
│                 │                │          │        │                   │                                                         │ backtracking in glob expressions                          │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-27904                │
│                 ├────────────────┤          │        ├───────────────────┼─────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                 │ CVE-2026-26996 │          │        │ 5.1.6             │ 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 │ minimatch: minimatch: Denial of Service via specially     │
│                 │                │          │        │                   │                                                         │ crafted glob patterns                                     │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-26996                │
│                 ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                 │ CVE-2026-27903 │          │        │                   │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 │ minimatch: minimatch: Denial of Service due to unbounded  │
│                 │                │          │        │                   │                                                         │ recursive backtracking via crafted...                     │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-27903                │
│                 ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                 │ CVE-2026-27904 │          │        │                   │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 │ minimatch: Minimatch: Denial of Service via catastrophic  │
│                 │                │          │        │                   │                                                         │ backtracking in glob expressions                          │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-27904                │
│                 ├────────────────┤          │        ├───────────────────┼─────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                 │ CVE-2026-26996 │          │        │ 9.0.5             │ 10.2.1, 9.0.6, 8.0.5, 7.4.7, 6.2.1, 5.1.7, 4.2.4, 3.1.3 │ minimatch: minimatch: Denial of Service via specially     │
│                 │                │          │        │                   │                                                         │ crafted glob patterns                                     │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-26996                │
│                 ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                 │ CVE-2026-27903 │          │        │                   │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.3 │ minimatch: minimatch: Denial of Service due to unbounded  │
│                 │                │          │        │                   │                                                         │ recursive backtracking via crafted...                     │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-27903                │
│                 ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼───────────────────────────────────────────────────────────┤
│                 │ CVE-2026-27904 │          │        │                   │ 10.2.3, 9.0.7, 8.0.6, 7.4.8, 6.2.2, 5.1.8, 4.2.5, 3.1.4 │ minimatch: Minimatch: Denial of Service via catastrophic  │
│                 │                │          │        │                   │                                                         │ backtracking in glob expressions                          │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-27904                │
└─────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────────────────────────────┴───────────────────────────────────────────────────────────┘

📣 Notices:
  - Version 0.69.3 of Trivy is now available, current version is 0.69.1

To suppress version checks, run Trivy scans with the --skip-version-check flag

See detailed reports in MegaLinter artifacts

Show us your support by starring ⭐ the repository

dependabot bot added dependabot Dependabot issues and PRs npm Node.js issues and PRs labels Mar 13, 2026

dependabot bot requested a review from ncalteen as a code owner March 13, 2026 23:48

dependabot bot added dependabot Dependabot issues and PRs npm Node.js issues and PRs labels Mar 13, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build(deps): Bump undici from 7.22.0 to 7.24.1#273

Build(deps): Bump undici from 7.22.0 to 7.24.1#273
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/undici-7.24.1

dependabot bot commented on behalf of github Mar 13, 2026

Uh oh!

github-actions bot commented Mar 13, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Mar 13, 2026

v7.24.1

What's Changed

v7.24.0

Undici v7.24.0 Security Release Notes

Upgrade guidance

Fixed advisories

Affected and patched ranges

References

Uh oh!

github-actions bot commented Mar 13, 2026

❌MegaLinter analysis: Error

Detailed Issues

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants