chore(deps): update dependency undici to v7.5.0 [security]
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| undici (source) | 7.3.0 -> 7.5.0 | | |
GitHub Vulnerability Alerts
CVE-2025-47279
Impact
Applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.
Patches
This has been patched in https://github.com/nodejs/undici/pull/4088.
Workarounds
If a webhook fails, avoid calling it repeatedly.
References
Reported as: https://github.com/nodejs/undici/issues/3895
Release Notes
nodejs/undici (undici)
v7.5.0
What's Changed
- feat(docs): button to switch dark and light mode by @shivarm in #4044
- feat: add mock call history to access request configuration in test by @blephy in #4029
- fix: Fix retry-handler.js when retry-after header is a Date by @fgiova in #4084
- Update Cache Tests by @github-actions in #4027
- Allow disabling autoSelectFamily in an Agent by @hitsthings in #4070
- Removed clients with unrecoverable errors from the Pool by @mcollina in #4088
New Contributors
- @blephy made their first contribution in #4029
- @fgiova made their first contribution in #4084
- @hitsthings made their first contribution in #4070
Full Changelog: https://github.com/nodejs/undici/compare/v7.4.0...v7.5.0
v7.4.0
What's Changed
- fix: apply byte offset on Buffer.from by @ronag in #4019
- fix: fetch body fallback random number generation by @Uzlopak in #4023
- Add release instructions by @mcollina in #4022
- Update Cache Tests by @github-actions in #4020
- Update WPT by @github-actions in #4011
- docs: document about global dispatcher and errors (#3987) by @zuozp8 in #4014
- docs: fix incorrect method signature of `onResponseError` by @tmair in #4030
- feat(docs): copy to clipboard button by @shivarm in #4037
- don't check AbortSignal maxListeners on some node versions by @KhafraDev in #4045
- feat: mark `EnvHttpProxyAgent` as stable by @aduh95 in #4049
- test: fix windows wpt by @metcoder95 in #4050
- fix: do not throw unhandled exception when data is undefined in interceptor.reply by @frederikprijck in #4036
- fix: handle missing vary header values by @gurgunday in #4031
- Update WPT by @github-actions in #4028
- Update WPT by @github-actions in #4062
- fix: fix EnvHttpProxyAgent for the Node.js bundle by @joyeecheung in #4064
New Contributors
- @zuozp8 made their first contribution in #4014
- @tmair made their first contribution in #4030
- @shivarm made their first contribution in #4037
- @frederikprijck made their first contribution in #4036
- @joyeecheung made their first contribution in #4064
Full Changelog: https://github.com/nodejs/undici/compare/v7.3.0...v7.4.0
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.
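The workaround in the CVE-2025-47279 advisory above (stop re-calling a webhook that keeps failing) can be enforced with a per-origin circuit breaker. This is an added example, not code from undici or from this repository; `WebhookBreaker`, `deliver`, the injected `send` function and the thresholds are hypothetical.

```javascript
// Added example: names and thresholds are assumptions, not undici's API.
// Failures are counted per origin, so changing the path or query of a
// failing webhook URL does not reset the counter.
class WebhookBreaker {
  constructor ({ maxFailures = 3, baseDelayMs = 60000, maxDelayMs = 3600000 } = {}) {
    this.maxFailures = maxFailures
    this.baseDelayMs = baseDelayMs
    this.maxDelayMs = maxDelayMs
    this.state = new Map() // origin -> { failures, retryAt }
  }

  // True when a delivery attempt to this URL is currently permitted.
  canSend (url, now = Date.now()) {
    const s = this.state.get(new URL(url).origin)
    return !s || now >= s.retryAt
  }

  recordSuccess (url) {
    this.state.delete(new URL(url).origin)
  }

  // Returns the timestamp before which further attempts are refused.
  recordFailure (url, now = Date.now()) {
    const origin = new URL(url).origin
    const s = this.state.get(origin) ?? { failures: 0, retryAt: 0 }
    s.failures += 1
    if (s.failures >= this.maxFailures) {
      // Exponential back-off once the threshold is reached, capped at maxDelayMs.
      const exp = s.failures - this.maxFailures
      s.retryAt = now + Math.min(this.baseDelayMs * 2 ** exp, this.maxDelayMs)
    }
    this.state.set(origin, s)
    return s.retryAt
  }
}

// Wraps any sender (for example a function calling undici's request or fetch).
async function deliver (breaker, send, url, payload) {
  if (!breaker.canSend(url)) return { sent: false, reason: 'circuit-open' }
  try {
    const res = await send(url, payload)
    breaker.recordSuccess(url)
    return { sent: true, res }
  } catch (err) {
    // Connection and TLS errors, such as an invalid certificate, land here.
    breaker.recordFailure(url)
    return { sent: false, reason: err.code ?? err.message }
  }
}
```

Upgrading to the patched undici release remains the fix; the breaker only bounds how often a failing endpoint is contacted.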
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| | lodash.merge@4.6.2 | | | | | |
| | js-yaml@4.1.0 | | | | | |
| | split2@4.2.0 | | | | | |
| | rfdc@1.4.1 | | | | | |
| | qs@6.14.0 | | | | | |
| | yargs-parser@21.1.1 | | | | | |
| | readable-stream@4.7.0 | | | | | |