fix(deps): update undici (high)#895

Open
claude[bot] wants to merge 1 commit intomainfrom
claude/dependabot-sweep-undici

Conversation

Contributor

@claude claude bot commented Apr 13, 2026

Summary

  • Adds npm overrides for undici to >=6.24.0 in root package.json and examples/node/package.json
  • @connectrpc/connect-node 1.x depends on undici: ^5.28.4 — no 1.x release pulls in undici >=6.24.0
  • Upgrading to @connectrpc/connect-node 2.x is a breaking change (requires @connectrpc/connect@2.x and @bufbuild/protobuf@^2.x), so npm overrides are used as the least-invasive fix
  • The override should be removed when @connectrpc/connect-node is upgraded to 2.x or when a 1.x release depends on undici >=6.24.0

Advisories resolved

GHSA ID              CVE             Severity  Summary
GHSA-2mjp-6q6p-2qxm  CVE-2026-1525   medium    HTTP Request/Response Smuggling
GHSA-4992-7rv2-5pvq  CVE-2026-1527   medium    CRLF Injection via upgrade option
GHSA-g9mf-h72j-4rw9  CVE-2026-22036  medium    Unbounded decompression chain
GHSA-v9p9-hfj2-hcw8  CVE-2026-2229   high      Unhandled Exception in WebSocket Client
GHSA-vrm6-8vpv-qv8q  CVE-2026-1526   high      Unbounded Memory Consumption in WebSocket

Lockfiles modified

  • package-lock.json
  • examples/node/package-lock.json

Unresolved alerts

None — all 7 alerts are resolved.

Test plan

  • make lint passes (includes eslint, prettier, typecheck)
  • CI tests pass

Resolves #891

🤖 Generated with Claude Code

@connectrpc/connect-node 1.x depends on undici ^5.28.4, and no 1.x
release pulls in undici >=6.24.0. Upgrading to connect-node 2.x is a
breaking change (requires @connectrpc/connect 2.x and @bufbuild/protobuf
2.x). Using npm overrides as the least-invasive fix.

Resolves: GHSA-2mjp-6q6p-2qxm, GHSA-4992-7rv2-5pvq,
GHSA-g9mf-h72j-4rw9, GHSA-v9p9-hfj2-hcw8, GHSA-vrm6-8vpv-qv8q

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@claude claude bot requested a review from a team as a code owner April 13, 2026 09:46
@claude claude bot requested review from njooma and stuqdog April 13, 2026 09:46
Contributor Author

@claude claude bot left a comment

Review

This is a dependency-only change; no TypeScript source files or src/gen/ were modified.

Correctness

The override approach is sound. @connectrpc/connect-node 1.x declares undici: ^5.28.4 but the only actual runtime usage is in node-headers-polyfill.js, which imports Headers from undici to polyfill globalThis.Headers on Node < 18. Two things make the version jump safe:

  1. Headers is still exported from undici 7.x (module.exports.Headers = require('./lib/web/fetch/headers').Headers).
  2. The polyfill's if (major < 18) guard means it never executes on Node 18+, which is what this project targets — so even a hypothetical API break in that import would be a dead code path at runtime.

The lockfiles in both package-lock.json and examples/node/package-lock.json are consistent: undici resolves to 7.24.8 in both, @fastify/busboy (which undici 5.x carried) is correctly removed.

Minor observation: open semver range

"undici": ">=6.24.0" will always resolve to the absolute latest undici on any fresh npm install (npm's resolution picks the highest satisfying version). For a security override the open range is defensible — the lockfile is what actually pins the installed version — but a reviewer should know that the resolved version will drift upward over time until this override is removed (once connect-node 2.x is adopted).

Security advisories

All 5 advisories listed in the PR description (GHSA-2mjp-6q6p-2qxm, GHSA-4992-7rv2-5pvq, GHSA-g9mf-h72j-4rw9, GHSA-v9p9-hfj2-hcw8, GHSA-vrm6-8vpv-qv8q) are resolved by pinning to undici ≥6.24.0.

Summary

The change is correct and safe for this codebase. The flatted entry appearing in examples/node/package-lock.json's ../.. snapshot is expected lockfile drift (it was already in the root package.json before this PR). No action needed beyond what the PR description already flags: remove the override when upgrading to @connectrpc/connect-node 2.x.
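The review above relies on the lockfile, not the open override range, being what actually pins undici. The following is an added example (not code from this PR or the project) that audits a lockfileVersion 2/3 package-lock.json for every installed undici copy, including nested ones under a dependency's own node_modules, and flags any that falls below the override's 6.24.0 floor or any leftover @fastify/busboy entry; the lockfile paths and versions in the sample are constructed.

```javascript
// Added example: check that every undici in a package-lock.json "packages" map
// satisfies the npm override ">=6.24.0" and that no @fastify/busboy entry
// (a dependency only undici 5.x carried) survived the update.
const OVERRIDE_MIN = "6.24.0"; // lower bound from the PR's npm override

// Parse "MAJOR.MINOR.PATCH" into numbers, ignoring prerelease/build suffixes.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version a is greater than or equal to version b.
function semverGte(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] > y[i];
  return true;
}

// Walk the lockfile's "packages" map. Nested copies live under paths such as
// "node_modules/foo/node_modules/undici", so match on the path suffix.
function auditLockfile(lock) {
  const findings = { undici: [], violations: [] };
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/undici")) {
      findings.undici.push(`${path}@${entry.version}`);
      if (!semverGte(entry.version, OVERRIDE_MIN)) {
        findings.violations.push(`${path}@${entry.version} is below ${OVERRIDE_MIN}`);
      }
    } else if (path.endsWith("node_modules/@fastify/busboy")) {
      findings.violations.push(`${path} is a leftover undici 5.x dependency`);
    }
  }
  return findings;
}

// Constructed sample lockfile (not the project's real one): the hoisted undici
// is fixed, but a nested copy still resolves to 5.28.4 and busboy lingers.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/undici": { version: "7.24.8" },
    "node_modules/@connectrpc/connect-node/node_modules/undici": { version: "5.28.4" },
    "node_modules/@fastify/busboy": { version: "2.1.1" },
  },
};
```

To run it against a real lockfile, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile` and fail the build when `violations` is non-empty.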

Development

Successfully merging this pull request may close these issues.

fix(deps): update undici (high, 7 alerts)