
Bump undici and release-it #99

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/multi-a500e4a4e3

Conversation

dependabot[bot] (Contributor) commented on behalf of github on Jun 29, 2026

Bumps undici to 7.28.0 and updates ancestor dependency release-it. These dependencies need to be updated together.

Updates undici from 6.23.0 to 7.28.0

Release notes

Sourced from undici's releases.

v7.28.0

⚠️ Security Release

This release line addresses 7 security advisories, all shipped in v7.28.0.

Action required: Upgrade to undici 7.28.0 or later.

npm install undici@^7.28.0

The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.

Note on GHSA-hm92-r4w5-c3mj: this fix shipped in v7.28.0, not the earlier 7.2x line — the vulnerable single-pool code was still present through v7.27.2. The per-origin pool fix is 3805b8f8 (#5041).

Summary

Advisory             CVE             Severity (CVSS)  Fixed in  Fix commit
GHSA-vxpw-j846-p89q  CVE-2026-12151  High (7.5)       7.28.0    8cb10f98
GHSA-vmh5-mc38-953g  CVE-2026-9697   High (7.4)       7.28.0    04201f89
GHSA-hm92-r4w5-c3mj  CVE-2026-6734   High (7.5)       7.28.0    3805b8f8
GHSA-pr7r-676h-xcf6  CVE-2026-9678   Moderate (5.9)   7.28.0    85a24055
GHSA-p88m-4jfj-68fv  CVE-2026-9679   Moderate (5.9)   7.28.0    d0574cc4
GHSA-g8m3-5g58-fq7m  CVE-2026-11525  Low (3.7)        7.28.0    d0574cc4
GHSA-35p6-xmwp-9g52  CVE-2026-6733   Low (3.7)        7.28.0    ea8930cf

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770
Fix: 8cb10f98 websocket: limit the number of fragments in a message (part of backport a027a4a0 Backport WebSocket maxPayloadSize fixes to v7.x, #5423)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697

GHSA-vmh5-mc38-953g · CWE-295

... (truncated)

Commits
  • f9eba0a Bumped v7.28.0 (#5430)
  • a027a4a Backport WebSocket maxPayloadSize fixes to v7.x (#5423)
  • 8cb10f9 websocket: limit the number of fragments in a message
  • 04201f8 fix: honor requestTls when proxy is SOCKS5
  • fcd642f fix(socks5): preserve dispatch backpressure return value (#5166)
  • bc98c97 fix(socks5): use configured connector in Socks5ProxyAgent (#5168)
  • 9e1c743 fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (#5099)
  • 376c8be fix(socks5): enforce authenticated state before CONNECT (#5097)
  • 3805b8f fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...
  • 85a2405 fix(cache): trim qualified field names
  • Additional commits viewable in compare view

Updates release-it from 19.2.4 to 20.2.1

Release notes

Sourced from release-it's releases.

Release 20.2.1

  • Document the draft flow for GitHub immutable releases (284e63c6d2022eaf87f9fa66373ca6ad6a942ea0)
  • Resolve dependency security alerts (3156203b614039b4e4cf63b1d4addb409606527f)

Release 20.2.0

  • Print staged-packages approval URL after stage publish (244d8112498d7283f6bdcfd25d487ecc833aff03)
  • Capture the stage id for the approval message (2476065893cfe3421cf54c02d73d280c8192b41d)

Release 20.1.0

  • feat: add --quiet flag to hide release previews (#1274) (ecefe4407351bc74a85e88355a2772ea8fb22396) - thanks @Yeom-JinHo!
  • fix: ensure release body is an empty string instead of null (#1303) (5cc5ebd284673cb67b7897c3bd36c3ace6d54880) - thanks @driiftkiing!
  • Add 'Accept-Encoding' header to GitLab API requests (#1301) (14a478e4c1db309a04babe7060f0d95fb2879134) - thanks @KlausDerKleber!
  • Support npm staged publishing (npm.stage) (aa20f56587f0f5720e684d6b1d6b9bc594b3876e)
  • Run tests on Node 26 (29f079bf8a515f1fced7bde05902183b1e990b2d)
  • Use draft flow for immutable releases with assets (resolve #1295) (c63b4e46710564edf809ea688d12ecc4abc39d33)
  • Publish interactively under --only-version so passkey 2FA works (resolve #1234) (4ebb66ebc6cee1b5352aa0fdafc0fa80ad568645)
  • Format docs/npm.md (a2a262c524a14b040aa9cc50f3ea45f2e4ac78e3)
  • Dogfoodin' (0cb51a9c85cc7e91db57c251e216664197639565)

Release 20.0.1

  • fix: allow false as npm config value in types (#1289) (f783e825944cf8114305606116ca61542f0031c6) - thanks @ahippler!
  • Bump actions/checkout from 5 to 6 (#1262) (19921fc2429b314912a139f66ed43ca12475ffd3) - thanks @dependabot[bot]!
  • fix: Replace @nodeutils/defaults-deep with defu for deep-default merging (#1297) (8616a216ccf2be474732b1aefbe47dce0e6b4eb0) - thanks @rajnsunny!
  • Update dependencies (bee31380a2bbdda7aeaffe7658a3900290a1a181)

Release 20.0.0

  • fix: remove leading slashes from owner (#1288) (5585b720e9389fa857ba50f86161245ccb3b9589) - thanks @driiftkiing!
  • Fix write: false guard in npm.bump (resolve #1267) (a2d1b99bfe52fff1b6768f904cae5c4aaa78cfb1)
  • Format (f427a85758999073a5ea4f666c6ddb4cd5586d61)

Release 20.0.0-1

  • Fix test (56cae4cd441e00a58d3d91fbc15b1503d423a775)
  • Update changelog & docs for v20 (509e50b043003f8adf3f347af949819e2954b639)
  • Improve guessPreReleaseTaggetRegistryDistTags (a62509e6c7374e3d6898b17ae9ec8c365296fe64)

Release 20.0.0-0

  • fix: upgrade undici from 6.23.0 to 7.24.3 to resolve security vulnerabilities (#1285) (cd100eb1368d084f5892a9a2bbad0c14d511125e) - thanks @nbouvrette!
  • Fix Logger.info() on Node.js 25 (#1284) (dcc0b43fc6bb693b3ec176cd8d77bbb40f454164) - thanks @bidord!
  • Update proxy-agent to fix DEP0169 (#1287) (c660ef5f34536988abd203807f53ec3ea5c1c742) - thanks @risantos!
  • Update dependencies (9dc313e29e617af912ace05a5aaa5cc34fdf35a3)
  • Fix lint issues (a0522ff8777fc6877bf03f5f441e33561c9dc25b)
  • Bump engines.node (5654b9badae6dd08a3d654772d2f280f6b1d84c3)
  • Don't roll back if isReleased is set (resolve #1281) (f2a31231f587cb4809415f4eae81a99617177341)
  • Fix if not running test using npm (332f40536ec32bbd816f9872bb89bc864ee66136)
  • Migrate to @inquirer/prompts (resolve #1260) (6c21e95c9188e88d41bb30840672cbd5fe99f5b6)
  • Pop it (c90c4c97e11da8f90b398f045e5337f8ec5e0439)

Changelog

Sourced from release-it's changelog.

Changelog

This document lists breaking changes for each major release.

See the GitHub Releases page for detailed changelogs: https://github.com/release-it/release-it/releases

v20 (2026-03-24)

  • Upgraded undici from v6 to v7 to resolve security vulnerabilities.
  • Upgraded proxy-agent from v6 to v7 to fix DEP0169 (url.parse() deprecation).
  • Migrated from deprecated inquirer to @inquirer/prompts.
  • Bumped engines.node to minimum Node.js v20.19.0 (was v20.12.0).

v19 (2025-04-18)

  • No breaking changes (dependency party)

v18 (2025-01-06)

  • Removed support for Node.js v18.

v17 (2023-11-11)

  • Removed support for Node.js v16.

v16 (2023-07-05)

  • Removed support for Node.js v14.

v15 (2022-04-30)

  • Removed support for Node.js v10 and v12.
  • Removed support for GitLab v12.4 and lower.
  • Removed anonymous metrics (and the option to disable it).
  • Programmatic usage and plugins only through ES Module syntax (import)

Use release-it v14 in legacy environments.

v14 (2020-09-03)

  • Removed global property from plugins. Use this.config[key] instead.
  • Removed deprecated npm.access option. Set this in package.json instead.

v13 (2020-03-07)

  • Dropped support for Node v8
  • Dropped support for GitLab v11.6 and lower.
  • Deprecated scripts are removed (in favor of hooks).
  • Removed deprecated --non-interactive (-n) argument. Use --ci instead.
  • Removed old %s and [REV_RANGE] syntax in command substitutions. Use ${version} and ${latestTag} instead.

... (truncated)

Commits
  • 23b18df Release 20.2.1
  • 3156203 Resolve dependency security alerts
  • 284e63c Document the draft flow for GitHub immutable releases
  • 3217e49 Release 20.2.0
  • 2476065 Capture the stage id for the approval message
  • 244d811 Print staged-packages approval URL after stage publish
  • 5a105f3 Release 20.1.0
  • 0cb51a9 Dogfoodin'
  • a2a262c Format docs/npm.md
  • 4ebb66e Publish interactively under --only-version so passkey 2FA works (resolve #1234)
  • Additional commits viewable in compare view
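The fragment-count bypass described in the undici notes above (a server streaming many empty continuation frames past a bytes-only limit), as an added example that is not undici's code: a toy RFC 6455 frame encoder/decoder and a message assembler that caps total bytes and, separately, the number of fragments per message. The option names `maxPayloadSize` and `maxFragments`, the constructed hostile and benign streams, and the limits chosen are assumptions for illustration, not undici's API or defaults.

```javascript
// Added example, not undici's code. Server-to-client frames are unmasked, so
// masking is omitted; control frames (ping/pong/close) are ignored for brevity.
const OP_CONTINUATION = 0x0;
const OP_TEXT = 0x1;

// Encode one unmasked frame: FIN bit, opcode, 7-bit length with 16/64-bit extensions.
function encodeFrame(fin, opcode, payload) {
  const first = (fin ? 0x80 : 0) | opcode;
  const len = payload.length;
  let header;
  if (len < 126) {
    header = Buffer.from([first, len]);
  } else if (len < 0x10000) {
    header = Buffer.alloc(4);
    header[0] = first; header[1] = 126; header.writeUInt16BE(len, 2);
  } else {
    header = Buffer.alloc(10);
    header[0] = first; header[1] = 127; header.writeBigUInt64BE(BigInt(len), 2);
  }
  return Buffer.concat([header, payload]);
}

// Decode the frame starting at `offset`; `next` is where the following frame begins.
function decodeFrame(buf, offset) {
  const fin = (buf[offset] & 0x80) !== 0;
  const opcode = buf[offset] & 0x0f;
  let len = buf[offset + 1] & 0x7f;
  let pos = offset + 2;
  if (len === 126) { len = buf.readUInt16BE(pos); pos += 2; }
  else if (len === 127) { len = Number(buf.readBigUInt64BE(pos)); pos += 8; }
  return { fin, opcode, payload: buf.subarray(pos, pos + len), next: pos + len };
}

class MessageAssembler {
  // maxFragments defaults to Infinity, which reproduces a bytes-only limit (assumed names).
  constructor({ maxPayloadSize, maxFragments = Infinity }) {
    this.maxPayloadSize = maxPayloadSize;
    this.maxFragments = maxFragments;
    this.fragments = []; // one Buffer per fragment: this array is what grows without bound
    this.totalBytes = 0;
  }

  // Feed one frame. Returns the complete message on FIN, null while still fragmented.
  push(frame) {
    const inProgress = this.fragments.length > 0;
    if (frame.opcode === OP_CONTINUATION && !inProgress) throw new Error('continuation without a start frame');
    if (frame.opcode !== OP_CONTINUATION && inProgress) throw new Error('new data frame during fragmented message');
    this.totalBytes += frame.payload.length;
    if (this.totalBytes > this.maxPayloadSize) throw new Error('message exceeds maxPayloadSize');
    this.fragments.push(frame.payload);
    if (this.fragments.length > this.maxFragments) throw new Error('message exceeds maxFragments');
    if (!frame.fin) return null;
    const message = Buffer.concat(this.fragments);
    this.fragments = [];
    this.totalBytes = 0;
    return message;
  }
}

// Run a byte stream of frames through an assembler and report how far it got.
function consume(stream, limits) {
  const asm = new MessageAssembler(limits);
  const result = { ok: true, messages: [], framesSeen: 0, peakFragments: 0, error: null };
  let offset = 0;
  try {
    while (offset < stream.length) {
      const frame = decodeFrame(stream, offset);
      offset = frame.next;
      result.framesSeen++;
      const message = asm.push(frame);
      result.peakFragments = Math.max(result.peakFragments, asm.fragments.length);
      if (message !== null) result.messages.push(message.toString('utf8'));
    }
  } catch (err) {
    result.ok = false;
    result.error = err.message;
  }
  return result;
}

// Constructed hostile stream: a 1-byte text frame without FIN, then `count` empty
// continuation frames (2 bytes on the wire, 0 bytes of payload) that never finish the message.
function hostileStream(count) {
  const frames = [encodeFrame(false, OP_TEXT, Buffer.from('x'))];
  for (let i = 0; i < count; i++) frames.push(encodeFrame(false, OP_CONTINUATION, Buffer.alloc(0)));
  return Buffer.concat(frames);
}

// Constructed benign stream: "hel"+"lo" as a two-fragment message, then a one-frame message.
const BENIGN = Buffer.concat([
  encodeFrame(false, OP_TEXT, Buffer.from('hel')),
  encodeFrame(true, OP_CONTINUATION, Buffer.from('lo')),
  encodeFrame(true, OP_TEXT, Buffer.from('ok')),
]);

const HOSTILE = hostileStream(10000);
// Bytes-only limit: all 10001 fragments are buffered while totalBytes stays at 1.
const bytesOnly = consume(HOSTILE, { maxPayloadSize: 1024 });
// Adding a fragment cap rejects the stream at the 101st fragment, long before memory matters.
const withFragmentCap = consume(HOSTILE, { maxPayloadSize: 1024, maxFragments: 100 });
```

The point of `peakFragments` is that the payload cap measures bytes, while the cost of the attack is objects: every buffered fragment costs a Buffer header, an array slot and, in a real client, per-frame bookkeeping, so a stream of zero-length frames never trips a bytes-only check. The fragment cap is cheap to enforce and does not affect legitimate fragmented messages, as the benign stream shows.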

dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels on Jun 29, 2026
Bumps [undici](https://github.com/nodejs/undici) to 7.28.0 and updates ancestor dependency [release-it](https://github.com/release-it/release-it). These dependencies need to be updated together.


Updates `undici` from 6.23.0 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.23.0...v7.28.0)

Updates `release-it` from 19.2.4 to 20.2.1
- [Release notes](https://github.com/release-it/release-it/releases)
- [Changelog](https://github.com/release-it/release-it/blob/main/CHANGELOG.md)
- [Commits](release-it/release-it@19.2.4...20.2.1)

---
updated-dependencies:
- dependency-name: release-it
  dependency-version: 20.2.1
  dependency-type: direct:development
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
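The commit message above records undici as `dependency-type: indirect`, pulled in through release-it, which is why the two bumps travel together: a top-level `npm install undici@^7.28.0` only changes the copy the project depends on directly and leaves a nested copy under an ancestor untouched. The following is an added example, not npm's or Dependabot's tooling, of checking a lockfile for every resolved copy of a package and flagging those below the fixed version. The `SAMPLE_LOCK` object is a constructed `package-lock.json` (lockfileVersion 3 layout) modelled on this PR's pre-merge state; the function names and the semver comparison are my own.

```javascript
// Added example, not npm's or Dependabot's code. Scans a package-lock.json
// "packages" map (lockfileVersion 2 or 3), keyed by install path, for a package.

// Parse "MAJOR.MINOR.PATCH[-PRERELEASE][+BUILD]"; build metadata is ignored.
function parseSemver(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(version);
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : null };
}

// Return <0, 0 or >0 following semver precedence (a prerelease sorts below its release).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;   // shorter prerelease identifier list sorts first
    if (y === undefined) return 1;
    const xNum = /^\d+$/.test(x), yNum = /^\d+$/.test(y);
    if (xNum && yNum) { if (+x !== +y) return +x < +y ? -1 : 1; }
    else if (xNum) return -1;         // numeric identifiers sort before alphanumeric ones
    else if (yNum) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every install path whose last "node_modules/" segment is `name`. A nested copy such as
// node_modules/a/node_modules/b is its own entry with its own resolved version.
function findCopies(lock, name) {
  const copies = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    if (installPath === '') continue;                 // the root project itself
    const segments = installPath.split('node_modules/');
    if (segments[segments.length - 1] !== name) continue;
    copies.push({ path: installPath, version: entry.version, dev: Boolean(entry.dev) });
  }
  return copies;
}

function auditPackage(lock, name, fixedIn) {
  return findCopies(lock, name).map((c) => ({ ...c, vulnerable: compareSemver(c.version, fixedIn) < 0 }));
}

// Constructed lockfile (not from the PR): release-it 19.2.4 as a dev dependency carrying
// its own nested undici 6.23.0, while the app's directly installed undici is already current.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/undici': { version: '7.28.0' },
    'node_modules/release-it': { version: '19.2.4', dev: true },
    'node_modules/release-it/node_modules/undici': { version: '6.23.0', dev: true },
  },
};

const findings = auditPackage(SAMPLE_LOCK, 'undici', '7.28.0');
// Any path left here is a copy that a top-level `npm install undici@^7.28.0` does not touch.
const stillVulnerable = findings.filter((f) => f.vulnerable).map((f) => f.path);
```

On a real checkout, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; `npm ls undici` prints the same tree interactively. When the ancestor cannot be bumped, an `overrides` entry in package.json (npm 8.3 and later) is the supported way to force the nested copy to a fixed version; merging this PR is the cleaner route because it moves release-it itself onto a range that already requires undici 7.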
dependabot[bot] force-pushed the dependabot/npm_and_yarn/multi-a500e4a4e3 branch from ae48933 to 5de29d7 on July 3, 2026 19:05