Skip to content

fix: upgrade undici to >=7.28.0#303

Merged
mikkojamG merged 1 commit into
mainfrom
fix/LINK-2583-undici-update
Jul 2, 2026
Merged

fix: upgrade undici to >=7.28.0#303
mikkojamG merged 1 commit into
mainfrom
fix/LINK-2583-undici-update

Conversation

@tjgofore

@tjgofore tjgofore commented Jun 23, 2026

Copy link
Copy Markdown
Contributor

Description ✨

Upgrade undici to non-vulnerable version.

Resolves:
https://github.com/City-of-Helsinki/linkedregistrations-ui/security/dependabot/145
https://github.com/City-of-Helsinki/linkedregistrations-ui/security/dependabot/143
https://github.com/City-of-Helsinki/linkedregistrations-ui/security/dependabot/144
https://github.com/City-of-Helsinki/linkedregistrations-ui/security/dependabot/148
https://github.com/City-of-Helsinki/linkedregistrations-ui/security/dependabot/149
https://github.com/City-of-Helsinki/linkedregistrations-ui/security/dependabot/146

Issues 🐛

Closes 🙅‍♀️

LINK-2583

Related 🤝

Testing ⚗️

Automated tests ⚙️️

Manual testing 👷‍♂️

Screenshots 📸

Additional notes 🗒️

Summary by CodeRabbit

  • Chores
    • Bumped development dependency versions (dotenv, eslint, next-router-mock).
    • Updated workspace release-age enforcement by excluding selected package versions from the minimum release age check.

@tjgofore tjgofore requested a review from a team as a code owner June 23, 2026 06:02
@coderabbitai

coderabbitai Bot commented Jun 23, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3daea056-c059-4881-8d19-ed168357e7f8

📥 Commits

Reviewing files that changed from the base of the PR and between 83012c1 and 42988dc.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • package.json
  • pnpm-workspace.yaml
✅ Files skipped from review due to trivial changes (1)
  • package.json

📝 Walkthrough

Walkthrough

Three minor dependency version bumps in package.json (dotenv, eslint, next-router-mock) and a new minimumReleaseAgeExclude list in pnpm-workspace.yaml exempting four specific package versions from the existing minimumReleaseAge constraint.

Changes

Dependency Updates

Layer / File(s) Summary
Minor dependency version bumps
package.json
dotenv bumped to ^16.5.0, eslint to ^10.2.0, next-router-mock to ^0.9.13.
pnpm workspace release-age exclusions
pnpm-workspace.yaml
Adds minimumReleaseAgeExclude block listing js-yaml@4.2.0, @babel/core@7.29.7, @opentelemetry/core@2.8.0, and undici@7.28.0 to bypass the minimumReleaseAge: 10080 rule. Representational changes to surrounding overrides and allowBuilds blocks are retained.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐇 Hop, hop, versions leap ahead,
A tiny bump for each package thread.
Four friends excluded from the age delay,
The workspace rules now make their way.
Small steps forward, neat and bright —
The rabbit stamps the config right! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title directly addresses the main change: upgrading undici to a non-vulnerable version, which aligns with the primary objective of this PR.
Description check ✅ Passed The description covers the main purpose (upgrading undici for security), references multiple security alerts and the Jira issue, but Testing and Manual testing sections are empty.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/LINK-2583-undici-update

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Comment thread pnpm-workspace.yaml Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pnpm-workspace.yaml`:
- Around line 25-29: In the minimumReleaseAgeExclude list in
pnpm-workspace.yaml, correct the package versions to match the actual locked
versions in pnpm-lock.yaml. Change the js-yaml entry from version 4.1.2 to
4.2.0, and change the `@babel/core` entry from version 7.29.1 to 7.29.7. The
versions for `@opentelemetry/core`@2.8.0 and undici@7.28.0 are already correct and
do not need modification.
- Around line 24-29: Update the incorrect package versions in the
minimumReleaseAgeExclude list in pnpm-workspace.yaml. Change js-yaml@4.1.2 to
js-yaml@4.2.0 and `@babel/core`@7.29.1 to `@babel/core`@7.29.7, as the current
versions are typos that do not exist on npm and will cause install failures.
These versions should match the actual versions present in the lock file.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: cf76c43d-fdf6-4d55-953f-d398c6edd3c5

📥 Commits

Reviewing files that changed from the base of the PR and between 105d049 and 83012c1.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • package.json
  • pnpm-workspace.yaml

Comment thread pnpm-workspace.yaml
Comment thread pnpm-workspace.yaml
@azure-pipelines

Copy link
Copy Markdown

LINKEDREGISTRATIONS-UI branch is deployed to platta: https://linkedregistrations-pr303-ui.dev.hel.ninja 🚀🚀🚀

@azure-pipelines

Copy link
Copy Markdown

e2e tests result is success for https://linkedregistrations-pr303-ui.dev.hel.ninja 😆🎉🎉🎉

@tjgofore tjgofore force-pushed the fix/LINK-2583-undici-update branch from 83012c1 to 42988dc Compare June 23, 2026 09:10
@azure-pipelines

Copy link
Copy Markdown

LINKEDREGISTRATIONS-UI branch is deployed to platta: https://linkedregistrations-pr303-ui.dev.hel.ninja 🚀🚀🚀

@azure-pipelines

Copy link
Copy Markdown

e2e tests result is success for https://linkedregistrations-pr303-ui.dev.hel.ninja 😆🎉🎉🎉

@sonarqubecloud

sonarqubecloud Bot commented Jul 2, 2026

Copy link
Copy Markdown

@mikkojamG mikkojamG merged commit 64489d7 into main Jul 2, 2026
33 checks passed
@mikkojamG mikkojamG deleted the fix/LINK-2583-undici-update branch July 2, 2026 11:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants