Skip to content

fix(security): force undici@^6.24.0 via npm override (clears 5 advisories)#20

Merged
colek42 merged 1 commit into
mainfrom
nk/undici-cve-fix
May 26, 2026
Merged

fix(security): force undici@^6.24.0 via npm override (clears 5 advisories)#20
colek42 merged 1 commit into
mainfrom
nk/undici-cve-fix

Conversation

@colek42

@colek42 colek42 commented May 26, 2026

Copy link
Copy Markdown
Contributor

Summary

Clears the undici advisories npm audit flags in shim/ — replaces the stale #10 with the same fix on current main.

undici 5.29.0 (pulled transitively by @actions/http-client) is vulnerable to 5 advisories (4 high / 1 moderate): unbounded decompression, request/response smuggling, WebSocket permessage-deflate memory exhaustion, invalid server_max_window_bits handling, CRLF injection. Fix requires undici ≥ 6.24.0.

What

  • Add "overrides": { "undici": "^6.24.0" } to shim/package.json.
  • Regenerate the committed shim/node_modules (this action runs shim/index.js directly per action.yml, so the tree ships resolved). undici resolves to 6.26.0; the undici-5-only @fastify/busboy transitive dep drops out.

Verification

  • npm audit0 vulnerabilities (was 2: 1 high + 1 moderate aggregate)
  • npm ls undiciundici@6.26.0 overridden
  • shim require-graph resolves (node -e "require('./shim/index.js')" runs to the expected RUNNER_TEMP guard)
  • CI (incl. self-test)

Why not #10

#10 was cut 2026-05-13, its Self-test check is red, and it predates the active v1.0.5-rc work. This is the same override on current main with a fresh, minimal lock. Closing #10 in favor of this.

🤖 Generated with Claude Code

…ries)

npm audit flagged undici 5.29.0 (pulled transitively by
@actions/http-client) for 5 high/moderate advisories: unbounded
decompression, request/response smuggling, WebSocket memory exhaustion,
invalid server_max_window_bits handling, and CRLF injection. Fix
requires undici >= 6.24.0.

Add an `overrides: { undici: ^6.24.0 }` to shim/package.json and
regenerate the committed node_modules (the action runs shim/index.js
directly, so the tree must ship resolved). undici resolves to 6.26.0;
the undici-5-only @fastify/busboy dep drops out. `npm audit` now clean.

Replaces the stale #10 (cut 2026-05-13, red self-test) — same fix on
current main with a fresh, minimal lock.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@colek42 colek42 merged commit 490f178 into main May 26, 2026
1 of 9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants