Skip to content

fix: Resolve undici security vulnerability (CVE)#6966

Merged
BYK merged 1 commit into
mainfrom
fix/undici-security-vulnerability
Jan 21, 2026
Merged

fix: Resolve undici security vulnerability (CVE)#6966
BYK merged 1 commit into
mainfrom
fix/undici-security-vulnerability

Conversation

@BYK

@BYK BYK commented Jan 21, 2026

Copy link
Copy Markdown
Member

Summary

Fixes Dependabot alert #36 (low severity) - unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion.

Changes

  • Added yarn resolutions to force undici@^6.23.0 (patched version)
  • Updated yarn.lock to resolve undici to 6.23.0

Root Cause

The vulnerable undici@5.x was a transitive dependency from @actions/github and @actions/http-client, which pin to ^5.28.5 and won't accept 6.x without an upstream update.

Testing

Add yarn resolutions to force undici@^6.23.0, fixing Dependabot alert #36
for unbounded decompression chain vulnerability in HTTP responses.

The vulnerable undici@5.x was a transitive dependency from @actions/github
and @actions/http-client which pin to ^5.28.5.
@BYK BYK marked this pull request as ready for review January 21, 2026 15:43
@BYK BYK requested a review from a team as a code owner January 21, 2026 15:43
@BYK BYK merged commit bc8133e into main Jan 21, 2026
7 checks passed
@BYK BYK deleted the fix/undici-security-vulnerability branch January 21, 2026 15:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant