Bump undici to 7.27.0 to fix three open Dependabot alerts in extension/#17868
The extension/ workspace currently pins undici to 7.21.0 via the `resolutions` block in extension/package.json. That release is in the vulnerable range for three open advisories filed against extension/yarn.lock:

- GHSA-cxjh-pqwp-8mfp (#1182, medium) - CRLF Injection via `upgrade`
- GHSA-f269-vfmq-vjvj (#1180, high) - WebSocket 64-bit length overflow
- GHSA-9f74-3xc5-r7g4 (#1179, medium) - HTTP Request/Response Smuggling

All three are first patched in undici 7.24.0. Bump the resolution to 7.27.0 (the latest 7.x mirrored to the internal dotnet-public-npm feed) and regenerate extension/yarn.lock through that feed so the lockfile guard in CI (`extension/yarn.lock contains resolved entries outside the internal dotnet-public-npm feed`) keeps passing. cheerio's `undici ^7.19.0` constraint is still satisfied, so no other package versions change.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
🚀 Dogfood this PR with:

curl -fsSL https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.sh | bash -s -- 17868

Or

iex "& { $(irm https://raw.githubusercontent.com/microsoft/aspire/main/eng/scripts/get-aspire-cli-pr.ps1) } 17868"
Pull request overview
Updates the VS Code extension’s Yarn resolution pin for undici to a patched 7.x version to address the three open Dependabot security alerts affecting extension/yarn.lock.
Changes:
- Bump `undici` resolution from `7.21.0` to `7.27.0` in `extension/package.json`.
- Regenerate the corresponding `undici` entry in `extension/yarn.lock` while keeping the internal `dotnet-public-npm` registry URL.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| extension/package.json | Updates the resolutions pin for undici to 7.27.0. |
| extension/yarn.lock | Updates the lock entry for undici to 7.27.0 using the internal feed URL. |
The 'installs the E2E runner dependencies from the internal npm feed' test pins the expected undici version. Update both the package.json resolution assertion and the yarn.lock substring check to match the new 7.27.0 pin. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
The only remaining red check is This is pre-existing on The Linux counterpart All 327 other checks are green. Happy to dig further if anyone has reason to think the bump is implicated.
❓ CLI E2E Tests unknown — 112 passed, 0 failed, 2 unknown (commit View all recordings

📹 Recordings uploaded automatically from CI run #26881288945
Nit: two GHSA IDs in the table look stale/mismatched. The Dependabot alert API shows:
The alert numbers, severities, summaries, and
radical left a comment:
LGTM. The dependency bump itself is consistent: package.json, yarn.lock, and the guard test all agree on undici@7.27.0, the lockfile stays on the internal feed, and 7.27.0 is above the 7.24.0 patched floor for the three open alerts.
I left one PR-description nit for the advisory IDs, but that does not affect the correctness of the fix.
Pull request created: #1205
📝 Documentation has been drafted in microsoft/aspire.dev#1205 targeting Added a security patch note to Files modified:

Signal triggered: Note This draft PR needs human review before merging.
Summary
Resolves the three open `undici` Dependabot alerts filed against `extension/yarn.lock`. All three are first patched in `undici@7.24.0`.

What changed

`extension/package.json` pins `undici` via the `resolutions` block (currently at `7.21.0`, which is in the vulnerable range). This PR bumps the pin to `7.27.0` - the latest 7.x release mirrored to the internal `dotnet-public-npm` feed - and regenerates `extension/yarn.lock` through that feed.

- `extension/package.json`: `"undici": "7.21.0"` -> `"undici": "7.27.0"`
- `extension/yarn.lock`: corresponding `undici@7.27.0` entry, `resolved` URL stays on the internal `pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm` registry.

`cheerio`'s `undici "^7.19.0"` constraint is still satisfied, so nothing else moves and the lockfile diff is minimal (3 lines per file). The pre-restore lockfile guard introduced in #17474 (no public registry URLs in `extension/yarn.lock`) still passes - I ran the same node one-liner the CI uses.

Note on versions available in the internal feed

I checked the internal mirror before picking a target:

- `7.24.0` - 303 (available)
- `7.25.0` - 303 (available)
- `7.26.0` - 303 (available)
- `7.27.0` - 303 (available, latest 7.x)
- `8.x` - mostly 401 (not mirrored), so kept on the 7.x line that `cheerio` already wants.

Other open alerts
The other six open Dependabot alerts (ws, @nevware21/ts-utils, fast-uri x2, qs, vitest) are already addressed by Dependabot's group PR #17854.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
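The PR description relies on two checks that are easy to automate: every `resolved` URL in `extension/yarn.lock` must stay on the internal feed, and the pinned `undici` must sit at or above the `7.24.0` patched floor. The script below is an added example written for this page, not the aspire repository's CI guard or any of its scripts. It assumes the classic yarn v1 lockfile layout (`version` / `resolved` / `integrity` lines under a descriptor header); the feed prefix is taken from the PR text, while the sample lockfile, the `@scope/leaked` package name and the placeholder integrity values are constructed here so the guard has one external entry to flag.

```javascript
// Added example (not the aspire repo's own CI script): a yarn v1 lockfile guard
// that (1) flags any `resolved` URL outside the allowed registry prefix and
// (2) checks that a named package resolves at or above a patched-version floor.

// Feed prefix as quoted in the PR text.
const INTERNAL_FEED_PREFIX =
  'https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/';

// Constructed sample lockfile (not the real extension/yarn.lock). The last entry
// deliberately points at the public registry so the guard has something to flag.
const SAMPLE_LOCKFILE = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


undici@7.27.0, undici@^7.19.0:
  version "7.27.0"
  resolved "https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/registry/undici/-/undici-7.27.0.tgz"
  integrity sha512-CONSTRUCTED_PLACEHOLDER

cheerio@^1.0.0:
  version "1.0.0"
  resolved "https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet-public-npm/npm/registry/cheerio/-/cheerio-1.0.0.tgz"
  integrity sha512-CONSTRUCTED_PLACEHOLDER

"@scope/leaked@^2.0.0":
  version "2.3.1"
  resolved "https://registry.yarnpkg.com/@scope/leaked/-/leaked-2.3.1.tgz"
  integrity sha512-CONSTRUCTED_PLACEHOLDER
`;

// Parse a yarn v1 lockfile into { name, descriptors, version, resolved, integrity } entries.
function parseYarnV1Lock(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split('\n')) {
    const line = rawLine.replace(/\r$/, '');
    if (line === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Header: comma-separated descriptors (possibly quoted) ending in ':'.
      const header = line.replace(/:$/, '');
      const descriptors = header.split(',').map(d => d.trim().replace(/^"|"$/g, ''));
      const first = descriptors[0];
      // The package name is everything before the last '@' (handles scoped names).
      const name = first.slice(0, first.lastIndexOf('@'));
      current = { name, descriptors, version: null, resolved: null, integrity: null };
      entries.push(current);
      continue;
    }
    const m = line.match(/^\s+(version|resolved|integrity)\s+"?([^"]*)"?$/);
    if (m && current) current[m[1]] = m[2];
  }
  return entries;
}

// Every entry whose resolved URL is not under the allowed prefix.
function findExternalResolved(entries, allowedPrefix) {
  return entries
    .filter(e => e.resolved && !e.resolved.startsWith(allowedPrefix))
    .map(e => ({ name: e.name, version: e.version, resolved: e.resolved }));
}

// Numeric compare of dotted versions; negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function resolvedVersionOf(entries, name) {
  const e = entries.find(x => x.name === name);
  return e ? e.version : null;
}

// True when `name` is present and resolves at or above `floor`.
function meetsPatchedFloor(entries, name, floor) {
  const v = resolvedVersionOf(entries, name);
  return v !== null && compareVersions(v, floor) >= 0;
}

// Combined report: external entries plus a pass/fail per patched-version floor.
function auditLockfile(text, allowedPrefix, floors) {
  const entries = parseYarnV1Lock(text);
  const floorResults = {};
  for (const [name, floor] of Object.entries(floors)) {
    floorResults[name] = meetsPatchedFloor(entries, name, floor);
  }
  return { external: findExternalResolved(entries, allowedPrefix), floors: floorResults };
}

// Stand-alone run on the constructed sample: one external entry, undici floor satisfied.
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCKFILE, INTERNAL_FEED_PREFIX, { undici: '7.24.0' }), null, 2));
```

In CI the same `auditLockfile` call would read `extension/yarn.lock` from disk and fail the job when `external` is non-empty or any floor is `false`; the floor map is where the `7.24.0` patched version from the advisories belongs, so a future downgrade of the resolution pin fails the guard rather than reopening the alerts silently.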