Dependency "undici" flagged as vulnerable package by code scan

[vegardei]

Hi,

We had to bump the referenced package "undici" to version 5.28.5 in order to pass Snyk's vulnarability tests:
https://security.snyk.io/vuln/SNYK-JS-UNDICI-8641354

It would be nice if this project also did the same.

[MrCNeale]

We have the same issue flagged by github enterprise dependabot.

[hallvictoria]

Thanks for reporting! We bumped the version in #328 and will do a new release soon. The fix will be in @azure/functions 4.6.1, and ETA is early-mid next week.

[timtucker]

This seems like a pretty short-term fix.

Undici V5 EOL is slated for April 30, 2025:
https://blog.platformatic.dev/undici-v7-is-here

Moving ahead with #305 would help here, although pushing Node 22 as a dependency when support for 22 in Azure Functions hasn't gone to GA yet is an issue.

[timtucker-dte]

@hallvictoria -- we're only a week away from EOL for Undici 5. Is there a plan for updating (or removing) the dependency?

[hallvictoria]

Hey, sorry for the delay. We are actively tracking this -- the plan currently is to remove this dependency, but this will require more investigation and testing. I don't have an ETA for that now

[Toritos01]

@hallvictoria, in the meantime, would it be possible to bump Undici from 5.28.5 -> 5.29.0?
We are getting some vulnerability alerts from the current version.
Thanks!

[hallvictoria]

New release 4.7.2 has the updated undici version! Please let me know if you're still facing issues.