Skip to content

chore(deps): bump undici from 6.26.0 to 6.27.0 in /econoflow-mobile#883

Closed
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/econoflow-mobile/undici-6.27.0
Closed

chore(deps): bump undici from 6.26.0 to 6.27.0 in /econoflow-mobile#883
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/econoflow-mobile/undici-6.27.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 24, 2026

Copy link
Copy Markdown
Contributor

Bumps undici from 6.26.0 to 6.27.0.

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 6.27.0 b7f252e7
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 6.27.0 25efa447
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 6.27.0 25efa447
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 6.27.0 f4c31d60

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 24, 2026
Bumps [undici](https://github.com/nodejs/undici) from 6.26.0 to 6.27.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.26.0...v6.27.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 6.27.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/econoflow-mobile/undici-6.27.0 branch from 71ac0e2 to 4faafba Compare July 1, 2026 06:56
@FelipePSoares

Copy link
Copy Markdown
Owner

Superseded by PR #895 (batch dependency update)

@dependabot @github

dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@FelipePSoares FelipePSoares deleted the dependabot/npm_and_yarn/econoflow-mobile/undici-6.27.0 branch July 3, 2026 18:32
FelipePSoares added a commit that referenced this pull request Jul 3, 2026
* chore: batch dependency updates + .NET 10 migration

Closes: PR #894, #893, #892, #891, #890, #889, #887, #886, #885, #884, #883, #880, #879, #877, #876, #875, #874, #873, #872, #871, #870, #868, #866, #864, #862, #861

Updates:
- .NET 8 -> .NET 10 (TFM net8.0 -> net10.0, all Microsoft.* packages -> 10.0.9)
- Swashbuckle.AspNetCore 7.2.0 -> 10.2.3 (with OpenApi namespace fix)
- Microsoft.NET.Test.Sdk 18.6.0 -> 18.7.0
- Serilog.Sinks.Http, WebPush, Jwt packages
- EF Core 8.0.12 -> 10.0.9
- Angular 22.0.1 -> 22.0.4 (cdk/material 22.0.2)
- eslint frontend 9.x -> 10.6.0
- expo 56 -> 57
- expo-notifications 56 -> 57
- react-native 0.85.3 -> 0.86.0
- react 19.2.3 -> 19.2.7
- React Navigation, i18next, axios, react-query, etc.
- GitHub Actions (checkout v6->v7, cache v5->v6)
- dotnet-version 8.0.x -> 10.0.x in CI

* fix: upgrade jest-expo to 57.0.1 for expo 57 compatibility

jest-expo@56 required @react-native/jest-preset@^0.85.0,
conflicting with react-native 0.86 that needs @react-native/jest-preset@0.86.0

* fix: regenerate lockfiles without --legacy-peer-deps for npm ci compatibility

---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant