
Conversation

@roggervalf

There is a vulnerability detected in undici v5; the recommendation is to migrate to at least v6.23.0: https://osv.dev/vulnerability/GHSA-g9mf-h72j-4rw9

Copilot AI review requested due to automatic review settings January 15, 2026 06:10
@roggervalf roggervalf requested a review from a team as a code owner January 15, 2026 06:10

Copilot AI left a comment


Pull request overview

This PR upgrades the undici dependency from v5.28.5 to v6.23.0 to address a security vulnerability (GHSA-g9mf-h72j-4rw9). The upgrade includes updating the ProxyAgent configuration to use the new v6 API for handling SSL certificate rejection.

Changes:

  • Updated undici dependency from ^5.28.5 to ^6.23.0 in package.json
  • Refactored SSL error handling to use the new requestTls configuration option in ProxyAgent constructor
  • Removed the @fastify/busboy dependency (no longer required by undici v6)

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 3 comments.

File                                     Description
packages/http-client/package.json        Updated undici dependency version to ^6.23.0
packages/http-client/package-lock.json   Updated lock file with undici v6.23.0 and removed @fastify/busboy dependency
packages/http-client/src/index.ts        Refactored ProxyAgent SSL error handling to use requestTls configuration instead of post-construction property assignment

Files not reviewed (1)
  • packages/http-client/package-lock.json: Language not supported

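The review summary above describes the core of the migration: in undici v6 the TLS settings for a ProxyAgent are handed to the constructor as options rather than assigned onto the agent after it is built. The following is an added example written for this page, not code from the http-client package or from undici, showing that constructor-options style together with the Node.js floor check the engines bump implies. `uri`, `requestTls` and `proxyTls` are undici's real ProxyAgent option names; the helper names, the `insecureSkipVerify` flag, and the assumption that the PR's "SSL certificate rejection" handling maps onto `rejectUnauthorized` are this example's own.

```javascript
// Added example (not the http-client package's or undici's own code).
// Shows undici v6 ProxyAgent configuration via constructor options and a
// check that the running Node.js satisfies undici v6's engines floor.
// Helper names, the insecureSkipVerify flag and the mapping of the PR's
// "SSL certificate rejection" handling to rejectUnauthorized are assumptions.

// Minimum Node.js version required by undici v6 (from the engines bump).
const UNDICI_V6_NODE_FLOOR = "18.17.0";

// Parse "v20.11.1" or "20.11.1" into [major, minor, patch].
function parseNodeVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unrecognised Node.js version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when `actual` is at or above `floor` in major.minor.patch order.
function satisfiesFloor(actual, floor = UNDICI_V6_NODE_FLOOR) {
  const a = parseNodeVersion(actual);
  const f = parseNodeVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== f[i]) return a[i] > f[i];
  }
  return true;
}

// Build the options object for `new ProxyAgent(options)` in undici v6.
// TLS settings for the connection to the origin go in `requestTls`; settings
// for the connection to the proxy itself go in `proxyTls`. Both are passed
// to the constructor instead of being patched onto the agent afterwards.
// Certificate verification stays on unless the caller explicitly opts out.
function buildProxyAgentOptions({ proxyUrl, insecureSkipVerify = false, ca } = {}) {
  if (!proxyUrl) throw new Error("proxyUrl is required");
  const url = new URL(proxyUrl);
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    throw new Error(`unsupported proxy scheme: ${url.protocol}`);
  }
  const requestTls = { rejectUnauthorized: !insecureSkipVerify };
  if (ca) requestTls.ca = ca;
  const options = { uri: proxyUrl, requestTls };
  // Only an https:// proxy has its own TLS handshake to configure.
  if (url.protocol === "https:") {
    options.proxyTls = { rejectUnauthorized: !insecureSkipVerify };
    if (ca) options.proxyTls.ca = ca;
  }
  return options;
}

// Instantiate the agent. undici is imported lazily so the rest of this file
// runs without the package installed; nothing here opens a connection.
async function createProxyAgent(opts) {
  if (!satisfiesFloor(process.version)) {
    throw new Error(
      `undici v6 needs Node.js >=${UNDICI_V6_NODE_FLOOR}, running ${process.version}`
    );
  }
  const { ProxyAgent } = await import("undici");
  return new ProxyAgent(buildProxyAgentOptions(opts));
}

// Stand-alone demo on a constructed proxy URL (no network traffic).
const demoOptions = buildProxyAgentOptions({
  proxyUrl: "https://proxy.example.internal:3128",
});
console.log(JSON.stringify(demoOptions));
```

The security point the helper enforces is that `rejectUnauthorized: false` is never the default: a caller has to pass `insecureSkipVerify: true` to get it, which keeps the "ignore certificate errors" path visible in code review instead of being a silent property write after construction.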

},
"engines": {
"node": ">=14.0"
"node": ">=18.17"
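Review bot: the engines.node bump from >=14.0 to >=18.17 in this hunk is not listed under "Changes" in the review summary, yet it is the one part of the upgrade that breaks downstream consumers still on Node 14 or 16; add it to the PR summary and the changelog as a breaking change. Since the package's CI matrix runs only Node 20.x and 24.x (per the review comment), the new floor is not actually exercised; consider adding an 18.x job so the stated minimum is tested rather than assumed.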

Copilot AI Jan 15, 2026


Undici v6 requires Node.js >=18.17, but the CI/CD tests run on Node.js 20.x and 24.x. While these versions satisfy the requirement, older GitHub Actions runners may use Node.js 16.x. Consider documenting this breaking change as it increases the minimum Node.js version requirement from v14 (undici v5) to v18.17 (undici v6).

Author


It should be confirmed by maintainers, as if Node versions below 18 are not listed in unit tests, it could be expected not to support them.
