Skip to content

build(deps): bump the npm_and_yarn group across 1 directory with 2 updates #245

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
guibranco merged 1 commit into from
Jan 29, 2026
Merged

build(deps): bump the npm_and_yarn group across 1 directory with 2 updates #245

guibranco merged 1 commit into from
Jan 29, 2026

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Jan 29, 2026

Bumps the npm_and_yarn group with 2 updates in the / directory: tar and undici.

Updates tar from 7.5.6 to 7.5.7

Commits
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.


Updates undici from 5.29.0 to 6.23.0

Release notes

Sourced from undici's releases.

v6.23.0

⚠️ Security Release

This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.

Full Changelog: nodejs/undici@v6.22.0...v6.23.0

v6.22.0

What's Changed

Full Changelog: nodejs/undici@v6.21.3...v6.22.0

v6.21.3

What's Changed

Full Changelog: nodejs/undici@v6.21.2...v6.21.3

v6.21.2

What's Changed

New Contributors

Full Changelog: nodejs/undici@v6.21.1...v6.21.2

v6.21.1

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

What's Changed

... (truncated)

Commits
  • fbc31e2 Bumped v6.23.0
  • 3477c94 chore: release flow using provenance
  • d3aafea fix: limit Content-Encoding chain to 5 to prevent resource exhaustion
  • f9c9185 Bumped v6.22.0
  • f670f2a feat: make UndiciErrors reliable to instanceof (#4472) (#4480)
  • 422e397 feat(ProxyAgent) improve Curl-y behavior in HTTP->HTTP Proxy connections (#41...
  • 4a06ffe feat(ProxyAgent): match Curl behavior in HTTP->HTTP Proxy connections (#4180)...
  • 4cb3974 fix: fix EnvHttpProxyAgent for the Node.js bundle (#4064) (#4432)
  • 44c23e5 fix: fix wrong stream canceled up after cloning (v6) (#4414)
  • da0e823 Bumped v6.21.4
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
build(deps): bump the npm_and_yarn group across 1 directory with 2 up…
c479a13 
…dates

Bumps the npm_and_yarn group with 2 updates in the / directory: [tar](https://github.com/isaacs/node-tar) and [undici](https://github.com/nodejs/undici).


Updates `tar` from 7.5.6 to 7.5.7
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.6...v7.5.7)

Updates `undici` from 5.29.0 to 6.23.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v5.29.0...v6.23.0)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 7.5.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 6.23.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code npm labels Jan 29, 2026
@github-actions github-actions bot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Jan 29, 2026
@guibranco guibranco enabled auto-merge (squash) January 29, 2026 14:04
@gstraccini gstraccini bot added the ☑️ auto-merge Automatic merging of pull requests (gstraccini-bot) label Jan 29, 2026
guibranco
guibranco approved these changes Jan 29, 2026
View reviewed changes
Copy link
Owner

@guibranco guibranco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by gstraccini[bot]

@coderabbitai
Copy link

coderabbitai bot commented Jan 29, 2026

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

  • 🔍 Trigger a full review

Comment @coderabbitai help to get the list of available commands and usage tips.

@gstraccini gstraccini bot added the 🤖 bot Automated processes or integrations label Jan 29, 2026
@socket-security
Copy link

socket-security bot commented Jan 29, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updated@​actions/​github@​7.0.0 ⏵ 9.0.099 +2100100 +195 +4100

View full report

@socket-security
Copy link

socket-security bot commented Jan 29, 2026

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Low
Embedded URLs or IPs: npm @octokit/plugin-rest-endpoint-methods

URLs: https://docs.github.com/actions/managing-workflow-runs/approving-workflow-runs-from-public-forks, https://docs.github.com/rest/guides/encrypting-secrets-for-the-rest-api, https://pynacl.readthedocs.io/en/latest/public/#nacl-public-sealedbox, https://www.nuget.org/packages/Sodium.Core/, https://github.com/RubyCrypto/rbnacl, https://libsodium.gitbook.io/doc/bindings_for_other_languages, https://github.com/octo-org, https://docs.github.com/organizations/managing-organization-settings/disabling-or-limiting-github-actions-for-your-organization#setting-the-permissions-of-the-github_token-for-your-organization, https://docs.github.com/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#setting-the-permissions-of-the-github_token-for-your-repository, https://docs.github.com/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#allowing-access-to-components-in-a-private-repository, https://github.blog/changelog/2025-02-02-actions-get-workflow-usage-and-get-workflow-run-usage-endpoints-closing-down/, https://docs.github.com/github/setting-up-and-managing-billing-and-payments-on-github/managing-billing-for-github-actions, https://docs.github.com/actions/deployment/targeting-different-environments/using-environments-for-deployment, https://docs.github.com/rest/using-the-rest-api/getting-started-with-the-rest-api#hypermedia, https://docs.github.com/rest/using-the-rest-api/getting-started-with-the-rest-api#media-types, https://docs.github.com/rest/activity/notifications#list-notifications-for-the-authenticated-user, https://docs.github.com/rest/activity/notifications#list-repository-notifications-for-the-authenticated-user, https://github.com/notifications., https://docs.github.com/rest/guides/getting-started-with-the-rest-api#http-method, https://docs.github.com/apps/building-github-apps/creating-github-apps-from-a-manifest/, https://github.com/settings/applications#authorized, https://docs.github.com/rest/apps/apps#suspend-an-app-installation, https://docs.github.com/apps/building-github-apps/authenticating-with-github-apps/#authenticating-as-a-github-app, https://docs.github.com/rest/apps/apps#list-installations-for-the-authenticated-app, https://github.com/settings/apps/:app_slug, https://docs.github.com/rest/authentication/authenticating-to-the-rest-api#using-basic-authentication, https://docs.github.com/rest/apps/apps#create-an-installation-access-token-for-an-app, https://docs.github.com/billing/using-the-new-billing-platform, https://docs.github.com/github/setting-up-and-managing-billing-and-payments-on-github/managing-billing-for-github-packages, https://docs.github.com/rest/checks/runs, https://docs.github.com/rest/checks/suites#update-repository-preferences-for-check-suites, https://docs.github.com/rest/actions/workflow-runs#re-run-a-job-from-a-workflow-run, https://docs.oasis-open.org/sarif/sarif/v2.1.0/cs01/sarif-v2.1.0-cs01.html, https://docs.github.com/organizations/managing-peoples-access-to-your-organization-with-roles/managing-security-managers-in-your-organization, https://docs.github.com/code-security/code-scanning/troubleshooting-sarif, https://docs.github.com/code-security/code-scanning/troubleshooting-sarif/results-exceed-limit, https://docs.github.com/rest/codespaces/organization-secrets#create-or-update-an-organization-secret, https://docs.github.com/copilot/managing-copilot/managing-github-copilot-in-your-organization/managing-the-copilot-subscription-for-your-organization/about-billing-for-github-copilot-in-your-organization, https://docs.github.com/copilot/managing-copilot/managing-github-copilot-in-your-organization/managing-the-copilot-subscription-for-your-organization/subscribing-to-copilot-for-your-organization, https://docs.github.com/copilot/managing-copilot/managing-github-copilot-in-your-organization/setting-policies-for-copilot-in-your-organization/managing-policies-for-copilot-in-your-organization#policies-for-suggestion-matching, https://docs.github.com/copilot/managing-copilot/managing-github-copilot-in-your-organization/managing-access-to-github-copilot-in-your-organization/revoking-access-to-copilot-for-members-of-your-organization, https://docs.github.com/copilot/managing-copilot/managing-policies-for-copilot-business-in-your-organization, https://docs.github.com/copilot/reference/metrics-data, https://docs.github.com/rest/dependabot/secrets#create-or-update-an-organization-secret, https://github.com/github/tweetsodium, https://docs.github.com/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-security-and-analysis-settings-for-your-repository#granting-access-to-security-alerts, https://docs.github.com/rest/guides/using-pagination-in-the-rest-api, https://git-scm.com/book/en/v2/Git-Internals-Git-Objects, https://docs.github.com/rest/git/refs#create-a-reference, https://docs.github.com/rest/git/commits#create-a-commit, https://docs.github.com/rest/git/refs#update-a-reference, https://docs.github.com/rest/guides/getting-started-with-the-git-database-api#checking-mergeability-of-pull-requests, https://docs.github.com/rest/pulls/pulls#get-a-pull-request, https://git-scm.com/book/en/v2/Git-Internals-Git-References, https://docs.github.com/rest/using-the-rest-api/rate-limits-for-the-rest-api#about-secondary-rate-limits, https://docs.github.com/rest/guides/best-practices-for-using-the-rest-api, https://docs.github.com/github/managing-subscriptions-and-notifications-on-github/about-notifications, https://docs.github.com/rest/pulls/pulls#list-pull-requests, https://docs.github.com/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/licensing-a-repository, https://docs.github.com/articles/about-github-s-ip-addresses/, https://docs.github.com/rest/migrations/users#start-a-user-migration, https://docs.github.com/rest/repos/repos#delete-a-repository, https://docs.github.com/rest/orgs/organization-roles, https://docs.github.com/rest/orgs/security-managers#add-a-security-manager-team, https://docs.github.com/organizations/managing-peoples-access-to-your-organization-with-roles/using-organization-roles, https://docs.github.com/articles/converting-an-organization-member-to-an-outside-collaborator/, https://docs.github.com/admin/policies/enforcing-policies-for-your-enterprise/enforcing-repository-management-policies-in-your-enterprise#enforcing-a-policy-for-inviting-outside-collaborators-to-repositories, https://docs.github.com/site-policy/github-terms/github-terms-of-service, https://docs.github.com/issues/tracking-your-work-with-issues/configuring-issues/managing-issue-types-in-an-organization, https://docs.github.com/articles/securing-your-account-with-two-factor-authentication-2fa/, https://docs.github.com/rest/guides/using-pagination-in-the-rest-api#using-link-headers, https://cli.github.com/manual/gh_attestation_verify, https://docs.github.com/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds, https://docs.github.com/articles/publicizing-or-concealing-organization-membership, https://docs.github.com/rest/orgs/orgs#list-organizations-for-the-authenticated-user, https://docs.github.com/rest/orgs/security-managers#list-security-manager-teams, https://docs.github.com/webhooks/#ping-event, https://docs.github.com/rest/orgs/security-managers#remove-a-security-manager-team, https://docs.github.com/rest/orgs/members#get-organization-membership-for-a-user, https://developer.github.com/changes/2019-12-03-internal-visibility-changes, https://docs.github.com/rest/code-security/configurations#set-a-code-security-configuration-as-a-default-for-an-organization, https://github.blog/changelog/2024-07-09-sunsetting-security-settings-defaults-parameters-in-the-organizations-rest-api/, https://docs.github.com/packages/learn-github-packages/about-permissions-for-github-packages#permissions-for-repository-scoped-packages, https://docs.github.com/packages/learn-github-packages/about-permissions-for-github-packages#granular-permissions-for-userorganization-scoped-packages, https://docs.github.com/github/getting-started-with-github/githubs-products, https://docs.github.com/rest/pulls/reviews#submit-a-review-for-a-pull-request, https://docs.github.com/rest/branches/branch-protection, https://docs.github.com/rest/pulls/pulls/#create-a-pull-request, https://docs.github.com/rest/pulls/pulls#update-a-pull-request, https://docs.github.com/articles/about-merge-methods-on-github/, https://docs.github.com/articles/about-merge-methods-on-github/#squashing-your-merge-commits, https://docs.github.com/articles/about-merge-methods-on-github/#rebasing-and-merging-your-commits, https://git-scm.com/docs/git-diff, https://support.github.com/, https://docs.github.com/rest/commits/commits#list-commits, https://docs.github.com/rest/pulls/reviews#list-reviews-for-a-pull-request, https://docs.github.com/rest/overview/resources-in-the-rest-api#secondary-rate-limits, https://docs.github.com/rest/guides/best-practices-for-integrators#dealing-with-secondary-rate-limits, https://docs.github.com/rest/pulls/reviews#create-a-review-for-a-pull-request, https://docs.github.com/rest/search/search, https://docs.github.com/rest/search/search#search-code, https://docs.github.com/graphql/overview/resource-limitations#rate-limit, https://docs.github.com/apps/creating-github-apps/setting-up-a-github-app/creating-a-github-app-from-a-manifest#3-you-exchange-the-temporary-code-to-retrieve-the-app-configuration, https://docs.github.com/rest/dependency-graph, https://docs.github.com/code-security/code-scanning/integrating-with-code-scanning/uploading-a-sarif-file-to-github, https://docs.github.com/rest/actions/self-hosted-runners, https://docs.github.com/rest/about-the-rest-api/api-versions, https://docs.github.com/rest/commits/comments#get-a-commit-comment, https://docs.github.com/rest/issues/issues#get-an-issue, https://docs.github.com/rest/issues/comments#get-an-issue-comment, https://docs.github.com/rest/pulls/comments#get-a-review-comment-for-a-pull-request, https://docs.github.com/rest/releases/releases#get-a-release, https://docs.github.com/rest/teams/discussion-comments#get-a-discussion-comment, https://docs.github.com/rest/teams/discussions#get-a-discussion, https://docs.github.com/organizations/managing-user-access-to-your-organizations-repositories/managing-outside-collaborators/adding-outside-collaborators-to-repositories-in-your-organization, https://docs.github.com/organizations/managing-organization-settings/setting-permissions-for-adding-outside-collaborators, https://docs.github.com/github/setting-up-and-managing-organizations-and-teams/repository-permission-levels-for-an-organization#permission-levels-for-repositories-owned-by-an-organization, https://docs.github.com/rest/collaborators/invitations, https://docs.github.com/rest/overview/media-types/#commits-commit-comparison-and-pull-requests, https://docs.github.com/repositories/viewing-activity-and-data-for-your-repository/understanding-connections-between-repositories, https://github.com/actions/attest, https://docs.github.com/rest/commits/statuses, https://docs.github.com/rest/apps/apps#get-an-app, https://docs.github.com/actions/managing-workflow-runs-and-deployments/managing-deployments/creating-custom-deployment-protection-rules, https://docs.github.com/webhooks/event-payloads/#repository_dispatch, https://support.github.com/contact?tags=dotcom-rest-api, https://docs.github.com/rest/repos/contents/#delete-a-file, https://docs.github.com/rest/repos/repos#get-a-repository, https://docs.github.com/articles/configuring-automated-security-fixes, https://docs.github.com/code-security/security-advisories/guidance-on-reporting-and-writing/privately-reporting-a-security-vulnerability, https://docs.github.com/articles/about-security-alerts-for-vulnerable-dependencies, https://docs.github.com/articles/signing-commits-with-gpg, https://docs.github.com/communities/setting-up-your-project-for-healthy-contributions/about-community-profiles-for-public-repositories, https://github.com/github/markup, https://git.io/v1YCW, https://docs.github.com/rest/git/trees#get-a-tree, https://docs.github.com/organizations/managing-organization-settings/managing-rulesets-for-repositories-in-your-organization#viewing-insights-for-rulesets, https://docs.github.com/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/managing-rulesets-for-a-repository#viewing-insights-for-rulesets, https://docs.github.com/repositories/viewing-activity-and-data-for-your-repository, https://docs.github.com/pull-requests/collaborating-with-pull-requests/working-with-forks/about-permissions-and-visibility-of-forks, https://docs.github.com/github/administering-a-repository/renaming-a-branch, https://docs.github.com/articles/about-repository-transfers/, https://docs.github.com/rest/releases/releases#create-a-release, http://en.wikipedia.org/wiki/Server_Name_Indication, https://www.iana.org/assignments/media-types/media-types.xhtml, https://docs.github.com/rest/releases/releases#get-the-latest-release, https://docs.github.com/rest/search/search#text-match-metadata, https://github.com/jquery/jquery, https://github.com/search?utf8=%E2%9C%93&q=language%3Ago&type=Code, https://github.com/search?utf8=%E2%9C%93&q=amazing+language%3Ago&type=Code, https://github.com/octocat/Spoon-Knife, https://github.com/topics., https://docs.github.com/get-started/learning-about-github/about-github-advanced-security, https://docs.github.com/code-security/security-advisories/repository-security-advisories/publishing-a-repository-security-advisory#requesting-a-cve-identification-number-optional, https://docs.github.com/code-security/security-advisories/global-security-advisories/about-the-github-advisory-database#about-types-of-security-advisories, https://docs.github.com/articles/synchronizing-teams-between-your-identity-provider-and-github/, https://docs.github.com/articles/setting-team-creation-permissions-in-your-organization, https://docs.github.com/github/setting-up-and-managing-organizations-and-teams/about-teams, https://docs.github.com/rest/teams/teams#create-a-team, https://docs.github.com/enterprise-cloud@latest/admin/managing-iam/understanding-iam-for-enterprises/about-enterprise-managed-users, https://github.com/settings/profile, https://docs.github.com/rest/guides/getting-started-with-the-rest-api#authentication, https://docs.github.com/rest/users/emails, https://uploads.github.com

Location: Package overview

From: package-lock.jsonnpm/@actions/github@9.0.0npm/@octokit/plugin-rest-endpoint-methods@17.0.0

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@octokit/plugin-rest-endpoint-methods@17.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm tar

URLs: tar.br, http://npm.im/minipass, https://github.com/isaacs/node-tar/issues/183

Location: Package overview

From: package-lock.jsonnpm/ava@6.4.1npm/tar@7.5.7

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar@7.5.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm undici

URLs: https://github.com/node-fetch/fetch-blob/blob/8ab587d34080de94140b54f07168451e7d0b655e/index.js#L229-L241, https://developer.mozilla.org/en-US/docs/Web/API/URL/URL:, https://github.com/nodejs/node/pull/38505/files, https://github.com/nodejs/node/pull/46528, https://github.com/nodejs/undici/pull/319, https://tools.ietf.org/html/rfc7230#section-3.2.6, https://github.com/nodejs/node/blob/main/lib/_http_common.js, https://www.rfc-editor.org/rfc/rfc9110#field.content-range, https://tools.ietf.org/html/rfc7540#section-8.3, https://tools.ietf.org/html/rfc7231#section-4.3.1, https://tools.ietf.org/html/rfc7231#section-4.3.2, https://tools.ietf.org/html/rfc7231#section-4.3.5, https://tools.ietf.org/html/rfc7230#section-3.3.2, https://github.com/nodejs/undici/issues/2046, https://github.com/nodejs/undici/issues/2630, CacheStorage.open, https://tools.ietf.org/html/rfc2616, https://tools.ietf.org/html/rfc7230, https://github.com/chromium/chromium/blob/94.0.4604.1/third_party/blink/renderer/core/fetch/response.cc#L116, https://fetch.spec.whatwg.org/#header-name, https://fetch.spec.whatwg.org/#header-value, https://w3c.github.io/webappsec-referrer-policy/#set-requests-referrer-policy-on-redirect, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#specify_a_fallback_policy, https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check, https://fetch.spec.whatwg.org/#concept-cors-check, https://fetch.spec.whatwg.org/#concept-tao-check, https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-dest-header, https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-mode-header, https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header, https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-user-header, https://fetch.spec.whatwg.org/#append-a-request-origin-header, https://html.spec.whatwg.org/multipage/origin.html#clone-a-policy-container, https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer, https://github.com/web-platform-tests/wpt/commit/e4c5cc7a5e48093220528dfdd1c4012dc3837a0e, https://webidl.spec.whatwg.org/#iterator-result, https://webidl.spec.whatwg.org/#dfn-iterator-prototype-object, https://fetch.spec.whatwg.org/#body-fully-read, https://infra.spec.whatwg.org/#isomorphic-encode, https://streams.spec.whatwg.org/#readablestreamdefaultreader-read-all-bytes, https://streams.spec.whatwg.org/#read-loop, https://fetch.spec.whatwg.org/#is-local, https://fetch.spec.whatwg.org/#simple-range-header-value, https://fetch.spec.whatwg.org/#build-a-content-range, https://fetch.spec.whatwg.org/#concept-header-list-get-decode-split, https://encoding.spec.whatwg.org/#utf-8-decode, https://websockets.spec.whatwg.org/#feedback-from-the-protocol, https://datatracker.ietf.org/doc/html/rfc6455#section-7.1.4, https://tools.ietf.org/html/rfc7230#section-6.3.2, https://mimesniff.spec.whatwg.org/#parse-a-mime-type, https://fetch.spec.whatwg.org/#body-mixin, https://developer.mozilla.org/en-US/docs/Web/API/Blob, https://developer.mozilla.org/en-US/docs/Web/API/File, https://fetch.spec.whatwg.org/#concept-main-fetch, https://fetch.spec.whatwg.org/#concept-scheme-fetch, https://github.com/nodejs/undici/issues/1776, https://github.com/web-platform-tests/wpt/blob/7b0ebaccc62b566a1965396e5be7bb2bc06f841f/FileAPI/url/resources/fetch-tests.js#L52-L56, https://github.com/nodejs/undici/issues/1193., https://fetch.spec.whatwg.org/#http-redirect-fetch, https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name, https://fetch.spec.whatwg.org/#authentication-entries, https://github.com/whatwg/fetch/issues/1293, https://fetch.spec.whatwg.org/#http-network-fetch, https://fetch.spec.whatwg.org/#response-create, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/FinalizationRegistry, https://fetch.spec.whatwg.org/#typedefdef-xmlhttprequestbodyinit, https://fetch.spec.whatwg.org/#bodyinit, https://github.com/curl/curl/blob/3434c6b46e682452973972e8313613dfa58cd690/lib/mime.c#L1029-L1030, https://github.com/form-data/form-data/issues/63, https://fetch.spec.whatwg.org/#bodyinit-safely-extract, https://fetch.spec.whatwg.org/#concept-body-clone, https://fetch.spec.whatwg.org/#concept-body-consume-body, https://fetch.spec.whatwg.org/#body-unusable, https://infra.spec.whatwg.org/#parse-json-bytes-to-a-javascript-value, https://fetch.spec.whatwg.org/#concept-body-mime-type

Location: Package overview

From: package-lock.jsonnpm/@actions/core@2.0.2npm/@actions/github@9.0.0npm/undici@6.23.0

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.23.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm undici is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code appears to implement a standard in-memory cache batch operation flow (put/delete) with careful handling of response bodies by buffering and storing bytes for caching. No signs of malware, data exfiltration, backdoors, or obfuscated behavior were found. The primary security considerations relate to memory usage from buffering potentially large response bodies and ensuring robust validation within batch operations to prevent cache state corruption. Overall risk is moderate, driven by in-memory data handling rather than external communication.

Confidence: 1.00

Severity: 0.60

From: package-lock.jsonnpm/@actions/core@2.0.2npm/@actions/github@9.0.0npm/undici@6.23.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.23.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm undici is 100.0% likely to have a medium risk anomaly

Notes: The script performs an in-place, lossy re-encoding of a local file from UTF-8 to Latin-1 and rewrites it without backups or validation. This is unsafe due to potential data loss and code corruption, and could be exploited to tamper with source files in a supply chain. It does not exhibit active malware behavior, but its destructive nature warrants removal or strict safeguards (backups, explicit intent, error handling).

Confidence: 1.00

Severity: 0.60

From: package-lock.jsonnpm/@actions/core@2.0.2npm/@actions/github@9.0.0npm/undici@6.23.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.23.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@sonarqubecloud
Copy link

sonarqubecloud bot commented Jan 29, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@guibranco guibranco merged commit bcd18ea into main Jan 29, 2026
23 of 24 checks passed
@guibranco guibranco deleted the dependabot/npm_and_yarn/npm_and_yarn-76c5531c6a branch January 29, 2026 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@guibranco guibranco guibranco approved these changes

@gstraccini gstraccini[bot] gstraccini[bot] approved these changes

Assignees

@guibranco guibranco

Labels

☑️ auto-merge Automatic merging of pull requests (gstraccini-bot) 🤖 bot Automated processes or integrations dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code npm size/L Denotes a PR that changes 100-499 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@guibranco