Skip to content

Bump undici from 7.20.0 to 7.24.6#644

Merged
guibranco merged 2 commits intomainfrom
dependabot/npm_and_yarn/undici-7.24.6
Mar 26, 2026
Merged

Bump undici from 7.20.0 to 7.24.6#644
guibranco merged 2 commits intomainfrom
dependabot/npm_and_yarn/undici-7.24.6

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Mar 26, 2026
edited
Loading

Bumps undici from 7.20.0 to 7.24.6.

Release notes

Sourced from undici's releases.

v7.24.6

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

v7.24.5

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.24.4...v7.24.5

v7.24.4

What's Changed

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

What's Changed

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

What's Changed

... (truncated)

Commits
  • 38eab36 Bumped v7.24.6 (#4931)
  • 993609d test: auto-init WPT submodule (#4930)
  • 1eacc49 build(deps-dev): bump typescript from 5.9.3 to 6.0.2 (#4926)
  • b64e7e4 fix: avoid prototype collisions in parseHeaders (#4923)
  • deba679 Revert "fix: assume http/https scheme for scheme-less proxy env vars (#4914)"
  • feef62b fix: support Connection header with connection-specific header names per RFC ...
  • a613d9a docs: clarify fetch and FormData pairing (#4922)
  • 2ba99a3 fix: wrap kConnector call in try/catch to prevent client hang (#4834)
  • a7398c0 fix(cache): check Authorization on request headers per RFC 9111 §3.5 (#4911)
  • 2b2afbc fix: assume http/https scheme for scheme-less proxy env vars (#4914)
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot Bot commented on behalf of github Mar 26, 2026

Labels

The following labels could not be found: dependencies, npm. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions github-actions Bot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Mar 26, 2026
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Mar 26, 2026
edited
Loading

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Low
Embedded URLs or IPs: npm undici

URLs: https://tools.ietf.org/html/rfc7231#section-6.4.2, https://fetch.spec.whatwg.org/#http-redirect-fetch, https://tools.ietf.org/html/rfc7231#section-6.4.4, https://tools.ietf.org/html/rfc7231#section-6.4, https://datatracker.ietf.org/doc/html/rfc8441#section-4, https://tools.ietf.org/html/rfc7540#section-8.3, https://tools.ietf.org/html/rfc7231#section-4.3.1, https://tools.ietf.org/html/rfc7231#section-4.3.2, https://tools.ietf.org/html/rfc7231#section-4.3.5, https://tools.ietf.org/html/rfc7230#section-3.3.2, https://www.rfc-editor.org/rfc/rfc9111.html#name-max-stale, https://www.rfc-editor.org/rfc/rfc9111.html#section-5.2.1.3, https://www.rfc-editor.org/rfc/rfc9111.html#section-5.2.1.1, https://github.com/node-fetch/fetch-blob/blob/8ab587d34080de94140b54f07168451e7d0b655e/index.js#L229-L241, https://developer.mozilla.org/en-US/docs/Web/API/URL/URL:, https://github.com/nodejs/node/pull/38505/files, https://github.com/nodejs/undici/pull/319, https://tools.ietf.org/html/rfc7230#section-3.2.6, https://github.com/nodejs/node/blob/main/lib/_http_common.js, https://www.rfc-editor.org/rfc/rfc9110#field.content-range, https://www.rfc-editor.org/rfc/rfc9111.html#name-validation, https://www.rfc-editor.org/rfc/rfc9111.html#name-handling-a-validation-respo, https://datatracker.ietf.org/doc/html/rfc5861#section-4, https://www.rfc-editor.org/rfc/rfc7230#section-3.3.2, https://github.com/nodejs/undici/issues/2046, https://github.com/nodejs/undici/issues/258, https://mimesniff.spec.whatwg.org/#http-quoted-string-token-code-point, https://fetch.spec.whatwg.org/#data-url-processor, https://fetch.spec.whatwg.org/#data-url-struct, https://url.spec.whatwg.org/#concept-url-serializer, https://url.spec.whatwg.org/#string-percent-decode, https://url.spec.whatwg.org/#percent-decode, https://mimesniff.spec.whatwg.org/#parse-a-mime-type, https://mimesniff.spec.whatwg.org/#http-token-code-point, https://mimesniff.spec.whatwg.org/#mime-type, https://mimesniff.spec.whatwg.org/#mime-type-essence, https://fetch.spec.whatwg.org/#http-whitespace, https://fetch.spec.whatwg.org/#collect-an-http-quoted-string, https://fetch.spec.whatwg.org/#example-http-quoted-string, https://mimesniff.spec.whatwg.org/#serialize-a-mime-type, https://mimesniff.spec.whatwg.org/#minimize-a-supported-mime-type, https://developer.mozilla.org/en-US/docs/Web/HTTP/Status, https://fetch.spec.whatwg.org/#enumdef-requestduplex, http://fetch.spec.whatwg.org/#forbidden-method, https://fetch.spec.whatwg.org/#concept-method-normalize, https://dom.spec.whatwg.org/#dom-abortsignal-any, https://github.com/nodejs/undici/issues/1926., https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/FinalizationRegistry, https://github.com/curl/curl/blob/3434c6b46e682452973972e8313613dfa58cd690/lib/mime.c#L1029-L1030, https://github.com/form-data/form-data/issues/63, https://fetch.spec.whatwg.org/#bodyinit-safely-extract, https://fetch.spec.whatwg.org/#concept-body-clone, https://fetch.spec.whatwg.org/#concept-body-consume-body, https://fetch.spec.whatwg.org/#body-unusable, https://fetch.spec.whatwg.org/#concept-body-mime-type, https://github.com/denoland/deno/blob/6fbce91e40cc07fc6da74068e5cc56fdd40f7b4c/ext/fetch/proxy.rs#L485, https://www.rfc-editor.org/rfc/rfc9111.html#name-storing-responses-to-authen, https://www.rfc-editor.org/rfc/rfc9111.html#section-3, https://www.rfc-editor.org/rfc/rfc9111.html#section-4.1-5, https://www.rfc-editor.org/rfc/rfc9111.html#section-5.2.2.10-3, https://www.rfc-editor.org/rfc/rfc9111.html#section-5.3, https://www.rfc-editor.org/rfc/rfc9111.html#name-calculating-heuristic-fresh, https://www.rfc-editor.org/rfc/rfc8246.html#section-2.2, https://whatpr.org/websockets/48.html#close-the-websocket, https://httpwg.org/specs/rfc9110.html#preferred.date.format, https://httpwg.org/specs/rfc9110.html#obsolete.date.formats, https://datatracker.ietf.org/doc/html/rfc6265#section-5.1.1, https://github.com/web-platform-tests/wpt/commit/e4c5cc7a5e48093220528dfdd1c4012dc3837a0e, https://www.rfc-editor.org/rfc/rfc7231#section-7.1.1.1, https://www.rfc-editor.org/rfc/rfc6265#section-4.1.1, https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.1, https://datatracker.ietf.org/doc/html/draft-ietf-httpbis-cookie-prefixes-00#section-3.2, https://www.rfc-editor.org/rfc/rfc9111.html#section-3-5, https://github.com/nodejs/undici/issues/2630, https://www.rfc-editor.org/rfc/rfc9111.html#section-5.2.3-1, https://www.rfc-editor.org/rfc/rfc9110.html#name-etag, CacheStorage.open, https://dom.spec.whatwg.org/#concept-event-fire, https://websockets.spec.whatwg.org/#feedback-from-the-protocol, https://andreubotella.github.io/multipart-form-data/#multipart-form-data-parser, https://andreubotella.github.io/multipart-form-data/#parse-multipart-form-data-headers, https://html.spec.whatwg.org/multipage/webappapis.html#environment-settings-object, https://html.spec.whatwg.org/multipage/server-sent-events.html#sse-processing-model, https://github.com/nodejs/undici/issues/4627, https://fetch.spec.whatwg.org/#finalize-and-report-timing, https://w3c.github.io/resource-timing/#dfn-mark-resource-timing, https://fetch.spec.whatwg.org/#abort-fetch, https://fetch.spec.whatwg.org/#fetching, https://fetch.spec.whatwg.org/#concept-main-fetch, https://fetch.spec.whatwg.org/#concept-scheme-fetch, https://github.com/nodejs/undici/issues/1776, https://github.com/web-platform-tests/wpt/blob/7b0ebaccc62b566a1965396e5be7bb2bc06f841f/FileAPI/url/resources/fetch-tests.js#L52-L56, https://github.com/nodejs/undici/issues/1193., https://fetch.spec.whatwg.org/#cors-non-wildcard-request-header-name, https://fetch.spec.whatwg.org/#authentication-entries, https://github.com/whatwg/fetch/issues/1293, https://fetch.spec.whatwg.org/#http-network-fetch, https://fetch.spec.whatwg.org/#concept-response-clone, https://fetch.spec.whatwg.org/#concept-network-error, https://fetch.spec.whatwg.org/#concept-filtered-response, https://fetch.spec.whatwg.org/#appropriate-network-error, https://whatpr.org/fetch/1392.html#initialize-a-response, https://datatracker.ietf.org/doc/html/rfc7230#section-3.1.2:, https://fetch.spec.whatwg.org/#typedefdef-xmlhttprequestbodyinit, https://fetch.spec.whatwg.org/#bodyinit, https://tools.ietf.org/html/rfc2616, https://tools.ietf.org/html/rfc7230, https://github.com/chromium/chromium/blob/94.0.4604.1/third_party/blink/renderer/core/fetch/response.cc#L116, https://fetch.spec.whatwg.org/#header-name, https://fetch.spec.whatwg.org/#header-value, https://w3c.github.io/webappsec-referrer-policy/#parse-referrer-policy-from-header, https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy#specify_a_fallback_policy, https://w3c.github.io/webappsec-referrer-policy/#set-requests-referrer-policy-on-redirect, https://fetch.spec.whatwg.org/#cross-origin-resource-policy-check, https://fetch.spec.whatwg.org/#concept-cors-check, https://fetch.spec.whatwg.org/#concept-tao-check, https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-dest-header, https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-mode-header, https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-site-header, https://w3c.github.io/webappsec-fetch-metadata/#sec-fetch-user-header, https://fetch.spec.whatwg.org/#append-a-request-origin-header, https://html.spec.whatwg.org/multipage/origin.html#clone-a-policy-container, https://w3c.github.io/webappsec-referrer-policy/#determine-requests-referrer, https://webidl.spec.whatwg.org/#iterator-result, https://webidl.spec.whatwg.org/#dfn-iterator-prototype-object, https://fetch.spec.whatwg.org/#body-fully-read, https://streams.spec.whatwg.org/#readablestreamdefaultreader-read-all-bytes, https://streams.spec.whatwg.org/#read-loop, https://fetch.spec.whatwg.org/#is-local, https://fetch.spec.whatwg.org/#simple-range-header-value, https://fetch.spec.whatwg.org/#build-a-content-range, https://datatracker.ietf.org/doc/html/rfc6455#section-6.1, https://datatracker.ietf.org/doc/html/rfc6455#section-5.2, https://datatracker.ietf.org/doc/html/rfc6455#section-7.1.4, https://websockets.spec.whatwg.org/#dom-websocket-connecting, https://websockets.spec.whatwg.org/#dom-websocket-open, https://websockets.spec.whatwg.org/#dom-websocket-closing, https://websockets.spec.whatwg.org/#dom-websocket-closed, https://github.com/whatwg/websockets/issues/42, https://tools.ietf.org/html/rfc7230#section-6.3.2, https://developer.mozilla.org/en-US/docs/Web/API/Blob, https://developer.mozilla.org/en-US/docs/Web/API/File

Location: Package overview

From: package-lock.jsonnpm/jsdom@28.0.0npm/undici@7.24.6

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@7.24.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@deepsource-io
Copy link
Copy Markdown

deepsource-io Bot commented Mar 26, 2026
edited
Loading

DeepSource Code Review

We reviewed changes in f1ab730...67dc195 on this pull request. Below is the summary for the review, and you can see the individual issues we found as inline review comments.

See full review on DeepSource ↗

PR Report Card

Overall Grade   Security  

Reliability  

Complexity  

Hygiene  

Code Review Summary

Analyzer Status Updated (UTC) Details
JavaScript Mar 26, 2026 1:24p.m. Review ↗
Secrets Mar 26, 2026 1:24p.m. Review ↗

@guibranco guibranco enabled auto-merge (squash) March 26, 2026 13:22
@gstraccini gstraccini Bot added the ☑️ auto-merge Automatic merging of pull requests (gstraccini-bot) label Mar 26, 2026
@dependabot
Bump undici from 7.20.0 to 7.24.6
766902c 
Bumps [undici](https://github.com/nodejs/undici) from 7.20.0 to 7.24.6.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.20.0...v7.24.6)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.24.6
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/undici-7.24.6 branch from f5f2fca to 766902c Compare March 26, 2026 13:22
guibranco
guibranco approved these changes Mar 26, 2026
View reviewed changes
Copy link
Copy Markdown
Owner

@guibranco guibranco left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Automatically approved by gstraccini[bot]

@gstraccini gstraccini Bot added the 🤖 bot Automated processes or integrations label Mar 26, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Mar 26, 2026

Infisical secrets check: ✅ No secrets leaked!

💻 Scan logs 
2026-03-26T13:23:43Z INF scanning for exposed secrets...
1:23PM INF 547 commits scanned.
2026-03-26T13:23:44Z INF scan completed in 637ms
2026-03-26T13:23:44Z INF no leaks found

@guibranco guibranco merged commit 51627ff into main Mar 26, 2026
11 of 13 checks passed
@guibranco guibranco deleted the dependabot/npm_and_yarn/undici-7.24.6 branch March 26, 2026 13:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@guibranco guibranco guibranco approved these changes

@gstraccini gstraccini[bot] gstraccini[bot] approved these changes

Assignees

@guibranco guibranco

Labels

☑️ auto-merge Automatic merging of pull requests (gstraccini-bot) 🤖 bot Automated processes or integrations size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@guibranco