Skip to content
This repository was archived by the owner on Jun 25, 2026. It is now read-only.

chore(deps-npm): bump undici and rdme#2781

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-101fbff64d
Open

chore(deps-npm): bump undici and rdme#2781
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-101fbff64d

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps undici to 6.27.0 and updates ancestor dependency rdme. These dependencies need to be updated together.

Updates undici from 6.23.0 to 6.27.0

Release notes

Sourced from undici's releases.

v6.27.0

⚠️ Security Release

This release line addresses 4 security advisories.

Action required: Upgrade to undici 6.27.0 or later.

npm install undici@^6.27.0

Note on patched version: the v6 fixes shipped in v6.27.0, not 6.26.0v6.26.0 contains only the chunked-EOF fix (#5308) and the version bump, none of the security fixes below.

The v6 line is not affected by the SOCKS5 advisories (GHSA-vmh5-mc38-953g, GHSA-hm92-r4w5-c3mj), the shared-cache disclosure (GHSA-pr7r-676h-xcf6), or the 8.x-only WebSocket regression (GHSA-38rv-x7px-6hhq).

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 6.27.0 b7f252e7
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 6.27.0 25efa447
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 6.27.0 25efa447
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 6.27.0 f4c31d60

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: b7f252e7 Backport WebSocket maxPayloadSize fixes (#5423, backported to v6 in #5428)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service. All releases from 6.17.0 onward are affected.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

Moderate severity

HTTP header injection via Set-Cookie percent-decoding — CVE-2026-9679

... (truncated)

Commits

Updates rdme from 10.6.0 to 10.9.1

Release notes

Sourced from rdme's releases.

v10.9.1

10.9.1 (2026-06-06)

Bug Fixes

v10.9.1-next.2

10.9.1-next.2 (2026-06-06)

Bug Fixes

  • export: sanitize URIs before using them as directory paths (#1471) (ce2568c)

v10.9.1-next.1

10.9.1-next.1 (2026-05-22)

Bug Fixes

v10.9.0

10.9.0 (2026-05-18)

Bug Fixes

  • empty commit to trigger a release (7b960c5)

Features

  • creation of a new export command for rdme-compatible files (#1468) (2ab6109)

v10.9.0-next.1

10.9.0-next.1 (2026-05-18)

Features

  • creation of a new export command for rdme-compatible files (#1468) (2ab6109)

v10.8.0

10.8.0 (2026-05-13)

... (truncated)

Changelog

Sourced from rdme's changelog.

10.9.1 (2026-06-06)

Bug Fixes

10.9.1-next.2 (2026-06-06)

Bug Fixes

  • export: sanitize URIs before using them as directory paths (#1471) (ce2568c)

10.9.1-next.1 (2026-05-22)

Bug Fixes

10.9.0 (2026-05-18)

Bug Fixes

  • empty commit to trigger a release (7b960c5)

Features

  • creation of a new export command for rdme-compatible files (#1468) (2ab6109)

10.9.0-next.1 (2026-05-18)

Features

  • creation of a new export command for rdme-compatible files (#1468) (2ab6109)

10.8.0 (2026-05-13)

Bug Fixes

  • gha: argument parsing when using quotations (#1461) (ed4a6ed), closes #1374
  • improving our error messages when API keys aren't supplied (#1463) (a381af0)
  • mistyped type guard (25fde5c)
  • updating our transitive ip-address dependency (#1459) (ec04846)

... (truncated)

Commits
  • 7b543cf build(release): 🚀 v10.9.1 🦉
  • 9a1f34d chore(deps): upgrading out of date deps (#1479)
  • 1e8b2c3 build(release): 🚀 v10.9.1-next.2 🦉
  • ce2568c fix(export): sanitize URIs before using them as directory paths (#1471)
  • d427b68 chore: refreshing our GHA schemas
  • 84b803c build(release): 🚀 v10.9.1-next.1 🦉
  • 893f158 fix(gha): move from node 20 to node 24 (#1470)
  • ec5cd68 build(release): 🚀 v10.9.0 🦉
  • 7b960c5 fix: empty commit to trigger a release
  • 36c0ad5 build(release): 🚀 v10.9.0-next.1 🦉
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for rdme since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [undici](https://github.com/nodejs/undici) to 6.27.0 and updates ancestor dependency [rdme](https://github.com/readmeio/rdme). These dependencies need to be updated together.


Updates `undici` from 6.23.0 to 6.27.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.23.0...v6.27.0)

Updates `rdme` from 10.6.0 to 10.9.1
- [Release notes](https://github.com/readmeio/rdme/releases)
- [Changelog](https://github.com/readmeio/rdme/blob/next/CHANGELOG.md)
- [Commits](readmeio/rdme@10.6.0...10.9.1)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 6.27.0
  dependency-type: indirect
- dependency-name: rdme
  dependency-version: 10.9.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 23, 2026
@dependabot
dependabot Bot requested a review from a team as a code owner June 23, 2026 13:30
@dependabot
dependabot Bot requested a review from jordanbuschman June 23, 2026 13:30
@vercel

vercel Bot commented Jun 23, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
docs Ready Ready Preview, Comment Jun 23, 2026 1:34pm

Request Review

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants