
Bump undici from 5.29.0 to 7.25.0#1474

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/undici-7.25.0

Conversation

@dependabot dependabot Bot commented on behalf of github May 20, 2026

Bumps undici from 5.29.0 to 7.25.0.

Release notes

Sourced from undici's releases.

v7.25.0

What's Changed

Full Changelog: nodejs/undici@v7.24.8...v7.25.0

v7.24.8

What's Changed

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

v7.24.7

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

v7.24.6

What's Changed

New Contributors

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for undici since your current version.

Install script changes

This version modifies the prepare script that runs during installation. Review the package contents before updating.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [undici](https://github.com/nodejs/undici) from 5.29.0 to 7.25.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v5.29.0...v7.25.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.25.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Copilot AI review requested due to automatic review settings May 20, 2026 10:04
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels May 20, 2026
Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@cursor cursor Bot left a comment

Stale comment

Findings

  1. yarn.lock: this PR does not fully remove the older undici line the title implies. The actual diff only updates the jsdom-scoped undici@^7.21.0 entry from 7.24.4 to 7.25.0; the lockfile still contains undici@5.29.0 via jest-github-actions-reporter -> @actions/core -> @actions/http-client. yarn npm audit --recursive still reports the current undici advisories on that remaining 5.x copy, so the security benefit here is limited to the already-7.x path.

Security / compatibility notes

  • I did not find any new advisories introduced by undici@7.25.0.
  • The changed path was already on 7.24.4, which is already past the January/March 2026 undici fixes such as GHSA-g9mf-h72j-4rw9, GHSA-2mjp-6q6p-2qxm, and GHSA-vrm6-8vpv-qv8q.
  • There are no direct undici imports in this repository, so the main possible impact area is the Jest jsdom environment rather than shipped application code.
  • undici@7.25.0 requires Node >=20.18.1, but that is not a new regression here because the repository already uses jsdom@28.1.0, which itself requires Node 20+.

Test results

  • yarn install --immutable
  • yarn lint
  • CI=true yarn test --runInBand ✅ (92 suites / 835 tests passed)
  • Cypress: not runnable from this cloud environment. The dev server started successfully, but yarn exec cypress run failed because the Cypress desktop binary was not present, and cypress install could not download it from download.cypress.io (SSL_ERROR_SYSCALL).

Recommendation

Merge with caution.

Behaviorally this looks safe to merge: the diff is lockfile-only, there is no direct app/runtime use of undici, and the full lint + unit/Jest suite passed locally. The caution is that this should not be treated as a complete undici security remediation; if the alert behind this PR is expected to disappear, verify that after merge, or plan a follow-up update for the remaining @actions/http-client / jest-github-actions-reporter path.

Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs

Comment thread yarn.lock
version: 7.24.4
resolution: "undici@npm:7.24.4"
checksum: 10/747e76e0fd685ae1bb6fc1a2ebce0caca4ee8bd5599a77da36a3f94eac146987a9547bdbec7a74d18c0776df8ad348dccb4209901ca83fc4076f560de0d5dc7a
version: 7.25.0
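Review bot: the added side of this yarn.lock hunk shows only `version: 7.25.0`; the matching `resolution: "undici@npm:7.25.0"` and updated `checksum:` lines are not visible here, so confirm the whole entry was regenerated by Yarn rather than the version line being edited by hand, since the checksum must correspond to the 7.25.0 tarball for the install-time integrity check to pass.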
This hunk only upgrades the jsdom copy of undici from 7.24.4 to 7.25.0. The lockfile still retains undici@5.29.0 a few lines above via jest-github-actions-reporter -> @actions/core -> @actions/http-client, and yarn npm audit --recursive still reports the 2026 undici advisories on that dev-only path. So the change is low-risk, but it is not a full 5.x -> 7.x remediation despite the PR title.

@cursor cursor Bot left a comment

No blocking issues found.

Security

  • This PR is a yarn.lock-only change. The effective change in this repo is the jsdom transitive copy of undici moving from 7.24.4 to 7.25.0; it does not remove the separate undici@5.29.0 entry that is still present via @actions/http-client.
  • undici@7.24.4 was already on the patched side of the March 2026 undici advisories fixed in v7.24.0 and later, including request smuggling (GHSA-2mjp-6q6p-2qxm / CVE-2026-1525), WebSocket crash/DoS issues (GHSA-f269-vfmq-vjvj, GHSA-v9p9-hfj2-hcw8, GHSA-vrm6-8vpv-qv8q), deduplication-buffer DoS (GHSA-phc3-fgpg-7m6h / CVE-2026-2581), and CRLF injection (GHSA-4992-7rv2-5pvq / CVE-2026-1527). So this PR does not materially change the known security posture versus the current lockfile.
  • The remaining undici@5.29.0 copy is unchanged by this PR. That version is already the patched release for GHSA-cxrh-j4jr-qwg3 / CVE-2025-47279.
  • Dependabot flags maintainer/install-script changes when comparing 5.29.0 to 7.25.0, but for the actual version step this PR applies (7.24.4 -> 7.25.0), npm metadata is unchanged: same engines.node (>=20.18.1) and same prepare script.

Safety of merging

  • I found no direct undici imports in this repository.
  • The updated undici copy is pulled in by jsdom@28.1.0, so the practical impact is on the Jest/jsdom test environment rather than the shipped browser bundle.
  • The 7.24.4 -> 7.25.0 delta is patch-level and consists mainly of bug fixes around fetch/header handling, cache/auth behavior, connection handling, and streamed request bodies. In this repo, that would only matter if tests were sensitive to jsdom/fetch behavior. The full Jest suite passed, which is a good signal that nothing observable regressed here.

Tests

  • yarn install --immutable
  • yarn lint
  • CI=true yarn run test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter ✅ (92 suites, 835 tests)
  • Local Cypress: could not complete in this cloud environment because the Cypress binary was not installed and repeated cypress install attempts did not leave a local binary. The PR's GitHub test-cypress check has passed remotely, so e2e coverage is still green in CI.

Recommendation

  • Merge. This looks safe: no app code changes, no direct undici usage in the repo, no new advisory exposure introduced, and the relevant local + remote test signals are green.
  • One nuance worth keeping in mind: the PR title/body overstates the effective change a bit. In this repo it is not a full 5.29.0 -> 7.25.0 replacement; it is a transitive jsdom lockfile refresh from 7.24.4 to 7.25.0, while the separate 5.29.0 tooling copy remains.
Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs
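Both Cursor reviews above rest on the same check: whether a lockfile that supposedly moves undici from 5.29.0 to 7.25.0 still carries a 5.x copy. The following is an added example, not code from the PR, the repository or either bot; it parses a small constructed Yarn Berry lockfile (SAMPLE_LOCK, not the real yarn.lock) and reports every resolved copy of a package together with the entries that pull it in, so the title of a bump PR can be compared against what the lockfile actually contains.

```javascript
// Added example, not code from the PR or either review bot: list every resolved copy of a
// package in a Yarn Berry yarn.lock. SAMPLE_LOCK is constructed, not the repo's real lockfile.
const SAMPLE_LOCK = `"@actions/http-client@npm:^2.2.0":
  version: 2.2.3
  resolution: "@actions/http-client@npm:2.2.3"
  dependencies:
    undici: "npm:^5.25.4"
"jsdom@npm:^28.1.0":
  version: 28.1.0
  resolution: "jsdom@npm:28.1.0"
  dependencies:
    undici: "npm:^7.21.0"
"undici@npm:^5.25.4":
  version: 5.29.0
  resolution: "undici@npm:5.29.0"
"undici@npm:^7.21.0":
  version: 7.25.0
  resolution: "undici@npm:7.25.0"`;
const unq = (s) => s.replace(/^"|"$/g, "");
// Parse into [{ descriptors, version, deps: { name: range } }]; other fields are ignored.
function parseLock(text) {
  const entries = []; let cur = null, inDeps = false;
  for (const line of text.split("\n").filter((l) => l.trim())) {
    if (!line.startsWith(" ")) {                 // top-level key = one or more descriptors
      cur = { descriptors: unq(line.replace(/:$/, "")).split(", "), version: null, deps: {} };
      entries.push(cur); inDeps = false; continue;
    }
    const [, indent, field, value] = line.match(/^(\s+)([^:]+):\s*(.*)$/) || [];
    if (!cur || !field) continue;
    if (indent.length === 2) {                   // entry-level field
      inDeps = field === "dependencies";
      if (field === "version") cur.version = value;
    } else if (inDeps) cur.deps[unq(field)] = unq(value);   // e.g. undici -> npm:^5.25.4
  }
  return entries;
}
// Each resolved version of pkg, with the entries whose dependency range resolves to it.
function resolvedCopies(text, pkg) {
  const entries = parseLock(text);
  const copies = entries.filter((e) => e.descriptors.some((d) => d.startsWith(pkg + "@")))
    .map((e) => ({ version: e.version, descriptors: e.descriptors, requiredBy: [] }));
  for (const e of entries) {
    const hit = e.deps[pkg] && copies.find((c) => c.descriptors.includes(`${pkg}@${e.deps[pkg]}`));
    if (hit) hit.requiredBy.push(`${e.descriptors[0]} (resolved ${e.version})`);
  }
  return copies.sort((a, b) => a.version.localeCompare(b.version, undefined, { numeric: true }));
}
// Distinct majors still present; more than one means the bump was not a full replacement.
const majorVersions = (text, pkg) => [...new Set(resolvedCopies(text, pkg).map((c) => c.version.split(".")[0]))];
```

Run against a real yarn.lock by reading the file into a string in place of SAMPLE_LOCK; a result with more than one major for the bumped package is the situation both reviews describe.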
