
security: override undici to 6.24.1 to resolve GHSA-v9p9-hfj2-hcw8 #69

Merged

ryancragun merged 1 commit into main from ryan/undo-undici on Mar 16, 2026

security: override undici to 6.24.1 to resolve GHSA-v9p9-hfj2-hcw8#69
ryancragun merged 1 commit intomainfrom
ryan/undo-undici

Conversation

@ryancragun
Contributor

It appears that our usage of @action/http-client transitively "depends" (from what I can see, it's not actually used and probably ought to be a dev dependency in the http-client module) on undici 6.23.0. The upstream hasn't been updated yet so we add an override for it here. Since we're doing a security release I also updated all of our outdated deps.

Checklist

  • The commit message includes an explanation of the changes
  • Manual validation of the changes has been performed (if possible)
  • New or modified code has requisite test coverage (if possible)
  • I have performed a self-review of the changes
  • I have made necessary changes and/or pull requests for documentation
  • I have written useful comments in the code

PCI review checklist

  • I have documented a clear reason for, and description of, the change I am making.
  • If applicable, I've documented a plan to revert these changes if they require more than reverting the pull request.
  • If applicable, I've documented the impact of any changes to security controls.

It appears that our usage of @action/http-client transitively
"depends" (from what I can see, it's not actually used and probably
ought to be a dev dependency in the http-client module) on undici
6.23.0[0]. The upstream hasn't been updated yet so we add an
override for it here. Since we're doing a security release I also
updated all of our outdated deps.

[0]: https://github.com/actions/toolkit/blob/main/packages/http-client/package-lock.json#L235

Signed-off-by: Ryan Cragun <me@ryan.ec>
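A check that an `overrides` pin like the one described above actually reached every installed copy of undici, including a nested duplicate under the package that pulled it in. This is an added example, not code from this PR or the project; it assumes a lockfile v2/v3 `packages` map and uses a constructed lock excerpt in place of the project's real package-lock.json.

```javascript
// Added example, not code from this PR or the project. Walks an npm
// package-lock.json (lockfileVersion 2 or 3 "packages" map) and reports
// every installed copy of a package whose version is below a minimum,
// which is how to confirm an "overrides" pin replaced the transitive
// copy and did not leave an older nested duplicate behind.
const MIN_UNDICI = "6.24.1";

// Constructed lock excerpt (not the project's real lockfile): the hoisted
// undici is on the pinned release, but a nested copy under
// @actions/http-client is still on the older one.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-action", version: "1.0.0" },
    "node_modules/@actions/http-client": { version: "2.2.3" },
    "node_modules/@actions/http-client/node_modules/undici": { version: "6.23.0" },
    "node_modules/undici": { version: "6.24.1" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; a "-prerelease" suffix is ignored.
function parseVersion(v) {
  const core = v.split("-")[0].split(".").map(Number);
  if (core.length !== 3 || core.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return core;
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Every lock entry for `name`, hoisted or nested, whose version is below
// `minVersion`. Entries without a version (links, workspaces) are skipped.
function findOutdatedCopies(lock, name, minVersion) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path, entry]) => path.endsWith(suffix) && entry.version)
    .filter(([, entry]) => compareVersions(entry.version, minVersion) < 0)
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Stand-alone run against the constructed sample: prints the stale copy.
for (const s of findOutdatedCopies(SAMPLE_LOCK, "undici", MIN_UNDICI)) {
  console.log(`${s.path} is ${s.version}, below ${MIN_UNDICI}`);
}
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync("package-lock.json"))` after `npm install`; an empty result means the override took effect everywhere.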
@ryancragun ryancragun requested a review from a team as a code owner March 16, 2026 16:32
@ryancragun ryancragun requested review from brewgator and tvo0813 March 16, 2026 16:32
} catch (err) {
throw new Error(`error executing ${executableName}: ${err}`);
throw new Error(`error executing ${executableName}: ${err}`, {
cause: err,
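Review bot: the replacement `throw` in this catch block still interpolates `${err}` into the message while also passing `cause: err`, so the original error text appears twice, once in the parent message and again in the chained cause; consider `throw new Error(\`error executing ${executableName}\`, { cause: err });` so the underlying error is surfaced once via the cause chain. The hunk as shown also cuts off after `cause: err,` before the closing `});`, so the complete replacement statement is not visible here, and the `cause` option on `Error` requires Node 16.9 or later, so confirm the action's declared runtime is at least that.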
@ryancragun (Contributor, Author)

Since we updated eslint this was required to please the linter

@ryancragun ryancragun changed the title from "security: override undici to 6.24.0 to resolve GHSA-v9p9-hfj2-hcw8" to "security: override undici to 6.24.1 to resolve GHSA-v9p9-hfj2-hcw8" Mar 16, 2026
@ryancragun ryancragun merged commit 6ec106c into main Mar 16, 2026
8 checks passed
@ryancragun ryancragun deleted the ryan/undo-undici branch March 16, 2026 16:48