Skip to content

chore(deps): update dependency undici to v6.23.0 [security] #10739

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency undici to v6.23.0 [security] #10739

renovate wants to merge 1 commit into from
+61 −10

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Jan 15, 2026

This PR contains the following updates:

Package Change Age Confidence
undici (source) 6.21.36.23.0 age confidence

GitHub Vulnerability Alerts

CVE-2026-22036

Impact

The fetch() API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.

However, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation.

Patches

Upgrade to 7.18.2 or 6.23.0.

Workarounds

It is possible to apply an undici interceptor and filter long Content-Encoding sequences manually.

References

Release Notes

nodejs/undici (undici)

v6.23.0

Compare Source

Full Changelog: nodejs/undici@v6.22.0...v6.23.0

v6.22.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.21.3...v6.22.0

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from mrubens as a code owner January 15, 2026 02:05
@renovate renovate bot requested review from cte and jr as code owners January 15, 2026 02:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mrubens mrubens Awaiting requested review from mrubens mrubens is a code owner

@cte cte Awaiting requested review from cte cte is a code owner

@jr jr Awaiting requested review from jr jr is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

Roo Code Roadmap
Status: Triage

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant