build(deps-dev): bump undici from 7.25.0 to 7.28.0 in /webui in the npm_and_yarn group across 1 directory#284
Conversation
Bumps the npm_and_yarn group with 1 update in the /webui directory: [undici](https://github.com/nodejs/undici). Updates `undici` from 7.25.0 to 7.28.0 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v7.25.0...v7.28.0) --- updated-dependencies: - dependency-name: undici dependency-version: 7.28.0 dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
dependabot
Bot
deleted the
dependabot/npm_and_yarn/webui/npm_and_yarn-3213b4e331
branch
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
PR Validation (Cursor Automation)
Recommendation: Merge
Primary reason: Lockfile-only Dependabot bump validates cleanly: no merge conflicts, dotnet build -c Release succeeds, and npm ci succeeds. GitHub currently reports this PR as already merged, and current origin/master has the same tree for this change.
Gates
| Gate | Status | Notes |
|---|---|---|
| Merge conflicts | Pass | Fetched PR via refs/pull/284/head; local merge with origin/master completed cleanly. Conflicts: none. |
dotnet build |
Pass | dotnet restore and dotnet build -c Release succeeded with warnings only using temporary .NET SDK 10.0.301. |
dotnet test (non-live) |
Skip | Lockfile-only PR (webui/package-lock.json only); no source or behavior changes. Per workflow, build + install validation suffices. |
vitest |
Skip | Lockfile-only PR; no frontend source/test changes. npm ci passed against the updated lockfile. |
Validation
| Axis | Score | Notes |
|---|---|---|
| Purpose | Pass | Updates the resolved undici package in the webui lockfile from 7.25.0 to 7.28.0. |
| Correctness | Pass | Minimal package-lock-only change; node_modules/undici resolves to 7.28.0 and install succeeds. No qBitrr parity surface affected. |
| Tests | Pass | No behavior changes requiring regression tests; dependency graph validated with npm ci and repo build. |
| Hygiene | Pass | Scope is one lockfile file with 3 additions / 17 deletions; no unrelated files or generated SDK junk. |
| Overlap | Pass | No open overlap PRs found for the same undici webui bump. Current origin/master contains this same PR because it has already been merged. |
Why
This is a narrow Dependabot lockfile update. The prescribed named branch fetch failed because the remote branch ref is no longer available, so validation fetched refs/pull/284/head instead. The local PR head merged cleanly with current origin/master; dotnet restore, dotnet build -c Release, and npm ci all succeeded. Full non-live .NET tests and Vitest were intentionally skipped under the lockfile-only Dependabot allowance.
Required context docs read: AGENTS.md and docs/parity/contract-baseline.md. The requested latest docs/audits/pr-triage-*.md file is not present in the current checkout (origin/master includes Delete docs/audits directory), so the known-winner overlap check was limited to the prompt’s table plus an open-PR search.
Overlap
None.
Commands run
git fetch origin mastergit fetch origin dependabot/npm_and_yarn/webui/npm_and_yarn-3213b4e331(failed: remote ref not found)gh pr view 284 --json ...git fetch origin pull/284/head:refs/remotes/origin/pr-284git checkout -B pr-validate origin/pr-284git merge origin/masterdotnet restoredotnet build -c Releasenpm cigh pr list --state open --search "undici webui" --json ...
Sent by Cursor Automation: Torrentarr PR validation triage
There was a problem hiding this comment.
Bug Scan Summary
Date: 2026-06-20
Commits inspected: 3f2c16f..cd9538f (PR #284 — undici 7.25.0 → 7.28.0)
Result: No critical bugs found.
Investigation
- Change scope:
webui/package-lock.jsononly — bumps transitiveundici(viajsdom@29.1.1) and deduplicates nestedtailwindcss@4.3.0lockfile entries. - Production path:
undiciis not imported anywhere inwebui/srcand is not bundled into the Vite production output. It is a dev-only dependency used by jsdom during Vitest runs. - Validation:
npx vitest run— 154/154 tests passed;npm run buildsucceeded. - undici 7.25→7.28 changelog: Bug fixes only (fetch/cookies/cache/socks5/websocket). No breaking API changes relevant to jsdom's fetch implementation usage.
Notable (below critical bar)
undici@7.28.0declaresengines.node: >=20.18.1;jsdom@29.1.1already requires^20.19.0. CI uses Node 20 (latest LTS).webui/package.jsonstill advertises>=20.0.0, which is stale relative to jsdom — a docs/engines hygiene item, not a production correctness bug.
Deduplication check
- Open PRs searched (
undici,jsdom): only #284 (this PR). - Recently merged PRs (14 days): no competing undici/jsdom fixes.
- Open issues searched (
undici): none. - Pre-existing draft fixes (#281, #282, #283) address unrelated correctness issues on master; not introduced by this dependency bump.
Sent by Cursor Automation: Torrentarr - Find critical bugs
Bumps the npm_and_yarn group with 1 update in the /webui directory: undici.
Updates
undicifrom 7.25.0 to 7.28.0Release notes
Sourced from undici's releases.
... (truncated)
Commits
f9eba0aBumped v7.28.0 (#5430)a027a4aBackport WebSocket maxPayloadSize fixes to v7.x (#5423)8cb10f9websocket: limit the number of fragments in a message04201f8fix: honor requestTls when proxy is SOCKS5fcd642ffix(socks5): preserve dispatch backpressure return value (#5166)bc98c97fix(socks5): use configured connector in Socks5ProxyAgent (#5168)9e1c743fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (#5099)376c8befix(socks5): enforce authenticated state before CONNECT (#5097)3805b8ffix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...85a2405fix(cache): trim qualified field namesDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.