
fix(deps): bump undici override to ^6.27.0 to fix CVE-2026-11525 #31

Merged
davidkonigsberg merged 2 commits into main from dependabot-alert-29-devin on Jun 24, 2026

Conversation

github-actions Bot (Contributor) commented Jun 24, 2026

Summary

Bumps the undici override from ^6.24.1 to ^6.27.0 to fix GHSA-g8m3-5g58-fq7m (CVE-2026-11525) — Set-Cookie SameSite attribute downgrade via permissive substring matching.

undici is a transitive dependency pulled in by @actions/github (via @octokit) and @actions/http-client, both of which declare undici ^5.x. The existing override already hoisted it to 6.24.1; this PR simply raises the floor to 6.27.0 which is the patched version.

No override was added — only the existing one was updated. dist/index.js rebuilt. Scaffold file removed.

Link to Devin session: https://app.devin.ai/sessions/49efa6d4889940eba96ab6c7f3f17ad0
Requested by: @davidkonigsberg
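The description above explains the mechanism: two transitive dependents declare undici ^5.x, and a single top-level npm `overrides` entry forces every copy in the tree up to a patched 6.x. An override only does its job if the lockfile actually resolves every nested copy to the new floor, so the check a reviewer would want is "does package.json declare a floor at or above the patched version, and does package-lock.json contain no copy of undici below it anywhere in the tree". The script below is an added example written for this page; it is not code from the PR or from the repository. The package.json and package-lock.json contents are constructed for illustration (lockfileVersion 3 layout, with a deliberately stale nested copy under @actions/http-client), and the version-comparison helper handles only plain x.y.z versions, which is all the `^6.27.0` form used in this PR needs.

```javascript
// Added example (not from the PR or the repository): after raising an npm
// "overrides" floor, confirm that package-lock.json no longer carries any
// copy of the package below the patched version, wherever it is nested.
// Sample data below is constructed and follows the npm lockfileVersion 3
// layout ("packages" keyed by node_modules path).

const PATCHED_UNDICI = "6.27.0";

// Constructed package.json: the override as the PR leaves it.
const SAMPLE_PACKAGE_JSON = {
  name: "example-action",
  overrides: { undici: "^6.27.0" },
};

// Constructed lockfile: the hoisted copy is patched, but a stale nested copy
// under @actions/http-client was left behind, which this check should flag.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-action", dependencies: { "@actions/github": "^6.0.0" } },
    "node_modules/undici": { version: "6.27.0" },
    "node_modules/@actions/http-client": {
      version: "2.2.0",
      dependencies: { undici: "^5.25.4" },
    },
    "node_modules/@actions/http-client/node_modules/undici": { version: "5.28.4" },
  },
};

// Compare two dotted numeric versions (x.y.z). Returns -1, 0 or 1.
// Pre-release suffixes are stripped; they are not needed for this check.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every lockfile entry whose path ends in node_modules/<name> and whose
// resolved version is below the floor. Empty result: the override took
// effect for every copy in the tree.
function findBelowFloor(lock, name, floor) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path, entry]) => path.endsWith(suffix) && entry.version)
    .filter(([, entry]) => compareVersions(entry.version, floor) < 0)
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Lower bound declared by the override in package.json. Only the ^x.y.z and
// bare x.y.z forms are parsed (what this PR uses); other range syntax is
// reported as "unrecognised" rather than guessed at.
function overrideFloor(pkg, name) {
  const spec = (pkg.overrides || {})[name];
  if (!spec) return null;
  const m = /^\^?(\d+\.\d+\.\d+)$/.exec(spec);
  return m ? m[1] : "unrecognised";
}

// True only when an override exists, is parseable, and its floor is at or
// above the patched version.
function overrideIsSufficient(pkg, name, patched) {
  const floor = overrideFloor(pkg, name);
  return floor !== null && floor !== "unrecognised" && compareVersions(floor, patched) >= 0;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("override sufficient:", overrideIsSufficient(SAMPLE_PACKAGE_JSON, "undici", PATCHED_UNDICI));
  console.log("stale copies:", findBelowFloor(SAMPLE_LOCKFILE, "undici", PATCHED_UNDICI));
}
```

Against the constructed data the override is sufficient but one stale 5.28.4 copy is reported, which is exactly the situation a fresh `npm install` after the override bump should eliminate. One caveat the page itself points at: this action ships a bundled dist/index.js, so a clean lockfile only proves what the source tree resolves to; the rebuild of dist/index.js mentioned in the description is what carries the patched undici into the artifact that actually runs.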

github-actions Bot and others added 2 commits June 24, 2026 10:27
Bump the undici override from ^6.24.1 to ^6.27.0 to resolve
GHSA-g8m3-5g58-fq7m (Set-Cookie SameSite attribute downgrade via
permissive substring matching). Rebuild dist and remove scaffold file.

Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
devin-ai-integration Bot changed the title from "[Dependabot Alert #29] LOW: undici vulnerability" to "fix(deps): bump undici override to ^6.27.0 to fix CVE-2026-11525" on Jun 24, 2026
@davidkonigsberg davidkonigsberg marked this pull request as ready for review June 24, 2026 10:59
@davidkonigsberg davidkonigsberg merged commit 50f4cce into main Jun 24, 2026
1 check passed
@davidkonigsberg davidkonigsberg deleted the dependabot-alert-29-devin branch June 24, 2026 10:59

1 participant