fix(deps): bump undici #887
Bumps and [undici](https://github.com/nodejs/undici). These dependencies needed to be updated together.

Updates `undici` from 7.21.0 to 7.28.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.21.0...v7.28.0)

Updates `undici` from 6.23.0 to 6.27.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.21.0...v7.28.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
- dependency-name: undici
  dependency-version: 6.27.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
✅ Deploy Preview for phillips-seldon ready!
Testing in progress… 🟢 UI Tests: 464 tests unchanged
All tests passed and all changes approved! 🟢 UI Tests: 464 tests unchanged
🚀 Storybook preview is ready. Preview: https://68b9f094608b90f3cfec5a06-wajoihdrhm.chromatic.com/
🏷️ Dependency Upgrade Risk Assessment:
| Severity | Issue |
|---|---|
| High | WebSocket DoS via unbounded fragment count |
| High | SOCKS5 ProxyAgent TLS certificate validation bypass |
| High | Cross-origin request routing via shared connection pool |
| Moderate (×2) | HTTP cache field name handling |
| Low (×2) | SOCKS5 connection state issues |
All fixes are internal to undici's network handling. No API-breaking changes — the public interface is unchanged across this entire range.
Risk Rationale
This is rated low because:
- undici is not a direct dependency of seldon and does not appear in package.json. It exists only in the lock file as a transitive dependency of build/test tooling.
- seldon is a React UI component library — it does not make HTTP calls. Its components run in the browser; undici is a Node.js-only HTTP client. There is no runtime overlap.
- All changes are targeted security patches to internal HTTP transport behaviors (WebSocket frame handling, SOCKS5 proxy auth, connection pooling logic) that are entirely irrelevant to a UI component library.
- No API surface changes across the bumped range.
Regression Test Checklist
Since undici is a transitive tooling dependency, the focus is confirming the build and test pipeline remain functional:
- Run the full seldon test suite: `npm test`
- Build the seldon package and verify clean output: `npm run build`
- Verify the full CI pipeline passes (lint, typecheck, unit tests)
- Confirm that MSW (Mock Service Worker) and any other HTTP mocking used in tests still intercepts correctly — MSW uses undici internals in Node.js test environments
- Run `npm audit` post-merge to confirm no newly introduced vulnerabilities in the dependency tree
Generated by Claude Code
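As an added check for the post-merge step in the checklist above (example code written for this review, not part of the PR, of seldon or of undici), the script below walks a package-lock.json and reports every transitive undici copy that is still below the versions this PR bumps to, 7.28.0 on the 7.x line and 6.27.0 on the 6.x line. The sample lockfile and the msw nesting path in it are constructed.

```javascript
// Minimum acceptable undici version per major line: the versions this PR bumps to.
const MIN_BY_MAJOR = { 7: "7.28.0", 6: "6.27.0" };
// Parse "MAJOR.MINOR.PATCH" (any pre-release or build suffix is ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Every undici copy in the lockfile, including ones nested under tooling
// (lockfile v2/v3 "packages" map; v1 nested "dependencies" as a fallback).
function findUndici(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/undici$/.test(path)) found.push({ path, version: meta.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "undici") found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return found;
}

// Copies on a known major line that are still below the bumped-to version.
function staleUndici(lock) {
  return findUndici(lock).filter(({ version }) => {
    const min = MIN_BY_MAJOR[parseSemver(version)[0]];
    return min !== undefined && compareSemver(version, min) < 0;
  });
}

// Constructed sample (v3 layout): one stale nested copy, one patched top-level copy.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/msw/node_modules/undici": { version: "6.23.0" },
  "node_modules/undici": { version: "7.28.0" } } };

if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  console.log(staleUndici(lock));
}
```

Run it as `node check-undici.js package-lock.json`; an empty array means every undici copy in the tree is at or above the bumped versions.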
Bumps and undici. These dependencies needed to be updated together.

Updates `undici` from 7.21.0 to 7.28.0
Release notes
Sourced from undici's releases.
... (truncated)
Commits
- f9eba0a Bumped v7.28.0 (#5430)
- a027a4a Backport WebSocket maxPayloadSize fixes to v7.x (#5423)
- 8cb10f9 websocket: limit the number of fragments in a message
- 04201f8 fix: honor requestTls when proxy is SOCKS5
- fcd642f fix(socks5): preserve dispatch backpressure return value (#5166)
- bc98c97 fix(socks5): use configured connector in Socks5ProxyAgent (#5168)
- 9e1c743 fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (#5099)
- 376c8be fix(socks5): enforce authenticated state before CONNECT (#5097)
- 3805b8f fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...
- 85a2405 fix(cache): trim qualified field names

Updates `undici` from 6.23.0 to 6.27.0
Release notes
Sourced from undici's releases.
... (truncated)