Skip to content

deps: bump undici to 7.28.0 to fix Dependabot alerts#301

Merged
ksroda-sa merged 1 commit into
mainfrom
deps/bump-undici-7.28.0
Jul 9, 2026
Merged

deps: bump undici to 7.28.0 to fix Dependabot alerts#301
ksroda-sa merged 1 commit into
mainfrom
deps/bump-undici-7.28.0

Conversation

@ksroda-sa

Copy link
Copy Markdown
Collaborator

Summary

Resolves all 12 open Dependabot alerts, which were all the same package: undici locked at the vulnerable 7.25.0 in two Angular samples, pulled in transitively by jsdom@29.1.1.

Added a scoped resolution "jsdom/undici": "7.28.0" to package.json in both token-refresh and login-pkce (matching the existing scoped-resolution style, leaving node-gyp's out-of-range undici@6.27.0 untouched), then refreshed both lockfiles.

Alerts fixed

undici 7.28.0 is the first patched version for all 12 alerts (high/medium/low), including:

  • cross-origin request routing via SOCKS5 proxy pool reuse (high)
  • TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent (high)
  • HTTP header injection via Set-Cookie percent-decoding (medium)
  • cross-user information disclosure via shared cache whitespace bypass (medium)
  • Set-Cookie SameSite attribute downgrade + HTTP response queue poisoning (low)

Scope note

These alerts affect only test/dev tooling (jsdom → vitest), not the shipped sample apps.

🤖 Generated with Claude Code

Pin jsdom's transitive undici to 7.28.0 via resolutions in the Angular
token-refresh and login-pkce samples. Resolves 12 Dependabot alerts
(high/medium/low) where undici@7.25.0 was vulnerable.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ksroda-sa ksroda-sa marked this pull request as ready for review July 8, 2026 06:59
Copilot AI review requested due to automatic review settings July 8, 2026 06:59

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR aims to resolve Dependabot alerts by forcing the jsdom transitive dependency undici to use 7.28.0 (patched) in the two Angular samples, and updating the corresponding Yarn lockfiles.

Changes:

  • Added a scoped Yarn resolutions override jsdom/undici: 7.28.0 in both Angular sample package.json files.
  • Updated both sample yarn.lock files to include undici@npm:7.28.0 and remove the previously-locked undici@npm:^7.25.0 entry.

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.

File Description
samples/angular/token-refresh/package.json Adds jsdom/undici scoped resolution to force patched undici version.
samples/angular/token-refresh/yarn.lock Updates undici lock entry to 7.28.0.
samples/angular/login-pkce/package.json Adds jsdom/undici scoped resolution to force patched undici version.
samples/angular/login-pkce/yarn.lock Updates undici lock entry to 7.28.0.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@ksroda-sa ksroda-sa merged commit 8e20266 into main Jul 9, 2026
20 checks passed
@ksroda-sa ksroda-sa deleted the deps/bump-undici-7.28.0 branch July 9, 2026 09:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants