Skip to content

Bump undici, @actions/artifact and @actions/github#1119

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-a703c13ff7
Closed

Bump undici, @actions/artifact and @actions/github#1119
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-a703c13ff7

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps undici to 8.6.0 and updates ancestor dependencies undici, @actions/artifact and @actions/github. These dependencies need to be updated together.

Updates undici from 6.25.0 to 8.6.0

Release notes

Sourced from undici's releases.

v8.6.0

What's Changed

New Contributors

Full Changelog: nodejs/undici@v8.5.0...v8.6.0

v8.5.0

⚠️ Security Release

This release line addresses 8 security advisories. Most are fixed in v8.5.0; the SOCKS5 pool-reuse issue was fixed earlier in v8.2.0.

Action required: Upgrade to undici 8.5.0 or later.

npm install undici@^8.5.0

... (truncated)

Commits
  • 6f86196 Bumped v8.6.0 (#5491)
  • 61ddd8e fix: requeue h2 requests after goaway (#5473)
  • c5085ef feat: support HTTP QUERY method (RFC 10008) (#5459)
  • c144fd6 build(deps): bump github/codeql-action/analyze from 4.36.1 to 4.36.2 (#5477)
  • 782ad38 build(deps): bump github/codeql-action from 4.36.1 to 4.36.2 (#5484)
  • c4e045a build(deps): bump actions/checkout from 6.0.3 to 7.0.0 (#5482)
  • de960db build(deps): bump codecov/codecov-action from 6.0.1 to 7.0.0 (#5478)
  • 1132de8 build(deps): bump fastify/github-action-merge-dependabot (#5480)
  • 3acb7ba build(deps): bump github/codeql-action/upload-sarif (#5481)
  • 88c4254 build(deps): bump github/codeql-action/init from 4.36.1 to 4.36.2 (#5476)
  • Additional commits viewable in compare view

Updates @actions/artifact from 5.0.3 to 6.2.1

Changelog

Sourced from @​actions/artifact's changelog.

6.2.1

  • Support the RFC 5987 filename* field in the content-disposition header. This allows us to correctly download files and artifacts with Chinese/Japanese/Korean (among other) characters in their name.

6.2.0

  • Support uploading single un-archived files (not zipped). Direct uploads are only supported for artifacts version 7+ (based on the major version of actions/upload-artifact). Callers must pass the skipArchive option to uploadArtifact. Only single files can be uploaded at a time right now. Default behavior should remain unchanged if skipArchive = false. When skipArchive = true, the name of the file is used as the name of the artifact for consistency with the downloads: you upload artifact.txt, you download artifact.txt.

6.1.0

  • Support downloading non-zip artifacts. Zipped artifacts will be decompressed automatically (with an optional override). Un-zipped artifacts will be downloaded as-is.

6.0.0

  • Breaking change: Package is now ESM-only
    • CommonJS consumers must use dynamic import() instead of require()
Commits

Updates @actions/github from 6.0.1 to 9.1.1

Changelog

Sourced from @​actions/github's changelog.

9.1.1

  • Bump undici from 6.23.0 to 6.24.0 #2346

9.1.0

  • Append actions_orchestration_id to user-agent when the ACTIONS_ORCHESTRATION_ID environment variable is set #2364

9.0.0

  • Breaking change: Package is now ESM-only
    • CommonJS consumers must use dynamic import() instead of require()
    • Example: const { getOctokit, context } = await import('@actions/github')
  • Fix TypeScript compilation by migrating to ESM, enabling proper imports from @octokit/core/types

8.0.1

  • Update undici to 6.23.0
  • Update @actions/http-client to 3.0.2

8.0.0

  • Update @​octokit dependencies
    • @octokit/core ^7.0.6
    • @octokit/plugin-paginate-rest ^14.0.0
    • @octokit/plugin-rest-endpoint-methods ^17.0.0
    • @octokit/request ^10.0.7
    • @octokit/request-error ^7.1.0
  • Breaking change: Minimum Node.js version is now 20 (previously 18)

7.0.0

  • Update to v3.0.1 of @actions/http-client
Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​actions/github since your current version.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 23, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 23, 2026 14:47
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 23, 2026
Bumps [undici](https://github.com/nodejs/undici) to 8.6.0 and updates ancestor dependencies [undici](https://github.com/nodejs/undici), [@actions/artifact](https://github.com/actions/toolkit/tree/HEAD/packages/artifact) and [@actions/github](https://github.com/actions/toolkit/tree/HEAD/packages/github). These dependencies need to be updated together.


Updates `undici` from 6.25.0 to 8.6.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.25.0...v8.6.0)

Updates `@actions/artifact` from 5.0.3 to 6.2.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/artifact/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/artifact)

Updates `@actions/github` from 6.0.1 to 9.1.1
- [Changelog](https://github.com/actions/toolkit/blob/main/packages/github/RELEASES.md)
- [Commits](https://github.com/actions/toolkit/commits/HEAD/packages/github)

---
updated-dependencies:
- dependency-name: "@actions/artifact"
  dependency-version: 6.2.1
  dependency-type: direct:production
- dependency-name: "@actions/github"
  dependency-version: 9.1.1
  dependency-type: direct:production
- dependency-name: undici
  dependency-version: 8.5.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-a703c13ff7 branch from c5a33d7 to 3d717d6 Compare July 3, 2026 14:37
@dependabot @github

dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #1130.

@dependabot dependabot Bot closed this Jul 16, 2026
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/multi-a703c13ff7 branch July 16, 2026 11:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants