fix(deps): update dependency undici to v6 [security]

[renovate]

Note

Mend has cancelled the proposed renaming of the Renovate GitHub app being renamed to mend[bot].

This notice will be removed on 2025-10-07.

---

This PR contains the following updates:

Package	Change	Age	Confidence
undici (source)	^5.28.4 -> ^6.0.0

GitHub Vulnerability Alerts

CVE-2025-22150

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker controlled servers.

References

• https://hackerone.com/reports/2913312
• https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f

CVE-2025-47279

Impact

Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.

Patches

This has been patched in https://github.com/nodejs/undici/pull/4088.

Workarounds

If a webhook fails, avoid keep calling it repeatedly.

References

Reported as: https://github.com/nodejs/undici/issues/3895

---

Release Notes

nodejs/undici (undici)

v6.21.2

Compare Source

What's Changed

• fix(types): add missing DNS interceptor by @​slagiewka in #​4024
• [v6.x] fix wpts on windows by @​mcollina in #​4093
• Removed clients with unrecoverable errors from the Pool #​4088

New Contributors

• @​slagiewka made their first contribution in #​4024

Full Changelog: nodejs/undici@v6.21.1...v6.21.2

v6.21.1

Compare Source

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

What's Changed

• fix(#​3736): back-port 183f8e9 to v6.x by @​ggoodman in #​3855
• fix(#​3817): send servername for SNI on TLS (#​3821) [backport] by @​metcoder95 in #​3864
• fix: sending formdata bodies with http2 (#​3863) [backport] by @​metcoder95 in #​3866
• [Backport v6.x] fix: Fixed the issue that there is no running request when http2 goaway by @​github-actions in #​3877
• types: [backport] Update return type of RetryCallback (#​3851) by @​metcoder95 in #​3876

Full Changelog: nodejs/undici@v6.21.0...v6.21.1

v6.21.0

Compare Source

What's Changed

• [Backport v6.x] web: mark as uncloneable when possible (#​3709) by @​jazelly in #​3744
• [Backport v6.x] fetch: fix content-encoding order by @​github-actions in #​3764
• [Backport v6.x] fix: handle undefined deref() of WeakRef(socket) by @​github-actions in #​3822
• [Backport v6.x] fix: range end is zero-indexed by @​github-actions in #​3827

Full Changelog: nodejs/undici@v6.20.1...v6.21.0

v6.20.1

Compare Source

What's Changed

• [Backport v6.x] jsdoc: add jsdoc to lib/web/fetch/constants.js by @​github-actions in #​3710
• [Backport v6.x] feat: implement BodyReadable.bytes by @​github-actions in #​3711
• fix: add more expectsPayload methods by @​ronag in #​3715
• [Backport v6.x] chore(H2): onboard H2 into Undici queueing system (#​3707) by @​Uzlopak in #​3724
• [Backport v6.x] fix: PoolBase kClose and kDestroy should await and not return the Promise by @​github-actions in #​3723
• [Backport v6.x] fix: extract noop everywhere by @​Uzlopak in #​3727

Full Changelog: nodejs/undici@v6.20.0...v6.20.1

v6.20.0

Compare Source

What's Changed

• Remove patched dom types (v6.x branch) by @​eXhumer in #​3531
• docs(Backport v6.x): Fix signature of RetryHandler by @​github-actions in #​3594
• deps(dev): update @​types/node by @​metcoder95 in #​3618
• fix: throw on retry when payload is consume by downstream by @​github-actions in #​3596
• feat(Backport v6.x): move throwOnError to interceptor by @​github-actions in #​3595
• [Backport v6.x] fix: reduce memory usage in client-h1 by @​github-actions in #​3672
• [Backport v6.x] fix: refactor fast timers, fix UND_ERR_CONNECT_TIMEOUT on event loop blocking by @​github-actions in #​3673
• [Backport v6.x] fix: run asserts first if possible by @​github-actions in #​3674
• [Backport v6.x] fix: use fasttimers for all connection timeouts by @​github-actions in #​3675
• [Backport v6.x] ci: less flaky test/request-timeout.js test by @​github-actions in #​3678
• [Backport v6.x] test: less flaky timers acceptance test, rework fast timer tests to pass them faster by @​github-actions in #​3679
• [Backport v6.x] ignore leading and trailing crlfs in formdata body by @​github-actions in #​3681
• [Backport v6.x] mock: fix mocking of Uint8Array and ArrayBuffers as provided mock-responses by @​github-actions in #​3689
• [Backport v6.x] handle body errors by @​Uzlopak in #​3700

Full Changelog: nodejs/undici@v6.19.8...v6.20.0

v6.19.8

Compare Source

Full Changelog: nodejs/undici@v6.19.7...v6.19.8

v6.19.7

Compare Source

Full Changelog: nodejs/undici@v6.19.6...v6.19.7

v6.19.6

Compare Source

Full Changelog: nodejs/undici@v6.19.5...v6.19.6

v6.19.5

Compare Source

Full Changelog: nodejs/undici@v6.19.4...v6.19.5

v6.19.4

Compare Source

Full Changelog: nodejs/undici@v6.19.3...v6.19.4

v6.19.3

Compare Source

Full Changelog: nodejs/undici@v6.19.2...v6.19.3

v6.19.2

Compare Source

What's Changed

• fix #​3337 by @​KhafraDev in #​3338
• build: use husky as husky install is deprecated by @​jazelly in #​3340
• fix: interceptors.d.ts has no default export by @​Uzlopak in #​3332

Full Changelog: nodejs/undici@v6.19.1...v6.19.2

v6.19.1

Compare Source

What's Changed

• don't append empty origin by @​KhafraDev in #​3335

Full Changelog: nodejs/undici@v6.19.0...v6.19.1

v6.19.0

Compare Source

What's Changed

• build(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @​dependabot in #​3305
• build(deps): bump codecov/codecov-action from 4.3.1 to 4.4.1 by @​dependabot in #​3303
• build(deps): bump step-security/harden-runner from 2.7.1 to 2.8.0 by @​dependabot in #​3304
• build(deps): bump github/codeql-action from 3.25.3 to 3.25.7 by @​dependabot in #​3306
• build(deps): bump node from 9e8f45f to dd7e693 in /build by @​dependabot in #​3309
• build(deps): bump node from dd7e693 to e6d4495 in /build by @​dependabot in #​3313
• remove websocket experimental warning by @​KhafraDev in #​3311
• perf: optimization of request instantiation by @​tsctx in #​3107
• perf: convert object to params by @​DarkGL in #​3302
• build(deps-dev): bump borp from 0.14.0 to 0.15.0 by @​dependabot in #​3320
• build(deps-dev): bump c8 from 9.1.0 to 10.0.0 by @​dependabot in #​3321
• fix: add missing error classes to types by @​maxbeatty in #​3316
• export interceptor to type def file by @​jakecastelli in #​3318
• build(deps): bump node from e6d4495 to 075a5cc in /build by @​dependabot in #​3326
• doc: clearify the behaviour of bodyTimeout in the request by @​jakecastelli in #​3324
• feature: support pre-shared sessions by @​tastypackets in #​3325

New Contributors

• @​maxbeatty made their first contribution in #​3316
• @​jakecastelli made their first contribution in #​3318

Full Changelog: nodejs/undici@v6.18.2...v6.19.0

v6.18.2

Compare Source

What's Changed

• don't use internal header state for cookies by @​KhafraDev in #​3295
• build(deps-dev): bump borp from 0.13.0 to 0.14.0 by @​dependabot in #​3298
• fix: retry on body support by @​metcoder95 in #​3294

Full Changelog: nodejs/undici@v6.18.1...v6.18.2

v6.18.1

Compare Source

What's Changed

• docs: Update references to dispatcher in docs by @​haikyuu in #​3281
• fix: compatibility for global headers by @​tsctx in #​3286
• websocket: pre-calculated length by @​tsctx in #​3284
• ci: fix autobahn workflow by @​Uzlopak in #​3291
• revert: "websocket: pre-calculated length" by @​KhafraDev in #​3290
• websocket: use FixedQueue instead of Set by @​tsctx in #​3283

New Contributors

• @​haikyuu made their first contribution in #​3281

Full Changelog: nodejs/undici@v6.18.0...v6.18.1

v6.18.0

Compare Source

What's Changed

• permessage-deflate decompression support in websocket by @​KhafraDev in #​3263
• fix: Fix server closing in tests. by @​ShogunPanda in #​3279

Full Changelog: nodejs/undici@v6.17.0...v6.18.0

v6.17.0

Compare Source

What's Changed

• fetch: fix captureStackTrace by @​Uzlopak in #​3227
• fetch: fix wpt test request-upload.any.js by @​Uzlopak in #​3234
• websocket: don't clone buffer by @​tsctx in #​3240
• Remove unecessary async from writeBuffer by @​DarkGL in #​3245
• refactor websocket control frame handling by @​KhafraDev in #​3241
• fix parsing continuation frames in websocket by @​KhafraDev in #​3247
• ci: node nightly test should use node 23 by @​Uzlopak in #​3248
• Add test to verify if the connection is correctly aborted on cancel by @​mcollina in #​3219
• Autobahn suite by @​KhafraDev in #​3251
• websocket: fix 6 autobahn tests by @​KhafraDev in #​3254
• websocket: checkout correct commit in autobahn workflow by @​Uzlopak in #​3258
• Cleanup websocket by @​KhafraDev in #​3257
• websocket: autobahn workflow should fail on error by @​Uzlopak in #​3259
• add bodymixin bytes by @​KhafraDev in #​3262
• perf: avoid buffer cloning by @​tsctx in #​3264
• feat: dump interceptor by @​metcoder95 in #​3118
• use private properties in Headers by @​KhafraDev in #​3269
• Revert "websocket: autobahn workflow should fail on error" by @​Uzlopak in #​3270
• build(deps): bump node from 487dc5d to 9e8f45f in /build by @​dependabot in #​3271

New Contributors

• @​DarkGL made their first contribution in #​3245

Full Changelog: nodejs/undici@v6.16.1...v6.17.0

v6.16.1

Compare Source

What's Changed

• fix some typos by @​Uzlopak in #​3217
• websocket: move codeblock in parseCloseBody by @​Uzlopak in #​3215
• fetch: enable wpt test request-referrer.any.js by @​Uzlopak in #​3223
• fetch: wpt add /fetch/api/resources/cache.py to server.mjs by @​Uzlopak in #​3225
• add pipe support for wpt server by @​KhafraDev in #​3228
• test: reduce the number of requests in fire-and-forget.js by @​tsctx in #​3229
• ci: add node 22 in ci test matrix, use 22 for coverage by @​Uzlopak in #​3226
• fetch: don't set an invalid origin header by @​KhafraDev in #​3235
• fail wpt runner if expected failures does not match actual by @​KhafraDev in #​3236
• fix: ignore content-length when dumping HEAD by @​ronag in #​3222

Full Changelog: nodejs/undici@v6.16.0...v6.16.1

v6.16.0

Compare Source

What's Changed

• add index to sequence converter errors by @​KhafraDev in #​3178
• build(deps-dev): bump borp from 0.12.0 to 0.13.0 by @​dependabot in #​3179
• build(deps): bump node from 21-alpine3.19 to 22-alpine3.19 in /build by @​dependabot in #​3180
• build(deps): bump superagent from 8.1.2 to 9.0.2 in /benchmarks by @​dependabot in #​3181
• fix: keep raw header name by @​tsctx in #​3183
• fix(fetch): improve Headers and Request type-compatibility by @​kettanaito in #​1964
• fix 3 mimesniff tests by @​KhafraDev in #​3185
• build(deps): bump hendrikmuhs/ccache-action from 1.2.12 to 1.2.13 by @​dependabot in #​3187
• build(deps): bump codecov/codecov-action from 4.1.1 to 4.3.1 by @​dependabot in #​3191
• build(deps): bump github/codeql-action from 3.24.9 to 3.25.3 by @​dependabot in #​3192
• build(deps): bump actions/dependency-review-action from 4.2.5 to 4.3.2 by @​dependabot in #​3189
• build(deps): bump step-security/harden-runner from 2.7.0 to 2.7.1 by @​dependabot in #​3188
• build(deps): bump actions/upload-artifact from 4.3.1 to 4.3.3 by @​dependabot in #​3190
• build(deps): bump node from 9459e24 to 487dc5d in /build by @​dependabot in #​3195
• perf: avoid spread in makeRequest() by @​gunjam in #​3193
• refactor: code cleanup by @​tsctx in #​3194
• fix parsing when receiving empty body websocket by @​KhafraDev in #​3205
• fix: MockResponseCallbackOptions type by @​merojosa in #​2951
• docs(proxy): fix typo by @​kanadgupta in #​3207
• fix websocket receiving an invalid utf-8 in close frame by @​KhafraDev in #​3206
• perf: avoid setImmediate if body is reading by @​ronag in #​3210
• fix: request abort signal by @​ronag in #​3209
• fix: remove abort handler on close by @​ronag in #​3211
• fix: pass abort function by @​tsctx in #​3212
• websocket: 200x faster generate mask by @​tsctx in #​3204
• use FinalizationRegistry to cancel the body if response is collected by @​mcollina in #​3199
• websocket: don't clone buffer if it's not needed. by @​tsctx in #​3214
• websocket: use FastBuffer by @​tsctx in #​3213

New Contributors

• @​kettanaito made their first contribution in #​1964
• @​gunjam made their first contribution in #​3193
• @​merojosa made their first contribution in #​2951
• @​kanadgupta made their first contribution in #​3207

Full Changelog: nodejs/undici@v6.15.0...v6.16.0

v6.15.0

Compare Source

What's Changed

• Expose EnvHttpProxyAgent to Node.js core bundle, so it can be turned … by @​mcollina in #​3148
• test: add headerslist copy check by @​tsctx in #​3156
• chore: ensure automated v6 release compared to v6 by @​mweberxyz in #​3149
• fetch: do not leak signal listeners by @​mcollina in #​3158
• fix: request cache mode is not the same as request mode by @​tsibley in #​3151
• fetch: don't re-lowercase HeadersList by @​tsctx in #​3159
• fix casing issue when cloning Headers object by @​KhafraDev in #​3160
• build(deps): bump node from 6d0f18a to db8772d in /build by @​dependabot in #​3163
• fix header cloning bug by @​tsctx in #​3162
• chore: change bench naming for h2 by @​metcoder95 in #​3165
• expose WebSocket related events in node bundle by @​KhafraDev in #​3167
• feat: add support for if-match on retry handler by @​metcoder95 in #​3144
• fix: correct firing order of abort events by @​tsctx in #​3169
• create fast MessageEvent by @​KhafraDev in #​3170
• chore: add explicitly @​fastify/busboy by @​Uzlopak in #​3172
• chore: remove sinon as dev dependency by @​Uzlopak in #​3171
• webidl changes by @​KhafraDev in #​3175
• preserve dictionary key name in webidl errors by @​KhafraDev in #​3176

New Contributors

• @​tsibley made their first contribution in #​3151

Full Changelog: nodejs/undici@v6.14.1...v6.15.0

v6.14.1

Compare Source

What's Changed

• fix: tweak keep-alive timeout implementation by @​mweberxyz in #​3145
• build(deps-dev): bump borp from 0.11.0 to 0.12.0 by @​dependabot in #​3153
• build(deps): bump node from ad255c6 to 6d0f18a in /build by @​dependabot in #​3154
• fix(EnvHttpProxyAgent): prefer lowercase env vars by @​10xLaCroixDrinker in #​3152

Full Changelog: nodejs/undici@v6.14.0...v6.14.1

v6.14.0

Compare Source

What's Changed

• bench: enable benchmarks for h2 by @​metcoder95 in #​3100
• perf: improve performance of isomorphicEncode by @​tsctx in #​3101
• util: remove isReadableAborted by @​Uzlopak in #​3104
• fix(types): The second parameter of EventSource is optional by @​zbinlin in #​3106
• fix: onConnect types by @​ronag in #​3116
• add dispatcher option to EventSource by @​KhafraDev in #​3119
• core: improve parseURL by @​Uzlopak in #​3102
• test: increase coverage by @​Uzlopak in #​3121
• docs: add directions to run docs and benchmarks by @​FatumaA in #​3092
• perf: avoid unnecessary clone by @​tsctx in #​3117
• build(deps-dev): bump borp from 0.10.0 to 0.11.0 by @​dependabot in #​3126
• drop node support for < v18.17.0 by @​KhafraDev in #​3125
• test: improve test and ci performance by @​Uzlopak in #​3135
• Added EnvHttpProxyAgent to support HTTP_PROXY by @​10xLaCroixDrinker in #​2994
• fetch: Change wording of "Body is unusable" error by @​nzakas in #​3105
• perf: use class instead of object literals with getters by @​tsctx in #​3138
• fix: unhandled exception or failing error body by @​ronag in #​3137
• reuse realm for Request/Response by @​KhafraDev in #​3142
• fix(H2-#​3140): abort requets upon GOAWAY by @​metcoder95 in #​3143
• don't store realm on Request/Response by @​KhafraDev in #​3146
• improve: wasm build by @​Uzlopak in #​3074

New Contributors

• @​10xLaCroixDrinker made their first contribution in #​2994
• @​nzakas made their first contribution in #​3105

Full Changelog: nodejs/undici@v6.13.0...v6.14.0

v6.13.0

Compare Source

What's Changed

• build(deps): bump node from 9696b26 to ad255c6 in /build by @​dependabot in #​3073
• test: remove only by @​metcoder95 in #​3077
• fix: defer errors with setImmediate by @​ronag in #​3081
• improve DecoratorHandler by @​Uzlopak in #​3079
• chore: removed unused escapeFormDataName by @​mcollina in #​3084
• Mention option to pass streams into FormData by @​JaoodxD in #​3086
• fetch: improve performance of isValidEncodedURL by @​Uzlopak in #​3090
• optimize utf8Decode by @​Uzlopak in #​3085
• refactor: h2 refactoring by @​metcoder95 in #​3082
• Skip the creation of a transform stream in fetch by @​mcollina in #​3093
• fetch: improve performance of urlHasHttpsScheme by @​Uzlopak in #​3094
• fetch: avoid creation of an intermediary ReadableStream by @​KhafraDev in #​3095
• test: duplicate jest unspecific tests to native runner by @​Uzlopak in #​3075
• build(deps): bump node from ad255c6 to 6d0f18a in /build by @​dependabot in #​3096
• fetch: improve performance of isValidHeaderValue by @​Uzlopak in #​3098
• chore: automate releases with pr by @​mweberxyz in #​3089

New Contributors

• @​github-actions made their first contribution in #​3099

Full Changelog: nodejs/undici@v6.12.0...v6.13.0

v6.12.0

Compare Source

What's Changed

• fix: broken test by @​tsctx in #​3045
• fix: http2 header parsing by @​climba03003 in #​3047
• types: fix Request.refererPolicy and RequestInit.refererPolicy are incompatible by @​zbinlin in #​3039
• fix(types): onHeaders always takes headers as an array of buffer by @​ronag in #​3050
• fix: ProxyAgent causes request.headers.host to be forcibly reset by @​1zilc in #​3026
• fallback to Buffer.isUtf8 on platforms without icu by @​KhafraDev in #​3006
• build(deps): bump github/codeql-action from 3.24.6 to 3.24.9 by @​dependabot in #​3037
• build(deps): bump actions/dependency-review-action from 4.1.3 to 4.2.5 by @​dependabot in #​3035
• build(deps): bump node from 577f8eb to 87524df in /build by @​dependabot in #​3055
• build(deps): bump node from 87524df to 9696b26 in /build by @​dependabot in #​3058
• fetch: Block ports 4190 & 6679 by @​KhafraDev in #​3059
• test: activate testing for interceptors and cache by @​Uzlopak in #​3061
• cache: improve test coverage by @​Uzlopak in #​3063
• feat: modernize fuzzing by @​Uzlopak in #​3060
• fix: request abort by @​ronag in #​3056
• fix: signal handling by @​ronag in #​3053
• fix(H2): handle goaway properly by @​metcoder95 in #​3057
• test: client, set body to null if bigger than CHUNK_LIMIT by @​Uzlopak in #​3064
• mock: improve mock interceptor by @​Uzlopak in #​3062
• fix: bad client destroy on servername change by @​ronag in #​3066
• perf: improve isBlobLike by @​Uzlopak in #​3070
• test: add sanity check for llhttp wasm files by @​Uzlopak in #​3068

New Contributors

• @​zbinlin made their first contribution in #​3039
• @​1zilc made their first contribution in #​3026

Full Changelog: nodejs/undici@v6.11.1...v6.12.0

v6.11.1

Compare Source

⚠️ Security Release ⚠️

What's Changed

• Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
• Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261
• Revert "fix: don't leak internal class (#​3024)" by @​mcollina in #​3044

Full Changelog: nodejs/undici@v6.11.0...v6.11.1

v6.11.0

Compare Source

What's Changed

• refactor(#​3023): Pass headers as array instead by @​metcoder95 in #​3025
• fix: don't leak internal class by @​ronag in #​3024
• build(deps): bump codecov/codecov-action from 4.1.0 to 4.1.1 by @​dependabot in #​3034
• build(deps-dev): bump tsd from 0.30.7 to 0.31.0 by @​dependabot in #​3038
• build(deps-dev): bump borp from 0.9.1 to 0.10.0 by @​dependabot in #​2947
• missing commits by @​ronag in #​3040
• build(deps): bump actions/checkout from 4.1.1 to 4.1.2 by @​dependabot in #​3036
• fix: regexp pattern by @​tsctx in #​3041

Full Changelog: nodejs/undici@v6.10.2...v6.11.0

v6.10.2

Compare Source

What's Changed

• Do not fail test if streams support typed arrays by @​mcollina in #​2978
• fix(fetch): properly redirect non-ascii location header url by @​Xvezda in #​2971
• perf: Remove double-stringify in setCookie by @​peterver in #​2980
• [fix #​2982] use DispatcherInterceptor type for Dispatcher#Compose by @​clovis-guillemot in #​2983
• fix: make EventSource properties enumerable by @​MattBidewell in #​2987
• docs: ✏️ fixed benchmark links by @​benhalverson in #​2991
• fix(#​2986): bad start check by @​metcoder95 in #​2992
• fix(H2 Client): bind stream 'data' listener only after received 'response' event by @​St3ffGv4 in #​2985
• feat: added search input by @​benhalverson in #​2993
• chore: validate responses can be consumed without a Content-Length or… by @​jacob-ebey in #​2995
• fix error message by @​KhafraDev in #​2998
• Revert "perf: reuse TextDecoder instance (#​2863)" by @​panva in #​2999
• test: remove only by @​metcoder95 in #​3001

New Contributors

• @​Xvezda made their first contribution in #​2971
• @​peterver made their first contribution in #​2980
• @​clovis-guillemot made their first contribution in #​2983
• @​MattBidewell made their first contribution in #​2987
• @​benhalverson made their first contribution in #​2991
• @​St3ffGv4 made their first contribution in #​2985
• @​jacob-ebey made their first contribution in #​2995

Full Changelog: nodejs/undici@v6.10.0...v6.10.2

v6.10.1

Compare Source

Full Changelog: nodejs/undici@v6.10.0...v6.10.1

v6.10.0

Compare Source

What's Changed

• test: fix flakyness of issue-803 test by @​Uzlopak in #​2960
• Cleanup format by @​KhafraDev in #​2959
• Chore: run tests daily against node nightly by @​mweberxyz in #​2969
• fix: fix retry handler option by @​acommodari in #​2962
• build(deps): bump node from 4999fa1 to 577f8eb in /build by @​dependabot in #​2974
• feat(TS): add types for composed dispatchers by @​metcoder95 in #​2967
• fix: count for error response and network errors by @​metcoder95 in #​2966

New Contributors

• @​mweberxyz made their first contribution in #​2969
• [@​acommodari](https://

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: a599512

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Preview	Updated (UTC)
vercel-storage-next-integration-test-suite	Ready	Preview	Sep 29, 2025 2:51pm

[vercel]

The undici upgrade installs version 6.20.1, which is below the required 6.21.1 version needed to fix the security vulnerabilities mentioned in the PR.

View Details

📝 Patch Details

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 12cc5f8..ee17665 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -37,7 +37,7 @@ importers:
         version: 0.3.7
       ts-jest:
         specifier: 29.2.6
-        version: 29.2.6(@babel/[email protected])(@jest/[email protected])(@jest/[email protected])([email protected](@babel/[email protected]))([email protected](@types/[email protected])([email protected](@types/[email protected])([email protected])))([email protected])
+        version: 29.2.6(@babel/[email protected])(@jest/[email protected])(@jest/[email protected])([email protected](@babel/[email protected]))([email protected](@types/[email protected])([email protected](@types/[email protected])([email protected])))([email protected])
       turbo:
         specifier: 2.4.4
         version: 2.4.4
@@ -60,8 +60,8 @@ importers:
         specifier: ^2.1.0
         version: 2.1.0
       undici:
-        specifier: ^6.0.0
-        version: 6.20.1
+        specifier: ^6.21.3
+        version: 6.21.3
     devDependencies:
       '@edge-runtime/jest-environment':
         specifier: 2.3.10
@@ -371,7 +371,7 @@ importers:
         version: 2.1.3
       next:
         specifier: ^15.2.0
-        version: 15.2.0(@babel/[email protected])(@opentelemetry/[email protected])(@playwright/[email protected])([email protected]([email protected]))([email protected])
+        version: 15.2.0(@babel/[email protected])(@opentelemetry/[email protected])(@playwright/[email protected])([email protected]([email protected]))([email protected])
       postcss:
         specifier: ^8.5.3
         version: 8.5.3
@@ -5484,6 +5484,10 @@ packages:
     resolution: {integrity: sha512-AjQF1QsmqfJys+LXfGTNum+qw4S88CojRInG/6t31W/1fk6G59s92bnAvGz5Cmur+kQv2SURXEvvudLmbrE8QA==}
     engines: {node: '>=18.17'}
 
+  [email protected]:
+    resolution: {integrity: sha512-gBLkYIlEnSp8pFbT64yFgGE6UIB9tAkhukC23PmMDCe5Nd+cRqKxSjw5y54MK2AZMgZfJWMaNE4nYUHgi1XEOw==}
+    engines: {node: '>=18.17'}
+
   [email protected]:
     resolution: {integrity: sha512-rBJeI5CXAlmy1pV+617WB9J63U6XcazHHF2f2dbJix4XzpUF0RS3Zbj0FGIOCAva5P/d/GBOYaACQ1w+0azUkg==}
     engines: {node: '>= 4.0.0'}
@@ -5957,6 +5961,12 @@ snapshots:
       '@babel/core': 7.23.2
       '@babel/helper-plugin-utils': 7.20.2
 
+  '@babel/[email protected](@babel/[email protected])':
+    dependencies:
+      '@babel/core': 7.23.9
+      '@babel/helper-plugin-utils': 7.20.2
+    optional: true
+
   '@babel/[email protected](@babel/[email protected])':
     dependencies:
       '@babel/core': 7.26.0
@@ -5968,6 +5978,12 @@ snapshots:
       '@babel/core': 7.23.2
       '@babel/helper-plugin-utils': 7.20.2
 
+  '@babel/[email protected](@babel/[email protected])':
+    dependencies:
+      '@babel/core': 7.23.9
+      '@babel/helper-plugin-utils': 7.20.2
+    optional: true
+
   '@babel/[email protected](@babel/[email protected])':
     dependencies:
       '@babel/core': 7.26.0
@@ -5979,6 +5995,12 @@ snapshots:
       '@babel/core': 7.23.2
       '@babel/helper-plugin-utils': 7.20.2
 
+  '@babel/[email protected](@babel/[email protected])':
+    dependencies:
+      '@babel/core': 7.23.9
+      '@babel/helper-plugin-utils': 7.20.2
+    optional: true
+
   '@babel/[email protected](@babel/[email protected])':
     dependencies:
       '@babel/core': 7.26.0
@@ -5990,6 +6012,12 @@ snapshots:
       '@babel/core': 7.23.2
       '@babel/helper-plugin-utils': 7.20.2
 
+  '@babel/[email protected](@babel/[email protected])':
+    dependencies:
+      '@babel/core': 7.23.9
+      '@babel/helper-plugin-utils': 7.20.2
+    optional: true
+
   '@babel/[email protected](@babel/[email protected])':
     dependencies:
       '@babel/core': 7.26.0
@@ -6001,6 +6029,12 @@ snapshots:
       '@babel/core': 7.23.2
       '@babel/helper-plugin-utils': 7.20.2
 
+  '@babel/[email protected](@babel/[email protected])':
+    dependencies:
+      '@babel/core': 7.23.9
+      '@babel/helper-plugin-utils': 7.20.2
+    optional: true
+
   '@babel/[email protected](@babel/[email protected])':
     dependencies:
       '@babel/core': 7.26.0
@@ -6017,6 +6051,12 @@ snapshots:
       '@babel/core': 7.23.2
       '@babel/helper-plugin-utils': 7.20.2
 
+  '@babel/[email protected](@babel/[email protected])':
+    dependencies:
+      '@babel/core': 7.23.9
+      '@babel/helper-plugin-utils': 7.20.2
+    optional: true
+
   '@babel/[email protected](@babel/[email protected])':
     dependencies:
       '@babel/core': 7.26.0
@@ -6028,6 +6068,12 @@ snapshots:
       '@babel/core': 7.23.2
       '@babel/helper-plugin-utils': 7.20.2
 
+  '@babel/[email protected](@babel/[email protected])':
+    dependencies:
+      '@babel/core': 7.23.9
+      '@babel/helper-plugin-utils': 7.20.2
+    optional: true
+
   '@babel/[email protected](@babel/[email protected])':
     dependencies:
       '@babel/core': 7.26.0
@@ -6039,6 +6085,12 @@ snapshots:
       '@babel/core': 7.23.2
       '@babel/helper-plugin-utils': 7.20.2
 
+  '@babel/[email protected](@babel/[email protected])':
+    dependencies:
+      '@babel/core': 7.23.9
+      '@babel/helper-plugin-utils': 7.20.2
+    optional: true
+
   '@babel/[email protected](@babel/[email protected])':
     dependencies:
       '@babel/core': 7.26.0
@@ -6050,6 +6102,12 @@ snapshots:
       '@babel/core': 7.23.2
       '@babel/helper-plugin-utils': 7.20.2
 
+  '@babel/[email protected](@babel/[email protected])':
+    dependencies:
+      '@babel/core': 7.23.9
+      '@babel/helper-plugin-utils': 7.20.2
+    optional: true
+
   '@babel/[email protected](@babel/[email protected])':
     dependencies:
       '@babel/core': 7.26.0
@@ -6061,6 +6119,12 @@ snapshots:
       '@babel/core': 7.23.2
       '@babel/helper-plugin-utils': 7.20.2
 
+  '@babel/[email protected](@babel/[email protected])':
+    dependencies:
+      '@babel/core': 7.23.9
+      '@babel/helper-plugin-utils': 7.20.2
+    optional: true
+
   '@babel/[email protected](@babel/[email protected])':
     dependencies:
       '@babel/core': 7.26.0
@@ -6072,6 +6136,12 @@ snapshots:
       '@babel/core': 7.23.2
       '@babel/helper-plugin-utils': 7.20.2
 
+  '@babel/[email protected](@babel/[email protected])':
+    dependencies:
+      '@babel/core': 7.23.9
+      '@babel/helper-plugin-utils': 7.20.2
+    optional: true
+
   '@babel/[email protected](@babel/[email protected])':
     dependencies:
       '@babel/core': 7.26.0
@@ -6083,6 +6153,12 @@ snapshots:
       '@babel/core': 7.23.2
       '@babel/helper-plugin-utils': 7.20.2
 
+  '@babel/[email protected](@babel/[email protected])':
+    dependencies:
+      '@babel/core': 7.23.9
+      '@babel/helper-plugin-utils': 7.20.2
+    optional: true
+
   '@babel/[email protected](@babel/[email protected])':
     dependencies:
       '@babel/core': 7.26.0
@@ -7245,10 +7321,10 @@ snapshots:
     dependencies:
       '@types/yargs-parser': 21.0.0
 
-  '@typescript-eslint/[email protected](@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected])':
+  '@typescript-eslint/[email protected](@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected])':
     dependencies:
       '@eslint-community/regexpp': 4.10.0
-      '@typescript-eslint/parser': 8.25.0([email protected])([email protected])
+      '@typescript-eslint/parser': 6.21.0([email protected])([email protected])
       '@typescript-eslint/scope-manager': 6.21.0
       '@typescript-eslint/type-utils': 6.21.0([email protected])([email protected])
       '@typescript-eslint/utils': 6.21.0([email protected])([email protected])
@@ -7460,7 +7536,7 @@ snapshots:
       '@babel/core': 7.23.9
       '@babel/eslint-parser': 7.23.10(@babel/[email protected])([email protected])
       '@rushstack/eslint-patch': 1.7.2
-      '@typescript-eslint/eslint-plugin': 6.21.0(@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected])
+      '@typescript-eslint/eslint-plugin': 6.21.0(@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected])
       '@typescript-eslint/parser': 6.21.0([email protected])([email protected])
       eslint-config-prettier: 9.1.0([email protected])
       eslint-import-resolver-alias: 1.1.2([email protected])
@@ -7774,6 +7850,20 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  [email protected](@babel/[email protected]):
+    dependencies:
+      '@babel/core': 7.23.9
+      '@jest/transform': 29.7.0
+      '@types/babel__core': 7.20.0
+      babel-plugin-istanbul: 6.1.1
+      babel-preset-jest: 29.6.3(@babel/[email protected])
+      chalk: 4.1.2
+      graceful-fs: 4.2.11
+      slash: 3.0.0
+    transitivePeerDependencies:
+      - supports-color
+    optional: true
+
   [email protected](@babel/[email protected]):
     dependencies:
       '@babel/core': 7.26.0
@@ -7821,6 +7911,23 @@ snapshots:
       '@babel/plugin-syntax-optional-chaining': 7.8.3(@babel/[email protected])
       '@babel/plugin-syntax-top-level-await': 7.14.5(@babel/[email protected])
 
+  [email protected](@babel/[email protected]):
+    dependencies:
+      '@babel/core': 7.23.9
+      '@babel/plugin-syntax-async-generators': 7.8.4(@babel/[email protected])
+      '@babel/plugin-syntax-bigint': 7.8.3(@babel/[email protected])
+      '@babel/plugin-syntax-class-properties': 7.12.13(@babel/[email protected])
+      '@babel/plugin-syntax-import-meta': 7.10.4(@babel/[email protected])
+      '@babel/plugin-syntax-json-strings': 7.8.3(@babel/[email protected])
+      '@babel/plugin-syntax-logical-assignment-operators': 7.10.4(@babel/[email protected])
+      '@babel/plugin-syntax-nullish-coalescing-operator': 7.8.3(@babel/[email protected])
+      '@babel/plugin-syntax-numeric-separator': 7.10.4(@babel/[email protected])
+      '@babel/plugin-syntax-object-rest-spread': 7.8.3(@babel/[email protected])
+      '@babel/plugin-syntax-optional-catch-binding': 7.8.3(@babel/[email protected])
+      '@babel/plugin-syntax-optional-chaining': 7.8.3(@babel/[email protected])
+      '@babel/plugin-syntax-top-level-await': 7.14.5(@babel/[email protected])
+    optional: true
+
   [email protected](@babel/[email protected]):
     dependencies:
       '@babel/core': 7.26.0
@@ -7844,6 +7951,13 @@ snapshots:
       babel-plugin-jest-hoist: 29.6.3
       babel-preset-current-node-syntax: 1.0.1(@babel/[email protected])
 
+  [email protected](@babel/[email protected]):
+    dependencies:
+      '@babel/core': 7.23.9
+      babel-plugin-jest-hoist: 29.6.3
+      babel-preset-current-node-syntax: 1.0.1(@babel/[email protected])
+    optional: true
+
   [email protected](@babel/[email protected]):
     dependencies:
       '@babel/core': 7.26.0
@@ -8666,7 +8780,7 @@ snapshots:
       debug: 4.3.7
       enhanced-resolve: 5.15.0
       eslint: 8.56.0
-      eslint-module-utils: 2.8.0(@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected])([email protected])
+      eslint-module-utils: 2.8.0(@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected](@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected]))([email protected])
       eslint-plugin-import: 2.29.1(@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected])
       fast-glob: 3.3.2
       get-tsconfig: 4.7.2
@@ -8704,7 +8818,7 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
-  [email protected](@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected])([email protected]):
+  [email protected](@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected](@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected]))([email protected]):
     dependencies:
       debug: 3.2.7
     optionalDependencies:
@@ -8731,7 +8845,7 @@ snapshots:
       doctrine: 2.1.0
       eslint: 8.56.0
       eslint-import-resolver-node: 0.3.9
-      eslint-module-utils: 2.8.0(@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected])([email protected])
+      eslint-module-utils: 2.8.0(@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected](@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected]))([email protected])
       hasown: 2.0.1
       is-core-module: 2.13.1
       is-glob: 4.0.3
@@ -8782,7 +8896,7 @@ snapshots:
       '@typescript-eslint/utils': 5.62.0([email protected])([email protected])
       eslint: 8.56.0
     optionalDependencies:
-      '@typescript-eslint/eslint-plugin': 6.21.0(@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected])
+      '@typescript-eslint/eslint-plugin': 6.21.0(@typescript-eslint/[email protected]([email protected])([email protected]))([email protected])([email protected])
       jest: 29.7.0(@types/[email protected])([email protected](@types/[email protected])([email protected]))
     transitivePeerDependencies:
       - supports-color
@@ -10558,7 +10672,7 @@ snapshots:
 
   [email protected]: {}
 
-  [email protected](@babel/[email protected])(@opentelemetry/[email protected])(@playwright/[email protected])([email protected]([email protected]))([email protected]):
+  [email protected](@babel/[email protected])(@opentelemetry/[email protected])(@playwright/[email protected])([email protected]([email protected]))([email protected]):
     dependencies:
       '@next/env': 15.2.0
       '@swc/counter': 0.1.3
@@ -10568,7 +10682,7 @@ snapshots:
       postcss: 8.4.31
       react: 19.0.0
       react-dom: 19.0.0([email protected])
-      styled-jsx: 5.1.6(@babel/[email protected])([email protected])
+      styled-jsx: 5.1.6(@babel/[email protected])([email protected])
     optionalDependencies:
       '@next/swc-darwin-arm64': 15.2.0
       '@next/swc-darwin-x64': 15.2.0
@@ -11547,12 +11661,12 @@ snapshots:
 
   [email protected]: {}
 
-  [email protected](@babel/[email protected])([email protected]):
+  [email protected](@babel/[email protected])([email protected]):
     dependencies:
       client-only: 0.0.1
       react: 19.0.0
     optionalDependencies:
-      '@babel/core': 7.23.9
+      '@babel/core': 7.26.0
 
   [email protected]:
     dependencies:
@@ -11728,6 +11842,25 @@ snapshots:
       babel-jest: 29.7.0(@babel/[email protected])
       esbuild: 0.25.0
 
+  [email protected](@babel/[email protected])(@jest/[email protected])(@jest/[email protected])([email protected](@babel/[email protected]))([email protected](@types/[email protected])([email protected](@types/[email protected])([email protected])))([email protected]):
+    dependencies:
+      bs-logger: 0.2.6
+      ejs: 3.1.10
+      fast-json-stable-stringify: 2.1.0
+      jest: 29.7.0(@types/[email protected])([email protected](@types/[email protected])([email protected]))
+      jest-util: 29.7.0
+      json5: 2.2.3
+      lodash.memoize: 4.1.2
+      make-error: 1.3.6
+      semver: 7.7.1
+      typescript: 5.7.3
+      yargs-parser: 21.1.1
+    optionalDependencies:
+      '@babel/core': 7.23.9
+      '@jest/transform': 29.7.0
+      '@jest/types': 29.6.3
+      babel-jest: 29.7.0(@babel/[email protected])
+
   [email protected](@babel/[email protected])(@jest/[email protected])(@jest/[email protected])([email protected](@babel/[email protected]))([email protected](@types/[email protected])([email protected](@types/[email protected])([email protected])))([email protected]):
     dependencies:
       bs-logger: 0.2.6
@@ -11989,6 +12122,8 @@ snapshots:
 
   [email protected]: {}
 
+  [email protected]: {}
+
   [email protected]: {}
 
   [email protected]: {}

Analysis

Security vulnerability in undici 6.20.1 - CVE-2025-22150 and CVE-2025-47279

What fails: Package @vercel/blob uses undici 6.20.1, which contains two security vulnerabilities: CVE-2025-22150 (predictable multipart boundaries using Math.random()) and CVE-2025-47279 (memory leak with invalid certificates).

How to reproduce:

cd packages/blob
pnpm list undici  # Shows version 6.20.1 before fix

Result: Version 6.20.1 installed despite package.json constraint "undici": "^6.0.0" allowing newer patched versions.

Expected: Should use version 6.21.1 or higher, which contains the security fixes per CVE-2025-22150 advisory. The caret constraint should automatically resolve to the latest compatible version with security patches.

Fixed: Updated pnpm-lock.yaml to use undici 6.21.3, which includes fixes for both CVEs.