RobinTail / express-zod-api / 23087175532
100%

DEFAULT BRANCH: master
Ran
Jobs 6
Files 45
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 100.0%. Remained the same
23087175532

push

github

web-flow 
chore(deps): update dependency undici to v7.24.0 [security] (#3257)

This PR contains the following updates:

| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [undici](https://undici.nodejs.org)
([source](https://redirect.github.com/nodejs/undici)) | [`7.22.0` →
`7.24.0`](https://renovatebot.com/diffs/npm/undici/7.22.0/7.24.0) |
![age](https://developer.mend.io/api/mc/badges/age/npm/undici/7.24.0?slim=true)
|
![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/7.22.0/7.24.0?slim=true)
|

### GitHub Vulnerability Alerts

####
[CVE-2026-1528](https://redirect.github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj)

### Impact
A server can reply with a WebSocket frame using the 64-bit length form
and an extremely large length. undici's ByteParser overflows internal
math, ends up in an invalid state, and throws a fatal TypeError that
terminates the process.

### Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade
to this version or later.

### Workarounds

There are no workarounds.

####
[CVE-2026-1525](https://redirect.github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm)

### Impact

Undici allows duplicate HTTP `Content-Length` headers when they are
provided in an array with case-variant names (e.g., `Content-Length` and
`content-length`). This produces malformed HTTP/1.1 requests with
multiple conflicting `Content-Length` values on the wire.

**Who is impacted:**
- Applications using `undici.request()`, `undici.Client`, or similar
low-level APIs with headers passed as flat arrays
- Applications that accept user-controlled header names without
case-normalization

**Potential consequences:**
- **Denial of Service**: Strict HTTP parsers (proxies, servers) will
reject requests with duplicate `Content-Length` headers (400 Bad
Request)
- **HTTP Request Smuggling**: In deploy... (continued)

943 of 985 branches covered (95.74%)

1368 of 1368 relevant lines covered (100.0%)

398.04 hits per line

Jobs
ID Job ID Ran Files Coverage
1 run-22.12.0 - 23087175532.1 45
100.0
 GitHub Action Run
2 run-22.x - 23087175532.2 45
100.0
 GitHub Action Run
3 run-20.x - 23087175532.3 45
100.0
 GitHub Action Run
4 run-20.19.0 - 23087175532.4 45
100.0
 GitHub Action Run
5 run-24.x - 23087175532.5 45
100.0
 GitHub Action Run
6 run-24.0.0 - 23087175532.6 45
100.0
 GitHub Action Run
Source Files on build 23087175532