RobinTail / express-zod-api / 28051844260
100%

Build:
DEFAULT BRANCH: master
Ran 23 Jun 2026 07:36PM UTC
Jobs 6
Files 51
Run time 1min
23 Jun 2026 07:35PM UTC coverage: 100.0%. Remained the same
28051844260

push

github

web-flow
chore(deps): update dependency undici to v8.5.0 [security] (#3477)

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [undici](https://undici.nodejs.org) ([source](https://redirect.github.com/nodejs/undici)) | [`8.4.1` → `8.5.0`](https://renovatebot.com/diffs/npm/undici/8.4.1/8.5.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/undici/8.5.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/undici/8.4.1/8.5.0?slim=true) |

---

### undici WebSocket client vulnerable to denial of service via cumulative fragment bypass
[CVE-2026-9675](https://nvd.nist.gov/vuln/detail/CVE-2026-9675) / [GHSA-38rv-x7px-6hhq](https://redirect.github.com/advisories/GHSA-38rv-x7px-6hhq)

<details>
<summary>More information</summary>

#### Details
##### Impact

The undici WebSocket client enforces `maxPayloadSize` per-frame but does
not enforce the cumulative size of fragmented uncompressed messages. A
malicious WebSocket server can stream many small fragments that each
pass per-frame validation but collectively exceed the configured limit,
causing unbounded memory growth in the client process. The result is
memory exhaustion and a denial of service.

Affected applications are those using the undici WebSocket client
(`new WebSocket(...)`) that can be induced to connect to an
attacker-controlled or compromised WebSocket endpoint.

This is a regression specific to undici 8.1.0. The 6.25.0 line shipped
the equivalent cumulative check from the start and is unaffected. The
7.x line never had the `maxPayloadSize` feature and is also unaffected.

##### Patches

Upgrade to undici >= 8.5.0.

##### Workarounds

No workaround is available. The fix must be applied through an upgrade.

#### Severity
- CVSS Score: 7.5 / 10 (High)
- Vector String: `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`

#### Re... (continued)

1021 of 1065 branches covered (95.87%)

1486 of 1486 relevant lines covered (100.0%)

432.78 hits per line

Jobs

| ID | Job ID | Ran | Files | Coverage |
|---|---|---|---|---|
| 1 | run-26.0.0 - 28051844260.1 | 23 Jun 2026 07:36PM UTC | 51 | 100.0 |
| 2 | run-24.0.0 - 28051844260.2 | 23 Jun 2026 07:36PM UTC | 51 | 100.0 |
| 3 | run-24.x - 28051844260.3 | 23 Jun 2026 07:36PM UTC | 51 | 100.0 |
| 4 | run-22.x - 28051844260.4 | 23 Jun 2026 07:36PM UTC | 51 | 100.0 |
| 5 | run-26.x - 28051844260.5 | 23 Jun 2026 07:36PM UTC | 51 | 100.0 |
| 6 | run-22.19.0 - 28051844260.6 | 23 Jun 2026 07:36PM UTC | 51 | 100.0 |
  • 6bc4abd7 on github