Skip to content

[VULN-1563] Bump undici and shell-quote for security fixes#1327

Closed
aaronmars wants to merge 1 commit into
masterfrom
fix/VULN-1563-VULN-1544-security-deps
Closed

[VULN-1563] Bump undici and shell-quote for security fixes#1327
aaronmars wants to merge 1 commit into
masterfrom
fix/VULN-1563-VULN-1544-security-deps

Conversation

@aaronmars

@aaronmars aaronmars commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Bumps undici 6.25.0 -> 6.27.0 (transitive, via node-gyp), patching a WebSocket client DoS via fragment count bypass: GHSA-vxpw-j846-p89q / CVE-2026-12151.
  • Bumps shell-quote 1.7.3 -> 1.9.0 (transitive, via concurrently), patching a newline-escaping vulnerability in quote()'s .op handling: GHSA-w7jw-789q-3m8p / CVE-2026-9277.
  • Both packages were already declared with semver ranges (^6.25.0 and ^1.7.3 respectively) that permit the patched versions; the lockfile was just stale. Fixed via yarn up -R undici shell-quote, a lockfile-only change. No package.json edits, no overrides/resolutions needed.

Tickets

Test plan

  • yarn install completed cleanly.
  • Confirmed via yarn why undici and yarn why shell-quote that both now resolve to the patched versions.

@aaronmars

Copy link
Copy Markdown
Contributor Author

Closing in favor of #1328. The branch name here (fix/VULN-1563-VULN-1544-security-deps) contains a slash, which breaks this repo's prerelease CI job. Same fix, renamed branch.

@aaronmars aaronmars closed this Jul 1, 2026
@aaronmars aaronmars deleted the fix/VULN-1563-VULN-1544-security-deps branch July 1, 2026 18:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant