diff --git a/HISTORY.md b/HISTORY.md
index 5fa84f6..19aa34b 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -1,3 +1,9 @@
+unreleased
+==========
+
+  * deps: on-headers@~1.1.0
+    - Fix [CVE-2025-7339](https://www.cve.org/CVERecord?id=CVE-2025-7339) ([GHSA-76c9-3jph-rj3q](https://github.com/expressjs/on-headers/security/advisories/GHSA-76c9-3jph-rj3q))
+
 1.8.0 / 2025-02-10
 ==================
 
diff --git a/package.json b/package.json
index 096f506..d20b14d 100644
--- a/package.json
+++ b/package.json
@@ -14,7 +14,7 @@
     "compressible": "~2.0.18",
     "debug": "2.6.9",
     "negotiator": "~0.6.4",
-    "on-headers": "~1.0.2",
+    "on-headers": "~1.1.0",
     "safe-buffer": "5.2.1",
     "vary": "~1.1.2"
   },