[Snyk] Upgrade undici from 5.25.4 to 7.16.0 #244

nerdy-tech-com-gitub · 2025-10-10T05:21:48Z

Snyk has created this PR to upgrade undici from 5.25.4 to 7.16.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

The recommended version is 94 versions ahead of your current version.
The recommended version was released a month ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

Issue	Score	Exploit Maturity
Insecure Randomness SNYK-JS-UNDICI-8641354	76	Proof of Concept
Missing Release of Memory after Effective Lifetime SNYK-JS-UNDICI-10176064	76	Proof of Concept
Information Exposure SNYK-JS-UNDICI-5962466	76	No Known Exploit
Permissive Cross-domain Policy with Untrusted Domains SNYK-JS-UNDICI-6252336	76	No Known Exploit
Improper Access Control SNYK-JS-UNDICI-6564963	76	No Known Exploit
Improper Authorization SNYK-JS-UNDICI-6564964	76	No Known Exploit

Release notes

Package name: undici

7.16.0 - 2025-09-09
What's Changed
- Drop npm token, use OIDC instead by @ mcollina in #4447
- fetch: instantiate readableStream in extractBody with sync methods by @ Uzlopak in #4350
- fix: remove async on [kClose] and [kDestroy], only return Promise by @ Uzlopak in #4450
- fetch: make consumeBody sync by @ Uzlopak in #4449
- perf: make client.connect() sync by @ Uzlopak in #4455
- fetch: remove promise in exported fetch by @ Uzlopak in #4452
- fix(#4451): implement http2 cookie support by @ metcoder95 in #4453
- test: cache store tests should properly be skipped by @ Uzlopak in #4463
- test: fix IPv6 skip check for test/client.js by @ Uzlopak in #4466
- test: remove skip check for AbortSignal.timeout, as it exists since node18 by @ Uzlopak in #4464
- test: investigate macos failing by @ Uzlopak in #4467
- test: remove obsolete < node v18 test case for http2 by @ Uzlopak in #4461
- perf: avoid intermediate promise on BodyReadable.dump by @ Uzlopak in #4459
- test: remove skip check for long-lived-abort-controller test (was flaky 10 months ago) by @ Uzlopak in #4465
- test: remove skip checks for existance of global available Blob and File by @ Uzlopak in #4460
- perf (fetch): use less promises for ReadableStream by @ Uzlopak in #4457
- fix: catch synchronous errors in request callbacks by @ mcollina in #4443
- fix: avoid instanceof MockNotMatchedError by @ Uzlopak in #4474
- eventsource: remove promise for #reconnect method by @ Uzlopak in #4469
- feat: make UndiciErrors reliable to instanceof by @ Uzlopak in #4472
- chore: call super() after type checks by @ Uzlopak in #4475
- chore: FixedQueue does not need special constructor by @ Uzlopak in #4476
- fix: buildAndValidateMockOptions should always get an object passed and always return an object by @ Uzlopak in #4479
- fix: remove unused ResponseStatusCodeError by @ Uzlopak in #4473
- chore: pool and dispatcherbase dont need constructor, use no array helper functions by @ Uzlopak in #4477
- lint: avoid unintented use of globals in code and tests, improve test for installing/overwriting globals by @ Uzlopak in #4478
- test: fix macos flakyness by @ Uzlopak in #4468
- fix: 'no-referrer-when-downgrade' in determineRequestsReferrer should return referrerURL by @ Uzlopak in #4482
- fix: deflake cache-fastimers-fix.js by @ Uzlopak in #4491
- fix: improve validation of IP addresses as trustworthy, correct ipv4 check by @ Uzlopak in #4489
- test (pool.js): fix flakyness of clientTtl test by @ Uzlopak in #4494
- test (eventsource): refactor tests for eventsource, speed them up by @ Uzlopak in #4493
- fix: remove useless catch in client-h1.js by @ Uzlopak in #4481
- test: skip flaky encoding test on macos and node20 by @ Uzlopak in #4497
- fix: implement proper stale-while-revalidate behavior per RFC 5861 by @ mcollina in #4492
- test (websocket): speed up test/websocket/issue-2679.js by @ Uzlopak in #4501
- webidl: fix existing and add missing buffer source converters by @ Renegade334 in #4503
- use real wpt test server by @ KhafraDev in #4486
- test: another try to fix flaky macos and node 20 by @ Uzlopak in #4490
- build(deps): bump actions/checkout from 4 to 5 by @ dependabot[bot] in #4507
- build(deps): bump actions/dependency-review-action from 4.7.1 to 4.7.3 by @ dependabot[bot] in #4509
- fix writing to websocketstream with SharedArrayBuffer/SharedArrayBuff… by @ KhafraDev in #4504
- test: use faketimers for test/client-keep-alive, refactor a little by @ Uzlopak in #4499
- build(deps): bump github/codeql-action from 3.29.7 to 3.30.0 by @ dependabot[bot] in #4510
- build(deps): bump codecov/codecov-action from 5.4.3 to 5.5.0 by @ dependabot[bot] in #4508
- fix(h2): adjust :scheme on h2 requests by @ metcoder95 in #4454
- chore: use lowercase filenames, remove unused verifyVersion.js by @ Uzlopak in #4514
- chore: refactor workflows by @ Uzlopak in #4513
- chore: use [] instead of new Array(0) by @ Uzlopak in #4435
- change webidl attribute to bitwise flag by @ KhafraDev in #4505
- chore: make also cache-tests integrated as a submodule by @ Uzlopak in #4517
- ci: fine grained test nodejs workflow by @ Uzlopak in #4516
- feat: Support for capping the number of origins in Agent by @ JoshMock in #4365
- wpt: properly handle write permissions errors in wpt-runner setup by @ Uzlopak in #4518
- fetch: process content-encoding header only if relevant by @ Uzlopak in #4496
- websocket: always emit error event by @ KhafraDev in #4521
- refactor: parseHttpDate by @ Uzlopak in #4421
- fix: wpt should use master branch by @ Uzlopak in #4524
- fix: shell command built from environment values by @ ptrgits in #4392
- example: use metcoders https-pem for the example by @ Uzlopak in #4436
- Disable SIMD for PPC64 architecture, add UNDICI_NO_WASM_SIMD env to facilitate testing by @ mcollina in #4530
- fix: make error symbols non enumerable by @ Uzlopak in #4531
New Contributors
- @ Renegade334 made their first contribution in #4503
- @ JoshMock made their first contribution in #4365
- @ ptrgits made their first contribution in #4392
Full Changelog: v7.15.0...v7.16.0
7.15.0 - 2025-08-22
What's Changed
- feat: extract sri from fetch, upgrade to latest spec by @ Uzlopak in #4307
- Update WPT by @ github-actions[bot] in #4422
- build(deps-dev): bump @ fastify/busboy from 3.1.1 to 3.2.0 by @ dependabot[bot] in #4428
- fix: memory leak in Agent by @ hexchain in #4425
- chore: remove lib/api/util.js by @ Uzlopak in #3578
- ci: reenable shared builtin CI tests by @ richardlau in #4426
- Decompression Interceptor by @ FelixVaughan in #4317
- chore: update llhttp by @ Uzlopak in #4431
- chore: remove unused exceptions in try catch blocks by @ Uzlopak in #4440
- types: remove type Error = unknown for diagnostic-channels by @ Uzlopak in #4438
- chore: avoid overriding global escape and unescape by @ Uzlopak in #4437
- cache : serialize Query only if needed, avoid throwing error by @ Uzlopak in #4441
- types: add SnapshotRecorderMode by @ Uzlopak in #4442
New Contributors
- @ hexchain made their first contribution in #4425
Full Changelog: v7.14.0...v7.15.0
7.14.0 - 2025-08-17
What's Changed
- Fix flaky snapshot-testing by @ mcollina in #4367
- Actually flush the file in lib/mock/snapshot-recorder.js by @ mcollina in #4378
- docs: clarify Node.js version support in LTS table by @ mcollina in #4375
- cache: fix excessive caching and some other lack of caching by @ fredericDelaporte in #4335
- feat(websocket): add handshake response info to undici:websocket:open diagnostic event by @ tawseefnabi in #4396
- feat: add install() function to type definitions by @ jsaguet in #4384
- build(deps): bump github/codeql-action from 3.29.2 to 3.29.5 by @ dependabot[bot] in #4380
- build(deps): bump cronometro from 4.0.3 to 5.3.0 in /benchmarks by @ dependabot[bot] in #4171
- build(deps): bump step-security/harden-runner from 2.12.0 to 2.13.0 by @ dependabot[bot] in #4379
- fix: h2 CI by @ metcoder95 in #4395
- feat: EventSource can be configured with reconnectionTime by @ Uzlopak in #4260
- build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by @ dependabot[bot] in #4404
- eventsource: deflake reconnectionTime tests by @ Uzlopak in #4406
- cache: change normaliseHeaders to normalizeHeaders by @ Uzlopak in #4408
- build(deps-dev): bump jest from 29.7.0 to 30.0.5 by

Snyk has created this PR to upgrade undici from 5.25.4 to 7.16.0. See this package in npm: undici See this project in Snyk: https://app.snyk.io/org/nerds-github/project/b5cdf2ad-2b8a-4186-9f27-57d3c2adaf21?utm_source=github&utm_medium=referral&page=upgrade-pr

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

[Snyk] Upgrade undici from 5.25.4 to 7.16.0 #244

[Snyk] Upgrade undici from 5.25.4 to 7.16.0 #244

Uh oh!

nerdy-tech-com-gitub commented Oct 10, 2025

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

[Snyk] Upgrade undici from 5.25.4 to 7.16.0 #244

Are you sure you want to change the base?

[Snyk] Upgrade undici from 5.25.4 to 7.16.0 #244

Uh oh!

Conversation

nerdy-tech-com-gitub commented Oct 10, 2025

Snyk has created this PR to upgrade undici from 5.25.4 to 7.16.0.

Issues fixed by the recommended upgrade:

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants