Update undici version to 6.23.0#177

Open
ljones140 wants to merge 1 commit into main from ljones140-bump-undici
Conversation

@ljones140
Contributor

Purpose

Bump undici to a non-vulnerable version

Related Issues

https://github.com/github/dependency-submission-toolkit/security/dependabot/62

Copilot AI review requested due to automatic review settings February 17, 2026 15:18
@ljones140 ljones140 requested a review from a team as a code owner February 17, 2026 15:18
Copilot AI left a comment

Pull request overview

This PR updates the undici dependency from version 5.29.0 to 6.23.0 to address a security vulnerability (Dependabot alert #62). The change uses npm's package overrides feature to force the newer version, as undici is a transitive dependency of @actions/http-client.

Changes:

  • Updated undici version override from 5.29.0 to 6.23.0 in package.json

"esbuild": ">=0.25.0",
"@octokit/request-error@5.1.0": "5.1.1",
"undici": "5.29.0"
"undici": "6.23.0"
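Review bot: the override pins undici to the exact version "6.23.0", so the next undici security release will require another manual edit of this line; decide whether an exact pin is intended here or whether a range such as `"undici": "^6.23.0"` better matches the intent of "bump to a non-vulnerable version". Also note that a top-level `overrides` key named `undici` rewrites every undici in the dependency tree, not only the copy under @actions/http-client, so the regenerated package-lock.json (which the PR does not yet include) should be checked for any other package that also declares undici.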
Copilot AI Feb 17, 2026

The package-lock.json file has not been updated in this PR. After changing the undici version in package.json overrides, you need to run npm install to regenerate package-lock.json. The lock file currently still references undici 5.29.0 (as seen in lines 2459-2460 of package-lock.json), which means the override won't take effect until the lock file is updated.

This PR should include the updated package-lock.json file generated by running npm install.

Suggested change
"undici": "6.23.0"
"undici": "5.29.0"

"esbuild": ">=0.25.0",
"@octokit/request-error@5.1.0": "5.1.1",
"undici": "5.29.0"
"undici": "6.23.0"
Copilot AI Feb 17, 2026

Updating undici from 5.29.0 to 6.23.0 is a major version jump that may introduce breaking changes. The package @actions/http-client (which is a dependency of @actions/github) specifies "undici": "^5.25.4", meaning it expects version 5.x.x. Forcing version 6.23.0 through package overrides may cause compatibility issues.

While this upgrade addresses a security vulnerability, it would be safer to:

  1. Verify that @actions/http-client is compatible with undici 6.x
  2. Consider waiting for an updated version of @actions/http-client that officially supports undici 6.x
  3. If proceeding with the override, ensure comprehensive testing is performed to verify that @actions/http-client functions correctly with undici 6.x

The package-lock.json will also need to be regenerated with npm install to reflect this change.

Suggested change
"undici": "6.23.0"
"undici": "^5.29.0"
