chore(deps): update dependency undici to v6.21.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	6.19.2 -> 6.21.2

GitHub Vulnerability Alerts

CVE-2025-22150

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker controlled servers.

References

• https://hackerone.com/reports/2913312
• https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f

CVE-2025-47279

Impact

Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.

Patches

This has been patched in https://github.com/nodejs/undici/pull/4088.

Workarounds

If a webhook fails, avoid keep calling it repeatedly.

References

Reported as: https://github.com/nodejs/undici/issues/3895

---

Release Notes

nodejs/undici (undici)

v6.21.2

Compare Source

What's Changed

• fix(types): add missing DNS interceptor by @​slagiewka in https://github.com/nodejs/undici/pull/4024
• [v6.x] fix wpts on windows by @​mcollina in https://github.com/nodejs/undici/pull/4093
• Removed clients with unrecoverable errors from the Pool https://github.com/nodejs/undici/pull/4088

New Contributors

• @​slagiewka made their first contribution in https://github.com/nodejs/undici/pull/4024

Full Changelog: nodejs/undici@v6.21.1...v6.21.2

v6.21.1

Compare Source

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

What's Changed

• fix(#​3736): back-port 183f8e9 to v6.x by @​ggoodman in https://github.com/nodejs/undici/pull/3855
• fix(#​3817): send servername for SNI on TLS (#​3821) [backport] by @​metcoder95 in https://github.com/nodejs/undici/pull/3864
• fix: sending formdata bodies with http2 (#​3863) [backport] by @​metcoder95 in https://github.com/nodejs/undici/pull/3866
• [Backport v6.x] fix: Fixed the issue that there is no running request when http2 goaway by @​github-actions in https://github.com/nodejs/undici/pull/3877
• types: [backport] Update return type of RetryCallback (#​3851) by @​metcoder95 in https://github.com/nodejs/undici/pull/3876

Full Changelog: nodejs/undici@v6.21.0...v6.21.1

v6.21.0

Compare Source

What's Changed

• [Backport v6.x] web: mark as uncloneable when possible (#​3709) by @​jazelly in https://github.com/nodejs/undici/pull/3744
• [Backport v6.x] fetch: fix content-encoding order by @​github-actions in https://github.com/nodejs/undici/pull/3764
• [Backport v6.x] fix: handle undefined deref() of WeakRef(socket) by @​github-actions in https://github.com/nodejs/undici/pull/3822
• [Backport v6.x] fix: range end is zero-indexed by @​github-actions in https://github.com/nodejs/undici/pull/3827

Full Changelog: nodejs/undici@v6.20.1...v6.21.0

v6.20.1

Compare Source

What's Changed

• [Backport v6.x] jsdoc: add jsdoc to lib/web/fetch/constants.js by @​github-actions in https://github.com/nodejs/undici/pull/3710
• [Backport v6.x] feat: implement BodyReadable.bytes by @​github-actions in https://github.com/nodejs/undici/pull/3711
• fix: add more expectsPayload methods by @​ronag in https://github.com/nodejs/undici/pull/3715
• [Backport v6.x] chore(H2): onboard H2 into Undici queueing system (#​3707) by @​Uzlopak in https://github.com/nodejs/undici/pull/3724
• [Backport v6.x] fix: PoolBase kClose and kDestroy should await and not return the Promise by @​github-actions in https://github.com/nodejs/undici/pull/3723
• [Backport v6.x] fix: extract noop everywhere by @​Uzlopak in https://github.com/nodejs/undici/pull/3727

Full Changelog: nodejs/undici@v6.20.0...v6.20.1

v6.20.0

Compare Source

What's Changed

• Remove patched dom types (v6.x branch) by @​eXhumer in https://github.com/nodejs/undici/pull/3531
• docs(Backport v6.x): Fix signature of RetryHandler by @​github-actions in https://github.com/nodejs/undici/pull/3594
• deps(dev): update @​types/node by @​metcoder95 in https://github.com/nodejs/undici/pull/3618
• fix: throw on retry when payload is consume by downstream by @​github-actions in https://github.com/nodejs/undici/pull/3596
• feat(Backport v6.x): move throwOnError to interceptor by @​github-actions in https://github.com/nodejs/undici/pull/3595
• [Backport v6.x] fix: reduce memory usage in client-h1 by @​github-actions in https://github.com/nodejs/undici/pull/3672
• [Backport v6.x] fix: refactor fast timers, fix UND_ERR_CONNECT_TIMEOUT on event loop blocking by @​github-actions in https://github.com/nodejs/undici/pull/3673
• [Backport v6.x] fix: run asserts first if possible by @​github-actions in https://github.com/nodejs/undici/pull/3674
• [Backport v6.x] fix: use fasttimers for all connection timeouts by @​github-actions in https://github.com/nodejs/undici/pull/3675
• [Backport v6.x] ci: less flaky test/request-timeout.js test by @​github-actions in https://github.com/nodejs/undici/pull/3678
• [Backport v6.x] test: less flaky timers acceptance test, rework fast timer tests to pass them faster by @​github-actions in https://github.com/nodejs/undici/pull/3679
• [Backport v6.x] ignore leading and trailing crlfs in formdata body by @​github-actions in https://github.com/nodejs/undici/pull/3681
• [Backport v6.x] mock: fix mocking of Uint8Array and ArrayBuffers as provided mock-responses by @​github-actions in https://github.com/nodejs/undici/pull/3689
• [Backport v6.x] handle body errors by @​Uzlopak in https://github.com/nodejs/undici/pull/3700

Full Changelog: nodejs/undici@v6.19.8...v6.20.0

v6.19.8

Compare Source

Full Changelog: nodejs/undici@v6.19.7...v6.19.8

v6.19.7

Compare Source

Full Changelog: nodejs/undici@v6.19.6...v6.19.7

v6.19.6

Compare Source

Full Changelog: nodejs/undici@v6.19.5...v6.19.6

v6.19.5

Compare Source

Full Changelog: nodejs/undici@v6.19.4...v6.19.5

v6.19.4

Compare Source

Full Changelog: nodejs/undici@v6.19.3...v6.19.4

v6.19.3

Compare Source

Full Changelog: nodejs/undici@v6.19.2...v6.19.3

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[alvaromateo]

Addressed by: PR-28

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (6.21.2). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.