Skip to content

fix(deps): add overrides for flatted and undici vulnerabilities#477

Merged
7w1 merged 1 commit into
devfrom
fix/deps-vuln-flatted-undici
Mar 23, 2026
Merged

fix(deps): add overrides for flatted and undici vulnerabilities#477
7w1 merged 1 commit into
devfrom
fix/deps-vuln-flatted-undici

Conversation

@hazre

@hazre hazre commented Mar 22, 2026

Copy link
Copy Markdown
Member

Description

  • flatted >=3.4.2: fixes GHSA-rf6f-7fwh-wjgh (prototype pollution via parse())
  • undici >=7.24.0: fixes 6 CVEs like GHSA-v9p9-hfj2-hcw8 including DoS via WebSocket frame overflow,
    decompression bombs, request smuggling, and CRLF injection

Both affect dev dependencies only (vitest, jsdom, wrangler).

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • This change requires a documentation update

Checklist:

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings

- flatted >=3.4.2: fixes CVE-2026-33228 (prototype pollution via parse())
- undici >=7.24.0: fixes 6 CVEs including DoS via WebSocket frame overflow,
  decompression bombs, request smuggling, and CRLF injection
Both affect dev dependencies only (vitest, jsdom, wrangler).
@hazre hazre requested a review from 7w1 as a code owner March 22, 2026 17:39
@hazre hazre added the internal label Mar 22, 2026
@7w1 7w1 added this pull request to the merge queue Mar 23, 2026
Merged via the queue into dev with commit 6fb4f28 Mar 23, 2026
7 of 8 checks passed
@hazre hazre deleted the fix/deps-vuln-flatted-undici branch March 31, 2026 12:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants