Skip to content

build(deps): bump undici and testcontainers in /typescript-test-samples/step-functions-local/src#530

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/typescript-test-samples/step-functions-local/src/multi-4cecd0f22c
Open

build(deps): bump undici and testcontainers in /typescript-test-samples/step-functions-local/src#530
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/typescript-test-samples/step-functions-local/src/multi-4cecd0f22c

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 23, 2026

Copy link
Copy Markdown
Contributor

Bumps undici to 8.5.0 and updates ancestor dependency testcontainers. These dependencies need to be updated together.

Updates undici from 5.29.0 to 8.5.0

Release notes

Sourced from undici's releases.

v8.5.0

⚠️ Security Release

This release line addresses 8 security advisories. Most are fixed in v8.5.0; the SOCKS5 pool-reuse issue was fixed earlier in v8.2.0.

Action required: Upgrade to undici 8.5.0 or later.

npm install undici@^8.5.0

Summary

Advisory CVE Severity (CVSS) Fixed in Fix commit
GHSA-vxpw-j846-p89q CVE-2026-12151 High (7.5) 8.5.0 32dbf0b3
GHSA-38rv-x7px-6hhq CVE-2026-9675 High (7.5) 8.5.0 b4c287b3
GHSA-vmh5-mc38-953g CVE-2026-9697 High (7.4) 8.5.0 42d49559
GHSA-hm92-r4w5-c3mj CVE-2026-6734 High (7.5) 8.2.0 a516f870
GHSA-pr7r-676h-xcf6 CVE-2026-9678 Moderate (5.9) 8.5.0 cb105d7c
GHSA-p88m-4jfj-68fv CVE-2026-9679 Moderate (5.9) 8.5.0 5655ea43
GHSA-g8m3-5g58-fq7m CVE-2026-11525 Low (3.7) 8.5.0 5655ea43
GHSA-35p6-xmwp-9g52 CVE-2026-6733 Low (3.7) 8.5.0 6ea54ef8

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: 32dbf0b3 websocket: limit the number of fragments in a message (also c5ed7875 handle empty fragments and stream limits)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

WebSocket DoS via cumulative fragment bypass — CVE-2026-9675

GHSA-38rv-x7px-6hhq · CWE-400, CWE-770 Fix: b4c287b3 fix(websocket): enforce max payload size across fragments

Undici validated the size of individual frames but did not track cumulative size across a fragmented message. An attacker could send many small fragments that each pass per-frame validation but collectively exceed the configured limit, causing memory exhaustion. This is a regression introduced in 8.1.0 (the

... (truncated)

Commits
  • a0806e1 Bumped v8.5.0 (#5429)
  • 8a0392c test: detect available python command in wpt runner (#5427)
  • f4045b9 ci: increase Node.js workflow timeout (#5426)
  • 363e44f chore: removed repro-h2-pipelining-default.mjs and lint (#5420)
  • c5ed787 websocket: handle empty fragments and stream limits
  • e114e77 align EventSource with spec (#5418)
  • 6df53c5 fix: preserve h2 queue on out-of-order completion (#5410)
  • 32dbf0b websocket: limit the number of fragments in a message
  • 0d6ecc5 add bodymixin.textStream() (#5416)
  • 42d4955 fix: honor requestTls when proxy is SOCKS5
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates testcontainers from 10.23.0 to 12.0.3

Release notes

Sourced from testcontainers's releases.

v12.0.3

Changes

🐛 Bug Fixes

📦 Dependency Updates

v12.0.2

Changes

🐛 Bug Fixes

📦 Dependency Updates

v12.0.1

Changes

🐛 Bug Fixes

🧹 Maintenance

📦 Dependency Updates

... (truncated)

Commits
  • a7fc211 Downgrade archiver to restore Jest CJS compatibility (#1366)
  • 79f9707 Bump testcontainers/sshd image from 1.3.0 to 1.4.0 (#1364)
  • d4c3ee1 v12.0.2
  • 549bfa5 Bump the dependencies group across 11 directories with 10 updates (#1362)
  • 6e7b6c8 Bump the dependencies group across 1 directory with 27 updates (#1363)
  • 4ad504f Reset stateful regex log waits between matches (#1352)
  • a1b87ed Fix Couchbase service configuration (#1356)
  • 84aba48 Configure Azurite custom service ports (#1354)
  • 1a32238 Preserve protocol-specific port bindings when filtering (#1350)
  • 3286470 Apply custom MSSQL wait messages (#1351)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [undici](https://github.com/nodejs/undici) to 8.5.0 and updates ancestor dependency [testcontainers](https://github.com/testcontainers/testcontainers-node). These dependencies need to be updated together.


Updates `undici` from 5.29.0 to 8.5.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v5.29.0...v8.5.0)

Updates `testcontainers` from 10.23.0 to 12.0.3
- [Release notes](https://github.com/testcontainers/testcontainers-node/releases)
- [Commits](testcontainers/testcontainers-node@v10.23.0...v12.0.3)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 8.5.0
  dependency-type: indirect
- dependency-name: testcontainers
  dependency-version: 12.0.3
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 23, 2026
@dependabot dependabot Bot requested a review from brnkrygs as a code owner June 23, 2026 09:21
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants