fix: undici を脆弱性修正版へ更新(#134, v0.72.1)#146
Merged
Merged
Conversation
web-content-extraction skill の undici を直接 8.4.1→8.5.0、jsdom 経由の 推移依存 7.27.2→7.28.0 に更新。Wiz #134 が報告した脆弱性(TLS 証明書検証 バイパス / Set-Cookie HTTP ヘッダーインジェクション / レスポンスキュー汚染 / WebSocket DoS 等)を解消し npm audit を 0 件にした。undici は update-deps.mjs の自動更新対象外(手動レビュー必須の HTTP 層)のため手動更新。skill テスト 40 件 pass・npm ci 整合確認済み。
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
概要
Wiz
mainブランチスキャン #134 が報告したundici脆弱性を解消する。web-content-extractionskill のundiciを以下に更新した。^8.5.0)jsdom@29.1.1経由,undici@^7.25.0)解消した advisory(undici)
方針
undiciは自動更新スクリプトupdate-deps.mjsのTARGETS(defuddle / jsdom / pdfjs-dist)に含まれない=手動レビュー必須の HTTP 層という設計のため、手動で更新した。jsdomは既に最新(29.1.1)でundici@^7.25.0を許容するため、推移依存は lockfile 再生成で 7.28.0 に解決され、override は不要。検証
npm audit→ found 0 vulnerabilities(修正前は undici high 1 件)node --test→ 40 件 pass / 0 fail.mjsoknpm ci --ignore-scripts(CI の install 手順)→ lockfile / package.json 整合 OKバージョン
動作変更を伴わないセキュリティ依存 bump = patch(0.72.1)。CHANGELOG 追記済み。
Closes #134