[2025-10 back-fix] Bump undici to 7.24.0 (security)#3589

Closed
fredericoo wants to merge 3 commits into 2025-10 from 2025-10-backfix-undici
Conversation

@fredericoo
Contributor

Summary

CVEs addressed

Test plan

  • CI passes on the PR
  • package-lock.json reflects undici 7.24.0

Add 2025-10 to the release workflow's branch list so that
changesets merged into this branch trigger back-fix releases.
@shopify
Contributor

shopify bot commented Mar 16, 2026

Oxygen deployed a preview of your 2025-10-backfix-undici branch. Details:

Storefront: Skeleton (skeleton.hydrogen.shop)
Status: ✅ Successful (Logs)
Preview link: Preview deployment
Deployment details: Inspect deployment
Last update (UTC): March 16, 2026 5:26 PM

Base automatically changed from 2025-10 to main March 16, 2026 15:26
@fredericoo fredericoo marked this pull request as ready for review March 16, 2026 17:22
@fredericoo fredericoo requested a review from a team as a code owner March 16, 2026 17:22
Contributor

@kdaviduik kdaviduik left a comment

Branch needs to be JUST "2025-10" for the dev docs automation workflow to work

Bumps undici from 7.5.0 to 7.24.0 in @shopify/mini-oxygen to address
6 security CVEs (3 High, 3 Medium) including HTTP request smuggling,
WebSocket frame length crash, unbounded memory in dedup interceptor,
CRLF injection, invalid server_max_window_bits exception, and
unbounded memory in WebSocket decompression.

Back-ported to the 2025-10 release branch.
@fredericoo fredericoo force-pushed the 2025-10-backfix-undici branch from 701916d to b0a1c9e Compare March 16, 2026 17:24
@fredericoo fredericoo requested a review from kdaviduik March 16, 2026 17:38
@fredericoo fredericoo changed the base branch from main to 2025-10 March 17, 2026 15:00
@fredericoo
Contributor Author

Superseded by #3599 which correctly follows the back-fix process (branch created from the @shopify/hydrogen@2025.10.1 tag).

@fredericoo fredericoo closed this Mar 17, 2026