Added undici override to clear 5 advisories (2 high, 3 mod)

[9larsons]

Summary

Adds a single override to root pnpm.overrides:

"undici@<6.24.0": "^6.24.0"

The vulnerable undici@5.29.0 was being pulled in via:

ghost/core > @tryghost/metrics > @tryghost/elasticsearch
  > @elastic/transport > undici@5.29.0

After the override, the chain resolves to undici@6.24.1 (caret-pinned within the 6.x major). Other undici versions in the tree (6.24.1 from @actions/http-client, 7.x from jsdom) are unaffected — those consumers were already on safe ranges.

On the 5 → 6 major bump

This forces @elastic/transport@8.4.1 to use undici 6 instead of 5. @elastic/transport is a runtime path — it executes when @tryghost/metrics ships log/metric data to elasticsearch.

• @elastic/transport loads cleanly under undici 6 in unit tests (no require-time / load-time errors surfaced).
• The undici 5 → 6 changes that affect consumers are mostly the removal of deprecated APIs and a Node-version bump (10+ → 18+); ghost/core requires Node 22+ so the engine constraint is satisfied.
• @elastic/transport uses standard request/response APIs that haven't changed across the bump.

The residual unknown is actual elasticsearch traffic in production. Local tests don't exercise live ES requests; staging / CI integration coverage is the place to catch this.

The override is removable when @tryghost/metrics or @elastic/transport ships a release that declares undici >= 6.24.0 directly.

Audit delta

pnpm audit: 114 → 109 (−2 high, −3 moderate).

Test plan

• pnpm install clean
• undici@5.29.0 removed; elastic chain resolves to undici@6.24.1
• ghost/core full unit suite — 6200 / 6200 passing
• CI green
• Staging / production validation that elasticsearch metrics still ship correctly

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3a70182d-0c5f-46cf-aa84-3bd162cedab2

📥 Commits

Reviewing files that changed from the base of the PR and between db0d897 and 419590b.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• package.json

---

Walkthrough

The change adds an entry to pnpm.overrides in package.json that overrides any resolved undici version below 6.24.0 to ^6.24.0. No source code or exported/public API declarations were modified.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Added undici override to clear 5 advisories (2 high, 3 mod)' accurately and specifically describes the main change in the pull request.
Description check	✅ Passed	The description is comprehensive and directly related to the changeset, detailing the override addition, its rationale, dependency chain, testing, and audit delta.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dep-bumps/undici-override

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.14%. Comparing base (b119490) to head (419590b).
⚠️ Report is 11 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main   #27581   +/-   ##
=======================================
  Coverage   73.14%   73.14%           
=======================================
  Files        1557     1557           
  Lines      126189   126189           
  Branches    15309    15309           
=======================================
+ Hits        92301    92303    +2     
+ Misses      32909    32908    -1     
+ Partials      979      978    -1     

Flag	Coverage Δ
admin-tests	49.79% <ø> (+0.01%)	⬆️
e2e-tests	73.14% <ø> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.