fix(deps): update minor updates to ^6.25.0 by renovate[bot] · Pull Request #395 · anolilab/workflows

renovate · 2026-05-15T12:23:08Z

This PR contains the following updates:

Package	Change	Age	Confidence
undici@<6.23.0 (source)	`^6.23.0` → `^6.25.0`
undici@<6.24.0 (source)	`^6.24.0` → `^6.25.0`

Release Notes

nodejs/undici (undici@<6.23.0)

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
Inconsistent interpretation of HTTP requests (request/response smuggling class issue).
GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
Malicious WebSocket 64-bit frame length handling could crash the client.
GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
CRLF injection via the upgrade option.
GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.
GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

CVE-2026-1525: affected < 6.24.0, patched 6.24.0
CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
CVE-2026-1527: affected < 6.24.0, patched 6.24.0
CVE-2026-2229: affected < 6.24.0, patched 6.24.0
CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

Configuration

📅 Schedule: (in timezone Europe/Berlin)

Branch creation
- "after 10:00 before 19:00 every weekday except after 13:00 before 14:00"
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Signed-off-by: Renovate Bot <bot@renovateapp.com>

…2026-05-18) ### Bug Fixes * **deps:** update dependency lodash@>=4.0.0 <=4.17.22 to ^4.18.1 ([#394](#394)) ([b865d64](b865d64)) * **deps:** update minor updates to ^6.25.0 ([#395](#395)) ([cd6adeb](cd6adeb))

fix(deps): update minor updates to ^6.25.0

b6ed367

Signed-off-by: Renovate Bot <bot@renovateapp.com>

renovate Bot requested a review from prisis as a code owner May 15, 2026 12:23

renovate Bot added the c: dependencies Pull requests that adds/updates a dependency label May 15, 2026

prisis merged commit cd6adeb into main May 18, 2026
9 of 11 checks passed

prisis deleted the renovate/minor-updates branch May 18, 2026 06:58

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(deps): update minor updates to ^6.25.0#395

fix(deps): update minor updates to ^6.25.0#395
prisis merged 1 commit into
mainfrom
renovate/minor-updates

renovate Bot commented May 15, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

renovate Bot commented May 15, 2026

Release Notes

v6.25.0

What's Changed

v6.24.1

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

Upgrade guidance

Fixed advisories

Not applicable to v6

Affected and patched ranges (v6)

References

Configuration

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

`v6.25.0`

`v6.24.1`

`v6.24.0`