Bump undici to 7.24.4 to fix npm audit vulnerabilities

[penalosa]

Fixes #12912.

Bumps undici from 7.18.2 to 7.24.4 and undici-types from 7.18.2 to 7.24.4 in the pnpm catalog. This resolves all 6 CVEs reported by npm audit:

• GHSA-f269-vfmq-vjvj — WebSocket 64-bit length overflow (high)
• GHSA-vrm6-8vpv-qv8q — WebSocket permessage-deflate memory DoS (high)
• GHSA-v9p9-hfj2-hcw8 — WebSocket server_max_window_bits exception (high)
• GHSA-2mjp-6q6p-2qxm — HTTP Request/Response Smuggling (moderate)
• GHSA-4992-7rv2-5pvq — CRLF Injection via upgrade option (moderate)
• GHSA-phc3-fgpg-7m6h — DeduplicationHandler memory DoS (moderate)

All APIs used by miniflare and wrangler (including Dispatcher subclassing, deep path type imports from undici/types/*, and MockAgent.isMockActive) are unchanged in 7.24.4.

---

• Tests
  • Tests included/updated
  • Automated tests not possible - manual testing has been completed as follows: covered by existing tests
• Public documentation
  • Cloudflare docs PR(s):
  • Documentation not necessary because: no user-facing API changes

---

[changeset-bot]

🦋 Changeset detected

Latest commit: cdb8efa

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[workers-devprod]

Codeowners approval required for this PR:

• ✅ @cloudflare/wrangler

Show detailed file reviewers

[github-actions]

⚠️ Issues found

.changeset/bump-undici.md

The description "Bump undici from 7.18.2 to 7.24.4" is too thin. The .changeset/README.md explicitly lists "update dependency" as a bad example and asks: "Which one? Why? Any user impact?"

The changeset names the dependency and versions, but omits:

• Why undici is being bumped (security fix? bug fix? required for a feature?)
• Any user-visible impact (e.g., "fixes a fetch hang", "resolves a CVE", "no user-facing changes")

Suggested fix: Add a brief sentence explaining the reason, for example:

---
"wrangler": patch
"miniflare": patch
---

Bump undici from 7.18.2 to 7.24.4

This updates the bundled undici HTTP client to pick up bug fixes and security patches released upstream. No user-facing behavior changes are expected.

The patch version type is appropriate for a dependency update of this nature.

[devin-ai-integration]

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

[pkg-pr-new]

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@12927

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@12927

miniflare

npm i https://pkg.pr.new/miniflare@12927

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@12927

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@12927

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@12927

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@12927

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@12927

wrangler

npm i https://pkg.pr.new/wrangler@12927

commit: cdb8efa