Update dependency undici to v7.24.0

[gardener-ci-robot]

This PR contains the following updates:

Package	Change	Age	Confidence
undici (source)	7.22.0 → 7.24.0

---

Release Notes

nodejs/undici (undici)

v7.24.0

Compare Source

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
  Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Affected and patched ranges

• CVE-2026-1525: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-1528: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-2581: affected >= 7.17.0 < 7.24.0, patched 7.24.0
• CVE-2026-1527: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-2229: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-1526: affected 7.0.0 < 7.24.0, patched 7.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
• NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
• NVD CVE-2026-2581: https://nvd.nist.gov/vuln/detail/CVE-2026-2581
• NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

v7.23.0

Compare Source

What's Changed

• fix: prevent AbortController GC when redirect is 'error' by @​mcollina in #​4750
• docs: clarify UndiciHeaders validation guidance by @​mcollina in #​4832
• build(deps): bump actions/checkout from 5.0.0 to 6.0.2 by @​dependabot[bot] in #​4795
• build(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1 by @​dependabot[bot] in #​4794
• build(deps): bump github/codeql-action from 4.31.2 to 4.32.0 by @​dependabot[bot] in #​4793
• test: add unexpected disconnect guards to client test files by @​samayer12 in #​4833
• fix fetch stripping trailing ? from url by @​KhafraDev in #​4837
• fix: forward onResponseStarted through WrapHandler and UnwrapHandler by @​7rulnik in #​4840
• webidl: access keys in lexicographical order by @​KhafraDev in #​4841
• ci: disable coverage on Node.js 25 by @​mcollina in #​4852
• build(deps): bump uWebSockets.js from v20.56.0 to v20.58.0 in /benchmarks by @​dependabot[bot] in #​4855
• fix(h2): TypeError: Cannot read properties of null (reading 'servername') in _resume when H2 stream completes by @​hxinhan in #​4847
• fix(h2): ignore late data frames after request completion by @​mcollina in #​4845
• fix(handler): preserve latin1 header encoding in WrapHandler by @​theamodhshetty in #​4859
• docs(examples): add cache interceptor example with fetch by @​nthbotast in #​4864
• docs(dispatcher): clarify onResponseStart return value is ignored by @​nthbotast in #​4865
• feat: add SOCKS5 proxy support to ProxyAgent by @​mcollina in #​4385
• fix: harden header iterable checks for prototype-pollution scenarios by @​mcollina in #​4824
• fix(interceptor): preserve tuple headers in dns interceptor by @​theamodhshetty in #​4863
• docs(dispatcher): use RFC 2606 domains in interceptor examples by @​nthbotast in #​4873
• feat: add IP prioritization hints for HTTP/1.1 and HTTP/2 by @​amyssnippet in #​4831
• docs: clarify when to install undici vs using Node's built-in fetch by @​travisbreaks in #​4868
• docs(dispatcher): add cache interceptor fetch example by @​nthbotast in #​4870
• fix(dispatcher): pass socketPath to custom connect callbacks by @​theamodhshetty in #​4857

New Contributors

• @​samayer12 made their first contribution in #​4833
• @​7rulnik made their first contribution in #​4840
• @​hxinhan made their first contribution in #​4847
• @​theamodhshetty made their first contribution in #​4859
• @​nthbotast made their first contribution in #​4864
• @​amyssnippet made their first contribution in #​4831
• @​travisbreaks made their first contribution in #​4868

Full Changelog: nodejs/undici@v7.22.0...v7.23.0

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[coderabbitai]

📝 Walkthrough

Walkthrough

The pull request updates the Undici library version from "npm:7.22.0" to "npm:7.24.0" within the .pnp.cjs file, adjusting package location paths and dependency references in the virtual module interface without changing control flow or functional logic.

Changes

Cohort / File(s)	Summary
Undici package version bump ./.pnp.cjs	Replaced ["undici","npm:7.22.0"] with ["undici","npm:7.24.0"] in RAW_RUNTIME_STATE and updated corresponding packageDependencies and file path keys in the makeInterface virtual module entries.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• Update dependency undici to v7.22.0 #2787: Updated the undici version string in .pnp.cjs mappings (same code area), related by identical file-level changes.

Suggested reviewers

• holgerkoser
• klocke-io
• petersutter
• grolu

Poem

🐰 A tiny hop, a small new line,
Undici climbs from seven to fine.
Paths updated, no logic torn,
I twitch my whiskers — code reborn. ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description includes release notes and security advisories for undici v7.24.0, explaining the security fixes and affected versions, but lacks required template sections like 'What this PR does / why we need it', 'Which issue(s) this PR fixes', and 'Special notes for your reviewer'.	Add missing template sections: describe why the security update is needed, reference relevant issue(s), include special review notes, and properly categorize the release note as a security or bugfix for the dependency.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The PR title 'Update dependency undici to v7.24.0' clearly and concisely describes the main change in the changeset, matching the version bump in the dependency.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/undici-7.x-lockfile

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.pnp.cjs:
- Line 1729: The commit message claims "Update dependency undici to v7.23.0" but
the .pnp.cjs entry ["undici", "npm:7.24.0"] (and other occurrences of 7.24.0)
show the actual change; fix this by either updating the commit message to state
v7.24.0 or reverting the .pnp.cjs entries for "undici" (the ["undici",
"npm:7.24.0"] symbol) back to 7.23.0 so it matches the commit title and the
intended change; ensure the chosen version still satisfies the
backend/package.json ^7.22.0 constraint and keep commit and code consistent.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 0c245318-5987-416d-925a-ae7ff4127d66

📥 Commits

Reviewing files that changed from the base of the PR and between caf1750 and 950b2d1.

⛔ Files ignored due to path filters (2)

• .yarn/cache/undici-npm-7.24.0-2d70a36f84-ccb2f3407a.zip is excluded by !**/.yarn/**, !**/*.zip
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• .pnp.cjs

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify undici v7.24.0 exists on npm and check the version in package.json

# Check if the version exists on npm
echo "Checking if undici@7.24.0 exists on npm..."
curl -s "https://registry.npmjs.org/undici/7.24.0" | jq -r '.version // "Version not found"'

# Check the semver range in backend/package.json
echo -e "\nChecking undici version constraint in backend/package.json..."
cat backend/package.json | jq -r '.dependencies.undici // "Not found"'

Repository: gardener/dashboard

Length of output: 182

---

🏁 Script executed:

#!/bin/bash
# Search for PR-related metadata or any references to the version in commit messages/PRs

# Check git log for recent commits mentioning undici versions
echo "Recent commits mentioning undici..."
git log --oneline --all -20 | grep -i undici || echo "No recent commits found with 'undici'"

# Look for any PR/pull request related files
echo -e "\nSearching for PR-related files..."
find . -maxdepth 2 -type f \( -name "*PR*" -o -name "*pull*" -o -name ".github*" \) 2>/dev/null | head -20

# Check if there's a CHANGELOG or similar that might mention this change
echo -e "\nSearching for CHANGELOG or version-related documentation..."
find . -maxdepth 2 -type f \( -name "CHANGELOG*" -o -name "HISTORY*" -o -name "RELEASES*" \) 2>/dev/null

# Check git diff or git status to understand context
echo -e "\nChecking recent git history..."
git log --oneline -10

Repository: gardener/dashboard

Length of output: 350

---

Update commit message to match actual version change.

The commit message states "Update dependency undici to v7.23.0", but the actual changes in .pnp.cjs show v7.24.0 at lines 1729 and 15332-15335. Either update the commit message to reflect v7.24.0, or correct the code to use v7.23.0. The version 7.24.0 is compatible with the ^7.22.0 constraint in backend/package.json, but the commit message must match the actual changes to avoid confusion during review and maintenance.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.pnp.cjs at line 1729, The commit message claims "Update dependency undici
to v7.23.0" but the .pnp.cjs entry ["undici", "npm:7.24.0"] (and other
occurrences of 7.24.0) show the actual change; fix this by either updating the
commit message to state v7.24.0 or reverting the .pnp.cjs entries for "undici"
(the ["undici", "npm:7.24.0"] symbol) back to 7.23.0 so it matches the commit
title and the intended change; ensure the chosen version still satisfies the
backend/package.json ^7.22.0 constraint and keep commit and code consistent.

[grolu]

/lgtm
/approve

[gardener-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: grolu

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [grolu]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[gardener-prow]

LGTM label has been added.

Details

Git tree hash: aa2736d955bcc63c581971f2bc289ef5b8388350