Update bundled undici to address CVE-2026-12151 (DoS via WebSocket fragment count bypass)

[NauhcNoohc]

🏷️ Discussion Type

Question

Body

Hello npm CLI maintainers,
I would like to report that the current npm CLI release v11.17.0 bundles a vulnerable version of undici (6.26.x), which is affected by:

CVE-2026-12151 – WebSocket client DoS via fragment count bypass

According to the official advisory, the vulnerability is fixed in:

undici >= 6.27.0 (6.x line)
undici >= 7.28.0
undici >= 8.5.0 [undici.nodejs.org]

However, npm CLI 11.17.0 still includes undici 6.26.x, which falls within the vulnerable range.

[NauhcNoohc]

Environment
npm: 11.17.0
Node.js: v24.17.0
OS Name: MacOS

Current Behavior

npm audit | grep 'undici'


undici  <=6.26.0
undici vulnerable to HTTP header injection via Set-Cookie percent-decoding - https://github.com/advisories/GHSA-p88m-4jfj-68fv
undici WebSocket client vulnerable to denial of service via fragment count bypass - https://github.com/advisories/GHSA-vxpw-j846-p89q
undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse - https://github.com/advisories/GHSA-35p6-xmwp-9g52
undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching - https://github.com/advisories/GHSA-g8m3-5g58-fq7m
node_modules/undici

Undici Version

npm ls undici
└─┬ node-gyp@13.0.0
  └── undici@6.26.0

[NauhcNoohc]

Thanks @GARJE-01 for resolving my question.

It looks like the fix is still in progress here:
nodejs/node-gyp#3332

I think this will simply require npm CLI to pull in the updated dependency set once the node-gyp update.