
Commit d175aab

Copilot and arelia authored
fix: override undici to ^6.24.0 to resolve GHSA-vrm6-8vpv-qv8q
Add npm overrides to force undici to ^6.24.0, fixing the WebSocket permessage-deflate decompression bomb vulnerability (CVE-2026-1526). This updates undici from 5.29.0 to 6.24.1 across all transitive dependencies (@actions/core and @actions/github).

Agent-Logs-Url: https://github.com/github/webpack-bundlesize-compare-action/sessions/83dc3a69-3a72-415b-837e-dafd4cb7c840
Co-authored-by: arelia <2359538+arelia@users.noreply.github.com>
1 parent a8b488d commit d175aab

2 files changed

Lines changed: 85 additions & 84 deletions

File tree

package-lock.json

Lines changed: 82 additions & 84 deletions

package.json

Lines changed: 3 additions & 0 deletions
@@ -29,6 +29,9 @@
2929
"@actions/github": "^6.0.1",
3030
"@discoveryjs/json-ext": "^0.6.3"
3131
},
32+
"overrides": {
33+
"undici": "^6.24.0"
34+
},
3235
"devDependencies": {
3336
"@stylistic/eslint-plugin": "^5.6.1",
3437
"@types/node": "^25.0.0",
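Review bot: The new `"overrides": { "undici": "^6.24.0" }` block forces a major-version jump (5.x to 6.x, per the commit message) on a dependency that this package does not import directly but reaches only through `@actions/github` and `@actions/core`, so the override silently replaces the version those packages declared for themselves. Before merging, confirm that the action still runs end to end against the 6.x API (undici 6 changed behaviour around its fetch and WebSocket implementations, which is exactly the code path the advisory concerns), and that `package-lock.json` was regenerated in the same commit so CI installs the overridden version rather than the lock's old resolution. Since `package.json` cannot carry comments, consider recording in the README or a CHANGELOG entry why the override exists and that it should be dropped once `@actions/github` and `@actions/core` publish releases that require undici `>=6.24.0` on their own; a blanket override also applies to any future dependency that pulls in undici, which is easy to forget later.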
