Skip to content

build(deps): bump undici from 8.5.0 to 8.7.0#2937

Open
dependabot[bot] wants to merge 1 commit into
trunkfrom
dependabot/npm_and_yarn/undici-8.7.0
Open

build(deps): bump undici from 8.5.0 to 8.7.0#2937
dependabot[bot] wants to merge 1 commit into
trunkfrom
dependabot/npm_and_yarn/undici-8.7.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps undici from 8.5.0 to 8.7.0.

Release notes

Sourced from undici's releases.

v8.7.0

What's Changed

New Contributors

Full Changelog: nodejs/undici@v8.6.0...v8.7.0

v8.6.0

What's Changed

... (truncated)

Commits
  • cb4c2f1 Bumped v8.7.0 (#5501)
  • a8d1a95 fix: auto-detect HTTP proxy tunneling (#5116)
  • cb30e58 fix: add static buildDispatch method to RedirectHandler type definition (#5442)
  • 0c08579 fix(h2): requeue request on GOAWAY'd session instead of crashing (#5453)
  • e5b3364 fix(h2): guard onResponse against a 'response' event delivered after completi...
  • c0007f4 docs: add reproduction guide and update bug report template (#5451)
  • e529cab fix: ignore an unparseable Set-Cookie Expires attribute (#5488)
  • 754742c fix(h2): destroy the stream on abort instead of relying on close() (#5462)
  • db34f5f fix(readable): ignore late consume chunks (#5375)
  • 4ea05a8 fix: reject non-ascii octets in validateCookiePath (#5452)
  • Additional commits viewable in compare view

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

PackageVersionScoreDetails
npm/undici 8.7.0 🟢 8.2
Details
CheckScoreReason
Dependency-Update-Tool🟢 10update tool detected
Code-Review🟢 10all changesets reviewed
Dangerous-Workflow🟢 10no dangerous workflow patterns detected
Maintained🟢 1030 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10
Security-Policy🟢 10security policy file detected
Binary-Artifacts🟢 8binaries present in source code
Token-Permissions⚠️ 0detected GitHub workflow tokens with excessive permissions
License🟢 10license file detected
CII-Best-Practices⚠️ 0no effort to earn an OpenSSF best practices badge detected
Pinned-Dependencies🟢 6dependency not pinned by hash detected -- score normalized to 6
Signed-Releases⚠️ -1no releases found
Branch-Protection⚠️ -1internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md
Vulnerabilities🟢 73 existing vulnerabilities detected
Packaging🟢 10packaging workflow detected
SAST🟢 10SAST tool is run on all commits
Fuzzing🟢 10project is fuzzed
CI-Tests🟢 1030 out of 30 merged PRs checked by a CI test -- score normalized to 10
Contributors🟢 10project has 76 contributing companies or organizations

Scanned Files

  • package-lock.json

Bumps [undici](https://github.com/nodejs/undici) from 8.5.0 to 8.7.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v8.5.0...v8.7.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 8.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/undici-8.7.0 branch from 31d7bf7 to eda4d89 Compare July 10, 2026 18:45
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants