Skip to content

fix(deps): vuln minor: jsonata, undici #714

Merged
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1783380726
Jul 7, 2026
Merged

fix(deps): vuln minor: jsonata, undici #714
gh-worker-dd-mergequeue-cf854d[bot] merged 1 commit into
mainfrom
engraver-auto-version-upgrade/minorpatch/npm/0-1783380726

Conversation

@gh-worker-campaigns-3e9aa4

Copy link
Copy Markdown
Contributor

Summary: High-severity security update — 2 packages upgraded (MINOR changes included)

Manifests changed:

  • . (yarn)

✅ Action Required: Please review the changes below. If they look good, approve and merge this PR.


Updates

Package From To Type Dep Type Vulnerabilities Fixed
undici 7.25.0 7.28.0 minor Transitive 3 HIGH, 2 MEDIUM, 2 LOW
jsonata 2.1.0 2.2.1 minor Transitive 1 HIGH

Security Details

🚨 Critical & High Severity (4 fixed)
Package CVE Severity Summary Unsafe Version Fixed In Case
jsonata GHSA-86vw-mfpg-wwv9 HIGH jsonata: Malicious inputs to "$toMillis" function can cause resource exhaustion 2.1.0 2.2.0 -
undici GHSA-vxpw-j846-p89q HIGH undici WebSocket client vulnerable to denial of service via fragment count bypass 7.25.0 6.27.0 -
undici GHSA-hm92-r4w5-c3mj HIGH undici vulnerable to cross-origin request routing via SOCKS5 proxy pool reuse 7.25.0 7.28.0 -
undici GHSA-vmh5-mc38-953g HIGH undici vulnerable to TLS certificate validation bypass via dropped requestTls in SOCKS5 ProxyAgent 7.25.0 7.28.0 -
ℹ️ Other Vulnerabilities (4)
Package CVE Severity Summary Unsafe Version Fixed In Case
undici GHSA-pr7r-676h-xcf6 MODERATE undici vulnerable to cross-user information disclosure via shared cache whitespace bypass 7.25.0 7.28.0 -
undici GHSA-p88m-4jfj-68fv MODERATE undici vulnerable to HTTP header injection via Set-Cookie percent-decoding 7.25.0 6.27.0 -
undici GHSA-g8m3-5g58-fq7m LOW undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching 7.25.0 6.27.0 -
undici GHSA-35p6-xmwp-9g52 LOW undici vulnerable to HTTP response queue poisoning via keep-alive socket reuse 7.25.0 6.27.0 -

Review Checklist

Standard review:

  • Review changes for compatibility with your code
  • Check for breaking changes in release notes
  • Run tests locally or wait for CI
  • Approve and merge this PR

Update Mode: all_vulns

🤖 Generated by DataDog Automated Dependency Management System

@codecov-commenter

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.69%. Comparing base (e7ce4fe) to head (f4ad6d1).

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #714   +/-   ##
=======================================
  Coverage   77.69%   77.69%           
=======================================
  Files          12       12           
  Lines        1112     1112           
  Branches      350      350           
=======================================
  Hits          864      864           
  Misses        118      118           
  Partials      130      130           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@campaigner-prod campaigner-prod Bot marked this pull request as ready for review July 7, 2026 13:18
@campaigner-prod campaigner-prod Bot requested a review from a team as a code owner July 7, 2026 13:18
@campaigner-prod campaigner-prod Bot requested a review from avangelillo July 7, 2026 13:18
@dd-prapprover-prod-77c48c

dd-prapprover-prod-77c48c Bot commented Jul 7, 2026

Copy link
Copy Markdown

PRApprover will approve and merge this PR, FAQ, #dx-source-code-management

🛠️ PRApproval Status

  • ✅ PR is eligible for auto-approval by rule dependency-management-version-updater - 2026-07-07T13:19:09Z
  • ✅ CI tests passed - 2026-07-07T13:19:13Z
  • ✅ Approved (commit: f4ad6d1) - 2026-07-07T13:19:15Z
  • ✅ Merge Started
  • ⬜ Merged

➡️ Current phase: merge in progress...

@dd-prapprover-prod-77c48c dd-prapprover-prod-77c48c Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This PR has been automatically approved by the DD PR Approver bot.

@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot merged commit d20c86e into main Jul 7, 2026
7 checks passed
@gh-worker-dd-mergequeue-cf854d gh-worker-dd-mergequeue-cf854d Bot deleted the engraver-auto-version-upgrade/minorpatch/npm/0-1783380726 branch July 7, 2026 13:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant