chore(deps): update dependency undici to v6.21.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	6.21.0 -> 6.21.2

GitHub Vulnerability Alerts

CVE-2025-22150

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker controlled servers.

References

• https://hackerone.com/reports/2913312
• https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f

CVE-2025-47279

Impact

Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.

Patches

This has been patched in https://github.com/nodejs/undici/pull/4088.

Workarounds

If a webhook fails, avoid keep calling it repeatedly.

References

Reported as: https://github.com/nodejs/undici/issues/3895

---

Release Notes

nodejs/undici (undici)

v6.21.2

Compare Source

What's Changed

• fix(types): add missing DNS interceptor by @​slagiewka in https://github.com/nodejs/undici/pull/4024
• [v6.x] fix wpts on windows by @​mcollina in https://github.com/nodejs/undici/pull/4093
• Removed clients with unrecoverable errors from the Pool https://github.com/nodejs/undici/pull/4088

New Contributors

• @​slagiewka made their first contribution in https://github.com/nodejs/undici/pull/4024

Full Changelog: nodejs/undici@v6.21.1...v6.21.2

v6.21.1

Compare Source

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

What's Changed

• fix(#​3736): back-port 183f8e9 to v6.x by @​ggoodman in https://github.com/nodejs/undici/pull/3855
• fix(#​3817): send servername for SNI on TLS (#​3821) [backport] by @​metcoder95 in https://github.com/nodejs/undici/pull/3864
• fix: sending formdata bodies with http2 (#​3863) [backport] by @​metcoder95 in https://github.com/nodejs/undici/pull/3866
• [Backport v6.x] fix: Fixed the issue that there is no running request when http2 goaway by @​github-actions in https://github.com/nodejs/undici/pull/3877
• types: [backport] Update return type of RetryCallback (#​3851) by @​metcoder95 in https://github.com/nodejs/undici/pull/3876

Full Changelog: nodejs/undici@v6.21.0...v6.21.1

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 08cd452

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[netlify]

✅ Deploy Preview for graphql-testing-library canceled.

Name	Link
🔨 Latest commit	08cd452
🔍 Latest deploy log	https://app.netlify.com/projects/graphql-testing-library/deploys/682614404cf3260008635f27