From 0ea8a6b0001bdd69152d5e7e1d721d5b9d9eb0d7 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com>
Date: Fri, 19 Jun 2026 13:29:48 +0000
Subject: [PATCH] chore(deps): upgrade undici to 7.28.0 via overrides
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds an npm overrides entry to pin undici >= 7.28.0. cheerio@1.2.0 (the direct dependent) declares undici ^7.19.0 and the latest cheerio release has not shipped a new range that resolves to the patched undici. The override is therefore used as a fallback to force resolution to a safe version.

Fixes:
- GHSA-vmh5-mc38-953g / CVE-2026-9697 (high) – TLS certificate validation bypass in SOCKS5 ProxyAgent (alert #282)
- GHSA-pr7r-676h-xcf6 / CVE-2026-9678 (medium) – cross-user info disclosure via shared cache whitespace bypass (alert #281)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
---
 package-lock.json | 13 ++++++-------
 package.json | 3 +++
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 58fe65c9..42837f61 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -27259,9 +27259,9 @@
 }
 },
 "node_modules/undici": {
- "version": "7.25.0",
- "resolved": "https://registry.npmjs.org/undici/-/undici-7.25.0.tgz",
- "integrity": "sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ==",
+ "version": "7.28.0",
+ "resolved": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz",
+ "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA==",
 "license": "MIT",
 "engines": {
 "node": ">=20.18.1"
@@ -41242,7 +41242,7 @@
 "parse5": "^7.3.0",
 "parse5-htmlparser2-tree-adapter": "^7.1.0",
 "parse5-parser-stream": "^7.1.2",
- "undici": "^7.19.0",
+ "undici": ">=7.28.0",
 "whatwg-mimetype": "^4.0.0"
 }
 },
@@ -52267,9 +52267,8 @@
 }
 },
 "undici": {
- "version": "7.25.0",
- "resolved": "https://registry.npmjs.org/undici/-/undici-7.25.0.tgz",
- "integrity": "sha512-xXnp4kTyor2Zq+J1FfPI6Eq3ew5h6Vl0F/8d9XU5zZQf1tX9s2Su1/3PiMmUANFULpmksxkClamIZcaUqryHsQ=="
+ "version": "https://registry.npmjs.org/undici/-/undici-7.28.0.tgz",
+ "integrity": "sha512-cRZYrTDwWznlnRiPjggAGxZXanty6M8RV1ff8Wm4LWXBp7/IG8v5DnOm74DtUBp9OONpK75YlPnIjQqX0dBDtA=="
 },
 "undici-types": {
 "version": "5.26.5",
diff --git a/package.json b/package.json
index 2edbe4b8..7d2f5d18 100644
--- a/package.json
+++ b/package.json
@@ -42,6 +42,9 @@
 "where": "node ./scripts/src/where.js",
 "request-npm-token": "request-npm-token"
 },
+ "overrides": {
+ "undici": ">=7.28.0"
+ },
 "dependencies": {
 "@mongodb-js/monorepo-tools": "^1.2.3"
 },
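Review bot: The new `"overrides"` entry in package.json uses an open-ended range, `"undici": ">=7.28.0"`, so any future lockfile refresh may resolve undici to a later major (8.x) that cheerio's declared `^7.19.0` was never exercised against, and the lockfile now records that same open range as cheerio's edge in hunk `-41242`. A caret range keeps the patched floor while staying inside the major cheerio supports: `"undici": "^7.28.0"`. The description frames the override as a temporary fallback until cheerio ships a compatible range, but package.json cannot carry a comment, so the removal condition is best recorded in an issue or the PR so the pin does not silently outlive its purpose. In the legacy `dependencies` block (hunk `-52267`) the `version` field now holds the tarball URL and the `resolved` key is gone, which looks like npm's own output for an overridden package, but it is worth confirming the lockfile was regenerated by `npm install` rather than edited by hand before merging.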