chore(deps): update dependency undici to v7.5.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
undici (source)	7.3.0 -> 7.5.0

GitHub Vulnerability Alerts

CVE-2025-47279

Impact

Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.

Patches

This has been patched in https://github.com/nodejs/undici/pull/4088.

Workarounds

If a webhook fails, avoid keep calling it repeatedly.

References

Reported as: https://github.com/nodejs/undici/issues/3895

---

Release Notes

nodejs/undici (undici)

v7.5.0

Compare Source

What's Changed

• feat(docs): button to switch dark and light mode by @​shivarm in #​4044
• feat: add mock call history to access request configuration in test by @​blephy in #​4029
• fix: Fix retry-handler.js when retry-after header is a Date by @​fgiova in #​4084
• Update Cache Tests by @​github-actions in #​4027
• Allow disabling autoSelectFamily in an Agent by @​hitsthings in #​4070
• Removed clients with unrecoverable errors from the Pool by @​mcollina in #​4088

New Contributors

• @​blephy made their first contribution in #​4029
• @​fgiova made their first contribution in #​4084
• @​hitsthings made their first contribution in #​4070

Full Changelog: nodejs/undici@v7.4.0...v7.5.0

v7.4.0

Compare Source

What's Changed

• fix: apply byte offset on Buffer.from by @​ronag in #​4019
• fix: fetch body fallback random number generation by @​Uzlopak in #​4023
• Add release instructions by @​mcollina in #​4022
• Update Cache Tests by @​github-actions in #​4020
• Update WPT by @​github-actions in #​4011
• docs: document about global dispatcher and errors (#​3987) by @​zuozp8 in #​4014
• docs: fix incorrect method signature of onResponseError by @​tmair in #​4030
• feat(docs): copy to clipboard button by @​shivarm in #​4037
• don't check AbortSignal maxListeners on some node versions by @​KhafraDev in #​4045
• feat: mark EnvHttpProxyAgent as stable by @​aduh95 in #​4049
• test: fix windows wpt by @​metcoder95 in #​4050
• fix: do not throw unhandled exception when data is undefined in interceptor.reply by @​frederikprijck in #​4036
• fix: handle missing vary header values by @​gurgunday in #​4031
• Update WPT by @​github-actions in #​4028
• Update WPT by @​github-actions in #​4062
• fix: fix EnvHttpProxyAgent for the Node.js bundle by @​joyeecheung in #​4064

New Contributors

• @​zuozp8 made their first contribution in #​4014
• @​tmair made their first contribution in #​4030
• @​shivarm made their first contribution in #​4037
• @​frederikprijck made their first contribution in #​4036
• @​joyeecheung made their first contribution in #​4064

Full Changelog: nodejs/undici@v7.3.0...v7.4.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	lodash.merge@​4.6.2
	js-yaml@​4.1.0
	split2@​4.2.0
	rfdc@​1.4.1
	qs@​6.14.0
	yargs-parser@​21.1.1
	readable-stream@​4.7.0

View full report