chore(deps): update dependency undici@>=6.0.0 to ^6.23.0 [security] #3801

Open
renovate[bot] wants to merge 1 commit into main from renovate-npm-undici>=6.0.0-vulnerability

Conversation

renovate bot (Contributor) commented Jan 20, 2026

This PR contains the following updates:

Package: undici@>=6.0.0 (source)
Change: ^6.21.2 -> ^6.23.0

GitHub Vulnerability Alerts

CVE-2026-22036

Impact

The fetch() API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.

However, the number of links in the decompression chain is unbounded, and the default maxHeaderSize allows a malicious server to insert thousands of compression steps, leading to high CPU usage and excessive memory allocation.

Patches

Upgrade to 7.18.2 or 6.23.0.

Workarounds

It is possible to apply an undici interceptor and filter long Content-Encoding sequences manually.

References


Release Notes

nodejs/undici (undici@>=6.0.0)

v6.23.0

Compare Source

Full Changelog: nodejs/undici@v6.22.0...v6.23.0

v6.22.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.21.3...v6.22.0

v6.21.3

Compare Source

What's Changed

Full Changelog: nodejs/undici@v6.21.2...v6.21.3


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
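The chain-length filter that the advisory's workaround describes, written out as an added example; this is not code from the PR, from Renovate, or from undici itself. It parses a Content-Encoding field value with RFC 9110 list syntax (comma-separated, optional whitespace, empty elements ignored, names case-insensitive), refuses chains longer than a limit, and builds a hostile header to show that a chain of thousands of codings fits inside Node's default 16 KiB header limit, which is why maxHeaderSize alone does not bound the chain. The function names, the limit of 3 links, and the 3000-link hostile header are all assumptions chosen for illustration; in a real deployment the check would run on the response headers inside an undici interceptor before the decompress step, which is where the advisory says to apply it.

```javascript
// Added example (not undici's own code): bound the number of links in a
// Content-Encoding chain before a response reaches any decompression step.
// Assumed limit: 3 links is more than a legitimate origin sends ("gzip, br" is 2).
const DEFAULT_MAX_LINKS = 3;

// Parse a Content-Encoding field value into its list of codings using RFC 9110
// list syntax: split on commas, trim whitespace, drop empty elements, and
// lower-case names since coding tokens are case-insensitive. Accepts a single
// string or an array of strings (a repeated header field is one combined list).
function parseContentEncoding(headerValue) {
  if (headerValue == null) return [];
  const values = Array.isArray(headerValue) ? headerValue : [headerValue];
  const codings = [];
  for (const value of values) {
    for (const raw of String(value).split(',')) {
      const coding = raw.trim().toLowerCase();
      if (coding !== '') codings.push(coding);
    }
  }
  return codings;
}

// Decide whether a response with this Content-Encoding may be decompressed.
// Returns { ok: true, codings } when the chain is within the limit, otherwise
// { ok: false, reason, codings }; the caller fails the request in the latter
// case so that no inflate step is ever started for the hostile chain.
function checkContentEncodingChain(headerValue, maxLinks = DEFAULT_MAX_LINKS) {
  const codings = parseContentEncoding(headerValue);
  if (codings.length > maxLinks) {
    return {
      ok: false,
      reason: `content-encoding chain has ${codings.length} links (max ${maxLinks})`,
      codings,
    };
  }
  return { ok: true, codings };
}

// Constructed attack input: a header value with `n` chained codings, as a
// malicious server could send. Only used to show that a very long chain is
// small in bytes and passes Node's default 16 KiB (16384) header size limit.
function hostileContentEncoding(n, coding = 'gzip') {
  return Array(n).fill(coding).join(',');
}

// Run the check on a legitimate header and on the constructed hostile one.
function demo() {
  const legit = checkContentEncodingChain('gzip, br');
  const hostile = hostileContentEncoding(3000);
  const hostileBytes = Buffer.byteLength(hostile);
  const attack = checkContentEncodingChain(hostile);
  console.log('legit chain accepted:', legit.ok, legit.codings);
  console.log('hostile header bytes:', hostileBytes, 'fits in 16384:', hostileBytes < 16384);
  console.log('hostile chain accepted:', attack.ok, attack.reason);
  return { legit: legit.ok, attack: attack.ok, hostileBytes };
}

demo();
```

The 3000-link header is 14999 bytes, comfortably under the default header limit, so a size cap on headers does nothing against this input; counting the links is the check that matters, and it must run before the first decompressor is created.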

renovate bot added the dependencies label Jan 20, 2026

netlify bot commented Jan 20, 2026

Deploy Preview for brilliant-pasca-3e80ec canceled.

Name Link
🔨 Latest commit cbe7b4a
🔍 Latest deploy log https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/6991aa101bd08d00085b8b4a

github-actions bot commented Jan 20, 2026

🚀 Performance Test Results

Test Configuration:

  • VUs: 4
  • Duration: 1m0s

Test Metrics:

  • Requests/s: 40.31
  • Iterations/s: 13.43
  • Failed Requests: 0.00% (0 of 2425)
📜 Logs

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test "-k" "-q" "--vus" "4" "--duration" "1m"

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 875 kB 15 kB/s
     data_sent......................: 1.9 MB 31 kB/s
     http_req_blocked...............: avg=7.93µs   min=2.47µs   med=5.8µs    max=1.08ms   p(90)=6.9µs    p(95)=7.58µs  
     http_req_connecting............: avg=879ns    min=0s       med=0s       max=1.01ms   p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=98.53ms  min=7.15ms   med=81.64ms  max=557.61ms p(90)=171.15ms p(95)=195.13ms
       { expected_response:true }...: avg=98.53ms  min=7.15ms   med=81.64ms  max=557.61ms p(90)=171.15ms p(95)=195.13ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 2425
     http_req_receiving.............: avg=102.54µs min=30.3µs   med=83.82µs  max=3.79ms   p(90)=128.95µs p(95)=175.16µs
     http_req_sending...............: avg=42.06µs  min=10.61µs  med=29.77µs  max=4.56ms   p(90)=43.06µs  p(95)=60.06µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=98.39ms  min=7.01ms   med=81.54ms  max=557.5ms  p(90)=171.03ms p(95)=195.02ms
     http_reqs......................: 2425   40.309157/s
     iteration_duration.............: avg=297.43ms min=187.47ms med=279.27ms max=1.13s    p(90)=364.48ms p(95)=393.07ms
     iterations.....................: 808    13.430845/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4 

renovate bot force-pushed the renovate-npm-undici>=6.0.0-vulnerability branch 4 times, most recently from 42e2486 to 1533049 on January 28, 2026 19:27
renovate bot force-pushed the renovate-npm-undici>=6.0.0-vulnerability branch from 1533049 to cbe7b4a on February 15, 2026 11:12