Fix GHSA-vrm6-8vpv-qv8q: override undici to ^6.24.0

[Copilot]

Transitive dependency undici@5.29.0 (via @actions/core and @actions/github) is vulnerable to unbounded memory consumption in WebSocket permessage-deflate decompression.

Changes

• Added npm overrides to pin undici to ^6.24.0 across all transitive consumers

"overrides": {
  "undici": "^6.24.0"
}

Why overrides instead of bumping direct dependencies

@actions/github@9.0.0 is the first version shipping undici@^6.23.0, but it's ESM-only ("type": "module"), incompatible with this project's CommonJS toolchain (tsc module: "commonjs", Jest CJS). Overrides update the transitive dep without a full ESM migration.

Reachability

Not reachable (high confidence). The vulnerability is in PerMessageDeflate.decompress() — the WebSocket client path. This codebase only uses undici indirectly via @actions/http-client for HTTP fetch/ProxyAgent. No WebSocket connections are established. Update satisfies scanners rather than mitigating active risk.

Original prompt

---

This section details the Dependabot vulnerability alert you should resolve

<alert_title>Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression</alert_title>
<alert_description>## Description

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.

The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.

Impact

• Remote denial of service against any Node.js application using undici's WebSocket client
• A single compressed WebSocket frame of ~6 MB can decompress to ~1 GB or more
• Memory exhaustion occurs in native/external memory, bypassing V8 heap limits
• No application-level mitigation is possible as decompression occurs before message delivery

Patches

Users should upgrade to fixed versions.

Workarounds

No workaround are possible.</alert_description>

high
GHSA-vrm6-8vpv-qv8q, CVE-2026-1526
undici
npm
<vulnerable_versions>5.29.0</vulnerable_versions>
<patched_version>6.24.0</patched_version>
<manifest_path>package-lock.json</manifest_path>

https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q https://nvd.nist.gov/vuln/detail/CVE-2026-1526 https://hackerone.com/reports/3481206 https://cna.openjsf.org/security-advisories.html https://datatracker.ietf.org/doc/html/rfc7692 https://owasp.org/www-community/attacks/Denial_of_Service https://github.com/advisories/GHSA-vrm6-8vpv-qv8q

<agent_instructions>please open a PR to update the following dependencies in order to update undici

@actions/core 2.0.0
@actions/github 6.0.1

we want to transitively import undici 6.24.0 or higher</agent_instructions>

<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachability Assessment section in the PR description. Review the alert_description field to understand which APIs, features, or configurations are affected, then search the codebase for usage of those specific items. If the vulnerable code path is reachable, explain how (which files, APIs, or call sites use the affected functionality) and note that the codebase is actively exposed to this vulnerability. If the vulnerable code path is not reachable, explain why (e.g. the affected API is never called, the vulnerable configuration is not used) and note that the update is primarily to satisfy vulnerability scanners rather than to address an active risk. If the advisory is too vague to determine reachability (e.g. 'improper input validation' with no specific API named), state that reachability could not be determined and explain why. Include a confidence level in the reachability assessment (e.g. high confidence if the advisory names a specific API and you confirmed it is or is not called, low confidence if the usage is indirect and hard to trace). If no patched version is available, check the alert_description field for a Workarounds section — the advisory may describe configuration changes or usage patterns that mitigate the vulnerability without a version update. If a workaround is available, apply it and leave a code comment referencing the advisory identifier explaining it is a temporary mitigation. If neither a patch nor a workaround is available, explain in the PR description why the alert cannot be resolved automatically so a human reviewer can take over. Inspect the repository to determine which package manager is used (e.g. lock files, config files, build scripts) and use that tooling to perform the update — do not edit lock files directly. If the version constraint in the manifest (e.g. package.json, Gemfile, pyproject.toml) caps the version below the fix, update the constraint first. For transitive dependencies, determine whether it is simpler to update the direct dependency that pulls in the vulnerable package or to update the transitive dependency directly, and choose the least disruptive approach. If upgrading to fix the vulnerability forces a major version bump or known breaking changes, review the changelog or release notes, then audit t...

• Resolves github/webpack-bundlesize-compare-action alert Bump prettier from 2.5.1 to 2.6.0 #57

[github-actions]

Bundle Stats — With chunk and module information

Hey there, this message comes from a GitHub action that helps you and reviewers to understand how these changes affect the size of this project's bundle.

As this PR is updated, I'll keep you updated on how the bundle size is impacted.

Total

Files count	Total bundle size	% Changed
2	1.98 MB	0%

Changeset

File	Δ	Size
src/client/this/file/has/a/long/name/so-that-it-will-hopefully-wrap.tsx	🆕 +2.72 kB	0 B → 2.72 kB
src/client/this-file-was-added.ts	🆕 +1.46 kB	0 B → 1.46 kB
src/client/this-is-another-file-with-a-long-name-to-test-the-table-sizing.tsx	🆕 +1.04 kB	0 B → 1.04 kB
src/client/helpers/this-file-is-much-larger.ts	📈 +11.66 kB (+865.77%)	1.35 kB → 13.01 kB
src/client/this-file-grew-larger.tsx	📈 +200 B (+35.59%)	562 B → 762 B
src/client/helpers/this-file-grew-smaller.ts	📉 -200 B (-7.94%)	2.46 kB → 2.26 kB
src/client/this-file-is-much-smaller.tsx	📉 -11.66 kB (-99.92%)	11.67 kB → 10 B
src/client/routes.tsx	🔥 -2.72 kB (-100%)	2.72 kB → 0 B
src/client/this-file-will-be-deleted.ts	🔥 -1.46 kB (-100%)	1.46 kB → 0 B
src/client/render-memex.tsx	🔥 -1.04 kB (-100%)	1.04 kB → 0 B

View detailed bundle breakdown

Added

No assets were added

Removed

No assets were removed

Bigger

No assets were bigger

Smaller

No assets were smaller

Unchanged

Asset	File Size	% Changed
app.bundle.js	1.98 MB	0%
manifest.json	91 B	0%

[github-actions]

Bundle Stats

Hey there, this message comes from a GitHub action that helps you and reviewers to understand how these changes affect the size of this project's bundle.

As this PR is updated, I'll keep you updated on how the bundle size is impacted.

Total

Files count	Total bundle size	% Changed
7 → 2	1.34 MB → 1.29 MB (-53.65 kB) 386.44 kB → N/A (gzip)	-3.91%

View detailed bundle breakdown

Added

No assets were added

Removed

Asset	File Size	% Changed
296.chunk.js	124.57 kB → 0 B (-124.57 kB) 35.05 kB → 0 B (gzip)	-100%
288.chunk.js	57.24 kB → 0 B (-57.24 kB) 16.33 kB → 0 B (gzip)	-100%
920.chunk.js	54.98 kB → 0 B (-54.98 kB) 17.08 kB → 0 B (gzip)	-100%
912.chunk.js	44.37 kB → 0 B (-44.37 kB) 14.31 kB → 0 B (gzip)	-100%
699.chunk.js	26.39 kB → 0 B (-26.39 kB) 6.14 kB → 0 B (gzip)	-100%

Bigger

Asset	File Size	% Changed
app.bundle.js	1.04 MB → 1.29 MB (+254.35 kB) 297.38 kB → N/A (gzip)	+23.91%

Smaller

Asset	File Size	% Changed
manifest.json	551 B → 91 B (-460 B) 151 B → N/A (gzip)	-83.48%

Unchanged

No assets were unchanged

[github-actions]

Bundle Stats — Flipped around

Hey there, this message comes from a GitHub action that helps you and reviewers to understand how these changes affect the size of this project's bundle.

As this PR is updated, I'll keep you updated on how the bundle size is impacted.

Total

Files count	Total bundle size	% Changed
2 → 7	1.29 MB → 1.34 MB (+53.65 kB) N/A → 386.44 kB (gzip)	+4.07%

View detailed bundle breakdown

Added

Asset	File Size	% Changed
296.chunk.js	0 B → 124.57 kB (+124.57 kB) 0 B → 35.05 kB (gzip)	-
288.chunk.js	0 B → 57.24 kB (+57.24 kB) 0 B → 16.33 kB (gzip)	-
920.chunk.js	0 B → 54.98 kB (+54.98 kB) 0 B → 17.08 kB (gzip)	-
912.chunk.js	0 B → 44.37 kB (+44.37 kB) 0 B → 14.31 kB (gzip)	-
699.chunk.js	0 B → 26.39 kB (+26.39 kB) 0 B → 6.14 kB (gzip)	-

Removed

No assets were removed

Bigger

Asset	File Size	% Changed
manifest.json	91 B → 551 B (+460 B) N/A → 151 B (gzip)	+505.49%

Smaller

Asset	File Size	% Changed
app.bundle.js	1.29 MB → 1.04 MB (-254.35 kB) N/A → 297.38 kB (gzip)	-19.29%

Unchanged

No assets were unchanged

[github-actions]

Bundle Stats — Non existent

Hey there, this message comes from a GitHub action that helps you and reviewers to understand how these changes affect the size of this project's bundle.

As this PR is updated, I'll keep you updated on how the bundle size is impacted.

Total

Files count	Total bundle size	% Changed
0	0 B	0%

View detailed bundle breakdown

Added

No assets were added

Removed

No assets were removed

Bigger

No assets were bigger

Smaller

No assets were smaller

Unchanged

No assets were unchanged

[github-actions]

Bundle Stats — No changes

Hey there, this message comes from a GitHub action that helps you and reviewers to understand how these changes affect the size of this project's bundle.

As this PR is updated, I'll keep you updated on how the bundle size is impacted.

Total

Files count	Total bundle size	% Changed
7	1.34 MB 386.44 kB	0%

View detailed bundle breakdown

Added

No assets were added

Removed

No assets were removed

Bigger

No assets were bigger

Smaller

No assets were smaller

Unchanged

Asset	File Size	% Changed
app.bundle.js	1.04 MB 297.38 kB	0%
296.chunk.js	124.57 kB 35.05 kB	0%
288.chunk.js	57.24 kB 16.33 kB	0%
920.chunk.js	54.98 kB 17.08 kB	0%
912.chunk.js	44.37 kB 14.31 kB	0%
699.chunk.js	26.39 kB 6.14 kB	0%
manifest.json	551 B 151 B	0%

[github-actions]

Bundle Stats — With describe-assets: 'none'

Hey there, this message comes from a GitHub action that helps you and reviewers to understand how these changes affect the size of this project's bundle.

As this PR is updated, I'll keep you updated on how the bundle size is impacted.

Total

Files count	Total bundle size	% Changed
7 → 2	1.34 MB → 1.29 MB (-53.65 kB) 386.44 kB → N/A (gzip)	-3.91%

View detailed bundle breakdown

[github-actions]

Bundle Stats — With describe-assets: 'changed-only'

Hey there, this message comes from a GitHub action that helps you and reviewers to understand how these changes affect the size of this project's bundle.

As this PR is updated, I'll keep you updated on how the bundle size is impacted.

Total

Files count	Total bundle size	% Changed
7	1.34 MB 386.44 kB	0%

View detailed bundle breakdown

Added

No assets were added

Removed

No assets were removed

Bigger

No assets were bigger

Smaller

No assets were smaller

[Copilot]

Pull request overview

This PR addresses the GHSA-vrm6-8vpv-qv8q security advisory by ensuring the repository no longer installs vulnerable undici@5.29.0, without requiring an upgrade to ESM-only @actions/github@9+ (keeping the project’s CommonJS toolchain intact).

Changes:

• Added an npm overrides rule to force undici to ^6.24.0 across transitive dependents.
• Regenerated package-lock.json to resolve to undici@6.24.1 and update the dependency tree accordingly.
• Updated the generated third-party license bundle to reflect the new dependency graph.

Show a summary per file

File	Description
package.json	Adds npm overrides to force patched undici across transitive dependencies.
package-lock.json	Refreshes the lockfile to install undici@6.24.1 and remove vulnerable/unused transitive entries.
dist/licenses.txt	Updates the bundled license attributions to match the new resolved dependencies.

Copilot's findings

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

• Files reviewed: 1/5 changed files
• Comments generated: 0