@Cherry Cherry commented Nov 9, 2025

Currently, installing a lot of packages here results in npm audit warnings like this:

```text
undici  7.0.0 - 7.4.0
undici Denial of Service attack via bad certificate data - https://github.com/advisories/GHSA-cxrh-j4jr-qwg3
fix available via `npm audit fix --force`
Will install @xmcl/modrinth@2.3.1, which is a breaking change
node_modules/undici
  @xmcl/modrinth  >=2.3.2
  Depends on vulnerable versions of undici
  node_modules/@xmcl/modrinth
```

While these specific vulnerabilities are very unlikely to impact packages here, some companies have policies that prevent the use of packages with any npm audit warnings.

I've bumped the undici version to resolve these, and also loosened it a little. This should help reduce package sizes for large applications that all rely on undici, by allowing any compatible version with ^7.16.0.
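The claim in the comment above is that a constraint of `^7.16.0` can never resolve to a version inside the advisory's `7.0.0 - 7.4.0` range. The following is an added, dependency-free check of exactly that (it is not code from this PR or from the xmcl project): it implements npm's caret-range semantics and the hyphen range npm audit prints, then tests whether the two ranges intersect. The version strings are the ones visible in the audit output above; `7.20.3` and `8.0.0` are sample versions chosen for illustration, not releases this page mentions. Pre-release tags are deliberately unsupported.

```javascript
// Added example, not from the PR: does "^7.16.0" exclude "7.0.0 - 7.4.0"?
// Runs on Node 18+ with no npm packages installed.

// Parse "MAJOR.MINOR.PATCH" into [major, minor, patch]. Pre-release and
// build suffixes are rejected on purpose; npm audit printed plain releases.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

// Lexicographic compare on the three numeric components.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// npm caret semantics: ^X.Y.Z allows >=X.Y.Z <(X+1).0.0 when X > 0;
// ^0.Y.Z allows >=0.Y.Z <0.(Y+1).0; ^0.0.Z allows only >=0.0.Z <0.0.(Z+1).
// The lower bound is inclusive, the upper bound exclusive.
function caretRange(spec) {
  const lo = parseVersion(spec.replace(/^\^/, ''));
  let hi;
  if (lo[0] > 0) hi = [lo[0] + 1, 0, 0];
  else if (lo[1] > 0) hi = [0, lo[1] + 1, 0];
  else hi = [0, 0, lo[2] + 1];
  return { lo, hi, hiInclusive: false };
}

// Hyphen range "A - B" as printed by npm audit: inclusive on both ends.
function hyphenRange(spec) {
  const [a, b] = spec.split(/\s+-\s+/);
  return { lo: parseVersion(a), hi: parseVersion(b), hiInclusive: true };
}

// Is a concrete version inside a range?
function satisfies(version, range) {
  const v = parseVersion(version);
  if (compare(v, range.lo) < 0) return false;
  const c = compare(v, range.hi);
  return range.hiInclusive ? c <= 0 : c < 0;
}

// Two ranges intersect iff each lower bound lies below the other's upper bound.
function overlaps(r1, r2) {
  const below = (lo, r) => {
    const c = compare(lo, r.hi);
    return r.hiInclusive ? c <= 0 : c < 0;
  };
  return below(r1.lo, r2) && below(r2.lo, r1);
}

// Figures from this PR's npm audit output and the new constraint.
const VULNERABLE = hyphenRange('7.0.0 - 7.4.0');
const NEW_CONSTRAINT = caretRange('^7.16.0');

// true when no version allowed by the constraint is in the advisory range.
function newConstraintExcludesAdvisory() {
  return !overlaps(NEW_CONSTRAINT, VULNERABLE);
}

// Demo: sample versions (7.20.3 and 8.0.0 are made-up illustrations).
for (const v of ['7.4.0', '7.16.0', '7.20.3', '8.0.0']) {
  console.log(v, 'vulnerable:', satisfies(v, VULNERABLE),
              'allowed by ^7.16.0:', satisfies(v, NEW_CONSTRAINT));
}
console.log('constraint excludes advisory range:', newConstraintExcludesAdvisory());
```

Two caveats a reviewer would keep in mind. First, the range check says what the manifest permits, not what is installed: the lockfile pins the actual `undici` version, so `npm audit` on the refreshed lockfile is still the authoritative check. Second, the same comparison can be done with npm's own `semver` CLI (`npx semver -r '^7.16.0' 7.4.0` prints nothing for an excluded version), which also handles pre-release tags that this example rejects.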
