LTS-4005: bump undici override 7.24.0 -> 7.28.0 (SOCKS5 TLS bypass CVE)#13
LTS-4005: bump undici override 7.24.0 -> 7.28.0 (SOCKS5 TLS bypass CVE)#13dheeren-gaud wants to merge 1 commit into
Conversation
) Patches SOCKS5 ProxyAgent TLS bypass (CVSS 7.4). The repo's existing overrides block pinned cheerio's undici to ^7.24.0, narrower than cheerio's own ^7.19.0 range. Raising the override floor to ^7.28.0 forces npm to pick the patched version while keeping intent documented. webdriver's nested undici stays on 6.x (not affected by the CVE; SOCKS5 support was introduced in undici 7.23.0). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Claude Code Review — LTS-4005 undici CVE bumpVerdict: PASS — correct, complete for the stated CVE, safe to merge. Correctness — verified against the advisoryTargets GHSA-vmh5-mc38-953g / CVE-2026-9697 — ProxyAgent silently drops
The v6 instance is correctly left aloneThe lockfile carries two undici copies:
Leaving v6 alone is correct, not an oversight: the SOCKS5/ Findings[Low] Lockfile regeneration churn beyond the stated change. The diff adds/removes many [Low / informational] Other 2026 undici advisories exist (e.g. CVE-2026-12151, WebSocket-fragment DoS). [Info] Real-world exposure here is minimal. undici is Bottom lineCorrect fix, correct version, sound scoping. Only nits are lockfile-hygiene confirmation. Safe to merge. 🤖 Reviewed with Claude Code |
Summary
ProxyAgentsilently dropsrequestTlsoptions under SOCKS5, enabling MITM when cert pinning is in use.cheerio.undicioverride floor from^7.24.0to^7.28.0inpackage.json.undiciunder cheerio resolves to7.28.0(patched).webdriver's nested undici (6.x) is not affected — SOCKS5 support was added in undici7.23.0, so all6.xversions are immune.Why a package.json change (vs lock-only)
Unlike sister ticket LTS-4006, this repo has an
overridesblock that explicitly pinnedundicito a narrower range than cheerio itself declares. Updating the lock alone wouldn't suffice — npm respects the override boundary. Raising the floor to^7.28.0documents the security intent: anything below this is CVE-vulnerable.Exposure
Low in practice — this is example/sample code for customers. It doesn't run undici's
ProxyAgentwith SOCKS5 + custom CA pinning. Patching to satisfy the security SLA.Jira: https://browserstack.atlassian.net/browse/LTS-4005
Test plan
npm ls undicishowscheerio -> undici@7.28.0andwebdriver -> undici@6.27.0npm installfrom a clean state regenerates the same lock🤖 Generated with Claude Code