fix(deps): update dependency undici to v6.21.2 [security]

[svc-secops]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	6.21.1 -> 6.21.2

GitHub Vulnerability Alerts

CVE-2025-47279

Impact

Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.

Patches

This has been patched in https://github.com/nodejs/undici/pull/4088.

Workarounds

If a webhook fails, avoid keep calling it repeatedly.

References

Reported as: https://github.com/nodejs/undici/issues/3895

---

undici Denial of Service attack via bad certificate data

CVE-2025-47279 / GHSA-cxrh-j4jr-qwg3

More information

Details

Impact

Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.

Patches

This has been patched in https://github.com/nodejs/undici/pull/4088.

Workarounds

If a webhook fails, avoid keep calling it repeatedly.

References

Reported as: https://github.com/nodejs/undici/issues/3895

Severity

• CVSS Score: 3.1 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3
• https://nvd.nist.gov/vuln/detail/CVE-2025-47279
• https://github.com/nodejs/undici/issues/3895
• https://github.com/nodejs/undici/pull/4088
• https://github.com/nodejs/undici

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nodejs/undici (undici)

v6.21.2

Compare Source

What's Changed

• fix(types): add missing DNS interceptor by @​slagiewka in https://github.com/nodejs/undici/pull/4024
• [v6.x] fix wpts on windows by @​mcollina in https://github.com/nodejs/undici/pull/4093
• Removed clients with unrecoverable errors from the Pool https://github.com/nodejs/undici/pull/4088

New Contributors

• @​slagiewka made their first contribution in https://github.com/nodejs/undici/pull/4024

Full Changelog: nodejs/undici@v6.21.1...v6.21.2

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - "after 8am and before 4pm on tuesday" in timezone America/Los_Angeles.

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

This PR has been generated by Renovate Bot.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 812cfd7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[github-actions]

You can download the latest build of the extension for this PR here:
vscode-apollo-0.0.0-build-1752665574.pr-291.commit-4b8d45a.zip.

To install the extension, download the file, unzip it and install it in VS Code by selecting "Install from VSIX..." in the Extensions view.

Alternatively, run

code --install-extension vscode-apollo-0.0.0-build-1752665574.pr-291.commit-4b8d45a.vsix --force

from the command line.

For older builds, please see the edit history of this comment.