Security Vulnerability: High-severity vulnerabilities in undici dependency (EOL branch) #56

@mattdelashaw

Description

I'm here because of Snyk and my own npm audit that caused me to dig. The current version of @iamtraction/google-translate (v2.0.1) depends on undici@^5.12.0. The 5.x branch of undici is now end-of-life (EOL) and contains several high-severity security vulnerabilities that will not be patched in that branch.

Specifically, undici@5.29.0 (the latest in 5.x) is vulnerable to:

Impact
Applications using this library are flagged by security scanners (like npm audit or Snyk) due to these transitive dependencies. Since the 5.x branch of undici is EOL, the only way to resolve these is to upgrade undici to a supported version (v6.23.1+ or v7.x+).

Proposed Solution
Update the package.json to use a newer version of undici.

  • Minimum Fix: undici@^6.23.1
  • Recommended: undici@^7.0.0 (or the latest stable version)

Note: undici@6.x and above require Node.js 18.17+, which matches the current industry standard for LTS. If maintaining support for older Node versions is required, a custom interceptor workaround would be needed, but upgrading the dependency is the standard path.

Verification
I have verified that forcing undici@6.x via overrides in my local project does not break the core translation functionality of this library.


Notes for you:
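The check and the workaround the issue describes, as an added example that is not code from the issue author or from the @iamtraction/google-translate project: it walks a dependency tree in the JSON shape that `npm ls --all --json` prints, reports every transitive copy of undici below the minimum fixed version named above (6.23.1), checks the Node.js 18.17+ floor, and builds the package.json `overrides` entry that forces a newer undici. The dependency tree and package.json objects are constructed for illustration; the function names are this example's own.

```javascript
// Added example for this issue (not code from the library or the issue author).
// It walks the JSON tree that `npm ls --all --json` prints, reports every
// transitive copy of undici below the minimum fixed version the issue names,
// and builds the package.json "overrides" entry used to force a newer one.
// The dependency tree and package.json below are constructed for illustration.

const MIN_FIXED_UNDICI = "6.23.1";      // minimum fix version from the issue
const MIN_NODE_FOR_UNDICI6 = "18.17.0"; // runtime floor noted in the issue

// "6.23.1" -> [6, 23, 1]; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Negative, zero or positive like strcmp, comparing major.minor.patch.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Depth-first walk over an `npm ls --all --json` tree, collecting every
// installed copy of `name` together with the dependency path that pulled it in.
function findPackageVersions(tree, name, trail = [tree.name || "(root)"], out = []) {
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const path = trail.concat(dep);
    if (dep === name && info.version) out.push({ version: info.version, path: path.join(" > ") });
    findPackageVersions(info, name, path, out);
  }
  return out;
}

// Copies of undici older than the minimum fixed version (the EOL 5.x line).
function vulnerableUndici(tree, minimum = MIN_FIXED_UNDICI) {
  return findPackageVersions(tree, "undici").filter(c => compareVersions(c.version, minimum) < 0);
}

// Returns a copy of a package.json object with an npm "overrides" entry that
// pins every transitive undici to `range`; existing overrides are preserved.
function addUndiciOverride(pkg, range = "^6.23.1") {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), undici: range } };
}

// True when the running (or given) Node version meets the undici 6+ floor.
function nodeSupportsUndici6(nodeVersion = process.versions.node) {
  return compareVersions(nodeVersion, MIN_NODE_FOR_UNDICI6) >= 0;
}

// Constructed tree shaped like `npm ls --all --json` for an app that depends on
// @iamtraction/google-translate 2.0.1, which in turn pulls in undici 5.29.0.
const sampleTree = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "@iamtraction/google-translate": {
      version: "2.0.1",
      dependencies: { undici: { version: "5.29.0" } },
    },
  },
};

// Constructed package.json of the consuming application.
const samplePackageJson = {
  name: "my-app",
  dependencies: { "@iamtraction/google-translate": "^2.0.1" },
};

for (const hit of vulnerableUndici(sampleTree)) {
  console.log(`undici ${hit.version} via ${hit.path} is below ${MIN_FIXED_UNDICI}`);
}
console.log(JSON.stringify(addUndiciOverride(samplePackageJson), null, 2));
console.log(`Node ${process.versions.node} meets the undici 6+ floor: ${nodeSupportsUndici6()}`);
```

To run it against a real project, parse the output of `npm ls --all --json` and pass the resulting object to `vulnerableUndici`. The `overrides` field is honoured only in the root package.json of the installing project and needs npm 8.3 or newer; after adding it, a fresh `npm install` followed by `npm audit` confirms that no copy of the 5.x line remains in the lockfile.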
