Skip to content

Bump the npm_and_yarn group across 1 directory with 2 updates#43353

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-b9a3ed2ddb
Closed

Bump the npm_and_yarn group across 1 directory with 2 updates#43353
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/npm_and_yarn/npm_and_yarn-b9a3ed2ddb

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 14, 2026

Bumps the npm_and_yarn group with 2 updates in the / directory: file-type and undici.

Updates file-type from 21.3.1 to 21.3.2

Release notes

Sourced from file-type's releases.

v21.3.2

  • Fix ZIP bomb in known-size ZIP probing (GHSA-j47w-4g3g-c36v) a155cd7
  • Fix bound recursive BOM and ID3 detection 370ed91

sindresorhus/file-type@v21.3.1...v21.3.2

Commits

Updates undici from 6.23.0 to 6.24.0

Release notes

Sourced from undici's releases.

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

Not applicable to v6

Affected and patched ranges (v6)

References

Commits
  • 8873c94 Bumped v6.24.0
  • 411bd01 test(websocket): use node:assert for Node 18 compatibility
  • 844bf59 test: fix http2 lint regressions in backport
  • a444e4f test: stabilize h2 and tls-cert-leak under current test runner
  • dc032a1 fix: h2 CI (#4395)
  • 4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
  • 7df6442 fix: adapt websocket frame-limit handling for v6 parser
  • 4e0179a fix: reject duplicate content-length and host headers
  • 5a97f08 Fix websocket 64-bit length overflow
  • e43e898 fix: validate upgrade header to prevent CRLF injection
  • Additional commits viewable in compare view

Updates undici from 7.22.0 to 7.24.1

Release notes

Sourced from undici's releases.

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

Not applicable to v6

Affected and patched ranges (v6)

References

Commits
  • 8873c94 Bumped v6.24.0
  • 411bd01 test(websocket): use node:assert for Node 18 compatibility
  • 844bf59 test: fix http2 lint regressions in backport
  • a444e4f test: stabilize h2 and tls-cert-leak under current test runner
  • dc032a1 fix: h2 CI (#4395)
  • 4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
  • 7df6442 fix: adapt websocket frame-limit handling for v6 parser
  • 4e0179a fix: reject duplicate content-length and host headers
  • 5a97f08 Fix websocket 64-bit length overflow
  • e43e898 fix: validate upgrade header to prevent CRLF injection
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the npm_and_yarn group across 1 directory with 2 updates
daa6e56 
Bumps the npm_and_yarn group with 2 updates in the / directory: [file-type](https://github.com/sindresorhus/file-type) and [undici](https://github.com/nodejs/undici).


Updates `file-type` from 21.3.1 to 21.3.2
- [Release notes](https://github.com/sindresorhus/file-type/releases)
- [Commits](sindresorhus/file-type@v21.3.1...v21.3.2)

Updates `undici` from 6.23.0 to 6.24.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.23.0...v6.24.0)

Updates `undici` from 7.22.0 to 7.24.1
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v6.23.0...v6.24.0)

---
updated-dependencies:
- dependency-name: file-type
  dependency-version: 21.3.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 6.24.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 7.24.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update JavaScript code labels Mar 14, 2026
@github-actions github-actions bot closed this Mar 14, 2026
@github-actions github-actions bot deleted the dependabot/npm_and_yarn/npm_and_yarn-b9a3ed2ddb branch March 14, 2026 03:59
@github-actions
Copy link
Contributor

github-actions bot commented Mar 14, 2026

This dependency update will be handled internally by our engineering team.

@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Mar 14, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 14, 2026
@github-actions github-actions bot added the triage Do not begin working on this issue until triaged by the team label Mar 14, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update JavaScript code triage Do not begin working on this issue until triaged by the team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants