
chore(deps): bump undici from 7.24.7 to 7.28.0#721

Merged
DeepDiver1975 merged 1 commit into master from dependabot/npm_and_yarn/undici-7.28.0 on Jun 21, 2026

Conversation

@dependabot (bot, Contributor) commented on behalf of github on Jun 18, 2026:

Bumps undici from 7.24.7 to 7.28.0.

Release notes

Sourced from undici's releases.

v7.28.0

⚠️ Security Release

This release line addresses 7 security advisories, all shipped in v7.28.0.

Action required: Upgrade to undici 7.28.0 or later.

npm install undici@^7.28.0

The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.

Note on GHSA-hm92-r4w5-c3mj: this fix shipped in v7.28.0, not the earlier 7.2x line — the vulnerable single-pool code was still present through v7.27.2. The per-origin pool fix is 3805b8f8 (#5041).

Summary

| Advisory | CVE | Severity (CVSS) | Fixed in | Fix commit |
| --- | --- | --- | --- | --- |
| GHSA-vxpw-j846-p89q | CVE-2026-12151 | High (7.5) | 7.28.0 | 8cb10f98 |
| GHSA-vmh5-mc38-953g | CVE-2026-9697 | High (7.4) | 7.28.0 | 04201f89 |
| GHSA-hm92-r4w5-c3mj | CVE-2026-6734 | High (7.5) | 7.28.0 | 3805b8f8 |
| GHSA-pr7r-676h-xcf6 | CVE-2026-9678 | Moderate (5.9) | 7.28.0 | 85a24055 |
| GHSA-p88m-4jfj-68fv | CVE-2026-9679 | Moderate (5.9) | 7.28.0 | d0574cc4 |
| GHSA-g8m3-5g58-fq7m | CVE-2026-11525 | Low (3.7) | 7.28.0 | d0574cc4 |
| GHSA-35p6-xmwp-9g52 | CVE-2026-6733 | Low (3.7) | 7.28.0 | ea8930cf |

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770. Fix: 8cb10f98 "websocket: limit the number of fragments in a message" (part of backport a027a4a0 "Backport WebSocket maxPayloadSize fixes to v7.x", #5423)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

  • Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
  • Workaround: none — upgrade is required.

TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697

GHSA-vmh5-mc38-953g · CWE-295

... (truncated)

Commits
  • f9eba0a Bumped v7.28.0 (#5430)
  • a027a4a Backport WebSocket maxPayloadSize fixes to v7.x (#5423)
  • 8cb10f9 websocket: limit the number of fragments in a message
  • 04201f8 fix: honor requestTls when proxy is SOCKS5
  • fcd642f fix(socks5): preserve dispatch backpressure return value (#5166)
  • bc98c97 fix(socks5): use configured connector in Socks5ProxyAgent (#5168)
  • 9e1c743 fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (#5099)
  • 376c8be fix(socks5): enforce authenticated state before CONNECT (#5097)
  • 3805b8f fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...
  • 85a2405 fix(cache): trim qualified field names
  • Additional commits viewable in compare view

@dependabot added the labels dependencies ("Pull requests that update a dependency file") and javascript ("Pull requests that update javascript code") on Jun 18, 2026
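The fragment-count gap described in the WebSocket advisory quoted in the release notes above, as an added example that is not undici's code: a minimal parser for unmasked (server-to-client) WebSocket frames and a message assembler that enforces both a cumulative payload cap and a per-message fragment cap. The option names (maxPayloadSize, maxFragments), the assembler API and the frame byte sequences are constructed for this example and are not undici's options or wire handling. Fed a stream of thousands of empty continuation frames, the size-only limiter accepts every frame and keeps an array entry for each, while the fragment cap stops the stream after a bounded number of frames.

```javascript
'use strict';
// Added example, not undici's code: a parser for unmasked (server-to-client)
// WebSocket frames plus a message assembler that enforces a cumulative payload
// cap and a per-message fragment cap. Option names and frame bytes are constructed.

// Parse one frame at `offset`. Returns { fin, opcode, payload, next }, or null
// when the buffer does not yet hold a complete frame.
function parseFrame(buf, offset = 0) {
  if (buf.length < offset + 2) return null;
  const b0 = buf[offset], b1 = buf[offset + 1];
  if (b1 & 0x80) throw new Error('frames from a server must not be masked');
  let len = b1 & 0x7f, pos = offset + 2;
  if (len === 126) {
    if (buf.length < pos + 2) return null;
    len = buf.readUInt16BE(pos); pos += 2;
  } else if (len === 127) {
    if (buf.length < pos + 8) return null;
    const big = buf.readBigUInt64BE(pos); pos += 8;
    if (big > BigInt(Number.MAX_SAFE_INTEGER)) throw new RangeError('frame length not representable');
    len = Number(big);
  }
  if (buf.length < pos + len) return null;
  return { fin: (b0 & 0x80) !== 0, opcode: b0 & 0x0f, payload: buf.subarray(pos, pos + len), next: pos + len };
}

// Reassembles fragmented data messages (opcode 1 or 2, then 0 continuations).
class MessageAssembler {
  constructor({ maxPayloadSize = 1 << 20, maxFragments = Infinity } = {}) {
    Object.assign(this, { maxPayloadSize, maxFragments, fragments: [], bytes: 0 });
  }

  // Feed one parsed frame. Returns the complete message on FIN, else null;
  // throws RangeError when a limit is exceeded.
  push({ fin, opcode, payload }) {
    const pending = this.fragments.length > 0;
    if (opcode === 0 && !pending) throw new Error('continuation frame without a pending message');
    if (opcode !== 0 && pending) throw new Error('new data frame while a message is pending');
    if (this.bytes + payload.length > this.maxPayloadSize) throw new RangeError('maxPayloadSize exceeded');
    // The check a byte-only limiter lacks: an empty continuation frame adds
    // nothing to `bytes` but still costs an entry in `fragments`.
    if (this.fragments.length + 1 > this.maxFragments) throw new RangeError('maxFragments exceeded');
    this.fragments.push(payload);
    this.bytes += payload.length;
    if (!fin) return null;
    const message = Buffer.concat(this.fragments);
    this.fragments = []; this.bytes = 0;
    return message;
  }

  get bufferedFragments() { return this.fragments.length; }
}

// Constructed hostile stream: a 1-byte text frame without FIN, then `n` empty
// continuation frames and never a final frame.
function buildEmptyContinuationFlood(n) {
  const head = Buffer.from([0x01, 0x01, 0x41]); // FIN=0, opcode=1 (text), len=1, 'A'
  const cont = Buffer.from([0x00, 0x00]);       // FIN=0, opcode=0 (continuation), len=0
  return Buffer.concat([head, ...new Array(n).fill(cont)]);
}

// Constructed benign stream: one text message split across `parts` (each under 126 bytes).
function buildFragmentedText(parts) {
  return Buffer.concat(parts.map((p, i) => {
    const body = Buffer.from(p, 'utf8');
    const b0 = (i === parts.length - 1 ? 0x80 : 0x00) | (i === 0 ? 0x01 : 0x00);
    return Buffer.concat([Buffer.from([b0, body.length]), body]);
  }));
}

// Drive a byte stream through an assembler and report what happened: frames
// accepted, whether a limit stopped the stream, completed messages, and the
// number of fragments still buffered at the end.
function feed(stream, assembler) {
  const result = { accepted: 0, rejected: false, reason: null, messages: [] };
  let offset = 0;
  while (offset < stream.length) {
    const frame = parseFrame(stream, offset);
    if (frame === null) break; // incomplete trailing frame
    let message;
    try {
      message = assembler.push(frame);
    } catch (err) {
      if (!(err instanceof RangeError)) throw err;
      result.rejected = true; result.reason = err.message;
      break;
    }
    result.accepted += 1;
    if (message !== null) result.messages.push(message.toString('utf8'));
    offset = frame.next;
  }
  result.buffered = assembler.bufferedFragments;
  return result;
}

// Stand-alone demonstration: the same flood against a size-only cap and a size+fragment cap.
const flood = buildEmptyContinuationFlood(10000);
console.log('size cap only      :', feed(flood, new MessageAssembler({ maxPayloadSize: 1024 })));
console.log('size + fragment cap:', feed(flood, new MessageAssembler({ maxPayloadSize: 1024, maxFragments: 64 })));
```

The fragment cap is deliberately checked before the payload is appended, so the rejecting frame never enters the buffer; a cap applied after the push would still let the attacker land one more entry per message than the limit allows. Pick maxFragments from the largest fragmentation a legitimate peer actually produces, not from memory headroom, since the attacker's frames are free to be zero bytes.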

@DeepDiver1975 (Member) left a comment:

🤖 Automated review by Claude Code review agent.

Overview

Dependabot bump of undici from 7.24.7 → 7.28.0. The diff touches a single file (package-lock.json, +3/−3): only the version, resolved, and integrity fields of the node_modules/undici entry change. No source files, no package.json manifest, and no other dependencies are affected. undici is a transitive/build-time HTTP client in the docs tooling, so the runtime blast radius for this docs repo is minimal.

Code quality / style

Nothing to review — this is a machine-generated lockfile update with correct, well-formed JSON. The engines.node: >=20.18.1 constraint is unchanged between the two versions, so no Node baseline shift is introduced.

Specific suggestions

  • Verify CI (lockfile install + docs build) passes green before merge; that is the only meaningful gate for a lockfile-only change.
  • Confirm the new integrity hash resolves against the npm registry (it will, if CI install succeeds).

Potential issues / risks

Low risk — and this is a recommended security upgrade. Per the upstream release notes, v7.28.0 is an explicit security release addressing 7 advisories, all of which land in 7.28.0 (the bump range 7.24.7 → 7.28.0 therefore plausibly does include security fixes — confirmed). Notable items:

The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression, so staying on the v7 line here is appropriate.

This is a patch/minor bump within the same major (7.x), so no breaking API changes are expected. Given the High-severity advisories addressed, merging is encouraged once CI is green.

@DeepDiver1975 (Member) commented:

@dependabot rebase

Bumps [undici](https://github.com/nodejs/undici) from 7.24.7 to 7.28.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.24.7...v7.28.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot force-pushed the dependabot/npm_and_yarn/undici-7.28.0 branch from aacbe44 to 10c2aa9 on June 21, 2026 21:13
@DeepDiver1975 DeepDiver1975 merged commit cf05991 into master Jun 21, 2026
3 checks passed
@DeepDiver1975 DeepDiver1975 deleted the dependabot/npm_and_yarn/undici-7.28.0 branch June 21, 2026 21:14