@nerdy-tech-com-gitub
Owner

Snyk has created this PR to upgrade undici from 4.12.0 to 7.16.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 152 versions ahead of your current version.

  • The recommended version was released 2 months ago.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

Issues fixed by the recommended upgrade:

| Severity | Issue | Snyk ID | Score | Exploit Maturity |
|---|---|---|---|---|
| high | Insecure Randomness | SNYK-JS-UNDICI-8641354 | 63 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-UNDICI-3323845 | 63 | Proof of Concept |
| high | Insecure Randomness | SNYK-JS-UNDICI-8641354 | 63 | Proof of Concept |
| high | Denial of Service (DoS) | SNYK-JS-WS-7266574 | 63 | Proof of Concept |
| high | Prototype Poisoning | SNYK-JS-QS-3153490 | 63 | Proof of Concept |
| high | Prototype Poisoning | SNYK-JS-QS-3153490 | 63 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-SEMVER-3247795 | 63 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-SEMVER-3247795 | 63 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ANSIREGEX-1583908 | 63 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-ANSIREGEX-1583908 | 63 | Proof of Concept |
| high | Remote Code Execution (RCE) | SNYK-JS-SHELLQUOTE-1766506 | 63 | No Known Exploit |
| high | Improper Link Resolution Before File Access ('Link Following') | SNYK-JS-TARFS-10293725 | 63 | No Known Exploit |
| high | Symlink Attack | SNYK-JS-TARFS-9535930 | 63 | Mature |
| high | Asymmetric Resource Consumption (Amplification) | SNYK-JS-BODYPARSER-7926860 | 63 | No Known Exploit |
| high | Excessive Platform Resource Consumption within a Loop | SNYK-JS-BRACES-6838727 | 63 | Proof of Concept |
| high | Denial of Service (DoS) | SNYK-JS-DECODEURICOMPONENT-3149970 | 63 | Proof of Concept |
| high | Improper Handling of Extra Parameters | SNYK-JS-FOLLOWREDIRECTS-6141137 | 63 | Proof of Concept |
| high | Regular Expression Denial of Service (ReDoS) | SNYK-JS-GETFUNCNAME-5923417 | 63 | Proof of Concept |
| high | Prototype Pollution | SNYK-JS-JSONSCHEMA-1920922 | 63 | No Known Exploit |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-UAPARSERJS-3244450 | 63 | Proof of Concept |
| medium | Improper Certificate Validation | SNYK-JS-UNDICI-2928996 | 63 | Proof of Concept |
| medium | CRLF Injection | SNYK-JS-UNDICI-2953389 | 63 | Proof of Concept |
| medium | CRLF Injection | SNYK-JS-UNDICI-2980276 | 63 | No Known Exploit |
| medium | Server-side Request Forgery (SSRF) | SNYK-JS-UNDICI-2980286 | 63 | No Known Exploit |
| medium | CRLF Injection | SNYK-JS-UNDICI-3323844 | 63 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-MINIMATCH-3050818 | 63 | No Known Exploit |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-OCTOKITENDPOINT-8730856 | 63 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-OCTOKITPLUGINPAGINATEREST-8730855 | 63 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-OCTOKITREQUEST-8730853 | 63 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-OCTOKITREQUESTERROR-8730854 | 63 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-PATHTOREGEXP-7925106 | 63 | Proof of Concept |
| medium | Improper Input Validation | SNYK-JS-POSTCSS-5926692 | 63 | No Known Exploit |
| medium | Cross-site Scripting (XSS) | SNYK-JS-ROLLUP-8073097 | 63 | Proof of Concept |
| medium | Symlink Following | SNYK-JS-TARFS-13045213 | 63 | No Known Exploit |
| medium | Symlink Attack | SNYK-JS-TMP-11501554 | 63 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-BABELHELPERS-9397697 | 63 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-BABELRUNTIME-10044504 | 63 | Proof of Concept |
| medium | Cross-site Scripting (XSS) | SNYK-JS-COOKIE-8163060 | 63 | No Known Exploit |
| medium | Improper Control of Dynamically-Managed Code Resources | SNYK-JS-EJS-6689533 | 63 | Proof of Concept |
| medium | Information Exposure | SNYK-JS-FOLLOWREDIRECTS-2332181 | 63 | Proof of Concept |
| medium | Information Exposure | SNYK-JS-FOLLOWREDIRECTS-6444610 | 63 | Proof of Concept |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-LOADERUTILS-3042992 | 63 | No Known Exploit |
| medium | Regular Expression Denial of Service (ReDoS) | SNYK-JS-LOADERUTILS-3105943 | 63 | No Known Exploit |
| medium | Inefficient Regular Expression Complexity | SNYK-JS-MICROMATCH-6838728 | 63 | No Known Exploit |
| low | Missing Release of Memory after Effective Lifetime | SNYK-JS-UNDICI-10176064 | 63 | Proof of Concept |
| low | Missing Release of Memory after Effective Lifetime | SNYK-JS-UNDICI-10176064 | 63 | Proof of Concept |
| low | Information Exposure | SNYK-JS-UNDICI-2957529 | 63 | Proof of Concept |
| low | Information Exposure | SNYK-JS-UNDICI-5962466 | 63 | No Known Exploit |
| low | Permissive Cross-domain Policy with Untrusted Domains | SNYK-JS-UNDICI-6252336 | 63 | No Known Exploit |
| low | Improper Access Control | SNYK-JS-UNDICI-6564963 | 63 | No Known Exploit |
| low | Improper Authorization | SNYK-JS-UNDICI-6564964 | 63 | No Known Exploit |
| low | Prototype Pollution | SNYK-JS-MINIMIST-2429795 | 63 | Proof of Concept |
| low | Regular Expression Denial of Service (ReDoS) | SNYK-JS-BRACEEXPANSION-9789073 | 63 | Proof of Concept |
| low | Regular Expression Denial of Service (ReDoS) | SNYK-JS-BRACEEXPANSION-9789073 | 63 | Proof of Concept |
| low | Information Exposure | SNYK-JS-FOLLOWREDIRECTS-2396346 | 63 | No Known Exploit |

Release notes
Package name: undici
  • 7.16.0 - 2025-09-09

    What's Changed

    • Drop npm token, use OIDC instead by @mcollina in #4447
    • fetch: instantiate readableStream in extractBody with sync methods by @Uzlopak in #4350
    • fix: remove async on [kClose] and [kDestroy], only return Promise by @Uzlopak in #4450
    • fetch: make consumeBody sync by @Uzlopak in #4449
    • perf: make client.connect() sync by @Uzlopak in #4455
    • fetch: remove promise in exported fetch by @Uzlopak in #4452
    • fix(#4451): implement http2 cookie support by @metcoder95 in #4453
    • test: cache store tests should properly be skipped by @Uzlopak in #4463
    • test: fix IPv6 skip check for test/client.js by @Uzlopak in #4466
    • test: remove skip check for AbortSignal.timeout, as it exists since node18 by @Uzlopak in #4464
    • test: investigate macos failing by @Uzlopak in #4467
    • test: remove obsolete < node v18 test case for http2 by @Uzlopak in #4461
    • perf: avoid intermediate promise on BodyReadable.dump by @Uzlopak in #4459
    • test: remove skip check for long-lived-abort-controller test (was flaky 10 months ago) by @Uzlopak in #4465
    • test: remove skip checks for existance of global available Blob and File by @Uzlopak in #4460
    • perf (fetch): use less promises for ReadableStream by @Uzlopak in #4457
    • fix: catch synchronous errors in request callbacks by @mcollina in #4443
    • fix: avoid instanceof MockNotMatchedError by @Uzlopak in #4474
    • eventsource: remove promise for #reconnect method by @Uzlopak in #4469
    • feat: make UndiciErrors reliable to instanceof by @Uzlopak in #4472
    • chore: call super() after type checks by @Uzlopak in #4475
    • chore: FixedQueue does not need special constructor by @Uzlopak in #4476
    • fix: buildAndValidateMockOptions should always get an object passed and always return an object by @Uzlopak in #4479
    • fix: remove unused ResponseStatusCodeError by @Uzlopak in #4473
    • chore: pool and dispatcherbase dont need constructor, use no array helper functions by @Uzlopak in #4477
    • lint: avoid unintented use of globals in code and tests, improve test for installing/overwriting globals by @Uzlopak in #4478
    • test: fix macos flakyness by @Uzlopak in #4468
    • fix: 'no-referrer-when-downgrade' in determineRequestsReferrer should return referrerURL by @Uzlopak in #4482
    • fix: deflake cache-fastimers-fix.js by @Uzlopak in #4491
    • fix: improve validation of IP addresses as trustworthy, correct ipv4 check by @Uzlopak in #4489
    • test (pool.js): fix flakyness of clientTtl test by @Uzlopak in #4494
    • test (eventsource): refactor tests for eventsource, speed them up by @Uzlopak in #4493
    • fix: remove useless catch in client-h1.js by @Uzlopak in #4481
    • test: skip flaky encoding test on macos and node20 by @Uzlopak in #4497
    • fix: implement proper stale-while-revalidate behavior per RFC 5861 by @mcollina in #4492
    • test (websocket): speed up test/websocket/issue-2679.js by @Uzlopak in #4501
    • webidl: fix existing and add missing buffer source converters by @Renegade334 in #4503
    • use real wpt test server by @KhafraDev in #4486
    • test: another try to fix flaky macos and node 20 by @Uzlopak in #4490
    • build(deps): bump actions/checkout from 4 to 5 by @dependabot[bot] in #4507
    • build(deps): bump actions/dependency-review-action from 4.7.1 to 4.7.3 by @dependabot[bot] in #4509
    • fix writing to websocketstream with SharedArrayBuffer/SharedArrayBuff… by @KhafraDev in #4504
    • test: use faketimers for test/client-keep-alive, refactor a little by @Uzlopak in #4499
    • build(deps): bump github/codeql-action from 3.29.7 to 3.30.0 by @dependabot[bot] in #4510
    • build(deps): bump codecov/codecov-action from 5.4.3 to 5.5.0 by @dependabot[bot] in #4508
    • fix(h2): adjust :scheme on h2 requests by @metcoder95 in #4454
    • chore: use lowercase filenames, remove unused verifyVersion.js by @Uzlopak in #4514
    • chore: refactor workflows by @Uzlopak in #4513
    • chore: use [] instead of new Array(0) by @Uzlopak in #4435
    • change webidl attribute to bitwise flag by @KhafraDev in #4505
    • chore: make also cache-tests integrated as a submodule by @Uzlopak in #4517
    • ci: fine grained test nodejs workflow by @Uzlopak in #4516
    • feat: Support for capping the number of origins in Agent by @JoshMock in #4365
    • wpt: properly handle write permissions errors in wpt-runner setup by @Uzlopak in #4518
    • fetch: process content-encoding header only if relevant by @Uzlopak in #4496
    • websocket: always emit error event by @KhafraDev in #4521
    • refactor: parseHttpDate by @Uzlopak in #4421
    • fix: wpt should use master branch by @Uzlopak in #4524
    • fix: shell command built from environment values by @ptrgits in #4392
    • example: use metcoders https-pem for the example by @Uzlopak in #4436
    • Disable SIMD for PPC64 architecture, add UNDICI_NO_WASM_SIMD env to facilitate testing by @mcollina in #4530
    • fix: make error symbols non enumerable by @Uzlopak in #4531

    New Contributors

    Full Changelog: v7.15.0...v7.16.0

  • 7.15.0 - 2025-08-22

    What's Changed

See this package in npm:
undici

See this project in Snyk:
https://app.snyk.io/org/nerds-github/project/bf4e0bbc-6133-4196-a6ba-f683223a4e51?utm_source=github&utm_medium=referral&page=upgrade-pr