Dependabot reports CVE-2025-22150 for undici <`5.28.5`

[MikeMcC399]

Dependabot is reporting CVE-2025-22150 for undici <5.28.5.

It would be helpful if actions/toolkit updated to a patched undici version, such as 5.28.5 to force installation of a non-vulnerable version of undici.

The following shows usage in this repo:

• toolkit/packages/attest/package.json

  Line 42 in 1f7c2c7

  "undici": "^5.28.4"

• toolkit/packages/http-client/package.json

  Line 49 in 1f7c2c7

  "undici": "^5.25.4"

[yshi-parasoft]

Please update to a patch version that does not have CVE-2024-24750 vulnerability.

[MikeMcC399]

@yshi-parasoft

• I see you also opened a separate issue for this CVE-2024-24750 for undici < 6.6.1 #1967

From (including)6.0.0 | Up to (excluding)6.6.1

[mislav]

Looks like this was fixed in 95e7473

[MikeMcC399]

@mislav

Thank you very much for pointing out this is now fixed 🚀 !

It was mainly this one, which was important:

toolkit/packages/http-client/package.json

Line 49 in ec9716b

"undici": "^5.28.5"

This one (devDependencies) is also fixed:

toolkit/packages/attest/package.json

Line 42 in ec9716b

"undici": "^5.28.5"