
[Bug]: Security vulnerability GHSA-g9mf-h72j-4rw9 in undici dependency #187

@WilliamBerryiii

Description
Component

Other

Bug Description

Security vulnerability GHSA-g9mf-h72j-4rw9 (CVE-2026-22036) affects the undici npm package used transitively in this project.

| Attribute | Value |
|---|---|
| CVE | CVE-2026-22036 |
| GHSA | GHSA-g9mf-h72j-4rw9 |
| Severity | Low (CVSS 3.7/10) |
| CWE | CWE-770 (Allocation of Resources Without Limits) |
| Affected | undici >= 7.0.0, < 7.18.2 |
| Fixed | undici 7.18.2 |

The vulnerability allows unbounded decompression chains in HTTP responses, potentially causing high CPU usage and memory allocation.

Expected Behavior

npm audit should report no vulnerabilities for GHSA-g9mf-h72j-4rw9.

Steps to Reproduce

  1. Run npm audit
  2. Observe vulnerability reported for undici@7.16.0

Dependency chain:

markdown-link-check@3.14.2 → cheerio@1.1.2 → undici@7.16.0 (vulnerable)

Additional Context

Risk Assessment: Low - undici is only used transitively by markdown-link-check for CI/CD link validation.

Remediation: Add npm overrides to force undici to patched version 7.18.2.
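One way to apply that remediation, shown here as an added example rather than anything taken from the project's own repository: an npm `overrides` block in `package.json` (supported by npm 8.3 and later) that pins the transitive undici to the patched release only within the `markdown-link-check` subtree, following the dependency chain above. The package name `my-project` and the `devDependencies` placement are assumptions.

```json
{
  "name": "my-project",
  "private": true,
  "devDependencies": {
    "markdown-link-check": "3.14.2"
  },
  "overrides": {
    "markdown-link-check": {
      "cheerio": {
        "undici": "7.18.2"
      }
    }
  }
}
```

After editing, run `npm install` so the lockfile is regenerated, then confirm with `npm ls undici` that only 7.18.2 resolves and that `npm audit` no longer lists GHSA-g9mf-h72j-4rw9. An unscoped `"undici": "7.18.2"` entry would instead pin every copy of undici in the tree, which is simpler but also affects any other consumer of the package.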

References:

Labels: bug (Something isn't working), dependencies (Dependency updates), security (Security-related changes or concerns)
