[Snyk] Upgrade undici from 4.12.0 to 7.18.2

[nerdy-tech-com-gitub]

Snyk has created this PR to upgrade undici from 4.12.0 to 7.18.2.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 157 versions ahead of your current version.

• The recommended version was released a month ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Remote Code Execution (RCE) SNYK-JS-SHELLQUOTE-1766506	177	No Known Exploit
	Improper Link Resolution Before File Access ('Link Following') SNYK-JS-TARFS-10293725	177	No Known Exploit
	Symlink Attack SNYK-JS-TARFS-9535930	177	Mature
	Insecure Randomness SNYK-JS-UNDICI-8641354	177	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UNDICI-3323845	177	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	177	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-ANSIREGEX-1583908	177	Proof of Concept
	Insecure Randomness SNYK-JS-UNDICI-8641354	177	Proof of Concept
	Denial of Service (DoS) SNYK-JS-WS-7266574	177	Proof of Concept
	Asymmetric Resource Consumption (Amplification) SNYK-JS-BODYPARSER-7926860	177	No Known Exploit
	Excessive Platform Resource Consumption within a Loop SNYK-JS-BRACES-6838727	177	Proof of Concept
	Denial of Service (DoS) SNYK-JS-DECODEURICOMPONENT-3149970	177	Proof of Concept
	Improper Handling of Extra Parameters SNYK-JS-FOLLOWREDIRECTS-6141137	177	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-GETFUNCNAME-5923417	177	Proof of Concept
	Prototype Pollution SNYK-JS-JSONSCHEMA-1920922	177	No Known Exploit
	Prototype Poisoning SNYK-JS-QS-3153490	177	Proof of Concept
	Prototype Poisoning SNYK-JS-QS-3153490	177	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	177	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-SEMVER-3247795	177	Proof of Concept
	Symlink Following SNYK-JS-TARFS-13045213	177	No Known Exploit
	Symlink Attack SNYK-JS-TMP-11501554	177	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-UAPARSERJS-3244450	177	Proof of Concept
	Improper Certificate Validation SNYK-JS-UNDICI-2928996	177	Proof of Concept
	CRLF Injection SNYK-JS-UNDICI-2953389	177	Proof of Concept
	CRLF Injection SNYK-JS-UNDICI-2980276	177	No Known Exploit
	Server-side Request Forgery (SSRF) SNYK-JS-UNDICI-2980286	177	No Known Exploit
	CRLF Injection SNYK-JS-UNDICI-3323844	177	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELHELPERS-9397697	177	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BABELRUNTIME-10044504	177	Proof of Concept
	Cross-site Scripting (XSS) SNYK-JS-COOKIE-8163060	177	No Known Exploit
	Improper Control of Dynamically-Managed Code Resources SNYK-JS-EJS-6689533	177	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2332181	177	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-6444610	177	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3042992	177	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-LOADERUTILS-3105943	177	No Known Exploit
	Prototype Pollution SNYK-JS-LODASH-15053838	177	No Known Exploit
	Inefficient Regular Expression Complexity SNYK-JS-MICROMATCH-6838728	177	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-3050818	177	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITENDPOINT-8730856	177	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITPLUGINPAGINATEREST-8730855	177	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITREQUEST-8730853	177	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-OCTOKITREQUESTERROR-8730854	177	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-PATHTOREGEXP-7925106	177	Proof of Concept
	Improper Input Validation SNYK-JS-POSTCSS-5926692	177	No Known Exploit
	Cross-site Scripting (XSS) SNYK-JS-ROLLUP-8073097	177	Proof of Concept
	Missing Release of Memory after Effective Lifetime SNYK-JS-UNDICI-10176064	177	Proof of Concept
	Missing Release of Memory after Effective Lifetime SNYK-JS-UNDICI-10176064	177	Proof of Concept
	Information Exposure SNYK-JS-UNDICI-2957529	177	Proof of Concept
	Information Exposure SNYK-JS-UNDICI-5962466	177	No Known Exploit
	Permissive Cross-domain Policy with Untrusted Domains SNYK-JS-UNDICI-6252336	177	No Known Exploit
	Improper Access Control SNYK-JS-UNDICI-6564963	177	No Known Exploit
	Improper Authorization SNYK-JS-UNDICI-6564964	177	No Known Exploit
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	177	Proof of Concept
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	177	Proof of Concept
	Information Exposure SNYK-JS-FOLLOWREDIRECTS-2396346	177	No Known Exploit
	Prototype Pollution SNYK-JS-MINIMIST-2429795	177	Proof of Concept

Release notes

Package name: undici

• 7.18.2 - 2026-01-06
  

  ⚠️ Security Release

  This fixes GHSA-g9mf-h72j-4rw9 and CVE-2026-22036.

  What's Changed

  • fix(decompress): limit Content-Encoding chain to 5 to prevent resourc… by @ mcollina in #4729

  Full Changelog: v7.18.1...v7.18.2

• 7.18.1 - 2026-01-06
  

  What's Changed

  • Test and Fix running without SSL by @ mcollina in #4727
  • docs: add security warning for strictContentLength option by @ mcollina in #4726
  • build(deps): bump step-security/harden-runner from 2.13.1 to 2.14.0 by @ dependabot[bot] in #4718
  • build(deps): bump actions/checkout from 6.0.0 to 6.0.1 by @ dependabot[bot] in #4719

  Full Changelog: v7.18.0...v7.18.1

• 7.18.0 - 2026-01-05
  

  What's Changed

  Full Changelog: v7.17.0...v7.18.0

• 7.17.0 - 2026-01-05
  

  What's Changed

  • chore: extract infra and encoding methods by @ Uzlopak in #4523
  • ci: remove h2 by @ Uzlopak in #4534
  • ci: make nodejs-shared wf reusable, install binaryen for wasm-opt, test on node-nightly by @ Uzlopak in #4535
  • ci: fix nightly shared library case by @ Uzlopak in #4543
  • test: consume bodies of fetch responses to fix failing macos 20 ci by @ Uzlopak in #4528
  • docs: add Cache Interceptor example to README by @ tawseefnabi in #4393
  • test: remove node20 version check by @ Uzlopak in #4544
  • types: use MessagePort instance type in MessageEvent by @ Renegade334 in #4546
  • ci: set write permissions on job level by @ Uzlopak in #4537
  • lint: activate n/no-process-exit by @ Uzlopak in #4548
  • ci: run benchmarks on pull_requests and by pushing on specific branches only by @ Uzlopak in #4536
  • chore: activate n/prefer-node-protocol to enforce 'node:' prefix for requiring node built-ins by @ Uzlopak in #4547
  • feat(H2): correct CONNECT behaviour by @ metcoder95 in #4541
  • test: fix plans by @ Uzlopak in #4550
  • feat: add runtime feature "detection" by @ Uzlopak in #4545
  • perf: use less promises in extractBody by @ Uzlopak in #4458
  • fix(proxy-agent): add missing return after callback-call by @ Uzlopak in #4553
  • fix: remove redundant line in retry-handler by @ Uzlopak in #4554
  • ci: add no-wasm-simd option by @ Uzlopak in #4533
  • fix: use lazyloaders for runtime feature detection by @ Uzlopak in #4557
  • fix: minor changes in dispatcher-base.js and types for Dispatcher by @ Uzlopak in #4556
  • http2: refactor and split tests of http2.js into multiple files by @ Uzlopak in #4561
  • fix: dns-interceptor test should await plan to complete by @ Uzlopak in #4560
  • chore: remove istanbul instructions by @ Uzlopak in #4559
  • fix: keep promise chains intact by @ Uzlopak in #4558
  • build(deps): bump wait-on from 8.0.5 to 9.0.1 in /benchmarks by @ dependabot[bot] in #4567
  • chore: remove tspl from eventsource by @ Uzlopak in #4569
  • chore: remove tspl from fetch by @ Uzlopak in #4570
  • feat: add getUpstream() method to BalancedPool by @ mcollina in #4586
  • fetch: handle invalid priority values properly by @ Uzlopak in #4522
  • ci: fix test coverage for codecov by @ Uzlopak in #4520
  • types: optional status in Response.redirect by @ gineika in #4591
  • docs: unix socket add-on by @ FelixVaughan in #4587
  • build(deps): bump codecov/codecov-action from 5.5.0 to 5.5.1 by @ dependabot[bot] in #4601
  • build(deps): bump hendrikmuhs/ccache-action from 1.2.18 to 1.2.19 by @ dependabot[bot] in #4600
  • build(deps): bump ossf/scorecard-action from 2.4.2 to 2.4.3 by @ dependabot[bot] in #4603
  • build(deps): bump actions/setup-node from 4.0.2 to 5.0.0 by @ dependabot[bot] in #4604
  • build(deps): bump actions/github-script from 7.0.1 to 8.0.0 by @ dependabot[bot] in #4602
  • build(deps): bump step-security/harden-runner from 2.13.0 to 2.13.1 by @ dependabot[bot] in #4598
  • build(deps): bump github/codeql-action from 3.30.0 to 3.30.5 by @ dependabot[bot] in #4599
  • build(deps): bump actions/dependency-review-action from 4.7.3 to 4.8.0 by @ dependabot[bot] in #4597
  • fix: cacheStores types and usage in README by @ lucalooz in #4605
  • Feat dns interceptor storage by @ SuperOleg39 in #4589
  • docs: add crawling best practices by @ Uzlopak in #4590
  • fix: 304 not modified reply upon revalidation did not update cache. by @ daan944 in #4617
  • chore: use testcontext for test:infra by @ Uzlopak in #4579
  • fetch: improve regexes in data-uri.js by @ Uzlopak in #4483
  • perf: optimize validate http token by @ PandaWorker in #4608
  • test: improve long-lived-abort-controller test by @ Uzlopak in #4621
  • ci: add node.js 25 to test matrix by @ shivarm in #4626
  • chore: use testcontext for test/utils tests by @ Uzlopak in #4577
  • chore: remove tspl from websocket by @ Uzlopak in #4568
  • fix(ws) onSocketClose being called multiple times by @ KhafraDev in #4632
  • fix: prevent duplicate debug logs when multiple undici instances exist by @ mcollina in #4630
  • chore: use testcontext for busboy tests by @ Uzlopak in #4572
  • test: fix flaky http2-dispatcher test by @ mcollina in #4633
  • build(deps): bump uWebSockets.js from v20.52.0 to v20.54.0 in /benchmarks by @ dependabot[bot] in #4635
  • Run the gc() in long-lived-abort-controller test by @ mcollina in #4638
  • Do not destroy the HTTP2 stream twice in tests by @ mcollina in #4637
  • Fix http2-dispatcher test by @ mcollina in #4640
  • fix: fetch blob with range off-by-one error by @ platypii in #4643
  • fix: ensure HTTP/2 sends Content-Length for empty POST requests by @ mcollina in #4613
  • build(deps): bump uWebSockets.js from v20.54.0 to v20.55.0 in /benchmarks by @ dependabot[bot] in #4645
  • feat(#2458): WebSocket through HTTP/2 by @ metcoder95 in #4540
  • docs(README): correct the example code for the consumption of respons… by @ tenkirin in #4658
  • build(deps): bump github/codeql-action from 3.30.5 to 4.31.2 by