fix(deps): update dependency undici to v5.28.5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	5.28.4 -> 5.28.5

GitHub Vulnerability Alerts

CVE-2025-22150

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker controlled servers.

References

• https://hackerone.com/reports/2913312
• https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f

---

Release Notes

nodejs/undici (undici)

v5.28.5

Compare Source

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

Full Changelog: nodejs/undici@v5.28.4...v5.28.5

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 92.78%. Comparing base (0f6c17d) to head (00463af).
Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1821   +/-   ##
=======================================
  Coverage   92.78%   92.78%           
=======================================
  Files          36       36           
  Lines        1358     1358           
  Branches      273      273           
=======================================
  Hits         1260     1260           
  Misses         68       68           
  Partials       30       30           

Flag	Coverage Δ
aarch64	92.56% <ø> (ø)
aarch64-without-git	92.56% <ø> (ø)
alpine	92.78% <ø> (ø)
alpine-proxy	92.56% <ø> (ø)
alpine-without-git	92.78% <ø> (ø)
linux	92.56% <ø> (ø)
linux-without-git	92.56% <ø> (ø)
macos	92.56% <ø> (ø)
macos-arm64	92.56% <ø> (ø)
macos-arm64-without-git	92.56% <ø> (ø)
macos-without-git	92.56% <ø> (ø)
macos-x64	92.56% <ø> (ø)
macos-x64-without-git	92.56% <ø> (ø)
windows	92.56% <ø> (ø)
windows-without-git	92.56% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.