Fix undici and flatted security vulnerabilities#248

Merged
Bulzan Sergiu (busec0) merged 4 commits into main from sergiubulzan/fix-undici-flatted-vulnerabilities
Mar 18, 2026
Conversation

@busec0 (Member)

Summary

  • Bump undici 6.23.0 → 6.24.1 — fixes 3 WebSocket CVEs (unbounded memory consumption, 64-bit length overflow, invalid server_max_window_bits validation)
  • Bump flatted 3.3.3 → 3.4.2 — fixes unbounded recursion DoS in parse() revive phase

Affected quickstart apps:

  • react-native-expo (undici + flatted)
  • javascript-tui (undici + flatted)
  • javascript-web (flatted)

Resolves: SPO-218, SPO-219, SPO-220, SPO-221, SPO-222, SPO-223, SPO-224, SPO-225, SPO-226, SPO-227, SPO-228, SPO-229, SPO-230, SPO-231, SPO-232, SPO-233

Test plan

  • Verify npm audit shows no new high/critical vulnerabilities in affected lock files
  • Verify each quickstart app builds and runs correctly

🤖 Generated with Claude Code

Bump vulnerable transitive dependencies:
- undici 6.23.0 → 6.24.1 (3 WebSocket CVEs: memory, overflow, validation)
- flatted 3.3.3 → 3.4.2 (unbounded recursion DoS in parse())

Resolves: SPO-218, SPO-219, SPO-220, SPO-221, SPO-222, SPO-223,
SPO-224, SPO-225, SPO-226, SPO-227, SPO-228, SPO-229, SPO-230,
SPO-231, SPO-232, SPO-233

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Copilot AI (Contributor) left a comment

Pull request overview

This PR pins transitive dependency versions (via overrides) to ensure specific versions of tar, undici, and/or flatted are used across the sample projects, and updates the relevant npm lockfiles where included.

Changes:

  • Add/update overrides entries to pin undici and flatted (and keep tar pinned where already present).
  • Update package-lock.json files to reflect the new resolved versions (React Native Expo + JavaScript Web).

Reviewed changes

Copilot reviewed 3 out of 6 changed files in this pull request and generated 1 comment.

Summary per file:

  • react-native-expo/package.json: Adds npm overrides for undici and flatted alongside existing pins.
  • react-native-expo/package-lock.json: Updates resolved dependency graph to match the pinned versions.
  • javascript-web/package.json: Adds npm overrides for flatted.
  • javascript-web/package-lock.json: Updates flatted resolution and related lockfile entries.
  • javascript-tui/package.json: Adds npm overrides for undici and flatted alongside existing tar pin.
Files not reviewed (2):
  • javascript-web/package-lock.json: Language not supported
  • react-native-expo/package-lock.json: Language not supported

Bulzan Sergiu (busec0) and others added 3 commits March 18, 2026 13:21
The overrides field is npm-only. Since this project uses yarn, the
pins must also be in resolutions to take effect with yarn install
--frozen-lockfile in CI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The lock file was previously generated with --legacy-peer-deps which
produced a dependency tree out of sync with package.json, causing
`npm ci` to fail in CI.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@busec0 Bulzan Sergiu (busec0) merged commit 774f06e into main Mar 18, 2026
18 of 19 checks passed
@busec0 Bulzan Sergiu (busec0) deleted the sergiubulzan/fix-undici-flatted-vulnerabilities branch March 18, 2026 18:31