chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
undici@>=5.0.0 (source)	^5.28.5 → ^5.29.0

GitHub Vulnerability Alerts

CVE-2026-22036

Impact

The fetch() API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.

However, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation.

Patches

Upgrade to 7.18.2 or 6.23.0.

Workarounds

It is possible to apply an undici interceptor and filter long Content-Encoding sequences manually.

References

• https://hackerone.com/reports/3456148
• GHSA-gm62-xv2j-4w53
• https://curl.se/docs/CVE-2022-32206.html

---

Release Notes

nodejs/undici (undici@>=5.0.0)

v5.29.0

Compare Source

What's Changed

• Fix tests in v5.x for Node 20 by @​mcollina in #​4104
• Removed clients with unrecoverable errors from the Pool #​4088

Full Changelog: nodejs/undici@v5.28.5...v5.29.0

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for brilliant-pasca-3e80ec canceled.

Name	Link
🔨 Latest commit	54c5f90
🔍 Latest deploy log	https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/6991a9f3c0b17c0008195d89

[github-actions]

🚀 Performance Test Results

Test Configuration:

• VUs: 4
• Duration: 1m0s

Test Metrics:

• Requests/s: 43.59
• Iterations/s: 14.55
• Failed Requests: 0.00% (0 of 2619)

📜 Logs

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test "-k" "-q" "--vus" "4" "--duration" "1m"

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 945 kB 16 kB/s
     data_sent......................: 2.0 MB 34 kB/s
     http_req_blocked...............: avg=7.51µs   min=2.05µs   med=5.38µs   max=673.09µs p(90)=6.63µs   p(95)=7.28µs  
     http_req_connecting............: avg=506ns    min=0s       med=0s       max=406.41µs p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=91.14ms  min=6.23ms   med=74.42ms  max=655.41ms p(90)=157.1ms  p(95)=180.55ms
       { expected_response:true }...: avg=91.14ms  min=6.23ms   med=74.42ms  max=655.41ms p(90)=157.1ms  p(95)=180.55ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 2619
     http_req_receiving.............: avg=90.5µs   min=24.67µs  med=78.68µs  max=2.72ms   p(90)=119.9µs  p(95)=152.06µs
     http_req_sending...............: avg=35.62µs  min=8.73µs   med=27.99µs  max=1.26ms   p(90)=40.54µs  p(95)=54.91µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=91.01ms  min=6.11ms   med=74.24ms  max=655.34ms p(90)=157.01ms p(95)=180.45ms
     http_reqs......................: 2619   43.592133/s
     iteration_duration.............: avg=274.76ms min=180.13ms med=261.09ms max=1.18s    p(90)=332.19ms p(95)=372.03ms
     iterations.....................: 874    14.547355/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4