
Commit ee6b102

Upgrade: [dependabot] - bump undici from 5.29.0 to 7.24.1 (#139)
Bumps [undici](https://github.com/nodejs/undici) from 5.29.0 to 7.24.1.

Release notes
Sourced from [undici's releases](https://github.com/nodejs/undici/releases).

## v7.24.1

### What's Changed

- fix: `__proto__` pollution by [@rahulyadav5524](https://github.com/rahulyadav5524) in [nodejs/undici#4885](https://redirect.github.com/nodejs/undici/pull/4885)

**Full Changelog**: https://github.com/nodejs/undici/compare/v7.24.0...v7.24.1

## v7.24.0

# Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

### Upgrade guidance

All users on v7 should upgrade to **v7.24.0** or later.

### Fixed advisories

- [GHSA-2mjp-6q6p-2qxm](https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm) / CVE-2026-1525 (Medium): Inconsistent interpretation of HTTP requests (request/response smuggling class issue).
- [GHSA-f269-vfmq-vjvj](https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj) / CVE-2026-1528 (High): Malicious WebSocket 64-bit frame length handling could crash the client.
- [GHSA-phc3-fgpg-7m6h](https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h) / CVE-2026-2581 (Medium): Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).
- [GHSA-4992-7rv2-5pvq](https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq) / CVE-2026-1527 (Medium): CRLF injection via the `upgrade` option.
- [GHSA-v9p9-hfj2-hcw8](https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8) / CVE-2026-2229 (High): Unhandled exception from invalid `server_max_window_bits` in WebSocket permessage-deflate negotiation.
- [GHSA-vrm6-8vpv-qv8q](https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q) / CVE-2026-1526 (High): Unbounded memory consumption in WebSocket permessage-deflate decompression.

### Affected and patched ranges

- CVE-2026-1525: affected `7.0.0 < 7.24.0`, patched `7.24.0`
- CVE-2026-1528: affected `7.0.0 < 7.24.0`, patched `7.24.0`
- CVE-2026-2581: affected `>= 7.17.0 < 7.24.0`, patched `7.24.0`
- CVE-2026-1527: affected `7.0.0 < 7.24.0`, patched `7.24.0`
- CVE-2026-2229: affected `7.0.0 < 7.24.0`, patched `7.24.0`
- CVE-2026-1526: affected `7.0.0 < 7.24.0`, patched `7.24.0`

### References

- GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
- NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
- NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528

[raw HTML omitted]
... (truncated)

Commits

- [23e3cd3](https://github.com/nodejs/undici/commit/23e3cd362ba6beb3988e6a9a63000336dd219591) Bumped v7.24.1
- [3aedaa8](https://github.com/nodejs/undici/commit/3aedaa8d5f701da767616df2dced7d4daa7c1566) remove PLAN.md
- [0d7ec33](https://github.com/nodejs/undici/commit/0d7ec33ff37563d3e7c98d11d7bca736f330d156) fix: `__proto__` pollution ([#4885](https://redirect.github.com/nodejs/undici/issues/4885))
- [07a3906](https://github.com/nodejs/undici/commit/07a39067a0485c1953196f500d945fe09378a176) Bumped v7.24.0 ([#4887](https://redirect.github.com/nodejs/undici/issues/4887))
- [74495c6](https://github.com/nodejs/undici/commit/74495c63ab23ef39be99983ed6de81df5d203d45) fix: reject duplicate content-length and host headers
- [84235c6](https://github.com/nodejs/undici/commit/84235c62e0fe7494cec13f81d5732db0859df417) Fix websocket 64-bit length overflow
- [77594f9](https://github.com/nodejs/undici/commit/77594f923cef4c27ee0bad365e7b4c44a199edae) fix: validate upgrade header to prevent CRLF injection
- [cb79c57](https://github.com/nodejs/undici/commit/cb79c5704ac47e42ce01a72269994fc70e377536) fix: validate server_max_window_bits range in permessage-deflate
- [4147ce2](https://github.com/nodejs/undici/commit/4147ce21277b3566d02d3be789e5f7a490089db2) Merge commit '2ee00cb3'
- [2ee00cb](https://github.com/nodejs/undici/commit/2ee00cb322c76b0bf56829462d7c1dc53d1cbe3d) fix(websocket): add maxDecompressedMessageSize limit for permessage-deflate
- Additional commits viewable in [compare view](https://github.com/nodejs/undici/compare/v5.29.0...v7.24.1)

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Install script changes

This version modifies the `prepare` script that runs during installation. Review the package contents before updating.

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
1 parent bda627e commit ee6b102

1 file changed: 3 additions & 3 deletions

File tree

package-lock.json

Some generated files are not rendered by default.
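Review bot: only package-lock.json changes (3 additions, 3 deletions) for a bump across two major versions, 5.29.0 to 7.24.1, so undici is being resolved to 7.x with no change to any declared dependency range in package.json; confirm that whatever pulls undici in (package.json directly, or the dependant that lists it) is compatible with the 7.x API, and, because the commit message flags both a modified `prepare` install script and a new npm releaser (GitHub Actions) for this package, inspect the published tarball contents and the new lock-file `integrity` value before merging rather than relying on the version number alone.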
