[Snyk] Upgrade undici from 5.25.4 to 7.12.0

[snyk-io]

Snyk has created this PR to upgrade undici from 5.25.4 to 7.12.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 89 versions ahead of your current version.

• The recommended version was released 21 days ago.

Issues fixed by the recommended upgrade:

	Issue	Score	Exploit Maturity
	Insecure Randomness SNYK-JS-UNDICI-8641354	76	Proof of Concept
	Missing Release of Memory after Effective Lifetime SNYK-JS-UNDICI-10176064	76	Proof of Concept
	Information Exposure SNYK-JS-UNDICI-5962466	76	No Known Exploit
	Permissive Cross-domain Policy with Untrusted Domains SNYK-JS-UNDICI-6252336	76	No Known Exploit
	Improper Access Control SNYK-JS-UNDICI-6564963	76	No Known Exploit
	Improper Authorization SNYK-JS-UNDICI-6564964	76	No Known Exploit

Release notes

Package name: undici

• 7.12.0 - 2025-07-18
  

  What's Changed

  • test: remove tspl on 2283 test by @ Uzlopak in #4301
  • chore: reduce amount of intermediate functions by @ Uzlopak in #4298
  • ci: disable shared builtin CI tests by @ mcollina in #4276
  • webidl: remove unnecessary parameters from webidl.converters.RequestInfo and webidl.converters.RequestInit by @ Uzlopak in #4304
  • fetch: remove await, add jsdoc for some body read functions by @ Uzlopak in #4303
  • test: use assert and not testcontext in issue-2283.js by @ Uzlopak in #4306
  • chore: jsdoc use @ returns everywhere by @ Uzlopak in #4302
  • chore: fix typo by @ pimothyxd in #4312
  • build(deps): bump github/codeql-action from 3.28.18 to 3.29.2 by @ dependabot[bot] in #4315
  • feat: throw error when maxRedirections is used with undici.request() by @ mcollina in #4311
  • Clarify the type option of the cache interceptor by @ fredericDelaporte in #4299
  • cache: allow caching heuristically cacheable error status codes by @ mcollina in #4318
  • chore(doc): update undici vs fetch by @ styfle in #4319
  • don't set a finalizer on cloned request by @ tsctx in #4320
  • websocketstream: close readablestream properly by @ KhafraDev in #4322
  • add ping(websocket, payload) util by @ KhafraDev in #4325
  • fix sending ping with no payload by @ KhafraDev in #4329
  • refactor: eliminate eager llhttp promise creation by @ mcollina in #4337
  • Fix misleading cacheByDefault documentation by @ fredericDelaporte in #4338
  • add websocket to websocket diagnostic channels by @ KhafraDev in #4321
  • speed up flaky websocket test by @ KhafraDev in #4343
  • fetch: minor modifications by @ Uzlopak in #4347
  • fetch: make readable-stream methods sync by @ Uzlopak in #4346
  • remove creating an extra Promise just for common cleanup by @ bmeck in #4339
  • chore: extract createDeferredPromise from fetch/utils.js by @ Uzlopak in #4345

  New Contributors

  • @ pimothyxd made their first contribution in #4312
  • @ fredericDelaporte made their first contribution in #4299
  • @ bmeck made their first contribution in #4339

  Full Changelog: v7.11.0...v7.12.0

• 7.11.0 - 2025-06-26
  

  What's Changed

  • Update WPT by @ github-actions in #4214
  • feat(fetch): add zstandard decompression support by @ J3m5 in #4238
  • fix(debug): remove extra forward slash in logs by @ aidant in #4236
  • types: EventSource short handlers can be null by @ Uzlopak in #4246
  • remove finalizationregistry workaround by @ mcollina in #4250
  • build(deps): bump actions/dependency-review-action from 4.5.0 to 4.7.1 by @ dependabot in #4255
  • build(deps): bump github/codeql-action from 3.28.1 to 3.28.18 by @ dependabot in #4252
  • build(deps): bump codecov/codecov-action from 5.1.2 to 5.4.3 by @ dependabot in #4253
  • build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @ dependabot in #4254
  • Query unaware interceptors cache fix by @ FelixVaughan in #4240
  • docs: fix interceptor order description in compose method by @ mcollina in #4251
  • chore: require node native modules with node:-prefix by @ Uzlopak in #4256
  • fix: eventsource does not reconnect on network error by @ Uzlopak in #4247
  • fix: add guard by @ GeoffreyBooth in #4262
  • Extract webidl by @ Uzlopak in #4259
  • build(deps): bump peter-evans/create-pull-request from 7.0.6 to 7.0.8 by @ dependabot in #4132
  • build(deps-dev): bump fast-check from 3.23.2 to 4.1.1 by @ dependabot in #4167
  • build(deps): bump actions/upload-artifact from 4.5.0 to 4.6.2 by @ dependabot in #4137
  • build(deps-dev): bump tsd from 0.31.2 to 0.32.0 by @ dependabot in #4168
  • build(deps): bump hendrikmuhs/ccache-action from 1.2.14 to 1.2.18 by @ dependabot in #4190
  • build(deps): bump fastify/github-action-merge-dependabot from 3.11.0 to 3.11.1 by @ dependabot in #4135
  • build(deps): bump step-security/harden-runner from 2.11.1 to 2.12.0 by @ dependabot in #4188
  • build(deps-dev): bump borp from 0.19.0 to 0.20.0 by @ dependabot in #4194
  • Fix several WPT failures by @ tsctx in #4263
  • Update WPT by @ github-actions in #4235
  • node.js fetch is wrongly typed (#4271) by @ bpasero in #4272
  • Fix: Provide body on retry error, preserve socket by @ fatal10110 in #4228
  • add cause to WebSocket error by @ KhafraDev in #4274
  • doc: undici vs fetch by @ FelixVaughan in #4245
  • bench: add websockets by @ tsctx in #3203
  • webidl: remove fallback for USVString by @ Uzlopak in #4264
  • fix: Use correct Dispatcher.RequestOptions by @ IvanDimanov-OfficeRnD in #4281
  • feat: add install() function for global WHATWG fetch classes by @ mcollina in #4286
  • Fixed RedirectHandler type by @ rahulyadav5524 in #4278
  • feat(#4086): proxy keep alive by @ metcoder95 in #4128
  • Add cleanMocks to MockClient and MockPool by @ DemianParkhomenko in #4176
  • fetch: add missing new operator on TypeError instantiation in readAllBytes by @ Uzlopak in #4297
  • Skip failing wpts by @ mcollina in #4294
  • feat: add request body diagnostic channels by @ legendecas in #4289
  • Fix timer guards to avoid TypeError under fake‐timers and polyfilled … by @ 1ly4s0 in #4213
  • cache: update MemoryCacheStore default limits by @ mcollina in #4292
  • fix: EnvHttpProxyAgent.Options should accept ProxyAgent.Options by @ urugator in #4243

  New Contributors

  • @ J3m5 made their first contribution in #4238
  • @ aidant made their first contribution in #4236
  • @ bpasero made their first contribution in #4272
  • @ IvanDimanov-OfficeRnD made their first contribution in #4281
  • @ rahulyadav5524 made their first contribution in #4278
  • @ DemianParkhomenko made their first contribution in #4176
  • @ 1ly4s0 made their first contribution in #4213
  • @ urugator made their first contribution in #4243

  Full Changelog: v7.10.0...v7.11.0

• 7.10.0 - 2025-05-20
  

  What's Changed

  • Add "clientLifetime" option to close and remove connections from the pool after a specified time. by @ dhalbrook in #4175
  • remove spurious only by @ mcollina in #4207
  • add node v24 workflow by @ tsctx in #4206
  • Update WPT by @ github-actions in #4172
  • chore: add pnpm-lock.yaml to .gitignore by @ styfle in #4227
  • fix: agent memory leak by @ styfle in #4223
  • Add ability to detect when MemoryCacheStore reaches max size by @ FelixVaughan in #4224
  • feat(ProxyAgent): match Curl behavior in HTTP->HTTP Proxy connections by @ caitp in #4180
  • docs: correct example in FormData request by @ inyourtime in #4226

  New Contributors

  • @ dhalbrook made their first contribution in #4175
  • @ caitp made their first contribution in #4180
  • @ inyourtime made their first contribution in #4226

  Full Changelog: v7.9.0...v7.10.0

• 7.9.0 - 2025-05-10
  

  What's Changed

  • build(deps): bump step-security/harden-runner from 2.10.2 to 2.11.1 by @ dependabot in #4134
  • Update WPT by @ github-actions in #4155
  • Update WPT by @ github-actions in #4170
  • feat: add new acceptNonStandardSearchParameters MockAgent option by @ dario-piotrowicz in

[semanticdiff-com]

Review changes with  

Changed Files

File	Status
packages/http-client/package.json	0% smaller

[snyk-io]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)