turbo
e761238c - fix: Upgrade @vercel/blob and @actions packages to fix undici vulnerability (#11608)

Commit
24 days ago
fix: Upgrade @vercel/blob and @actions packages to fix undici vulnerability (#11608)

## Summary

Fixes TURBO-5163: undici Unbounded decompression chain DoS vulnerability (CVE-2025-XXXX).

- Upgrades `@vercel/blob` from `^0.27.0` to `^2.0.1` in `packages/coverage-reporter`
- Upgrades `@actions/core` from `1.10.1` to `^3.0.0` in `packages/top-issues`
- Upgrades `@actions/github` from `5.1.1` to `^9.0.0` in `packages/top-issues`

All transitive `undici` dependencies are now at `6.23.0` (patched version).

## Breaking changes review

- `@vercel/blob@2.0.1`: Patch release specifically to upgrade undici, API unchanged
- `@actions/core@3.0.0`: ESM-only (top-issues already uses ESM with `.mjs`)
- `@actions/github@9.0.0`: API compatible - uses same `getOctokit`, `context.repo` patterns

Both packages are private/internal, so these major version bumps have minimal risk.
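One way to check the statement that every transitive `undici` copy sits at the patched `6.23.0`, as an added example that is not part of the commit or the turbo repository. It assumes a dependency tree in the nested shape that `npm ls --all --json` prints; the sample tree, its intermediate package versions and the function names are constructed for illustration, and any copy below the single floor named in the commit message is reported for review.

```javascript
// Added example: list every undici copy in a dependency tree and flag those
// below the patched version named in the commit message.
const PATCHED = '6.23.0';

// Parse "x.y.z" (ignoring any pre-release suffix) into three numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a is strictly lower than version b.
function isBelow(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return true; // unparseable versions are reported, not trusted
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Walk the nested "dependencies" maps and record each undici instance together
// with the chain of packages that pulls it in.
function findUndici(node, path = [], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === 'undici') {
      out.push({ version: dep.version, path: here.join(' > '),
                 ok: !isBelow(dep.version, PATCHED) });
    }
    findUndici(dep, here, out);
  }
  return out;
}

// Only the copies that still need an upgrade.
function belowFloor(tree) {
  return findUndici(tree).filter((hit) => !hit.ok);
}

// Constructed sample: one upgraded branch, one branch still on an old copy.
const sampleTree = {
  name: 'constructed-workspace',
  dependencies: {
    '@vercel/blob': { version: '2.0.1', dependencies: { undici: { version: '6.23.0' } } },
    '@actions/github': { version: '5.1.1', dependencies: {
      '@actions/http-client': { version: '2.2.0', dependencies: { undici: { version: '5.28.4' } } } } },
  },
};

for (const hit of belowFloor(sampleTree)) console.log(`below ${PATCHED}: ${hit.path}`);
```

Run in CI against the real tree, a non-empty `belowFloor` result is the signal that a direct dependency still pins an unpatched copy.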