
[Snyk] Security upgrade undici from 7.22.0 to 7.24.0 #5

Open

kantorcodes wants to merge 1 commit into master from snyk-fix-be76ee4ab382de09394ba2238b1b1080

Conversation

@kantorcodes (Member)

Snyk has created this PR to fix 6 vulnerabilities in the pnpm dependencies of this project.

Snyk changed the following file(s):

  • package.json

⚠️ Warning: Failed to update the pnpm-lock.yaml, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

  • medium severity: HTTP Request Smuggling (SNYK-JS-UNDICI-15518061)
  • high severity: Uncaught Exception (SNYK-JS-UNDICI-15518064)
  • high severity: Allocation of Resources Without Limits or Throttling (SNYK-JS-UNDICI-15518066)
  • high severity: Improper Handling of Highly Compressed Data (Data Amplification) (SNYK-JS-UNDICI-15518068)
  • high severity: Uncaught Exception (SNYK-JS-UNDICI-15518070)
  • medium severity: CRLF Injection (SNYK-JS-UNDICI-15518072)

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Uncaught Exception
🦉 Allocation of Resources Without Limits or Throttling
🦉 CRLF Injection

@kilo-code-bot (Bot) commented Mar 27, 2026

Code Review Summary

Status: 1 Issue Found | Recommendation: Fix before merge

Overview

Severity: WARNING (count: 1)

Issue Details

WARNING: package.json, line 45: Lock file not updated — pnpm-lock.yaml must be regenerated after the dependency bump to ensure reproducible builds. The PR description itself warns about this.
Other Observations (not in diff)

The PR description references 6 known vulnerabilities in undici 7.22.0 (HTTP Request Smuggling, Uncaught Exception, Resource Allocation, Data Amplification, CRLF Injection). The version bump to ^7.24.0 should address these, but the lock file update is required for the fix to take effect in CI/production builds.

Files Reviewed (1 file)
  • package.json - 1 issue

Reviewed by mimo-v2-pro-20260318 · 60,767 tokens

@chatgpt-codex-connector (Bot) left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: db11aa0aad

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment thread: package.json
"express": "4",
"pino": "^10.3.1",
"undici": "^7.22.0",
"undici": "^7.24.0",
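Review bot: the added line "undici": "^7.24.0" has no accompanying change to pnpm-lock.yaml in this PR, and the Snyk description itself reports that the lockfile update failed; with pnpm install --frozen-lockfile in CI the install aborts on that mismatch, so regenerate the lockfile (pnpm install, or pnpm install --lockfile-only) and commit it in the same PR so the upgraded undici actually reaches builds rather than leaving package.json and the lockfile disagreeing.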


P1: Update pnpm lockfile with the undici version bump

I checked .github/workflows/publish.yml and .github/workflows/publish-canary.yml, and both install dependencies with pnpm install --frozen-lockfile; with that mode, pnpm fails when package.json and pnpm-lock.yaml are out of sync. This change bumps undici to ^7.24.0, but pnpm-lock.yaml still pins specifier: ^7.22.0 and version: 7.22.0 (importer .), so CI/release workflows will fail at install and the intended security upgrade will not actually be applied.

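One way to automate the consistency check the Codex comment describes, as an added example that is not part of this PR, the project, or any of the bots' output: a POSIX shell script that compares the version range package.json declares for a package with the specifier pnpm-lock.yaml records under the root importer, and fails when they disagree. The package.json and pnpm-lock.yaml it writes are constructed sample data mirroring the values quoted in the thread, not the repository's real files, and the helper names (pkg_specifier, lock_specifier, lockfile_in_sync) are this example's own.

```shell
#!/bin/sh
# Added example: pre-merge check that pnpm-lock.yaml's "specifier" for a
# dependency matches what package.json declares. Not the project's code.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed package.json mirroring the bump in this PR (sample data only).
cat > "$WORKDIR/package.json" <<'EOF'
{
  "dependencies": {
    "express": "4",
    "pino": "^10.3.1",
    "undici": "^7.24.0"
  }
}
EOF

# Constructed lockfile fragment still pinning the old specifier (sample data only);
# the layout follows the importers/specifier/version shape quoted in the review.
cat > "$WORKDIR/pnpm-lock.yaml" <<'EOF'
lockfileVersion: '9.0'
importers:
  .:
    dependencies:
      undici:
        specifier: ^7.22.0
        version: 7.22.0
EOF

# pkg_specifier DIR NAME: print the version range package.json declares for NAME.
pkg_specifier() {
  sed -n "s/^[[:space:]]*\"$2\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1/package.json" | head -n 1
}

# lock_specifier DIR NAME: print the specifier pnpm-lock.yaml records for NAME,
# i.e. the "specifier:" line that follows the first "NAME:" key in the file.
lock_specifier() {
  awk -v name="$2" '
    $1 == (name ":") { want = 1; next }
    want && $1 == "specifier:" { print $2; exit }
  ' "$1/pnpm-lock.yaml"
}

# lockfile_in_sync DIR NAME: return 0 when both files agree on NAME, 1 otherwise.
lockfile_in_sync() {
  pkg="$(pkg_specifier "$1" "$2")"
  lock="$(lock_specifier "$1" "$2")"
  if [ -n "$pkg" ] && [ "$pkg" = "$lock" ]; then
    echo "ok: $2 specifier $pkg matches pnpm-lock.yaml"
    return 0
  fi
  echo "mismatch: package.json has $2 $pkg, pnpm-lock.yaml has ${lock:-<missing>}" >&2
  return 1
}

# Demonstration: the constructed files are out of sync, so this reports the mismatch.
lockfile_in_sync "$WORKDIR" undici || echo "regenerate pnpm-lock.yaml with 'pnpm install' before merging"
```

This is only a lightweight pre-check for a single package; the authoritative test remains running pnpm install --frozen-lockfile, which is exactly what the publish workflows named in the comment do and what will fail while the lockfile still records ^7.22.0.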

@gemini-code-assist


Warning

Gemini is experiencing higher than usual traffic and was unable to create the review. Please try again in a few hours by commenting /gemini review.

@internet-dot


Ready to merge. undici update from 7.22.0 to 7.24.0 - all CI checks pass.

3 participants