Bump undici from 7.20.0 to 7.24.1 #676
Bumps [undici](https://github.com/nodejs/undici) from 7.20.0 to 7.24.1.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v7.20.0...v7.24.1)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.24.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
**Lack of Resources and Rate Limiting**

**Description**

Whilst the internet may often seem as though it were boundless, it is still bound by a finite amount of computing resources and subject to limitations, with only so much bandwidth, CPU processing power, memory allocation, and storage to go around. At the individual level, for example, think of the last time you tried to spin up that third virtual machine while the host browser was feverishly feeding your multiple-open-tab habit... resource limitations in action! And although this illustration depicts a non-malicious, indeed self-imposed, consequence of overload for an individual laptop, there are, unfortunately, attacks that leverage resource and rate limitations of web applications and APIs that have not been configured correctly.

Application requests are pretty much what make the internet the internet, with some estimates suggesting that API requests alone make up over 83% of all web traffic. Applications perform day-to-day functions adequately when the request parameters governing the number of processes, size of payloads, etc., are set at the appropriate minimums and maximums. However, when the aforementioned resources are incorrectly assigned, applications are not only subject to poor or non-existent performance, but they can also be commandeered by malicious actors to disrupt and deny service. According to OWASP's API4:2023 Unrestricted Resource Consumption, APIs, for example, are vulnerable if even just one of the below limits is lacking or incorrectly set:

Bottom line: set one of the above too low or too high, and your application is at risk.

**Impact**

Whatever the type of application, inadequately configured resource allocation and rate limits are routinely targeted by attackers. Attacks such as these undermine the reliability and availability of entire ecosystems, inevitably resulting in financial and reputational loss.

**Scenarios**

Suppose an API is tasked with the retrieval of user profiles and their corresponding details, providing, as most APIs do, access to its resources in the form of lists of entities. A set limit of returnable items would typically confine a client filtering this list.

An astute observer will have noticed that the request here would return page 1 and the first 9000000 users, which certainly seems like an above-average number of users for just one page! This attack would succeed in overwhelming the API if the size parameter were improperly validated.

**Prevention**

Attacks targeting application misconfigurations that allow unbridled resources and limits are common; the exploitation is uncomplicated and requires minimal resources to execute. Fortunately, robust defense is reasonably straightforward to implement so long as attention is paid to the limits that dictate finite resources, i.e., the above-mentioned CPU processing power, memory allocation, number of processes and file descriptors, etc. Prevention strategies include:

**Testing**

Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever-increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar.

**References**

Akamai - State of Internet Security
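The pagination abuse and the prevention strategies described in the comment above, as an added example that is not part of this PR or of undici: a strict `page`/`size` parser that rejects an oversized request such as `size=9000000` with a 400 instead of silently serving (or silently clamping) it, and a per-client token-bucket rate limiter that answers 429 with a `Retry-After` header once a client's burst is spent. The limit values, the `clientKey` request field, the `SAMPLE_USERS` list and the injectable `now` clock are assumptions made for this example; the bucket map is per-process, so a multi-instance deployment would keep it in a shared store.

```javascript
// Added example, not code from the PR or from undici. Plain Node.js, no dependencies.

// Assumed limits: a page never exceeds maxSize items and page numbers are bounded
// so that offset arithmetic cannot be driven into absurd ranges either.
const PAGINATION_LIMITS = { defaultSize: 20, maxSize: 100, maxPage: 10_000 };

// Parse ?page=&size= strictly: base-10 digits only, bounded, and rejected (not
// clamped) when out of range, so a client asking for 9000000 items gets a 400.
function parsePagination(query, limits = PAGINATION_LIMITS) {
  const toBoundedInt = (raw, fallback, max, name) => {
    if (raw === undefined) return { ok: true, value: fallback };
    // Repeated parameters arrive as arrays in most frameworks; refuse them too.
    if (typeof raw !== 'string' || !/^\d{1,9}$/.test(raw)) {
      return { ok: false, error: `${name} must be a positive integer` };
    }
    const n = Number(raw);
    if (n < 1) return { ok: false, error: `${name} must be >= 1` };
    if (n > max) return { ok: false, error: `${name} must be <= ${max}` };
    return { ok: true, value: n };
  };
  const page = toBoundedInt(query.page, 1, limits.maxPage, 'page');
  if (!page.ok) return { ok: false, status: 400, error: page.error };
  const size = toBoundedInt(query.size, limits.defaultSize, limits.maxSize, 'size');
  if (!size.ok) return { ok: false, status: 400, error: size.error };
  return { ok: true, page: page.value, size: size.value, offset: (page.value - 1) * size.value };
}

// Token bucket per client key (API key or source IP). Each key holds up to
// `capacity` tokens, refilled continuously at `refillPerSec`; a request costs one.
// `now` is injectable (milliseconds) so the behaviour is deterministic in tests.
class TokenBucketLimiter {
  constructor({ capacity, refillPerSec, now = () => Date.now() }) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map(); // per-process state; use a shared store across instances
  }

  allow(key) {
    const t = this.now();
    let b = this.buckets.get(key);
    if (!b) {
      b = { tokens: this.capacity, updated: t };
      this.buckets.set(key, b);
    }
    const elapsedSec = (t - b.updated) / 1000;
    b.tokens = Math.min(this.capacity, b.tokens + elapsedSec * this.refillPerSec);
    b.updated = t;
    if (b.tokens >= 1) {
      b.tokens -= 1;
      return { allowed: true, remaining: Math.floor(b.tokens) };
    }
    // Seconds until at least one token is back, rounded up for Retry-After.
    const retryAfterSec = Math.ceil((1 - b.tokens) / this.refillPerSec);
    return { allowed: false, remaining: 0, retryAfterSec };
  }
}

// Handler glue: the cheap rate-limit check runs first, then parameter validation,
// and only then is the (comparatively expensive) list sliced.
function handleListUsers(req, limiter, users) {
  const verdict = limiter.allow(req.clientKey);
  if (!verdict.allowed) {
    return { status: 429, headers: { 'Retry-After': String(verdict.retryAfterSec) }, body: 'rate limited' };
  }
  const p = parsePagination(req.query);
  if (!p.ok) return { status: 400, body: p.error };
  return { status: 200, body: users.slice(p.offset, p.offset + p.size) };
}

// Constructed sample data so the example runs offline.
const SAMPLE_USERS = Array.from({ length: 250 }, (_, i) => ({ id: i + 1, name: `user${i + 1}` }));

// Returns the status codes one client sees for `count` back-to-back requests.
function simulateBurst(limiter, clientKey, count) {
  const statuses = [];
  for (let i = 0; i < count; i++) {
    statuses.push(handleListUsers({ clientKey, query: { page: '1', size: '10' } }, limiter, SAMPLE_USERS).status);
  }
  return statuses;
}

module.exports = { parsePagination, TokenBucketLimiter, handleListUsers, simulateBurst, SAMPLE_USERS };
```

Rejecting rather than clamping the oversized `size` matters for detection as well as for load: a 400 on `size=9000000` is a clear signal in access logs, whereas silently serving 100 items hides the probe. The limiter is intentionally placed before parameter parsing so that an attacker cannot spend server time on validation failures either.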
guibranco left a comment:

Automatically approved by gstraccini[bot]
Infisical secrets check: ✅ No secrets leaked!

Scan logs:
```
2026-03-13T22:42:54Z INF scanning for exposed secrets...
10:42PM INF 528 commits scanned.
2026-03-13T22:42:54Z INF scan completed in 447ms
2026-03-13T22:42:54Z INF no leaks found
```
Caution: Review the following alerts detected in dependencies. According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.
Bumps undici from 7.20.0 to 7.24.1.
Release notes
Sourced from undici's releases.
... (truncated)
Commits
- 23e3cd3 Bumped v7.24.1
- 3aedaa8 remove PLAN.md
- 0d7ec33 fix: proto pollution (#4885)
- 07a3906 Bumped v7.24.0 (#4887)
- 74495c6 fix: reject duplicate content-length and host headers
- 84235c6 Fix websocket 64-bit length overflow
- 77594f9 fix: validate upgrade header to prevent CRLF injection
- cb79c57 fix: validate server_max_window_bits range in permessage-deflate
- 4147ce2 Merge commit '2ee00cb3'
- 2ee00cb fix(websocket): add maxDecompressedMessageSize limit for permessage-deflate

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.