Update dependency undici to v8

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	^7.24.2 → ^8.0.0

---

Release Notes

nodejs/undici (undici)

v8.0.2

Compare Source

v8.0.1

Compare Source

What's Changed

• Remove legacy handler wrappers by @​mcollina in #​4786
• fix: isolate global dispatcher v2 and add Dispatcher1Wrapper bridge by @​mcollina in #​4827
• fix: preserve request statusText and update h2 dispatch tests by @​mcollina in #​4830
• feat!: enable h2 by default by @​metcoder95 in #​4828
• fix(cache): preserve short-lived entries for revalidation by @​mcollina in #​4934
• fix: remove support for non-real Blob objects by @​mcollina in #​4937
• build(deps): bump github/codeql-action from 4.32.3 to 4.35.1 by @​dependabot[bot] in #​4953
• Undici 8 by @​mcollina in #​4916
• build(deps): bump hendrikmuhs/ccache-action from 1.2.19 to 1.2.22 by @​dependabot[bot] in #​4954
• doc: remove duplicate listItem of RetryHandler.md & RetryHandler.md by @​samuel871211 in #​4948
• fix: mirror the legacy global dispatcher for built-in fetch by @​mcollina in #​4962
• fix(websocket/stream): only enqueue parsed messages in WebSocketStream by @​colinaaa in #​4959

New Contributors

• @​colinaaa made their first contribution in #​4959

Full Changelog: nodejs/undici@v7.24.7...v8.0.1

v8.0.0

Compare Source

What's Changed

• Remove legacy handler wrappers by @​mcollina in #​4786
• fix: isolate global dispatcher v2 and add Dispatcher1Wrapper bridge by @​mcollina in #​4827
• fix: preserve request statusText and update h2 dispatch tests by @​mcollina in #​4830
• feat!: enable h2 by default by @​metcoder95 in #​4828
• fix(cache): preserve short-lived entries for revalidation by @​mcollina in #​4934
• fix: remove support for non-real Blob objects by @​mcollina in #​4937
• build(deps): bump github/codeql-action from 4.32.3 to 4.35.1 by @​dependabot[bot] in #​4953
• Undici 8 by @​mcollina in #​4916

Full Changelog: nodejs/undici@v7.24.7...v8.0.0

v7.24.7

Compare Source

What's Changed

• docs: update broken links in file "Dispatcher.md" by @​samuel871211 in #​4924
• doc: remove unused parameter redirectionLimitReached by @​samuel871211 in #​4933
• test: skip flaky macOS Node 20 cookie fetch cases by @​mcollina in #​4932
• fix(types): align Response with DOM fetch types by @​theamodhshetty in #​4867
• fix(types): Fix clone method type declaration to be an instance method rather than instance property by @​mistval in #​4925
• test: skip IPv6 tests when IPv6 is not available by @​mcollina in #​4939
• fix: correctly handle multi-value rawHeaders in fetch by @​mcollina in #​4938
• ignore AGENTS.md by @​mcollina in #​4942

New Contributors

• @​samuel871211 made their first contribution in #​4924
• @​mistval made their first contribution in #​4925

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

v7.24.6

Compare Source

What's Changed

• fix(test): client wasm compatible with clang 22 by @​rozzilla in #​4909
• fix(mock): improve error message when intercepts are exhausted by @​travisbreaks in #​4912
• fix(websocket): support open diagnostics over h2 by @​mcollina in #​4921
• fix: assume http/https scheme for scheme-less proxy env vars by @​travisbreaks in #​4914
• fix(cache): check Authorization on request headers per RFC 9111 §3.5 by @​metalix2 in #​4911
• fix: wrap kConnector call in try/catch to prevent client hang by @​veeceey in #​4834
• docs: clarify fetch and FormData pairing by @​mcollina in #​4922
• fix: support Connection header with connection-specific header names per RFC 7230 by @​mcollina in #​4775
• fix: avoid prototype collisions in parseHeaders by @​mcollina in #​4923
• build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @​dependabot[bot] in #​4926
• test: auto-init WPT submodule by @​mcollina in #​4930

New Contributors

• @​rozzilla made their first contribution in #​4909
• @​veeceey made their first contribution in #​4834

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

v7.24.5

Compare Source

What's Changed

• Formdata tests by @​KhafraDev in #​4902
• test: add unexpected disconnect guards to more client test files by @​samayer12 in #​4844
• fix(cache): only apply 1-year deleteAt for immutable responses by @​metalix2 in #​4913

New Contributors

• @​metalix2 made their first contribution in #​4913

Full Changelog: nodejs/undici@v7.24.4...v7.24.5

v7.24.4

Compare Source

What's Changed

• fix(fetch): handle URL credentials in dispatch path extraction by @​mcollina in #​4892

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

Compare Source

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in #​4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 7dd57aa

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​undici@​7.24.2 ⏵ 8.0.2				-2

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Potential code anomaly (AI signal): npm undici is 68.0% likely to have a medium risk anomaly Notes: The code performs an in-place re-encoding of a local file (undici-fetch.js) and overwrites it with latin1-encoded data. There is no evidence of exfiltration, backdoors, or network activity. However, the lack of validation, error handling, and the fact that it can corrupt or permanently alter a source file constitutes a nontrivial risk. In a supply-chain or extension context, such a script could be misused to tamper with code. It is not inherently malicious by itself but is risky and should be restricted or audited before typical usage in a build or runtime environment. Confidence: 0.68 Severity: 0.60 From: package-lock.json → npm/undici@8.0.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@8.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report