@azure/functions v4.8.0 package brings vulnerable undici transitive dependency (v5.29.0)

Hello team,

While reviewing dependencies of the @azure/functions npm package v4.8.0, I noticed that it brings in undici@5.29.0 as a transitive dependency.
This version of undici has known security vulnerabilities:

[GHSA-c76h-2ccp-4975](https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975)

[GHSA-3g92-w8c5-73pq](https://github.com/nodejs/undici/security/advisories/GHSA-3g92-w8c5-73pq)

Details:

Package: @azure/functions@4.8.0

Vulnerable dependency: undici@5.29.0

Impact: Projects consuming @azure/functions inherit the vulnerable undici version.

Expected:
@azure/functions should update its dependency chain to pull in a latest version of undici (7.16.0).

Could you please review and update the dependency to mitigate this security issue?

Thanks!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

@azure/functions v4.8.0 package brings vulnerable undici transitive dependency (v5.29.0) #367

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

@azure/functions v4.8.0 package brings vulnerable undici transitive dependency (v5.29.0) #367

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions