Security: transitive undici@5.29.0 vulnerabilities via @github/local-action@7.0.1

## Summary

`@github/local-action@7.0.1` pulls in a vulnerable `undici@5.29.0` through several `@actions/*` dependencies. Snyk reports **10 transitive issues** (Risk Score MAX **170**), of which **9 have no supported fix** in the current dependency tree (0 fixable via a direct bump).

All high-severity findings trace back to a single package: **`undici@5.29.0`**.

## Affected package

- **Direct dependency:** `@github/local-action@7.0.1`
- **Vulnerable transitive package:** `undici@5.29.0`
- **Fixed in:** `undici@6.24.0`, `undici@7.24.0`

## Vulnerabilities

| Issue | CWE | CVE | CVSS | Snyk ID |
|-------|-----|-----|------|---------|
| Uncaught Exception | [CWE-248](https://cwe.mitre.org/data/definitions/248.html) | CVE-2026-2229 | 8.7 (High) | SNYK-JS-UNDICI-15518070 |
| CRLF Injection | [CWE-93](https://cwe.mitre.org/data/definitions/93.html) | — | 9.2 (Critical) | — |
| Permissive List of Allowed Inputs | [CWE-183](https://cwe.mitre.org/data/definitions/183.html) | — | 8.3 (High) | — |

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Security: transitive undici@5.29.0 vulnerabilities via @github/local-action@7.0.1 #295

Summary

Affected package

Vulnerabilities

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue	CWE	CVE	CVSS	Snyk ID
Uncaught Exception	CWE-248	CVE-2026-2229	8.7 (High)	SNYK-JS-UNDICI-15518070
CRLF Injection	CWE-93	—	9.2 (Critical)	—
Permissive List of Allowed Inputs	CWE-183	—	8.3 (High)	—

Security: transitive undici@5.29.0 vulnerabilities via @github/local-action@7.0.1 #295

Description

Summary

Affected package

Vulnerabilities

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions