Vulnerabilities reported in `@codecov/webpack-plugin

[matthewtusker]

Our vulnerability scanner is reporting several vulnerabilties in packages installed via @codecov/webpack-plugin:

CVE-2025-25285: @octokit/endpoint:9.0.6
CVE-2025-25289: @octokit/request-error:5.1.1
CVE-2026-22036: undici:5.29.0

I'm not sure if there are packages that you can upgrade to mitigate this or whether your dependencies need to release upgrades first.

[matthewtusker]

There are another 4 vulnerabilties related to undici. An upgrade is desperately needed, or we're going to have to drop bundle analysis completely:

https://nvd.nist.gov/vuln/detail/CVE-2026-2229
https://nvd.nist.gov/vuln/detail/CVE-2026-1526
https://nvd.nist.gov/vuln/detail/CVE-2026-1527
https://nvd.nist.gov/vuln/detail/CVE-2026-1525

[matthewtusker]

The vulnerabilities exist in bundler-plugin-core, so they affect all Javascript bundle analysis tools, not just the Webpack plugin.

[mikebronner]

seeing this as well:

undici  <=6.23.0                                                                                                 
Severity: high                                                                                                   
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to 
 resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9                                         
Undici has an HTTP Request/Response Smuggling issue - https://github.com/advisories/GHSA-2mjp-6q6p-2qxm          
Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression -                          
https://github.com/advisories/GHSA-vrm6-8vpv-qv8q                                                                
Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation -            
https://github.com/advisories/GHSA-v9p9-hfj2-hcw8                                                                
Undici has CRLF Injection in undici via `upgrade` option - https://github.com/advisories/GHSA-4992-7rv2-5pvq     
fix available via `npm audit fix`                                                                                
node_modules/undici                                                                                              
  @actions/github  6.0.0 - 8.0.0                                                                                 
  Depends on vulnerable versions of @actions/http-client                                                         
  Depends on vulnerable versions of undici                                                                       
  node_modules/@actions/github                                                                                   
  @actions/http-client  2.2.0 - 3.0.1                                                                            
  Depends on vulnerable versions of undici                                                                       
  node_modules/@actions/http-client  

My work-around for the time-being is:

{
    "private": true,
    "type": "module",
    "scripts": {
        "dev": "vite",
        "build": "vite build"
    },
    "devDependencies": {
        // ...
    },
    "overrides": {
        "undici": "^7.24.6"
    }
}

[jbaxendale-ut]

running into the same thing with undici, although I have attempted to scope it more narrowly than the entire app

(for yarn, targeting undici LTS)

  "resolutions": {
    "@actions/github/undici": "^6.24.0",
    "@actions/http-client/undici": "^6.24.0"
  },

[matthewtusker]

I've started discussions here and here, but appear to be getting radio silence from Codecov. There's a very similar repo for Sentry which gets regular updates, are we supposed to have switched across or something? It's unclear to me.

[kristof-mattei]

There is https://www.npmjs.com/package/@sentry/vite-plugin, which seems to have updated features.

But signing up seems to be paid only, with no free option for OSS.

Edit: there is a free version. But I don't think the plugin offers the same functionality.

[thomasrockhu-codecov]

Thanks for flagging, I'll be working on getting this repo up-to-date over this week and next, thanks for the patience

[matthewtusker]

Bumping @actions/github and @actions/core in @codecov/bundler-plugin-core should be enough to solve it.