chore(deps): bump undici and @astrojs/cloudflare

[dependabot]

Bumps undici to 7.28.0 and updates ancestor dependency @astrojs/cloudflare. These dependencies need to be updated together.

Updates undici from 7.14.0 to 7.28.0

Release notes

Sourced from undici's releases.

v7.28.0

⚠️ Security Release

This release line addresses 7 security advisories, all shipped in v7.28.0.

Action required: Upgrade to undici 7.28.0 or later.

npm install undici@^7.28.0

The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.

Note on GHSA-hm92-r4w5-c3mj: this fix shipped in v7.28.0, not the earlier 7.2x line — the vulnerable single-pool code was still present through v7.27.2. The per-origin pool fix is 3805b8f8 (#5041).

Summary

Advisory	CVE	Severity (CVSS)	Fixed in	Fix commit
GHSA-vxpw-j846-p89q	CVE-2026-12151	High (7.5)	7.28.0	8cb10f98
GHSA-vmh5-mc38-953g	CVE-2026-9697	High (7.4)	7.28.0	04201f89
GHSA-hm92-r4w5-c3mj	CVE-2026-6734	High (7.5)	7.28.0	3805b8f8
GHSA-pr7r-676h-xcf6	CVE-2026-9678	Moderate (5.9)	7.28.0	85a24055
GHSA-p88m-4jfj-68fv	CVE-2026-9679	Moderate (5.9)	7.28.0	d0574cc4
GHSA-g8m3-5g58-fq7m	CVE-2026-11525	Low (3.7)	7.28.0	d0574cc4
GHSA-35p6-xmwp-9g52	CVE-2026-6733	Low (3.7)	7.28.0	ea8930cf

---

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: 8cb10f98 websocket: limit the number of fragments in a message (part of backport a027a4a0 Backport WebSocket maxPayloadSize fixes to v7.x, #5423)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

• Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
• Workaround: none — upgrade is required.

TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697

GHSA-vmh5-mc38-953g · CWE-295

... (truncated)

Commits

• f9eba0a Bumped v7.28.0 (#5430)
• a027a4a Backport WebSocket maxPayloadSize fixes to v7.x (#5423)
• 8cb10f9 websocket: limit the number of fragments in a message
• 04201f8 fix: honor requestTls when proxy is SOCKS5
• fcd642f fix(socks5): preserve dispatch backpressure return value (#5166)
• bc98c97 fix(socks5): use configured connector in Socks5ProxyAgent (#5168)
• 9e1c743 fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (#5099)
• 376c8be fix(socks5): enforce authenticated state before CONNECT (#5097)
• 3805b8f fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...
• 85a2405 fix(cache): trim qualified field names
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for undici since your current version.

Updates @astrojs/cloudflare from 12.6.12 to 13.7.0

Release notes

Sourced from @​astrojs/cloudflare's releases.

@​astrojs/cloudflare@​13.7.0

Minor Changes

• #16571 d4b0cd1 Thanks @​MA2153! - Sets immutable cache headers for static assets

  Static assets under _astro can be cached to improve performance. The adapter now automatically injects a Cache-Control header at build time when possible.

Patch Changes

• #16968 7a5c001 Thanks @​astrobot-houston! - Fixes a build crash when using experimental.advancedRouting with a custom fetchFile that statically imports cf from @astrojs/cloudflare/fetch. The circular dependency between @astrojs/cloudflare/fetch and astro/app/entrypoint caused createApp or createGetEnv to be undefined at module evaluation time. Initialization is now deferred to the first cf() call, breaking the cycle.

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.3

@​astrojs/cloudflare@​13.6.1

Patch Changes

• #16914 4bdd240 Thanks @​matthewp! - Fixes astro/fetch and astro/hono being discovered at runtime during dev instead of pre-bundled

• #16693 9e6edc2 Thanks @​ArmandPhilippot! - Fixes a link in the documentation specifying where to open an issue for the adapter.

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.3

@​astrojs/cloudflare@​13.6.0

13.6.0

Minor Changes

• #16729 01aa164 Thanks @​matthewp! - Adds @astrojs/cloudflare/fetch and @astrojs/cloudflare/hono exports for composing Cloudflare-specific setup with Astro's advanced routing handlers.

  @astrojs/cloudflare/fetch

  For use with astro/fetch in a custom fetch handler:

  import { astro, FetchState } from 'astro/fetch';
  import { cf } from '@astrojs/cloudflare/fetch';
  export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext) {
  const state = new FetchState(request);
  const asset = await cf(state, env, ctx);
  if (asset) return asset;
  return astro(state);
  },
  };

  @astrojs/cloudflare/hono

... (truncated)

Changelog

Sourced from @​astrojs/cloudflare's changelog.

13.7.0

Minor Changes

• #16571 d4b0cd1 Thanks @​MA2153! - Sets immutable cache headers for static assets

  Static assets under _astro can be cached to improve performance. The adapter now automatically injects a Cache-Control header at build time when possible.

Patch Changes

• #16968 7a5c001 Thanks @​astrobot-houston! - Fixes a build crash when using experimental.advancedRouting with a custom fetchFile that statically imports cf from @astrojs/cloudflare/fetch. The circular dependency between @astrojs/cloudflare/fetch and astro/app/entrypoint caused createApp or createGetEnv to be undefined at module evaluation time. Initialization is now deferred to the first cf() call, breaking the cycle.

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.3

13.6.1

Patch Changes

• #16914 4bdd240 Thanks @​matthewp! - Fixes astro/fetch and astro/hono being discovered at runtime during dev instead of pre-bundled

• #16693 9e6edc2 Thanks @​ArmandPhilippot! - Fixes a link in the documentation specifying where to open an issue for the adapter.

• Updated dependencies []:

  • @​astrojs/underscore-redirects@​1.0.3

13.6.0

Minor Changes

• #16729 01aa164 Thanks @​matthewp! - Adds @astrojs/cloudflare/fetch and @astrojs/cloudflare/hono exports for composing Cloudflare-specific setup with Astro's advanced routing handlers.

  @astrojs/cloudflare/fetch

  For use with astro/fetch in a custom fetch handler:

  import { astro, FetchState } from 'astro/fetch';
  import { cf } from '@astrojs/cloudflare/fetch';
  export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext) {
  const state = new FetchState(request);
  const asset = await cf(state, env, ctx);
  if (asset) return asset;
  return astro(state);
  },
  };

... (truncated)

Commits

• 0b879fb [ci] release (#16972)
• ca26d0e [ci] format
• d4b0cd1 fix(cloudflare): inject headers for caching the assets folder (#16571)
• 7a5c001 fix(cloudflare): defer createApp/setGetEnv in fetch.ts to avoid circular impo...
• 75ae5df [ci] release (#16912)
• 272ca61 chore(deps): update pnpm to v11.5.0 (#16903)
• 4bdd240 Pre-bundle astro/fetch and astro/hono in Cloudflare optimizeDeps (#16914)
• 17a0fbd chore(deps): update devalue (#16900)
• 9e6edc2 fix(docs): replace last occurrences of withastro/adapters (#16693)
• da10b9e chore(deps): resolve peer dependency issues (#16894)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Updated (UTC)
❌ Deployment failed View logs	rustlings	a612382	Jun 20 2026, 10:43 AM