Low severity vulnerability CVE-2026-22036 in `undici` for @actions/cache

[MikeMcC399]

Situation

npm audit and Dependabot report CVE-2026-22036 (Low severity) in the transient dependency undici (GHSA-g9mf-h72j-4rw9)

This affects @actions/cache@5.0.2 (current latest).

Steps to reproduce

cd $(mktemp -d)
npm install @actions/cache
npm audit

Logs

$ npm audit
# npm audit report

undici  <6.23.0
Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion - https://github.com/advisories/GHSA-g9mf-h72j-4rw9
fix available via `npm audit fix --force`
Will install @actions/cache@4.1.0, which is a breaking change
node_modules/undici
  @actions/http-client  >=2.2.0
  Depends on vulnerable versions of undici
  node_modules/@actions/glob/node_modules/@actions/http-client
  node_modules/@actions/http-client
    @actions/cache  >=5.0.0
    Depends on vulnerable versions of @actions/core
    Depends on vulnerable versions of @actions/http-client
    node_modules/@actions/cache
    @actions/core  >=2.0.0
    Depends on vulnerable versions of @actions/http-client
    node_modules/@actions/core

4 low severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

$ npm ls undici
tmp.DnFp4ZKpWi@ /tmp/tmp.DnFp4ZKpWi
└─┬ @actions/cache@5.0.2
  ├─┬ @actions/glob@0.5.0
  │ └─┬ @actions/core@1.11.1
  │   └─┬ @actions/http-client@2.2.3
  │     └── undici@5.29.0 deduped
  └─┬ @actions/http-client@3.0.1
    └── undici@5.29.0

Related

• @actions/glob@0.5.0 (dependency of @actions/cache) missing Node.js 24 update #2217

[MikeMcC399]

• Apart from the proposed PR fix(deps): upgrade undici dependency to v6.23.0 #2241 the whole hierarchy of @actions/* toolkit versions needs to be reviewed and updated.