chore(deps): bump undici and @sanity/template-validator

[dependabot]

Bumps undici and @sanity/template-validator. These dependencies needed to be updated together.
Updates undici from 5.29.0 to 6.24.1

Release notes

Sourced from undici's releases.

v6.24.1

Full Changelog: nodejs/undici@v6.24.0...v6.24.1

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

• CVE-2026-1525: affected < 6.24.0, patched 6.24.0
• CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
• CVE-2026-1527: affected < 6.24.0, patched 6.24.0
• CVE-2026-2229: affected < 6.24.0, patched 6.24.0
• CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
• NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
• NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

... (truncated)

Commits

• c0cf656 Bumped v6.24.1
• f5a9f0c Fix v6 release workflow branch targeting
• af2cb8f wqremove maxDecompressedMessageSize (#4891)
• 8873c94 Bumped v6.24.0
• 411bd01 test(websocket): use node:assert for Node 18 compatibility
• 844bf59 test: fix http2 lint regressions in backport
• a444e4f test: stabilize h2 and tls-cert-leak under current test runner
• dc032a1 fix: h2 CI (#4395)
• 4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
• 7df6442 fix: adapt websocket frame-limit handling for v6 parser
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates @sanity/template-validator from 2.4.3 to 2.4.6

Release notes

Sourced from @​sanity/template-validator's releases.

v2.4.6

2.4.6 (2026-02-04)

Bug Fixes

• add missing @types/node package (#18) (3489d8d)
• update @actions/core to v3 to resolve undici vulnerability (#17) (613875a)

---

This release is also available on:

• npm package (@​latest dist-tag)

sr-v2.4.6-rc.2

2.4.6-rc.2 (2026-02-03)

Bug Fixes

• duplicate copyright year in license (a34ebe3)

---

This release is also available on:

• npm package (@​rc dist-tag)

sr-v2.4.6-rc.1

2.4.6-rc.1 (2026-02-03)

Bug Fixes

• format with prettier (28ac5fa)

---

This release is also available on:

• npm package (@​rc dist-tag)

v2.4.5

No release notes provided.

v2.4.4

No release notes provided.

Changelog

Sourced from @​sanity/template-validator's changelog.

📓 Changelog

All notable changes to this project will be documented in this file. See Conventional Commits for commit guidelines.

3.1.0 (2026-03-19)

Features

• ci: setup pkr.pr new workflow (3ca28ff)

3.0.1 (2026-03-18)

Bug Fixes

• update undici to resolve npm audit vulnerabilities (ba6e128)

3.0.0 (2026-02-04)

⚠ BREAKING CHANGES

• note: @​actions/core@​3.0.0 is ESM-only, but this package already uses ESM ("type": "module"), so no code changes are required.

Ref: GHSA-g9mf-h72j-4rw9

Bug Fixes

• add missing @types/node package (#18) (3489d8d)
• update @actions/core to v3 to resolve undici vulnerability (#17) (613875a)

2.4.6-rc.1 (2026-02-03)

Bug Fixes

• format with prettier (28ac5fa)

Commits

• 3489d8d fix: add missing @types/node package (#18)
• 613875a fix: update @actions/core to v3 to resolve undici vulnerability (#17)
• f40c3c5 ci: handle npm + github action publishing in same workflow (#16)
• 7ac6d12 2.4.5
• 6bfbe22 chore: upgrade to typescript 5.9.3, align with strictest tsconfig
• 4dbd154 chore: version 2.4.4
• fdb2ce9 chore: update lockfile, add missing dependency
• cff6492 fix: update @​actions/github to v9 to resolve undici vulnerability (#15)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by rexxars, a new releaser for @​sanity/template-validator since your current version.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
asanka-portfolio	Ready	Preview, Comment	Apr 11, 2026 8:10pm