🚨 Low-severity security fix in undici (6.26.0, 7.28.0, 8.5.0) just released!
Patches CVE-2026-11525: undici is vulnerable to a `Set-Cookie` `SameSite` attribute downgrade via permissive substring matching.
github.com/nodejs/undic...
## Impact
When undici parses a `Set-Cookie` header, it accepts any `SameSite` attribute value that contains `Strict`, `Lax`, or `None` as a substring, rather than the case-insensitive exact matc...
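
The difference between substring and exact matching, as an added example (not undici's code and not part of the original post). All function names, the check order, the case handling of the substring match and the sample headers are assumptions made for illustration:

```javascript
// Added illustration only: not undici's source. All names are hypothetical.
const CANONICAL = new Map([['strict', 'Strict'], ['lax', 'Lax'], ['none', 'None']]);

// Substring matching, as the advisory describes it.
// Check order and case-insensitivity are assumptions of this sketch.
function sameSiteSubstring(value) {
  const v = value.toLowerCase();
  for (const [key, name] of CANONICAL) {
    if (v.includes(key)) return name;
  }
  return undefined;
}

// Case-insensitive exact match; any other value is treated as "attribute not set".
function sameSiteExact(value) {
  return CANONICAL.get(value.trim().toLowerCase());
}

// Pull the SameSite attribute value out of one Set-Cookie header value.
function sameSiteValue(setCookie) {
  let found;
  for (const attr of setCookie.split(';').slice(1)) { // skip the name=value pair
    const eq = attr.indexOf('=');
    if (eq === -1) continue; // flag attributes such as Secure
    if (attr.slice(0, eq).trim().toLowerCase() === 'samesite') {
      found = attr.slice(eq + 1).trim(); // last occurrence wins in this sketch
    }
  }
  return found;
}

// Report how each matcher interprets the header and whether they disagree.
function compare(setCookie) {
  const raw = sameSiteValue(setCookie);
  if (raw === undefined) return { raw, substring: undefined, exact: undefined, differs: false };
  const substring = sameSiteSubstring(raw);
  const exact = sameSiteExact(raw);
  return { raw, substring, exact, differs: substring !== exact };
}

// Constructed sample headers (not taken from the advisory).
const samples = [
  'sid=1; Path=/; SameSite=Strict',
  'sid=2; Path=/; SameSite=lax',
  'sid=3; Path=/; SameSite=NoneOfTheAbove',
  'sid=4; Path=/; SameSite=Relaxed-Lax',
];
for (const h of samples) console.log(h, '->', compare(h));
```

Headers where `differs` is true are the ones a substring matcher and an exact matcher would store with different `SameSite` enforcement.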