Bump undici and jsonld in /packages/legacy-workbench

[dependabot]

Bumps undici to 6.24.1 and updates ancestor dependency jsonld. These dependencies need to be updated together.

Updates undici from 5.29.0 to 6.24.1

Release notes

Sourced from undici's releases.

v6.24.1

Full Changelog: nodejs/undici@v6.24.0...v6.24.1

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

• CVE-2026-1525: affected < 6.24.0, patched 6.24.0
• CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
• CVE-2026-1527: affected < 6.24.0, patched 6.24.0
• CVE-2026-2229: affected < 6.24.0, patched 6.24.0
• CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
• NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
• NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

... (truncated)

Commits

• c0cf656 Bumped v6.24.1
• f5a9f0c Fix v6 release workflow branch targeting
• af2cb8f wqremove maxDecompressedMessageSize (#4891)
• 8873c94 Bumped v6.24.0
• 411bd01 test(websocket): use node:assert for Node 18 compatibility
• 844bf59 test: fix http2 lint regressions in backport
• a444e4f test: stabilize h2 and tls-cert-leak under current test runner
• dc032a1 fix: h2 CI (#4395)
• 4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
• 7df6442 fix: adapt websocket frame-limit handling for v6 parser
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates jsonld from 8.3.3 to 9.0.0

Changelog

Sourced from jsonld's changelog.

9.0.0 - 2025-11-20

Added

• Add minimal support for React Native.
  • Add react-native section to package.json.
  • Add instructions to README.md.

Changed

• BREAKING: Drop support for Node.js < 18.
• BREAKING: Upgrade dependencies.
  • @digitalbazaar/http-client@4.
  • canonicalize@2.
  • rdf-canonize@5: See the [rdf-canonize][] 4.x and 5.x changelog for important changes and upgrade notes. Of note:
    • The URDNA2015 default algorithm has been changed to RDFC-1.0 from [rdf-canon][].
    • Complexity control defaults maxWorkFactor or maxDeepIterations may need to be adjusted to process graphs with certain blank node constructs.
    • A signal option is available to use an AbortSignal to limit resource usage.
    • The internal digest algorithm can be changed.
    • Support for [rdf-canonize-native][] was removed.
• BREAKING: Only the JavaScript implementation of [rdf-canon][] from [rdf-canonize][] is supported. The API here can be updated to allow implementation switching if support for native or other [rdf-canon][] implementations is needed.
• Update development dependencies.
• Update karma testing.
  • Remove older fixes in favor of more default behavior.
• Update bundle build.
  • Use newer corejs version.
  • Build with modern browserslist defaults and no IE support.
  • Support for older browsers requires a custom build.
• Refactor test framework.
  • Test runtime loads test files from a web server.
  • Allows testing of manifests on remote web servers.
  • Trading off some performance to align node and browser testing.
  • Moves some test setup code into config data and manifest.

Fixed

• Fix fromRdf#t0027 and useNativeTypes handling.

Removed

• BREAKING: Remove application/nquads alias for application/n-quads.

Commits

• 27a2b81 Release 9.0.0.
• 0a7f6da Update changelog.
• 44ed43a Fix codespell issues.
• 8793d07 Add fix to changelog.
• ded42f7 Add minimal support for React Native.
• f2d39a1 Update workflow.
• 84b1b33 Use rdf-canonize@5.
• ae1d6db Update dev dependencies.
• d31aa17 Fix useNativeTypes handling.
• 5e4dcbe Fix conditional.
• Additional commits viewable in compare view

[sonarqubecloud]

Quality Gate passed for 'Shared-components'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud