
Replace undici with headers-polyfill in connect-node#1651

Open
danwsong wants to merge 1 commit into connectrpc:v1 from danwsong:v1

Conversation

@danwsong

Undici v5 is affected by CVE-2026-1526 and CVE-2026-2229 (WebSocket permessage-deflate vulnerabilities). Since connect-node only uses undici for the Headers class polyfill on Node < 18, this replaces it with the lightweight headers-polyfill package. No engine requirement changes — Node >= 16 continues to work.

Undici v5 is affected by CVE-2026-1526 and CVE-2026-2229 (WebSocket
permessage-deflate vulnerabilities). Since connect-node only uses undici
for the Headers class polyfill on Node < 18, replace it with the
lightweight headers-polyfill package. This avoids bumping engine
requirements while eliminating the vulnerability surface entirely.

Signed-off-by: Daniel Song <dan.w.song@gmail.com>
@danwsong
Author

Hi @timostamm, would you be open to backporting CVE fixes to v1 like this?

@timostamm
Member

Hey @danwsong, thanks for the PR.

The CVEs are about the WebSocket client in undici. There is no usage of the WebSocket client in connect-es.

I assume the problem is that the dependency is flagged regardless?

@danwsong
Author

@timostamm Yes, precisely. It's true that this library doesn't use undici for the WebSocket client, but it's still getting flagged. I looked at a few options before landing on this:

  • Upgrading undici to version 6
    • Version 6 drops support for Node.js versions < 18, but those versions are the ones that required the Headers polyfill
  • Dropping support for Node.js versions < 18
    • This is technically a breaking change, and probably wouldn't be feasible for a backport
  • Removing undici as a dependency
    • This would require manually writing a polyfill, which led me ultimately to:
  • Replacing undici with headers-polyfill
    • The package is actively maintained by the MSW team and is significantly lighter at 113 KB vs. undici at 1.6 MB
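The pattern the options above turn on, as an added example that is not code from connect-es, undici or headers-polyfill: pick the runtime's global Headers where it exists (Node >= 18) and fall back to a polyfill only on older runtimes, and before swapping one polyfill for another, probe the candidate against the native class so the replacement does not silently change semantics. `MinimalHeaders` is a hypothetical inline stand-in for whatever polyfill is chosen, written here only so the file runs offline; `resolveHeadersCtor`, `probeHeaders` and `polyfillMatchesNative` are names assumed for this example. The probe deliberately includes the two checks a security reviewer cares about when a Headers implementation is replaced: rejection of non-token header names and of CR/LF in values, since a polyfill that skips them turns caller-supplied strings into a header-injection vector.

```javascript
// Added example, not code from connect-es, undici or headers-polyfill.
// MinimalHeaders: hypothetical stand-in for a Headers polyfill (assumption).
// probeHeaders / polyfillMatchesNative: conformance check for a candidate
// polyfill, run against the native class where the runtime has one.

// RFC 9110 token characters. Space, colon, CR and LF are rejected so the
// polyfill cannot be used to inject extra header lines.
const TOKEN_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

function normalizeName(name) {
  const n = String(name);
  if (!TOKEN_RE.test(n)) {
    throw new TypeError(`Invalid header name: ${JSON.stringify(n)}`);
  }
  return n.toLowerCase();
}

function normalizeValue(value) {
  // Fetch trims leading/trailing HTTP whitespace, then rejects NUL, CR, LF.
  const v = String(value).replace(/^[\t\n\r ]+|[\t\n\r ]+$/g, "");
  if (/[\0\r\n]/.test(v)) {
    throw new TypeError(`Invalid header value: ${JSON.stringify(v)}`);
  }
  return v;
}

class MinimalHeaders {
  #map = new Map(); // lowercased name -> combined value

  constructor(init) {
    if (init == null) return;
    const pairs = Array.isArray(init) || init instanceof MinimalHeaders
      ? init
      : Object.entries(init);
    for (const [k, v] of pairs) this.append(k, v);
  }

  append(name, value) {
    const k = normalizeName(name);
    const v = normalizeValue(value);
    const prev = this.#map.get(k);
    // Repeated headers combine with ", " as the Fetch spec requires.
    this.#map.set(k, prev === undefined ? v : `${prev}, ${v}`);
  }

  set(name, value) { this.#map.set(normalizeName(name), normalizeValue(value)); }
  get(name) { const v = this.#map.get(normalizeName(name)); return v === undefined ? null : v; }
  has(name) { return this.#map.has(normalizeName(name)); }
  delete(name) { this.#map.delete(normalizeName(name)); }
  forEach(cb, thisArg) { for (const [k, v] of this) cb.call(thisArg, v, k, this); }

  // Iteration yields lowercased names in sorted order, matching native Headers.
  *[Symbol.iterator]() {
    for (const k of [...this.#map.keys()].sort()) yield [k, this.#map.get(k)];
  }
  entries() { return this[Symbol.iterator](); }
  *keys() { for (const [k] of this) yield k; }
  *values() { for (const [, v] of this) yield v; }
}

// Choose the constructor once at module load: native when present, else polyfill.
function resolveHeadersCtor(scope = globalThis, polyfill = MinimalHeaders) {
  return typeof scope.Headers === "function" ? scope.Headers : polyfill;
}

function throwsTypeError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof TypeError; }
}

// Observable behaviours an HTTP framework relies on. Run against the native
// class and the candidate polyfill; the two profiles must be identical.
function probeHeaders(Ctor) {
  const h = new Ctor({ "Content-Type": "application/proto", Accept: "application/proto" });
  h.append("accept", "application/json");
  h.set("X-Custom", "  trimmed  ");
  const profile = {
    caseInsensitiveGet: h.get("content-type"),
    appendJoins: h.get("ACCEPT"),
    valueTrimmed: h.get("x-custom"),
    missingIsNull: h.get("not-there"),
    iterationOrder: [...h].map(([k]) => k).join(","),
    rejectsBadName: throwsTypeError(() => h.set("bad name", "v")),
    rejectsCrlfValue: throwsTypeError(() => h.set("x-evil", "a\r\nInjected: yes")),
  };
  h.delete("x-custom");
  profile.deleteRemoves = !h.has("X-Custom");
  return profile;
}

// null when the runtime has no global Headers (Node < 18), else whether the
// polyfill's profile matches the native one exactly.
function polyfillMatchesNative(scope = globalThis) {
  if (typeof scope.Headers !== "function") return null;
  return JSON.stringify(probeHeaders(scope.Headers)) ===
    JSON.stringify(probeHeaders(MinimalHeaders));
}

const HeadersImpl = resolveHeadersCtor();
```

Run the probe on the oldest runtime the package still supports as well as on a current one, since only the former actually exercises the polyfill path. After the dependency swap, `npm ls undici` against the lockfile confirms no other path still pulls the flagged package in, which is what the scanner keys on.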

@danwsong
Author

@timostamm Are any of these checks of concern?

@danwsong
Author

@timostamm I'd like to follow up on this, would you have any concerns with this change in principle?
