Comparing changes

nodejs/undici: base v7.23.0 ... compare v7.24.0
  • 8 commits
  • 23 files changed
  • 3 contributors

Commits on Mar 12, 2026

  1. 5890c7b
  2. fix(websocket): add maxDecompressedMessageSize limit for permessage-deflate

    Add protection against decompression bomb attacks in the WebSocket
    permessage-deflate extension. A malicious server could send a small
    compressed payload that expands to an extremely large size, causing
    memory exhaustion.
    
    Changes:
    - Add maxDecompressedMessageSize option to WebSocket constructor
    - Default limit: 4 MB
    - Abort decompression immediately when limit exceeded
    - Close connection with status code 1009 (Message Too Big)
    - Add MessageSizeExceededError (UND_ERR_WS_MESSAGE_SIZE_EXCEEDED)
    - Add comprehensive tests for the new limit behavior
    - Update TypeScript types and documentation
    
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    mcollina committed Mar 12, 2026
    2ee00cb
  3. Merge commit '2ee00cb3'

    mcollina committed Mar 12, 2026
    4147ce2
  4. fix: validate server_max_window_bits range in permessage-deflate

    The isValidClientWindowBits() function only checked for ASCII digits,
    allowing out-of-range values like "1000" to pass validation. When these
    values were passed to zlib's createInflateRaw(), it threw an unhandled
    RangeError that crashed the process.
    
    Changes:
    - Update isValidClientWindowBits() to validate range 8-15 (per RFC 7692)
    - Add try-catch around createInflateRaw() as defense in depth
    - Add comprehensive tests for windowBits validation
    mcollina committed Mar 12, 2026
    cb79c57
  5. fix: validate upgrade header to prevent CRLF injection

    Add validation for the upgrade option in the Request constructor using
    isValidHeaderValue() to prevent CRLF injection attacks that could
    enable protocol smuggling to internal services.
    
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    Co-Authored-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
    Signed-off-by: Ulises Gascón <ulisesgascongonzalez@gmail.com>
    mcollina and UlisesGascon committed Mar 12, 2026
    77594f9
  6. Fix websocket 64-bit length overflow

    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    mcollina committed Mar 12, 2026
    84235c6
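The commit title above names the bug class without describing it. As an added illustration (not undici's code, and not a description of what undici's parser did), the following parses the payload length of a WebSocket frame header per RFC 6455 §5.2 and shows why a 64-bit length needs more than a digits-to-Number conversion in JavaScript: values above 2^53 round silently, and the RFC requires the most significant bit to be zero. Function names, the result shape and the default `maxPayload` cap are assumptions of this example.

```javascript
// Added example (not undici's code): WebSocket frame payload-length parsing
// per RFC 6455 §5.2. parsePayloadLength, naivePayloadLength and makeHeader
// are this example's own names.
const MAX_SAFE = BigInt(Number.MAX_SAFE_INTEGER);
const MSB64 = 1n << 63n;

// The form JS code often reaches for. Above 2**53 the multiply/add rounds
// silently, so two different wire lengths can produce the same Number.
function naivePayloadLength(header) {
  return header.readUInt32BE(2) * 2 ** 32 + header.readUInt32BE(6);
}

// Returns { length, headerLength, masked } or { error, closeCode } for a
// header that is incomplete or violates the RFC. maxPayload is the caller's
// cap; exceeding it maps to close code 1009 (message too big).
function parsePayloadLength(header, maxPayload = 1024 * 1024) {
  if (header.length < 2) return { error: 'NEED_MORE_DATA' };
  const masked = (header[1] & 0x80) !== 0;
  const len7 = header[1] & 0x7f;
  let length;
  let headerLength;
  if (len7 < 126) {
    length = len7;
    headerLength = 2;
  } else if (len7 === 126) {
    if (header.length < 4) return { error: 'NEED_MORE_DATA' };
    length = header.readUInt16BE(2);
    headerLength = 4;
    if (length < 126) return { error: 'NON_MINIMAL_LENGTH', closeCode: 1002 };
  } else {
    if (header.length < 10) return { error: 'NEED_MORE_DATA' };
    const big = header.readBigUInt64BE(2); // exact, unlike two UInt32 reads combined
    if (big & MSB64) return { error: 'MSB_SET', closeCode: 1002 }; // RFC 6455 §5.2: MSB MUST be 0
    if (big > MAX_SAFE) return { error: 'LENGTH_TOO_LARGE', closeCode: 1009 }; // not representable exactly
    length = Number(big);
    headerLength = 10;
    if (length < 65536) return { error: 'NON_MINIMAL_LENGTH', closeCode: 1002 };
  }
  if (length > maxPayload) return { error: 'MESSAGE_TOO_BIG', closeCode: 1009 };
  return { length, headerLength, masked };
}

// Constructed unmasked binary-frame header (FIN=1, opcode 2) for a given length.
function makeHeader(length) {
  if (length < 126) return Buffer.from([0x82, length]);
  if (length < 65536) {
    const b = Buffer.alloc(4);
    b[0] = 0x82; b[1] = 126;
    b.writeUInt16BE(length, 2);
    return b;
  }
  const b = Buffer.alloc(10);
  b[0] = 0x82; b[1] = 127;
  b.writeBigUInt64BE(BigInt(length), 2);
  return b;
}

function demo() {
  const unsafe = Buffer.alloc(10);
  unsafe[0] = 0x82; unsafe[1] = 127;
  unsafe.writeBigUInt64BE((1n << 53n) + 1n, 2); // 2**53 + 1 is not a safe integer
  const msb = Buffer.alloc(10);
  msb[0] = 0x82; msb[1] = 127;
  msb.writeBigUInt64BE(0xffffffffffffffffn, 2);
  return {
    small: parsePayloadLength(makeHeader(5)),
    medium: parsePayloadLength(makeHeader(256)),
    large: parsePayloadLength(makeHeader(65536)),
    nonMinimal: parsePayloadLength(Buffer.from([0x82, 126, 0x00, 0x05])),
    naiveRounded: naivePayloadLength(unsafe), // 2**53, the +1 is lost
    strict: parsePayloadLength(unsafe),
    msbSet: parsePayloadLength(msb),
    capped: parsePayloadLength(makeHeader(2 * 1024 * 1024), 1024 * 1024),
  };
}
```

The point to take from `demo()` is the pair `naiveRounded`/`strict`: the naive arithmetic returns exactly 2^53 for a wire length of 2^53 + 1, while the BigInt path refuses the value. Whatever cap a client enforces afterwards is only as good as the length it compares against.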
  7. fix: reject duplicate content-length and host headers

    When headers are passed as an array, reject duplicate content-length
    and host headers regardless of casing. This prevents malformed HTTP/1.1
    requests with multiple Content-Length values from being sent on the wire.
    
    Previously, case-variant duplicates (e.g., 'Content-Length' and
    'content-length') would bypass the duplicate check, resulting in
    ambiguous HTTP requests that could be interpreted inconsistently
    by proxies and backends.
    
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    mcollina committed Mar 12, 2026
    74495c6
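The two request-construction checks from commits 5 and 7 (rejecting CR/LF in the upgrade value, and rejecting case-variant duplicate content-length and host headers when headers are passed as a flat array), shown in a hypothetical HTTP/1.1 request-head serializer. This is an added example, not undici's code: `isValidHeaderValue` and `isValidHeaderName` here are this example's own versions, not undici's, and `buildRequestHead`, `tryBuild` and the error messages are assumptions.

```javascript
// Added example (not undici's code): request-head serialization with the
// checks from the commits above. All names here are this example's own.

// RFC 9110 §5.5: a field value never contains CR, LF or NUL. Without this
// check, 'websocket\r\nX-Forwarded-Host: attacker.example' ends one header
// line and starts another on the wire.
function isValidHeaderValue(value) {
  return typeof value === 'string' && !/[\r\n\0]/.test(value);
}

// RFC 9110 §5.6.2 token characters for a field name.
function isValidHeaderName(name) {
  return typeof name === 'string' && /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name);
}

// headers is a flat [name, value, name, value, ...] array, the form the
// duplicate check in the commit covers.
function buildRequestHead({ method = 'GET', path = '/', upgrade, headers = [] }) {
  if (upgrade !== undefined && !isValidHeaderValue(upgrade)) {
    throw new TypeError('invalid upgrade header');
  }
  if (!Array.isArray(headers) || headers.length % 2 !== 0) {
    throw new TypeError('headers array must be [name, value, ...] pairs');
  }
  let seenHost = false;
  let seenContentLength = false;
  const lines = [];
  for (let i = 0; i < headers.length; i += 2) {
    const name = headers[i];
    const value = headers[i + 1];
    if (!isValidHeaderName(name)) throw new TypeError(`invalid header name: ${JSON.stringify(name)}`);
    if (!isValidHeaderValue(value)) throw new TypeError(`invalid ${name} header value`);
    // Compare case-insensitively: 'Content-Length' and 'content-length' are the
    // same field, and two of them leave the message framing ambiguous.
    const key = name.toLowerCase();
    if (key === 'content-length') {
      if (seenContentLength) throw new TypeError('duplicate content-length header');
      if (!/^[0-9]+$/.test(value)) throw new TypeError('invalid content-length header');
      seenContentLength = true;
    } else if (key === 'host') {
      if (seenHost) throw new TypeError('duplicate host header');
      seenHost = true;
    }
    lines.push(`${name}: ${value}`);
  }
  if (upgrade !== undefined) lines.push('connection: upgrade', `upgrade: ${upgrade}`);
  return `${method} ${path} HTTP/1.1\r\n${lines.join('\r\n')}\r\n\r\n`;
}

// Returns the serialized head, or the rejection message, for one request.
function tryBuild(request) {
  try {
    return { ok: true, head: buildRequestHead(request) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Constructed inputs: one clean upgrade request and the shapes that are rejected.
function demo() {
  return {
    clean: tryBuild({ path: '/chat', upgrade: 'websocket', headers: ['host', 'example.com'] }),
    crlfUpgrade: tryBuild({ upgrade: 'websocket\r\nX-Forwarded-Host: attacker.example' }),
    dupContentLength: tryBuild({ method: 'POST', headers: ['Content-Length', '5', 'content-length', '10'] }),
    dupHost: tryBuild({ headers: ['Host', 'a.example', 'HOST', 'b.example'] }),
    crlfValue: tryBuild({ headers: ['host', 'example.com\r\nX-Injected: 1'] }),
  };
}
```

`demo().clean.head` is the only case that reaches the wire; each of the others is refused before serialization, which is the property that matters, since a proxy and an origin that disagree on which Content-Length to honour is exactly the request-smuggling setup the commit message describes.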
  8. Bumped v7.24.0 (#4887)

    Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
    github-actions[bot] authored Mar 12, 2026
    07a3906