-
-
Notifications
You must be signed in to change notification settings - Fork 802
Comparing changes
Open a pull request
base repository: nodejs/undici
base: v7.27.2
head repository: nodejs/undici
compare: v7.28.0
- 14 commits
- 34 files changed
- 10 contributors
Commits on Jun 8, 2026
-
fix: guard idle socket validation to skip fresh sockets
References: GHSA-35p6-xmwp-9g52 Signed-off-by: Matteo Collina <hello@matteocollina.com> Co-authored-by: Ulises Gascon <ulisesgascongonzalez@gmail.com> Signed-off-by: Matteo Collina <hello@matteocollina.com>
Configuration menu - View commit details
-
Copy full SHA for ea8930c - Browse repository at this point
Copy the full SHA ea8930cView commit details -
fix: keep idle validation on native timers (#5397)
* fix: keep idle validation on native timers Signed-off-by: Matteo Collina <hello@matteocollina.com> * test: wait for poisoned idle socket disconnect Signed-off-by: Matteo Collina <hello@matteocollina.com> --------- Signed-off-by: Matteo Collina <hello@matteocollina.com> (cherry picked from commit c9fbe9d)
Configuration menu - View commit details
-
Copy full SHA for 8e4046e - Browse repository at this point
Copy the full SHA 8e4046eView commit details
Commits on Jun 10, 2026
-
fix: keep idle validation on global timers
Signed-off-by: Matteo Collina <hello@matteocollina.com> (cherry picked from commit 9290322)
Configuration menu - View commit details
-
Copy full SHA for 0fa8086 - Browse repository at this point
Copy the full SHA 0fa8086View commit details
Commits on Jun 11, 2026
-
fix(cookies): preserve values and parse SameSite strictly
Signed-off-by: Matteo Collina <hello@matteocollina.com> (cherry picked from commit 5655ea4)
Configuration menu - View commit details
-
Copy full SHA for d0574cc - Browse repository at this point
Copy the full SHA d0574ccView commit details -
fix(cache): trim qualified field names
Signed-off-by: Matteo Collina <hello@matteocollina.com> (cherry picked from commit cb105d7)
Configuration menu - View commit details
-
Copy full SHA for 85a2405 - Browse repository at this point
Copy the full SHA 85a2405View commit details
Commits on Jun 12, 2026
-
fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin…
… routing (#5041) The Socks5ProxyAgent stored a single Pool keyed implicitly to the first origin it saw and reused it for every subsequent request. When a second request targeted a different origin, it was dispatched through the existing pool whose connect callback tunnelled to the original origin, causing the request to reach the wrong host (and potentially leaking headers/credentials intended for origin B to origin A). Track pools in a Map keyed by origin so each origin gets its own pool and SOCKS5 tunnel. Signed-off-by: Nikita Skovoroda <chalkerx@gmail.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Nikita Skovoroda <chalkerx@gmail.com> (cherry picked from commit a516f87)
Configuration menu - View commit details
-
Copy full SHA for 3805b8f - Browse repository at this point
Copy the full SHA 3805b8fView commit details -
fix(socks5): enforce authenticated state before CONNECT (#5097)
(cherry picked from commit 1dec881) Signed-off-by: Matteo Collina <hello@matteocollina.com>
Configuration menu - View commit details
-
Copy full SHA for 376c8be - Browse repository at this point
Copy the full SHA 376c8beView commit details -
fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (#…
Configuration menu - View commit details
-
Copy full SHA for 9e1c743 - Browse repository at this point
Copy the full SHA 9e1c743View commit details -
fix(socks5): use configured connector in Socks5ProxyAgent (#5168)
* fix: use configured connector in Socks5ProxyAgent Assisted-by: openai:gpt-5.5 Signed-off-by: Kamat, Trivikram <16024985+trivikr@users.noreply.github.com> * test: use t.after in Socks5ProxyAgent custom connector test --------- Signed-off-by: Kamat, Trivikram <16024985+trivikr@users.noreply.github.com> (cherry picked from commit 1a45226)
Configuration menu - View commit details
-
Copy full SHA for bc98c97 - Browse repository at this point
Copy the full SHA bc98c97View commit details -
fix(socks5): preserve dispatch backpressure return value (#5166)
Assited-by: openai:gpt-5.5 Signed-off-by: Kamat, Trivikram <16024985+trivikr@users.noreply.github.com> (cherry picked from commit e2bc508)
Configuration menu - View commit details
-
Copy full SHA for fcd642f - Browse repository at this point
Copy the full SHA fcd642fView commit details -
fix: honor requestTls when proxy is SOCKS5
ProxyAgent silently dropped opts.requestTls when the configured proxy URI was socks5:// (or socks://). Socks5ProxyAgent also lacked any equivalent of requestTls, so even constructed directly it had no way to configure target HTTPS TLS settings (ca, cert, key, rejectUnauthorized, servername). The inner connect callback called tls.connect with ...connectOpts.tls || {} but undici's internal connectOpts never populates a .tls field, so the spread was a dead expression. This change: - Forwards opts.requestTls from ProxyAgent to Socks5ProxyAgent. - Adds a requestTls constructor option on Socks5ProxyAgent stored in the kRequestTls symbol. - Applies it on the inner tls.connect for the target HTTPS upgrade, with socket overriding (must point at the SOCKS5 tunnel) and servername defaulting to targetHost but allowing user override to match the HTTP-proxy path semantics. - Documents the new option in Socks5ProxyAgent.md. - Adds two regression tests covering both the direct Socks5ProxyAgent path and the ProxyAgent forwarding path. Refs GHSA-vmh5-mc38-953g (cherry picked from commit 42d4955) Signed-off-by: Matteo Collina <hello@matteocollina.com>Configuration menu - View commit details
-
Copy full SHA for 04201f8 - Browse repository at this point
Copy the full SHA 04201f8View commit details
Commits on Jun 13, 2026
-
websocket: limit the number of fragments in a message
Introduce the `maxFragments` option to limit the number of fragments in a message. Without this limit, a remote peer could exploit structural wrapper overhead by sending many tiny fragments, consuming far more memory than the payload itself and crashing the process due to OOM. When the limit is hit, the connection is closed with close code 1008. Signed-off-by: Luigi Pinca <luigipinca@gmail.com> (cherry picked from commit 32dbf0b)
Configuration menu - View commit details
-
Copy full SHA for 8cb10f9 - Browse repository at this point
Copy the full SHA 8cb10f9View commit details
Commits on Jun 15, 2026
-
Backport WebSocket maxPayloadSize fixes to v7.x (#5423)
* feat: add configurable maxPayloadSize for WebSocket (#4955) (cherry picked from commit bd91f86) Signed-off-by: Matteo Collina <hello@matteocollina.com> * test: fix flaky permessage-deflate limit timeout (#5229) (cherry picked from commit 9d82667) Signed-off-by: Matteo Collina <hello@matteocollina.com> * fix(websocket): enforce max payload size across fragments Account for previously received fragment bytes when checking WebSocket payload size limits, so fragmented messages cannot exceed maxPayloadSize by splitting the payload across frames. Add coverage for cumulative fragmented payload size enforcement. Co-authored-by: Matthew Aitken <maitken033380023@gmail.com> (cherry picked from commit b4c287b) Signed-off-by: Matteo Collina <hello@matteocollina.com> * websocket: handle empty fragments and stream limits Treat zero-byte frames as real fragments so fragmented messages can start with an empty frame and empty continuations still count toward maxFragments. Pass dispatcher WebSocket limits through to WebSocketStream's parser, add regression coverage for WebSocket and WebSocketStream fragment limits, make the fragment close tests wait for both endpoints, and fix the Client docs typo for maxFragments. Co-authored-by: Ulises Gascon <ulisesgascongonzalez@gmail.com> (cherry picked from commit c5ed787) Signed-off-by: Matteo Collina <hello@matteocollina.com> --------- Signed-off-by: Matteo Collina <hello@matteocollina.com> Co-authored-by: Matthew Aitken <maitken033380023@gmail.com> Co-authored-by: Luigi Pinca <luigipinca@gmail.com> Co-authored-by: Ulises Gascon <ulisesgascongonzalez@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for a027a4a - Browse repository at this point
Copy the full SHA a027a4aView commit details -
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for f9eba0a - Browse repository at this point
Copy the full SHA f9eba0aView commit details
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v7.27.2...v7.28.0