Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: nodejs/undici
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v7.27.2
Choose a base ref
...
head repository: nodejs/undici
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v7.28.0
Choose a head ref
  • 14 commits
  • 34 files changed
  • 10 contributors

Commits on Jun 8, 2026

  1. fix: guard idle socket validation to skip fresh sockets

    References: GHSA-35p6-xmwp-9g52
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    Co-authored-by: Ulises Gascon <ulisesgascongonzalez@gmail.com>
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    mcollina and UlisesGascon committed Jun 8, 2026
    Configuration menu
    Copy the full SHA
    ea8930c View commit details
    Browse the repository at this point in the history
  2. fix: keep idle validation on native timers (#5397)

    * fix: keep idle validation on native timers
    
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    
    * test: wait for poisoned idle socket disconnect
    
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    
    ---------
    
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    (cherry picked from commit c9fbe9d)
    mcollina committed Jun 8, 2026
    Configuration menu
    Copy the full SHA
    8e4046e View commit details
    Browse the repository at this point in the history

Commits on Jun 10, 2026

  1. fix: keep idle validation on global timers

    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    (cherry picked from commit 9290322)
    mcollina committed Jun 10, 2026
    Configuration menu
    Copy the full SHA
    0fa8086 View commit details
    Browse the repository at this point in the history

Commits on Jun 11, 2026

  1. fix(cookies): preserve values and parse SameSite strictly

    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    (cherry picked from commit 5655ea4)
    mcollina committed Jun 11, 2026
    Configuration menu
    Copy the full SHA
    d0574cc View commit details
    Browse the repository at this point in the history
  2. fix(cache): trim qualified field names

    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    (cherry picked from commit cb105d7)
    mcollina committed Jun 11, 2026
    Configuration menu
    Copy the full SHA
    85a2405 View commit details
    Browse the repository at this point in the history

Commits on Jun 12, 2026

  1. fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin…

    … routing (#5041)
    
    The Socks5ProxyAgent stored a single Pool keyed implicitly to the first
    origin it saw and reused it for every subsequent request. When a second
    request targeted a different origin, it was dispatched through the
    existing pool whose connect callback tunnelled to the original origin,
    causing the request to reach the wrong host (and potentially leaking
    headers/credentials intended for origin B to origin A).
    
    Track pools in a Map keyed by origin so each origin gets its own pool
    and SOCKS5 tunnel.
    
    Signed-off-by: Nikita Skovoroda <chalkerx@gmail.com>
    Co-authored-by: Claude <noreply@anthropic.com>
    Co-authored-by: Nikita Skovoroda <chalkerx@gmail.com>
    (cherry picked from commit a516f87)
    3 people authored and mcollina committed Jun 12, 2026
    Configuration menu
    Copy the full SHA
    3805b8f View commit details
    Browse the repository at this point in the history
  2. fix(socks5): enforce authenticated state before CONNECT (#5097)

    (cherry picked from commit 1dec881)
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    trivikr authored and mcollina committed Jun 12, 2026
    Configuration menu
    Copy the full SHA
    376c8be View commit details
    Browse the repository at this point in the history
  3. fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (#…

    …5099)
    
    Assisted-by: openai:gpt-5.4
    
    Signed-off-by: Kamat, Trivikram <16024985+trivikr@users.noreply.github.com>
    (cherry picked from commit d76f932)
    trivikr authored and mcollina committed Jun 12, 2026
    Configuration menu
    Copy the full SHA
    9e1c743 View commit details
    Browse the repository at this point in the history
  4. fix(socks5): use configured connector in Socks5ProxyAgent (#5168)

    * fix: use configured connector in Socks5ProxyAgent
    
    Assisted-by: openai:gpt-5.5
    Signed-off-by: Kamat, Trivikram <16024985+trivikr@users.noreply.github.com>
    
    * test: use t.after in Socks5ProxyAgent custom connector test
    
    ---------
    
    Signed-off-by: Kamat, Trivikram <16024985+trivikr@users.noreply.github.com>
    (cherry picked from commit 1a45226)
    trivikr authored and mcollina committed Jun 12, 2026
    Configuration menu
    Copy the full SHA
    bc98c97 View commit details
    Browse the repository at this point in the history
  5. fix(socks5): preserve dispatch backpressure return value (#5166)

    Assited-by: openai:gpt-5.5
    
    Signed-off-by: Kamat, Trivikram <16024985+trivikr@users.noreply.github.com>
    (cherry picked from commit e2bc508)
    trivikr authored and mcollina committed Jun 12, 2026
    Configuration menu
    Copy the full SHA
    fcd642f View commit details
    Browse the repository at this point in the history
  6. fix: honor requestTls when proxy is SOCKS5

    ProxyAgent silently dropped opts.requestTls when the configured proxy
    URI was socks5:// (or socks://). Socks5ProxyAgent also lacked any
    equivalent of requestTls, so even constructed directly it had no way to
    configure target HTTPS TLS settings (ca, cert, key, rejectUnauthorized,
    servername).
    
    The inner connect callback called tls.connect with
    ...connectOpts.tls || {} but undici's internal connectOpts never
    populates a .tls field, so the spread was a dead expression.
    
    This change:
    - Forwards opts.requestTls from ProxyAgent to Socks5ProxyAgent.
    - Adds a requestTls constructor option on Socks5ProxyAgent stored in
      the kRequestTls symbol.
    - Applies it on the inner tls.connect for the target HTTPS upgrade,
      with socket overriding (must point at the SOCKS5 tunnel) and
      servername defaulting to targetHost but allowing user override
      to match the HTTP-proxy path semantics.
    - Documents the new option in Socks5ProxyAgent.md.
    - Adds two regression tests covering both the direct Socks5ProxyAgent
      path and the ProxyAgent forwarding path.
    
    Refs GHSA-vmh5-mc38-953g
    
    (cherry picked from commit 42d4955)
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    tonghuaroot authored and mcollina committed Jun 12, 2026
    Configuration menu
    Copy the full SHA
    04201f8 View commit details
    Browse the repository at this point in the history

Commits on Jun 13, 2026

  1. websocket: limit the number of fragments in a message

    Introduce the `maxFragments` option to limit the  number of fragments in
    a message. Without this limit, a remote peer could exploit structural
    wrapper overhead by sending many tiny fragments, consuming far more
    memory than the payload itself and crashing the process due to OOM. When
    the limit is hit, the connection is closed with close code 1008.
    
    Signed-off-by: Luigi Pinca <luigipinca@gmail.com>
    (cherry picked from commit 32dbf0b)
    lpinca authored and mcollina committed Jun 13, 2026
    Configuration menu
    Copy the full SHA
    8cb10f9 View commit details
    Browse the repository at this point in the history

Commits on Jun 15, 2026

  1. Backport WebSocket maxPayloadSize fixes to v7.x (#5423)

    * feat: add configurable maxPayloadSize for WebSocket (#4955)
    
    (cherry picked from commit bd91f86)
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    
    * test: fix flaky permessage-deflate limit timeout (#5229)
    
    (cherry picked from commit 9d82667)
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    
    * fix(websocket): enforce max payload size across fragments
    
    Account for previously received fragment bytes when checking WebSocket payload size limits, so fragmented messages cannot exceed maxPayloadSize by splitting the payload across frames.
    
    Add coverage for cumulative fragmented payload size enforcement.
    
    Co-authored-by: Matthew Aitken <maitken033380023@gmail.com>
    (cherry picked from commit b4c287b)
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    
    * websocket: handle empty fragments and stream limits
    
    Treat zero-byte frames as real fragments so fragmented messages can start
    with an empty frame and empty continuations still count toward
    maxFragments.
    
    Pass dispatcher WebSocket limits through to WebSocketStream's parser, add
    regression coverage for WebSocket and WebSocketStream fragment limits, make
    the fragment close tests wait for both endpoints, and fix the Client docs
    typo for maxFragments.
    
    Co-authored-by: Ulises Gascon <ulisesgascongonzalez@gmail.com>
    (cherry picked from commit c5ed787)
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    
    ---------
    
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    Co-authored-by: Matthew Aitken <maitken033380023@gmail.com>
    Co-authored-by: Luigi Pinca <luigipinca@gmail.com>
    Co-authored-by: Ulises Gascon <ulisesgascongonzalez@gmail.com>
    4 people authored Jun 15, 2026
    Configuration menu
    Copy the full SHA
    a027a4a View commit details
    Browse the repository at this point in the history
  2. Bumped v7.28.0 (#5430)

    Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
    github-actions[bot] authored Jun 15, 2026
    Configuration menu
    Copy the full SHA
    f9eba0a View commit details
    Browse the repository at this point in the history
Loading