-
-
Notifications
You must be signed in to change notification settings - Fork 802
Comparing changes
Open a pull request
base repository: nodejs/undici
base: v8.6.0
head repository: nodejs/undici
compare: v8.7.0
- 16 commits
- 32 files changed
- 10 contributors
Commits on Jul 2, 2026
-
Configuration menu - View commit details
-
Copy full SHA for 5d1e53b - Browse repository at this point
Copy the full SHA 5d1e53bView commit details -
Configuration menu - View commit details
-
Copy full SHA for b39c77d - Browse repository at this point
Copy the full SHA b39c77dView commit details -
Configuration menu - View commit details
-
Copy full SHA for 838b6cd - Browse repository at this point
Copy the full SHA 838b6cdView commit details -
fix(eventsource): set use-URL-credentials flag (#5489)
Signed-off-by: Ram-blip <ramcruze2000@gmail.com>
Configuration menu - View commit details
-
Copy full SHA for 2dc7e18 - Browse repository at this point
Copy the full SHA 2dc7e18View commit details
Commits on Jul 3, 2026
-
test: deflake connect-timeout watchdog (#5197)
Co-authored-by: Carlos Fuentes <me@metcoder.dev>
Configuration menu - View commit details
-
Copy full SHA for 7ef4e84 - Browse repository at this point
Copy the full SHA 7ef4e84View commit details -
Configuration menu - View commit details
-
Copy full SHA for 3d78e1a - Browse repository at this point
Copy the full SHA 3d78e1aView commit details -
fix: reject non-ascii octets in validateCookiePath (#5452)
RFC 6265 section 4.1.1 defines path-value as <any CHAR except CTLs or ";">, where CHAR is a US-ASCII character (0x00-0x7F). validateCookiePath rejected control characters and ";" but accepted octets above 0x7E, unlike its sibling validators validateCookieName and validateCookieValue, which both reject code > 0x7E. Add the upper bound so non-ascii and C1 control octets are rejected too.
Configuration menu - View commit details
-
Copy full SHA for 4ea05a8 - Browse repository at this point
Copy the full SHA 4ea05a8View commit details
Commits on Jul 4, 2026
-
fix(readable): ignore late consume chunks (#5375)
Drop chunks that arrive after a body consume helper has already finished and cleared its buffer. This preserves the existing AbortError rejection path without an extra synchronous TypeError. Signed-off-by: marko1olo <barsukdana@gmail.com> Co-authored-by: OpenAI Codex <codex@openai.com>
Configuration menu - View commit details
-
Copy full SHA for db34f5f - Browse repository at this point
Copy the full SHA db34f5fView commit details -
fix(h2): destroy the stream on abort instead of relying on close() (#…
…5462) When an in-flight HTTP/2 request is aborted, the client sends RST_STREAM via `stream.close()` and otherwise leaves teardown to the stream's async 'close' event (which runs `onRequestStreamClose` to drop references and release the native handle). On a busy, long-lived multiplexed session that 'close' event can fail to fire, leaving the native Http2Stream pinned (a V8 global handle) along with the entire request object graph it references — an unbounded per-aborted-request leak on connections that never close. The abort path's own comment already states the intent ("the stream gets destroyed"); close() alone doesn't guarantee it. Destroy the stream after close() so the handle is released deterministically. Adds a regression test asserting the stream is destroyed synchronously on abort (fails on the current close()-only path). Assisted-By: devx/dc4e1318-0193-4805-81ac-82466879ab08
Configuration menu - View commit details
-
Copy full SHA for 754742c - Browse repository at this point
Copy the full SHA 754742cView commit details -
fix: ignore an unparseable Set-Cookie Expires attribute (#5488)
parseSetCookie assigned an Invalid Date to cookieAttributeList.expires when the Expires attribute failed to parse, instead of ignoring the attribute. RFC 6265bis 5.4.1 step 2 says to ignore the cookie-av when the date does not parse, which the adjacent code comment already stated. Only set expires when the parsed date is valid.
Configuration menu - View commit details
-
Copy full SHA for e529cab - Browse repository at this point
Copy the full SHA e529cabView commit details -
docs: add reproduction guide and update bug report template (#5451)
* docs: add reproduction guide to CONTRIBUTING.md and update bug report template This adds a comprehensive Reproduction section to CONTRIBUTING.md with: - Guidelines for creating good bug reproductions - Standalone server pattern using createServer + Client - Fetch-based reproduction examples - Pool/Agent reproduction examples - Checklist for bug reporters The bug report template is updated to prominently request a standalone reproduction script and include structured Environment fields. * docs: address reproduction review comments Signed-off-by: Matteo Collina <hello@matteocollina.com> --------- Signed-off-by: Matteo Collina <hello@matteocollina.com>
Configuration menu - View commit details
-
Copy full SHA for c0007f4 - Browse repository at this point
Copy the full SHA c0007f4View commit details -
fix(h2): guard onResponse against a 'response' event delivered after …
…completion (#5440) * fix(h2): guard onResponse against a 'response' event delivered after completion The HTTP/2 'response' handler (onResponse) only guarded request.aborted before calling request.onResponseStart, while its sibling handlers onEnd and onTrailers also guard request.completed. A 'response' frame delivered after the request has already completed (a stream-teardown race that shows up under load on shared h2 sessions with GOAWAY / refused-stream churn) therefore calls onResponseStart post-completion, tripping its assert(!this.completed). Because it throws on the http2 stream's event tick, it surfaces as an uncaught exception and crashes the process. Add the same request.completed guard the other handlers already use. Signed-off-by: Scott Taylor <scott.c.taylor@mac.com> Assisted-By: devx/26cd7e09-2a13-4e79-9cd0-8191fff4dc7a * test(h2): cover 'response' delivered after request completion Regression test for the onResponse completed-guard. Drives the real onResponse handler (via connectH2) against a fake stream — mirroring test/http2-late-data.js — and emits a 'response' event after the request has completed. Without the guard this invokes request.onResponseStart, whose assert(!this.completed) throws on the http2 event tick and crashes the process; with the guard the stream is released and the event ignored. Fails against the pre-fix handler with the exact assert(!this.completed) AssertionError and passes with the fix. Refs: #5440 Signed-off-by: Scott Taylor <scott.c.taylor@mac.com> Assisted-By: devx/26cd7e09-2a13-4e79-9cd0-8191fff4dc7a --------- Signed-off-by: Scott Taylor <scott.c.taylor@mac.com>
Configuration menu - View commit details
-
Copy full SHA for e5b3364 - Browse repository at this point
Copy the full SHA e5b3364View commit details -
fix(h2): requeue request on GOAWAY'd session instead of crashing (#5453)
When a request is dispatched onto an HTTP/2 session that has already received a GOAWAY frame, ClientHttp2Session.request() throws ERR_HTTP2_GOAWAY_SESSION. requestStream caught it and fell through to session.destroy(err) + util.destroy(socket, err) + abort(err); the destroy-with-error on a socket whose 'error' listener is already detached re-emits 'error' and crashes the process via uncaughtException (observed in production on a high-volume h2 client to servers that routinely GOAWAY to rotate connections). A GOAWAY'd session is the same situation as ERR_HTTP2_INVALID_SESSION — the peer won't accept new streams — so route it through the existing graceful branch (resetHttp2Session + requeueUnsentRequest) so the request retries on a fresh connection. Adds a regression test (stubs session.request to throw ERR_HTTP2_GOAWAY_SESSION); it fails on main and passes with the fix. Assisted-By: devx/86ca8ae7-2b51-4dd3-8382-dc6116301425 Signed-off-by: Scott Taylor <scott.c.taylor@mac.com>
Configuration menu - View commit details
-
Copy full SHA for 0c08579 - Browse repository at this point
Copy the full SHA 0c08579View commit details -
fix: add static buildDispatch method to RedirectHandler type definiti…
…on (#5442) * fix: add static buildDispatch method to RedirectHandler type definition * Fix lint * add handlers test
Configuration menu - View commit details
-
Copy full SHA for cb30e58 - Browse repository at this point
Copy the full SHA cb30e58View commit details -
fix: auto-detect HTTP proxy tunneling (#5116)
* fix: auto-detect HTTP proxy tunneling Signed-off-by: Matteo Collina <hello@matteocollina.com> * test: enable proxy tunneling in bundle test Signed-off-by: Matteo Collina <hello@matteocollina.com> * fix: forward over HTTPS proxy per RFC 9112 §3.2.2 Tunnel decision now depends on the request protocol only. HTTP requests through an HTTPS proxy use absolute-form request-target over TLS to the proxy instead of CONNECT, matching Node's built-in http.request and RFC 9112. HTTPS requests still tunnel via CONNECT. Http1ProxyWrapper pins the proxy SNI so the inner Client does not derive it from the rewritten Host header, and wraps ERR_TLS_CERT_ALTNAME_INVALID into SecureProxyConnectionError for parity with the tunneling path. Signed-off-by: Matteo Collina <hello@matteocollina.com> * ci: disable shared-builtin job pending nodejs/node sync The forwarding fix from #5116 is in undici main but the embedded undici in nodejs/node still expects the old semantics, so the shared-builtin build fails until Node.js 26 ships a release embedding the updated undici. Comment is left in place to re-enable for Node.js 26 at that point. Node.js 24 stays off as the change is not being backported. Signed-off-by: Matteo Collina <hello@matteocollina.com> * fix: force HTTP/1.1 for proxy forwarding * test: force tunneling for CONNECT regression --------- Signed-off-by: Matteo Collina <hello@matteocollina.com>
Configuration menu - View commit details
-
Copy full SHA for a8d1a95 - Browse repository at this point
Copy the full SHA a8d1a95View commit details -
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for cb4c2f1 - Browse repository at this point
Copy the full SHA cb4c2f1View commit details
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v8.6.0...v8.7.0