Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: nodejs/undici
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v8.6.0
Choose a base ref
...
head repository: nodejs/undici
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v8.7.0
Choose a head ref
  • 16 commits
  • 32 files changed
  • 10 contributors

Commits on Jul 2, 2026

  1. Configuration menu
    Copy the full SHA
    5d1e53b View commit details
    Browse the repository at this point in the history
  2. Configuration menu
    Copy the full SHA
    b39c77d View commit details
    Browse the repository at this point in the history
  3. Configuration menu
    Copy the full SHA
    838b6cd View commit details
    Browse the repository at this point in the history
  4. fix(eventsource): set use-URL-credentials flag (#5489)

    Signed-off-by: Ram-blip <ramcruze2000@gmail.com>
    Ram-blip authored Jul 2, 2026
    Configuration menu
    Copy the full SHA
    2dc7e18 View commit details
    Browse the repository at this point in the history

Commits on Jul 3, 2026

  1. test: deflake connect-timeout watchdog (#5197)

    Co-authored-by: Carlos Fuentes <me@metcoder.dev>
    mcollina and metcoder95 authored Jul 3, 2026
    Configuration menu
    Copy the full SHA
    7ef4e84 View commit details
    Browse the repository at this point in the history
  2. Configuration menu
    Copy the full SHA
    3d78e1a View commit details
    Browse the repository at this point in the history
  3. fix: reject non-ascii octets in validateCookiePath (#5452)

    RFC 6265 section 4.1.1 defines path-value as <any CHAR except CTLs or
    ";">, where CHAR is a US-ASCII character (0x00-0x7F). validateCookiePath
    rejected control characters and ";" but accepted octets above 0x7E,
    unlike its sibling validators validateCookieName and validateCookieValue,
    which both reject code > 0x7E. Add the upper bound so non-ascii and C1
    control octets are rejected too.
    spokodev authored Jul 3, 2026
    Configuration menu
    Copy the full SHA
    4ea05a8 View commit details
    Browse the repository at this point in the history

Commits on Jul 4, 2026

  1. fix(readable): ignore late consume chunks (#5375)

    Drop chunks that arrive after a body consume helper has already finished and cleared its buffer. This preserves the existing AbortError rejection path without an extra synchronous TypeError.
    
    Signed-off-by: marko1olo <barsukdana@gmail.com>
    Co-authored-by: OpenAI Codex <codex@openai.com>
    marko1olo and codex authored Jul 4, 2026
    Configuration menu
    Copy the full SHA
    db34f5f View commit details
    Browse the repository at this point in the history
  2. fix(h2): destroy the stream on abort instead of relying on close() (#…

    …5462)
    
    When an in-flight HTTP/2 request is aborted, the client sends RST_STREAM via
    `stream.close()` and otherwise leaves teardown to the stream's async 'close'
    event (which runs `onRequestStreamClose` to drop references and release the
    native handle). On a busy, long-lived multiplexed session that 'close' event
    can fail to fire, leaving the native Http2Stream pinned (a V8 global handle)
    along with the entire request object graph it references — an unbounded
    per-aborted-request leak on connections that never close. The abort path's own
    comment already states the intent ("the stream gets destroyed"); close() alone
    doesn't guarantee it.
    
    Destroy the stream after close() so the handle is released deterministically.
    
    Adds a regression test asserting the stream is destroyed synchronously on abort
    (fails on the current close()-only path).
    
    Assisted-By: devx/dc4e1318-0193-4805-81ac-82466879ab08
    staylor authored Jul 4, 2026
    Configuration menu
    Copy the full SHA
    754742c View commit details
    Browse the repository at this point in the history
  3. fix: ignore an unparseable Set-Cookie Expires attribute (#5488)

    parseSetCookie assigned an Invalid Date to cookieAttributeList.expires when
    the Expires attribute failed to parse, instead of ignoring the attribute.
    RFC 6265bis 5.4.1 step 2 says to ignore the cookie-av when the date does not
    parse, which the adjacent code comment already stated. Only set expires when
    the parsed date is valid.
    spokodev authored Jul 4, 2026
    Configuration menu
    Copy the full SHA
    e529cab View commit details
    Browse the repository at this point in the history
  4. docs: add reproduction guide and update bug report template (#5451)

    * docs: add reproduction guide to CONTRIBUTING.md and update bug report template
    
    This adds a comprehensive Reproduction section to CONTRIBUTING.md with:
    - Guidelines for creating good bug reproductions
    - Standalone server pattern using createServer + Client
    - Fetch-based reproduction examples
    - Pool/Agent reproduction examples
    - Checklist for bug reporters
    
    The bug report template is updated to prominently request a standalone
    reproduction script and include structured Environment fields.
    
    * docs: address reproduction review comments
    
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    
    ---------
    
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    mcollina authored Jul 4, 2026
    Configuration menu
    Copy the full SHA
    c0007f4 View commit details
    Browse the repository at this point in the history
  5. fix(h2): guard onResponse against a 'response' event delivered after …

    …completion (#5440)
    
    * fix(h2): guard onResponse against a 'response' event delivered after completion
    
    The HTTP/2 'response' handler (onResponse) only guarded request.aborted
    before calling request.onResponseStart, while its sibling handlers onEnd
    and onTrailers also guard request.completed. A 'response' frame delivered
    after the request has already completed (a stream-teardown race that shows
    up under load on shared h2 sessions with GOAWAY / refused-stream churn)
    therefore calls onResponseStart post-completion, tripping its
    assert(!this.completed). Because it throws on the http2 stream's event
    tick, it surfaces as an uncaught exception and crashes the process.
    
    Add the same request.completed guard the other handlers already use.
    
    Signed-off-by: Scott Taylor <scott.c.taylor@mac.com>
    Assisted-By: devx/26cd7e09-2a13-4e79-9cd0-8191fff4dc7a
    
    * test(h2): cover 'response' delivered after request completion
    
    Regression test for the onResponse completed-guard. Drives the real
    onResponse handler (via connectH2) against a fake stream — mirroring
    test/http2-late-data.js — and emits a 'response' event after the request
    has completed. Without the guard this invokes request.onResponseStart,
    whose assert(!this.completed) throws on the http2 event tick and crashes
    the process; with the guard the stream is released and the event ignored.
    
    Fails against the pre-fix handler with the exact assert(!this.completed)
    AssertionError and passes with the fix.
    
    Refs: #5440
    Signed-off-by: Scott Taylor <scott.c.taylor@mac.com>
    Assisted-By: devx/26cd7e09-2a13-4e79-9cd0-8191fff4dc7a
    
    ---------
    
    Signed-off-by: Scott Taylor <scott.c.taylor@mac.com>
    staylor authored Jul 4, 2026
    Configuration menu
    Copy the full SHA
    e5b3364 View commit details
    Browse the repository at this point in the history
  6. fix(h2): requeue request on GOAWAY'd session instead of crashing (#5453)

    When a request is dispatched onto an HTTP/2 session that has already received
    a GOAWAY frame, ClientHttp2Session.request() throws ERR_HTTP2_GOAWAY_SESSION.
    requestStream caught it and fell through to session.destroy(err) +
    util.destroy(socket, err) + abort(err); the destroy-with-error on a socket
    whose 'error' listener is already detached re-emits 'error' and crashes the
    process via uncaughtException (observed in production on a high-volume h2
    client to servers that routinely GOAWAY to rotate connections).
    
    A GOAWAY'd session is the same situation as ERR_HTTP2_INVALID_SESSION — the
    peer won't accept new streams — so route it through the existing graceful
    branch (resetHttp2Session + requeueUnsentRequest) so the request retries on a
    fresh connection. Adds a regression test (stubs session.request to throw
    ERR_HTTP2_GOAWAY_SESSION); it fails on main and passes with the fix.
    
    
    Assisted-By: devx/86ca8ae7-2b51-4dd3-8382-dc6116301425
    
    Signed-off-by: Scott Taylor <scott.c.taylor@mac.com>
    staylor authored Jul 4, 2026
    Configuration menu
    Copy the full SHA
    0c08579 View commit details
    Browse the repository at this point in the history
  7. fix: add static buildDispatch method to RedirectHandler type definiti…

    …on (#5442)
    
    * fix: add static buildDispatch method to RedirectHandler type definition
    
    * Fix lint
    
    * add handlers test
    matthieusieben authored Jul 4, 2026
    Configuration menu
    Copy the full SHA
    cb30e58 View commit details
    Browse the repository at this point in the history
  8. fix: auto-detect HTTP proxy tunneling (#5116)

    * fix: auto-detect HTTP proxy tunneling
    
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    
    * test: enable proxy tunneling in bundle test
    
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    
    * fix: forward over HTTPS proxy per RFC 9112 §3.2.2
    
    Tunnel decision now depends on the request protocol only. HTTP requests
    through an HTTPS proxy use absolute-form request-target over TLS to the
    proxy instead of CONNECT, matching Node's built-in http.request and
    RFC 9112. HTTPS requests still tunnel via CONNECT.
    
    Http1ProxyWrapper pins the proxy SNI so the inner Client does not derive
    it from the rewritten Host header, and wraps ERR_TLS_CERT_ALTNAME_INVALID
    into SecureProxyConnectionError for parity with the tunneling path.
    
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    
    * ci: disable shared-builtin job pending nodejs/node sync
    
    The forwarding fix from #5116 is in undici main but the embedded undici
    in nodejs/node still expects the old semantics, so the shared-builtin
    build fails until Node.js 26 ships a release embedding the updated
    undici. Comment is left in place to re-enable for Node.js 26 at that
    point. Node.js 24 stays off as the change is not being backported.
    
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    
    * fix: force HTTP/1.1 for proxy forwarding
    
    * test: force tunneling for CONNECT regression
    
    ---------
    
    Signed-off-by: Matteo Collina <hello@matteocollina.com>
    mcollina authored Jul 4, 2026
    Configuration menu
    Copy the full SHA
    a8d1a95 View commit details
    Browse the repository at this point in the history
  9. Bumped v8.7.0 (#5501)

    Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
    github-actions[bot] authored Jul 4, 2026
    Configuration menu
    Copy the full SHA
    cb4c2f1 View commit details
    Browse the repository at this point in the history
Loading