[v24.x] deps: update undici to 7.28.0#63703
Closed
nodejs-github-bot wants to merge 60 commits into
Closed
Conversation
Signed-off-by: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: #63113 Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: RenΓ© <contact.9a5d6388@renegade334.me.uk> Reviewed-By: MichaΓ«l Zasso <targos@protonmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Signed-off-by: Marco Ippolito <marcoippolito54@gmail.com> PR-URL: #63033 Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: #62673 Reviewed-By: Daniel Lemire <daniel@lemire.me> Reviewed-By: Tobias NieΓen <tniessen@tnie.de> Reviewed-By: Edy Silva <edigleyssonsilva@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
- For imported CJS, if it's not customized by asynchronous hooks, make sure it won't use the quirky re-invented require in all cases. - When the imported CJS module is customized by synchronous hooks, in the synthetic module evalutation step, avoid calling the respective default step again. - Make the branching of loadCJSModuleWithModuleLoad() and loadCJSModuleWithSpecialRequire() more explicit, and fold the tentative fs read in the 'commonjs' translator into the share createCJSModuleWrap() helper instead of checking it twice in the same path. Signed-off-by: Joyee Cheung <joyeec9h3@gmail.com> PR-URL: #62920 Fixes: #63060 Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: GΓΌrgΓΌn DayΔ±oΔlu <hey@gurgun.day>
Signed-off-by: geeksilva97 <edigleyssonsilva@gmail.com> PR-URL: #63152 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: RenΓ© <contact.9a5d6388@renegade334.me.uk>
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #63131 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Map BoringSSL's native renegotiation failure to ERR_TLS_RENEGOTIATION_UNSUPPORTED when TLSSocket#renegotiate() is called. This avoids exposing an implementation-specific OpenSSL error when the TLS backend does not support caller-initiated renegotiation. Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63161 Reviewed-By: Tim Perry <pimterry@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Signed-off-by: James M Snell <jasnell@gmail.com> PR-URL: #63177 Reviewed-By: Tim Perry <pimterry@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
The Platform support section of the single-executable-applications doc listed `macOS` without qualifying which architecture is supported. SEA on x64 macOS is not supported and is skipped in CI; only arm64 macOS is exercised. Refs: #62893 Signed-off-by: mokashang <64570909+mokashang@users.noreply.github.com> PR-URL: #63181 Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
Signed-off-by: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: #63200 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Jacob Smith <jacob@frende.me> Reviewed-By: Chemi Atlow <chemi@atlow.co.il> Reviewed-By: Ulises GascΓ³n <ulisesgascongonzalez@gmail.com>
Ignore CLAUDE.md and AGENTS.md in .gitignore, and exclude them from markdown and ESLint linting. Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: #62612 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Ulises GascΓ³n <ulisesgascongonzalez@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Follow WHATWG streams spec update: whatwg/streams#1367 ReadableStreamBYOBRequest.view is always constructed as a Uint8Array. This changes the documented return type from ArrayBufferView to Uint8Array per the updated spec. Fixes: #62952 Signed-off-by: Jah-yee <166608075+Jah-yee@users.noreply.github.com> PR-URL: #63017 Reviewed-By: Mattias Buelens <mattias@buelens.com> Reviewed-By: Jason Zhang <xzha4350@gmail.com>
- Exclude routine dependency/WPT/bot PRs from the policy - Replace design document requirement with detailed PR description - Clarify dependency commit ordering for squash landing - Remove splitting strategies that contradict self-contained PRs - Add links from CONTRIBUTING.md, pull-requests.md, collaborator-guide.md Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: #62829 Fixes: #62752 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: GΓΌrgΓΌn DayΔ±oΔlu <hey@gurgun.day> Reviewed-By: Ruy Adorno <ruy@vlt.sh>
Signed-off-by: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: #63110 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
- Add `--help` / `-h` to `node inspect` covering both interactive and non-interactive probe modes. The help text is printed when `--help`/`-h` appears before any positional argument to avoid hijacking `--help` passed to a child script. - Improve the documentation of probe mode and add examples, explain same-location probe coalescing, TDZ caveat for let/const bindings, basename matching and exit code behavior. Also move it to a section parallel to interactive mode. Remove recommendation of evaluating structured expressions as that is prone to missing info in JSON mode. Drive-by: When probe mode exits due to invalid arguments, exit with `kInvalidCommandLineArgument` (9) instead of `kGenericUserError` (1). Signed-off-by: Joyee Cheung <joyeec9h3@gmail.com> PR-URL: #63201 Reviewed-By: Jan Martin <jan.krems@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Aviv Keller <me@aviv.sh>
Original commit message:
unix: fix pedantic compiler warnings (#5052)
Fixes: libuv/libuv#5051
Fixes: #63196
Refs: libuv/libuv#5052
Refs: libuv/libuv@a43e543
PR-URL: #63222
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Juan JosΓ© Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: RenΓ© <contact.9a5d6388@renegade334.me.uk>
Signed-off-by: geeksilva97 <edigleyssonsilva@gmail.com> PR-URL: #63204 Reviewed-By: RenΓ© <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Chemi Atlow <chemi@atlow.co.il> Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
Original commit message:
[wasm] Update WebAssembly.Exception JS API
WebIDL specifies the existence of a
`WebAssembly.Exception.prototype.stack` getter.
WebIDL also expects the constructor to have 2 parameters (plus an
optional one).
https://webassembly.github.io/spec/js-api/#exceptions
Bug: 336347912, 42204334
Change-Id: I128e976a84f942dcf9b93a157534b15fad0f9215
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7697976
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#106215}
Refs: v8/v8@435a2cd
PR-URL: #63136
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Mattias Buelens <mattias@buelens.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
1) Fixed macOS default for missing kSecTrustSettingsResult When kSecTrustSettingsResult is absent from a trust settings dictionary, Apple specifies kSecTrustSettingsResultTrustRoot as the default value. Previously, the trust result evaluation (deny check, self-issued check, TrustAsRoot check) was inside the block that only executed when kSecTrustSettingsResult was explicitly present. When the key was absent, the function fell through to return UNSPECIFIED, incorrectly rejecting self-signed certificates that should have been trusted via the default. Move the trust result evaluation outside the conditional block so the default value of kSecTrustSettingsResultTrustRoot flows through the same code path as explicit values. This aligns with Chromium's trust_store_mac.cc implementation. 2) Fix CFRelease leak in IsTrustDictionaryTrustedForPolicy: the CFDictionaryRef returned by SecPolicyCopyProperties(policy_ref) was not released when the policy OID matched kSecPolicyAppleSSL. 3) Deduplicate certificates: SecItemCopyMatching can return the same certificate from multiple keychains. 4) Filter expired certificates. Signed-off-by: deepak1556 <hop2deep@gmail.com> PR-URL: #62576 Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: GΓΌrgΓΌn DayΔ±oΔlu <hey@gurgun.day>
PR-URL: #63232 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Juan JosΓ© Arboleda <soyjuanarbol@gmail.com> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ulises GascΓ³n <ulisesgascongonzalez@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
PR-URL: #62823 Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: #63112 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: MichaΓ«l Zasso <targos@protonmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Aviv Keller <me@aviv.sh>
Signed-off-by: umuoy1 <burningdian@gmail.com> PR-URL: #62710 Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Vladimir Morozov <vmorozov@microsoft.com>
PR-URL: #63235 Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Signed-off-by: Mike McCready <66998419+MikeMcC399@users.noreply.github.com> PR-URL: #63187 Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: MichaΓ«l Zasso <targos@protonmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Signed-off-by: Mike McCready <66998419+MikeMcC399@users.noreply.github.com> PR-URL: #63211 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Stefan Stojanovic <stefan.stojanovic@janeasystems.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Signed-off-by: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: #63165 Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Signed-off-by: Robin Malfait <malfait.robin@gmail.com> PR-URL: #63247 Reviewed-By: RenΓ© <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
nodejs-github-bot
force-pushed
the
actions/v24.x-staging/tools-update-undici
branch
from
d50871d to
f0175ee
Compare
github-actions
Bot
removed
the
request-ci
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
aduh95
changed the title
aduh95
removed
the
commit-queue
Collaborator
Author
trivikr
added
the
author ready
nodejs-github-bot
changed the title
nodejs-github-bot
force-pushed
the
actions/v24.x-staging/tools-update-undici
branch
from
f0175ee to
4664362
Compare
aduh95
changed the title
github-actions
Bot
removed
the
request-ci
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
Collaborator
Author
aduh95
pushed a commit
that referenced
this pull request
Jun 16, 2026
PR-URL: #63703 Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Contributor
|
Landed in cf44df3 |
panva
pushed a commit
to panva/node
that referenced
this pull request
Jun 19, 2026
PR-URL: nodejs#63703 Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
rohitkumarankam
pushed a commit
to rohitkumarankam/forgejo
that referenced
this pull request
Jun 20, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [node](https://nodejs.org) ([source](https://github.com/nodejs/node)) | minor | `24.16.0` β `24.17.0` | --- ### Release Notes <details> <summary>nodejs/node (node)</summary> ### [`v24.17.0`](https://github.com/nodejs/node/releases/tag/v24.17.0): 2026-06-18, Version 24.17.0 'Krypton' (LTS), @​aduh95 [Compare Source](nodejs/node@v24.16.0...v24.17.0) This is a security release. ##### Notable Changes - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) β High - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) β High - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) β Medium - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) β Medium - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) β Medium - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) β Medium - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) β Medium - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 β Medium - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) β Low - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) β Low - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) β Low ##### Commits - \[[`9e4dfc7bba`](nodejs/node@9e4dfc7bba)] - **(CVE-2026-48933)** **crypto**: guard WebCrypto cipher output length (Filip Skokan) [nodejs-private/node-private#878](https://github.com/nodejs-private/node-private/pull/878) - \[[`cb2aed980c`](nodejs/node@cb2aed980c)] - **deps**: update llhttp to 9.4.2 (Antoine du Hamel) [nodejs-private/node-private#890](https://github.com/nodejs-private/node-private/pull/890) - \[[`a8a0d12875`](nodejs/node@a8a0d12875)] - **(CVE-2026-48937)** **deps**: fix integration issues with the latest nghttp2 (Tim Perry) [#​62891](nodejs/node#62891) - \[[`66e6203c1c`](nodejs/node@66e6203c1c)] - **(SEMVER-MAJOR)** **deps**: update nghttp2 to 1.69.0 (Node.js GitHub Bot) [#​62891](nodejs/node#62891) - \[[`dd627ced27`](nodejs/node@dd627ced27)] - **deps**: update archs files for openssl-3.5.7 (Node.js GitHub Bot) [#​63820](nodejs/node#63820) - \[[`684bae568f`](nodejs/node@684bae568f)] - **deps**: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) [#​63820](nodejs/node#63820) - \[[`3a631e7f83`](nodejs/node@3a631e7f83)] - **deps**: fix aix implicit declaration in OpenSSL (Abdirahim Musse) [#​62656](nodejs/node#62656) - \[[`cf44df3996`](nodejs/node@cf44df3996)] - **deps**: update undici to 7.28.0 (Node.js GitHub Bot) [#​63703](nodejs/node#63703) - \[[`138c70294b`](nodejs/node@138c70294b)] - **(CVE-2026-48930)** **dns,net**: reject hostnames with embedded NUL bytes (Matteo Collina) [nodejs-private/node-private#868](https://github.com/nodejs-private/node-private/pull/868) - \[[`be7e719c3f`](nodejs/node@be7e719c3f)] - **(CVE-2026-48931)** **http**: fix response queue poisoning in http.Agent (Matteo Collina) [nodejs-private/node-private#846](https://github.com/nodejs-private/node-private/pull/846) - \[[`cc7c11b4d1`](nodejs/node@cc7c11b4d1)] - **(CVE-2026-48619)** **http2**: cap originSet size to prevent unbounded memory growth (Matteo Collina) [nodejs-private/node-private#855](https://github.com/nodejs-private/node-private/pull/855) - \[[`9224427b92`](nodejs/node@9224427b92)] - **(CVE-2026-48615)** **lib,test**: redact proxy credentials in tunnel errors (Matteo Collina) [nodejs-private/node-private#867](https://github.com/nodejs-private/node-private/pull/867) - \[[`cf85d54839`](nodejs/node@cf85d54839)] - **(CVE-2026-48935)** **permission**: disable FileHandle utimes with permission model (RafaelGSS) [nodejs-private/node-private#873](https://github.com/nodejs-private/node-private/pull/873) - \[[`a1bbc24f96`](nodejs/node@a1bbc24f96)] - **(CVE-2026-48617)** **permission**: handle process.chdir on writereport (RafaelGSS) [nodejs-private/node-private#870](https://github.com/nodejs-private/node-private/pull/870) - \[[`e3723ff2d6`](nodejs/node@e3723ff2d6)] - **test**: add session reuse host verification regressions (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854) - \[[`a77af4867b`](nodejs/node@a77af4867b)] - **(CVE-2026-48934)** **tls**: bind reusable sessions to authenticated host (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854) - \[[`31beb4f707`](nodejs/node@31beb4f707)] - **(CVE-2026-48928)** **tls**: fix case-sensitive SNI context matching (Matteo Collina) [nodejs-private/node-private#857](https://github.com/nodejs-private/node-private/pull/857) - \[[`8e75c73f91`](nodejs/node@8e75c73f91)] - **(CVE-2026-48618)** **tls**: normalize hostname for server identity checks (Matteo Collina) [nodejs-private/node-private#869](https://github.com/nodejs-private/node-private/pull/869) </details> --- ### Configuration π **Schedule**: (UTC) - Branch creation - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`) - Automerge - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`) π¦ **Automerge**: Disabled by config. Please merge this manually once you are satisfied. β» **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. π **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMjIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIyMi4xIiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=--> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13144 Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is an automated update of undici to 7.28.0.