Skip to content

deps: update undici to 8.4.0#63779

Merged
nodejs-github-bot merged 1 commit into
mainfrom
actions/truetools-update-undici
Jun 9, 2026
Merged

deps: update undici to 8.4.0#63779
nodejs-github-bot merged 1 commit into
mainfrom
actions/truetools-update-undici

Conversation

@nodejs-github-bot

@nodejs-github-bot nodejs-github-bot commented Jun 7, 2026

Copy link
Copy Markdown
Collaborator

This is an automated update of undici to 8.4.0.

@nodejs-github-bot nodejs-github-bot added the dependencies Pull requests that update a dependency file. label Jun 7, 2026
@nodejs-github-bot

nodejs-github-bot commented Jun 7, 2026

Copy link
Copy Markdown
Collaborator Author

Review requested:

  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added the needs-ci PRs that need a full CI run. label Jun 7, 2026
mcollina
mcollina approved these changes Jun 7, 2026
View reviewed changes

@mcollina mcollina left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm

@Renegade334 Renegade334 added dont-land-on-v22.x PRs that should not land on the v22.x-staging branch and should not be released in v22.x. dont-land-on-v24.x PRs that should not land on the v24.x-staging branch and should not be released in v24.x. labels Jun 7, 2026
@mcollina mcollina added semver-minor PRs that contain new features and should be released in the next minor version. commit-queue Add this label to land a pull request using GitHub Actions. labels Jun 7, 2026
@trivikr trivikr added the request-ci Add this label to start a Jenkins CI on a PR. label Jun 7, 2026
@github-actions github-actions Bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jun 7, 2026
@nodejs-github-bot

nodejs-github-bot commented Jun 7, 2026

Copy link
Copy Markdown
Collaborator Author

CI: https://ci.nodejs.org/job/node-test-pull-request/73956/

@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Jun 9, 2026
@nodejs-github-bot nodejs-github-bot merged commit c64f6af into main Jun 9, 2026
102 of 103 checks passed
@nodejs-github-bot

nodejs-github-bot commented Jun 9, 2026

Copy link
Copy Markdown
Collaborator Author

Landed in c64f6af

@nodejs-github-bot nodejs-github-bot deleted the actions/truetools-update-undici branch June 9, 2026 02:07
aduh95 pushed a commit that referenced this pull request Jun 16, 2026
@nodejs-github-bot @aduh95
deps: update undici to 8.4.0
2e6d039 
PR-URL: #63779
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Ulises GascΓ³n <ulisesgascongonzalez@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Matthew Aitken <maitken033380023@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
@aduh95 aduh95 removed the semver-minor PRs that contain new features and should be released in the next minor version. label Jun 17, 2026
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Jun 18, 2026
build(deps): update node.js to v26.3.1
9df51fd 
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [node](https://nodejs.org) ([source](https://github.com/nodejs/node)) | patch | `26.3.0` β†’ `26.3.1` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>nodejs/node (node)</summary>

### [`v26.3.1`](https://github.com/nodejs/node/releases/tag/v26.3.1): 2026-06-18, Version 26.3.1 (Current), @&#8203;aduh95

[Compare Source](nodejs/node@v26.3.0...v26.3.1)

This is a security release.

##### Notable Changes

- (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
- (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
- (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
- (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
- (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
- (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
- (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
- (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
- (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
- (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
- (CVE-2026-48936) permission: guard pipe open and chmod with net scope (RafaelGSS) – Low

##### Commits

- \[[`98fbc89211`](nodejs/node@98fbc89211)] - **(CVE-2026-48933)** **crypto**: guard WebCrypto cipher output length (Filip Skokan) [nodejs-private/node-private#878](https://github.com/nodejs-private/node-private/pull/878)
- \[[`110840f2c7`](nodejs/node@110840f2c7)] - **deps**: update llhttp to 9.4.2 (Antoine du Hamel) [nodejs-private/node-private#890](https://github.com/nodejs-private/node-private/pull/890)
- \[[`8d36d522b2`](nodejs/node@8d36d522b2)] - **deps**: update undici to 8.5.0 (Node.js GitHub Bot) [#&#8203;63903](nodejs/node#63903)
- \[[`2e6d03993a`](nodejs/node@2e6d03993a)] - **deps**: update undici to 8.4.0 (Node.js GitHub Bot) [#&#8203;63779](nodejs/node#63779)
- \[[`5a17d5b07a`](nodejs/node@5a17d5b07a)] - **deps**: update archs files for openssl-3.5.7 (Node.js GitHub Bot) [#&#8203;63820](nodejs/node#63820)
- \[[`362725d4e5`](nodejs/node@362725d4e5)] - **deps**: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) [#&#8203;63820](nodejs/node#63820)
- \[[`bd1214ab01`](nodejs/node@bd1214ab01)] - **(CVE-2026-48930)** **dns,net**: reject hostnames with embedded NUL bytes (Matteo Collina) [nodejs-private/node-private#868](https://github.com/nodejs-private/node-private/pull/868)
- \[[`bc0b53813e`](nodejs/node@bc0b53813e)] - **(CVE-2026-48931)** **http**: fix response queue poisoning in http.Agent (Matteo Collina) [nodejs-private/node-private#846](https://github.com/nodejs-private/node-private/pull/846)
- \[[`87d847bc70`](nodejs/node@87d847bc70)] - **(CVE-2026-48619)** **http2**: cap originSet size to prevent unbounded memory growth (Matteo Collina) [nodejs-private/node-private#855](https://github.com/nodejs-private/node-private/pull/855)
- \[[`9308084fcb`](nodejs/node@9308084fcb)] - **(CVE-2026-48615)** **lib,test**: redact proxy credentials in tunnel errors (Matteo Collina) [nodejs-private/node-private#867](https://github.com/nodejs-private/node-private/pull/867)
- \[[`a67dd46891`](nodejs/node@a67dd46891)] - **(CVE-2026-48936)** **permission**: guard pipe open and chmod with net scope (RafaelGSS) [nodejs-private/node-private#885](https://github.com/nodejs-private/node-private/pull/885)
- \[[`7057c3f16c`](nodejs/node@7057c3f16c)] - **(CVE-2026-48935)** **permission**: disable FileHandle utimes with permission model (RafaelGSS) [nodejs-private/node-private#873](https://github.com/nodejs-private/node-private/pull/873)
- \[[`6bc17a6b51`](nodejs/node@6bc17a6b51)] - **(CVE-2026-48617)** **permission**: handle process.chdir on writereport (RafaelGSS) [nodejs-private/node-private#870](https://github.com/nodejs-private/node-private/pull/870)
- \[[`c8668beff8`](nodejs/node@c8668beff8)] - **test**: add session reuse host verification regressions (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854)
- \[[`d1be630415`](nodejs/node@d1be630415)] - **(CVE-2026-48934)** **tls**: bind reusable sessions to authenticated host (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854)
- \[[`a14c158bb3`](nodejs/node@a14c158bb3)] - **(CVE-2026-48928)** **tls**: fix case-sensitive SNI context matching (Matteo Collina) [nodejs-private/node-private#857](https://github.com/nodejs-private/node-private/pull/857)
- \[[`ebda73470d`](nodejs/node@ebda73470d)] - **(CVE-2026-48618)** **tls**: normalize hostname for server identity checks (Matteo Collina) [nodejs-private/node-private#869](https://github.com/nodejs-private/node-private/pull/869)

</details>

---

### Configuration

πŸ“… **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Enabled.

β™» **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox.

πŸ”• **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMjcuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIyNy4xIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiLCJhdXRvbWF0aW9uOmJvdC1hdXRob3JlZCIsImRlcGVuZGVuY3ktdHlwZTo6cGF0Y2giXX0=-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mcollina mcollina mcollina approved these changes

@UlisesGascon UlisesGascon UlisesGascon approved these changes

@trivikr trivikr trivikr approved these changes

@RafaelGSS RafaelGSS RafaelGSS approved these changes

@KhafraDev KhafraDev KhafraDev approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file. dont-land-on-v22.x PRs that should not land on the v22.x-staging branch and should not be released in v22.x. dont-land-on-v24.x PRs that should not land on the v24.x-staging branch and should not be released in v24.x. needs-ci PRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

8 participants

@nodejs-github-bot @mcollina @UlisesGascon @trivikr @RafaelGSS @KhafraDev @Renegade334 @aduh95