chore(deps): update dependency undici@>=5.0.0 to v8 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
undici@>=5.0.0 (source)	^5.29.0 → ^8.2.0

---

Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion

CVE-2026-22036 / GHSA-g9mf-h72j-4rw9

More information

Details

Impact

The fetch() API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.

However, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation.

Patches

Upgrade to 7.18.2 or 6.23.0.

Workarounds

It is possible to apply an undici interceptor and filter long Content-Encoding sequences manually.

References

• https://hackerone.com/reports/3456148
• GHSA-gm62-xv2j-4w53
• https://curl.se/docs/CVE-2022-32206.html

Severity

• CVSS Score: 5.9 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9
• https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3
• https://nvd.nist.gov/vuln/detail/CVE-2026-22036
• https://github.com/advisories/GHSA-g9mf-h72j-4rw9

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Undici has an HTTP Request/Response Smuggling issue

CVE-2026-1525 / GHSA-2mjp-6q6p-2qxm

More information

Details

Impact

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:

• Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
• Applications that accept user-controlled header names without case-normalization

Potential consequences:

• Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
• HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

If upgrading is not immediately possible:

1. Validate header names: Ensure no duplicate Content-Length headers (case-insensitive) are present before passing headers to undici
2. Use object format: Pass headers as a plain object ({ 'content-length': '123' }) rather than an array, which naturally deduplicates by key
3. Sanitize user input: If headers originate from user input, normalize header names to lowercase and reject duplicates

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

References

• https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm
• https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• https://hackerone.com/reports/3556037
• https://cna.openjsf.org/security-advisories.html
• https://cwe.mitre.org/data/definitions/444.html
• https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6
• https://github.com/advisories/GHSA-2mjp-6q6p-2qxm

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation

CVE-2026-2229 / GHSA-v9p9-hfj2-hcw8

More information

Details

Impact

The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.

The vulnerability exists because:

1. The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
2. The createInflateRaw() call is not wrapped in a try-catch block
3. The resulting exception propagates up through the call stack and crashes the Node.js process

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8
• https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• https://hackerone.com/reports/3487486
• https://cna.openjsf.org/security-advisories.html
• https://datatracker.ietf.org/doc/html/rfc7692
• https://nodejs.org/api/zlib.html#class-zlibinflateraw
• https://github.com/advisories/GHSA-v9p9-hfj2-hcw8

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Undici has CRLF Injection in undici via upgrade option

CVE-2026-1527 / GHSA-4992-7rv2-5pvq

More information

Details

Impact

When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

1. Inject arbitrary HTTP headers
2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)

The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121
if (upgrade) {
  header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

Sanitize the upgrade option string before passing to undici:

function sanitizeUpgrade(value) {
  if (/[\r\n]/.test(value)) {
    throw new Error('Invalid upgrade value')
  }
  return value
}

client.request({
  upgrade: sanitizeUpgrade(userInput)
})

Severity

• CVSS Score: 4.6 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

References

• https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq
• https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• https://hackerone.com/reports/3487198
• https://cna.openjsf.org/security-advisories.html
• https://github.com/advisories/GHSA-4992-7rv2-5pvq

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression

CVE-2026-1526 / GHSA-vrm6-8vpv-qv8q

More information

Details

Description

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.

The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.

Impact

• Remote denial of service against any Node.js application using undici's WebSocket client
• A single compressed WebSocket frame of ~6 MB can decompress to ~1 GB or more
• Memory exhaustion occurs in native/external memory, bypassing V8 heap limits
• No application-level mitigation is possible as decompression occurs before message delivery

Patches

Users should upgrade to fixed versions.

Workarounds

No workaround are possible.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q
• https://nvd.nist.gov/vuln/detail/CVE-2026-1526
• https://hackerone.com/reports/3481206
• https://cna.openjsf.org/security-advisories.html
• https://datatracker.ietf.org/doc/html/rfc7692
• https://owasp.org/www-community/attacks/Denial_of_Service
• https://github.com/advisories/GHSA-vrm6-8vpv-qv8q

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nodejs/undici (undici@>=5.0.0)

v8.2.0

Compare Source

What's Changed

• chore: use native addAbortListener by @​trivikr in #​5021
• fix: fix the logic for the UNDICI_NO_WASM_SIMD environment variable by @​ShenHongFei in #​5026
• fix(http2): send body for non-expectsPayload methods with content by @​mcollina in #​5030
• fix(fetch): correct 'navigator' typo to 'navigate' in fetchFinale by @​deepview-autofix in #​5044
• fix(webidl): correct signed integer bounds in ConvertToInt by @​deepview-autofix in #​5038
• fix(fetch): use || for CRLF check in multipart formdata-parser by @​deepview-autofix in #​5049
• fix(websocket): correct argument order in WebSocketStream UTF-8 failure by @​deepview-autofix in #​5050
• fix(pool): propagate useH2c to connector when connections > 1 by @​SAY-5 in #​5031
• fix(cache): return immutable staleAt in milliseconds by @​deepview-autofix in #​5048
• fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing by @​deepview-autofix in #​5041
• fix(cache): evict oldest entries first in SqliteCacheStore prune by @​deepview-autofix in #​5039
• fix(socks5): correctly expand IPv6 '::' compressed notation by @​deepview-autofix in #​5046
• Remove unused func and unnecessary shim by @​tsctx in #​5053
• fix: reject malformed content-length request headers by @​trivikr in #​5060
• fix(request): reject NaN highWaterMark during option validation by @​trivikr in #​5062
• docs: fix broken links in docsify sidebar by @​maruthang in #​5065
• fix(fetch): prefer filename* over filename in multipart form-data by @​maruthang in #​5068
• fix(http2): reject websocket upgrades on non-200 responses by @​trivikr in #​5072
• feat: support username-only proxy authentication in ProxyAgent by @​rossilor95 in #​4935
• build(deps): bump uWebSockets.js from v20.58.0 to v20.64.0 in /benchmarks by @​dependabot[bot] in #​5083
• fix(client-h2): stop double-decrementing kOpenStreams on stream timeout by @​SAY-5 in #​5076
• fix(http2): reject upgrade streams closed before response headers by @​trivikr in #​5069
• fix(http2): allow GET and HEAD request bodies over h2 by @​trivikr in #​5058
• fix(cache): include query in cache key when opts.path is undefined by @​maruthang in #​5081
• fix: avoid premature cleanup of dispatcher in Agent by @​bienzaaron in #​5034
• fix(http2): record ping failures on the socket by @​trivikr in #​5075
• add undici security policy by @​mcollina in #​5056
• fix(mock): make filterCalls AND operator actually intersect results by @​deepview-autofix in #​5045
• fix(socks5): enforce authenticated state before CONNECT by @​trivikr in #​5097
• fix(cache): skip expired sqlite vary entries during lookup by @​trivikr in #​5095
• fix: enforce maxCachedSessions in TLS session cache by @​trivikr in #​5102
• fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly by @​trivikr in #​5099
• fix: handle invalid HTTP/2 connection headers (#​4356) by @​mcollina in #​5101
• fix(interceptor): add throwOnMaxRedirect to types and interceptor opts by @​maruthang in #​5066
• fix(websocket): avoid double-closing canceled stream readers by @​colinaaa in #​5105
• fix(cache): persist vary when updating sqlite cache entries by @​trivikr in #​5109
• refactor(h1): track HEAD keep-alive override as boolean by @​trivikr in #​5110
• client: cache llhttp wasm buffer view by @​trivikr in #​5115
• deps: update llhttp to 9.3.1 by @​mcollina in #​5113
• fix(http2): preserve accepted streams after GOAWAY by @​trivikr in #​5090
• fix: reuse parser WeakRef for timeout callbacks by @​trivikr in #​5125
• fix: stop buffering data after SOCKS5 connect by @​trivikr in #​5118
• perf(http2): avoid response header reserialization by @​trivikr in #​5085
• fix(cache): enforce sqlite maxCount after insert by @​trivikr in #​5112
• perf: reduce EventSourceStream parser allocations by @​trivikr in #​5032
• types(dispatcher): use OutgoingHttpHeaders for request headers by @​maruthang in #​5067
• cleanup: delete redundant .gitkeep file by @​shivarm in #​5133
• fix(http2): respect peer max concurrent streams by @​trivikr in #​5135
• test(http2): ensure websocket upgrade resumes queued requests by @​trivikr in #​5132
• test(mock): cover SnapshotAgent excludeUrls playback by @​maruthang in #​5080
• perf(client): parse h1 content-length statelessly by @​trivikr in #​5124
• perf(http2): reduce writeH2 per-request callback allocations by @​trivikr in #​5138
• chore(deps): add lockfile by @​aduh95 in #​5139
• perf: use byteLength property for binary body chunks by @​trivikr in #​5126
• fix(cache): allow streamed entries at maxEntrySize limit by @​trivikr in #​5129
• perf(http2): avoid cloning headers when removing status by @​trivikr in #​5127
• fix: validate H2CClient maxConcurrentStreams option by @​trivikr in #​5143
• perf: avoid redundant scans in BalancedPool dispatcher selection by @​trivikr in #​5146
• fix: replace stale pool clients under connection limit by @​trivikr in #​5145

New Contributors

• @​deepview-autofix made their first contribution in #​5044
• @​SAY-5 made their first contribution in #​5031
• @​maruthang made their first contribution in #​5065
• @​bienzaaron made their first contribution in #​5034

Full Changelog: nodejs/undici@v8.1.0...v8.2.0

v8.1.0

Compare Source

What's Changed

• feat: add configurable maxPayloadSize for WebSocket by @​mcollina in #​4955

Full Changelog: nodejs/undici@v8.0.3...v8.1.0

v8.0.3

Compare Source

What's Changed

• docs: add an Undici 7 to 8 migration guide by @​mcollina in #​4963
• chore: switch deferred promise with Promise.withResolvers() by @​trivikr in #​4972
• chore: remove zstd and markAsUncloneable feature probes by @​trivikr in #​4968
• test: remove obsolete nodeMajor/nodeMinor util exports by @​trivikr in #​4976
• chore: use Promise.withResolvers in SOCKS5 proxy agent by @​trivikr in #​4978
• build(deps-dev): bump esbuild from 0.27.7 to 0.28.0 by @​dependabot[bot] in #​4985
• build(deps-dev): bump proxy from 2.2.0 to 4.0.0 by @​dependabot[bot] in #​4987
• build(deps): bump got from 14.6.6 to 15.0.0 in /benchmarks by @​dependabot[bot] in #​4988
• chore: use Object.hasOwn for iterator checks by @​trivikr in #​4979
• doc: Update dump({ limit: Integer }) default value by @​samuel871211 in #​4981
• fix: avoid 401 failures for stream-backed request bodies by @​mcollina in #​4941
• test: remove unsupported Node version checks from fetch tests by @​trivikr in #​4977
• types: remove legacy AbortSignal alias now provided by @​types/node by @​trivikr in #​4995
• fix: remove stale constructor interceptors from types and pool options by @​trivikr in #​4994
• doc: update incorrect description of dump.maxSize by @​samuel871211 in #​4982
• ci: enable coverage for node.js 25 by @​shivarm in #​4980
• refactor: reuse wrapRequestBody in RedirectHandler by @​trivikr in #​4992
• fix: preserve connect option in H2CClient by @​trivikr in #​5000
• types: document Client and H2CClient option declarations by @​trivikr in #​4998
• fix: native WebSocket over H2 server after undici import by @​mcollina in #​4990
• chore(test): issue 3969 by @​rozzilla in #​5005
• fix(1270): throw descriptive error when opts.dispatcher–passed instance methods by @​rozzilla in #​5007
• docs: Change the default value of allowH2 in JSDoc by @​7hokerz in #​5009
• chore(test): cover issue 5014 by @​rozzilla in #​5015
• fix: prevent cache dedup key collision via unescaped delimiters by @​eddieran in #​5013
• fix(proxy agent): respect connectTimeout by @​rozzilla in #​5011

New Contributors

• @​7hokerz made their first contribution in #​5009
• @​eddieran made their first contribution in #​5013

Full Changelog: nodejs/undici@v8.0.2...v8.0.3

v8.0.2

Compare Source

What's Changed

• fix(websocket): fallback to HTTP/1.1 when H2 CONNECT is unavailable by @​mcollina in #​4966
• fix: release ref by @​mcollina in #​4965
• ci: reenable shared builtin CI tests by @​mcollina in #​4967

Full Changelog: nodejs/undici@v8.0.1...v8.0.2

v8.0.1

Compare Source

What's Changed

• Remove legacy handler wrappers by @​mcollina in #​4786
• fix: isolate global dispatcher v2 and add Dispatcher1Wrapper bridge by @​mcollina in #​4827
• fix: preserve request statusText and update h2 dispatch tests by @​mcollina in #​4830
• feat!: enable h2 by default by @​metcoder95 in #​4828
• fix(cache): preserve short-lived entries for revalidation by @​mcollina in #​4934
• fix: remove support for non-real Blob objects by @​mcollina in #​4937
• build(deps): bump github/codeql-action from 4.32.3 to 4.35.1 by @​dependabot[bot] in #​4953
• Undici 8 by @​mcollina in #​4916
• build(deps): bump hendrikmuhs/ccache-action from 1.2.19 to 1.2.22 by @​dependabot[bot] in #​4954
• doc: remove duplicate listItem of RetryHandler.md & RetryHandler.md by @​samuel871211 in #​4948
• fix: mirror the legacy global dispatcher for built-in fetch by @​mcollina in #​4962
• fix(websocket/stream): only enqueue parsed messages in WebSocketStream by @​colinaaa in #​4959

New Contributors

• @​colinaaa made their first contribution in #​4959

Full Changelog: nodejs/undici@v7.24.7...v8.0.1

v8.0.0

Compare Source

What's Changed

• Remove legacy handler wrappers by @​mcollina in #​4786
• fix: isolate global dispatcher v2 and add Dispatcher1Wrapper bridge by @​mcollina in #​4827
• fix: preserve request statusText and update h2 dispatch tests by @​mcollina in #​4830
• feat!: enable h2 by default by @​metcoder95 in #​4828
• fix(cache): preserve short-lived entries for revalidation by @​mcollina in #​4934
• fix: remove support for non-real Blob objects by @​mcollina in #​4937
• build(deps): bump github/codeql-action from 4.32.3 to 4.35.1 by @​dependabot[bot] in #​4953
• Undici 8 by @​mcollina in #​4916

Full Changelog: nodejs/undici@v7.24.7...v8.0.0

v7.25.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v7.24.8...v7.25.0

v7.24.8

Compare Source

What's Changed

• fix: backport 401 stream-backed body fix to v7.x by @​mcollina in #​5006

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

v7.24.7

Compare Source

What's Changed

• docs: update broken links in file "Dispatcher.md" by @​samuel871211 in #​4924
• doc: remove unused parameter redirectionLimitReached by @​samuel871211 in #​4933
• test: skip flaky macOS Node 20 cookie fetch cases by @​mcollina in #​4932
• fix(types): align Response with DOM fetch types by @​theamodhshetty in #​4867
• fix(types): Fix clone method type declaration to be an instance method rather than instance property by @​mistval in #​4925
• test: skip IPv6 tests when IPv6 is not available by @​mcollina in #​4939
• fix: correctly handle multi-value rawHeaders in fetch by @​mcollina in #​4938
• ignore AGENTS.md by @​mcollina in #​4942

New Contributors

• @​samuel871211 made their first contribution in #​4924
• @​mistval made their first contribution in #​4925

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

v7.24.6

Compare Source

What's Changed

• fix(test): client wasm compatible with clang 22 by @​rozzilla in #​4909
• fix(mock): improve error message when intercepts are exhausted by @​travisbreaks in #​4912
• fix(websocket): support open diagnostics over h2 by @​mcollina in #​4921
• fix: assume http/https scheme for scheme-less proxy env vars by @​travisbreaks in #​4914
• fix(cache): check Authorization on request headers per RFC 9111 §3.5 by @​metalix2 in #​4911
• fix: wrap kConnector call in try/catch to prevent client hang by @​veeceey in #​4834
• docs: clarify fetch and FormData pairing by @​mcollina in #​4922
• fix: support Connection header with connection-specific header names per RFC 7230 by @​mcollina in #​4775
• fix: avoid prototype collisions in parseHeaders by @​mcollina in #​4923
• build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @​dependabot[bot] in #​4926
• test: auto-init WPT submodule by @​mcollina in #​4930

New Contributors

• @​rozzilla made their first contribution in #​4909
• @​veeceey made their first contribution in #​4834

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

v7.24.5

Compare Source

What's Changed

• Formdata tests by @​KhafraDev in #​4902
• test: add unexpected disconnect guards to more client test files by @​samayer12 in #​4844
• fix(cache): only apply 1-year deleteAt for immutable responses by @​metalix2 in #​4913

New Contributors

• @​metalix2 made their first contribution in #​4913

Full Changelog: nodejs/undici@v7.24.4...v7.24.5

v7.24.4

Compare Source

What's Changed

• fix(fetch): handle URL credentials in dispatch path extraction by @​mcollina in #​4892

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

Compare Source

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in #​4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

Compare Source

What's Changed

• fix fetch path logic by @​KhafraDev in #​4890
• remove maxDecompressedMessageSize by @​KhafraDev in #​4891

Full Changelog: nodejs/undici@v7.24.1...v7.24.2

v7.24.1

Compare Source

v7.24.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v7.23.0...v7.24.0

v7.23.0

Compare Source

v7.22.0

Compare Source

What's Changed

• docs: fix syntax highlighting in WebSocket.md by @​styfle in #​4814
• fix: use OR operator in includesCredentials per WHATWG URL Standard by @​jackhax in #​4816
• feat(dispatcher/env-http-proxy-agent): strip leading dot and asterisk by @​SuperOleg39 in #​4676
• fix: route WebSocket upgrades through onRequestUpgrade by @​mcollina in #​4787
• build(deps-dev): bump esbuild from 0.25.12 to 0.27.3 by @​dependabot[bot] in #​4821
• fix(deduplicate): do not deduplicate non-safe methods by default by @​mcollina in #​4818
• feat: Support async cache stores in revalidation by @​marcopiraccini in #​4826

New Contributors

• @​jackhax made their first contribution in #​4816
• @​marcopiraccini made their first contribution in #​4826

Full Changelog: nodejs/undici@v7.21.0...v7.22.0

v7.21.0

Compare Source

What's Changed

• build(deps): bump actions/setup-node from 6.0.0 to 6.2.0 by @​dependabot[bot] in #​4796
• test: restore global dispatcher after fetch tests by @​mcollina in #​4790
• Add missing close method to WebSocketStream interface by @​piotr-cz in #​4802
• fix: error stream instead of canceling by @​KhafraDev in #​4804
• Fix clientTtl cleanup race in Agent by @​mcollina in #​4807
• feat(#​4230): Implement pingInterval for dispatching PING frames by @​metcoder95 in #​4296
• fix: handle undefined __filename in bundled environments by @​mcollina in #​4812
• fix: set finalizer only for fetch responses by @​tsctx in #​4803

New Contributors

• @​piotr-cz made their first contribution in #​4802

Full Changelog: nodejs/undici@v7.20.0...v7.21.0

v7.20.0

Compare Source

What's Changed

• fix: preserve fetch stack traces by @​mcollina in #​4778
• Fix error handling in MockPool example by @​dave-kennedy in #​4781
• feat: expose statusText in request() ResponseData by @​domenic in #​4784
• test: reduce retry-after invalid date flake by @​mcollina in #​4788
• extractBody fixes by @​KhafraDev in #​4791
• fix: MockAgent delayed response with AbortSignal (#​4693) by @​mcollina in #​4772
• fix: onParserTimeout potentially accessing undefined by @​vbfox in #​4758

New Contributors

• @​dave-kennedy made their first contribution in #​4781
• @​vbfox made their first contribution in #​4758

Full Changelog: nodejs/undici@v7.19.2...v7.20.0

v7.19.2

Compare Source

What's Changed

• Minor code cleanups to decompress interceptor by @​domenic in #​4754
• fix(h2): fix flaky stream end handling on macOS by @​mcollina in #​4762
• return response when receiving 401 instead of network error by @​KhafraDev in #​4769
• fix: properly close idle connections in test server cleanup by @​mcollina in #​4764
• fix: decode HTTP headers as latin1 instead of utf8 by @​mcollina in #​4768
• fix: submodule update by @​Uzlopak in #​4648
• build(deps): bump peter-evans/create-pull-request from 7.0.8 to 8.0.0 by @​dependabot[bot] in #​4720

New Contributors

• @​domenic made their first contribution in #​4754

Full Changelog: nodejs/undici@v7.19.1...v7.19.2

v7.19.1

Compare Source

What's Changed

• fix: use commit hash when generating release (#​4757) by @​fenichelar in #​4759
• fix fetch 401 loop by @​KhafraDev in #​4761

New Contributors

• @​fenichelar made their first contribution in #​4759

Full Changelog: nodejs/undici@v7.19.0...v7.19.1

v7.19.0

Compare Source

What's Changed

• fix: Handle FormData body type correctly in RetryAgent retried requests by @​eliotschu in #​4692
• feat(client): expose HTTP/2 flow-control options by @​pabloelisseo in #​4706
• Implement origin normalization in MockAgent for case-insensitivity and URL handling by @​SksOp in #​4731
• fix websocket basic auth by @​KhafraDev in #​4747
• fix(cache): regenerate stream from source when cache.match is called after GC by @​mcollina in #​4713
• chore: use testcontext for test:cache by @​Uzlopak in #​4571
• chore: use testcontext for subresource integrity tests by @​Uzlopak in #​4575
• feat(cache): add origins option for whitelist filtering by @​mcollina in #​4739
• ci: test shared-builtin only on Node.js 24 and 25 by @​mcollina in #​4746
• fix websocketstream open error by @​KhafraDev in #​4748

New Contributors

• @​eliotschu made their first contribution in #​4692
• @​pabloelisseo made their first contribution in #​4706
• @​SksOp made their first contribution in #​4731

Full Changelog: nodejs/undici@v7.18.2...v7.19.0

v7.18.2

Compare Source

What's Changed

• fix(decompress): limit Content-Encoding chain to 5 to prevent resourc… by @​mcollina in #​4729

Full Changelog: nodejs/undici@v7.18.1...v7.18.2

v7.18.1

[Compare

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for brilliant-pasca-3e80ec canceled.

Name	Link
🔨 Latest commit	d060568
🔍 Latest deploy log	https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/69ffc8439a02710008f1a3ac

[github-actions]

🚀 Performance Test Results

Test Configuration:

• VUs: 4
• Duration: 1m0s

Test Metrics:

• Requests/s: 52.71
• Iterations/s: 17.58
• Failed Requests: 0.00% (0 of 3170)

📜 Logs

> performance@1.0.0 run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test -k -q --vus 4 --duration 1m

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 1.1 MB 19 kB/s
     data_sent......................: 2.4 MB 41 kB/s
     http_req_blocked...............: avg=6µs      min=1.77µs   med=4.85µs   max=611µs    p(90)=6.01µs   p(95)=6.55µs  
     http_req_connecting............: avg=342ns    min=0s       med=0s       max=481.57µs p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=75.32ms  min=7.29ms   med=60.67ms  max=389.31ms p(90)=126.38ms p(95)=149.27ms
       { expected_response:true }...: avg=75.32ms  min=7.29ms   med=60.67ms  max=389.31ms p(90)=126.38ms p(95)=149.27ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 3170
     http_req_receiving.............: avg=79.35µs  min=25.94µs  med=71.92µs  max=2.03ms   p(90)=103.53µs p(95)=127.31µs
     http_req_sending...............: avg=33.85µs  min=8.52µs   med=25.64µs  max=1.79ms   p(90)=38.83µs  p(95)=52.14µs 
     http_req_tls_handshaking.......: avg=0s       min=0s       med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=75.21ms  min=7.14ms   med=60.59ms  max=389.15ms p(90)=126.29ms p(95)=149.16ms
     http_reqs......................: 3170   52.710847/s
     iteration_duration.............: avg=227.43ms min=154.86ms med=217.16ms max=804.82ms p(90)=279.66ms p(95)=310.08ms
     iterations.....................: 1057   17.575825/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4