chore(deps): update dependency undici@>=5.0.0 to v6 [security] #3433

renovate · 2025-05-15T17:12:19Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici@>=5.0.0 (source)	`^5.28.5` -> `^6.21.2`

GitHub Vulnerability Alerts

CVE-2025-47279

Impact

Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.

Patches

This has been patched in https://github.com/nodejs/undici/pull/4088.

Workarounds

If a webhook fails, avoid keep calling it repeatedly.

References

Reported as: https://github.com/nodejs/undici/issues/3895

Release Notes

nodejs/undici (undici@>=5.0.0)

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

What's Changed

fix(#3736): back-port 183f8e9 to v6.x by @ggoodman in https://github.com/nodejs/undici/pull/3855
fix(#3817): send servername for SNI on TLS (#3821) [backport] by @metcoder95 in https://github.com/nodejs/undici/pull/3864
fix: sending formdata bodies with http2 (#3863) [backport] by @metcoder95 in https://github.com/nodejs/undici/pull/3866
[Backport v6.x] fix: Fixed the issue that there is no running request when http2 goaway by @github-actions in https://github.com/nodejs/undici/pull/3877
types: [backport] Update return type of RetryCallback (#3851) by @metcoder95 in https://github.com/nodejs/undici/pull/3876

Full Changelog: nodejs/undici@v6.21.0...v6.21.1

`v6.21.0`

Compare Source

What's Changed

[Backport v6.x] web: mark as uncloneable when possible (#3709) by @jazelly in https://github.com/nodejs/undici/pull/3744
[Backport v6.x] fetch: fix content-encoding order by @github-actions in https://github.com/nodejs/undici/pull/3764
[Backport v6.x] fix: handle undefined deref() of WeakRef(socket) by @github-actions in https://github.com/nodejs/undici/pull/3822
[Backport v6.x] fix: range end is zero-indexed by @github-actions in https://github.com/nodejs/undici/pull/3827

Full Changelog: nodejs/undici@v6.20.1...v6.21.0

`v6.20.1`

Compare Source

What's Changed

[Backport v6.x] jsdoc: add jsdoc to lib/web/fetch/constants.js by @github-actions in https://github.com/nodejs/undici/pull/3710
[Backport v6.x] feat: implement BodyReadable.bytes by @github-actions in https://github.com/nodejs/undici/pull/3711
fix: add more expectsPayload methods by @ronag in https://github.com/nodejs/undici/pull/3715
[Backport v6.x] chore(H2): onboard H2 into Undici queueing system (#3707) by @Uzlopak in https://github.com/nodejs/undici/pull/3724
[Backport v6.x] fix: PoolBase kClose and kDestroy should await and not return the Promise by @github-actions in https://github.com/nodejs/undici/pull/3723
[Backport v6.x] fix: extract noop everywhere by @Uzlopak in https://github.com/nodejs/undici/pull/3727

Full Changelog: nodejs/undici@v6.20.0...v6.20.1

`v6.20.0`

Compare Source

What's Changed

Remove patched dom types (v6.x branch) by @eXhumer in https://github.com/nodejs/undici/pull/3531
docs(Backport v6.x): Fix signature of RetryHandler by @github-actions in https://github.com/nodejs/undici/pull/3594
deps(dev): update @types/node by @metcoder95 in https://github.com/nodejs/undici/pull/3618
fix: throw on retry when payload is consume by downstream by @github-actions in https://github.com/nodejs/undici/pull/3596
feat(Backport v6.x): move throwOnError to interceptor by @github-actions in https://github.com/nodejs/undici/pull/3595
[Backport v6.x] fix: reduce memory usage in client-h1 by @github-actions in https://github.com/nodejs/undici/pull/3672
[Backport v6.x] fix: refactor fast timers, fix UND_ERR_CONNECT_TIMEOUT on event loop blocking by @github-actions in https://github.com/nodejs/undici/pull/3673
[Backport v6.x] fix: run asserts first if possible by @github-actions in https://github.com/nodejs/undici/pull/3674
[Backport v6.x] fix: use fasttimers for all connection timeouts by @github-actions in https://github.com/nodejs/undici/pull/3675
[Backport v6.x] ci: less flaky test/request-timeout.js test by @github-actions in https://github.com/nodejs/undici/pull/3678
[Backport v6.x] test: less flaky timers acceptance test, rework fast timer tests to pass them faster by @github-actions in https://github.com/nodejs/undici/pull/3679
[Backport v6.x] ignore leading and trailing crlfs in formdata body by @github-actions in https://github.com/nodejs/undici/pull/3681
[Backport v6.x] mock: fix mocking of Uint8Array and ArrayBuffers as provided mock-responses by @github-actions in https://github.com/nodejs/undici/pull/3689
[Backport v6.x] handle body errors by @Uzlopak in https://github.com/nodejs/undici/pull/3700

Full Changelog: nodejs/undici@v6.19.8...v6.20.0

`v6.19.8`

Compare Source

Full Changelog: nodejs/undici@v6.19.7...v6.19.8

`v6.19.7`

Compare Source

Full Changelog: nodejs/undici@v6.19.6...v6.19.7

`v6.19.6`

Compare Source

Full Changelog: nodejs/undici@v6.19.5...v6.19.6

`v6.19.5`

Compare Source

Full Changelog: nodejs/undici@v6.19.4...v6.19.5

`v6.19.4`

Compare Source

Full Changelog: nodejs/undici@v6.19.3...v6.19.4

`v6.19.3`

Compare Source

Full Changelog: nodejs/undici@v6.19.2...v6.19.3

`v6.19.2`

Compare Source

What's Changed

fix #3337 by @KhafraDev in https://github.com/nodejs/undici/pull/3338
build: use husky as husky install is deprecated by @jazelly in https://github.com/nodejs/undici/pull/3340
fix: interceptors.d.ts has no default export by @Uzlopak in https://github.com/nodejs/undici/pull/3332

Full Changelog: nodejs/undici@v6.19.1...v6.19.2

`v6.19.1`

Compare Source

What's Changed

don't append empty origin by @KhafraDev in https://github.com/nodejs/undici/pull/3335

Full Changelog: nodejs/undici@v6.19.0...v6.19.1

`v6.19.0`

Compare Source

What's Changed

build(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @dependabot in https://github.com/nodejs/undici/pull/3305
build(deps): bump codecov/codecov-action from 4.3.1 to 4.4.1 by @dependabot in https://github.com/nodejs/undici/pull/3303
build(deps): bump step-security/harden-runner from 2.7.1 to 2.8.0 by @dependabot in https://github.com/nodejs/undici/pull/3304
build(deps): bump github/codeql-action from 3.25.3 to 3.25.7 by @dependabot in https://github.com/nodejs/undici/pull/3306
build(deps): bump node from 9e8f45f to dd7e693 in /build by @dependabot in https://github.com/nodejs/undici/pull/3309
build(deps): bump node from dd7e693 to e6d4495 in /build by @dependabot in https://github.com/nodejs/undici/pull/3313
remove websocket experimental warning by @KhafraDev in https://github.com/nodejs/undici/pull/3311
perf: optimization of request instantiation by @tsctx in https://github.com/nodejs/undici/pull/3107
perf: convert object to params by @DarkGL in https://github.com/nodejs/undici/pull/3302
build(deps-dev): bump borp from 0.14.0 to 0.15.0 by @dependabot in https://github.com/nodejs/undici/pull/3320
build(deps-dev): bump c8 from 9.1.0 to 10.0.0 by @dependabot in https://github.com/nodejs/undici/pull/3321
fix: add missing error classes to types by @maxbeatty in https://github.com/nodejs/undici/pull/3316
export interceptor to type def file by @jakecastelli in https://github.com/nodejs/undici/pull/3318
build(deps): bump node from e6d4495 to 075a5cc in /build by @dependabot in https://github.com/nodejs/undici/pull/3326
doc: clearify the behaviour of bodyTimeout in the request by @jakecastelli in https://github.com/nodejs/undici/pull/3324
feature: support pre-shared sessions by @tastypackets in https://github.com/nodejs/undici/pull/3325

New Contributors

@maxbeatty made their first contribution in https://github.com/nodejs/undici/pull/3316
@jakecastelli made their first contribution in https://github.com/nodejs/undici/pull/3318

Full Changelog: nodejs/undici@v6.18.2...v6.19.0

`v6.18.2`

Compare Source

What's Changed

don't use internal header state for cookies by @KhafraDev in https://github.com/nodejs/undici/pull/3295
build(deps-dev): bump borp from 0.13.0 to 0.14.0 by @dependabot in https://github.com/nodejs/undici/pull/3298
fix: retry on body support by @metcoder95 in https://github.com/nodejs/undici/pull/3294

Full Changelog: nodejs/undici@v6.18.1...v6.18.2

`v6.18.1`

Compare Source

What's Changed

docs: Update references to dispatcher in docs by @haikyuu in https://github.com/nodejs/undici/pull/3281
fix: compatibility for global headers by @tsctx in https://github.com/nodejs/undici/pull/3286
websocket: pre-calculated length by @tsctx in https://github.com/nodejs/undici/pull/3284
ci: fix autobahn workflow by @Uzlopak in https://github.com/nodejs/undici/pull/3291
revert: "websocket: pre-calculated length" by @KhafraDev in https://github.com/nodejs/undici/pull/3290
websocket: use FixedQueue instead of Set by @tsctx in https://github.com/nodejs/undici/pull/3283

New Contributors

@haikyuu made their first contribution in https://github.com/nodejs/undici/pull/3281

Full Changelog: nodejs/undici@v6.18.0...v6.18.1

`v6.18.0`

Compare Source

What's Changed

permessage-deflate decompression support in websocket by @KhafraDev in https://github.com/nodejs/undici/pull/3263
fix: Fix server closing in tests. by @ShogunPanda in https://github.com/nodejs/undici/pull/3279

Full Changelog: nodejs/undici@v6.17.0...v6.18.0

`v6.17.0`

Compare Source

What's Changed

fetch: fix captureStackTrace by @Uzlopak in https://github.com/nodejs/undici/pull/3227
fetch: fix wpt test request-upload.any.js by @Uzlopak in https://github.com/nodejs/undici/pull/3234
websocket: don't clone buffer by @tsctx in https://github.com/nodejs/undici/pull/3240
Remove unecessary async from writeBuffer by @DarkGL in https://github.com/nodejs/undici/pull/3245
refactor websocket control frame handling by @KhafraDev in https://github.com/nodejs/undici/pull/3241
fix parsing continuation frames in websocket by @KhafraDev in https://github.com/nodejs/undici/pull/3247
ci: node nightly test should use node 23 by @Uzlopak in https://github.com/nodejs/undici/pull/3248
Add test to verify if the connection is correctly aborted on cancel by @mcollina in https://github.com/nodejs/undici/pull/3219
Autobahn suite by @KhafraDev in https://github.com/nodejs/undici/pull/3251
websocket: fix 6 autobahn tests by @KhafraDev in https://github.com/nodejs/undici/pull/3254
websocket: checkout correct commit in autobahn workflow by @Uzlopak in https://github.com/nodejs/undici/pull/3258
Cleanup websocket by @KhafraDev in https://github.com/nodejs/undici/pull/3257
websocket: autobahn workflow should fail on error by @Uzlopak in https://github.com/nodejs/undici/pull/3259
add bodymixin bytes by @KhafraDev in https://github.com/nodejs/undici/pull/3262
perf: avoid buffer cloning by @tsctx in https://github.com/nodejs/undici/pull/3264
feat: dump interceptor by @metcoder95 in https://github.com/nodejs/undici/pull/3118
use private properties in Headers by @KhafraDev in https://github.com/nodejs/undici/pull/3269
Revert "websocket: autobahn workflow should fail on error" by @Uzlopak in https://github.com/nodejs/undici/pull/3270
build(deps): bump node from 487dc5d to 9e8f45f in /build by @dependabot in https://github.com/nodejs/undici/pull/3271

New Contributors

@DarkGL made their first contribution in https://github.com/nodejs/undici/pull/3245

Full Changelog: nodejs/undici@v6.16.1...v6.17.0

`v6.16.1`

Compare Source

What's Changed

fix some typos by @Uzlopak in https://github.com/nodejs/undici/pull/3217
websocket: move codeblock in parseCloseBody by @Uzlopak in https://github.com/nodejs/undici/pull/3215
fetch: enable wpt test request-referrer.any.js by @Uzlopak in https://github.com/nodejs/undici/pull/3223
fetch: wpt add /fetch/api/resources/cache.py to server.mjs by @Uzlopak in https://github.com/nodejs/undici/pull/3225
add pipe support for wpt server by @KhafraDev in https://github.com/nodejs/undici/pull/3228
test: reduce the number of requests in fire-and-forget.js by @tsctx in https://github.com/nodejs/undici/pull/3229
ci: add node 22 in ci test matrix, use 22 for coverage by @Uzlopak in https://github.com/nodejs/undici/pull/3226
fetch: don't set an invalid origin header by @KhafraDev in https://github.com/nodejs/undici/pull/3235
fail wpt runner if expected failures does not match actual by @KhafraDev in https://github.com/nodejs/undici/pull/3236
fix: ignore content-length when dumping HEAD by @ronag in https://github.com/nodejs/undici/pull/3222

Full Changelog: nodejs/undici@v6.16.0...v6.16.1

`v6.16.0`

Compare Source

What's Changed

add index to sequence converter errors by @KhafraDev in https://github.com/nodejs/undici/pull/3178
build(deps-dev): bump borp from 0.12.0 to 0.13.0 by @dependabot in https://github.com/nodejs/undici/pull/3179
build(deps): bump node from 21-alpine3.19 to 22-alpine3.19 in /build by @dependabot in https://github.com/nodejs/undici/pull/3180
build(deps): bump superagent from 8.1.2 to 9.0.2 in /benchmarks by @dependabot in https://github.com/nodejs/undici/pull/3181
fix: keep raw header name by @tsctx in https://github.com/nodejs/undici/pull/3183
fix(fetch): improve Headers and Request type-compatibility by @kettanaito in https://github.com/nodejs/undici/pull/1964
fix 3 mimesniff tests by @KhafraDev in https://github.com/nodejs/undici/pull/3185
build(deps): bump hendrikmuhs/ccache-action from 1.2.12 to 1.2.13 by @dependabot in https://github.com/nodejs/undici/pull/3187
build(deps): bump codecov/codecov-action from 4.1.1 to 4.3.1 by @dependabot in https://github.com/nodejs/undici/pull/3191
build(deps): bump github/codeql-action from 3.24.9 to 3.25.3 by @dependabot in https://github.com/nodejs/undici/pull/3192
build(deps): bump actions/dependency-review-action from 4.2.5 to 4.3.2 by @dependabot in https://github.com/nodejs/undici/pull/3189
build(deps): bump step-security/harden-runner from 2.7.0 to 2.7.1 by @dependabot in https://github.com/nodejs/undici/pull/3188
build(deps): bump actions/upload-artifact from 4.3.1 to 4.3.3 by @dependabot in https://github.com/nodejs/undici/pull/3190
build(deps): bump node from 9459e24 to 487dc5d in /build by @dependabot in https://github.com/nodejs/undici/pull/3195
perf: avoid spread in makeRequest() by @gunjam in https://github.com/nodejs/undici/pull/3193
refactor: code cleanup by @tsctx in https://github.com/nodejs/undici/pull/3194
fix parsing when receiving empty body websocket by @KhafraDev in https://github.com/nodejs/undici/pull/3205
fix: MockResponseCallbackOptions type by @merojosa in https://github.com/nodejs/undici/pull/2951
docs(proxy): fix typo by @kanadgupta in https://github.com/nodejs/undici/pull/3207
fix websocket receiving an invalid utf-8 in close frame by @KhafraDev in https://github.com/nodejs/undici/pull/3206
perf: avoid setImmediate if body is reading by @ronag in https://github.com/nodejs/undici/pull/3210
fix: request abort signal by @ronag in https://github.com/nodejs/undici/pull/3209
fix: remove abort handler on close by @ronag in https://github.com/nodejs/undici/pull/3211
fix: pass abort function by @tsctx in https://github.com/nodejs/undici/pull/3212
websocket: 200x faster generate mask by @tsctx in https://github.com/nodejs/undici/pull/3204
use FinalizationRegistry to cancel the body if response is collected by @mcollina in https://github.com/nodejs/undici/pull/3199
websocket: don't clone buffer if it's not needed. by @tsctx in https://github.com/nodejs/undici/pull/3214
websocket: use FastBuffer by @tsctx in https://github.com/nodejs/undici/pull/3213

New Contributors

@kettanaito made their first contribution in https://github.com/nodejs/undici/pull/1964
@gunjam made their first contribution in https://github.com/nodejs/undici/pull/3193
@merojosa made their first contribution in https://github.com/nodejs/undici/pull/2951
@kanadgupta made their first contribution in https://github.com/nodejs/undici/pull/3207

Full Changelog: nodejs/undici@v6.15.0...v6.16.0

`v6.15.0`

Compare Source

What's Changed

Expose EnvHttpProxyAgent to Node.js core bundle, so it can be turned … by @mcollina in https://github.com/nodejs/undici/pull/3148
test: add headerslist copy check by @tsctx in https://github.com/nodejs/undici/pull/3156
chore: ensure automated v6 release compared to v6 by @mweberxyz in https://github.com/nodejs/undici/pull/3149
fetch: do not leak signal listeners by @mcollina in https://github.com/nodejs/undici/pull/3158
fix: request cache mode is not the same as request mode by @tsibley in https://github.com/nodejs/undici/pull/3151
fetch: don't re-lowercase HeadersList by @tsctx in https://github.com/nodejs/undici/pull/3159
fix casing issue when cloning Headers object by @KhafraDev in https://github.com/nodejs/undici/pull/3160
build(deps): bump node from 6d0f18a to db8772d in /build by @dependabot in https://github.com/nodejs/undici/pull/3163
fix header cloning bug by @tsctx in https://github.com/nodejs/undici/pull/3162
chore: change bench naming for h2 by @metcoder95 in https://github.com/nodejs/undici/pull/3165
expose WebSocket related events in node bundle by @KhafraDev in https://github.com/nodejs/undici/pull/3167
feat: add support for if-match on retry handler by @metcoder95 in https://github.com/nodejs/undici/pull/3144
fix: correct firing order of abort events by @tsctx in https://github.com/nodejs/undici/pull/3169
create fast MessageEvent by @KhafraDev in https://github.com/nodejs/undici/pull/3170
chore: add explicitly @fastify/busboy by @Uzlopak in https://github.com/nodejs/undici/pull/3172
chore: remove sinon as dev dependency by @Uzlopak in https://github.com/nodejs/undici/pull/3171
webidl changes by @KhafraDev in https://github.com/nodejs/undici/pull/3175
preserve dictionary key name in webidl errors by @KhafraDev in https://github.com/nodejs/undici/pull/3176

New Contributors

@tsibley made their first contribution in https://github.com/nodejs/undici/pull/3151

Full Changelog: nodejs/undici@v6.14.1...v6.15.0

`v6.14.1`

Compare Source

What's Changed

fix: tweak keep-alive timeout implementation by @mweberxyz in https://github.com/nodejs/undici/pull/3145
build(deps-dev): bump borp from 0.11.0 to 0.12.0 by @dependabot in https://github.com/nodejs/undici/pull/3153
build(deps): bump node from ad255c6 to 6d0f18a in /build by @dependabot in https://github.com/nodejs/undici/pull/3154
fix(EnvHttpProxyAgent): prefer lowercase env vars by @10xLaCroixDrinker in https://github.com/nodejs/undici/pull/3152

Full Changelog: nodejs/undici@v6.14.0...v6.14.1

`v6.14.0`

Compare Source

What's Changed

bench: enable benchmarks for h2 by @metcoder95 in https://github.com/nodejs/undici/pull/3100
perf: improve performance of isomorphicEncode by @tsctx in https://github.com/nodejs/undici/pull/3101
util: remove isReadableAborted by @Uzlopak in https://github.com/nodejs/undici/pull/3104
fix(types): The second parameter of EventSource is optional by @zbinlin in https://github.com/nodejs/undici/pull/3106
fix: onConnect types by @ronag in https://github.com/nodejs/undici/pull/3116
add dispatcher option to EventSource by @KhafraDev in https://github.com/nodejs/undici/pull/3119
core: improve parseURL by @Uzlopak in https://github.com/nodejs/undici/pull/3102
test: increase coverage by @Uzlopak in https://github.com/nodejs/undici/pull/3121
docs: add directions to run docs and benchmarks by @FatumaA in https://github.com/nodejs/undici/pull/3092
perf: avoid unnecessary clone by @tsctx in https://github.com/nodejs/undici/pull/3117
build(deps-dev): bump borp from 0.10.0 to 0.11.0 by @dependabot in https://github.com/nodejs/undici/pull/3126
drop node support for < v18.17.0 by @KhafraDev in https://github.com/nodejs/undici/pull/3125
test: improve test and ci performance by @Uzlopak in https://github.com/nodejs/undici/pull/3135
Added EnvHttpProxyAgent to support HTTP_PROXY by @10xLaCroixDrinker in https://github.com/nodejs/undici/pull/2994
fetch: Change wording of "Body is unusable" error by @nzakas in https://github.com/nodejs/undici/pull/3105
perf: use class instead of object literals with getters by @tsctx in https://github.com/nodejs/undici/pull/3138
fix: unhandled exception or failing error body by @ronag in https://github.com/nodejs/undici/pull/3137
reuse realm for Request/Response by @KhafraDev in https://github.com/nodejs/undici/pull/3142
fix(H2-#3140): abort requets upon GOAWAY by @metcoder95 in https://github.com/nodejs/undici/pull/3143
don't store realm on Request/Response by @KhafraDev in https://github.com/nodejs/undici/pull/3146
improve: wasm build by @Uzlopak in https://github.com/nodejs/undici/pull/3074

New Contributors

@10xLaCroixDrinker made their first contribution in https://github.com/nodejs/undici/pull/2994
@nzakas made their first contribution in https://github.com/nodejs/undici/pull/3105

Full Changelog: nodejs/undici@v6.13.0...v6.14.0

`v6.13.0`

Compare Source

What's Changed

build(deps): bump node from 9696b26 to ad255c6 in /build by @dependabot in https://github.com/nodejs/undici/pull/3073
test: remove only by @metcoder95 in https://github.com/nodejs/undici/pull/3077
fix: defer errors with setImmediate by @ronag in https://github.com/nodejs/undici/pull/3081
improve DecoratorHandler by @Uzlopak in https://github.com/nodejs/undici/pull/3079
chore: removed unused escapeFormDataName by @mcollina in https://github.com/nodejs/undici/pull/3084
Mention option to pass streams into FormData by @JaoodxD in https://github.com/nodejs/undici/pull/3086
fetch: improve performance of isValidEncodedURL by @Uzlopak in https://github.com/nodejs/undici/pull/3090
optimize utf8Decode by @Uzlopak in https://github.com/nodejs/undici/pull/3085
refactor: h2 refactoring by @metcoder95 in https://github.com/nodejs/undici/pull/3082
Skip the creation of a transform stream in fetch by @mcollina in https://github.com/nodejs/undici/pull/3093
fetch: improve performance of urlHasHttpsScheme by @Uzlopak in https://github.com/nodejs/undici/pull/3094
fetch: avoid creation of an intermediary ReadableStream by @KhafraDev in https://github.com/nodejs/undici/pull/3095
test: duplicate jest unspecific tests to native runner by @Uzlopak in https://github.com/nodejs/undici/pull/3075
build(deps): bump node from ad255c6 to 6d0f18a in /build by @dependabot in https://github.com/nodejs/undici/pull/3096
fetch: improve performance of isValidHeaderValue by @Uzlopak in https://github.com/nodejs/undici/pull/3098
chore: automate releases with pr by @mweberxyz in https://github.com/nodejs/undici/pull/3089

New Contributors

@github-actions made their first contribution in https://github.com/nodejs/undici/pull/3099

Full Changelog: nodejs/undici@v6.12.0...v6.13.0

`v6.12.0`

Compare Source

What's Changed

fix: broken test by @tsctx in https://github.com/nodejs/undici/pull/3045
fix: http2 header parsing by @climba03003 in https://github.com/nodejs/undici/pull/3047
types: fix Request.refererPolicy and RequestInit.refererPolicy are incompatible by @zbinlin in https://github.com/nodejs/undici/pull/3039
fix(types): onHeaders always takes headers as an array of buffer by @ronag in https://github.com/nodejs/undici/pull/3050
fix: ProxyAgent causes request.headers.host to be forcibly reset by @1zilc in https://github.com/nodejs/undici/pull/3026
fallback to Buffer.isUtf8 on platforms without icu by @KhafraDev in https://github.com/nodejs/undici/pull/3006
build(deps): bump github/codeql-action from 3.24.6 to 3.24.9 by @dependabot in https://github.com/nodejs/undici/pull/3037
build(deps): bump actions/dependency-review-action from 4.1.3 to 4.2.5 by @dependabot in https://github.com/nodejs/undici/pull/3035
build(deps): bump node from 577f8eb to 87524df in /build by @dependabot in https://github.com/nodejs/undici/pull/3055
build(deps): bump node from 87524df to 9696b26 in /build by @dependabot in https://github.com/nodejs/undici/pull/3058
fetch: Block ports 4190 & 6679 by @KhafraDev in https://github.com/nodejs/undici/pull/3059
test: activate testing for interceptors and cache by @Uzlopak in https://github.com/nodejs/undici/pull/3061
cache: improve test coverage by @Uzlopak in https://github.com/nodejs/undici/pull/3063
feat: modernize fuzzing by @Uzlopak in https://github.com/nodejs/undici/pull/3060
fix: request abort by @ronag in https://github.com/nodejs/undici/pull/3056
fix: signal handling by @ronag in https://github.com/nodejs/undici/pull/3053
fix(H2): handle goaway properly by @metcoder95 in https://github.com/nodejs/undici/pull/3057
test: client, set body to null if bigger than CHUNK_LIMIT by @Uzlopak in https://github.com/nodejs/undici/pull/3064
mock: improve mock interceptor by @Uzlopak in https://github.com/nodejs/undici/pull/3062
fix: bad client destroy on servername change by @ronag in https://github.com/nodejs/undici/pull/3066
perf: improve isBlobLike by @Uzlopak in https://github.com/nodejs/undici/pull/3070
test: add sanity check for llhttp wasm files by @Uzlopak in https://github.com/nodejs/undici/pull/3068

New Contributors

@zbinlin made their first contribution in https://github.com/nodejs/undici/pull/3039
@1zilc made their first contribution in https://github.com/nodejs/undici/pull/3026

Full Changelog: nodejs/undici@v6.11.1...v6.12.0

`v6.11.1`

Compare Source

⚠️ Security Release ⚠️

What's Changed

Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261
Revert "fix: don't leak internal class (#3024)" by @mcollina in https://github.com/nodejs/undici/pull/3044

Full Changelog: nodejs/undici@v6.11.0...v6.11.1

`v6.11.0`

Compare Source

What's Changed

refactor(#3023): Pass headers as array instead by @metcoder95 in https://github.com/nodejs/undici/pull/3025
fix: don't leak internal class by @ronag in https://github.com/nodejs/undici/pull/3024
build(deps): bump codecov/codecov-action from 4.1.0 to 4.1.1 by @dependabot in https://github.com/nodejs/undici/pull/3034
build(deps-dev): bump tsd from 0.30.7 to 0.31.0 by @dependabot in https://github.com/nodejs/undici/pull/3038
build(deps-dev): bump borp from 0.9.1 to 0.10.0 by @dependabot in https://github.com/nodejs/undici/pull/2947
missing commits by @ronag in https://github.com/nodejs/undici/pull/3040
build(deps): bump actions/checkout from 4.1.1 to 4.1.2 by @dependabot in https://github.com/nodejs/undici/pull/3036
fix: regexp pattern by @tsctx in https://github.com/nodejs/undici/pull/3041

Full Changelog: nodejs/undici@v6.10.2...v6.11.0

`v6.10.2`

Compare Source

What's Changed

Do not fail test if streams support typed arrays by @mcollina in https://github.com/nodejs/undici/pull/2978
fix(fetch): properly redirect non-ascii location header url by @Xvezda in https://github.com/nodejs/undici/pull/2971
perf: Remove double-stringify in setCookie by @peterver in https://github.com/nodejs/undici/pull/2980
[fix #2982] use DispatcherInterceptor type for Dispatcher#Compose by @clovis-guillemot in https://github.com/nodejs/undici/pull/2983
fix: make EventSource properties enumerable by @MattBidewell in https://github.com/nodejs/undici/pull/2987
docs: ✏️ fixed benchmark links by @benhalverson in https://github.com/nodejs/undici/pull/2991
fix(#2986): bad start check by @metcoder95 in https://github.com/nodejs/undici/pull/2992
fix(H2 Client): bind stream 'data' listener only after received 'response' event by @St3ffGv4 in [https://github.com/fix(H2 Client): bind stream 'data' listener only after received 'response' event nodejs/undici#2985](https://redi

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

netlify · 2025-05-15T17:12:25Z

✅ Deploy Preview for brilliant-pasca-3e80ec canceled.

Name	Link
🔨 Latest commit	`2836e59`
🔍 Latest deploy log	https://app.netlify.com/projects/brilliant-pasca-3e80ec/deploys/6858460f50c62b00084eeb3c

github-actions · 2025-05-15T17:16:47Z

🚀 Performance Test Results

Test Configuration:

VUs: 4
Duration: 1m0s

Test Metrics:

Requests/s: 44.23
Iterations/s: 14.76
Failed Requests: 0.00% (0 of 2661)

📜 Logs


> [email protected] run-tests:testenv /home/runner/work/rafiki/rafiki/test/performance
> ./scripts/run-tests.sh -e test "-k" "-q" "--vus" "4" "--duration" "1m"

Cloud Nine GraphQL API is up: http://localhost:3101/graphql
Cloud Nine Wallet Address is up: http://localhost:3100/
Happy Life Bank Address is up: http://localhost:4100/
cloud-nine-wallet-test-backend already set
cloud-nine-wallet-test-auth already set
happy-life-bank-test-backend already set
happy-life-bank-test-auth already set
     data_received..................: 928 kB 15 kB/s
     data_sent......................: 1.9 MB 31 kB/s
     http_req_blocked...............: avg=6.1µs    min=2.56µs  med=5µs      max=472.29µs p(90)=6.2µs    p(95)=6.62µs  
     http_req_connecting............: avg=409ns    min=0s      med=0s       max=441.85µs p(90)=0s       p(95)=0s      
     http_req_duration..............: avg=89.79ms  min=8.57ms  med=74.85ms  max=518.43ms p(90)=152.85ms p(95)=176.45ms
       { expected_response:true }...: avg=89.79ms  min=8.57ms  med=74.85ms  max=518.43ms p(90)=152.85ms p(95)=176.45ms
     http_req_failed................: 0.00%  ✓ 0         ✗ 2661
     http_req_receiving.............: avg=78.34µs  min=27.64µs med=71.54µs  max=1.02ms   p(90)=106.44µs p(95)=129.63µs
     http_req_sending...............: avg=33.24µs  min=10.47µs med=26.56µs  max=1.48ms   p(90)=39.1µs   p(95)=50.43µs 
     http_req_tls_handshaking.......: avg=0s       min=0s      med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=89.68ms  min=8.44ms  med=74.69ms  max=518.34ms p(90)=152.74ms p(95)=176.37ms
     http_reqs......................: 2661   44.232587/s
     iteration_duration.............: avg=270.63ms min=175.8ms med=257.77ms max=1.02s    p(90)=328.99ms p(95)=357.58ms
     iterations.....................: 888    14.760818/s
     vus............................: 4      min=4       max=4 
     vus_max........................: 4      min=4       max=4

renovate bot added the dependencies Pull requests that update a dependency label May 15, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch from 1ab9d89 to 188110b Compare May 19, 2025 18:00

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to v6 [security]~~ chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security] May 19, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch from 188110b to 342c16d Compare May 20, 2025 00:06

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security]~~ chore(deps): update dependency undici@>=5.0.0 to v6 [security] May 20, 2025

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to v6 [security]~~ chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security] May 28, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch 2 times, most recently from 573fbd1 to 14ab84d Compare May 28, 2025 18:45

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security]~~ chore(deps): update dependency undici@>=5.0.0 to v6 [security] May 28, 2025

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to v6 [security]~~ chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security] May 28, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch 2 times, most recently from 00f2fe9 to 206e9aa Compare May 29, 2025 02:41

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security]~~ chore(deps): update dependency undici@>=5.0.0 to v6 [security] May 29, 2025

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to v6 [security]~~ chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security] Jun 4, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch 2 times, most recently from 4a09574 to c263937 Compare June 4, 2025 11:51

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security]~~ chore(deps): update dependency undici@>=5.0.0 to v6 [security] Jun 4, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch from c263937 to d1055ba Compare June 6, 2025 02:04

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to v6 [security]~~ chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security] Jun 6, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch from d1055ba to 1d7e00a Compare June 6, 2025 23:38

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security]~~ chore(deps): update dependency undici@>=5.0.0 to v6 [security] Jun 6, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch from 1d7e00a to 2bb744d Compare June 9, 2025 11:57

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to v6 [security]~~ chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security] Jun 9, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch from 2bb744d to e69ee53 Compare June 9, 2025 15:05

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security]~~ chore(deps): update dependency undici@>=5.0.0 to v6 [security] Jun 9, 2025

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to v6 [security]~~ chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security] Jun 9, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch 2 times, most recently from bb8eb47 to 6eeaf30 Compare June 9, 2025 22:36

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security]~~ chore(deps): update dependency undici@>=5.0.0 to v6 [security] Jun 9, 2025

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to v6 [security]~~ chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security] Jun 10, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch 2 times, most recently from 97c56f8 to 18ace2f Compare June 10, 2025 12:25

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security]~~ chore(deps): update dependency undici@>=5.0.0 to v6 [security] Jun 10, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch from 18ace2f to a386793 Compare June 12, 2025 17:02

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to v6 [security]~~ chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security] Jun 12, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch from a386793 to 5bfdae5 Compare June 12, 2025 17:21

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security]~~ chore(deps): update dependency undici@>=5.0.0 to v6 [security] Jun 12, 2025

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to v6 [security]~~ chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security] Jun 13, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch 2 times, most recently from a218dfb to bb33e83 Compare June 13, 2025 19:45

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security]~~ chore(deps): update dependency undici@>=5.0.0 to v6 [security] Jun 13, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch from bb33e83 to 17f0399 Compare June 17, 2025 18:35

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to v6 [security]~~ chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security] Jun 17, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch from 17f0399 to 97c0a26 Compare June 17, 2025 22:47

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security]~~ chore(deps): update dependency undici@>=5.0.0 to v6 [security] Jun 17, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch from 97c0a26 to 8cc8fdc Compare June 18, 2025 11:30

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to v6 [security]~~ chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security] Jun 18, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch from 8cc8fdc to 8463443 Compare June 18, 2025 16:57

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security]~~ chore(deps): update dependency undici@>=5.0.0 to v6 [security] Jun 18, 2025

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch from 8463443 to d7e4bdc Compare June 22, 2025 15:05

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to v6 [security]~~ chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security] Jun 22, 2025

chore(deps): update dependency undici@>=5.0.0 to v6 [security]

2836e59

renovate bot force-pushed the renovate-npm-undici>=5.0.0-vulnerability branch from d7e4bdc to 2836e59 Compare June 22, 2025 18:06

renovate bot changed the title ~~chore(deps): update dependency undici@>=5.0.0 to ^5.29.0 [security]~~ chore(deps): update dependency undici@>=5.0.0 to v6 [security] Jun 22, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): update dependency undici@>=5.0.0 to v6 [security] #3433

chore(deps): update dependency undici@>=5.0.0 to v6 [security] #3433

renovate bot commented May 15, 2025 •

edited

Loading

Uh oh!

netlify bot commented May 15, 2025 •

edited

Loading

Uh oh!

github-actions bot commented May 15, 2025 •

edited

Loading

Uh oh!

Uh oh!

chore(deps): update dependency undici@&gt;&#x3d;5.0.0 to v6 [security] #3433

Are you sure you want to change the base?

chore(deps): update dependency undici@&gt;&#x3d;5.0.0 to v6 [security] #3433

Conversation

renovate bot commented May 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

References

Release Notes

What's Changed

New Contributors

⚠️ Security Release ⚠️

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

What's Changed

New Contributors

What's Changed

What's Changed

New Contributors

What's Changed

What's Changed

New Contributors

What's Changed

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

⚠️ Security Release ⚠️

What's Changed

What's Changed

What's Changed

Configuration

Uh oh!

netlify bot commented May 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

✅ Deploy Preview for brilliant-pasca-3e80ec canceled.

Uh oh!

github-actions bot commented May 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🚀 Performance Test Results

Uh oh!

Uh oh!

chore(deps): update dependency undici@>=5.0.0 to v6 [security] #3433

chore(deps): update dependency undici@>=5.0.0 to v6 [security] #3433

renovate bot commented May 15, 2025 •

edited

Loading

netlify bot commented May 15, 2025 •

edited

Loading

github-actions bot commented May 15, 2025 •

edited

Loading