
[v24.x] deps: update undici to 7.28.0 #63703

Closed
nodejs-github-bot wants to merge 60 commits into v24.x-staging from actions/v24.x-staging/tools-update-undici

Conversation

@nodejs-github-bot

@nodejs-github-bot nodejs-github-bot commented Jun 1, 2026

Collaborator

This is an automated update of undici to 7.28.0.

aduh95 and others added 30 commits May 23, 2026 00:28
Signed-off-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
PR-URL: #63113
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Signed-off-by: Marco Ippolito <marcoippolito54@gmail.com>
PR-URL: #63033
Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Signed-off-by: anshikakalpana <anshikajain196872@gmail.com>
PR-URL: #63121
Refs: #62838
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Signed-off-by: Matteo Collina <hello@matteocollina.com>
PR-URL: #62673
Reviewed-By: Daniel Lemire <daniel@lemire.me>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Edy Silva <edigleyssonsilva@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
- For imported CJS, if it's not customized by asynchronous hooks,
  make sure it won't use the quirky re-invented require in all
  cases.
- When the imported CJS module is customized by synchronous hooks,
  in the synthetic module evaluation step, avoid calling the
  respective default step again.
- Make the branching of loadCJSModuleWithModuleLoad() and
  loadCJSModuleWithSpecialRequire() more explicit, and fold
  the tentative fs read in the 'commonjs' translator into the
  shared createCJSModuleWrap() helper instead of checking it
  twice in the same path.

Signed-off-by: Joyee Cheung <joyeec9h3@gmail.com>
PR-URL: #62920
Fixes: #63060
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day>
Signed-off-by: Renegade334 <contact.9a5d6388@renegade334.me.uk>
PR-URL: #63076
Refs: #63052
Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Edy Silva <edigleyssonsilva@gmail.com>
Signed-off-by: geeksilva97 <edigleyssonsilva@gmail.com>
PR-URL: #63152
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: #63131
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Map BoringSSL's native renegotiation failure to
ERR_TLS_RENEGOTIATION_UNSUPPORTED when TLSSocket#renegotiate() is
called. This avoids exposing an implementation-specific OpenSSL error
when the TLS backend does not support caller-initiated renegotiation.

Signed-off-by: Filip Skokan <panva.ip@gmail.com>
PR-URL: #63161
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Signed-off-by: James M Snell <jasnell@gmail.com>
PR-URL: #63177
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
The Platform support section of the single-executable-applications doc
listed `macOS` without qualifying which architecture is supported.
SEA on x64 macOS is not supported and is skipped in CI; only arm64
macOS is exercised.

Refs: #62893
Signed-off-by: mokashang <64570909+mokashang@users.noreply.github.com>
PR-URL: #63181
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
@nodejs-github-bot nodejs-github-bot force-pushed the actions/v24.x-staging/tools-update-undici branch from d50871d to f0175ee Compare June 7, 2026 12:37

@mcollina mcollina left a comment

Member


lgtm

@mcollina mcollina added the request-ci Add this label to start a Jenkins CI on a PR. label Jun 7, 2026
@github-actions github-actions Bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jun 7, 2026

@aduh95 aduh95 changed the title deps: update undici to 7.27.2 Jun 8, 2026
@aduh95 aduh95 removed the commit-queue Add this label to land a pull request using GitHub Actions. label Jun 8, 2026
@trivikr trivikr added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jun 9, 2026
@nodejs-github-bot nodejs-github-bot changed the title [v24.x] deps: update undici to 7.27.2 Jun 15, 2026
@nodejs-github-bot nodejs-github-bot force-pushed the actions/v24.x-staging/tools-update-undici branch from f0175ee to 4664362 Compare June 15, 2026 16:43
@aduh95 aduh95 changed the title deps: update undici to 7.28.0 Jun 15, 2026

@aduh95 aduh95 left a comment

Contributor


RSLGTM

@aduh95 aduh95 added the request-ci Add this label to start a Jenkins CI on a PR. label Jun 15, 2026
@github-actions github-actions Bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jun 15, 2026
aduh95 pushed a commit that referenced this pull request Jun 16, 2026
PR-URL: #63703
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
@aduh95

aduh95 commented Jun 18, 2026

Contributor

Landed in cf44df3

@aduh95 aduh95 closed this Jun 18, 2026
@aduh95 aduh95 deleted the actions/v24.x-staging/tools-update-undici branch June 18, 2026 05:06
panva pushed a commit to panva/node that referenced this pull request Jun 19, 2026
PR-URL: nodejs#63703
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
rohitkumarankam pushed a commit to rohitkumarankam/forgejo that referenced this pull request Jun 20, 2026
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [node](https://nodejs.org) ([source](https://github.com/nodejs/node)) | minor | `24.16.0` → `24.17.0` |

---

### Release Notes

<details>
<summary>nodejs/node (node)</summary>

### [`v24.17.0`](https://github.com/nodejs/node/releases/tag/v24.17.0): 2026-06-18, Version 24.17.0 'Krypton' (LTS), @aduh95

[Compare Source](nodejs/node@v24.16.0...v24.17.0)

This is a security release.

##### Notable Changes

- (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
- (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
- (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
- (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
- (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
- (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
- (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
- (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
- (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
- (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
- (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

##### Commits

- \[[`9e4dfc7bba`](nodejs/node@9e4dfc7bba)] - **(CVE-2026-48933)** **crypto**: guard WebCrypto cipher output length (Filip Skokan) [nodejs-private/node-private#878](https://github.com/nodejs-private/node-private/pull/878)
- \[[`cb2aed980c`](nodejs/node@cb2aed980c)] - **deps**: update llhttp to 9.4.2 (Antoine du Hamel) [nodejs-private/node-private#890](https://github.com/nodejs-private/node-private/pull/890)
- \[[`a8a0d12875`](nodejs/node@a8a0d12875)] - **(CVE-2026-48937)** **deps**: fix integration issues with the latest nghttp2 (Tim Perry) [#62891](nodejs/node#62891)
- \[[`66e6203c1c`](nodejs/node@66e6203c1c)] - **(SEMVER-MAJOR)** **deps**: update nghttp2 to 1.69.0 (Node.js GitHub Bot) [#62891](nodejs/node#62891)
- \[[`dd627ced27`](nodejs/node@dd627ced27)] - **deps**: update archs files for openssl-3.5.7 (Node.js GitHub Bot) [#63820](nodejs/node#63820)
- \[[`684bae568f`](nodejs/node@684bae568f)] - **deps**: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) [#63820](nodejs/node#63820)
- \[[`3a631e7f83`](nodejs/node@3a631e7f83)] - **deps**: fix aix implicit declaration in OpenSSL (Abdirahim Musse) [#62656](nodejs/node#62656)
- \[[`cf44df3996`](nodejs/node@cf44df3996)] - **deps**: update undici to 7.28.0 (Node.js GitHub Bot) [#63703](nodejs/node#63703)
- \[[`138c70294b`](nodejs/node@138c70294b)] - **(CVE-2026-48930)** **dns,net**: reject hostnames with embedded NUL bytes (Matteo Collina) [nodejs-private/node-private#868](https://github.com/nodejs-private/node-private/pull/868)
- \[[`be7e719c3f`](nodejs/node@be7e719c3f)] - **(CVE-2026-48931)** **http**: fix response queue poisoning in http.Agent (Matteo Collina) [nodejs-private/node-private#846](https://github.com/nodejs-private/node-private/pull/846)
- \[[`cc7c11b4d1`](nodejs/node@cc7c11b4d1)] - **(CVE-2026-48619)** **http2**: cap originSet size to prevent unbounded memory growth (Matteo Collina) [nodejs-private/node-private#855](https://github.com/nodejs-private/node-private/pull/855)
- \[[`9224427b92`](nodejs/node@9224427b92)] - **(CVE-2026-48615)** **lib,test**: redact proxy credentials in tunnel errors (Matteo Collina) [nodejs-private/node-private#867](https://github.com/nodejs-private/node-private/pull/867)
- \[[`cf85d54839`](nodejs/node@cf85d54839)] - **(CVE-2026-48935)** **permission**: disable FileHandle utimes with permission model (RafaelGSS) [nodejs-private/node-private#873](https://github.com/nodejs-private/node-private/pull/873)
- \[[`a1bbc24f96`](nodejs/node@a1bbc24f96)] - **(CVE-2026-48617)** **permission**: handle process.chdir on writereport (RafaelGSS) [nodejs-private/node-private#870](https://github.com/nodejs-private/node-private/pull/870)
- \[[`e3723ff2d6`](nodejs/node@e3723ff2d6)] - **test**: add session reuse host verification regressions (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854)
- \[[`a77af4867b`](nodejs/node@a77af4867b)] - **(CVE-2026-48934)** **tls**: bind reusable sessions to authenticated host (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854)
- \[[`31beb4f707`](nodejs/node@31beb4f707)] - **(CVE-2026-48928)** **tls**: fix case-sensitive SNI context matching (Matteo Collina) [nodejs-private/node-private#857](https://github.com/nodejs-private/node-private/pull/857)
- \[[`8e75c73f91`](nodejs/node@8e75c73f91)] - **(CVE-2026-48618)** **tls**: normalize hostname for server identity checks (Matteo Collina) [nodejs-private/node-private#869](https://github.com/nodejs-private/node-private/pull/869)

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge
  - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13144
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>

Labels

author ready PRs that have at least one approval, no pending requests for changes, and a CI started. dependencies Pull requests that update a dependency file. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. v24.x Issues that can be reproduced on v24.x or PRs targeting the v24.x-staging branch.