[v24.x] deps: update undici to 7.28.0#63703
Closed
nodejs-github-bot wants to merge 60 commits into
Closed
Conversation
Signed-off-by: Antoine du Hamel <[email protected]> PR-URL: #63113 Reviewed-By: Filip Skokan <[email protected]> Reviewed-By: René <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Paolo Insogna <[email protected]>
Signed-off-by: Marco Ippolito <[email protected]> PR-URL: #63033 Reviewed-By: Pietro Marchini <[email protected]> Reviewed-By: James M Snell <[email protected]>
Signed-off-by: anshikakalpana <[email protected]> PR-URL: #63121 Refs: #62838 Reviewed-By: René <[email protected]> Reviewed-By: Filip Skokan <[email protected]> Reviewed-By: James M Snell <[email protected]>
Signed-off-by: Matteo Collina <[email protected]> PR-URL: #62673 Reviewed-By: Daniel Lemire <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: Edy Silva <[email protected]> Reviewed-By: James M Snell <[email protected]>
- For imported CJS, if it's not customized by asynchronous hooks, make sure it won't use the quirky re-invented require in all cases. - When the imported CJS module is customized by synchronous hooks, in the synthetic module evalutation step, avoid calling the respective default step again. - Make the branching of loadCJSModuleWithModuleLoad() and loadCJSModuleWithSpecialRequire() more explicit, and fold the tentative fs read in the 'commonjs' translator into the share createCJSModuleWrap() helper instead of checking it twice in the same path. Signed-off-by: Joyee Cheung <[email protected]> PR-URL: #62920 Fixes: #63060 Reviewed-By: Paolo Insogna <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Gürgün Dayıoğlu <[email protected]>
Signed-off-by: Renegade334 <[email protected]> PR-URL: #63076 Refs: #63052 Reviewed-By: Chemi Atlow <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Edy Silva <[email protected]>
Signed-off-by: geeksilva97 <[email protected]> PR-URL: #63152 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: René <[email protected]>
Signed-off-by: RafaelGSS <[email protected]> PR-URL: #63131 Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
Map BoringSSL's native renegotiation failure to ERR_TLS_RENEGOTIATION_UNSUPPORTED when TLSSocket#renegotiate() is called. This avoids exposing an implementation-specific OpenSSL error when the TLS backend does not support caller-initiated renegotiation. Signed-off-by: Filip Skokan <[email protected]> PR-URL: #63161 Reviewed-By: Tim Perry <[email protected]> Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]>
Signed-off-by: James M Snell <[email protected]> PR-URL: #63177 Reviewed-By: Tim Perry <[email protected]> Reviewed-By: Anna Henningsen <[email protected]>
The Platform support section of the single-executable-applications doc listed `macOS` without qualifying which architecture is supported. SEA on x64 macOS is not supported and is skipped in CI; only arm64 macOS is exercised. Refs: #62893 Signed-off-by: mokashang <[email protected]> PR-URL: #63181 Reviewed-By: Joyee Cheung <[email protected]> Reviewed-By: Chemi Atlow <[email protected]>
Signed-off-by: Antoine du Hamel <[email protected]> PR-URL: #63200 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Filip Skokan <[email protected]> Reviewed-By: Jacob Smith <[email protected]> Reviewed-By: Chemi Atlow <[email protected]> Reviewed-By: Ulises Gascón <[email protected]>
Ignore CLAUDE.md and AGENTS.md in .gitignore, and exclude them from markdown and ESLint linting. Signed-off-by: Matteo Collina <[email protected]> PR-URL: #62612 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Moshe Atlow <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Ulises Gascón <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Daijiro Wachi <[email protected]> Reviewed-By: Paolo Insogna <[email protected]> Reviewed-By: Trivikram Kamat <[email protected]>
Follow WHATWG streams spec update: whatwg/streams#1367 ReadableStreamBYOBRequest.view is always constructed as a Uint8Array. This changes the documented return type from ArrayBufferView to Uint8Array per the updated spec. Fixes: #62952 Signed-off-by: Jah-yee <[email protected]> PR-URL: #63017 Reviewed-By: Mattias Buelens <[email protected]> Reviewed-By: Jason Zhang <[email protected]>
- Exclude routine dependency/WPT/bot PRs from the policy - Replace design document requirement with detailed PR description - Clarify dependency commit ordering for squash landing - Remove splitting strategies that contradict self-contained PRs - Add links from CONTRIBUTING.md, pull-requests.md, collaborator-guide.md Signed-off-by: Matteo Collina <[email protected]> PR-URL: #62829 Fixes: #62752 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Paolo Insogna <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Gürgün Dayıoğlu <[email protected]> Reviewed-By: Ruy Adorno <[email protected]>
Signed-off-by: Antoine du Hamel <[email protected]> PR-URL: #63110 Reviewed-By: James M Snell <[email protected]> Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
- Add `--help` / `-h` to `node inspect` covering both interactive and non-interactive probe modes. The help text is printed when `--help`/`-h` appears before any positional argument to avoid hijacking `--help` passed to a child script. - Improve the documentation of probe mode and add examples, explain same-location probe coalescing, TDZ caveat for let/const bindings, basename matching and exit code behavior. Also move it to a section parallel to interactive mode. Remove recommendation of evaluating structured expressions as that is prone to missing info in JSON mode. Drive-by: When probe mode exits due to invalid arguments, exit with `kInvalidCommandLineArgument` (9) instead of `kGenericUserError` (1). Signed-off-by: Joyee Cheung <[email protected]> PR-URL: #63201 Reviewed-By: Jan Martin <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Aviv Keller <[email protected]>
Original commit message:
unix: fix pedantic compiler warnings (#5052)
Fixes: libuv/libuv#5051
Fixes: #63196
Refs: libuv/libuv#5052
Refs: libuv/libuv@a43e543
PR-URL: #63222
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Juan José Arboleda <[email protected]>
Reviewed-By: René <[email protected]>
Signed-off-by: geeksilva97 <[email protected]> PR-URL: #63204 Reviewed-By: René <[email protected]> Reviewed-By: Chemi Atlow <[email protected]> Reviewed-By: Jake Yuesong Li <[email protected]>
Original commit message:
[wasm] Update WebAssembly.Exception JS API
WebIDL specifies the existence of a
`WebAssembly.Exception.prototype.stack` getter.
WebIDL also expects the constructor to have 2 parameters (plus an
optional one).
https://webassembly.github.io/spec/js-api/#exceptions
Bug: 336347912, 42204334
Change-Id: I128e976a84f942dcf9b93a157534b15fad0f9215
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7697976
Commit-Queue: Matthias Liedtke <[email protected]>
Auto-Submit: Matthias Liedtke <[email protected]>
Commit-Queue: Clemens Backes <[email protected]>
Reviewed-by: Clemens Backes <[email protected]>
Cr-Commit-Position: refs/heads/main@{#106215}
Refs: v8/v8@435a2cd
PR-URL: #63136
Reviewed-By: Filip Skokan <[email protected]>
Reviewed-By: Mattias Buelens <[email protected]>
Reviewed-By: Joyee Cheung <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
1) Fixed macOS default for missing kSecTrustSettingsResult When kSecTrustSettingsResult is absent from a trust settings dictionary, Apple specifies kSecTrustSettingsResultTrustRoot as the default value. Previously, the trust result evaluation (deny check, self-issued check, TrustAsRoot check) was inside the block that only executed when kSecTrustSettingsResult was explicitly present. When the key was absent, the function fell through to return UNSPECIFIED, incorrectly rejecting self-signed certificates that should have been trusted via the default. Move the trust result evaluation outside the conditional block so the default value of kSecTrustSettingsResultTrustRoot flows through the same code path as explicit values. This aligns with Chromium's trust_store_mac.cc implementation. 2) Fix CFRelease leak in IsTrustDictionaryTrustedForPolicy: the CFDictionaryRef returned by SecPolicyCopyProperties(policy_ref) was not released when the policy OID matched kSecPolicyAppleSSL. 3) Deduplicate certificates: SecItemCopyMatching can return the same certificate from multiple keychains. 4) Filter expired certificates. Signed-off-by: deepak1556 <[email protected]> PR-URL: #62576 Reviewed-By: Joyee Cheung <[email protected]> Reviewed-By: Gürgün Dayıoğlu <[email protected]>
PR-URL: #63232 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Juan José Arboleda <[email protected]> Reviewed-By: Gireesh Punathil <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Ulises Gascón <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
PR-URL: #62823 Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #63112 Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Aviv Keller <[email protected]>
Signed-off-by: umuoy1 <[email protected]> PR-URL: #62710 Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Vladimir Morozov <[email protected]>
PR-URL: #63235 Reviewed-By: Moshe Atlow <[email protected]> Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]>
Signed-off-by: Mike McCready <[email protected]> PR-URL: #63187 Reviewed-By: Paolo Insogna <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
Signed-off-by: Mike McCready <[email protected]> PR-URL: #63211 Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Stefan Stojanovic <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]>
Signed-off-by: Antoine du Hamel <[email protected]> PR-URL: #63165 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
Signed-off-by: Robin Malfait <[email protected]> PR-URL: #63247 Reviewed-By: René <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
d50871d to
f0175ee
Compare
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
Collaborator
Author
f0175ee to
4664362
Compare
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
Collaborator
Author
aduh95
pushed a commit
that referenced
this pull request
Jun 16, 2026
PR-URL: #63703 Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
Contributor
|
Landed in cf44df3 |
panva
pushed a commit
to panva/node
that referenced
this pull request
Jun 19, 2026
PR-URL: nodejs#63703 Reviewed-By: Trivikram Kamat <[email protected]> Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Antoine du Hamel <[email protected]>
rohitkumarankam
pushed a commit
to rohitkumarankam/forgejo
that referenced
this pull request
Jun 20, 2026
This PR contains the following updates: | Package | Update | Change | |---|---|---| | [node](https://nodejs.org) ([source](https://github.com/nodejs/node)) | minor | `24.16.0` → `24.17.0` | --- ### Release Notes <details> <summary>nodejs/node (node)</summary> ### [`v24.17.0`](https://github.com/nodejs/node/releases/tag/v24.17.0): 2026-06-18, Version 24.17.0 'Krypton' (LTS), @​aduh95 [Compare Source](nodejs/node@v24.16.0...v24.17.0) This is a security release. ##### Notable Changes - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low ##### Commits - \[[`9e4dfc7bba`](nodejs/node@9e4dfc7bba)] - **(CVE-2026-48933)** **crypto**: guard WebCrypto cipher output length (Filip Skokan) [nodejs-private/node-private#878](https://github.com/nodejs-private/node-private/pull/878) - \[[`cb2aed980c`](nodejs/node@cb2aed980c)] - **deps**: update llhttp to 9.4.2 (Antoine du Hamel) [nodejs-private/node-private#890](https://github.com/nodejs-private/node-private/pull/890) - \[[`a8a0d12875`](nodejs/node@a8a0d12875)] - **(CVE-2026-48937)** **deps**: fix integration issues with the latest nghttp2 (Tim Perry) [#​62891](nodejs/node#62891) - \[[`66e6203c1c`](nodejs/node@66e6203c1c)] - **(SEMVER-MAJOR)** **deps**: update nghttp2 to 1.69.0 (Node.js GitHub Bot) [#​62891](nodejs/node#62891) - \[[`dd627ced27`](nodejs/node@dd627ced27)] - **deps**: update archs files for openssl-3.5.7 (Node.js GitHub Bot) [#​63820](nodejs/node#63820) - \[[`684bae568f`](nodejs/node@684bae568f)] - **deps**: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) [#​63820](nodejs/node#63820) - \[[`3a631e7f83`](nodejs/node@3a631e7f83)] - **deps**: fix aix implicit declaration in OpenSSL (Abdirahim Musse) [#​62656](nodejs/node#62656) - \[[`cf44df3996`](nodejs/node@cf44df3996)] - **deps**: update undici to 7.28.0 (Node.js GitHub Bot) [#​63703](nodejs/node#63703) - \[[`138c70294b`](nodejs/node@138c70294b)] - **(CVE-2026-48930)** **dns,net**: reject hostnames with embedded NUL bytes (Matteo Collina) [nodejs-private/node-private#868](https://github.com/nodejs-private/node-private/pull/868) - \[[`be7e719c3f`](nodejs/node@be7e719c3f)] - **(CVE-2026-48931)** **http**: fix response queue poisoning in http.Agent (Matteo Collina) [nodejs-private/node-private#846](https://github.com/nodejs-private/node-private/pull/846) - \[[`cc7c11b4d1`](nodejs/node@cc7c11b4d1)] - **(CVE-2026-48619)** **http2**: cap originSet size to prevent unbounded memory growth (Matteo Collina) [nodejs-private/node-private#855](https://github.com/nodejs-private/node-private/pull/855) - \[[`9224427b92`](nodejs/node@9224427b92)] - **(CVE-2026-48615)** **lib,test**: redact proxy credentials in tunnel errors (Matteo Collina) [nodejs-private/node-private#867](https://github.com/nodejs-private/node-private/pull/867) - \[[`cf85d54839`](nodejs/node@cf85d54839)] - **(CVE-2026-48935)** **permission**: disable FileHandle utimes with permission model (RafaelGSS) [nodejs-private/node-private#873](https://github.com/nodejs-private/node-private/pull/873) - \[[`a1bbc24f96`](nodejs/node@a1bbc24f96)] - **(CVE-2026-48617)** **permission**: handle process.chdir on writereport (RafaelGSS) [nodejs-private/node-private#870](https://github.com/nodejs-private/node-private/pull/870) - \[[`e3723ff2d6`](nodejs/node@e3723ff2d6)] - **test**: add session reuse host verification regressions (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854) - \[[`a77af4867b`](nodejs/node@a77af4867b)] - **(CVE-2026-48934)** **tls**: bind reusable sessions to authenticated host (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854) - \[[`31beb4f707`](nodejs/node@31beb4f707)] - **(CVE-2026-48928)** **tls**: fix case-sensitive SNI context matching (Matteo Collina) [nodejs-private/node-private#857](https://github.com/nodejs-private/node-private/pull/857) - \[[`8e75c73f91`](nodejs/node@8e75c73f91)] - **(CVE-2026-48618)** **tls**: normalize hostname for server identity checks (Matteo Collina) [nodejs-private/node-private#869](https://github.com/nodejs-private/node-private/pull/869) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`) - Automerge - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMjIuMSIsInVwZGF0ZWRJblZlciI6IjQzLjIyMi4xIiwidGFyZ2V0QnJhbmNoIjoiZm9yZ2VqbyIsImxhYmVscyI6WyJkZXBlbmRlbmN5LXVwZ3JhZGUiLCJ0ZXN0L25vdC1uZWVkZWQiXX0=--> Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13144 Reviewed-by: Mathieu Fenniak <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is an automated update of undici to 7.28.0.