fix(deps): update dependency undici to v6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
undici (source)	^5.28.4 -> ^6.0.0

GitHub Vulnerability Alerts

CVE-2025-22150

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker controlled servers.

References

• https://hackerone.com/reports/2913312
• https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f

CVE-2025-47279

Impact

Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.

Patches

This has been patched in https://github.com/nodejs/undici/pull/4088.

Workarounds

If a webhook fails, avoid keep calling it repeatedly.

References

Reported as: https://github.com/nodejs/undici/issues/3895

---

Release Notes

nodejs/undici (undici)

v6.21.2

Compare Source

What's Changed

• fix(types): add missing DNS interceptor by @​slagiewka in https://github.com/nodejs/undici/pull/4024
• [v6.x] fix wpts on windows by @​mcollina in https://github.com/nodejs/undici/pull/4093
• Removed clients with unrecoverable errors from the Pool https://github.com/nodejs/undici/pull/4088

New Contributors

• @​slagiewka made their first contribution in https://github.com/nodejs/undici/pull/4024

Full Changelog: nodejs/undici@v6.21.1...v6.21.2

v6.21.1

Compare Source

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

What's Changed

• fix(#​3736): back-port 183f8e9 to v6.x by @​ggoodman in https://github.com/nodejs/undici/pull/3855
• fix(#​3817): send servername for SNI on TLS (#​3821) [backport] by @​metcoder95 in https://github.com/nodejs/undici/pull/3864
• fix: sending formdata bodies with http2 (#​3863) [backport] by @​metcoder95 in https://github.com/nodejs/undici/pull/3866
• [Backport v6.x] fix: Fixed the issue that there is no running request when http2 goaway by @​github-actions in https://github.com/nodejs/undici/pull/3877
• types: [backport] Update return type of RetryCallback (#​3851) by @​metcoder95 in https://github.com/nodejs/undici/pull/3876

Full Changelog: nodejs/undici@v6.21.0...v6.21.1

v6.21.0

Compare Source

What's Changed

• [Backport v6.x] web: mark as uncloneable when possible (#​3709) by @​jazelly in https://github.com/nodejs/undici/pull/3744
• [Backport v6.x] fetch: fix content-encoding order by @​github-actions in https://github.com/nodejs/undici/pull/3764
• [Backport v6.x] fix: handle undefined deref() of WeakRef(socket) by @​github-actions in https://github.com/nodejs/undici/pull/3822
• [Backport v6.x] fix: range end is zero-indexed by @​github-actions in https://github.com/nodejs/undici/pull/3827

Full Changelog: nodejs/undici@v6.20.1...v6.21.0

v6.20.1

Compare Source

What's Changed

• [Backport v6.x] jsdoc: add jsdoc to lib/web/fetch/constants.js by @​github-actions in https://github.com/nodejs/undici/pull/3710
• [Backport v6.x] feat: implement BodyReadable.bytes by @​github-actions in https://github.com/nodejs/undici/pull/3711
• fix: add more expectsPayload methods by @​ronag in https://github.com/nodejs/undici/pull/3715
• [Backport v6.x] chore(H2): onboard H2 into Undici queueing system (#​3707) by @​Uzlopak in https://github.com/nodejs/undici/pull/3724
• [Backport v6.x] fix: PoolBase kClose and kDestroy should await and not return the Promise by @​github-actions in https://github.com/nodejs/undici/pull/3723
• [Backport v6.x] fix: extract noop everywhere by @​Uzlopak in https://github.com/nodejs/undici/pull/3727

Full Changelog: nodejs/undici@v6.20.0...v6.20.1

v6.20.0

Compare Source

What's Changed

• Remove patched dom types (v6.x branch) by @​eXhumer in https://github.com/nodejs/undici/pull/3531
• docs(Backport v6.x): Fix signature of RetryHandler by @​github-actions in https://github.com/nodejs/undici/pull/3594
• deps(dev): update @​types/node by @​metcoder95 in https://github.com/nodejs/undici/pull/3618
• fix: throw on retry when payload is consume by downstream by @​github-actions in https://github.com/nodejs/undici/pull/3596
• feat(Backport v6.x): move throwOnError to interceptor by @​github-actions in https://github.com/nodejs/undici/pull/3595
• [Backport v6.x] fix: reduce memory usage in client-h1 by @​github-actions in https://github.com/nodejs/undici/pull/3672
• [Backport v6.x] fix: refactor fast timers, fix UND_ERR_CONNECT_TIMEOUT on event loop blocking by @​github-actions in https://github.com/nodejs/undici/pull/3673
• [Backport v6.x] fix: run asserts first if possible by @​github-actions in https://github.com/nodejs/undici/pull/3674
• [Backport v6.x] fix: use fasttimers for all connection timeouts by @​github-actions in https://github.com/nodejs/undici/pull/3675
• [Backport v6.x] ci: less flaky test/request-timeout.js test by @​github-actions in https://github.com/nodejs/undici/pull/3678
• [Backport v6.x] test: less flaky timers acceptance test, rework fast timer tests to pass them faster by @​github-actions in https://github.com/nodejs/undici/pull/3679
• [Backport v6.x] ignore leading and trailing crlfs in formdata body by @​github-actions in https://github.com/nodejs/undici/pull/3681
• [Backport v6.x] mock: fix mocking of Uint8Array and ArrayBuffers as provided mock-responses by @​github-actions in https://github.com/nodejs/undici/pull/3689
• [Backport v6.x] handle body errors by @​Uzlopak in https://github.com/nodejs/undici/pull/3700

Full Changelog: nodejs/undici@v6.19.8...v6.20.0

v6.19.8

Compare Source

Full Changelog: nodejs/undici@v6.19.7...v6.19.8

v6.19.7

Compare Source

Full Changelog: nodejs/undici@v6.19.6...v6.19.7

v6.19.6

Compare Source

Full Changelog: nodejs/undici@v6.19.5...v6.19.6

v6.19.5

Compare Source

Full Changelog: nodejs/undici@v6.19.4...v6.19.5

v6.19.4

Compare Source

Full Changelog: nodejs/undici@v6.19.3...v6.19.4

v6.19.3

Compare Source

Full Changelog: nodejs/undici@v6.19.2...v6.19.3

v6.19.2

Compare Source

What's Changed

• fix #​3337 by @​KhafraDev in https://github.com/nodejs/undici/pull/3338
• build: use husky as husky install is deprecated by @​jazelly in https://github.com/nodejs/undici/pull/3340
• fix: interceptors.d.ts has no default export by @​Uzlopak in https://github.com/nodejs/undici/pull/3332

Full Changelog: nodejs/undici@v6.19.1...v6.19.2

v6.19.1

Compare Source

What's Changed

• don't append empty origin by @​KhafraDev in https://github.com/nodejs/undici/pull/3335

Full Changelog: nodejs/undici@v6.19.0...v6.19.1

v6.19.0

Compare Source

What's Changed

• build(deps): bump ossf/scorecard-action from 2.3.1 to 2.3.3 by @​dependabot in https://github.com/nodejs/undici/pull/3305
• build(deps): bump codecov/codecov-action from 4.3.1 to 4.4.1 by @​dependabot in https://github.com/nodejs/undici/pull/3303
• build(deps): bump step-security/harden-runner from 2.7.1 to 2.8.0 by @​dependabot in https://github.com/nodejs/undici/pull/3304
• build(deps): bump github/codeql-action from 3.25.3 to 3.25.7 by @​dependabot in https://github.com/nodejs/undici/pull/3306
• build(deps): bump node from 9e8f45f to dd7e693 in /build by @​dependabot in https://github.com/nodejs/undici/pull/3309
• build(deps): bump node from dd7e693 to e6d4495 in /build by @​dependabot in https://github.com/nodejs/undici/pull/3313
• remove websocket experimental warning by @​KhafraDev in https://github.com/nodejs/undici/pull/3311
• perf: optimization of request instantiation by @​tsctx in https://github.com/nodejs/undici/pull/3107
• perf: convert object to params by @​DarkGL in https://github.com/nodejs/undici/pull/3302
• build(deps-dev): bump borp from 0.14.0 to 0.15.0 by @​dependabot in https://github.com/nodejs/undici/pull/3320
• build(deps-dev): bump c8 from 9.1.0 to 10.0.0 by @​dependabot in https://github.com/nodejs/undici/pull/3321
• fix: add missing error classes to types by @​maxbeatty in https://github.com/nodejs/undici/pull/3316
• export interceptor to type def file by @​jakecastelli in https://github.com/nodejs/undici/pull/3318
• build(deps): bump node from e6d4495 to 075a5cc in /build by @​dependabot in https://github.com/nodejs/undici/pull/3326
• doc: clearify the behaviour of bodyTimeout in the request by @​jakecastelli in https://github.com/nodejs/undici/pull/3324
• feature: support pre-shared sessions by @​tastypackets in https://github.com/nodejs/undici/pull/3325

New Contributors

• @​maxbeatty made their first contribution in https://github.com/nodejs/undici/pull/3316
• @​jakecastelli made their first contribution in https://github.com/nodejs/undici/pull/3318

Full Changelog: nodejs/undici@v6.18.2...v6.19.0

v6.18.2

Compare Source

What's Changed

• don't use internal header state for cookies by @​KhafraDev in https://github.com/nodejs/undici/pull/3295
• build(deps-dev): bump borp from 0.13.0 to 0.14.0 by @​dependabot in https://github.com/nodejs/undici/pull/3298
• fix: retry on body support by @​metcoder95 in https://github.com/nodejs/undici/pull/3294

Full Changelog: nodejs/undici@v6.18.1...v6.18.2

v6.18.1

Compare Source

What's Changed

• docs: Update references to dispatcher in docs by @​haikyuu in https://github.com/nodejs/undici/pull/3281
• fix: compatibility for global headers by @​tsctx in https://github.com/nodejs/undici/pull/3286
• websocket: pre-calculated length by @​tsctx in https://github.com/nodejs/undici/pull/3284
• ci: fix autobahn workflow by @​Uzlopak in https://github.com/nodejs/undici/pull/3291
• revert: "websocket: pre-calculated length" by @​KhafraDev in https://github.com/nodejs/undici/pull/3290
• websocket: use FixedQueue instead of Set by @​tsctx in https://github.com/nodejs/undici/pull/3283

New Contributors

• @​haikyuu made their first contribution in https://github.com/nodejs/undici/pull/3281

Full Changelog: nodejs/undici@v6.18.0...v6.18.1

v6.18.0

Compare Source

What's Changed

• permessage-deflate decompression support in websocket by @​KhafraDev in https://github.com/nodejs/undici/pull/3263
• fix: Fix server closing in tests. by @​ShogunPanda in https://github.com/nodejs/undici/pull/3279

Full Changelog: nodejs/undici@v6.17.0...v6.18.0

v6.17.0

Compare Source

What's Changed

• fetch: fix captureStackTrace by @​Uzlopak in https://github.com/nodejs/undici/pull/3227
• fetch: fix wpt test request-upload.any.js by @​Uzlopak in https://github.com/nodejs/undici/pull/3234
• websocket: don't clone buffer by @​tsctx in https://github.com/nodejs/undici/pull/3240
• Remove unecessary async from writeBuffer by @​DarkGL in https://github.com/nodejs/undici/pull/3245
• refactor websocket control frame handling by @​KhafraDev in https://github.com/nodejs/undici/pull/3241
• fix parsing continuation frames in websocket by @​KhafraDev in https://github.com/nodejs/undici/pull/3247
• ci: node nightly test should use node 23 by @​Uzlopak in https://github.com/nodejs/undici/pull/3248
• Add test to verify if the connection is correctly aborted on cancel by @​mcollina in https://github.com/nodejs/undici/pull/3219
• Autobahn suite by @​KhafraDev in https://github.com/nodejs/undici/pull/3251
• websocket: fix 6 autobahn tests by @​KhafraDev in https://github.com/nodejs/undici/pull/3254
• websocket: checkout correct commit in autobahn workflow by @​Uzlopak in https://github.com/nodejs/undici/pull/3258
• Cleanup websocket by @​KhafraDev in https://github.com/nodejs/undici/pull/3257
• websocket: autobahn workflow should fail on error by @​Uzlopak in https://github.com/nodejs/undici/pull/3259
• add bodymixin bytes by @​KhafraDev in https://github.com/nodejs/undici/pull/3262
• perf: avoid buffer cloning by @​tsctx in https://github.com/nodejs/undici/pull/3264
• feat: dump interceptor by @​metcoder95 in https://github.com/nodejs/undici/pull/3118
• use private properties in Headers by @​KhafraDev in https://github.com/nodejs/undici/pull/3269
• Revert "websocket: autobahn workflow should fail on error" by @​Uzlopak in https://github.com/nodejs/undici/pull/3270
• build(deps): bump node from 487dc5d to 9e8f45f in /build by @​dependabot in https://github.com/nodejs/undici/pull/3271

New Contributors

• @​DarkGL made their first contribution in https://github.com/nodejs/undici/pull/3245

Full Changelog: nodejs/undici@v6.16.1...v6.17.0

v6.16.1

Compare Source

What's Changed

• fix some typos by @​Uzlopak in https://github.com/nodejs/undici/pull/3217
• websocket: move codeblock in parseCloseBody by @​Uzlopak in https://github.com/nodejs/undici/pull/3215
• fetch: enable wpt test request-referrer.any.js by @​Uzlopak in https://github.com/nodejs/undici/pull/3223
• fetch: wpt add /fetch/api/resources/cache.py to server.mjs by @​Uzlopak in https://github.com/nodejs/undici/pull/3225
• add pipe support for wpt server by @​KhafraDev in https://github.com/nodejs/undici/pull/3228
• test: reduce the number of requests in fire-and-forget.js by @​tsctx in https://github.com/nodejs/undici/pull/3229
• ci: add node 22 in ci test matrix, use 22 for coverage by @​Uzlopak in https://github.com/nodejs/undici/pull/3226
• fetch: don't set an invalid origin header by @​KhafraDev in https://github.com/nodejs/undici/pull/3235
• fail wpt runner if expected failures does not match actual by @​KhafraDev in https://github.com/nodejs/undici/pull/3236
• fix: ignore content-length when dumping HEAD by @​ronag in https://github.com/nodejs/undici/pull/3222

Full Changelog: nodejs/undici@v6.16.0...v6.16.1

v6.16.0

Compare Source

What's Changed

• add index to sequence converter errors by @​KhafraDev in https://github.com/nodejs/undici/pull/3178
• build(deps-dev): bump borp from 0.12.0 to 0.13.0 by @​dependabot in https://github.com/nodejs/undici/pull/3179
• build(deps): bump node from 21-alpine3.19 to 22-alpine3.19 in /build by @​dependabot in https://github.com/nodejs/undici/pull/3180
• build(deps): bump superagent from 8.1.2 to 9.0.2 in /benchmarks by @​dependabot in https://github.com/nodejs/undici/pull/3181
• fix: keep raw header name by @​tsctx in https://github.com/nodejs/undici/pull/3183
• fix(fetch): improve Headers and Request type-compatibility by @​kettanaito in https://github.com/nodejs/undici/pull/1964
• fix 3 mimesniff tests by @​KhafraDev in https://github.com/nodejs/undici/pull/3185
• build(deps): bump hendrikmuhs/ccache-action from 1.2.12 to 1.2.13 by @​dependabot in https://github.com/nodejs/undici/pull/3187
• build(deps): bump codecov/codecov-action from 4.1.1 to 4.3.1 by @​dependabot in https://github.com/nodejs/undici/pull/3191
• build(deps): bump github/codeql-action from 3.24.9 to 3.25.3 by @​dependabot in https://github.com/nodejs/undici/pull/3192
• build(deps): bump actions/dependency-review-action from 4.2.5 to 4.3.2 by @​dependabot in https://github.com/nodejs/undici/pull/3189
• build(deps): bump step-security/harden-runner from 2.7.0 to 2.7.1 by @​dependabot in https://github.com/nodejs/undici/pull/3188
• build(deps): bump actions/upload-artifact from 4.3.1 to 4.3.3 by @​dependabot in https://github.com/nodejs/undici/pull/3190
• build(deps): bump node from 9459e24 to 487dc5d in /build by @​dependabot in https://github.com/nodejs/undici/pull/3195
• perf: avoid spread in makeRequest() by @​gunjam in https://github.com/nodejs/undici/pull/3193
• refactor: code cleanup by @​tsctx in https://github.com/nodejs/undici/pull/3194
• fix parsing when receiving empty body websocket by @​KhafraDev in https://github.com/nodejs/undici/pull/3205
• fix: MockResponseCallbackOptions type by @​merojosa in https://github.com/nodejs/undici/pull/2951
• docs(proxy): fix typo by @​kanadgupta in https://github.com/nodejs/undici/pull/3207
• fix websocket receiving an invalid utf-8 in close frame by @​KhafraDev in https://github.com/nodejs/undici/pull/3206
• perf: avoid setImmediate if body is reading by @​ronag in https://github.com/nodejs/undici/pull/3210
• fix: request abort signal by @​ronag in https://github.com/nodejs/undici/pull/3209
• fix: remove abort handler on close by @​ronag in https://github.com/nodejs/undici/pull/3211
• fix: pass abort function by @​tsctx in https://github.com/nodejs/undici/pull/3212
• websocket: 200x faster generate mask by @​tsctx in https://github.com/nodejs/undici/pull/3204
• use FinalizationRegistry to cancel the body if response is collected by @​mcollina in https://github.com/nodejs/undici/pull/3199
• websocket: don't clone buffer if it's not needed. by @​tsctx in https://github.com/nodejs/undici/pull/3214
• websocket: use FastBuffer by @​tsctx in https://github.com/nodejs/undici/pull/3213

New Contributors

• @​kettanaito made their first contribution in https://github.com/nodejs/undici/pull/1964
• @​gunjam made their first contribution in https://github.com/nodejs/undici/pull/3193
• @​merojosa made their first contribution in https://github.com/nodejs/undici/pull/2951
• @​kanadgupta made their first contribution in https://github.com/nodejs/undici/pull/3207

Full Changelog: nodejs/undici@v6.15.0...v6.16.0

v6.15.0

Compare Source

What's Changed

• Expose EnvHttpProxyAgent to Node.js core bundle, so it can be turned … by @​mcollina in https://github.com/nodejs/undici/pull/3148
• test: add headerslist copy check by @​tsctx in https://github.com/nodejs/undici/pull/3156
• chore: ensure automated v6 release compared to v6 by @​mweberxyz in https://github.com/nodejs/undici/pull/3149
• fetch: do not leak signal listeners by @​mcollina in https://github.com/nodejs/undici/pull/3158
• fix: request cache mode is not the same as request mode by @​tsibley in https://github.com/nodejs/undici/pull/3151
• fetch: don't re-lowercase HeadersList by @​tsctx in https://github.com/nodejs/undici/pull/3159
• fix casing issue when cloning Headers object by @​KhafraDev in https://github.com/nodejs/undici/pull/3160
• build(deps): bump node from 6d0f18a to db8772d in /build by @​dependabot in https://github.com/nodejs/undici/pull/3163
• fix header cloning bug by @​tsctx in https://github.com/nodejs/undici/pull/3162
• chore: change bench naming for h2 by @​metcoder95 in https://github.com/nodejs/undici/pull/3165
• expose WebSocket related events in node bundle by @​KhafraDev in https://github.com/nodejs/undici/pull/3167
• feat: add support for if-match on retry handler by @​metcoder95 in https://github.com/nodejs/undici/pull/3144
• fix: correct firing order of abort events by @​tsctx in https://github.com/nodejs/undici/pull/3169
• create fast MessageEvent by @​KhafraDev in https://github.com/nodejs/undici/pull/3170
• chore: add explicitly @​fastify/busboy by @​Uzlopak in https://github.com/nodejs/undici/pull/3172
• chore: remove sinon as dev dependency by @​Uzlopak in https://github.com/nodejs/undici/pull/3171
• webidl changes by @​KhafraDev in https://github.com/nodejs/undici/pull/3175
• preserve dictionary key name in webidl errors by @​KhafraDev in https://github.com/nodejs/undici/pull/3176

New Contributors

• @​tsibley made their first contribution in https://github.com/nodejs/undici/pull/3151

Full Changelog: nodejs/undici@v6.14.1...v6.15.0

v6.14.1

Compare Source

What's Changed

• fix: tweak keep-alive timeout implementation by @​mweberxyz in https://github.com/nodejs/undici/pull/3145
• build(deps-dev): bump borp from 0.11.0 to 0.12.0 by @​dependabot in https://github.com/nodejs/undici/pull/3153
• build(deps): bump node from ad255c6 to 6d0f18a in /build by @​dependabot in https://github.com/nodejs/undici/pull/3154
• fix(EnvHttpProxyAgent): prefer lowercase env vars by @​10xLaCroixDrinker in https://github.com/nodejs/undici/pull/3152

Full Changelog: nodejs/undici@v6.14.0...v6.14.1

v6.14.0

Compare Source

What's Changed

• bench: enable benchmarks for h2 by @​metcoder95 in https://github.com/nodejs/undici/pull/3100
• perf: improve performance of isomorphicEncode by @​tsctx in https://github.com/nodejs/undici/pull/3101
• util: remove isReadableAborted by @​Uzlopak in https://github.com/nodejs/undici/pull/3104
• fix(types): The second parameter of EventSource is optional by @​zbinlin in https://github.com/nodejs/undici/pull/3106
• fix: onConnect types by @​ronag in https://github.com/nodejs/undici/pull/3116
• add dispatcher option to EventSource by @​KhafraDev in https://github.com/nodejs/undici/pull/3119
• core: improve parseURL by @​Uzlopak in https://github.com/nodejs/undici/pull/3102
• test: increase coverage by @​Uzlopak in https://github.com/nodejs/undici/pull/3121
• docs: add directions to run docs and benchmarks by @​FatumaA in https://github.com/nodejs/undici/pull/3092
• perf: avoid unnecessary clone by @​tsctx in https://github.com/nodejs/undici/pull/3117
• build(deps-dev): bump borp from 0.10.0 to 0.11.0 by @​dependabot in https://github.com/nodejs/undici/pull/3126
• drop node support for < v18.17.0 by @​KhafraDev in https://github.com/nodejs/undici/pull/3125
• test: improve test and ci performance by @​Uzlopak in https://github.com/nodejs/undici/pull/3135
• Added EnvHttpProxyAgent to support HTTP_PROXY by @​10xLaCroixDrinker in https://github.com/nodejs/undici/pull/2994
• fetch: Change wording of "Body is unusable" error by @​nzakas in https://github.com/nodejs/undici/pull/3105
• perf: use class instead of object literals with getters by @​tsctx in https://github.com/nodejs/undici/pull/3138
• fix: unhandled exception or failing error body by @​ronag in https://github.com/nodejs/undici/pull/3137
• reuse realm for Request/Response by @​KhafraDev in https://github.com/nodejs/undici/pull/3142
• fix(H2-#​3140): abort requets upon GOAWAY by @​metcoder95 in https://github.com/nodejs/undici/pull/3143
• don't store realm on Request/Response by @​KhafraDev in https://github.com/nodejs/undici/pull/3146
• improve: wasm build by @​Uzlopak in https://github.com/nodejs/undici/pull/3074

New Contributors

• @​10xLaCroixDrinker made their first contribution in https://github.com/nodejs/undici/pull/2994
• @​nzakas made their first contribution in https://github.com/nodejs/undici/pull/3105

Full Changelog: nodejs/undici@v6.13.0...v6.14.0

v6.13.0

Compare Source

What's Changed

• build(deps): bump node from 9696b26 to ad255c6 in /build by @​dependabot in https://github.com/nodejs/undici/pull/3073
• test: remove only by @​metcoder95 in https://github.com/nodejs/undici/pull/3077
• fix: defer errors with setImmediate by @​ronag in https://github.com/nodejs/undici/pull/3081
• improve DecoratorHandler by @​Uzlopak in https://github.com/nodejs/undici/pull/3079
• chore: removed unused escapeFormDataName by @​mcollina in https://github.com/nodejs/undici/pull/3084
• Mention option to pass streams into FormData by @​JaoodxD in https://github.com/nodejs/undici/pull/3086
• fetch: improve performance of isValidEncodedURL by @​Uzlopak in https://github.com/nodejs/undici/pull/3090
• optimize utf8Decode by @​Uzlopak in https://github.com/nodejs/undici/pull/3085
• refactor: h2 refactoring by @​metcoder95 in https://github.com/nodejs/undici/pull/3082
• Skip the creation of a transform stream in fetch by @​mcollina in https://github.com/nodejs/undici/pull/3093
• fetch: improve performance of urlHasHttpsScheme by @​Uzlopak in https://github.com/nodejs/undici/pull/3094
• fetch: avoid creation of an intermediary ReadableStream by @​KhafraDev in https://github.com/nodejs/undici/pull/3095
• test: duplicate jest unspecific tests to native runner by @​Uzlopak in https://github.com/nodejs/undici/pull/3075
• build(deps): bump node from ad255c6 to 6d0f18a in /build by @​dependabot in https://github.com/nodejs/undici/pull/3096
• fetch: improve performance of isValidHeaderValue by @​Uzlopak in https://github.com/nodejs/undici/pull/3098
• chore: automate releases with pr by @​mweberxyz in https://github.com/nodejs/undici/pull/3089

New Contributors

• @​github-actions made their first contribution in https://github.com/nodejs/undici/pull/3099

Full Changelog: nodejs/undici@v6.12.0...v6.13.0

v6.12.0

Compare Source

What's Changed

• fix: broken test by @​tsctx in https://github.com/nodejs/undici/pull/3045
• fix: http2 header parsing by @​climba03003 in https://github.com/nodejs/undici/pull/3047
• types: fix Request.refererPolicy and RequestInit.refererPolicy are incompatible by @​zbinlin in https://github.com/nodejs/undici/pull/3039
• fix(types): onHeaders always takes headers as an array of buffer by @​ronag in https://github.com/nodejs/undici/pull/3050
• fix: ProxyAgent causes request.headers.host to be forcibly reset by @​1zilc in https://github.com/nodejs/undici/pull/3026
• fallback to Buffer.isUtf8 on platforms without icu by @​KhafraDev in https://github.com/nodejs/undici/pull/3006
• build(deps): bump github/codeql-action from 3.24.6 to 3.24.9 by @​dependabot in https://github.com/nodejs/undici/pull/3037
• build(deps): bump actions/dependency-review-action from 4.1.3 to 4.2.5 by @​dependabot in https://github.com/nodejs/undici/pull/3035
• build(deps): bump node from 577f8eb to 87524df in /build by @​dependabot in https://github.com/nodejs/undici/pull/3055
• build(deps): bump node from 87524df to 9696b26 in /build by @​dependabot in https://github.com/nodejs/undici/pull/3058
• fetch: Block ports 4190 & 6679 by @​KhafraDev in https://github.com/nodejs/undici/pull/3059
• test: activate testing for interceptors and cache by @​Uzlopak in https://github.com/nodejs/undici/pull/3061
• cache: improve test coverage by @​Uzlopak in https://github.com/nodejs/undici/pull/3063
• feat: modernize fuzzing by @​Uzlopak in https://github.com/nodejs/undici/pull/3060
• fix: request abort by @​ronag in https://github.com/nodejs/undici/pull/3056
• fix: signal handling by @​ronag in https://github.com/nodejs/undici/pull/3053
• fix(H2): handle goaway properly by @​metcoder95 in https://github.com/nodejs/undici/pull/3057
• test: client, set body to null if bigger than CHUNK_LIMIT by @​Uzlopak in https://github.com/nodejs/undici/pull/3064
• mock: improve mock interceptor by @​Uzlopak in https://github.com/nodejs/undici/pull/3062
• fix: bad client destroy on servername change by @​ronag in https://github.com/nodejs/undici/pull/3066
• perf: improve isBlobLike by @​Uzlopak in https://github.com/nodejs/undici/pull/3070
• test: add sanity check for llhttp wasm files by @​Uzlopak in https://github.com/nodejs/undici/pull/3068

New Contributors

• @​zbinlin made their first contribution in https://github.com/nodejs/undici/pull/3039
• @​1zilc made their first contribution in https://github.com/nodejs/undici/pull/3026

Full Changelog: nodejs/undici@v6.11.1...v6.12.0

v6.11.1

Compare Source

⚠️ Security Release ⚠️

What's Changed

• Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260
• Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261
• Revert "fix: don't leak internal class (#​3024)" by @​mcollina in https://github.com/nodejs/undici/pull/3044

Full Changelog: nodejs/undici@v6.11.0...v6.11.1

v6.11.0

Compare Source

What's Changed

• refactor(#​3023): Pass headers as array instead by @​metcoder95 in https://github.com/nodejs/undici/pull/3025
• fix: don't leak internal class by @​ronag in https://github.com/nodejs/undici/pull/3024
• build(deps): bump codecov/codecov-action from 4.1.0 to 4.1.1 by @​dependabot in https://github.com/nodejs/undici/pull/3034
• build(deps-dev): bump tsd from 0.30.7 to 0.31.0 by @​dependabot in https://github.com/nodejs/undici/pull/3038
• build(deps-dev): bump borp from 0.9.1 to 0.10.0 by @​dependabot in https://github.com/nodejs/undici/pull/2947
• missing commits by @​ronag in https://github.com/nodejs/undici/pull/3040
• build(deps): bump actions/checkout from 4.1.1 to 4.1.2 by @​dependabot in https://github.com/nodejs/undici/pull/3036
• fix: regexp pattern by @​tsctx in https://github.com/nodejs/undici/pull/3041

Full Changelog: nodejs/undici@v6.10.2...v6.11.0

v6.10.2

Compare Source

What's Changed

• Do not fail test if streams support typed arrays by @​mcollina in https://github.com/nodejs/undici/pull/2978
• fix(fetch): properly redirect non-ascii location header url by @​Xvezda in https://github.com/nodejs/undici/pull/2971
• perf: Remove double-stringify

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 1963752

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Updated (UTC)
vercel-storage-next-integration-test-suite	✅ Ready (Inspect)	Visit Preview	May 23, 2025 0:00am