deps: update undici to 7.24.3 by nodejs-github-bot · Pull Request #62233 · nodejs/node

nodejs-github-bot · 2026-03-12T18:18:19Z

This is an automated update of undici to 7.24.3.

nodejs-github-bot · 2026-03-12T18:18:25Z

Review requested:

@nodejs/security-wg

codecov · 2026-03-12T19:40:56Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.67%. Comparing base (1989f4d) to head (1a989c7).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #62233      +/-   ##
==========================================
+ Coverage   89.65%   89.67%   +0.01%     
==========================================
  Files         676      676              
  Lines      206555   206555              
  Branches    39547    39555       +8     
==========================================
+ Hits       185195   185230      +35     
+ Misses      13495    13448      -47     
- Partials     7865     7877      +12

see 36 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

nodejs-github-bot · 2026-03-12T21:59:06Z

CI: https://ci.nodejs.org/job/node-test-pull-request/71735/

mcollina

lgtm

aduh95 · 2026-03-13T11:18:52Z

@mcollina please don't add the request-ci Add this label to start a Jenkins CI on a PR. label when there's already a passing CI

mcollina · 2026-03-13T11:31:20Z

oops.

nodejs-github-bot · 2026-03-13T13:14:20Z

CI: https://ci.nodejs.org/job/node-test-pull-request/71745/

mcollina · 2026-03-13T14:26:40Z

I would need to update this, sorry. We are going to land v7.24.1.

github-actions · 2026-03-13T21:18:35Z

Failed to start CI

   ⚠  Commits were pushed since the last approving review:
   ⚠  - deps: update undici to 7.24.1
   ✘  Refusing to run CI on potentially unsafe PR

https://github.com/nodejs/node/actions/runs/23070905272

mcollina

lgtm

mcollina

lgtm

nodejs-github-bot · 2026-03-15T14:49:34Z

CI: https://ci.nodejs.org/job/node-test-pull-request/71773/

nodejs-github-bot · 2026-03-15T23:59:23Z

Landed in 4579957

voxik · 2026-03-16T05:34:39Z

Could this please be backported into stable branches up to the 20?

PR-URL: #62233 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Matthew Aitken <maitken033380023@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>

This MR contains the following updates: | Package | Update | Change | |---|---|---| | [node](https://nodejs.org) ([source](https://github.com/nodejs/node)) | patch | `25.8.1` → `25.8.2` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>nodejs/node (node)</summary> ### [`v25.8.2`](https://github.com/nodejs/node/releases/tag/v25.8.2): 2026-03-24, Version 25.8.2 (Current), @RafaelGSS [Compare Source](nodejs/node@v25.8.1...v25.8.2) This is a security release. ##### Notable Changes - (CVE-2026-21637) wrap `SNICallback` invocation in `try`/`catch` (Matteo Collina) - High - (CVE-2026-21710) use null prototype for `headersDistinct`/`trailersDistinct` (Matteo Collina) - High - (CVE-2026-21711) include permission check to `pipe_wrap.cc` (RafaelGSS) - Medium - (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium - (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium - (CVE-2026-21714) handle `NGHTTP2_ERR_FLOW_CONTROL` error code (RafaelGSS) - Medium - (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium - (CVE-2026-21715) add permission check to `realpath.native` (RafaelGSS) - Low - (CVE-2026-21716) include permission check on `lib/fs/promises` (RafaelGSS) - Low ##### Commits - \[[`2086b7477b`](nodejs/node@2086b7477b)] - **(CVE-2026-21717)** **build,test**: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#834](https://github.com/nodejs-private/node-private/pull/834) - \[[`0f9332a40a`](nodejs/node@0f9332a40a)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/pull/822) - \[[`2b6937ddb2`](nodejs/node@2b6937ddb2)] - **deps**: update undici to 7.24.4 (Node.js GitHub Bot) [#62271](nodejs/node#62271) - \[[`bfb8ad5787`](nodejs/node@bfb8ad5787)] - **deps**: update undici to 7.24.3 (Node.js GitHub Bot) [#62233](nodejs/node#62233) - \[[`be6384727f`](nodejs/node@be6384727f)] - **deps**: upgrade npm to 11.11.1 (npm team) [#62216](nodejs/node#62216) - \[[`2feea5bb97`](nodejs/node@2feea5bb97)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](nodejs/node#62344) - \[[`86c04784dd`](nodejs/node@86c04784dd)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821) - \[[`5197a56a34`](nodejs/node@5197a56a34)] - **(CVE-2026-21711)** **permission**: include permission check to pipe\_wrap.cc (RafaelGSS) [nodejs-private/node-private#820](https://github.com/nodejs-private/node-private/pull/820) - \[[`04a886c735`](nodejs/node@04a886c735)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/pull/795) - \[[`9a7f80f2b0`](nodejs/node@9a7f80f2b0)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/pull/794) - \[[`d9c9b628cf`](nodejs/node@d9c9b628cf)] - **(CVE-2026-21714)** **src**: handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832) - \[[`45b55dc786`](nodejs/node@45b55dc786)] - **(CVE-2026-21712)** **src**: handle url crash on different url formats (RafaelGSS) [nodejs-private/node-private#816](https://github.com/nodejs-private/node-private/pull/816) - \[[`4bfda307c0`](nodejs/node@4bfda307c0)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/pull/819) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever MR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

nodejs-github-bot added the dependencies Pull requests that update a dependency file. label Mar 12, 2026

nodejs-github-bot added the needs-ci PRs that need a full CI run. label Mar 12, 2026

aduh95 approved these changes Mar 12, 2026

View reviewed changes

aduh95 added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. request-ci Add this label to start a Jenkins CI on a PR. labels Mar 12, 2026

github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 12, 2026

KhafraDev approved these changes Mar 12, 2026

View reviewed changes

trivikr approved these changes Mar 13, 2026

View reviewed changes

mcollina added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 13, 2026

mcollina approved these changes Mar 13, 2026

View reviewed changes

github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 13, 2026

This comment was marked as duplicate.

Sign in to view

cjihrig approved these changes Mar 13, 2026

View reviewed changes

nodejs-github-bot changed the title ~~deps: update undici to 7.24.0~~ deps: update undici to 7.24.1 Mar 13, 2026

nodejs-github-bot force-pushed the actions/tools-update-undici branch from eb6d588 to c360a38 Compare March 13, 2026 18:30

mcollina added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 13, 2026

github-actions bot added request-ci-failed An error occurred while starting CI via request-ci label, and manual interventon is needed. and removed request-ci Add this label to start a Jenkins CI on a PR. labels Mar 13, 2026

aduh95 removed the request-ci-failed An error occurred while starting CI via request-ci label, and manual interventon is needed. label Mar 13, 2026

This comment was marked as outdated.

Sign in to view

mcollina approved these changes Mar 14, 2026

View reviewed changes

nodejs-github-bot force-pushed the actions/tools-update-undici branch from c360a38 to 4e311ff Compare March 14, 2026 08:31

nodejs-github-bot changed the title ~~deps: update undici to 7.24.1~~ deps: update undici to 7.24.2 Mar 14, 2026

mcollina approved these changes Mar 14, 2026

View reviewed changes

nodejs-github-bot force-pushed the actions/tools-update-undici branch from 4e311ff to c91c6ab Compare March 14, 2026 20:47

nodejs-github-bot changed the title ~~deps: update undici to 7.24.2~~ deps: update undici to 7.24.3 Mar 14, 2026

deps: update undici to 7.24.3

1a989c7

nodejs-github-bot force-pushed the actions/tools-update-undici branch from c91c6ab to 1a989c7 Compare March 15, 2026 00:56

aduh95 approved these changes Mar 15, 2026

View reviewed changes

aduh95 added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 15, 2026

github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 15, 2026

aduh95 added the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 15, 2026

nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 15, 2026

nodejs-github-bot merged commit 4579957 into main Mar 15, 2026
76 of 77 checks passed

nodejs-github-bot deleted the actions/tools-update-undici branch March 15, 2026 23:59

Uh oh!

Conversation

nodejs-github-bot commented Mar 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nodejs-github-bot commented Mar 12, 2026

Uh oh!

codecov bot commented Mar 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

nodejs-github-bot commented Mar 12, 2026

Uh oh!

mcollina left a comment

Choose a reason for hiding this comment

Uh oh!

This comment was marked as duplicate.

aduh95 commented Mar 13, 2026

Uh oh!

mcollina commented Mar 13, 2026

Uh oh!

nodejs-github-bot commented Mar 13, 2026

Uh oh!

mcollina commented Mar 13, 2026

Uh oh!

github-actions bot commented Mar 13, 2026

Uh oh!

This comment was marked as outdated.

mcollina left a comment

Choose a reason for hiding this comment

Uh oh!

mcollina left a comment

Choose a reason for hiding this comment

Uh oh!

nodejs-github-bot commented Mar 15, 2026

Uh oh!

Uh oh!

nodejs-github-bot commented Mar 15, 2026

Uh oh!

voxik commented Mar 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

nodejs-github-bot commented Mar 12, 2026 •

edited

Loading

codecov bot commented Mar 12, 2026 •

edited

Loading