
UNDICI PATCHES CHUNKED RESPONSE VALIDATION HOLE AS NODE-GYP PIVOTS TO v26

By RepoJournal · Filed · About Node.js

Undici fixed a critical gap where EOF on chunked HTTP/1.1 responses could slip through without validating the terminating chunk, while node-gyp simultaneously dropped v20 from CI and landed full v26 support.

The undici team closed a real vulnerability in response parsing [1]: EOF-delimited responses were passing validation without a check for proper chunked-encoding termination, a gap that could allow truncated responses to be treated as complete. That fix arrives alongside performance wins: lower stream handler overhead [2], from replacing stream.finished() with targeted writable lifecycle tracking, and HTTP/2 client improvements [3] through handler reuse. Meanwhile, a type correctness fix [4] removes throwOnError from Dispatcher.RequestOptions, aligning the type signatures with v7's actual API. On the build side, node-gyp dropped v20 from its test matrix [5] and added v26 support [6], with undici's fetch import wired in [7]. The dist-indexer bumped semver to 7.8.0 [8], bringing new features to version parsing across the ecosystem.
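The failure mode described above, as an added example that is not undici's code or the patch itself: a strict check of whether a chunked body that ended at socket EOF actually reached its terminating zero-length chunk. The function name `parseChunkedBody` and the sample byte strings are constructed for illustration.

```javascript
// Added example, not undici's implementation. `raw` is a Buffer holding every
// byte received after the response headers, up to the point the socket closed.
function parseChunkedBody(raw) {
  const chunks = [];
  let pos = 0;
  for (;;) {
    const lineEnd = raw.indexOf('\r\n', pos);
    if (lineEnd === -1) {
      return { complete: false, reason: 'EOF before terminating chunk' };
    }
    // Chunk extensions (";name=value") may follow the size; drop them.
    const sizeText = raw.toString('latin1', pos, lineEnd).split(';')[0];
    if (!/^[0-9a-fA-F]+$/.test(sizeText)) {
      return { complete: false, reason: 'invalid chunk size' };
    }
    const size = parseInt(sizeText, 16);
    pos = lineEnd + 2;
    if (size === 0) {
      // Terminating chunk: optional trailer fields, then one empty line.
      for (;;) {
        const end = raw.indexOf('\r\n', pos);
        if (end === -1) {
          return { complete: false, reason: 'EOF inside trailer section' };
        }
        if (end === pos) {
          return { complete: true, body: Buffer.concat(chunks) };
        }
        pos = end + 2;
      }
    }
    if (pos + size + 2 > raw.length) {
      return { complete: false, reason: 'EOF inside chunk data' };
    }
    if (raw[pos + size] !== 0x0d || raw[pos + size + 1] !== 0x0a) {
      return { complete: false, reason: 'missing CRLF after chunk data' };
    }
    chunks.push(raw.subarray(pos, pos + size));
    pos += size + 2;
  }
}

// Constructed samples: the same body with and without its terminating chunk.
const SAMPLE_COMPLETE = Buffer.from('5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n');
const SAMPLE_TRUNCATED = Buffer.from('5\r\nhello\r\n6\r\n world\r\n');

console.log(parseChunkedBody(SAMPLE_COMPLETE).complete);  // body may be used
console.log(parseChunkedBody(SAMPLE_TRUNCATED).reason);   // must surface as an error
```

A client that accepts the truncated sample hands the caller a shortened body that looks like a successful response, which is why EOF has to be treated as an error unless the zero-length chunk and its closing empty line were seen.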

References

  [1] fix: validate EOF for chunked h1 responses, nodejs/undici
  [2] fix: replace finished() with writable lifecycle tracking, nodejs/undici
  [3] perf(client-h2): reuse request stream handlers, nodejs/undici
  [4] fix(types): remove throwOnError from Dispatcher.RequestOptions (#5279), nodejs/undici
  [5] fix: stop testing end-of-life Node.js v20 (#3315), nodejs/node-gyp
  [6] support Node.js 26 (#3311), nodejs/node-gyp
  [7] fix: test on Node.js v26 (#3314), nodejs/node-gyp
  [8] chore(deps): bump semver from 7.7.4 to 7.8.0, nodejs/nodejs-dist-indexer

FAQ

What changed in Node.js on May 12, 2026?

Undici fixed a critical gap where EOF on chunked HTTP/1.1 responses could slip through without validating the terminating chunk, while node-gyp simultaneously dropped v20 from CI and landed full v26 support.

What should Node.js teams do about it?

  • Upgrade undici to the latest patch — the chunked response validation fix prevents malformed responses from being accepted
  • Update node-gyp to pick up Node.js v26 support for native module builds
  • If you maintain TypeScript definitions for undici, remove throwOnError from Dispatcher.RequestOptions

Which Node.js repositories shipped on May 12, 2026?

nodejs/undici, nodejs/node-gyp, nodejs/nodejs-dist-indexer
