RepoJournal
Node.js

@nodejs

The Node.js runtime — every backend team's CVE source of truth

Pick a date

  1. Tue 5 may
  2. Wed 6 may
  3. Thu 7 may
  4. Fri 8 may
  5. Sat 9 may
  6. Sun 10 may
  7. Mon 11 may
  8. Tue 12 may
  9. Wed 13 may
  10. Thu 14 may
  11. Fri 15 may
  12. Sat 16 may
  13. Sun 17 may
  14. Mon 18 may
  15. Tue 19 may
  16. Wed 20 may
  17. Thu 21 may
  18. Sat 23 may
  19. Sun 24 may
  20. Mon 25 may
  21. Tue 26 may
  22. Wed 27 may
  23. Thu 28 may
  24. Fri 29 may
  25. Sat 30 may
  26. Sun 31 may
  27. Mon 1 jun
  28. Mon 8 jun
  29. Tue 9 jun
  30. Today 10 jun

The Wire · Showcase

UNDICI PATCHES CHUNKED RESPONSE VALIDATION ACROSS MAJOR VERSIONS

By RepoJournal · Filed · About Node.js

Undici shipped critical fixes for HTTP/1.1 chunked transfer encoding validation in both v6.26.0 and v7.26.0, closing a parsing gap that could affect streaming responses.

Both release lines patched the same vulnerability: validate EOF for chunked h1 responses [2] [3]. The v7 release also backported safe main fixes from the development branch [3], ensuring consistency across the active version tree. On the Node.js core side, WebCrypto spec alignment landed in two complementary PRs covering both nomenclature [5] and systematic regression test coverage [4]. The test suite tightened protections around prototype pollution in cryptographic operations and aligned operation parameters with W3C spec terminology. A streaming regression also shipped: duplex channels now properly handle end() calls after failed endSync() buffering [7], preventing deadlocks when readable side drains queued data. Minor cleanup removed the test-node-output-v8-warning test [6] since asm.js validation is deprecated in V8. Across the ecosystem, semver bumped to 7.8.1 [1] with bug fixes for the npm dependency resolution engine.

Action items

References

  1. [1] build(deps): bump semver from 7.8.0 to 7.8.1 in the prod group ↗ nodejs/remark-preset-lint-node
  2. [2] v6.26.0 ↗ nodejs/undici
  3. [3] v7.26.0 ↗ nodejs/undici
  4. [4] test: cover webcrypto prototype pollution systematically ↗ nodejs/node
  5. [5] doc,lib: align WebCrypto names with spec ↗ nodejs/node
  6. [6] test: remove test-node-output-v8-warning nodejs/node
  7. [7] stream: wait for push writer end fallback to drain nodejs/node

FAQ

What changed in Node.js on May 26, 2026?
Undici shipped critical fixes for HTTP/1.1 chunked transfer encoding validation in both v6.26.0 and v7.26.0, closing a parsing gap that could affect streaming responses.
What should Node.js teams do about it?
Upgrade undici to v6.26.0 or v7.26.0 depending on your version line • If you're on Node core, sync WebCrypto usage with the spec-aligned naming in your cryptographic operations • Test duplex streams with end() calls after buffering edge cases if you maintain stream-heavy code
Which Node.js repositories shipped on May 26, 2026?
nodejs/remark-preset-lint-node, nodejs/undici, nodejs/node

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.