RepoJournal
Node.js

@nodejs

The Node.js runtime — every backend team's CVE source of truth

Pick a date

  1. Tue 5 may
  2. Wed 6 may
  3. Thu 7 may
  4. Fri 8 may
  5. Sat 9 may
  6. Sun 10 may
  7. Mon 11 may
  8. Tue 12 may
  9. Wed 13 may
  10. Thu 14 may
  11. Fri 15 may
  12. Sat 16 may
  13. Sun 17 may
  14. Mon 18 may
  15. Tue 19 may
  16. Wed 20 may
  17. Thu 21 may
  18. Sat 23 may
  19. Sun 24 may
  20. Mon 25 may
  21. Tue 26 may
  22. Wed 27 may
  23. Thu 28 may
  24. Fri 29 may
  25. Sat 30 may
  26. Sun 31 may
  27. Mon 1 jun
  28. Mon 8 jun
  29. Tue 9 jun
  30. Today 10 jun

The Wire · Showcase

UNDICI PATCHES HTTP/2 SESSION COLLAPSE, NODE CORE HARDENS BUFFER ENCODING

By RepoJournal · Filed · About Node.js

Undici's HTTP/2 client now auto-recovers from invalid sessions instead of failing hard, while Node core plugs a race condition that could corrupt SharedArrayBuffer-backed buffers during encoding.

The undici team shipped a critical fix that resets cached HTTP/2 session state when `session.request()` throws `ERR_HTTP2_INVALID_SESSION`, then requeues the unsent request on a fresh connection [1]. This prevents cascading failures in production where a single bad session could take down an entire client. In parallel, they're landing a connector feature that lets you prefer HTTP/2 in ALPN negotiation via a new `preferH2` option [2], solving interop headaches with load balancers that follow client preference. Over in Node core, Antoine du Hamel closed a TOCTOU race condition in SAB-backed buffer encoding that could lead to memory corruption [3], a quiet but serious fix tracked on HackerOne. The core team also cleaned up unused util functions [4] and fixed duplicated build conditions around sqlite and ffi [5]. HTTP header validation is getting more flexible too: the `insecureHTTPParser` option now gates lenient control-character handling to match the Fetch spec, letting Node interop with non-compliant servers without going fully permissive [6]. On the documentation front, undici's HTTP/2 trailers test is being refactored to use async/await patterns and shared fixtures instead of callbacks, eliminating flakiness [7].

Action items

References

  1. [1] fix: reset invalid HTTP/2 sessions ↗ nodejs/undici
  2. [2] feat(connect): add `preferH2` connector option to offer h2 first in ALPN ↗ nodejs/undici
  3. [3] src: remove TOCTOU race condition when encoding SAB-backed `Buffer`s nodejs/node
  4. [4] util: remove unused functions nodejs/node
  5. [5] build: remove duplicated node_use_sqlite and node_use_ffi conditions nodejs/node
  6. [6] http: align header value validation with Fetch spec ↗ nodejs/node
  7. [7] test: fix flaky http2 trailers test ↗ nodejs/undici

FAQ

What changed in Node.js on May 31, 2026?
Undici's HTTP/2 client now auto-recovers from invalid sessions instead of failing hard, while Node core plugs a race condition that could corrupt SharedArrayBuffer-backed buffers during encoding.
What should Node.js teams do about it?
If you're running undici in production with HTTP/2, verify your error handling works with the session reset behavior [ref:1] • Review SAB usage in your codebase if you're encoding SharedArrayBuffer-backed buffers; update Node when this ships [ref:9] • Test your HTTP header parsing with the new validation rules if you rely on `insecureHTTPParser` [ref:12]
Which Node.js repositories shipped on May 31, 2026?
nodejs/undici, nodejs/node

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.