RepoJournal
Node.js

@nodejs

The Node.js runtime — every backend team's CVE source of truth

UNDICI PATCHES CRITICAL SOCKET VALIDATION BUG AS NODE CORE DEPENDENCY UPDATES SHIP

By RepoJournal · Filed · About Node.js

Undici 8.4.0 lands in Node core with three production fixes that prevent socket assertion crashes, TLS hostname rejections, and parser hangs under backpressure.

The headline story is a guard on idle socket validation that was silently failing fresh sockets [1], paired with a critical parser fix that removes an uncatchable assertion when the HTTP/1 parser is paused and the socket ends [2]. That second fix matters because backpressured requests (body not consumed) were throwing AssertionErrors from the socket 'end' handler, a silent killer in production. A third fix ensures pipelined TLS altname errors reject requests instead of tripping queue assertions [3]. Node core already shipped undici 8.4.0 [4], so you're getting these fixes in your next Node release.

Separately, Node bumped ngtcp2 to 1.23.0 [5], nghttp3 to 1.16.0 [6], and sqlite to 3.53.2 [7], all routine but worth monitoring for QUIC/HTTP/3 behavior changes. Node-gyp broke compatibility with versions below Node 22.22.2 [8], aligned with npm's upcoming engine range [9], so if you're on 20.x you're on borrowed time for native module builds.
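As an added example (not RepoJournal's or the Node.js project's code), the script below checks a runtime against the two version thresholds named above: bundled undici 8.4.0 and the node-gyp floor of Node 22.22.2. The two checks are independent, since a runtime can satisfy one and fail the other. The fleet entries are constructed, and treating 22.22.2 as a simple lower bound is an assumption.

```javascript
// Added example: thresholds are the versions named in the article.
const UNDICI_FIXED = '8.4.0';     // undici release carrying the three fixes
const NODE_GYP_FLOOR = '22.22.2'; // assumption: treated as a plain lower bound

// Parse "v22.22.2" or "22.22.2-nightly" into [major, minor, patch].
// Prerelease tags are ignored; malformed or missing input yields null.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text ?? ''));
  return m ? m.slice(1).map(Number) : null;
}

// True when `have` is numerically at or above `want` (not a string compare).
function atLeast(have, want) {
  const a = parseVersion(have), b = parseVersion(want);
  if (!a || !b) return false; // unknown version: fail closed
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// `versions` has the shape of process.versions ({ node, undici, ... }).
function auditRuntime(versions) {
  const findings = [];
  if (!atLeast(versions.undici, UNDICI_FIXED)) {
    findings.push(`bundled undici ${versions.undici ?? 'unknown'} < ${UNDICI_FIXED}`);
  }
  if (!atLeast(versions.node, NODE_GYP_FLOOR)) {
    findings.push(`node ${versions.node ?? 'unknown'} < node-gyp floor ${NODE_GYP_FLOOR}`);
  }
  return findings;
}

// Constructed inventory: hypothetical hosts and version pairs, plus this process.
const fleet = [
  { host: 'api-1', versions: { node: '20.11.1', undici: '5.28.3' } },
  { host: 'api-2', versions: { node: '22.22.2', undici: '6.21.0' } },
  { host: 'api-3', versions: { node: '26.0.0', undici: '8.4.0' } },
  { host: 'local', versions: process.versions },
];
for (const { host, versions } of fleet) {
  const findings = auditRuntime(versions);
  console.log(host, findings.length ? findings.join('; ') : 'ok');
}
```

This only inspects the undici bundled with the runtime; an application that installs undici from npm carries its own copy, which has to be checked through its lockfile.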

Action items

References

  [1] fix: guard idle socket validation to skip fresh sockets (nodejs/undici)
  [2] fix: handle paused parser on socket end (issue #5360) (#5389) (nodejs/undici)
  [3] fix(client): reject pipelined TLS altname errors (#5373) (nodejs/undici)
  [4] deps: update undici to 8.4.0 (nodejs/node)
  [5] deps: update ngtcp2 to 1.23.0 (nodejs/node)
  [6] deps: update nghttp3 to 1.16.0 (nodejs/node)
  [7] deps: update sqlite to 3.53.2 (nodejs/node)
  [8] feat!: bump to new node engine range (nodejs/node-gyp)
  [9] Bump engine version (nodejs/node-gyp)

FAQ

What changed in Node.js on June 9, 2026?
Undici 8.4.0 lands in Node core with three production fixes that prevent socket assertion crashes, TLS hostname rejections, and parser hangs under backpressure.
What should Node.js teams do about it?

  • Review undici socket and parser fixes before deploying HTTP/1 workloads under backpressure
  • Update node-gyp if you're shipping native modules; drop support for Node <22.22.2
  • Monitor ngtcp2 and nghttp3 updates for QUIC/H3 edge cases in your infrastructure

Which Node.js repositories shipped on June 9, 2026?
nodejs/undici, nodejs/node, nodejs/node-gyp
