RepoJournal
Node.js

@nodejs

The Node.js runtime — every backend team's CVE source of truth

Pick a date

The Wire · Showcase

UNDICI PATCHES FAKE TIMER BYPASS BREAKING TEST ISOLATION

By RepoJournal · Filed · About Node.js

Undici restored socket validation to respect global timers instead of sneaking around fake timer mocks, fixing a footgun that silently broke test suites relying on clock control.

The fix [1] restores idle socket validation to use standard Node timer APIs, reversing a bypass that let validation run even when tests faked timers. This matters because cache interceptor tests were forced to fake the entire Date object just to control one clock behavior, and the workaround left poisoned sockets undetected in isolation. Node-gyp tightened its release machinery in parallel: commit-lint now gates changelog generation [2], LTO is disabled for Windows addon builds to prevent linker issues [3], and the CI pipeline updated to immutable GitHub action versions [4]. These changes ensure native modules build reproducibly across platforms without surprises in release automation.

Action items

References

  1. [1] fix: keep idle validation on global timers ↗ nodejs/undici
  2. [2] chore: add commit-lint ↗ nodejs/node-gyp
  3. [3] fix: disable LTO for addon builds on Windows ↗ nodejs/node-gyp
  4. [4] fix(ci): update ruff-action version to v4.0.0 (#3324) nodejs/node-gyp

FAQ

What changed in Node.js on June 11, 2026?
Undici restored socket validation to respect global timers instead of sneaking around fake timer mocks, fixing a footgun that silently broke test suites relying on clock control.
What should Node.js teams do about it?
Review test suite for undici cache interceptor mocks - may simplify after this lands • Upgrade node-gyp to pick up commit-lint and LTO fixes if you maintain native bindings
Which Node.js repositories shipped on June 11, 2026?
nodejs/undici, nodejs/node-gyp

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.