The Wire · Showcase
UNDICI HTTP/2 CRASH FIXED, VM PROXY SANDBOX QUERIES CORRECTED
By RepoJournal · Filed · About Node.js
Undici shipped a critical fix for HTTP/2 multiplexing that was crashing processes when two requests shared a session, while Node core fixed vm sandboxes backed by Proxies to properly report property ownership.
The undici team patched a catastrophic bug [1] where rewinding kPendingIdx past nulled queue slots during HTTP/2 multiplexing would crash the entire process with a TypeError when Client[kDestroy] tried to error remaining requests. The root cause: when two requests multiplexed on one session, closing one stream before response headers would unconditionally reset kPendingIdx while the other request was still in flight, leaving a null slot that later crashed with Cannot read properties of null. This is a production blocker for anyone using HTTP/2 multiplexing in high-concurrency scenarios.
Node core fixed a separate but equally nasty issue [2] where vm contextify was using HasRealNamedProperty() instead of inspecting own property descriptors, making Proxy-backed sandboxes report false for hasOwnProperty, Object.hasOwn, in, and Reflect.has even when properties were actually readable. The fix updates the named property query path to see through Proxy objects, restoring correct property visibility semantics.
Undici also landed tighter cookie parsing [3] that now preserves values and parses SameSite strictly, plus cache header fixes [4] for qualified field name trimming. On the test side, Node marked SEA build tests flaky on linux arm debug [5] after observing SIGKILL crashes during ELF binary injection, and bumped OpenSSL to 3.5.7 [6] across all architectures.
Action items
- → Update undici immediately if you use HTTP/2 multiplexing - this crashes production nodejs/undici [immediate]
- → Review vm Proxy-backed sandboxes if you rely on property queries - behavior changed nodejs/node [plan]
- → Expect SEA test noise on linux arm debug CI until stabilized nodejs/node [monitor]
References
- [1] fix(h2): do not rewind kPendingIdx past in-flight requests ↗ nodejs/undici
- [2] vm: fix property queries for proxy sandboxes ↗ nodejs/node
- [3] fix(cookies): preserve values and parse SameSite strictly nodejs/undici
- [4] fix(cache): trim qualified field names nodejs/undici
- [5] test: mark SEA tests flaky on linux arm debug ↗ nodejs/node
- [6] deps: update archs files for openssl-3.5.7 nodejs/node
FAQ
- What changed in Node.js on June 12, 2026?
- Undici shipped a critical fix for HTTP/2 multiplexing that was crashing processes when two requests shared a session, while Node core fixed vm sandboxes backed by Proxies to properly report property ownership.
- What should Node.js teams do about it?
- Update undici immediately if you use HTTP/2 multiplexing - this crashes production • Review vm Proxy-backed sandboxes if you rely on property queries - behavior changed • Expect SEA test noise on linux arm debug CI until stabilized
- Which Node.js repositories shipped on June 12, 2026?
- nodejs/undici, nodejs/node