RepoJournal
Node.js

@nodejs

The Node.js runtime — every backend team's CVE source of truth


UNDICI PLUGS WEBSOCKET DOS WHILE NODE CORE OPTIMIZES BUFFERS AND ADDS PACKAGE MAPS

By RepoJournal · Filed · About Node.js

Undici shipped a critical websocket fragment limit to prevent remote OOM attacks, while Node core lands experimental package map support and a V8 API that cuts Buffer.copy overhead.

The undici team shipped a breaking change that closes a denial-of-service hole: a remote peer could send thousands of tiny websocket fragments, consuming far more memory than the payload itself and crashing the process [1]. The fix adds a `maxFragments` option, and connections that hit the limit close with code 1008. This is a you-need-to-know security fix if you're running websocket servers at scale.
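The fragment cap described above, sketched as an added example (not undici's code and not part of the original article): a minimal reassembler that counts fragments per message and signals close code 1008 once the limit is hit. `parseFrame`, `MessageAssembler`, `receive` and `fragmented` are hypothetical names, and only short unmasked frames are handled.

```javascript
// Added example: parseFrame, MessageAssembler, receive and fragmented are illustrative
// names, not undici's code. Only short (<126 byte) unmasked frames are handled.
const CONTINUATION = 0x0, TEXT = 0x1;
const PROTOCOL_ERROR = 1002, POLICY_VIOLATION = 1008;
function parseFrame(buf, off) {
  const len = buf[off + 1] & 0x7f;
  if (len > 125 || (buf[off + 1] & 0x80)) throw new Error('unsupported frame in example');
  const end = off + 2 + len;
  return { fin: (buf[off] & 0x80) !== 0, opcode: buf[off] & 0x0f,
           payload: buf.subarray(off + 2, end), next: end };
}

class MessageAssembler {
  constructor(maxFragments) { this.maxFragments = maxFragments; this.parts = []; }
  // Returns {message} when complete, {close} on a violation, {} when more frames are needed.
  push(frame) {
    if (frame.opcode >= 0x8) return {};            // control frames are not fragments
    const open = this.parts.length > 0;
    if ((frame.opcode === CONTINUATION) !== open) return { close: PROTOCOL_ERROR };
    if (this.parts.length >= this.maxFragments) {  // cap the per-message fragment count
      this.parts = [];                             // release what was buffered so far
      return { close: POLICY_VIOLATION };
    }
    this.parts.push(frame.payload);
    if (!frame.fin) return {};
    const message = Buffer.concat(this.parts);
    this.parts = [];                               // the count resets for the next message
    return { message };
  }
}

// Run a received byte stream through the assembler, stopping at the first close.
function receive(stream, maxFragments) {
  const asm = new MessageAssembler(maxFragments);
  const messages = [];
  for (let off = 0, frame; off < stream.length; off = frame.next) {
    frame = parseFrame(stream, off);
    const r = asm.push(frame);
    if (r.close) return { messages, close: r.close };
    if (r.message) messages.push(r.message.toString());
  }
  return { messages, close: null };
}

// Constructed input: `text` sent as one-byte fragments (2 header bytes per payload byte).
function fragmented(text) {
  return Buffer.concat([...Buffer.from(text)].map((byte, i, all) => Buffer.from(
    [(i === all.length - 1 ? 0x80 : 0) | (i === 0 ? TEXT : CONTINUATION), 1, byte])));
}
```

The cap is counted per message, so a peer that stays under it on every message is never closed; a separate total-size limit is still needed to bound memory per message.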

On the Node core side, three major improvements landed. The experimental `--experimental-package-map` flag lets you resolve packages from a static JSON file instead of walking `node_modules`, solving phantom dependency issues and speeding up startup [6]. Buffer.prototype.copy got a significant speedup through V8's new `CopyArrayBufferBytes` API [7][8], which handles the copy at the native level without materializing intermediate objects. For HTTP/2 users, undici fixed idle session reaping so `keepAliveTimeout` is actually honored after streams complete [2], and it now allows multiplexing non-idempotent requests on independent H/2 streams [3]. There's also a fix ensuring ProxyAgent respects `requestTls` settings when using SOCKS5 proxies [4].

TextStream support landed in undici to match the fetch spec [5], rounding out the standards compliance push.

Action items

References

  [1] websocket: limit the number of fragments in a message (nodejs/undici)
  [2] fix: reap idle HTTP/2 sessions (nodejs/undici)
  [3] fix: allow h2 post request multiplexing (nodejs/undici)
  [4] fix: honor requestTls when proxy is SOCKS5 (nodejs/undici)
  [5] add bodymixin.textStream() (nodejs/undici)
  [6] loader: implement package maps (nodejs/node)
  [7] buffer: optimize Buffer.prototype.copy (nodejs/node)
  [8] deps: V8: add CopyArrayBufferBytes API (nodejs/node)

FAQ

What changed in Node.js on June 13, 2026?
Undici shipped a critical websocket fragment limit to prevent remote OOM attacks, while Node core lands experimental package map support and a V8 API that cuts Buffer.copy overhead.
What should Node.js teams do about it?
  • Review undici websocket usage - upgrade to get `maxFragments` limit on public-facing connections
  • Benchmark Buffer.copy performance gains in your workload after next Node LTS
  • Test `--experimental-package-map` flag if you're hitting `node_modules` phantom dependency issues
Which Node.js repositories shipped on June 13, 2026?
nodejs/undici, nodejs/node
