UNDICI PLUGS WEBSOCKET DOS WHILE NODE CORE OPTIMIZES BUFFERS AND ADDS PACKAGE MAPS
By RepoJournal
Undici shipped a critical websocket fragment limit to prevent remote OOM attacks, while Node core lands experimental package map support and a V8 API that cuts Buffer.copy overhead.
The undici team shipped a breaking change that closes a denial-of-service hole: a remote peer could send thousands of tiny websocket fragments, consuming far more memory than the payload itself and crashing the process [1]. The fix adds a `maxFragments` option; connections that hit the limit are closed with code 1008. If you run websocket servers at scale, this is a security fix you need to know about.
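The check described above, as an added example that is not undici's code or part of the original article: a minimal RFC 6455 frame walker that counts fragments per message and returns close code 1008 once a message exceeds the limit. `parseFrame`, `inspectFrames` and `frame` are hypothetical names, the sample frames are constructed, and the `maxFragments` parameter borrows only the option's name from the fix.

```javascript
// Added example (hypothetical names; not undici's code). Counts fragments per
// message and returns the close code a receiver would send.
const OP_CONT = 0x0, OP_TEXT = 0x1, OP_BIN = 0x2;

// Parse one RFC 6455 frame at `off`; returns null when the buffer is incomplete.
function parseFrame(buf, off) {
  if (buf.length - off < 2) return null;
  const fin = (buf[off] & 0x80) !== 0;
  const opcode = buf[off] & 0x0f;
  const masked = (buf[off + 1] & 0x80) !== 0;
  let len = buf[off + 1] & 0x7f;
  let p = off + 2;
  if (len === 126) {
    if (buf.length - p < 2) return null;
    len = buf.readUInt16BE(p); p += 2;
  } else if (len === 127) {
    if (buf.length - p < 8) return null;
    len = Number(buf.readBigUInt64BE(p)); p += 8;
  }
  if (masked) p += 4; // skip the masking key; only sizes matter for this check
  if (buf.length < p + len) return null;
  return { fin, opcode, len, next: p + len };
}

// Returns { closeCode, messages }: 1008 when a message exceeds maxFragments,
// 1002 on a framing error, null when every frame was accepted.
function inspectFrames(buf, { maxFragments }) {
  const messages = [];
  let off = 0, fragments = 0, bytes = 0, f;
  while ((f = parseFrame(buf, off)) !== null) {
    off = f.next;
    if (f.opcode >= 0x8) continue; // control frames are not message fragments
    const continuing = f.opcode === OP_CONT;
    if (f.opcode > OP_BIN || continuing !== (fragments > 0)) return { closeCode: 1002, messages };
    fragments += 1; bytes += f.len;
    if (fragments > maxFragments) return { closeCode: 1008, messages };
    if (f.fin) { messages.push({ fragments, bytes }); fragments = 0; bytes = 0; }
  }
  return { closeCode: null, messages };
}

// Constructed sample input: masked client frames with payloads under 126 bytes.
function frame(fin, opcode, payload) {
  const body = Buffer.from(payload);
  const head = Buffer.from([(fin ? 0x80 : 0) | opcode, 0x80 | body.length]);
  return Buffer.concat([head, Buffer.alloc(4), body]); // all-zero mask key
}
const normal = Buffer.concat([frame(false, OP_TEXT, 'he'), frame(false, OP_CONT, 'll'), frame(true, OP_CONT, 'o')]);
const tiny = Buffer.concat([frame(false, OP_BIN, 'a'), ...Array.from({ length: 5 }, () => frame(false, OP_CONT, 'a'))]);
```

Calling `inspectFrames(Buffer.concat([normal, tiny]), { maxFragments: 4 })` accepts the three-fragment message and rejects the unfinished run of one-byte fragments, where each fragment carries six bytes of framing for one byte of payload.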
On the Node core side, three major improvements landed. The experimental `--experimental-package-map` flag lets you resolve packages from a static JSON file instead of walking `node_modules`, solving phantom dependency issues and speeding up startup [6]. `Buffer.prototype.copy` got a significant speedup through V8's new `CopyArrayBufferBytes` API [7][8], which handles the copy at the native level without materializing intermediate objects.
For HTTP/2 users, undici fixed idle session reaping so `keepAliveTimeout` is actually honored after streams complete [2], and it now allows multiplexing non-idempotent requests on independent H/2 streams [3]. There's also a fix ensuring ProxyAgent respects `requestTls` settings when using SOCKS5 proxies [4].
TextStream support landed in undici to match the fetch spec [5], rounding out the standards compliance push.
Action items
- Review undici websocket usage; upgrade to get the `maxFragments` limit on public-facing connections (nodejs/undici) [immediate]
- Benchmark `Buffer.copy` performance gains in your workload after next Node LTS (nodejs/node) [plan]
- Test the `--experimental-package-map` flag if you're hitting `node_modules` phantom dependency issues (nodejs/node) [monitor]
- Verify HTTP/2 session `keepAliveTimeout` behavior in production after the undici update (nodejs/undici) [plan]
References
- [1] websocket: limit the number of fragments in a message (nodejs/undici)
- [2] fix: reap idle HTTP/2 sessions (nodejs/undici)
- [3] fix: allow h2 post request multiplexing (nodejs/undici)
- [4] fix: honor requestTls when proxy is SOCKS5 (nodejs/undici)
- [5] add bodymixin.textStream() (nodejs/undici)
- [6] loader: implement package maps (nodejs/node)
- [7] buffer: optimize Buffer.prototype.copy (nodejs/node)
- [8] deps: V8: add CopyArrayBufferBytes API (nodejs/node)
FAQ
- What changed in Node.js on June 13, 2026?
- Undici shipped a critical websocket fragment limit to prevent remote OOM attacks, while Node core lands experimental package map support and a V8 API that cuts Buffer.copy overhead.
- Which Node.js repositories shipped on June 13, 2026?
- nodejs/undici, nodejs/node