RepoJournal
Node.js

@nodejs

The Node.js runtime — every backend team's CVE source of truth

Pick a date

The Wire · Showcase

NODE.JS CRYPTO TIGHTENS HMAC RULES, UNDICI SHIPS TRIPLE RELEASE

By RepoJournal · Filed · About Node.js

Node.js runtime-deprecates calling Hmac.digest() multiple times in the same session, aligning its behavior with Hash.digest() and closing a consistency gap that has quietly shipped code across production.

The crypto module now emits a DEP0206 deprecation warning when Hmac.digest() is called on an already-finalized instance [1], a breaking-change warning that fixes the inconsistency where Hash.digest() throws ERR_CRYPTO_HASH_FINALIZED under the same conditions. This catches a class of subtle bugs where callers don't realize they've already finalized the state. Separately, the dgram module adds Socket.prototype.bindSync() [2], a synchronous bind operation that unblocks WebAssembly embeddings and POSIX compatibility layers that need to avoid async patterns. The debugger CLI also fixes a race condition [3] where the REPL prompt would appear before the debuggee actually released from --inspect-brk, and stream handling now fixes a dropped first chunk bug in Utf8Stream buffer mode [4]. On the HTTP client side, undici shipped three releases in quick succession: v6.27.0 [5] and v7.28.0 [6] both fix idle socket validation to skip fresh connections, while v8.5.0 [7] adds native timer support and fixes HTTP/2 stream rewinding past in-flight requests. All three releases converge on the same stability improvements across major versions.

Action items

References

  1. [1] crypto: runtime-deprecate calling Hmac.digest() more than once ↗ nodejs/node
  2. [2] dgram: add synchronous Socket.prototype.bindSync() ↗ nodejs/node
  3. [3] debugger: await initialization after run and restart ↗ nodejs/node
  4. [4] stream: fix dropped first chunk in Utf8Stream buffer mode nodejs/node
  5. [5] v6.27.0 ↗ nodejs/undici
  6. [6] v7.28.0 ↗ nodejs/undici
  7. [7] v8.5.0 ↗ nodejs/undici

FAQ

What changed in Node.js on June 16, 2026?
Node.js runtime-deprecates calling Hmac.digest() multiple times in the same session, aligning its behavior with Hash.digest() and closing a consistency gap that has quietly shipped code across production.
What should Node.js teams do about it?
Scan HMAC usage in your codebase for repeated digest() calls and plan upgrade path before DEP0206 becomes breaking • Upgrade undici to v6.27.0, v7.28.0, or v8.5.0 depending on your current major version • If using WebAssembly UDP binding, test Socket.bindSync() as a non-JSPI alternative
Which Node.js repositories shipped on June 16, 2026?
nodejs/node, nodejs/undici

Related across the cluster

For your repos

The showcase is a teaser.
Your wire is the product.

Same engine. Different stack. Below: what changes when the wire is yours.

Showcase wire

  • 14 famous open source orgs
  • One wire per day
  • Public, generic
  • Read on the web, when you remember

Your wire

  • Up to 1,500 of your repos - orgs, deps, vendors
  • Morning and evening briefs
  • Action items routed to your team
  • Slack delivery, email, breaking-news CVE alerts

Want a hands-on demo first? Ask a current user for an invite link.