NODE.JS CRYPTO TIGHTENS HMAC RULES, UNDICI SHIPS TRIPLE RELEASE
By RepoJournal · Filed · About Node.js
Node.js runtime-deprecates calling Hmac.digest() more than once on the same instance, aligning its behavior with Hash.digest() and closing a consistency gap that has quietly let such code ship to production.
The crypto module now emits a DEP0206 deprecation warning when Hmac.digest() is called on an already-finalized instance [1]. The warning signals a future breaking change and addresses the inconsistency with Hash.digest(), which throws ERR_CRYPTO_HASH_FINALIZED under the same conditions. It catches a class of subtle bugs where callers don't realize they have already finalized the state.
Separately, the dgram module adds Socket.prototype.bindSync() [2], a synchronous bind operation that unblocks WebAssembly embeddings and POSIX compatibility layers that need to avoid async patterns. The debugger CLI also fixes a race condition [3] where the REPL prompt would appear before the debuggee was actually released from --inspect-brk, and stream handling fixes a dropped-first-chunk bug in Utf8Stream buffer mode [4].
On the HTTP client side, undici shipped three releases in quick succession: v6.27.0 [5] and v7.28.0 [6] both fix idle socket validation to skip fresh connections, while v8.5.0 [7] adds native timer support and fixes HTTP/2 stream rewinding past in-flight requests. All three releases converge on the same stability improvements across major versions.
Action items
- Scan HMAC usage in your codebase for repeated digest() calls and plan an upgrade path before DEP0206 becomes breaking (nodejs/node) [plan]
- Upgrade undici to v6.27.0, v7.28.0, or v8.5.0 depending on your current major version (nodejs/undici) [plan]
- If using WebAssembly UDP binding, test Socket.bindSync() as a non-JSPI alternative (nodejs/node) [monitor]
References
- [1] crypto: runtime-deprecate calling Hmac.digest() more than once (nodejs/node)
- [2] dgram: add synchronous Socket.prototype.bindSync() (nodejs/node)
- [3] debugger: await initialization after run and restart (nodejs/node)
- [4] stream: fix dropped first chunk in Utf8Stream buffer mode (nodejs/node)
- [5] v6.27.0 (nodejs/undici)
- [6] v7.28.0 (nodejs/undici)
- [7] v8.5.0 (nodejs/undici)
FAQ
- What changed in Node.js on June 16, 2026?
  Node.js runtime-deprecates calling Hmac.digest() more than once on the same instance, aligning its behavior with Hash.digest() and closing a consistency gap that has quietly let such code ship to production.
- What should Node.js teams do about it?
  - Scan HMAC usage in your codebase for repeated digest() calls and plan an upgrade path before DEP0206 becomes breaking
  - Upgrade undici to v6.27.0, v7.28.0, or v8.5.0 depending on your current major version
  - If using WebAssembly UDP binding, test Socket.bindSync() as a non-JSPI alternative
- Which Node.js repositories shipped on June 16, 2026?
  nodejs/node, nodejs/undici