RepoJournal
Node.js

@nodejs

The Node.js runtime — every backend team's CVE source of truth

UNDICI FIXES SOCKET CRASH AND HTTP/2 HANG BUGS THAT BREAK PRODUCTION

By RepoJournal · Filed · About Node.js

Undici shipped two critical parser fixes overnight that prevent process crashes on socket close and eliminate request hangs on early HTTP/2 responses.

The first fix addresses a crash in HTTP/1 parsing when a response body applies backpressure [1]. When the socket closes while the llhttp parser is paused, the finish() call would assert and crash the entire process with an uncatchable error from the socket 'end' handler. This now resumes the paused parser and drains it correctly, letting responses complete across all body framings.

The second fix tackles HTTP/2 request hangs when a server returns a final response (like 401) instead of 100 Continue on Expect: 100-continue requests [2]. The body write was bound to a 'continue' event that never fires, leaving the stream half-open and the response never delivered. Both fixes are in the queue and address scenarios that silently break production applications.

Separately, Node core is tightening HTTP request validation around absolute-form paths [3] to prevent proxy confusion attacks where mismatched Host headers route requests to unintended destinations. The core team also added TLS group reporting for post-quantum cryptography [4], letting getEphemeralKeyInfo() identify ML-KEM and hybrid groups. And a new stress-test workflow [5] lets you manually dispatch test runs on any PR to catch flaky tests before merge.
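One way to review request code for the absolute-form and Host mismatch described above, as an added example that is not code from Node core or undici: a helper that flags http.request()-style options whose absolute-form path names a different authority than the Host header. The function names, the sample hostnames and the Host fallback rule are assumptions of this example.

```javascript
// Added example: a request-options audit helper. It is not Node core's
// validation code; field names follow http.request() options.

// Parse an authority ("Example.com:80") under a scheme; URL lowercases the
// host and drops the scheme's default port, so equal authorities compare equal.
function parseAuthority(protocol, authority) {
  if (/[\/?#@\s\\]/.test(authority)) return null; // not a bare host[:port]
  try {
    return new URL(`${protocol}//${authority}`).host || null;
  } catch {
    return null;
  }
}

// Case-insensitive lookup in a plain headers object.
function getHeader(headers, name) {
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === name) return String(value);
  }
  return undefined;
}

// Returns { form, ok, reason? } for one set of request options.
function auditRequestOptions(options) {
  const path = options.path || '/';
  if (!/^https?:\/\//i.test(path)) return { form: 'origin', ok: true };

  let target;
  try {
    target = new URL(path);
  } catch {
    return { form: 'absolute', ok: false, reason: 'unparseable request target' };
  }
  if (target.username || target.password) {
    return { form: 'absolute', ok: false, reason: 'userinfo in request target' };
  }
  // Assumption: with no explicit Host header, the client derives Host from
  // options.hostname/host and options.port (the proxy's address when proxying).
  const explicit = getHeader(options.headers, 'host');
  const fallback = `${options.hostname || options.host || 'localhost'}` +
    (options.port ? `:${options.port}` : '');
  const host = parseAuthority(target.protocol, explicit ?? fallback);
  if (host === null) {
    return { form: 'absolute', ok: false, reason: 'invalid Host value' };
  }
  if (host !== target.host) {
    return { form: 'absolute', ok: false,
      reason: `Host "${host}" does not match target "${target.host}"` };
  }
  return { form: 'absolute', ok: true };
}
```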

References

  [1] fix(h1): complete paused parser on socket end instead of crashing (nodejs/undici)
  [2] fix(h2): deliver an early final response to an Expect: 100-continue request (nodejs/undici)
  [3] http: document and validate options.path when it's in absolute-form (nodejs/node)
  [4] tls: report negotiated TLS groups (nodejs/node)
  [5] build: add manually-dispatched stress-test workflow (nodejs/node)

FAQ

What changed in Node.js on July 2, 2026?
Undici shipped two critical parser fixes overnight that prevent process crashes on socket close and eliminate request hangs on early HTTP/2 responses.
What should Node.js teams do about it?
  • Patch undici to the latest version before next deploy - both fixes prevent crashes and hangs
  • Review HTTP request code using absolute-form paths with proxy servers for potential misrouting
  • If using TLS 1.3 with post-quantum groups, verify getEphemeralKeyInfo() now returns group names
Which Node.js repositories shipped on July 2, 2026?
nodejs/undici, nodejs/node
