The Wire · Showcase
UNDICI FIXES SOCKET CRASH AND HTTP/2 HANG BUGS THAT BREAK PRODUCTION
By RepoJournal · Filed · About Node.js
Undici shipped two critical parser fixes overnight that prevent process crashes on socket close and eliminate request hangs on early HTTP/2 responses.
The first fix addresses a crash in HTTP/1 parsing when a response body applies backpressure [1]. When the socket closes while the llhttp parser is paused, the finish() call would assert and crash the entire process with an uncatchable error from the socket 'end' handler. This now resumes the paused parser and drains it correctly, letting responses complete across all body framings. The second fix tackles HTTP/2 request hangs when a server returns a final response (like 401) instead of 100 Continue on Expect: 100-continue requests [2]. The body write was bound to a 'continue' event that never fires, leaving the stream half-open and the response never delivered. Both fixes are in the queue and address scenarios that silently break production applications. Separately, Node core is tightening HTTP request validation around absolute-form paths [3] to prevent proxy confusion attacks where mismatched Host headers route requests to unintended destinations. The core team also added TLS group reporting for post-quantum cryptography [4], letting getEphemeralKeyInfo() identify ML-KEM and hybrid groups. And a new stress-test workflow [5] lets you manually dispatch test runs on any PR to catch flaky tests before merge.
Action items
- → Patch undici to the latest version before next deploy - both fixes prevent crashes and hangs nodejs/undici [immediate]
- → Review HTTP request code using absolute-form paths with proxy servers for potential misrouting nodejs/node [plan]
- → If using TLS 1.3 with post-quantum groups, verify getEphemeralKeyInfo() now returns group names nodejs/node [monitor]
References
- [1] fix(h1): complete paused parser on socket end instead of crashing ↗ nodejs/undici
- [2] fix(h2): deliver an early final response to an Expect: 100-continue request ↗ nodejs/undici
- [3] http: document and validate options.path when it's in absolute-form ↗ nodejs/node
- [4] tls: report negotiated TLS groups ↗ nodejs/node
- [5] build: add manually-dispatched stress-test workflow ↗ nodejs/node
FAQ
- What changed in Node.js on July 2, 2026?
- Undici shipped two critical parser fixes overnight that prevent process crashes on socket close and eliminate request hangs on early HTTP/2 responses.
- What should Node.js teams do about it?
- Patch undici to the latest version before next deploy - both fixes prevent crashes and hangs • Review HTTP request code using absolute-form paths with proxy servers for potential misrouting • If using TLS 1.3 with post-quantum groups, verify getEphemeralKeyInfo() now returns group names
- Which Node.js repositories shipped on July 2, 2026?
- nodejs/undici, nodejs/node