The Wire · Showcase
Node crypto backend split lands, HTTP/3 callbacks corrected
By RepoJournal · Filed · About Node.js
The core team shipped major refactoring across crypto and QUIC while npm 11.18.0 tightens registry handling, and undici's benchmarks catch up to got v15.
The most consequential change is the crypto backend split [1], which isolates OpenSSL 3, BoringSSL, and legacy OpenSSL into separate code paths. The OpenSSL 3 path now builds with strict deprecation flags, moving away from APIs marked deprecated in 3.0.0 while keeping ENGINE support in its own compatibility layer. This matters because it unblocks Node from using the latest OpenSSL without forcing every consumer to deal with deprecation warnings. In parallel, the HTTP/3 implementation got a critical callback fix [2] that corrects how the application interprets nghttp3 stopSending and ResetStream callbacks, which the team discovered actually request actions rather than reporting peer events. The discovery also surfaced test failures around header state management during graceful shutdown, now fixed. Less visible but steady work: npm upgraded to 11.18.0 [3] with improved registry host matching via URL prefix support, and undici's benchmarks have been adjusted [4] to account for got v15's removal of the url and isStream parameters. The web team logged meeting notes [5] and reliability published fresh metrics [6].
Action items
- → Review the crypto backend split for any custom ENGINE usage in your build nodejs/node [plan]
- → Watch for HTTP/3 session shutdown behavior changes if you're testing QUIC nodejs/node [monitor]
- → Update benchmarks if you're comparing against got post-v15 nodejs/undici [plan]
References
- [1] crypto: split OpenSSL 3, BoringSSL, and legacy backends nodejs/node
- [2] quic: correct http3 callback and fix revealed errs nodejs/node
- [3] deps: upgrade npm to 11.18.0 ↗ nodejs/node
- [4] fix(benchmarks): adjust got after v15 upgrade (#5526) nodejs/undici
- [5] Add meeting notes for Node.js Web Team on 2026-07-06 (#162) nodejs/web-team
- [6] Add report for 2026-07-09 nodejs/reliability
FAQ
- What changed in Node.js on July 9, 2026?
- The core team shipped major refactoring across crypto and QUIC while npm 11.18.0 tightens registry handling, and undici's benchmarks catch up to got v15.
- What should Node.js teams do about it?
- Review the crypto backend split for any custom ENGINE usage in your build • Watch for HTTP/3 session shutdown behavior changes if you're testing QUIC • Update benchmarks if you're comparing against got post-v15
- Which Node.js repositories shipped on July 9, 2026?
- nodejs/node, nodejs/undici, nodejs/web-team, nodejs/reliability