chore(deps): update undici to v8

[have-renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
undici (source)	^7.16.0 -> ^8.0.0

---

Release Notes

nodejs/undici (undici)

v8.3.0

Compare Source

What's Changed

• fix: preserve pool capacity after removing stale client by @​trivikr in #​5151
• build(deps): bump actions/github-script from 8.0.0 to 9.0.0 by @​dependabot[bot] in #​5157
• build(deps): bump actions/upload-artifact from 5.0.0 to 7.0.1 by @​dependabot[bot] in #​5162
• build(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 by @​dependabot[bot] in #​5156
• chore(http2): collapse duplicate request stream setup by @​trivikr in #​5140
• perf(client): cache HTTP/2 authority by @​trivikr in #​5141
• build(deps-dev): bump borp from 0.20.2 to 1.0.0 by @​dependabot[bot] in #​4819
• types: add TOpaque to client connect options by @​samuel871211 in #​4928
• build(deps): bump tinybench from 5.1.0 to 6.0.1 in /benchmarks by @​dependabot[bot] in #​4688
• build(deps): bump codecov/codecov-action from 5.5.1 to 6.0.0 by @​dependabot[bot] in #​4950
• build(deps): bump actions/dependency-review-action from 4.8.1 to 4.9.0 by @​dependabot[bot] in #​4951
• test(fetch): add userinfo coverage for issue-4897 URLs by @​mcollina in #​4901
• perf: avoid duplicate pool dispatcher selection on backpressure by @​trivikr in #​5149
• build(deps): bump actions/setup-node from 6.2.0 to 6.4.0 by @​dependabot[bot] in #​5163
• build(deps): bump step-security/harden-runner from 2.14.1 to 2.19.1 by @​dependabot[bot] in #​5160
• build(deps): bump cronometro from 5.3.0 to 6.0.3 in /benchmarks by @​dependabot[bot] in #​4687
• build(deps): bump github/codeql-action from 4.35.1 to 4.35.3 by @​dependabot[bot] in #​5161
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in #​4853
• build(deps): bump hendrikmuhs/ccache-action from 1.2.22 to 1.2.23 by @​dependabot[bot] in #​5158
• build(deps): bump fastify/github-action-merge-dependabot from 3.11.2 to 3.12.0 by @​dependabot[bot] in #​5159
• build(deps-dev): bump c8 from 10.1.3 to 11.0.0 by @​dependabot[bot] in #​4854
• build(deps): bump uWebSockets.js from v20.64.0 to v20.66.0 in /benchmarks by @​dependabot[bot] in #​5130
• docs: mention install() also installs WebSocket globals by @​mcollina in #​5174
• types: stop interfering with @​types/node by @​Renegade334 in #​5173
• fix: align h2 empty body content-length methods with h1 by @​trivikr in #​5172
• build(deps-dev): bump fast-check from 4.6.0 to 4.7.0 by @​dependabot[bot] in #​5192
• build(deps-dev): bump typescript from 6.0.2 to 6.0.3 by @​dependabot[bot] in #​5191
• test: move cleanup from finally to after hooks by @​trivikr in #​5194
• test: resolve flaky timeout in issue-3356 by @​trivikr in #​5188
• SnapshotAgent: Add normalizeBody and normalizeQuery by @​GeoffreyBooth in #​5121
• fix(socks5): use configured connector in Socks5ProxyAgent by @​trivikr in #​5168
• perf(http2): avoid isArray checks for common headers by @​trivikr in #​5170
• fix(test): make deduplicate body-streaming test non-flaky by @​mcollina in #​5196
• test(retry): add regression test for RetryAgent + HTTP/2 stream timeout (#​5137) by @​mcollina in #​5176
• fix(socks5): preserve dispatch backpressure return value by @​trivikr in #​5166
• perf(http2): end zero-length request bodies with headers by @​trivikr in #​5169
• fix(test): make issue-2898-comment.js assertion robust against flakiness by @​mcollina in #​5208
• test: disable timeouts in h2 high concurrency regression by @​trivikr in #​5205
• test: deflake stream compat coverage by @​mcollina in #​5209
• fix(dispatcher): remove unreachable assert in writeBlob by @​SAY-5 in #​5231
• fix: clean up benchmark resources before worker exit by @​trivikr in #​5225
• test: avoid per-chunk assertions in diagnostics get by @​trivikr in #​5224
• test: capture cache test worker stderr and preserve failures by @​trivikr in #​5206
• chore: gitignore benchmarks/package-lock.json by @​trivikr in #​5228
• perf(proxy-agent): avoid extra header allocations in auth guard by @​trivikr in #​5164
• test(wpt): retry WPT server startup on port conflicts or timeout by @​trivikr in #​5215
• test: make websocket diagnostics ping-pong ordering deterministic by @​trivikr in #​5222
• test(websocket): fix flaky send test by @​mcollina in #​5232
• fix: prevent node-fetch test server close from hanging on Windows by @​mcollina in #​5246
• test: wait for cache test server to listen by @​trivikr in #​5242
• fix: accept unknown-size Content-Range values by @​trivikr in #​5120
• test: avoid global dispatcher state in mock client tests by @​trivikr in #​5258
• test: fix flaky permessage-deflate limit timeout by @​mcollina in #​5229
• test: drain request bodies in request tests by @​trivikr in #​5247
• test: reduce retry-after invalid date timing flake by @​trivikr in #​5250
• test: drive request timeout ticks after connect by @​trivikr in #​5251
• test: only fail max-listener checks on max-listener warnings by @​trivikr in #​5253
• test: avoid double-closing server in client-request test by @​trivikr in #​5255
• fix(retry-handler): validate response body length against Content-Range by @​mcollina in #​4975
• test: wait for inflight-and-close body cleanup by @​trivikr in #​5261
• fix(test): make http2-pseudo-headers test order-independent by @​mcollina in #​5234
• fix: preserve fetch multipart body on MockAgent fallback by @​mcollina in #​5269
• ci: build Node FFI fixtures for shared-builtin tests by @​trivikr in #​5275
• test: deflake issue-5137 stream count assertion by @​trivikr in #​5243
• fix: replace finished() with writable lifecycle tracking by @​trivikr in #​5001
• perf(client-h2): reuse request stream handlers by @​trivikr in #​5280
• fix: prevent pipeline body replay on redirect by @​mcollina in #​5274
• fix(types): remove throwOnError from Dispatcher.RequestOptions by @​Zelys-DFKH in #​5279
• fix: validate EOF for chunked h1 responses by @​mcollina in #​5273
• test: deflake parser-issues teardown by @​mcollina in #​5278
• test: make http2-alpn control requests explicit by @​trivikr in #​5252
• test: include cache-test worker metadata on failure by @​trivikr in #​5276
• test: include after in parser-issues by @​trivikr in #​5284
• cache formdata boundary by @​KhafraDev in #​5292
• build(deps-dev): bump fast-check from 4.7.0 to 4.8.0 by @​dependabot[bot] in #​5298
• test: retry crashed cache-test workers once by @​trivikr in #​5294
• Add Node 26 to the matrix by @​mcollina in #​5271
• perf(client-h2): reuse request upgrade stream handlers by @​trivikr in #​5293
• build(deps-dev): bump jest from 30.3.0 to 30.4.2 by @​dependabot[bot] in #​5297
• build(deps): bump uWebSockets.js from v20.66.0 to v20.67.0 in /benchmarks by @​dependabot[bot] in #​5299
• test: fix flaky http2-dispatcher WebSocket upgrade tests by @​mcollina in #​5304

New Contributors

• @​Zelys-DFKH made their first contribution in #​5279

Full Changelog: nodejs/undici@v8.2.0...v8.3.0

v8.2.0

Compare Source

What's Changed

• chore: use native addAbortListener by @​trivikr in #​5021
• fix: fix the logic for the UNDICI_NO_WASM_SIMD environment variable by @​ShenHongFei in #​5026
• fix(http2): send body for non-expectsPayload methods with content by @​mcollina in #​5030
• fix(fetch): correct 'navigator' typo to 'navigate' in fetchFinale by @​deepview-autofix in #​5044
• fix(webidl): correct signed integer bounds in ConvertToInt by @​deepview-autofix in #​5038
• fix(fetch): use || for CRLF check in multipart formdata-parser by @​deepview-autofix in #​5049
• fix(websocket): correct argument order in WebSocketStream UTF-8 failure by @​deepview-autofix in #​5050
• fix(pool): propagate useH2c to connector when connections > 1 by @​SAY-5 in #​5031
• fix(cache): return immutable staleAt in milliseconds by @​deepview-autofix in #​5048
• fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing by @​deepview-autofix in #​5041
• fix(cache): evict oldest entries first in SqliteCacheStore prune by @​deepview-autofix in #​5039
• fix(socks5): correctly expand IPv6 '::' compressed notation by @​deepview-autofix in #​5046
• Remove unused func and unnecessary shim by @​tsctx in #​5053
• fix: reject malformed content-length request headers by @​trivikr in #​5060
• fix(request): reject NaN highWaterMark during option validation by @​trivikr in #​5062
• docs: fix broken links in docsify sidebar by @​maruthang in #​5065
• fix(fetch): prefer filename* over filename in multipart form-data by @​maruthang in #​5068
• fix(http2): reject websocket upgrades on non-200 responses by @​trivikr in #​5072
• feat: support username-only proxy authentication in ProxyAgent by @​rossilor95 in #​4935
• build(deps): bump uWebSockets.js from v20.58.0 to v20.64.0 in /benchmarks by @​dependabot[bot] in #​5083
• fix(client-h2): stop double-decrementing kOpenStreams on stream timeout by @​SAY-5 in #​5076
• fix(http2): reject upgrade streams closed before response headers by @​trivikr in #​5069
• fix(http2): allow GET and HEAD request bodies over h2 by @​trivikr in #​5058
• fix(cache): include query in cache key when opts.path is undefined by @​maruthang in #​5081
• fix: avoid premature cleanup of dispatcher in Agent by @​bienzaaron in #​5034
• fix(http2): record ping failures on the socket by @​trivikr in #​5075
• add undici security policy by @​mcollina in #​5056
• fix(mock): make filterCalls AND operator actually intersect results by @​deepview-autofix in #​5045
• fix(socks5): enforce authenticated state before CONNECT by @​trivikr in #​5097
• fix(cache): skip expired sqlite vary entries during lookup by @​trivikr in #​5095
• fix: enforce maxCachedSessions in TLS session cache by @​trivikr in #​5102
• fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly by @​trivikr in #​5099
• fix: handle invalid HTTP/2 connection headers (#​4356) by @​mcollina in #​5101
• fix(interceptor): add throwOnMaxRedirect to types and interceptor opts by @​maruthang in #​5066
• fix(websocket): avoid double-closing canceled stream readers by @​colinaaa in #​5105
• fix(cache): persist vary when updating sqlite cache entries by @​trivikr in #​5109
• refactor(h1): track HEAD keep-alive override as boolean by @​trivikr in #​5110
• client: cache llhttp wasm buffer view by @​trivikr in #​5115
• deps: update llhttp to 9.3.1 by @​mcollina in #​5113
• fix(http2): preserve accepted streams after GOAWAY by @​trivikr in #​5090
• fix: reuse parser WeakRef for timeout callbacks by @​trivikr in #​5125
• fix: stop buffering data after SOCKS5 connect by @​trivikr in #​5118
• perf(http2): avoid response header reserialization by @​trivikr in #​5085
• fix(cache): enforce sqlite maxCount after insert by @​trivikr in #​5112
• perf: reduce EventSourceStream parser allocations by @​trivikr in #​5032
• types(dispatcher): use OutgoingHttpHeaders for request headers by @​maruthang in #​5067
• cleanup: delete redundant .gitkeep file by @​shivarm in #​5133
• fix(http2): respect peer max concurrent streams by @​trivikr in #​5135
• test(http2): ensure websocket upgrade resumes queued requests by @​trivikr in #​5132
• test(mock): cover SnapshotAgent excludeUrls playback by @​maruthang in #​5080
• perf(client): parse h1 content-length statelessly by @​trivikr in #​5124
• perf(http2): reduce writeH2 per-request callback allocations by @​trivikr in #​5138
• chore(deps): add lockfile by @​aduh95 in #​5139
• perf: use byteLength property for binary body chunks by @​trivikr in #​5126
• fix(cache): allow streamed entries at maxEntrySize limit by @​trivikr in #​5129
• perf(http2): avoid cloning headers when removing status by @​trivikr in #​5127
• fix: validate H2CClient maxConcurrentStreams option by @​trivikr in #​5143
• perf: avoid redundant scans in BalancedPool dispatcher selection by @​trivikr in #​5146
• fix: replace stale pool clients under connection limit by @​trivikr in #​5145

New Contributors

• @​deepview-autofix made their first contribution in #​5044
• @​SAY-5 made their first contribution in #​5031
• @​maruthang made their first contribution in #​5065
• @​bienzaaron made their first contribution in #​5034

Full Changelog: nodejs/undici@v8.1.0...v8.2.0

v8.1.0

Compare Source

What's Changed

• feat: add configurable maxPayloadSize for WebSocket by @​mcollina in #​4955

Full Changelog: nodejs/undici@v8.0.3...v8.1.0

v8.0.3

Compare Source

What's Changed

• docs: add an Undici 7 to 8 migration guide by @​mcollina in #​4963
• chore: switch deferred promise with Promise.withResolvers() by @​trivikr in #​4972
• chore: remove zstd and markAsUncloneable feature probes by @​trivikr in #​4968
• test: remove obsolete nodeMajor/nodeMinor util exports by @​trivikr in #​4976
• chore: use Promise.withResolvers in SOCKS5 proxy agent by @​trivikr in #​4978
• build(deps-dev): bump esbuild from 0.27.7 to 0.28.0 by @​dependabot[bot] in #​4985
• build(deps-dev): bump proxy from 2.2.0 to 4.0.0 by @​dependabot[bot] in #​4987
• build(deps): bump got from 14.6.6 to 15.0.0 in /benchmarks by @​dependabot[bot] in #​4988
• chore: use Object.hasOwn for iterator checks by @​trivikr in #​4979
• doc: Update dump({ limit: Integer }) default value by @​samuel871211 in #​4981
• fix: avoid 401 failures for stream-backed request bodies by @​mcollina in #​4941
• test: remove unsupported Node version checks from fetch tests by @​trivikr in #​4977
• types: remove legacy AbortSignal alias now provided by @​types/node by @​trivikr in #​4995
• fix: remove stale constructor interceptors from types and pool options by @​trivikr in #​4994
• doc: update incorrect description of dump.maxSize by @​samuel871211 in #​4982
• ci: enable coverage for node.js 25 by @​shivarm in #​4980
• refactor: reuse wrapRequestBody in RedirectHandler by @​trivikr in #​4992
• fix: preserve connect option in H2CClient by @​trivikr in #​5000
• types: document Client and H2CClient option declarations by @​trivikr in #​4998
• fix: native WebSocket over H2 server after undici import by @​mcollina in #​4990
• chore(test): issue 3969 by @​rozzilla in #​5005
• fix(1270): throw descriptive error when opts.dispatcher–passed instance methods by @​rozzilla in #​5007
• docs: Change the default value of allowH2 in JSDoc by @​7hokerz in #​5009
• chore(test): cover issue 5014 by @​rozzilla in #​5015
• fix: prevent cache dedup key collision via unescaped delimiters by @​eddieran in #​5013
• fix(proxy agent): respect connectTimeout by @​rozzilla in #​5011

New Contributors

• @​7hokerz made their first contribution in #​5009
• @​eddieran made their first contribution in #​5013

Full Changelog: nodejs/undici@v8.0.2...v8.0.3

v8.0.2

Compare Source

What's Changed

• fix(websocket): fallback to HTTP/1.1 when H2 CONNECT is unavailable by @​mcollina in #​4966
• fix: release ref by @​mcollina in #​4965
• ci: reenable shared builtin CI tests by @​mcollina in #​4967

Full Changelog: nodejs/undici@v8.0.1...v8.0.2

v8.0.1

Compare Source

What's Changed

• Remove legacy handler wrappers by @​mcollina in #​4786
• fix: isolate global dispatcher v2 and add Dispatcher1Wrapper bridge by @​mcollina in #​4827
• fix: preserve request statusText and update h2 dispatch tests by @​mcollina in #​4830
• feat!: enable h2 by default by @​metcoder95 in #​4828
• fix(cache): preserve short-lived entries for revalidation by @​mcollina in #​4934
• fix: remove support for non-real Blob objects by @​mcollina in #​4937
• build(deps): bump github/codeql-action from 4.32.3 to 4.35.1 by @​dependabot[bot] in #​4953
• Undici 8 by @​mcollina in #​4916
• build(deps): bump hendrikmuhs/ccache-action from 1.2.19 to 1.2.22 by @​dependabot[bot] in #​4954
• doc: remove duplicate listItem of RetryHandler.md & RetryHandler.md by @​samuel871211 in #​4948
• fix: mirror the legacy global dispatcher for built-in fetch by @​mcollina in #​4962
• fix(websocket/stream): only enqueue parsed messages in WebSocketStream by @​colinaaa in #​4959

New Contributors

• @​colinaaa made their first contribution in #​4959

Full Changelog: nodejs/undici@v7.24.7...v8.0.1

v8.0.0

Compare Source

What's Changed

• Remove legacy handler wrappers by @​mcollina in #​4786
• fix: isolate global dispatcher v2 and add Dispatcher1Wrapper bridge by @​mcollina in #​4827
• fix: preserve request statusText and update h2 dispatch tests by @​mcollina in #​4830
• feat!: enable h2 by default by @​metcoder95 in #​4828
• fix(cache): preserve short-lived entries for revalidation by @​mcollina in #​4934
• fix: remove support for non-real Blob objects by @​mcollina in #​4937
• build(deps): bump github/codeql-action from 4.32.3 to 4.35.1 by @​dependabot[bot] in #​4953
• Undici 8 by @​mcollina in #​4916

Full Changelog: nodejs/undici@v7.24.7...v8.0.0

v7.26.0

Compare Source

What's Changed

• fix: backport safe main fixes to v7.x by @​mcollina in #​5136
• fix: validate EOF for chunked h1 responses by @​mcollina in #​5307

Full Changelog: nodejs/undici@v7.25.0...v7.26.0

v7.25.0

Compare Source

What's Changed

Full Changelog: nodejs/undici@v7.24.8...v7.25.0

v7.24.8

Compare Source

What's Changed

• fix: backport 401 stream-backed body fix to v7.x by @​mcollina in #​5006

Full Changelog: nodejs/undici@v7.24.7...v7.24.8

v7.24.7

Compare Source

What's Changed

• docs: update broken links in file "Dispatcher.md" by @​samuel871211 in #​4924
• doc: remove unused parameter redirectionLimitReached by @​samuel871211 in #​4933
• test: skip flaky macOS Node 20 cookie fetch cases by @​mcollina in #​4932
• fix(types): align Response with DOM fetch types by @​theamodhshetty in #​4867
• fix(types): Fix clone method type declaration to be an instance method rather than instance property by @​mistval in #​4925
• test: skip IPv6 tests when IPv6 is not available by @​mcollina in #​4939
• fix: correctly handle multi-value rawHeaders in fetch by @​mcollina in #​4938
• ignore AGENTS.md by @​mcollina in #​4942

New Contributors

• @​samuel871211 made their first contribution in #​4924
• @​mistval made their first contribution in #​4925

Full Changelog: nodejs/undici@v7.24.6...v7.24.7

v7.24.6

Compare Source

What's Changed

• fix(test): client wasm compatible with clang 22 by @​rozzilla in #​4909
• fix(mock): improve error message when intercepts are exhausted by @​travisbreaks in #​4912
• fix(websocket): support open diagnostics over h2 by @​mcollina in #​4921
• fix: assume http/https scheme for scheme-less proxy env vars by @​travisbreaks in #​4914
• fix(cache): check Authorization on request headers per RFC 9111 §3.5 by @​metalix2 in #​4911
• fix: wrap kConnector call in try/catch to prevent client hang by @​veeceey in #​4834
• docs: clarify fetch and FormData pairing by @​mcollina in #​4922
• fix: support Connection header with connection-specific header names per RFC 7230 by @​mcollina in #​4775
• fix: avoid prototype collisions in parseHeaders by @​mcollina in #​4923
• build(deps-dev): bump typescript from 5.9.3 to 6.0.2 by @​dependabot[bot] in #​4926
• test: auto-init WPT submodule by @​mcollina in #​4930

New Contributors

• @​rozzilla made their first contribution in #​4909
• @​veeceey made their first contribution in #​4834

Full Changelog: nodejs/undici@v7.24.5...v7.24.6

v7.24.5

Compare Source

What's Changed

• Formdata tests by @​KhafraDev in #​4902
• test: add unexpected disconnect guards to more client test files by @​samayer12 in #​4844
• fix(cache): only apply 1-year deleteAt for immutable responses by @​metalix2 in #​4913

New Contributors

• @​metalix2 made their first contribution in #​4913

Full Changelog: nodejs/undici@v7.24.4...v7.24.5

v7.24.4

Compare Source

What's Changed

• fix(fetch): handle URL credentials in dispatch path extraction by @​mcollina in #​4892

Full Changelog: nodejs/undici@v7.24.3...v7.24.4

v7.24.3

Compare Source

What's Changed

• fix(h2): TypeError: Cannot read properties of null (reading 'push') i… by @​hxinhan in #​4881

Full Changelog: nodejs/undici@v7.24.2...v7.24.3

v7.24.2

Compare Source

What's Changed

• fix fetch path logic by @​KhafraDev in #​4890
• remove maxDecompressedMessageSize by @​KhafraDev in #​4891

Full Changelog: nodejs/undici@v7.24.1...v7.24.2

v7.24.1

Compare Source

What's Changed

• fix: proto pollution by @​rahulyadav5524 in #​4885

Full Changelog: nodejs/undici@v7.24.0...v7.24.1

v7.24.0

Compare Source

Undici v7.24.0 Security Release Notes

This release addresses multiple security vulnerabilities in Undici.

Upgrade guidance

All users on v7 should upgrade to v7.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 (Medium)
  Unbounded memory consumption in deduplication interceptor response buffering (DoS risk).

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Affected and patched ranges

• CVE-2026-1525: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-1528: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-2581: affected >= 7.17.0 < 7.24.0, patched 7.24.0
• CVE-2026-1527: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-2229: affected 7.0.0 < 7.24.0, patched 7.24.0
• CVE-2026-1526: affected 7.0.0 < 7.24.0, patched 7.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
• NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
• NVD CVE-2026-2581: https://nvd.nist.gov/vuln/detail/CVE-2026-2581
• NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

v7.23.0

Compare Source

What's Changed

• fix: prevent AbortController GC when redirect is 'error' by @​mcollina in #​4750
• docs: clarify UndiciHeaders validation guidance by @​mcollina in #​4832
• build(deps): bump actions/checkout from 5.0.0 to 6.0.2 by @​dependabot[bot] in #​4795
• build(deps): bump step-security/harden-runner from 2.14.0 to 2.14.1 by @​dependabot[bot] in #​4794
• build(deps): bump github/codeql-action from 4.31.2 to 4.32.0 by @​dependabot[bot] in #​4793
• test: add unexpected disconnect guards to client test files by @​samayer12 in #​4833
• fix fetch stripping trailing ? from url by @​KhafraDev in #​4837
• fix: forward onResponseStarted through WrapHandler and UnwrapHandler by @​7rulnik in #​4840
• webidl: access keys in lexicographical order by @​KhafraDev in #​4841
• ci: disable coverage on Node.js 25 by @​mcollina in #​4852
• build(deps): bump uWebSockets.js from v20.56.0 to v20.58.0 in /benchmarks by @​dependabot[bot] in #​4855
• fix(h2): TypeError: Cannot read properties of null (reading 'servername') in _resume when H2 stream completes by @​hxinhan in #​4847
• fix(h2): ignore late data frames after request completion by @​mcollina in #​4845
• fix(handler): preserve latin1 header encoding in WrapHandler by @​theamodhshetty in #​4859
• docs(examples): add cache interceptor example with fetch by @​nthbotast in #​4864
• docs(dispatcher): clarify onResponseStart return value is ignored by @​nthbotast in #​4865
• feat: add SOCKS5 proxy support to ProxyAgent by @​mcollina in #​4385
• fix: harden header iterable checks for prototype-pollution scenarios by @​mcollina in #​4824
• fix(interceptor): preserve tuple headers in dns interceptor by @​theamodhshetty in #​4863
• docs(dispatcher): use RFC 2606 domains in interceptor examples by @​nthbotast in #​4873
• feat: add IP prioritization hints for HTTP/1.1 and HTTP/2 by @​amyssnippet in #​4831
• docs: clarify when to install undici vs using Node's built-in fetch by @​travisbreaks in #​4868
• docs(dispatcher): add cache interceptor fetch example by @​nthbotast in #​4870
• fix(dispatcher): pass socketPath to custom connect callbacks by @​theamodhshetty in #​4857

New Contributors

• @​samayer12 made their first contribution in #​4833
• @​7rulnik made their first contribution in #​4840
• @​hxinhan made their first contribution in #​4847
• @​theamodhshetty made their first contr

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.