Sync high-value bug fixes from upstream undici#1
Merged
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
opts.dispatcher was passed through to instance dispatch(), which now throws InvalidArgumentError. Strip dispatcher and agent from the spread so they don't leak to the underlying dispatcher.dispatch().

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Security:
- parseHeaders: prevent __proto__ prototype pollution in response headers [upstream nodejs#4923]
- trailers: preserve trailers that shadow Object.prototype via defineProperty [upstream 90a1609]
- request: use hasSafeIterator to guard against polluted Object.prototype[Symbol.iterator] [upstream nodejs#4824]

Correctness:
- request: accept RFC 7230 comma-separated Connection header tokens (close, keep-alive, custom) [upstream nodejs#4775]
- client-h1: validate EOF for chunked h1 responses; surface ResponseContentLengthMismatchError and HTTPParserError instead of silently completing on truncated bodies [upstream nodejs#5273]
- client-h1: pre-increment kCounter so maxRequestsPerClient enforces exactly N requests per socket (was N+1) [upstream nodejs#5034]
- client-h1: reuse parser WeakRef across setTimeout calls instead of allocating a new one per call [upstream nodejs#5125]

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Cherry-picks (with adaptation) high-value upstream bug fixes that were still missing from this fork. This PR is the subset that actually applies to the fork's slim feature set (HTTP/1 client + agent + pool, no fetch/h2/cache/socks/websocket).
Security
- __proto__ prototype pollution in response headers (upstream #4923)
- Object.prototype via defineProperty instead of Object.assign (upstream 90a1609d)
- hasSafeIterator to guard against polluted Object.prototype[Symbol.iterator] (upstream #4824)
Correctness
- Connection header tokens (close, keep-alive, upgrade, custom names) — was rejecting valid values (upstream #4775)
- ResponseContentLengthMismatchError / HTTPParserError instead of silently completing on truncated bodies (upstream #5273)
- kCounter so maxRequestsPerClient: N enforces exactly N requests per socket (was N+1 due to post-increment) (upstream #5034)
- WeakRef across setTimeout calls instead of allocating a fresh one each time (upstream #5125)
Also included (from prior local fixes on this branch)
Skipped after investigation
Test plan
🤖 Generated with Claude Code
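The two header-handling items listed under Security (`__proto__` in response headers, and trailers whose names shadow Object.prototype members), as an added example that is not code from this fork or from upstream undici: a naive header collector beside one that only tests and writes own properties. The function names and the sample header list are constructed for illustration, and using defineProperty for headers is an assumption, since the page names it only for trailers.

```javascript
// Constructed sample: flat [name, value, ...] list as an HTTP/1 parser would emit it.
const rawHeaders = [
  'Content-Type', 'text/plain',
  '__proto__', 'a',
  '__proto__', 'b',
  'constructor', 'x'
]

// Naive form: object literal plus bracket reads/writes, which go through the
// prototype chain and the inherited __proto__ accessor.
function collectNaive (raw) {
  const out = {}
  for (let i = 0; i < raw.length; i += 2) {
    const key = raw[i].toLowerCase()
    const prev = out[key] // inherited members count as "already seen"
    if (prev === undefined) out[key] = raw[i + 1]
    else if (Array.isArray(prev)) prev.push(raw[i + 1])
    else out[key] = [prev, raw[i + 1]] // for __proto__ this swaps out's prototype
  }
  return out
}

// Hardened form (assumed approach): test own properties only, and create each
// entry with defineProperty so no inherited setter ever runs.
function collectHardened (raw) {
  const out = {}
  const own = (k) => Object.prototype.hasOwnProperty.call(out, k)
  for (let i = 0; i < raw.length; i += 2) {
    const key = raw[i].toLowerCase()
    const val = raw[i + 1]
    if (!own(key)) {
      Object.defineProperty(out, key, { value: val, writable: true, enumerable: true, configurable: true })
    } else if (Array.isArray(out[key])) out[key].push(val)
    else out[key] = [out[key], val] // own data property, plain write is safe
  }
  return out
}

// Summarise what a caller would observe on each result.
function observe (headers) {
  return {
    protoIsPlain: Object.getPrototypeOf(headers) === Object.prototype,
    ownNames: Object.keys(headers),
    constructorValue: headers.constructor
  }
}

console.log(observe(collectNaive(rawHeaders)))
console.log(observe(collectHardened(rawHeaders)))
```

In the naive result the `__proto__` header never appears as a key and the object's prototype has become an array; in the hardened result all three names are own properties and the prototype is untouched.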