fix(deps): update dependency undici to v6 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
undici (source)	5.28.4 → 6.24.0

GitHub Vulnerability Alerts

CVE-2025-22150

Impact

Undici fetch() uses Math.random() to choose the boundary for a multipart/form-data request. It is known that the output of Math.random() can be predicted if several of its generated values are known.

If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, An attacker can tamper with the requests going to the backend APIs if certain conditions are met.

Patches

This is fixed in 5.28.5; 6.21.1; 7.2.3.

Workarounds

Do not issue multipart requests to attacker controlled servers.

References

• https://hackerone.com/reports/2913312
• https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f

CVE-2025-47279

Impact

Applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak.

Patches

This has been patched in https://github.com/nodejs/undici/pull/4088.

Workarounds

If a webhook fails, avoid keep calling it repeatedly.

References

Reported as: https://github.com/nodejs/undici/issues/3895

CVE-2026-22036

Impact

The fetch() API supports chained HTTP encoding algorithms for response content according to RFC 9110 (e.g., Content-Encoding: gzip, br). This is also supported by the undici decompress interceptor.

However, the number of links in the decompression chain is unbounded and the default maxHeaderSize allows a malicious server to insert thousands compression steps leading to high CPU usage and excessive memory allocation.

Patches

Upgrade to 7.18.2 or 6.23.0.

Workarounds

It is possible to apply an undici interceptor and filter long Content-Encoding sequences manually.

References

• https://hackerone.com/reports/3456148
• GHSA-gm62-xv2j-4w53
• https://curl.se/docs/CVE-2022-32206.html

CVE-2026-1525

Impact

Undici allows duplicate HTTP Content-Length headers when they are provided in an array with case-variant names (e.g., Content-Length and content-length). This produces malformed HTTP/1.1 requests with multiple conflicting Content-Length values on the wire.

Who is impacted:

• Applications using undici.request(), undici.Client, or similar low-level APIs with headers passed as flat arrays
• Applications that accept user-controlled header names without case-normalization

Potential consequences:

• Denial of Service: Strict HTTP parsers (proxies, servers) will reject requests with duplicate Content-Length headers (400 Bad Request)
• HTTP Request Smuggling: In deployments where an intermediary and backend interpret duplicate headers inconsistently (e.g., one uses the first value, the other uses the last), this can enable request smuggling attacks leading to ACL bypass, cache poisoning, or credential hijacking

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

If upgrading is not immediately possible:

1. Validate header names: Ensure no duplicate Content-Length headers (case-insensitive) are present before passing headers to undici
2. Use object format: Pass headers as a plain object ({ 'content-length': '123' }) rather than an array, which naturally deduplicates by key
3. Sanitize user input: If headers originate from user input, normalize header names to lowercase and reject duplicates

CVE-2026-1527

Impact

When an application passes user-controlled input to the upgrade option of client.request(), an attacker can inject CRLF sequences (\r\n) to:

1. Inject arbitrary HTTP headers
2. Terminate the HTTP request prematurely and smuggle raw data to non-HTTP services (Redis, Memcached, Elasticsearch)

The vulnerability exists because undici writes the upgrade value directly to the socket without validating for invalid header characters:

// lib/dispatcher/client-h1.js:1121
if (upgrade) {
  header += `connection: upgrade\r\nupgrade: ${upgrade}\r\n`
}

Patches

Patched in the undici version v7.24.0 and v6.24.0. Users should upgrade to this version or later.

Workarounds

Sanitize the upgrade option string before passing to undici:

function sanitizeUpgrade(value) {
  if (/[\r\n]/.test(value)) {
    throw new Error('Invalid upgrade value')
  }
  return value
}

client.request({
  upgrade: sanitizeUpgrade(userInput)
})

CVE-2026-2229

Impact

The undici WebSocket client is vulnerable to a denial-of-service attack due to improper validation of the server_max_window_bits parameter in the permessage-deflate extension. When a WebSocket client connects to a server, it automatically advertises support for permessage-deflate compression. A malicious server can respond with an out-of-range server_max_window_bits value (outside zlib's valid range of 8-15). When the server subsequently sends a compressed frame, the client attempts to create a zlib InflateRaw instance with the invalid windowBits value, causing a synchronous RangeError exception that is not caught, resulting in immediate process termination.

The vulnerability exists because:

1. The isValidClientWindowBits() function only validates that the value contains ASCII digits, not that it falls within the valid range 8-15
2. The createInflateRaw() call is not wrapped in a try-catch block
3. The resulting exception propagates up through the call stack and crashes the Node.js process

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

CVE-2026-1526

Description

The undici WebSocket client is vulnerable to a denial-of-service attack via unbounded memory consumption during permessage-deflate decompression. When a WebSocket connection negotiates the permessage-deflate extension, the client decompresses incoming compressed frames without enforcing any limit on the decompressed data size. A malicious WebSocket server can send a small compressed frame (a "decompression bomb") that expands to an extremely large size in memory, causing the Node.js process to exhaust available memory and crash or become unresponsive.

The vulnerability exists in the PerMessageDeflate.decompress() method, which accumulates all decompressed chunks in memory and concatenates them into a single Buffer without checking whether the total size exceeds a safe threshold.

Impact

• Remote denial of service against any Node.js application using undici's WebSocket client
• A single compressed WebSocket frame of ~6 MB can decompress to ~1 GB or more
• Memory exhaustion occurs in native/external memory, bypassing V8 heap limits
• No application-level mitigation is possible as decompression occurs before message delivery

Patches

Users should upgrade to fixed versions.

Workarounds

No workaround are possible.

---

Release Notes

nodejs/undici (undici)

v6.24.0

Compare Source

What's Changed

• fetch: fix content-encoding order by @​tsctx in #​3343
• Add regression test for broken body by @​mcollina in #​3346
• build(deps): bump node from 075a5cc to 9af472b in /build by @​dependabot[bot] in #​3355
• fix: post request signal by @​Gigioliva in #​3354
• Revert "fix: post request signal (#​3354)" by @​ronag in #​3359
• websocket: don't use pooled buffer in mask pool by @​tsctx in #​3357
• fix: consider bytes read when dumping by @​ronag in #​3360
• refactor: simplify signal handling by @​ronag in #​3362
• fix: use explicit flag for when use has interacted with stream by @​ronag in #​3361
• Refactor example documentation structure and add CacheableLookup example by @​DarkGL in #​3363
• refactor: simplify request error handling by @​ronag in #​3364
• fix: ensure onConnect is always called by @​ronag in #​3327
• Refactor responseHeader to responseHeaders by @​DarkGL in #​3375
• fix: don't override user defined MaxListeners by @​fawazahmed0 in #​3372
• fix: forward dispatch return value by @​ronag in #​3368
• build(deps): bump github/codeql-action from 3.25.7 to 3.25.11 by @​dependabot[bot] in #​3382
• build(deps): bump codecov/codecov-action from 4.4.1 to 4.5.0 by @​dependabot[bot] in #​3384
• build(deps): bump actions/dependency-review-action from 4.3.2 to 4.3.3 by @​dependabot[bot] in #​3383
• build(deps): bump step-security/harden-runner from 2.8.0 to 2.8.1 by @​dependabot[bot] in #​3381
• fix: throw on retry when payload is consume by downstream by @​climba03003 in #​3389
• Remove file by @​KhafraDev in #​3367
• build(deps): bump node from 9af472b to 138d0b5 in /build by @​dependabot[bot] in #​3392
• feat!: upgrade llhttp to 9.2.0 (#​2705) by @​metcoder95 in #​3388
• websocket: reduce memory usage by @​tsctx in #​3393
• feat: implement BodyReadable.bytes by @​tsctx in #​3391
• websocket: avoid using Buffer.byteLength by @​tsctx in #​3394
• separate whatwg websocket logic from rfc 6455 by @​KhafraDev in #​3396
• websocket: add fast-path for string input by @​tsctx in #​3395
• Add generic type for opaque object by @​jfhr in #​3385
• build(deps): bump node from 138d0b5 to 67225d4 in /build by @​dependabot[bot] in #​3398
• interceptors: move throwOnError to interceptor by @​mertcanaltin in #​3331
• chore!: drop interceptors by @​metcoder95 in #​3399
• build(deps-dev): bump @​fastify/busboy from 2.1.1 to 3.0.0 by @​dependabot[bot] in #​3404
• fix: don't call onConnect automatically by @​ronag in #​3407
• In CITGM, skip tests that are flaky there by @​mcollina in #​3413
• Update esbuild to 0.19.10 by @​mcollina in #​3415
• Fix signature of RetryHandler by @​JbIPS in #​3416
• docs: fix ToC in CONTRIBUTING.md by @​richardlau in #​3420
• Fix fetch duplex docs by @​Ethan-Arrowood in #​3422
• fix: restore externalized Node.js dep compatibility by @​richardlau in #​3421
• fix: cast falsy servername to null to avoid falsy inequality by @​ronag in #​3426
• Add backport action by @​mcollina in #​3427
• build(deps): bump node from 67225d4 to 858234a in /build by @​dependabot[bot] in #​3411
• build(deps): bump github/codeql-action from 3.25.11 to 3.25.15 by @​dependabot[bot] in #​3432
• build(deps): bump actions/dependency-review-action from 4.3.3 to 4.3.4 by @​dependabot[bot] in #​3431
• build(deps): bump actions/upload-artifact from 4.3.3 to 4.3.4 by @​dependabot[bot] in #​3430
• build(deps): bump ossf/scorecard-action from 2.3.3 to 2.4.0 by @​dependabot[bot] in #​3428
• build(deps): bump step-security/harden-runner from 2.8.1 to 2.9.0 by @​dependabot[bot] in #​3429
• build(deps): bump superagent from 9.0.2 to 10.0.0 in /benchmarks by @​dependabot[bot] in #​3439
• build(deps): bump node from 17e6738 to 30c5be9 in /build by @​dependabot[bot] in #​3443
• docs: use default link of Web Streams API by @​trivikr in #​3446
• fix: increased memory in finalization first appearing in v6.16.0 by @​snyamathi in #​3445
• test: add test for memory leak by @​snyamathi in #​3450
• build: parametrize the location of wasm-opt by @​khardix in #​3454
• test: streamline test scripts in regard of without-intl and run more tests for without-intl case by @​Uzlopak in #​3453
• feat!: drop throwOnError by @​metcoder95 in #​3451
• types: allow non strict HTTPMethod by @​Uzlopak in #​3457
• build(deps-dev): bump borp from 0.15.0 to 0.17.0 by @​dependabot[bot] in #​3424
• remove core isErrored and isReadable by @​KhafraDev in #​3459
• use bodyUnusable to check if body is unusable by @​KhafraDev in #​3460
• perf: non-recursive implementation of euclidian gcd in balanced pool by @​Uzlopak in #​3461
• fix: do validation first before actual business logic, like super() by @​Uzlopak in #​3463
• use FinalizationRegistry for cloned response body by @​KhafraDev in #​3458
• perf: use isIPv6 for checking if hostname is isIPv6 by @​Uzlopak in #​3466
• fix: stripURLForReferrer jsdoc in fetch logic by @​Uzlopak in #​3471
• fix: remove kInterceptors in ProxyAgent by @​Uzlopak in #​3474
• fix: fix codesmells in retry-handler by @​Uzlopak in #​3475
• add autocompletable header types by @​KhafraDev in #​3462
• fix: add missing kOriginalDispatch Symbol in mock-logic by @​Uzlopak in #​3470
• fix: fix jsdoc in cookies/parse.js by @​Uzlopak in #​3469
• fix: remove unnecessary parameters in USVString calls by @​Uzlopak in #​3467
• fix: add jsdoc in tree.js, avoiding codesmells by @​Uzlopak in #​3476
• perf: set isLowerCase param on all calls of HeadersList.append by @​Uzlopak in #​3468
• fix: instantiation of ResponseError, pass headers and data correctly by @​Uzlopak in #​3472
• ci: add WPT updater by @​Uzlopak in #​3482
• meta: move nightly comment body to issue body by @​avivkeller in #​3484
• chore: improve jsdoc in cookies by @​Uzlopak in #​3478
• chore: improve jsdoc and minor changes in EventSource by @​Uzlopak in #​3480
• types: add Autocomplete utility type by @​Uzlopak in #​3479
• fix: instantiation of SecureProxyConnectionError should pass options to parent class by @​Uzlopak in #​3473
• chore: replace standard and snazzy with neostandard by @​Uzlopak in #​3485
• fix: workflow commit user by @​tsctx in #​3491
• build(deps): bump node from 30c5be9 to a20e858 in /build by @​dependabot[bot] in #​3496
• chore: add --noEmit for typescript tests by @​Uzlopak in #​3498
• perf: only create wasm buffer if requested by @​Uzlopak in #​3499
• fix(types): MockAgent accepts ProxyAgent, EnvHttpProxyAgent and RetryAgent for agent option by @​Uzlopak in #​3497
• stricter Headers brand checks in cookies by @​KhafraDev in #​3500
• Update WPT by @​github-actions[bot] in #​3488
• fix: setEncoding should not throw on body #​1125 by @​Uzlopak in #​3505
• websocket: set websocket readyState on fail by @​KhafraDev in #​3507
• build(deps-dev): bump jsdom from 24.1.3 to 25.0.0 by @​dependabot[bot] in #​3511
• build(deps): bump wait-on from 7.2.0 to 8.0.0 in /benchmarks by @​dependabot[bot] in #​3513
• Update WPT by @​github-actions[bot] in #​3515
• fix: reduce memory usage in client-h1 by @​Uzlopak in #​3510
• fix: refactor fast timers, fix UND_ERR_CONNECT_TIMEOUT on event loop blocking by @​Uzlopak in #​3495
• ci: make autobahn workflow reusable workflow, run the autobahn on nightly tests by @​Uzlopak in #​3503
• remove third party everything support in fetch by @​KhafraDev in #​3502
• remove double validation in webidl by @​KhafraDev in #​3516
• test: improve gc detection by @​Uzlopak in #​3504
• Update WPT by @​github-actions[bot] in #​3519
• populate defaultValues in webidl dict. converter when passing null or undefined by @​KhafraDev in #​3518
• change webidl.util.Type return to an enum value by @​KhafraDev in #​3520
• set default argument values to undefined instead of {} by @​KhafraDev in #​3521
• ci: fix nightly workflow by @​Uzlopak in #​3525
• Update WPT by @​github-actions[bot] in #​3527
• remove unused symbol by @​KhafraDev in #​3530
• fix formdata arg validation by @​KhafraDev in #​3529
• build(deps): bump github/codeql-action from 3.25.15 to 3.26.6 by @​dependabot[bot] in #​3534
• build(deps): bump hendrikmuhs/ccache-action from 1.2.13 to 1.2.14 by @​dependabot[bot] in #​3536
• build(deps): bump step-security/harden-runner from 2.9.0 to 2.9.1 by @​dependabot[bot] in #​3535
• build(deps): bump actions/upload-artifact from 4.3.4 to 4.4.0 by @​dependabot[bot] in #​3537
• Remove patched DOM types by @​eXhumer in #​3533
• chore: minor changes in client-h1, use subarray instead of slice by @​Uzlopak in #​3538
• fix: run asserts first if possible by @​Uzlopak in #​3541
• build(deps): bump node from a20e858 to a17f484 in /build by @​dependabot[bot] in #​3542
• chore: noop per file by @​Uzlopak in #​3544
• build(deps): bump node from a17f484 to ef7b4bb in /build by @​dependabot[bot] in #​3547
• chore: rename buildUrl to serializePathWithQuery + jsdoc by @​Uzlopak in #​3545
• fix: add jsdoc and do minor changes in utils.js by @​Uzlopak in #​3550
• Update WPT by @​github-actions[bot] in #​3556
• Update WPT by @​github-actions[bot] in #​3561
• feat: jsdoc and minor optimizations in client-h1.js by @​Uzlopak in #​3551
• fix: handle websocket closed correctly by @​KhafraDev in #​3565
• fix: extract noop everywhere by @​Uzlopak in #​3559
• chore: add jsdoc for lib/web/websocket/util.js, minor rewrite of utf8Decode by @​Uzlopak in #​3563
• jsdoc: lib/api/readable.js, fix some types by @​Uzlopak in #​3567
• fix: use fasttimers for all connection timeouts by @​Uzlopak in #​3552
• chore: use 'use strict' in cjs files by @​Uzlopak in #​3568
• chore: update typescript testing deps by @​Uzlopak in #​3571
• build(deps)!: bump concurrently from 8.2.2 to 9.0.0 in /benchmarks (node < 18 unsupported) by @​dependabot[bot] in #​3574
• build(deps): bump node from ef7b4bb to 3cb4748 in /build by @​dependabot[bot] in #​3573
• chore: improve jsdoc of lib/core/tree.js by @​Uzlopak in #​3572
• Update WPT by @​github-actions[bot] in #​3576
• jsdoc: improve typing of deepClone by @​Uzlopak in #​3575
• chore: improve jsdoc of lib/core/constants.js by @​Uzlopak in #​3570
• chore: upgrade fixed queue, lint accordingly, add jsdoc by @​Uzlopak in #​3577
• Update WPT by @​github-actions[bot] in #​3581
• ci: less flaky test/request-timeout.js test by @​Uzlopak in #​3580
• chore: remove pluralizer by @​Uzlopak in #​3586
• util: rename validateHandler to assertRequestHandler, minor changes in util.js by @​Uzlopak in #​3583
• mock: remove Error.captureStackTrace in MockNotMatchedError by @​Uzlopak in #​3587
• fix: DRY up lib/core/diagnostics.js by @​Uzlopak in #​3585
• fix: husky deprecation warning by @​eXhumer in #​3593
• Update WPT by @​github-actions[bot] in #​3598
• chore: remove unused pre-commit dependency by @​eXhumer in #​3599
• diagnostics-channel: use not deprecated subscribe fn by @​Uzlopak in #​3600
• Update WPT by @​github-actions[bot] in #​3607
• fetch: make fullyReadBody sync by @​Uzlopak in #​3603
• jsdoc: add jsdoc to lib/web/fetch/constants.js by @​Uzlopak in #​3597
• fetch: pullAlgorithm passes the async resume function through by @​Uzlopak in #​3604
• fix: typo in Client.md by @​SkeLLLa in #​3612
• Update WPT by @​github-actions[bot] in #​3615
• Update WPT by @​github-actions[bot] in #​3622
• fetch: avoid async function in mainFetch to generate response by @​Uzlopak in #​3605
• Update WPT by @​github-actions[bot] in #​3626
• append crlf to formdata body by @​KhafraDev in #​3625
• fix: fire close on failed WebSocket connection by @​eXhumer in #​3566
• fix: fire close on failed WebSocket connection by @​KhafraDev in #​3628
• handle body errors by @​KhafraDev in #​3632
• make cloned request inherit dispatcher by @​KhafraDev in #​3631
• Remove symbols from web specs by @​KhafraDev in #​3633
• cleanup web symbol removal by @​KhafraDev in #​3638
• build(deps): bump mitata from 0.1.14 to 1.0.4 in /benchmarks by @​dependabot[bot] in #​3641
• feat: implement WebSocketStream by @​KhafraDev in #​3560
• export WebSocketStream, add docs and types by @​KhafraDev in #​3645
• build(deps): bump node from 3cb4748 to 83b4d7b in /build by @​dependabot[bot] in #​3621
• feat: add DNS interceptor by @​metcoder95 in #​3490
• prefer fail over close the websocket connection in error cases by @​KhafraDev in #​3651
• fix: various typos by @​NathanBaulch in #​3640
• Update WPT by @​github-actions[bot] in #​3634
• test: increase bitness in test/fixtures/*.pem by @​LiviaMedeiros in #​3659
• mock: fix mocking of Uint8Array and ArrayBuffers as provided mock-responses by @​Uzlopak in #​3662
• test: less flaky timers acceptance test, rework fast timer tests to pass them faster by @​Uzlopak in #​3656
• build(deps): bump github/codeql-action from 3.26.6 to 3.26.10 by @​dependabot[bot] in #​3664
• build(deps): bump peter-evans/create-pull-request from 6.1.0 to 7.0.5 by @​dependabot[bot] in #​3665
• build(deps): bump fastify/github-action-merge-dependabot from 3.10.1 to 3.10.2 by @​dependabot[bot] in #​3667
• build(deps): bump codecov/codecov-action from 4.5.0 to 4.6.0 by @​dependabot[bot] in #​3668
• ws: move implementation agnostic onFail logic to shared function by @​KhafraDev in #​3663
• build(deps): bump step-security/harden-runner from 2.9.1 to 2.10.1 by @​dependabot[bot] in #​3666
• Update WPT by @​github-actions[bot] in #​3669
• fix: add option ignoreTrailingSlash to MockAgent and .intercept() by @​Uzlopak in #​3655
• fix: ignore leading and trailing crlfs in formdata body by @​KhafraDev in #​3677
• test: add test to ensure full type when parsing multipart/form-data' by @​Uzlopak in #​3683
• test: use globalThis.Headers and skip if is missing by @​Uzlopak in #​3684
• jsdoc: adds some jsdoc to fetch headers implementation, minor changes by @​Uzlopak in #​3687
• feat: check maxHeadersSize on client instantiation and not on Parser instantion by @​Uzlopak in #​3654
• test: remove test for issue 1670 by @​Uzlopak in #​3690
• replace instanceof in brand checks with isPrototypeOf by @​KhafraDev in #​3692
• test: make fetch test independent from internet connection by @​Uzlopak in #​3691
• build(deps-dev): bump esbuild from 0.19.12 to 0.24.0 by @​dependabot[bot] in #​3698
• fix: restructure determineRequestsReferrer to match better spec by @​Uzlopak in #​3699
• set ws readyState if closed before connection could be established by @​KhafraDev in #​3701
• types: fix return type of WebidlUtil.Type by @​Uzlopak in #​3685
• fetch: refactor referrer policy util functions by @​Uzlopak in #​3706
• fix: PoolBase kClose and kDestroy should await and not return the Promise by @​Uzlopak in #​3716
• fix: data-url set extractValue of collectAnHTTPQuotedString by default to false by @​Uzlopak in #​3717
• faster brand check by @​tsctx in #​3720
• web: mark as uncloneable when possible by @​jazelly in #​3709
• chore(H2): onboard H2 into Undici queueing system by @​metcoder95 in #​3707
• http: extract listeners from client-h1 by @​Uzlopak in #​3725
• http2: extract listenHandlers and one bugfix by @​Uzlopak in #​3722
• feat: http caching by @​flakey5 in #​3562
• build(deps-dev): bump borp from 0.17.0 to 0.18.0 by @​dependabot[bot] in #​3734
• docs: fix broken link in readme by @​pastelsky in #​3591
• chore: add jsdoc to lib/web/websocket/constants.js by @​Uzlopak in #​3564
• chore: remove redundant async in readable.js by @​Uzlopak in #​3643
• fix(types): add missing cache prop to RequestInit by @​rindeal in #​3569
• [http-cache] follow up by @​Uzlopak in #​3733
• fix(#​3736): leaked error event on response body by @​metcoder95 in #​3740
• fix: unsafe methods not causing cache purge by @​flakey5 in #​3739
• build(deps): bump node from 83b4d7b to f1b4315 in /build by @​dependabot[bot] in #​3756
• fix filename* parsing by @​KhafraDev in #​3768
• fix http2 test by @​KhafraDev in #​3769
• add unsafe-url referrerPolicy test by @​KhafraDev in #​3772
• chore(docs): add request() example for conditionally reading the body by @​styfle in #​3743
• fix: dns interceptor ip ttl by @​luddd3 in #​3770
• add node v23 workflow by @​tsctx in #​3780
• fix: dns interceptor affinity by @​luddd3 in #​3778
• fix aborting Streams by @​epistemancering in #​3754
• add tests from cookie package by @​KhafraDev in #​3789
• disable failing test by @​ronag in #​3782
• fix: http2 queueing by @​metcoder95 in #​3761
• test(interceptors): fix dns testing on windows by @​metcoder95 in #​3793
• feat: use resolved ports in dns interceptor by @​luddd3 in #​3786
• fix: cache by @​ronag in #​3804
• fix: assume blocking unless HEAD by @​ronag in #​3771
• chore: use common WASM builder by @​mhdawson in #​3791
• refactor: silence neostandard import rules error by @​jerome-benoit in #​3776
• build(deps): bump actions/dependency-review-action from 4.3.4 to 4.4.0 by @​dependabot[bot] in #​3797
• build(deps): bump github/codeql-action from 3.26.10 to 3.27.0 by @​dependabot[bot] in #​3796
• build(deps): bump fastify/github-action-merge-dependabot from 3.10.2 to 3.11.0 by @​dependabot[bot] in #​3795
• docs: add example using proxy with fetch by @​dancastillo in #​3800
• fix: handle Headers in RedirectHandler by @​iiAku in #​3777
• Skip debuglog tests by @​mcollina in #​3810
• build(deps): bump actions/upload-artifact from 4.4.0 to 4.4.3 by @​dependabot[bot] in #​3794
• h2: do not emit data after goaway by @​mcollina in #​3811
• fix redirect interceptor with FormData body by @​KhafraDev in #​3815
• docs: fix broken links in undici webpage by @​dancastillo in #​3807
• fix: handle undici Headers and Maps in redirect-handler by @​iiAku in #​3819
• fix: handle undefined deref() of WeakRef(socket) by @​hochoy in #​3751
• build(deps-dev): bump @​sinonjs/fake-timers from 11.3.1 to 12.0.0 by @​dependabot[bot] in #​3823
• fix: range end is zero-indexed by @​DTrombett in #​3826
• lib: more cache fixes by @​flakey5 in #​3816
• fix: cache fixes by @​ronag in #​3830
• Headers webidl errors by @​KhafraDev in #​3833
• Fix goaway by @​mcollina in #​3835
• refactor: maxEntriesCount by @​ronag in #​3832
• Update WPT by @​github-actions[bot] in #​3693
• docs: fix broken links by using absolute path by @​dancastillo in #​3820
• fix: memory store by @​ronag in #​3834
• Update Dispatch.md to Dispatcher.md by @​bcomnes in #​3839
• lib: add nowAbsolute to fast timers by @​flakey5 in #​3749
• feat: cache etag support by @​flakey5 in #​3758
• feat: support request cache control directives by @​flakey5 in #​3658
• Bench updates prior to release by @​mcollina in #​3845
• fix(#​3817): send servername for SNI on TLS by @​metcoder95 in #​3821
• Revert nowAbsolute, add regression test by @​mcollina in #​3850
• fix: missing error handler by @​ronag in #​3859
• fix: 301 and 302 change method to GET by @​DTrombett in #​3862
• feat: sqlite cache store by @​flakey5 in #​3657
• fix: sending formdata bodies with http2 by @​KhafraDev in #​3863
• Update return type of RetryCallback by @​mqayyuum in #​3851
• fix: cleanup sqlite store by @​ronag in #​3868
• refactor: sqlite versioning by @​ronag in #​3870
• fix: pass down context in onConnect by @​DTrombett in #​3858
• fix: cache fixes by @​ronag in #​3871
• fix: we can redirect disturbed request body if it's not going to be used by @​ronag in #​3873
• perf: only prune if

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

Branch automerge failure

This PR was configured for branch automerge. However, this is not possible, so it has been raised as a PR instead.

---

• Branch has one or more failed status checks