Debian Package Tracker

node-undici

Node.js HTTP/1.1 client


general
  • source: node-undici (main)
  • version: 7.3.0+dfsg1+~cs24.12.11-2
  • maintainer: Debian Javascript Maintainers (archive) (DMD)
  • uploaders: Yadd [DMD]
  • arch: all any
  • std-ver: 4.7.0
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • stable: 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4
  • stable-sec: 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3
  • testing: 7.3.0+dfsg1+~cs24.12.11-1
  • unstable: 7.3.0+dfsg1+~cs24.12.11-2
versioned links
  • 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 7.3.0+dfsg1+~cs24.12.11-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 7.3.0+dfsg1+~cs24.12.11-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libllhttp-dev (1 bugs: 0, 1, 0, 0)
  • libllhttp9.2
  • node-llhttp
  • node-undici
action needed
Debci reports failed tests high
  • unstable: pass (log)
    The tests ran in 0:02:52
    Last run: 2025-06-11T13:43:57.000Z
    Previous status: unknown

  • testing: pass (log)
    The tests ran in 0:03:05
    Last run: 2025-05-17T18:20:37.000Z
    Previous status: unknown

  • stable: fail (log)
    The tests ran in 0:02:42
    Last run: 2025-03-24T21:47:06.000Z
    Previous status: unknown

Created: 2024-07-29 Last update: 2025-06-14 17:03
A new upstream version is available: 7.10.0+~cs24.15.9 high
A new upstream version 7.10.0+~cs24.15.9 is available, you should consider packaging it.
Created: 2025-03-03 Last update: 2025-06-14 15:00
2 security issues in trixie high

There are 2 open security issues in trixie.

2 important issues:
  • CVE-2025-23167: A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
  • CVE-2025-47279: Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaround, avoid calling a webhook repeatedly if the webhook fails.
Created: 2025-05-16 Last update: 2025-05-19 11:34
2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:
  • CVE-2025-23167: A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
  • CVE-2025-47279: Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaround, avoid calling a webhook repeatedly if the webhook fails.
Created: 2025-05-16 Last update: 2025-05-19 11:34
Multiarch hinter reports 1 issue(s) normal
There are issues with the multiarch metadata for this package.
  • libllhttp9.2 could be marked Multi-Arch: same
Created: 2024-01-21 Last update: 2025-06-14 17:01
The package has not entered testing even though the delay is over normal
The package has not entered testing even though the 20-day delay is over. Check why.
Created: 2025-06-03 Last update: 2025-06-14 16:02
2 bugs tagged patch in the BTS normal
The BTS contains patches fixing 2 bugs, consider including or untagging them.
Created: 2025-01-06 Last update: 2025-06-14 16:01
version in VCS is newer than in repository, is it time to upload? normal
vcswatch reports that this package seems to have a new changelog entry (version 7.3.0+dfsg2+~cs3.1.1-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit e5179bab852b9166d9a88b356316c684c8fc0001
Merge: 7366381 9c6010d
Author: Yadd <yadd@debian.org>
Date:   Tue May 13 22:48:16 2025 +0200

    Merge branch 'trixie'

commit 7366381f7c2921492c5b9f635376399dc9a5fdc4
Author: Yadd <yadd@debian.org>
Date:   Mon Apr 14 10:21:51 2025 +0200

    Declare compliance with policy 4.7.2

commit ed5694e83f5aad3b2d98917fd09e167a75f04d91
Author: Jérémy Lal <kapouer@melix.org>
Date:   Tue Feb 18 21:59:05 2025 +0100

    Update changelog

commit faebfb7439c0675baccf78852cb3dc4d1d02dacf
Author: Jérémy Lal <kapouer@melix.org>
Date:   Tue Feb 18 21:40:07 2025 +0100

    Those are dealt with by dh-nodejs

commit 654672eb1b4f5669d18e5df245c3b946f32a841b
Author: Jérémy Lal <kapouer@melix.org>
Date:   Tue Feb 18 21:39:47 2025 +0100

    Ensure new llhttp version is used

commit 7d67b0d916388bc6a13dde3bcb32e847e63889ad
Author: Jérémy Lal <kapouer@melix.org>
Date:   Tue Feb 18 18:22:02 2025 +0100

    Tighten node-llhttp dep

commit ac1c72a943a32d5ea592447ffec76f58de190970
Author: Jérémy Lal <kapouer@melix.org>
Date:   Tue Feb 18 18:17:25 2025 +0100

    Fix wasm-chunk

commit c8c685d8044020db2ba05ee3f9be9351b128adaa
Author: Jérémy Lal <kapouer@melix.org>
Date:   Tue Feb 18 17:36:16 2025 +0100

    Build from llhttp

commit d99cf20c6b20f150ffa8666ab8b09c2616f7c1b3
Author: Jérémy Lal <kapouer@melix.org>
Date:   Tue Feb 18 17:28:00 2025 +0100

    Build wasm chunks from node-llhttp

commit 1e4d22b9ff23a8257f668a0d80641a902e33c9b4
Author: Jérémy Lal <kapouer@melix.org>
Date:   Tue Feb 18 17:11:42 2025 +0100

    llhttp cleaning

commit 51062036a3436cf5af4e36fc955a436527d2fed3
Author: Jérémy Lal <kapouer@melix.org>
Date:   Tue Feb 18 17:11:28 2025 +0100

    No longer multi-arch: foreign ?

commit 0baafd32df3214c3f2cc1d6a851dda4f36e8af28
Author: Jérémy Lal <kapouer@melix.org>
Date:   Tue Feb 18 17:07:59 2025 +0100

    Move to single nodejs package

commit 4a812ecc72d7175a300ab8e05ff28e308660e0db
Author: Jérémy Lal <kapouer@melix.org>
Date:   Tue Feb 18 17:03:17 2025 +0100

    Update changelog

commit ed4958fb5a9f98baf80007c08e6d6340832d8f07
Author: Jérémy Lal <kapouer@melix.org>
Date:   Tue Feb 18 17:02:06 2025 +0100

    Drop all patches

commit 7b48869de350002e5ab02fa1c8a51a6dabfc388d
Author: Jérémy Lal <kapouer@melix.org>
Date:   Tue Feb 18 17:00:54 2025 +0100

    New upstream version 7.3.0+dfsg2+~cs3.1.1

commit c2d2c7468955e3c6c492f7a05dbb27c9364ca916
Author: Jérémy Lal <kapouer@melix.org>
Date:   Tue Feb 18 16:57:11 2025 +0100

    B-D node-llhttp
    
    Further exclude built files
Created: 2025-02-18 Last update: 2025-06-10 20:00
6 low-priority security issues in bookworm low

There are 6 open security issues in bookworm.

6 issues left for the package maintainer to handle:
  • CVE-2024-24758: (needs triaging) Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Proxy-Authentication` headers. This issue has been patched in versions 5.28.3 and 6.6.1. Users are advised to upgrade. There are no known workarounds for this vulnerability.
  • CVE-2024-30260: (needs triaging) Undici is an HTTP/1.1 client, written from scratch for Node.js. Undici cleared Authorization and Proxy-Authorization headers for `fetch()`, but did not clear them for `undici.request()`. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
  • CVE-2024-30261: (needs triaging) Undici is an HTTP/1.1 client, written from scratch for Node.js. An attacker can alter the `integrity` option passed to `fetch()`, allowing `fetch()` to accept requests as valid even if they have been tampered with. This vulnerability was patched in version(s) 5.28.4 and 6.11.1.
  • CVE-2025-22150: (needs triaging) Undici is an HTTP/1.1 client. Starting in version 4.5.0 and prior to versions 5.28.5, 6.21.1, and 7.2.3, undici uses `Math.random()` to choose the boundary for a multipart/form-data request. It is known that the output of `Math.random()` can be predicted if several of its generated values are known. If there is a mechanism in an app that sends multipart requests to an attacker-controlled website, they can use this to leak the necessary values. Therefore, an attacker can tamper with the requests going to the backend APIs if certain conditions are met. This is fixed in versions 5.28.5, 6.21.1, and 7.2.3. As a workaround, do not issue multipart requests to attacker controlled servers.
  • CVE-2025-23167: (needs triaging) A flaw in Node.js 20's HTTP parser allows improper termination of HTTP/1 headers using `\r\n\rX` instead of the required `\r\n\r\n`. This inconsistency enables request smuggling, allowing attackers to bypass proxy-based access controls and submit unauthorized requests. The issue was resolved by upgrading `llhttp` to version 9, which enforces correct header termination. Impact: This vulnerability affects only Node.js 20.x users prior to the `llhttp` v9 upgrade.
  • CVE-2025-47279: (needs triaging) Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. This has been patched in versions 5.29.0, 6.21.2, and 7.5.0. As a workaround, avoid calling a webhook repeatedly if the webhook fails.

You can find information about how to handle these issues in the security team's documentation.

Created: 2024-02-19 Last update: 2025-05-19 11:34
debian/patches: 2 patches to forward upstream low

Among the 7 debian patches available in version 7.3.0+dfsg1+~cs24.12.11-2 of the package, we noticed the following issues:

  • 2 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.
Created: 2023-02-26 Last update: 2025-05-14 06:30
Standards version of the package is outdated. wishlist
The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).
Created: 2025-02-21 Last update: 2025-05-14 05:01
testing migrations
  • excuses:
    • Migration status for node-undici (7.3.0+dfsg1+~cs24.12.11-1 to 7.3.0+dfsg1+~cs24.12.11-2): BLOCKED: Needs an approval (either due to a freeze, the source suite or a manual hint)
    • Issues preventing migration:
      • blocked by freeze: is a key package (Follow the freeze policy when applying for an unblock)
    • Additional info:
      • Piuparts tested OK - https://piuparts.debian.org/sid/source/n/node-undici.html
      • autopkgtest for node-undici/7.3.0+dfsg1+~cs24.12.11-2: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Pass, riscv64: Pass, s390x: Pass
      • Reproducible on amd64
      • Reproducible on arm64
      • Waiting for reproducibility test results on armhf
      • 31 days old (needed 20 days)
    • Not considered
news
[rss feed]
  • [2025-05-13] Accepted node-undici 7.3.0+dfsg1+~cs24.12.11-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2025-02-02] node-undici 7.3.0+dfsg1+~cs24.12.11-1 MIGRATED to testing (Debian testing watch)
  • [2025-01-26] Accepted node-undici 7.3.0+dfsg1+~cs24.12.11-1 (source) into unstable (Jérémy Lal)
  • [2025-01-25] Accepted node-undici 7.2.3+dfsg1+~cs24.12.11-2 (source) into experimental (Jérémy Lal)
  • [2025-01-22] Accepted node-undici 7.2.3+dfsg1+~cs24.12.11-1 (source amd64 all) into experimental (Debian FTP Masters) (signed by: Jérémy Lal)
  • [2024-12-10] Accepted node-undici 7.1.0+dfsg1+~cs24.12.10-1 (source) into experimental (Jérémy Lal)
  • [2024-06-16] Accepted node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u4 (source) into proposed-updates (Debian FTP Masters) (signed by: Jérémy Lal)
  • [2024-04-15] node-undici 5.28.4+dfsg1+~cs23.12.11-2 MIGRATED to testing (Debian testing watch)
  • [2024-04-12] Accepted node-undici 5.28.4+dfsg1+~cs23.12.11-2 (source) into unstable (Jérémy Lal)
  • [2024-04-05] Accepted node-undici 5.28.4+dfsg1+~cs23.12.11-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2024-01-24] node-undici 5.28.2+dfsg1+~cs23.11.12.3-6 MIGRATED to testing (Debian testing watch)
  • [2024-01-22] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-6 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2024-01-21] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-5 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2024-01-20] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-4 (source amd64 all) into unstable (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2024-01-20] Accepted node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3 (source all) into proposed-updates (Debian FTP Masters) (signed by: Jérémy Lal)
  • [2023-12-27] Accepted node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u3 (source all) into stable-security (Debian FTP Masters) (signed by: Jérémy Lal)
  • [2023-12-05] node-undici 5.28.2+dfsg1+~cs23.11.12.3-3 MIGRATED to testing (Debian testing watch)
  • [2023-12-03] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2023-12-02] Accepted node-undici 5.15.0+dfsg1+~cs20.10.9.3-1+deb12u2 (source) into proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2023-12-02] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-2 (source all) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2023-12-02] Accepted node-undici 5.28.2+dfsg1+~cs23.11.12.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2023-11-29] node-undici 5.28.0+dfsg1+~cs23.11.12.3-2 MIGRATED to testing (Debian testing watch)
  • [2023-11-27] Accepted node-undici 5.28.0+dfsg1+~cs23.11.12.3-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2023-11-26] Accepted node-undici 5.28.0+dfsg1+~cs23.11.12.3-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2023-11-23] Accepted node-undici 5.26.3+dfsg1+~cs23.10.12-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2023-10-16] node-undici 5.26.3+dfsg1+~cs23.10.12-2 MIGRATED to testing (Debian testing watch)
  • [2023-10-14] Accepted node-undici 5.26.3+dfsg1+~cs23.10.12-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2023-10-13] Accepted node-undici 5.26.3+dfsg1+~cs23.10.12-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2023-07-11] node-undici 5.22.1+dfsg1+~cs20.10.10.2-1 MIGRATED to testing (Debian testing watch)
  • [2023-07-09] Accepted node-undici 5.22.1+dfsg1+~cs20.10.10.2-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
bugs [bug history graph]
  • all: 6 7
  • RC: 1
  • I&N: 5 6
  • M&W: 0
  • F&P: 0
  • patch: 2
links
  • homepage
  • lintian
  • buildd: logs, reproducibility, cross
  • popcon
  • browse source code
  • edit tags
  • other distros
  • security tracker
  • screenshots
  • debian patches
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 7.3.0+dfsg1+~cs24.12.11-2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers