deps: update nghttp2 to 1.69.0 #62891
This replaces #62867, implementing the same changes but kicked off via the automated dep update as a separate commit. See #62381 for context; this fixes #60661. Bringing the description from the previous PR for reference:

This is a dep update with fixes due to changes in nghttp2 v1.67.0+ which now treats some stream-level errors as session errors, and internally sends GOAWAY frames to kill the connection (without calling the

Some of these changes will result in user-visible differences to how protocol errors are exposed in Node, moving some error events from the stream to the session, and exposing some errors where previously they were swallowed. After the changes in 1.69.0 (as opposed to 1.67 & 1.68) this only applies to low-level protocol failures like broken flow control or compression failures, not to HTTP validation errors more generally.

This is unfortunate, and in that context it's debatable whether this is a breaking change (new errors from the same traffic) or just a bugfix (we shouldn't silently swallow serious protocol errors), but we can't realistically avoid this if we want to keep nghttp2 up to date, and in some unbundled scenarios the latest nghttp2 will be used regardless. For anything non-trivial this shouldn't cause problems since session errors need to be handled by all applications to deal with existing common production issues like connection resets anyway. The changed behaviour only applies to connections that hit serious protocol errors, and doesn't change anything in normal expected flows.

See the test changes for some examples of how this changes behaviour in practice - the vast majority of h2 tests are unchanged, it's just a couple of specific invalid traffic cases that change. I've also added a new test as well to confirm specifically that we cover the new internally triggered GOAWAYs correctly, and tightened up some checks on the existing tests to confirm everything is working correctly there.
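The description above says every application already has to handle session-level errors, and that nghttp2 1.67+ now reports low-level protocol failures (broken flow control, HPACK failures) at that level by sending GOAWAY for the whole connection. The following is an added example, not code from this PR or from Node's test suite, showing where those errors surface in Node's built-in http2 API; the only simulated part is the server calling session.goaway() to stand in for the GOAWAY that nghttp2 would generate internally.

```javascript
// Added example, not code from the PR: handling the failures that nghttp2 >= 1.67
// reports for the whole connection (broken flow control, HPACK failures) via GOAWAY
// rather than a per-stream RST_STREAM. Uses only Node's built-in http2 API; the
// server simulates nghttp2's internally generated GOAWAY with session.goaway().
async function demo() {
  const http2 = await import('node:http2'); // dynamic import works from CJS and ESM
  const { NGHTTP2_FLOW_CONTROL_ERROR } = http2.constants;
  const observed = { goaway: null, sessionErrors: [], streamErrors: [] };
  const ignore = () => {};
  let serverSession;

  const server = http2.createServer();
  server.on('session', (session) => {
    serverSession = session;
    session.on('error', ignore);              // never leave a session 'error' unhandled
  });
  server.on('stream', (stream) => {
    stream.on('error', ignore);               // this stream is refused once GOAWAY is sent
    // Stand-in for nghttp2 detecting e.g. a flow-control violation: the whole
    // connection is torn down, not just the offending stream.
    stream.session.goaway(NGHTTP2_FLOW_CONTROL_ERROR);
  });
  await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve));

  const client = http2.connect(`http://127.0.0.1:${server.address().port}`);
  const closed = new Promise((resolve) => client.on('close', resolve));
  // Session-level handlers: this is where low-level protocol errors now surface.
  client.on('goaway', (code, lastStreamID) => {
    observed.goaway = { code, lastStreamID };
  });
  client.on('error', (err) => observed.sessionErrors.push(err.code));

  const req = client.request({ ':path': '/' });
  req.on('error', (err) => observed.streamErrors.push(err.code)); // still needed per stream
  req.end();

  await closed;                              // client session is destroyed after the GOAWAY
  serverSession?.destroy();
  await new Promise((resolve) => server.close(resolve));
  return observed;
}

demo().then((o) => console.log(o));
```

The client sees the failure as a 'goaway' event followed by an ERR_HTTP2_SESSION_ERROR on the session, which is the path a defender's error handling and logging has to cover once this update lands.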
Codecov Report: Patch coverage is

@@ Coverage Diff @@
## main #62891 +/- ##
==========================================
+ Coverage 89.64% 89.66% +0.01%
==========================================
Files 706 707 +1
Lines 219394 219522 +128
Branches 42066 42087 +21
==========================================
+ Hits 196674 196827 +153
+ Misses 14629 14594 -35
- Partials 8091 8101 +10
This is a set of src & tests fixes for nghttp2 due to changes in v1.67.0+ which require a selection of changes to how we handle low-level protocol errors when using the latest versions of nghttp2, changing both some src error handling and updating some tests to match.

Signed-off-by: Tim Perry <pimterry@gmail.com>
The bot was triggered automatically by its schedule, and it's force-pushed a commit here and removed my fix. Now updated - the same fix as before (314cc5b) on top of the new bot commit.
@pimterry FYI it's perfectly fine to simply undo the bot's force push (via another force push), as it's sometimes not possible to get reviews and passing CI in a week.
Landed in 61db260...4a32c00
This is a set of src & tests fixes for nghttp2 due to changes in v1.67.0+ which require a selection of changes to how we handle low-level protocol errors when using the latest versions of nghttp2, changing both some src error handling and updating some tests to match.

Signed-off-by: Tim Perry <pimterry@gmail.com>
PR-URL: #62891
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
This is a set of src & tests fixes for nghttp2 due to changes in v1.67.0+ which require a selection of changes to how we handle low-level protocol errors when using the latest versions of nghttp2, changing both some src error handling and updating some tests to match.

Signed-off-by: Tim Perry <pimterry@gmail.com>
PR-URL: #62891
Backport-PR-URL: #63195
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
This is a set of src & tests fixes for nghttp2 due to changes in v1.67.0+ which require a selection of changes to how we handle low-level protocol errors when using the latest versions of nghttp2, changing both some src error handling and updating some tests to match.

Signed-off-by: Tim Perry <pimterry@gmail.com>
PR-URL: #62891
Backport-PR-URL: #63164
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
This is a set of src & tests fixes for nghttp2 due to changes in v1.67.0+ which require a selection of changes to how we handle low-level protocol errors when using the latest versions of nghttp2, changing both some src error handling and updating some tests to match.

Signed-off-by: Tim Perry <pimterry@gmail.com>
PR-URL: nodejs#62891
Backport-PR-URL: nodejs#63164
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Refs: https://hackerone.com/reports/3658225
CVE-ID: CVE-2026-48937
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [node](https://nodejs.org) ([source](https://github.com/nodejs/node)) | minor | `24.16.0` → `24.17.0` |

---

### Release Notes

<details>
<summary>nodejs/node (node)</summary>

### [`v24.17.0`](https://github.com/nodejs/node/releases/tag/v24.17.0): 2026-06-18, Version 24.17.0 'Krypton' (LTS), @aduh95

[Compare Source](nodejs/node@v24.16.0...v24.17.0)

This is a security release.

##### Notable Changes

- (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) - High
- (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) - High
- (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) - Medium
- (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) - Medium
- (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) - Medium
- (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) - Medium
- (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) - Medium
- (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 - Medium
- (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) - Low
- (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) - Low
- (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) - Low

##### Commits

- \[[`9e4dfc7bba`](nodejs/node@9e4dfc7bba)] - **(CVE-2026-48933)** **crypto**: guard WebCrypto cipher output length (Filip Skokan) [nodejs-private/node-private#878](https://github.com/nodejs-private/node-private/pull/878)
- \[[`cb2aed980c`](nodejs/node@cb2aed980c)] - **deps**: update llhttp to 9.4.2 (Antoine du Hamel) [nodejs-private/node-private#890](https://github.com/nodejs-private/node-private/pull/890)
- \[[`a8a0d12875`](nodejs/node@a8a0d12875)] - **(CVE-2026-48937)** **deps**: fix integration issues with the latest nghttp2 (Tim Perry) [#62891](nodejs/node#62891)
- \[[`66e6203c1c`](nodejs/node@66e6203c1c)] - **(SEMVER-MAJOR)** **deps**: update nghttp2 to 1.69.0 (Node.js GitHub Bot) [#62891](nodejs/node#62891)
- \[[`dd627ced27`](nodejs/node@dd627ced27)] - **deps**: update archs files for openssl-3.5.7 (Node.js GitHub Bot) [#63820](nodejs/node#63820)
- \[[`684bae568f`](nodejs/node@684bae568f)] - **deps**: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) [#63820](nodejs/node#63820)
- \[[`3a631e7f83`](nodejs/node@3a631e7f83)] - **deps**: fix aix implicit declaration in OpenSSL (Abdirahim Musse) [#62656](nodejs/node#62656)
- \[[`cf44df3996`](nodejs/node@cf44df3996)] - **deps**: update undici to 7.28.0 (Node.js GitHub Bot) [#63703](nodejs/node#63703)
- \[[`138c70294b`](nodejs/node@138c70294b)] - **(CVE-2026-48930)** **dns,net**: reject hostnames with embedded NUL bytes (Matteo Collina) [nodejs-private/node-private#868](https://github.com/nodejs-private/node-private/pull/868)
- \[[`be7e719c3f`](nodejs/node@be7e719c3f)] - **(CVE-2026-48931)** **http**: fix response queue poisoning in http.Agent (Matteo Collina) [nodejs-private/node-private#846](https://github.com/nodejs-private/node-private/pull/846)
- \[[`cc7c11b4d1`](nodejs/node@cc7c11b4d1)] - **(CVE-2026-48619)** **http2**: cap originSet size to prevent unbounded memory growth (Matteo Collina) [nodejs-private/node-private#855](https://github.com/nodejs-private/node-private/pull/855)
- \[[`9224427b92`](nodejs/node@9224427b92)] - **(CVE-2026-48615)** **lib,test**: redact proxy credentials in tunnel errors (Matteo Collina) [nodejs-private/node-private#867](https://github.com/nodejs-private/node-private/pull/867)
- \[[`cf85d54839`](nodejs/node@cf85d54839)] - **(CVE-2026-48935)** **permission**: disable FileHandle utimes with permission model (RafaelGSS) [nodejs-private/node-private#873](https://github.com/nodejs-private/node-private/pull/873)
- \[[`a1bbc24f96`](nodejs/node@a1bbc24f96)] - **(CVE-2026-48617)** **permission**: handle process.chdir on writereport (RafaelGSS) [nodejs-private/node-private#870](https://github.com/nodejs-private/node-private/pull/870)
- \[[`e3723ff2d6`](nodejs/node@e3723ff2d6)] - **test**: add session reuse host verification regressions (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854)
- \[[`a77af4867b`](nodejs/node@a77af4867b)] - **(CVE-2026-48934)** **tls**: bind reusable sessions to authenticated host (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854)
- \[[`31beb4f707`](nodejs/node@31beb4f707)] - **(CVE-2026-48928)** **tls**: fix case-sensitive SNI context matching (Matteo Collina) [nodejs-private/node-private#857](https://github.com/nodejs-private/node-private/pull/857)
- \[[`8e75c73f91`](nodejs/node@8e75c73f91)] - **(CVE-2026-48618)** **tls**: normalize hostname for server identity checks (Matteo Collina) [nodejs-private/node-private#869](https://github.com/nodejs-private/node-private/pull/869)

</details>

---

### Configuration

**Schedule**: (UTC)
- Branch creation - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
- Automerge - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)

**Automerge**: Disabled by config. Please merge this manually once you are satisfied.

**Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

**Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate).
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/13144
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
This is an automated update of nghttp2 to 1.69.0.