Comparing changes

base repository: nodejs/undici
base: v6.22.0
...
head repository: nodejs/undici
compare: v6.23.0
  • 3 commits
  • 5 files changed
  • 1 contributor

Commits on Jan 5, 2026

  1. fix: limit Content-Encoding chain to 5 to prevent resource exhaustion

    A malicious server could send responses with thousands of Content-Encoding
    layers, causing high CPU usage and memory allocation when decompressing.
    
    This fix limits the number of content-encodings to 5, matching the approach
    used by urllib3 (GHSA-gm62-xv2j-4w53) and curl (CVE-2022-32206).
    
    Fixes CWE-770: Allocation of Resources Without Limits or Throttling
    
    Signed-off-by: Matteo Collina <[email protected]>
    mcollina committed Jan 5, 2026
    d3aafea
  2. chore: release flow using provenance

    Signed-off-by: Matteo Collina <[email protected]>
    mcollina committed Jan 5, 2026
    3477c94
  3. Bumped v6.23.0

    Signed-off-by: Matteo Collina <[email protected]>
    mcollina committed Jan 5, 2026
    fbc31e2
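
The limit described in the first commit message, as an added JavaScript example that is not undici's own code: the `Content-Encoding` chain is counted and rejected before any decompressor is created. The names `parseContentEncoding`, `decodeBody`, `buildLayered` and the decoder table are hypothetical, and the layered bodies are constructed samples.

```javascript
// Added example, not undici's implementation. All names are hypothetical.
const zlib = require('node:zlib')

// Limit stated in the commit message.
const MAX_CONTENT_ENCODINGS = 5

// Codings this sketch understands (an assumption), with synchronous decoders.
const DECODERS = {
  identity: (buf) => buf,
  gzip: zlib.gunzipSync,
  'x-gzip': zlib.gunzipSync,
  deflate: zlib.inflateSync,
  br: zlib.brotliDecompressSync
}

// Parse a Content-Encoding value into its ordered codings and reject an
// over-long chain before any decompressor is created.
function parseContentEncoding (headerValue, max = MAX_CONTENT_ENCODINGS) {
  const codings = String(headerValue ?? '')
    .split(',')
    .map((c) => c.trim().toLowerCase())
    .filter((c) => c !== '')
  if (codings.length > max) {
    throw new RangeError(`Content-Encoding chain of ${codings.length} exceeds limit of ${max}`)
  }
  for (const c of codings) {
    if (!Object.hasOwn(DECODERS, c)) throw new TypeError(`unsupported content coding: ${c}`)
  }
  return codings
}

// Codings are listed in the order the sender applied them, so undo them last-first.
function decodeBody (body, headerValue) {
  return parseContentEncoding(headerValue)
    .reduceRight((buf, c) => DECODERS[c](buf), body)
}

// Constructed sample: a payload wrapped in n gzip layers with a matching header.
function buildLayered (payload, n) {
  let body = Buffer.from(payload)
  for (let i = 0; i < n; i++) body = zlib.gzipSync(body)
  return { body, header: Array(n).fill('gzip').join(', ') }
}
```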