undici 8.0.2 → 8.0.3

package/docs/docs/api/Dispatcher.md

@@ -533,7 +533,7 @@ The `RequestOptions.method` property should not be value `'CONNECT'`.
 
 `body` contains the following additional extensions:
 
-- `dump({ limit: Integer })`, dump the response by reading up to `limit` bytes without killing the socket (optional) - Default: 262144.
+- `dump({ limit: Integer })`, dump the response by reading up to `limit` bytes without killing the socket (optional) - Default: 131072.
 
 Note that body will still be a `Readable` even if it is empty, but attempting to deserialize it with `json()` will result in an exception. Recommended way to ensure there is a body to deserialize is to check if status code is not 204, and `content-type` header starts with `application/json`.
 
@@ -1031,7 +1031,7 @@ const client = new Client("http://service.example").compose(
 The `dump` interceptor enables you to dump the response body from a request upon a given limit.
 
 **Options**
-- `maxSize` - The maximum size (in bytes) of the response body to dump. If the size of the request's body exceeds this value then the connection will be closed. Default: `1048576`.
+- `maxSize` - The maximum size (in bytes) of the response body to dump. If the size of the response's body exceeds this value then the connection will be closed. Default: `1048576`.
 
 > The `Dispatcher#options` also gets extended with the options `dumpMaxSize`, `abortOnDumped`, and `waitForTrailers` which can be used to configure the interceptor at a request-per-request basis.
 

package/docs/docs/best-practices/migrating-from-v7-to-v8.md

@@ -0,0 +1,231 @@
+# Migrating from Undici 7 to 8
+
+This guide covers the changes you are most likely to hit when upgrading an
+application or library from Undici v7 to v8.
+
+## Before you upgrade
+
+- Make sure your runtime is Node.js `>= 22.19.0`.
+- If you have custom dispatchers, interceptors, or handlers, review the
+  handler API changes before updating.
+- If you rely on HTTP/1.1-only behavior, plan to set `allowH2: false`
+  explicitly.
+
+## 1. Update your Node.js version
+
+Undici v8 requires Node.js `>= 22.19.0`.
+
+If you are still on Node.js 20 or an older Node.js 22 release, upgrade Node.js
+first:
+
+```bash
+node -v
+```
+
+If that command prints a version lower than `v22.19.0`, upgrade Node.js before
+installing Undici v8.
+
+## 2. Migrate custom dispatcher handlers to the v2 API
+
+Undici v8 uses the newer dispatcher handler API consistently.
+
+If you implemented custom dispatchers, interceptors, or wrappers around
+`dispatch()`, update legacy callbacks such as `onConnect`, `onHeaders`, and
+`onComplete` to the newer callback names.
+
+### Old handler callbacks vs. v8 callbacks
+
+| Undici 7 style | Undici 8 style |
+|---|---|
+| `onConnect(abort, context)` | `onRequestStart(controller, context)` |
+| `onHeaders(statusCode, rawHeaders, resume, statusText)` | `onResponseStart(controller, statusCode, headers, statusText)` |
+| `onData(chunk)` | `onResponseData(controller, chunk)` |
+| `onComplete(trailers)` | `onResponseEnd(controller, trailers)` |
+| `onError(err)` | `onResponseError(controller, err)` |
+| `onUpgrade(statusCode, rawHeaders, socket)` | `onRequestUpgrade(controller, statusCode, headers, socket)` |
+
+### Example
+
+Before:
+
+```js
+client.dispatch(options, {
+  onConnect (abort) {
+    this.abort = abort
+  },
+  onHeaders (statusCode, headers, resume) {
+    this.resume = resume
+    return true
+  },
+  onData (chunk) {
+    chunks.push(chunk)
+    return true
+  },
+  onComplete (trailers) {
+    console.log(trailers)
+  },
+  onError (err) {
+    console.error(err)
+  }
+})
+```
+
+After:
+
+```js
+client.dispatch(options, {
+  onRequestStart (controller) {
+    this.controller = controller
+  },
+  onResponseStart (controller, statusCode, headers, statusText) {
+    console.log(statusCode, statusText, headers)
+  },
+  onResponseData (controller, chunk) {
+    chunks.push(chunk)
+  },
+  onResponseEnd (controller, trailers) {
+    console.log(trailers)
+  },
+  onResponseError (controller, err) {
+    console.error(err)
+  }
+})
+```
+
+### Pause, resume, and abort now go through the controller
+
+In Undici v7, legacy handlers could return `false` or keep references to
+`abort()` and `resume()` callbacks. In Undici v8, use the controller instead:
+
+```js
+onRequestStart (controller) {
+  this.controller = controller
+}
+
+onResponseData (controller, chunk) {
+  controller.pause()
+  setImmediate(() => controller.resume())
+}
+
+onResponseError (controller, err) {
+  controller.abort(err)
+}
+```
+
+### Raw headers and trailers moved to the controller
+
+If you need the raw header arrays, read them from the controller:
+
+- `controller.rawHeaders`
+- `controller.rawTrailers`
+
+## 3. Update `onBodySent()` handlers
+
+If you implemented `onBodySent()`, note that its signature changed.
+
+Before, handlers received counters:
+
+```js
+onBodySent (chunkSize, totalBytesSent) {}
+```
+
+In Undici v8, handlers receive the actual chunk:
+
+```js
+onBodySent (chunk) {}
+```
+
+If you need a notification that the whole body has been sent, use
+`onRequestSent()`:
+
+```js
+onRequestSent () {
+  console.log('request body fully sent')
+}
+```
+
+## 4. If you need HTTP/1.1 only, disable HTTP/2 explicitly
+
+Undici v8 enables HTTP/2 by default when a TLS server negotiates it via ALPN.
+
+If your application depends on HTTP/1.1-specific behavior, set `allowH2: false`
+explicitly.
+
+Before:
+
+```js
+const client = new Client('https://example.com')
+```
+
+After, to keep HTTP/1.1 only:
+
+```js
+const client = new Client('https://example.com', {
+  allowH2: false
+})
+```
+
+The same applies when you configure an `Agent`:
+
+```js
+const agent = new Agent({
+  allowH2: false
+})
+```
+
+## 5. Use real `Blob` and `File` instances
+
+Undici v8 no longer accepts fake Blob-like values that only imitate `Blob` or
+`File` via properties such as `Symbol.toStringTag`.
+
+If you were passing custom objects that looked like `Blob`s, replace them with
+actual `Blob` or `File` instances:
+
+```js
+const body = new Blob(['hello'])
+```
+
+## 6. Avoid depending on the internal global dispatcher symbol
+
+`setGlobalDispatcher()` and `getGlobalDispatcher()` remain the public APIs and
+should continue to be used.
+
+Internally, Undici v8 stores its dispatcher under
+`Symbol.for('undici.globalDispatcher.2')` and mirrors a v1-compatible wrapper
+for legacy consumers such as Node.js built-in `fetch`.
+
+If your code was reading or writing `Symbol.for('undici.globalDispatcher.1')`
+directly, migrate to the public APIs instead:
+
+```js
+import { setGlobalDispatcher, getGlobalDispatcher, Agent } from 'undici'
+
+setGlobalDispatcher(new Agent())
+const dispatcher = getGlobalDispatcher()
+```
+
+If you must expose a dispatcher to legacy v1 handler consumers, wrap it with
+`Dispatcher1Wrapper`:
+
+```js
+import { Agent, Dispatcher1Wrapper } from 'undici'
+
+const legacyCompatibleDispatcher = new Dispatcher1Wrapper(new Agent())
+```
+
+## 7. Verify the upgrade
+
+After moving to Undici v8, it is worth checking these paths in your test suite:
+
+- requests that use a custom `dispatcher`
+- `setGlobalDispatcher()` behavior
+- any custom interceptor or retry handler
+- uploads that use `Blob`, `File`, or `FormData`
+- integrations that depend on HTTP/1.1-only behavior
+
+## Related documentation
+
+- [Dispatcher](/docs/api/Dispatcher.md)
+- [Client](/docs/api/Client.md)
+- [Global Installation](/docs/api/GlobalInstallation.md)
+- [Undici Module vs. Node.js Built-in Fetch](/docs/best-practices/undici-vs-builtin-fetch.md)

package/index.js

@@ -105,14 +105,14 @@ function makeDispatcher (fn) {
       url = util.parseURL(url)
     }
 
-    const { agent, dispatcher = getGlobalDispatcher() } = opts
+    const { agent, dispatcher = getGlobalDispatcher(), ...restOpts } = opts
 
     if (agent) {
       throw new InvalidArgumentError('unsupported opts.agent. Did you mean opts.client?')
     }
 
     return fn.call(dispatcher, {
-      ...opts,
+      ...restOpts,
       origin: url.origin,
       path: url.search ? `${url.pathname}${url.search}` : url.pathname,
       method: opts.method || (opts.body ? 'PUT' : 'GET')

package/lib/core/util.js

@@ -12,8 +12,6 @@ const { InvalidArgumentError, ConnectTimeoutError } = require('./errors')
 const { headerNameLowerCasedRecord } = require('./constants')
 const { tree } = require('./tree')
 
-const [nodeMajor, nodeMinor] = process.versions.node.split('.', 2).map(v => Number(v))
-
 class BodyAsyncIterable {
   constructor (body) {
     this[kBody] = body
@@ -323,7 +321,7 @@ function isIterable (obj) {
  */
 function hasSafeIterator (obj) {
   const prototype = Object.getPrototypeOf(obj)
-  const ownIterator = Object.prototype.hasOwnProperty.call(obj, Symbol.iterator)
+  const ownIterator = Object.hasOwn(obj, Symbol.iterator)
   return ownIterator || (prototype != null && prototype !== Object.prototype && typeof obj[Symbol.iterator] === 'function')
 }
 
@@ -989,8 +987,6 @@ module.exports = {
   normalizedMethodRecords,
   isValidPort,
   isHttpOrHttpsPrefixed,
-  nodeMajor,
-  nodeMinor,
   safeHTTPMethods: Object.freeze(['GET', 'HEAD', 'OPTIONS', 'TRACE']),
   wrapRequestBody,
   setupConnectTimeout,

package/lib/dispatcher/balanced-pool.js

@@ -57,9 +57,6 @@ class BalancedPool extends PoolBase {
     super()
 
     this[kOptions] = { ...util.deepClone(opts) }
-    this[kOptions].interceptors = opts.interceptors
-      ? { ...opts.interceptors }
-      : undefined
     this[kIndex] = -1
     this[kCurrentWeight] = 0
 

package/lib/dispatcher/dispatcher-base.js

@@ -138,6 +138,10 @@ class DispatcherBase extends Dispatcher {
         throw new InvalidArgumentError('opts must be an object.')
       }
 
+      if (opts.dispatcher) {
+        throw new InvalidArgumentError('opts.dispatcher is not supported by instance methods. Pass opts.dispatcher to the top-level undici functions or call the dispatcher instance method directly.')
+      }
+
       if (this[kDestroyed] || this[kOnDestroyed]) {
         throw new ClientDestroyedError()
       }

package/lib/dispatcher/dispatcher1-wrapper.js

@@ -86,6 +86,12 @@ class Dispatcher1Wrapper extends Dispatcher {
   }
 
   dispatch (opts, handler) {
+    // Legacy (v1) consumers do not support HTTP/2, so force HTTP/1.1.
+    // See https://github.com/nodejs/undici/issues/4989
+    if (opts.allowH2 !== false) {
+      opts = { ...opts, allowH2: false }
+    }
+
     return this.#dispatcher.dispatch(opts, Dispatcher1Wrapper.wrapHandler(handler))
   }
 

package/lib/dispatcher/h2c-client.js

@@ -15,7 +15,7 @@ class H2CClient extends Client {
       )
     }
 
-    const { connect, maxConcurrentStreams, pipelining, ...opts } =
+    const { maxConcurrentStreams, pipelining, ...opts } =
             clientOpts ?? {}
     let defaultMaxConcurrentStreams = 100
     let defaultPipelining = 100

package/lib/dispatcher/pool.js

@@ -68,9 +68,6 @@ class Pool extends PoolBase {
     this[kConnections] = connections || null
     this[kUrl] = util.parseOrigin(origin)
     this[kOptions] = { ...util.deepClone(options), connect, allowH2, clientTtl, socketPath }
-    this[kOptions].interceptors = options.interceptors
-      ? { ...options.interceptors }
-      : undefined
     this[kFactory] = factory
 
     this.on('connect', (origin, targets) => {

package/lib/dispatcher/proxy-agent.js

@@ -104,7 +104,7 @@ class ProxyAgent extends DispatcherBase {
       throw new InvalidArgumentError('Proxy opts.clientFactory must be a function.')
     }
 
-    const { proxyTunnel = true } = opts
+    const { proxyTunnel = true, connectTimeout } = opts
 
     super()
 
@@ -128,9 +128,9 @@ class ProxyAgent extends DispatcherBase {
       this[kProxyHeaders]['proxy-authorization'] = `Basic ${Buffer.from(`${decodeURIComponent(username)}:${decodeURIComponent(password)}`).toString('base64')}`
     }
 
-    const connect = buildConnector({ ...opts.proxyTls })
-    this[kConnectEndpoint] = buildConnector({ ...opts.requestTls })
-    this[kConnectEndpointHTTP1] = buildConnector({ ...opts.requestTls, allowH2: false })
+    const connect = buildConnector({ timeout: connectTimeout, ...opts.proxyTls })
+    this[kConnectEndpoint] = buildConnector({ timeout: connectTimeout, ...opts.requestTls })
+    this[kConnectEndpointHTTP1] = buildConnector({ timeout: connectTimeout, ...opts.requestTls, allowH2: false })
 
     const agentFactory = opts.factory || defaultAgentFactory
     const factory = (origin, options) => {

package/lib/dispatcher/round-robin-pool.js

@@ -69,9 +69,6 @@ class RoundRobinPool extends PoolBase {
     this[kConnections] = connections || null
     this[kUrl] = util.parseOrigin(origin)
     this[kOptions] = { ...util.deepClone(options), connect, allowH2, clientTtl, socketPath }
-    this[kOptions].interceptors = options.interceptors
-      ? { ...options.interceptors }
-      : undefined
     this[kFactory] = factory
     this[kIndex] = -1
 

package/lib/dispatcher/socks5-proxy-agent.js

@@ -79,26 +79,28 @@ class Socks5ProxyAgent extends DispatcherBase {
     debug('creating SOCKS5 connection to', proxyHost, proxyPort)
 
     // Connect to the SOCKS5 proxy
-    const socket = await new Promise((resolve, reject) => {
-      const onConnect = () => {
-        socket.removeListener('error', onError)
-        resolve(socket)
-      }
+    const socketReady = Promise.withResolvers()
 
-      const onError = (err) => {
-        socket.removeListener('connect', onConnect)
-        reject(err)
-      }
+    const onSocketConnect = () => {
+      socket.removeListener('error', onSocketError)
+      socketReady.resolve(socket)
+    }
 
-      const socket = net.connect({
-        host: proxyHost,
-        port: proxyPort
-      })
+    const onSocketError = (err) => {
+      socket.removeListener('connect', onSocketConnect)
+      socketReady.reject(err)
+    }
 
-      socket.once('connect', onConnect)
-      socket.once('error', onError)
+    const socket = net.connect({
+      host: proxyHost,
+      port: proxyPort
     })
 
+    socket.once('connect', onSocketConnect)
+    socket.once('error', onSocketError)
+
+    await socketReady.promise
+
     // Create SOCKS5 client
     const socks5Client = new Socks5Client(socket, this[kProxyAuth])
 
@@ -112,58 +114,62 @@ class Socks5ProxyAgent extends DispatcherBase {
     await socks5Client.handshake()
 
     // Wait for authentication (if required)
-    await new Promise((resolve, reject) => {
-      const timeout = setTimeout(() => {
-        reject(new Error('SOCKS5 authentication timeout'))
-      }, 5000)
-
-      const onAuthenticated = () => {
-        clearTimeout(timeout)
-        socks5Client.removeListener('error', onError)
-        resolve()
-      }
+    const authenticationReady = Promise.withResolvers()
 
-      const onError = (err) => {
-        clearTimeout(timeout)
-        socks5Client.removeListener('authenticated', onAuthenticated)
-        reject(err)
-      }
+    const authenticationTimeout = setTimeout(() => {
+      authenticationReady.reject(new Error('SOCKS5 authentication timeout'))
+    }, 5000)
 
-      // Check if already authenticated (for NO_AUTH method)
-      if (socks5Client.state === 'authenticated') {
-        clearTimeout(timeout)
-        resolve()
-      } else {
-        socks5Client.once('authenticated', onAuthenticated)
-        socks5Client.once('error', onError)
-      }
-    })
+    const onAuthenticated = () => {
+      clearTimeout(authenticationTimeout)
+      socks5Client.removeListener('error', onAuthenticationError)
+      authenticationReady.resolve()
+    }
+
+    const onAuthenticationError = (err) => {
+      clearTimeout(authenticationTimeout)
+      socks5Client.removeListener('authenticated', onAuthenticated)
+      authenticationReady.reject(err)
+    }
+
+    // Check if already authenticated (for NO_AUTH method)
+    if (socks5Client.state === 'authenticated') {
+      clearTimeout(authenticationTimeout)
+      authenticationReady.resolve()
+    } else {
+      socks5Client.once('authenticated', onAuthenticated)
+      socks5Client.once('error', onAuthenticationError)
+    }
+
+    await authenticationReady.promise
 
     // Send CONNECT command
     await socks5Client.connect(targetHost, targetPort)
 
     // Wait for connection
-    await new Promise((resolve, reject) => {
-      const timeout = setTimeout(() => {
-        reject(new Error('SOCKS5 connection timeout'))
-      }, 5000)
-
-      const onConnected = (info) => {
-        debug('SOCKS5 tunnel established to', targetHost, targetPort, 'via', info)
-        clearTimeout(timeout)
-        socks5Client.removeListener('error', onError)
-        resolve()
-      }
+    const connectionReady = Promise.withResolvers()
 
-      const onError = (err) => {
-        clearTimeout(timeout)
-        socks5Client.removeListener('connected', onConnected)
-        reject(err)
-      }
+    const connectionTimeout = setTimeout(() => {
+      connectionReady.reject(new Error('SOCKS5 connection timeout'))
+    }, 5000)
 
-      socks5Client.once('connected', onConnected)
-      socks5Client.once('error', onError)
-    })
+    const onConnected = (info) => {
+      debug('SOCKS5 tunnel established to', targetHost, targetPort, 'via', info)
+      clearTimeout(connectionTimeout)
+      socks5Client.removeListener('error', onConnectionError)
+      connectionReady.resolve()
+    }
+
+    const onConnectionError = (err) => {
+      clearTimeout(connectionTimeout)
+      socks5Client.removeListener('connected', onConnected)
+      connectionReady.reject(err)
+    }
+
+    socks5Client.once('connected', onConnected)
+    socks5Client.once('error', onConnectionError)
+
+    await connectionReady.promise
 
     return socket
   }
@@ -206,10 +212,10 @@ class Socks5ProxyAgent extends DispatcherBase {
                   ...connectOpts.tls || {}
                 })
 
-                await new Promise((resolve, reject) => {
-                  finalSocket.once('secureConnect', resolve)
-                  finalSocket.once('error', reject)
-                })
+                const tlsReady = Promise.withResolvers()
+                finalSocket.once('secureConnect', tlsReady.resolve)
+                finalSocket.once('error', tlsReady.reject)
+                await tlsReady.promise
               }
 
               callback(null, finalSocket)

package/lib/handler/redirect-handler.js

@@ -1,30 +1,13 @@
 'use strict'
 
 const util = require('../core/util')
-const { kBodyUsed } = require('../core/symbols')
 const assert = require('node:assert')
 const { InvalidArgumentError } = require('../core/errors')
-const EE = require('node:events')
 
 const redirectableStatusCodes = [300, 301, 302, 303, 307, 308]
 
-const kBody = Symbol('body')
-
 const noop = () => {}
 
-class BodyAsyncIterable {
-  constructor (body) {
-    this[kBody] = body
-    this[kBodyUsed] = false
-  }
-
-  async * [Symbol.asyncIterator] () {
-    assert(!this[kBodyUsed], 'disturbed')
-    this[kBodyUsed] = true
-    yield * this[kBody]
-  }
-}
-
 class RedirectHandler {
   static buildDispatch (dispatcher, maxRedirections) {
     if (maxRedirections != null && (!Number.isInteger(maxRedirections) || maxRedirections < 0)) {
@@ -44,43 +27,10 @@ class RedirectHandler {
     this.location = null
     const { maxRedirections: _, ...cleanOpts } = opts
     this.opts = cleanOpts // opts must be a copy, exclude maxRedirections
+    this.opts.body = util.wrapRequestBody(this.opts.body)
     this.maxRedirections = maxRedirections
     this.handler = handler
     this.history = []
-
-    if (util.isStream(this.opts.body)) {
-      // TODO (fix): Provide some way for the user to cache the file to e.g. /tmp
-      // so that it can be dispatched again?
-      // TODO (fix): Do we need 100-expect support to provide a way to do this properly?
-      if (util.bodyLength(this.opts.body) === 0) {
-        this.opts.body
-          .on('data', function () {
-            assert(false)
-          })
-      }
-
-      if (typeof this.opts.body.readableDidRead !== 'boolean') {
-        this.opts.body[kBodyUsed] = false
-        EE.prototype.on.call(this.opts.body, 'data', function () {
-          this[kBodyUsed] = true
-        })
-      }
-    } else if (this.opts.body && typeof this.opts.body.pipeTo === 'function') {
-      // TODO (fix): We can't access ReadableStream internal state
-      // to determine whether or not it has been disturbed. This is just
-      // a workaround.
-      this.opts.body = new BodyAsyncIterable(this.opts.body)
-    } else if (
-      this.opts.body &&
-      typeof this.opts.body !== 'string' &&
-      !ArrayBuffer.isView(this.opts.body) &&
-      util.isIterable(this.opts.body) &&
-      !util.isFormDataLike(this.opts.body)
-    ) {
-      // TODO: Should we allow re-using iterable if !this.opts.idempotent
-      // or through some other flag?
-      this.opts.body = new BodyAsyncIterable(this.opts.body)
-    }
   }
 
   onRequestStart (controller, context) {

package/lib/interceptor/decompress.js

@@ -3,7 +3,6 @@
 const { createInflate, createGunzip, createBrotliDecompress, createZstdDecompress } = require('node:zlib')
 const { pipeline } = require('node:stream')
 const DecoratorHandler = require('../handler/decorator-handler')
-const { runtimeFeatures } = require('../util/runtime-features')
 
 /** @typedef {import('node:stream').Transform} Transform */
 /** @typedef {import('node:stream').Transform} Controller */
@@ -17,7 +16,7 @@ const supportedEncodings = {
   deflate: createInflate,
   compress: createInflate,
   'x-compress': createInflate,
-  ...(runtimeFeatures.has('zstd') ? { zstd: createZstdDecompress } : {})
+  zstd: createZstdDecompress
 }
 
 const defaultSkipStatusCodes = /** @type {const} */ ([204, 304])

package/lib/interceptor/dns.js

@@ -7,7 +7,7 @@ const maxInt = Math.pow(2, 31) - 1
 
 function hasSafeIterator (headers) {
   const prototype = Object.getPrototypeOf(headers)
-  const ownIterator = Object.prototype.hasOwnProperty.call(headers, Symbol.iterator)
+  const ownIterator = Object.hasOwn(headers, Symbol.iterator)
   return ownIterator || (prototype != null && prototype !== Object.prototype && typeof headers[Symbol.iterator] === 'function')
 }
 

package/lib/util/cache.js

@@ -374,9 +374,11 @@ function assertCacheMethods (methods, name = 'CacheMethods') {
  * @returns {string}
  */
 function makeDeduplicationKey (cacheKey, excludeHeaders) {
-  // Create a deterministic string key from the cache key
-  // Include origin, method, path, and sorted headers
-  let key = `${cacheKey.origin}:${cacheKey.method}:${cacheKey.path}`
+  // Use JSON.stringify to produce a collision-resistant key.
+  // Previous format used `:` and `=` delimiters without escaping, which
+  // allowed different header sets to produce identical keys (e.g.
+  // {a:"x:b=y"} vs {a:"x", b:"y"}). See: https://github.com/nodejs/undici/issues/5012
+  const headers = {}
 
   if (cacheKey.headers) {
     const sortedHeaders = Object.keys(cacheKey.headers).sort()
@@ -385,12 +387,11 @@ function makeDeduplicationKey (cacheKey, excludeHeaders) {
       if (excludeHeaders?.has(header.toLowerCase())) {
         continue
       }
-      const value = cacheKey.headers[header]
-      key += `:${header}=${Array.isArray(value) ? value.join(',') : value}`
+      headers[header] = cacheKey.headers[header]
     }
   }
 
-  return key
+  return JSON.stringify([cacheKey.origin, cacheKey.method, cacheKey.path, headers])
 }
 
 module.exports = {

package/lib/util/runtime-features.js

@@ -6,9 +6,7 @@
 const lazyLoaders = {
   __proto__: null,
   'node:crypto': () => require('node:crypto'),
-  'node:sqlite': () => require('node:sqlite'),
-  'node:worker_threads': () => require('node:worker_threads'),
-  'node:zlib': () => require('node:zlib')
+  'node:sqlite': () => require('node:sqlite')
 }
 
 /**
@@ -27,35 +25,9 @@ function detectRuntimeFeatureByNodeModule (moduleName) {
   }
 }
 
-/**
- * @param {NodeModuleName} moduleName
- * @param {string} property
- * @returns {boolean}
- */
-function detectRuntimeFeatureByExportedProperty (moduleName, property) {
-  const module = lazyLoaders[moduleName]()
-  return typeof module[property] !== 'undefined'
-}
-
-const runtimeFeaturesByExportedProperty = /** @type {const} */ (['markAsUncloneable', 'zstd'])
-
-/** @type {Record<RuntimeFeatureByExportedProperty, [NodeModuleName, string]>} */
-const exportedPropertyLookup = {
-  markAsUncloneable: ['node:worker_threads', 'markAsUncloneable'],
-  zstd: ['node:zlib', 'createZstdDecompress']
-}
-
-/** @typedef {typeof runtimeFeaturesByExportedProperty[number]} RuntimeFeatureByExportedProperty */
-
 const runtimeFeaturesAsNodeModule = /** @type {const} */ (['crypto', 'sqlite'])
 /** @typedef {typeof runtimeFeaturesAsNodeModule[number]} RuntimeFeatureByNodeModule */
-
-const features = /** @type {const} */ ([
-  ...runtimeFeaturesAsNodeModule,
-  ...runtimeFeaturesByExportedProperty
-])
-
-/** @typedef {typeof features[number]} Feature */
+/** @typedef {RuntimeFeatureByNodeModule} Feature */
 
 /**
  * @param {Feature} feature
@@ -64,9 +36,6 @@ const features = /** @type {const} */ ([
 function detectRuntimeFeature (feature) {
   if (runtimeFeaturesAsNodeModule.includes(/** @type {RuntimeFeatureByNodeModule} */ (feature))) {
     return detectRuntimeFeatureByNodeModule(`node:${feature}`)
-  } else if (runtimeFeaturesByExportedProperty.includes(/** @type {RuntimeFeatureByExportedProperty} */ (feature))) {
-    const [moduleName, property] = exportedPropertyLookup[feature]
-    return detectRuntimeFeatureByExportedProperty(moduleName, property)
   }
   throw new TypeError(`unknown feature: ${feature}`)
 }
@@ -101,7 +70,7 @@ class RuntimeFeatures {
    * @param {boolean} value
    */
   set (feature, value) {
-    if (features.includes(feature) === false) {
+    if (runtimeFeaturesAsNodeModule.includes(feature) === false) {
       throw new TypeError(`unknown feature: ${feature}`)
     }
     this.#map.set(feature, value)

package/lib/web/cache/cache.js

@@ -10,8 +10,6 @@ const { cloneResponse, fromInnerResponse, getResponseState } = require('../fetch
 const { Request, fromInnerRequest, getRequestState } = require('../fetch/request')
 const { fetching } = require('../fetch/index')
 const { urlIsHttpHttpsScheme, readAllBytes } = require('../fetch/util')
-const { createDeferredPromise } = require('../../util/promise')
-
 /**
  * @see https://w3c.github.io/ServiceWorker/#dfn-cache-batch-operation
  * @typedef {Object} CacheBatchOperation
@@ -153,7 +151,7 @@ class Cache {
       requestList.push(r)
 
       // 5.6
-      const responsePromise = createDeferredPromise()
+      const responsePromise = Promise.withResolvers()
 
       // 5.7
       fetchControllers.push(fetching({
@@ -231,7 +229,7 @@ class Cache {
     }
 
     // 7.5
-    const cacheJobPromise = createDeferredPromise()
+    const cacheJobPromise = Promise.withResolvers()
 
     // 7.6.1
     let errorData = null
@@ -325,7 +323,7 @@ class Cache {
     const clonedResponse = cloneResponse(innerResponse)
 
     // 10.
-    const bodyReadPromise = createDeferredPromise()
+    const bodyReadPromise = Promise.withResolvers()
 
     // 11.
     if (innerResponse.body != null) {
@@ -364,7 +362,7 @@ class Cache {
     }
 
     // 19.1
-    const cacheJobPromise = createDeferredPromise()
+    const cacheJobPromise = Promise.withResolvers()
 
     // 19.2.1
     let errorData = null
@@ -427,7 +425,7 @@ class Cache {
 
     operations.push(operation)
 
-    const cacheJobPromise = createDeferredPromise()
+    const cacheJobPromise = Promise.withResolvers()
 
     let errorData = null
     let requestResponses
@@ -483,7 +481,7 @@ class Cache {
     }
 
     // 4.
-    const promise = createDeferredPromise()
+    const promise = Promise.withResolvers()
 
     // 5.
     // 5.1

package/lib/web/fetch/body.js

@@ -14,7 +14,6 @@ const { isErrored, isDisturbed } = require('node:stream')
 const { isUint8Array } = require('node:util/types')
 const { serializeAMimeType } = require('./data-url')
 const { multipartFormDataParser } = require('./formdata-parser')
-const { createDeferredPromise } = require('../../util/promise')
 const { parseJSONFromBytes } = require('../infra')
 const { utf8DecodeBytes } = require('../../encoding')
 const { runtimeFeatures } = require('../../util/runtime-features.js')
@@ -431,7 +430,7 @@ function consumeBody (object, convertBytesToJSValue, instance, getInternalState)
   }
 
   // 2. Let promise be a new promise.
-  const promise = createDeferredPromise()
+  const promise = Promise.withResolvers()
 
   // 3. Let errorSteps given error be to reject promise with error.
   const errorSteps = promise.reject

package/lib/web/fetch/index.js

@@ -64,12 +64,7 @@ const { getGlobalDispatcher } = require('../../global')
 const { webidl } = require('../webidl')
 const { STATUS_CODES } = require('node:http')
 const { bytesMatch } = require('../subresource-integrity/subresource-integrity')
-const { createDeferredPromise } = require('../../util/promise')
 const { isomorphicEncode } = require('../infra')
-const { runtimeFeatures } = require('../../util/runtime-features')
-
-// Node.js v23.8.0+ and v22.15.0+ supports Zstandard
-const hasZstd = runtimeFeatures.has('zstd')
 
 const GET_OR_HEAD = ['GET', 'HEAD']
 
@@ -136,7 +131,7 @@ function fetch (input, init = undefined) {
   webidl.argumentLengthCheck(arguments, 1, 'globalThis.fetch')
 
   // 1. Let p be a new promise.
-  let p = createDeferredPromise()
+  let p = Promise.withResolvers()
 
   // 2. Let requestObject be the result of invoking the initial value of
   // Request as constructor with input and init as arguments. If this throws
@@ -1644,12 +1639,25 @@ async function httpNetworkOrCacheFetch (
   // 14. If response’s status is 401, httpRequest’s response tainting is not "cors",
   //     includeCredentials is true, and request’s traversable for user prompts is
   //     a traversable navigable:
-  if (response.status === 401 && httpRequest.responseTainting !== 'cors' && includeCredentials && isTraversableNavigable(request.traversableForUserPrompts)) {
+  //
+  //     In Node.js there is no traversable navigable to prompt the user, but we
+  //     still need to handle URL-embedded credentials so authentication retries
+  //     for WebSocket handshakes continue to work.
+  if (response.status === 401 && httpRequest.responseTainting !== 'cors' && includeCredentials && (
+    request.useURLCredentials !== undefined ||
+    isTraversableNavigable(request.traversableForUserPrompts)
+  )) {
     // 2. If request’s body is non-null, then:
     if (request.body != null) {
       // 1. If request’s body’s source is null, then return a network error.
       if (request.body.source == null) {
-        return makeNetworkError('expected non-null body source')
+        // Note: In Node.js, this code path should not be reached because
+        // isTraversableNavigable() returns false for non-navigable contexts.
+        // However, we handle it gracefully by returning the response instead of
+        // a network error, as we won't actually retry the request.
+        // This aligns with the Fetch spec discussion in whatwg/fetch#1132,
+        // which allows implementations flexibility when credentials can't be obtained.
+        return response
       }
 
       // 2. Set request’s body to the body of the result of safely extracting
@@ -2251,7 +2259,7 @@ async function httpNetworkFetch (
                     flush: zlib.constants.BROTLI_OPERATION_FLUSH,
                     finishFlush: zlib.constants.BROTLI_OPERATION_FLUSH
                   }))
-                } else if (coding === 'zstd' && hasZstd) {
+                } else if (coding === 'zstd') {
                   decoders.push(zlib.createZstdDecompress({
                     flush: zlib.constants.ZSTD_e_continue,
                     finishFlush: zlib.constants.ZSTD_e_end

package/lib/web/fetch/util.js

@@ -1447,8 +1447,10 @@ function includesCredentials (url) {
  * @param {object|string} navigable
  */
 function isTraversableNavigable (navigable) {
-  // TODO
-  return true
+  // Returns true only if we have an actual traversable navigable object
+  // that can prompt the user for credentials. In Node.js, this will always
+  // be false since there's no Window object or navigable.
+  return navigable != null && navigable !== 'client' && navigable !== 'no-traversable'
 }
 
 class EnvironmentSettingsObjectBase {

package/lib/web/webidl/index.js

@@ -2,7 +2,7 @@
 
 const assert = require('node:assert')
 const { types, inspect } = require('node:util')
-const { runtimeFeatures } = require('../../util/runtime-features')
+const { markAsUncloneable } = require('node:worker_threads')
 
 const UNDEFINED = 1
 const BOOLEAN = 2
@@ -158,9 +158,7 @@ webidl.util.TypeValueToString = function (o) {
   }
 }
 
-webidl.util.markAsUncloneable = runtimeFeatures.has('markAsUncloneable')
-  ? require('node:worker_threads').markAsUncloneable
-  : () => {}
+webidl.util.markAsUncloneable = markAsUncloneable
 
 // https://webidl.spec.whatwg.org/#abstract-opdef-converttoint
 webidl.util.ConvertToInt = function (V, bitLength, signedness, flags) {

package/lib/web/websocket/stream/websocketstream.js

@@ -1,6 +1,5 @@
 'use strict'
 
-const { createDeferredPromise } = require('../../../util/promise')
 const { environmentSettingsObject } = require('../../fetch/util')
 const { states, opcodes, sentCloseFrameState } = require('../constants')
 const { webidl } = require('../../webidl')
@@ -21,11 +20,11 @@ class WebSocketStream {
   #url
 
   // Each WebSocketStream object has an associated opened promise , which is a promise.
-  /** @type {import('../../../util/promise').DeferredPromise} */
+  /** @type {ReturnType<typeof Promise.withResolvers>} */
   #openedPromise
 
   // Each WebSocketStream object has an associated closed promise , which is a promise.
-  /** @type {import('../../../util/promise').DeferredPromise} */
+  /** @type {ReturnType<typeof Promise.withResolvers>} */
   #closedPromise
 
   // Each WebSocketStream object has an associated readable stream , which is a ReadableStream .
@@ -113,8 +112,8 @@ class WebSocketStream {
     this.#url = urlRecord.toString()
 
     // 6. Set this 's opened promise and closed promise to new promises.
-    this.#openedPromise = createDeferredPromise()
-    this.#closedPromise = createDeferredPromise()
+    this.#openedPromise = Promise.withResolvers()
+    this.#closedPromise = Promise.withResolvers()
 
     // 7. Apply backpressure to the WebSocket.
     // TODO
@@ -202,7 +201,7 @@ class WebSocketStream {
     chunk = webidl.converters.WebSocketStreamWrite(chunk)
 
     // 1. Let promise be a new promise created in stream ’s relevant realm .
-    const promise = createDeferredPromise()
+    const promise = Promise.withResolvers()
 
     // 2. Let data be null.
     let data = null

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "undici",
-  "version": "8.0.2",
+  "version": "8.0.3",
   "description": "An HTTP/1.1 client, written from scratch for Node.js",
   "homepage": "https://undici.nodejs.org",
   "bugs": {
@@ -119,7 +119,7 @@
     "c8": "^10.0.0",
     "cross-env": "^10.0.0",
     "dns-packet": "^5.4.0",
-    "esbuild": "^0.27.3",
+    "esbuild": "^0.28.0",
     "eslint": "^9.9.0",
     "fast-check": "^4.1.1",
     "husky": "^9.0.7",
@@ -127,7 +127,7 @@
     "jsondiffpatch": "^0.7.3",
     "neostandard": "^0.12.0",
     "node-forge": "^1.3.1",
-    "proxy": "^2.1.1",
+    "proxy": "^4.0.0",
     "tsd": "^0.33.0",
     "typescript": "^6.0.2",
     "ws": "^8.11.0"

package/types/agent.d.ts

@@ -22,8 +22,6 @@ declare namespace Agent {
   export interface Options extends Pool.Options {
     /** Default: `(origin, opts) => new Pool(origin, opts)`. */
     factory?(origin: string | URL, opts: Object): Dispatcher;
-
-    interceptors?: { Agent?: readonly Dispatcher.DispatchInterceptor[] } & Pool.Options['interceptors']
     maxOrigins?: number
   }
 

package/types/client.d.ts

@@ -30,12 +30,7 @@ export class Client extends Dispatcher {
 }
 
 export declare namespace Client {
-  export interface OptionsInterceptors {
-    Client: readonly Dispatcher.DispatchInterceptor[];
-  }
   export interface Options {
-    /** TODO */
-    interceptors?: OptionsInterceptors;
     /** The maximum length of request headers in bytes. Default: Node.js' `--max-http-header-size` or `16384` (16KiB). */
     maxHeaderSize?: number;
     /** The amount of time, in milliseconds, the parser will wait to receive the complete HTTP headers (Node 14 and above only). Default: `300e3` milliseconds (300s). */
@@ -44,7 +39,7 @@ export declare namespace Client {
     socketTimeout?: never;
     /** @deprecated unsupported requestTimeout, use headersTimeout & bodyTimeout instead */
     requestTimeout?: never;
-    /** TODO */
+    /** The timeout for establishing a socket connection, in milliseconds. Use `0` to disable it entirely. Default: `10e3` milliseconds (10s). */
     connectTimeout?: number;
     /** The timeout after which a request will time out, in milliseconds. Monitors time between receiving body data. Use `0` to disable it entirely. Default: `300e3` milliseconds (300s). */
     bodyTimeout?: number;
@@ -60,7 +55,7 @@ export declare namespace Client {
     keepAliveMaxTimeout?: number;
     /** A number of milliseconds subtracted from server *keep-alive* hints when overriding `idleTimeout` to account for timing inaccuracies caused by e.g. transport latency. Default: `1e3` milliseconds (1s). */
     keepAliveTimeoutThreshold?: number;
-    /** TODO */
+    /** An IPC endpoint, either a Unix domain socket or Windows named pipe. Default: `null`. */
     socketPath?: string;
     /** The amount of concurrent requests to be sent over the single TCP/TLS connection according to [RFC7230](https://tools.ietf.org/html/rfc7230#section-6.3.2). Default: `1`. */
     pipelining?: number;
@@ -68,13 +63,13 @@ export declare namespace Client {
     tls?: never;
     /** If `true`, an error is thrown when the request content-length header doesn't match the length of the request body. Default: `true`. */
     strictContentLength?: boolean;
-    /** TODO */
+    /** Maximum number of TLS cached sessions used by the built-in connector. Use `0` to disable TLS session caching. Default: `100`. */
     maxCachedSessions?: number;
-    /** TODO */
+    /** Connector options passed to `buildConnector`, or a custom connector function. Default: `null`. */
     connect?: Partial<buildConnector.BuildOptions> | buildConnector.connector;
-    /** TODO */
+    /** The maximum number of requests to send over a single connection before it is reset. Use `0` to disable this limit. Default: `null`. */
     maxRequestsPerClient?: number;
-    /** TODO */
+    /** Local IP address the socket should connect from. */
     localAddress?: string;
     /** Max response body size in bytes, -1 is disabled */
     maxResponseSize?: number;
@@ -84,7 +79,7 @@ export declare namespace Client {
     autoSelectFamilyAttemptTimeout?: number;
     /**
      * @description Enables support for H2 if the server has assigned bigger priority to it through ALPN negotiation.
-     * @default false
+     * @default true
      */
     allowH2?: boolean;
     /**

package/types/dispatcher.d.ts

@@ -8,8 +8,6 @@ import { FormData } from './formdata'
 import Errors from './errors'
 import { Autocomplete } from './utility'
 
-type AbortSignal = unknown
-
 export default Dispatcher
 
 export type UndiciHeaders = Record<string, string | string[]> | IncomingHttpHeaders | string[] | Iterable<[string, string | string[] | undefined]> | null

package/types/h2c-client.d.ts

@@ -32,7 +32,7 @@ export declare namespace H2CClient {
     maxHeaderSize?: number;
     /** The amount of time, in milliseconds, the parser will wait to receive the complete HTTP headers (Node 14 and above only). Default: `300e3` milliseconds (300s). */
     headersTimeout?: number;
-    /** TODO */
+    /** The timeout for establishing a socket connection, in milliseconds. Use `0` to disable it entirely. Default: `10e3` milliseconds (10s). */
     connectTimeout?: number;
     /** The timeout after which a request will time out, in milliseconds. Monitors time between receiving body data. Use `0` to disable it entirely. Default: `300e3` milliseconds (300s). */
     bodyTimeout?: number;
@@ -42,19 +42,19 @@ export declare namespace H2CClient {
     keepAliveMaxTimeout?: number;
     /** A number of milliseconds subtracted from server *keep-alive* hints when overriding `idleTimeout` to account for timing inaccuracies caused by e.g. transport latency. Default: `1e3` milliseconds (1s). */
     keepAliveTimeoutThreshold?: number;
-    /** TODO */
+    /** An IPC endpoint, either a Unix domain socket or Windows named pipe. Default: `null`. */
     socketPath?: string;
     /** The amount of concurrent requests to be sent over the single TCP/TLS connection according to [RFC7230](https://tools.ietf.org/html/rfc7230#section-6.3.2). Default: `1`. */
     pipelining?: number;
     /** If `true`, an error is thrown when the request content-length header doesn't match the length of the request body. Default: `true`. */
     strictContentLength?: boolean;
-    /** TODO */
+    /** Maximum number of TLS cached sessions used by the built-in connector. Use `0` to disable TLS session caching. Default: `100`. */
     maxCachedSessions?: number;
-    /** TODO */
+    /** Connector options passed to `buildConnector`, or a custom connector function. Default: `null`. */
     connect?: Omit<Partial<buildConnector.BuildOptions>, 'allowH2'> | buildConnector.connector;
-    /** TODO */
+    /** The maximum number of requests to send over a single connection before it is reset. Use `0` to disable this limit. Default: `null`. */
     maxRequestsPerClient?: number;
-    /** TODO */
+    /** Local IP address the socket should connect from. */
     localAddress?: string;
     /** Max response body size in bytes, -1 is disabled */
     maxResponseSize?: number;

package/types/pool.d.ts

@@ -35,7 +35,5 @@ declare namespace Pool {
     connections?: number | null;
     /** The amount of time before a client is removed from the pool and closed. `null` if no time limit. Default `null` */
     clientTtl?: number | null;
-
-    interceptors?: { Pool?: readonly Dispatcher.DispatchInterceptor[] } & Client.Options['interceptors']
   }
 }

package/types/round-robin-pool.d.ts

@@ -35,7 +35,5 @@ declare namespace RoundRobinPool {
     connections?: number | null;
     /** The amount of time before a client is removed from the pool and closed. `null` if no time limit. Default `null` */
     clientTtl?: number | null;
-
-    interceptors?: { RoundRobinPool?: readonly Dispatcher.DispatchInterceptor[] } & Client.Options['interceptors']
   }
 }

package/types/webidl.d.ts

@@ -87,7 +87,6 @@ interface WebidlUtil {
 
   /**
    * Mark a value as uncloneable for Node.js.
-   * This is only effective in some newer Node.js versions.
    */
   markAsUncloneable (V: any): void
 

package/lib/util/promise.js

@@ -1,28 +0,0 @@
-'use strict'
-
-/**
- * @template {*} T
- * @typedef {Object} DeferredPromise
- * @property {Promise<T>} promise
- * @property {(value?: T) => void} resolve
- * @property {(reason?: any) => void} reject
- */
-
-/**
- * @template {*} T
- * @returns {DeferredPromise<T>} An object containing a promise and its resolve/reject methods.
- */
-function createDeferredPromise () {
-  let res
-  let rej
-  const promise = new Promise((resolve, reject) => {
-    res = resolve
-    rej = reject
-  })
-
-  return { promise, resolve: res, reject: rej }
-}
-
-module.exports = {
-  createDeferredPromise
-}