Bump undici from 6.26.0 to 8.3.0

[dependabot]

Bumps undici from 6.26.0 to 8.3.0.

Release notes

Sourced from undici's releases.

v8.3.0

What's Changed

• fix: preserve pool capacity after removing stale client by @​trivikr in nodejs/undici#5151
• build(deps): bump actions/github-script from 8.0.0 to 9.0.0 by @​dependabot[bot] in nodejs/undici#5157
• build(deps): bump actions/upload-artifact from 5.0.0 to 7.0.1 by @​dependabot[bot] in nodejs/undici#5162
• build(deps): bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 by @​dependabot[bot] in nodejs/undici#5156
• chore(http2): collapse duplicate request stream setup by @​trivikr in nodejs/undici#5140
• perf(client): cache HTTP/2 authority by @​trivikr in nodejs/undici#5141
• build(deps-dev): bump borp from 0.20.2 to 1.0.0 by @​dependabot[bot] in nodejs/undici#4819
• types: add TOpaque to client connect options by @​samuel871211 in nodejs/undici#4928
• build(deps): bump tinybench from 5.1.0 to 6.0.1 in /benchmarks by @​dependabot[bot] in nodejs/undici#4688
• build(deps): bump codecov/codecov-action from 5.5.1 to 6.0.0 by @​dependabot[bot] in nodejs/undici#4950
• build(deps): bump actions/dependency-review-action from 4.8.1 to 4.9.0 by @​dependabot[bot] in nodejs/undici#4951
• test(fetch): add userinfo coverage for issue-4897 URLs by @​mcollina in nodejs/undici#4901
• perf: avoid duplicate pool dispatcher selection on backpressure by @​trivikr in nodejs/undici#5149
• build(deps): bump actions/setup-node from 6.2.0 to 6.4.0 by @​dependabot[bot] in nodejs/undici#5163
• build(deps): bump step-security/harden-runner from 2.14.1 to 2.19.1 by @​dependabot[bot] in nodejs/undici#5160
• build(deps): bump cronometro from 5.3.0 to 6.0.3 in /benchmarks by @​dependabot[bot] in nodejs/undici#4687
• build(deps): bump github/codeql-action from 4.35.1 to 4.35.3 by @​dependabot[bot] in nodejs/undici#5161
• build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by @​dependabot[bot] in nodejs/undici#4853
• build(deps): bump hendrikmuhs/ccache-action from 1.2.22 to 1.2.23 by @​dependabot[bot] in nodejs/undici#5158
• build(deps): bump fastify/github-action-merge-dependabot from 3.11.2 to 3.12.0 by @​dependabot[bot] in nodejs/undici#5159
• build(deps-dev): bump c8 from 10.1.3 to 11.0.0 by @​dependabot[bot] in nodejs/undici#4854
• build(deps): bump uWebSockets.js from v20.64.0 to v20.66.0 in /benchmarks by @​dependabot[bot] in nodejs/undici#5130
• docs: mention install() also installs WebSocket globals by @​mcollina in nodejs/undici#5174
• types: stop interfering with @​types/node by @​Renegade334 in nodejs/undici#5173
• fix: align h2 empty body content-length methods with h1 by @​trivikr in nodejs/undici#5172
• build(deps-dev): bump fast-check from 4.6.0 to 4.7.0 by @​dependabot[bot] in nodejs/undici#5192
• build(deps-dev): bump typescript from 6.0.2 to 6.0.3 by @​dependabot[bot] in nodejs/undici#5191
• test: move cleanup from finally to after hooks by @​trivikr in nodejs/undici#5194
• test: resolve flaky timeout in issue-3356 by @​trivikr in nodejs/undici#5188
• SnapshotAgent: Add normalizeBody and normalizeQuery by @​GeoffreyBooth in nodejs/undici#5121
• fix(socks5): use configured connector in Socks5ProxyAgent by @​trivikr in nodejs/undici#5168
• perf(http2): avoid isArray checks for common headers by @​trivikr in nodejs/undici#5170
• fix(test): make deduplicate body-streaming test non-flaky by @​mcollina in nodejs/undici#5196
• test(retry): add regression test for RetryAgent + HTTP/2 stream timeout (#5137) by @​mcollina in nodejs/undici#5176
• fix(socks5): preserve dispatch backpressure return value by @​trivikr in nodejs/undici#5166
• perf(http2): end zero-length request bodies with headers by @​trivikr in nodejs/undici#5169
• fix(test): make issue-2898-comment.js assertion robust against flakiness by @​mcollina in nodejs/undici#5208
• test: disable timeouts in h2 high concurrency regression by @​trivikr in nodejs/undici#5205
• test: deflake stream compat coverage by @​mcollina in nodejs/undici#5209
• fix(dispatcher): remove unreachable assert in writeBlob by @​SAY-5 in nodejs/undici#5231
• fix: clean up benchmark resources before worker exit by @​trivikr in nodejs/undici#5225
• test: avoid per-chunk assertions in diagnostics get by @​trivikr in nodejs/undici#5224
• test: capture cache test worker stderr and preserve failures by @​trivikr in nodejs/undici#5206
• chore: gitignore benchmarks/package-lock.json by @​trivikr in nodejs/undici#5228
• perf(proxy-agent): avoid extra header allocations in auth guard by @​trivikr in nodejs/undici#5164
• test(wpt): retry WPT server startup on port conflicts or timeout by @​trivikr in nodejs/undici#5215
• test: make websocket diagnostics ping-pong ordering deterministic by @​trivikr in nodejs/undici#5222
• test(websocket): fix flaky send test by @​mcollina in nodejs/undici#5232

... (truncated)

Commits

• aa33b19 Bumped v8.3.0 (#5305)
• f33a6cb test: fix flaky http2-dispatcher WebSocket upgrade tests (#5304)
• ca0cb16 build(deps): bump uWebSockets.js in /benchmarks (#5299)
• e1f9035 build(deps-dev): bump jest from 30.3.0 to 30.4.2 (#5297)
• 314ba6a perf(client-h2): reuse request upgrade stream handlers (#5293)
• be9a544 Add Node 26 to the matrix (#5271)
• 45f7bd3 test: retry crashed cache-test workers once (#5294)
• 08cf765 build(deps-dev): bump fast-check from 4.7.0 to 4.8.0 (#5298)
• df5ded9 cache formdata boundary (#5292)
• e101dcb test: include after in parser-issues (#5284)
• Additional commits viewable in compare view

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/undici	8.3.0	🟢 8.4	Details Check Score Reason Security-Policy 🟢 10 security policy file detected Code-Review 🟢 10 all changesets reviewed Dependency-Update-Tool 🟢 10 update tool detected Maintained 🟢 10 30 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 8 binaries present in source code Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies 🟢 6 dependency not pinned by hash detected -- score normalized to 6 License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Fuzzing 🟢 10 project is fuzzed Packaging 🟢 10 packaging workflow detected Vulnerabilities 🟢 9 1 existing vulnerabilities detected SAST 🟢 9 SAST tool detected but not run on all commits Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md CI-Tests 🟢 10 30 out of 30 merged PRs checked by a CI test -- score normalized to 10 Contributors 🟢 10 project has 74 contributing companies or organizations

Scanned Files

• package-lock.json

[Lomilar]

@dependabot rebase

[dependabot]

Superseded by #472.