Skip to content

net - chore: upgrade undici to 8 (breaking)#1682

Merged
jaredwray merged 1 commit into
mainfrom
claude/cacheable-dependency-management-d6gb1r
Jul 8, 2026
Merged

net - chore: upgrade undici to 8 (breaking)#1682
jaredwray merged 1 commit into
mainfrom
claude/cacheable-dependency-management-d6gb1r

Conversation

@jaredwray

Copy link
Copy Markdown
Owner

Please check if the PR fulfills these requirements

  • Followed the Contributing guidelines and Code of Conduct
  • Tests for the changes have been added (for bug fixes/features) with 100% code coverage. — N/A: dependency-only upgrade with no source changes.

What kind of change does this PR introduce?

Maintenance (chore) — runtime phase, major upgrade of undici in @cacheable/net. The final dependency major of this pass. Marked (breaking) for the major bump; no code changes were needed.

Versions

  • undici ^7.24.5^8.6.0 (@cacheable/net, dependency)

Breaking notes

  • No code changes required. @cacheable/net uses undici only for its types (RequestInit, Response) and re-exports RequestInit as FetchRequestInit; runtime fetching uses Node's global fetch (deliberately, to keep instanceof checks aligned with Node's bundled undici). net's source type-checks cleanly against undici 8 — verified with tsc --noEmit, since net builds with tsdown which doesn't type-check.
  • @cacheable/net declares no engines field, so there's no engine-floor mismatch to reconcile.

Verification

  • pnpm build + node scripts/test-build.mjs pass for all packages
  • tsc --noEmit on @cacheable/net src is clean against undici 8
  • pnpm test@cacheable/net passes all 212 tests at 100% coverage; other packages unaffected (undici is net-only). The only repo-wide failures remain the 3 pre-existing sandbox-only ones (mockhttp.org:8080; two file-entry-cache chmod-under-root tests), which pass on GitHub CI.

Generated by Claude Code

undici ^7.24.5 -> ^8.6.0 (@cacheable/net dependency).

No code changes required. @cacheable/net uses undici only for its types
(RequestInit, Response) and re-exports RequestInit as FetchRequestInit;
runtime fetching uses Node's global fetch (to keep instanceof checks aligned
with Node's bundled undici). net's source type-checks cleanly against
undici 8 (verified with tsc --noEmit, since net builds with tsdown which
doesn't type-check), and its 212 tests pass at 100%.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01P1TBuMiXotBjpNHYcbwvqf
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedundici@​8.6.09510010097100

View full report

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request upgrades the undici dependency in packages/net/package.json from version ^7.24.5 to ^8.6.0, with corresponding updates made to the pnpm-lock.yaml file. I have no feedback to provide.

@codecov

codecov Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (3c9b7a2) to head (7e241ae).

Additional details and impacted files
@@            Coverage Diff            @@
##              main     #1682   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           29        29           
  Lines         3504      3504           
  Branches       796       796           
=========================================
  Hits          3504      3504           

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@jaredwray jaredwray merged commit c21df29 into main Jul 8, 2026
12 checks passed
@jaredwray jaredwray deleted the claude/cacheable-dependency-management-d6gb1r branch July 8, 2026 20:27

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 7e241ae27b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread packages/net/package.json
"hookified": "^3.0.1",
"http-cache-semantics": "^4.2.0",
"undici": "^7.24.5"
"undici": "^8.6.0"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Surface the transitive Node 22.19 requirement

With this dependency bump, the lockfile resolves undici@8.6.0 with engines: { node: '>=22.19.0' }, while @cacheable/net still declares no engines field. Projects installing @cacheable/net on Node 20 or Node 22.18 with engine-strict package managers can now fail during install even though this package does not advertise the new runtime floor; either keep the dependency on the Node-20-compatible undici line or add the matching engine requirement so consumers get a clear supported runtime.

Useful? React with 👍 / 👎.

jaredwray added a commit that referenced this pull request Jul 8, 2026
Catch-up minor bump within undici 8 (8.6.0 -> 8.7.0), following the
undici 8 major migration in #1682. `undici` is used type-only in
@cacheable/net (the RequestInit / Response types); the actual fetch
runs through Node's global fetch, so this only refreshes the type
definitions.

Verified: build, `tsc --noEmit` on net, 212/212 net tests, and the
build-artifact validation (runtime + publint + attw) all pass.


Claude-Session: https://claude.ai/code/session_01P1TBuMiXotBjpNHYcbwvqf

Co-authored-by: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants