Gathering detailed insights and metrics for undici
undici-types
A stand-alone types package for Undici
@opentelemetry/instrumentation-undici
OpenTelemetry instrumentation for `undici` http client and Node.js fetch()
urllib
Help in opening URLs (mostly HTTP) in a complex world — basic and digest authentication, redirections, timeout and more. Base undici API.
cross-undici-fetch
Cross Platform Smart Fetch Ponyfill
npm install undici
98.7
Supply Chain
99.3
Quality
93.6
Maintenance
100
Vulnerability
100
License
JavaScript (96.63%)
TypeScript (3.36%)
Shell (0.01%)
MIT License
6,940 Stars
3,426 Commits
648 Forks
50 Watchers
76 Branches
324 Contributors
Updated on Jul 15, 2025
Latest Version: 7.11.0
Package Id: undici@7.11.0
Unpacked Size: 1.31 MB
Size: 327.07 kB
File Count: 190
NPM Version: 11.4.2
Node Version: 20.19.2
Published on: Jun 26, 2025
An HTTP/1.1 client, written from scratch for Node.js.
Undici means eleven in Italian. 1.1 -> 11 -> Eleven -> Undici. It is also a Stranger Things reference.
Have a question about using Undici? Open a Q&A Discussion or join our official OpenJS Slack channel.
Looking to contribute? Start by reading the contributing guide
npm i undici
The benchmark is a simple data-fetching example using 50 TCP connections with a pipelining depth of 10, running on Node 22.11.0.
┌────────────────────────┬─────────┬────────────────────┬────────────┬─────────────────────────┐
│ Tests │ Samples │ Result │ Tolerance │ Difference with slowest │
├────────────────────────┼─────────┼────────────────────┼────────────┼─────────────────────────┤
│ 'axios' │ 15 │ '5708.26 req/sec' │ '± 2.91 %' │ '-' │
│ 'http - no keepalive' │ 10 │ '5809.80 req/sec' │ '± 2.30 %' │ '+ 1.78 %' │
│ 'request' │ 30 │ '5828.80 req/sec' │ '± 2.91 %' │ '+ 2.11 %' │
│ 'undici - fetch' │ 40 │ '5903.78 req/sec' │ '± 2.87 %' │ '+ 3.43 %' │
│ 'node-fetch' │ 10 │ '5945.40 req/sec' │ '± 2.13 %' │ '+ 4.15 %' │
│ 'got' │ 35 │ '6511.45 req/sec' │ '± 2.84 %' │ '+ 14.07 %' │
│ 'http - keepalive' │ 65 │ '9193.24 req/sec' │ '± 2.92 %' │ '+ 61.05 %' │
│ 'superagent' │ 35 │ '9339.43 req/sec' │ '± 2.95 %' │ '+ 63.61 %' │
│ 'undici - pipeline' │ 50 │ '13364.62 req/sec' │ '± 2.93 %' │ '+ 134.13 %' │
│ 'undici - stream' │ 95 │ '18245.36 req/sec' │ '± 2.99 %' │ '+ 219.63 %' │
│ 'undici - request' │ 50 │ '18340.17 req/sec' │ '± 2.84 %' │ '+ 221.29 %' │
│ 'undici - dispatch' │ 40 │ '22234.42 req/sec' │ '± 2.94 %' │ '+ 289.51 %' │
└────────────────────────┴─────────┴────────────────────┴────────────┴─────────────────────────┘
Node.js includes a built-in fetch() implementation powered by undici starting from Node.js v18. However, there are important differences between using the built-in fetch and installing undici as a separate module.
Node.js's built-in fetch is powered by a bundled version of undici:
```js
// Available globally in Node.js v18+
const response = await fetch('https://api.example.com/data');
const data = await response.json();

// Check the bundled undici version
console.log(process.versions.undici); // e.g., "5.28.4"
```
Pros:
Cons:
TypeError)
Installing undici as a separate module gives you access to the latest features and APIs:
```
npm install undici
```
```js
import { request, fetch, Agent, setGlobalDispatcher } from 'undici';

// Use undici.request for maximum performance
const { statusCode, headers, body } = await request('https://api.example.com/data');
const data = await body.json();

// Or use undici.fetch with custom configuration
const agent = new Agent({ keepAliveTimeout: 10000 });
setGlobalDispatcher(agent);
const response = await fetch('https://api.example.com/data');
```
Pros:
request, stream, pipeline)
undici.request
ProxyAgent, MockAgent
Cons:
ProxyAgent, MockAgent, etc.)
undici.request for maximum speed)
Based on benchmarks, here's the typical performance hierarchy:
undici.request() - Fastest, most efficient
undici.fetch() - Good performance, standard compliance
http/https - Baseline performance
If you're currently using built-in fetch and want to migrate to undici:
```js
// Before: Built-in fetch
const response = await fetch('https://api.example.com/data');

// After: Undici fetch (drop-in replacement)
import { fetch } from 'undici';
const response = await fetch('https://api.example.com/data');

// Or: Undici request (better performance)
import { request } from 'undici';
const { statusCode, body } = await request('https://api.example.com/data');
const data = await body.json();
```
You can check which version of undici is bundled with your Node.js version:
```js
console.log(process.versions.undici);
```
Installing undici as a module allows you to use a newer version than what's bundled with Node.js, giving you access to the latest features and performance improvements.
```js
import { request } from 'undici'

const {
  statusCode,
  headers,
  trailers,
  body
} = await request('http://localhost:3000/foo')

console.log('response received', statusCode)
console.log('headers', headers)

for await (const data of body) { console.log('data', data) }

console.log('trailers', trailers)
```
Undici provides an install() function to add all WHATWG fetch classes to globalThis, making them available globally:
```js
import { install } from 'undici'

// Install all WHATWG fetch classes globally
install()

// Now you can use fetch classes globally without importing
const response = await fetch('https://api.example.com/data')
const data = await response.json()

// All classes are available globally:
const headers = new Headers([['content-type', 'application/json']])
const request = new Request('https://example.com')
const formData = new FormData()
const ws = new WebSocket('wss://example.com')
const eventSource = new EventSource('https://example.com/events')
```
The install() function adds the following classes to globalThis:
fetch - The fetch function
Headers - HTTP headers management
Response - HTTP response representation
Request - HTTP request representation
FormData - Form data handling
WebSocket - WebSocket client
CloseEvent, ErrorEvent, MessageEvent - WebSocket events
EventSource - Server-sent events client
This is useful for:
The body mixins are the most common way to format the request/response body. Mixins include:
Note: The body returned from undici.request does not implement .formData().
Example usage:
```js
import { request } from 'undici'

const {
  statusCode,
  headers,
  trailers,
  body
} = await request('http://localhost:3000/foo')

console.log('response received', statusCode)
console.log('headers', headers)
console.log('data', await body.json())
console.log('trailers', trailers)
```
Note: Once a mixin has been called then the body cannot be reused, thus calling additional mixins on .body, e.g. .body.json(); .body.text() will result in an error TypeError: unusable being thrown and returned through the Promise rejection.
Should you need to access the body in plain-text after using a mixin, the best practice is to use the .text() mixin first and then manually parse the text to the desired format.
For more information about their behavior, please reference the body mixin from the Fetch Standard.
This section documents our most commonly used API methods. Additional APIs are documented in their own files within the docs folder and are accessible via the navigation list on the left side of the docs site.
undici.request([url, options]): Promise
Arguments:
string | URL | UrlObject
RequestOptions
Dispatcher - Default: getGlobalDispatcher
String - Default: PUT if options.body, otherwise GET
Returns a promise with the result of the Dispatcher.request method.
Calls options.dispatcher.request(options).
See Dispatcher.request for more details, and request examples for examples.
undici.stream([url, options, ]factory): Promise
Arguments:
string | URL | UrlObject
StreamOptions
Dispatcher - Default: getGlobalDispatcher
String - Default: PUT if options.body, otherwise GET
Dispatcher.stream.factory
Returns a promise with the result of the Dispatcher.stream method.
Calls options.dispatcher.stream(options, factory).
See Dispatcher.stream for more details.
undici.pipeline([url, options, ]handler): Duplex
Arguments:
string | URL | UrlObject
PipelineOptions
Dispatcher - Default: getGlobalDispatcher
String - Default: PUT if options.body, otherwise GET
Dispatcher.pipeline.handler
Returns: stream.Duplex
Calls options.dispatcher.pipeline(options, handler).
See Dispatcher.pipeline for more details.
undici.connect([url, options]): Promise
Starts two-way communications with the requested resource using HTTP CONNECT.
Arguments:
string | URL | UrlObject
ConnectOptions
Dispatcher - Default: getGlobalDispatcher
(err: Error | null, data: ConnectData | null) => void (optional)
Returns a promise with the result of the Dispatcher.connect method.
Calls options.dispatcher.connect(options).
See Dispatcher.connect for more details.
undici.fetch(input[, init]): Promise
Implements fetch.
Basic usage example:
```js
import { fetch } from 'undici'

const res = await fetch('https://example.com')
const json = await res.json()
console.log(json)
```
You can pass an optional dispatcher to fetch as:
```js
import { fetch, Agent } from 'undici'

const res = await fetch('https://example.com', {
  // Mocks are also supported
  dispatcher: new Agent({
    keepAliveTimeout: 10,
    keepAliveMaxTimeout: 10
  })
})
const json = await res.json()
console.log(json)
```
request.body
A body can be of the following types:
In this implementation of fetch, request.body now accepts Async Iterables. It is not present in the Fetch Standard.
```js
import { fetch } from 'undici'

const data = {
  async *[Symbol.asyncIterator]() {
    yield 'hello'
    yield 'world'
  },
}

await fetch('https://example.com', { body: data, method: 'POST', duplex: 'half' })
```
FormData besides text data and buffers can also utilize streams via Blob objects:
```js
import { openAsBlob } from 'node:fs'

const file = await openAsBlob('./big.csv')
const body = new FormData()
body.set('file', file, 'big.csv')

await fetch('http://example.com', { method: 'POST', body })
```
request.duplex
'half'
In this implementation of fetch, request.duplex must be set if request.body is ReadableStream or Async Iterables, however, even though the value must be set to 'half', it is actually a full duplex. For more detail refer to the Fetch Standard.
response.body
Node.js has two kinds of streams: web streams, which follow the API of the WHATWG web standard found in browsers, and an older Node-specific streams API. response.body returns a readable web stream. If you would prefer to work with a Node stream you can convert a web stream using .fromWeb().
```js
import { fetch } from 'undici'
import { Readable } from 'node:stream'

const response = await fetch('https://example.com')
const readableWebStream = response.body
const readableNodeStream = Readable.fromWeb(readableWebStream)
```
This section documents parts of the HTTP/1.1 and Fetch Standard that Undici does not support or does not fully implement.
Unlike browsers, Undici does not implement CORS (Cross-Origin Resource Sharing) checks by default. This means:
Access-Control-Allow-Origin headers is performed
This behavior is intentional for server-side environments where CORS restrictions are typically unnecessary. If your application requires CORS-like protections, you will need to implement these checks manually.
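One way to implement such a check by hand, as an added example that is not part of undici or its documentation: it applies the Fetch Standard's CORS check to a response and cancels the body when the check fails. The names corsCheck, fetchForOrigin and withCredentials are assumptions made for this sketch.

```javascript
// Added example, not undici code: a manual CORS-style gate for server-side
// fetch, following the Fetch Standard's CORS check. Names are illustrative.

// True when `response` may be shared with code acting for `origin`.
function corsCheck(response, origin, { withCredentials = false } = {}) {
  const allowOrigin = response.headers.get('access-control-allow-origin');
  if (allowOrigin === null) return false; // header absent: fail closed
  // The wildcard only counts for requests made without credentials.
  if (!withCredentials && allowOrigin === '*') return true;
  // Otherwise the value must equal the serialized origin exactly. Several
  // header values come back joined as "a, b" and therefore never match.
  if (allowOrigin !== new URL(origin).origin) return false;
  if (!withCredentials) return true;
  // Credentialed requests also need Access-Control-Allow-Credentials: true.
  return response.headers.get('access-control-allow-credentials') === 'true';
}

// fetch() on behalf of `origin`; rejects when the CORS check fails.
async function fetchForOrigin(url, origin, { withCredentials = false, ...init } = {}) {
  const headers = new Headers(init.headers);
  headers.set('origin', new URL(origin).origin);
  const response = await fetch(url, { ...init, headers });
  if (!corsCheck(response, origin, { withCredentials })) {
    await response.body?.cancel(); // do not leave the connection to the GC
    throw new TypeError(`CORS check failed for ${origin}`);
  }
  return response;
}
```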
The Fetch Standard allows users to skip consuming the response body by relying on garbage collection to release connection resources. Undici does not do the same. Therefore, it is important to always either consume or cancel the response body.
Garbage collection in Node is less aggressive and deterministic (due to the lack of clear idle periods that browsers have through the rendering refresh rate) which means that leaving the release of connection resources to the garbage collector can lead to excessive connection usage, reduced performance (due to less connection re-use), and even stalls or deadlocks when running out of connections.
```js
// Do
const { body, headers } = await fetch(url);
for await (const chunk of body) {
  // force consumption of body
}

// Do not
const { headers } = await fetch(url);
```
The same applies for request too:
```js
// Do
const { body, headers } = await request(url);
await body.dump(); // force consumption of body

// Do not
const { headers } = await request(url);
```
However, if you want to get only headers, it might be better to use the HEAD request method. Using this method obviates the need to consume or cancel the response body. See MDN - HTTP - HTTP request methods - HEAD for more details.
```js
const headers = await fetch(url, { method: 'HEAD' })
  .then(res => res.headers)
```
The Fetch Standard requires implementations to exclude certain headers from requests and responses. In browser environments, some headers are forbidden so the user agent remains in full control over them. In Undici, these constraints are removed to give more control to the user.
undici.upgrade([url, options]): Promise
Upgrade to a different protocol. See MDN - HTTP - Protocol upgrade mechanism for more details.
Arguments:
string | URL | UrlObject
UpgradeOptions
Dispatcher - Default: getGlobalDispatcher
(error: Error | null, data: UpgradeData) => void (optional)
Returns a promise with the result of the Dispatcher.upgrade method.
Calls options.dispatcher.upgrade(options).
See Dispatcher.upgrade for more details.
undici.setGlobalDispatcher(dispatcher)
Dispatcher
Sets the global dispatcher used by Common API Methods. The global dispatcher is shared among compatible undici modules, including the undici that is bundled internally with Node.js.
undici.getGlobalDispatcher()
Gets the global dispatcher used by Common API Methods.
Returns: Dispatcher
undici.setGlobalOrigin(origin)
string | URL | undefined
Sets the global origin used in fetch.
If undefined is passed, the global origin will be reset. This will cause Response.redirect, new Request(), and fetch to throw an error when a relative path is passed.
```js
import { setGlobalOrigin, fetch } from 'undici'

setGlobalOrigin('http://localhost:3000')

const response = await fetch('/api/ping')

console.log(response.url) // http://localhost:3000/api/ping
```
undici.getGlobalOrigin()
Gets the global origin used in fetch.
Returns: URL
UrlObject
string | number (optional)
string (optional)
string (optional)
string (optional)
string (optional)
string (optional)
string (optional)
Undici does not support the Expect request header field. The request body is always immediately sent and the 100 Continue response will be ignored.
Refs: https://tools.ietf.org/html/rfc7231#section-5.1.1
Undici will only use pipelining if configured with a pipelining factor greater than 1. Also it is important to pass blocking: false to the request options to properly pipeline requests.
Undici always assumes that connections are persistent and will immediately pipeline requests, without checking whether the connection is persistent. Hence, automatic fallback to HTTP/1.0 or HTTP/1.1 without pipelining is not supported.
Undici will immediately pipeline when retrying requests after a failed connection. However, Undici will not retry the first remaining requests in the prior pipeline and instead error the corresponding callback/promise/stream.
Undici will abort all running requests in the pipeline when any of them are aborted.
Since it is not possible to manually follow an HTTP redirect on the server-side, Undici returns the actual response instead of an opaqueredirect filtered one when invoked with a manual redirect. This aligns fetch() with the other implementations in Deno and Cloudflare Workers.
Refs: https://fetch.spec.whatwg.org/#atomic-http-redirect-handling
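Because a manual redirect returns the real response, the caller decides what each hop carries. The sketch below is an added example, not undici code: it follows redirects by hand and drops credential headers when the origin changes, the behaviour several advisories listed on this page concern. The helper names, the hop limit and the a.example / b.example hosts used to exercise it are assumptions.

```javascript
// Added example, not undici code: follow redirects by hand on top of
// fetch(url, { redirect: 'manual' }). Helper names are illustrative.
const REDIRECT_STATUSES = new Set([301, 302, 303, 307, 308]);
const CREDENTIAL_HEADERS = ['authorization', 'proxy-authorization', 'cookie'];
const BODY_HEADERS = ['content-type', 'content-length', 'content-encoding',
  'content-language', 'content-location'];

// Build the request for the next hop, or return null when `status` and
// `location` do not describe a redirect.
function nextHop(currentUrl, status, location, init = {}) {
  if (!REDIRECT_STATUSES.has(status) || !location) return null;
  const from = new URL(currentUrl);
  const to = new URL(location, from); // Location may be relative
  if (to.protocol !== 'http:' && to.protocol !== 'https:') {
    throw new TypeError(`refusing redirect to ${to.protocol} URL`);
  }
  const headers = new Headers(init.headers);
  if (to.origin !== from.origin) {
    // Credentials were meant for the original origin only.
    for (const name of CREDENTIAL_HEADERS) headers.delete(name);
  }
  let method = String(init.method ?? 'GET').toUpperCase();
  let body = init.body;
  // 303 (except GET/HEAD) and 301/302 after POST continue as a body-less GET.
  const rewriteToGet = (status === 303 && method !== 'GET' && method !== 'HEAD') ||
    ((status === 301 || status === 302) && method === 'POST');
  if (rewriteToGet) {
    method = 'GET';
    body = undefined;
    for (const name of BODY_HEADERS) headers.delete(name);
  }
  return { url: to.href, init: { ...init, method, body, headers, redirect: 'manual' } };
}

// Fetch `url`, following at most `maxRedirects` hops through nextHop().
async function fetchFollowing(url, init = {}, maxRedirects = 5) {
  let req = { url: String(url), init: { ...init, redirect: 'manual' } };
  for (let hops = 0; hops <= maxRedirects; hops++) {
    const res = await fetch(req.url, req.init);
    const next = nextHop(req.url, res.status, res.headers.get('location'), req.init);
    if (next === null) return res;
    await res.body?.cancel(); // release the connection before the next hop
    req = next;
  }
  throw new Error(`more than ${maxRedirects} redirects`);
}
```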
If you experience problems when connecting to a remote server that is resolved by your DNS servers to an IPv6 (AAAA record) address first, there is a chance that your local router or ISP has problems connecting to IPv6 networks. In that case undici will throw an error with code UND_ERR_CONNECT_TIMEOUT.
If the target server resolves to both an IPv6 and an IPv4 (A record) address and you are using a compatible Node version (18.3.0 and above), you can fix the problem by providing the autoSelectFamily option (supported by both undici.request and undici.Agent), which will enable the family autoselection algorithm when establishing the connection.
Undici aligns with the Node.js LTS schedule. The following table shows the supported versions:
Version | Node.js | End of Life |
---|---|---|
5.x | v18.x | 2024-04-30 |
6.x | v20.x v22.x | 2026-04-30 |
7.x | v24.x | 2027-04-30 |
MIT
Score | Summary | Affected Versions | Patched Versions |
---|---|---|---|
7.5/10 | Regular Expression Denial of Service in Headers | < 5.19.1 | 5.19.1 |
7.7/10 | ProxyAgent vulnerable to MITM | >= 4.8.2, <= 5.5.0 | 5.5.1 |
6.8/10 | Use of Insufficiently Random Values in undici | >= 7.0.0, < 7.2.3 | 7.2.3 |
6.8/10 | Use of Insufficiently Random Values in undici | >= 6.0.0, < 6.21.1 | 6.21.1 |
6.8/10 | Use of Insufficiently Random Values in undici | >= 4.5.0, < 5.28.5 | 5.28.5 |
6.5/10 | fetch(url) leads to a memory leak in undici | >= 6.0.0, <= 6.6.0 | 6.6.1 |
4.6/10 | CRLF Injection in Nodejs ‘undici’ via host | >= 2.0.0, < 5.19.1 | 5.19.1 |
5.3/10 | Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type | <= 5.8.1 | 5.8.2 |
5.3/10 | `undici.request` vulnerable to SSRF using absolute URL on `pathname` | <= 5.8.1 | 5.8.2 |
5.3/10 | undici before v5.8.0 vulnerable to CRLF injection in request headers | < 5.8.0 | 5.8.0 |
3.1/10 | undici Denial of Service attack via bad certificate data | >= 7.0.0, < 7.5.0 | 7.5.0 |
3.1/10 | undici Denial of Service attack via bad certificate data | >= 6.0.0, < 6.21.2 | 6.21.2 |
3.1/10 | undici Denial of Service attack via bad certificate data | < 5.29.0 | 5.29.0 |
2/10 | Undici vulnerable to data leak when using response.arrayBuffer() | >= 6.14.0, < 6.19.2 | 6.19.2 |
2.6/10 | Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect | >= 6.0.0, < 6.11.1 | 6.11.1 |
2.6/10 | Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect | < 5.28.4 | 5.28.4 |
3.9/10 | Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline | >= 6.0.0, < 6.11.1 | 6.11.1 |
3.9/10 | Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline | < 5.28.4 | 5.28.4 |
3.9/10 | Undici proxy-authorization header not cleared on cross-origin redirect in fetch | >= 6.0.0, <= 6.6.0 | 6.6.1 |
3.9/10 | Undici proxy-authorization header not cleared on cross-origin redirect in fetch | <= 5.28.2 | 5.28.3 |
3.9/10 | Undici's cookie header not cleared on cross-origin redirect in fetch | < 5.26.2 | 5.26.2 |
3.7/10 | undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect | < 5.8.0 | 5.8.0 |
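The version bundled with Node.js (process.versions.undici) can lag behind the npm release, so it is worth checking it against the ranges above. The following is an added example, not code from undici or from this site: the summaries and ranges are copied from the advisory list on this page, and the function names are assumptions.

```javascript
// Added example: summaries and ranges are copied from the advisory list on
// this page; the function names are illustrative, not an undici or npm API.
const ADVISORIES = [ // [summary, affected range, patched version]
  ["Regular Expression Denial of Service in Headers", "< 5.19.1", "5.19.1"],
  ["ProxyAgent vulnerable to MITM", ">= 4.8.2, <= 5.5.0", "5.5.1"],
  ["Use of Insufficiently Random Values in undici", ">= 7.0.0, < 7.2.3", "7.2.3"],
  ["Use of Insufficiently Random Values in undici", ">= 6.0.0, < 6.21.1", "6.21.1"],
  ["Use of Insufficiently Random Values in undici", ">= 4.5.0, < 5.28.5", "5.28.5"],
  ["fetch(url) leads to a memory leak in undici", ">= 6.0.0, <= 6.6.0", "6.6.1"],
  ["CRLF Injection in Nodejs ‘undici’ via host", ">= 2.0.0, < 5.19.1", "5.19.1"],
  ["Nodejs ‘undici’ vulnerable to CRLF Injection via Content-Type", "<= 5.8.1", "5.8.2"],
  ["`undici.request` vulnerable to SSRF using absolute URL on `pathname`", "<= 5.8.1", "5.8.2"],
  ["undici before v5.8.0 vulnerable to CRLF injection in request headers", "< 5.8.0", "5.8.0"],
  ["undici Denial of Service attack via bad certificate data", ">= 7.0.0, < 7.5.0", "7.5.0"],
  ["undici Denial of Service attack via bad certificate data", ">= 6.0.0, < 6.21.2", "6.21.2"],
  ["undici Denial of Service attack via bad certificate data", "< 5.29.0", "5.29.0"],
  ["Undici vulnerable to data leak when using response.arrayBuffer()", ">= 6.14.0, < 6.19.2", "6.19.2"],
  ["Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect", ">= 6.0.0, < 6.11.1", "6.11.1"],
  ["Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect", "< 5.28.4", "5.28.4"],
  ["Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline", ">= 6.0.0, < 6.11.1", "6.11.1"],
  ["Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline", "< 5.28.4", "5.28.4"],
  ["Undici proxy-authorization header not cleared on cross-origin redirect in fetch", ">= 6.0.0, <= 6.6.0", "6.6.1"],
  ["Undici proxy-authorization header not cleared on cross-origin redirect in fetch", "<= 5.28.2", "5.28.3"],
  ["Undici's cookie header not cleared on cross-origin redirect in fetch", "< 5.26.2", "5.26.2"],
  ["undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect", "< 5.8.0", "5.8.0"],
];

// "v7.11.0" -> [7, 11, 0]. Pre-release and build suffixes are ignored here.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new TypeError(`not a semantic version: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison per field, so 7.11.0 sorts after 7.2.3.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// True when `version` satisfies every comma-separated comparator in `range`.
function inRange(version, range) {
  return range.split(',').every((part) => {
    const m = /^\s*(<=|>=|<|>)\s*(\S+)\s*$/.exec(part);
    if (!m) throw new TypeError(`unsupported comparator: ${part}`);
    const c = compareVersions(version, m[2]);
    return { '<': c < 0, '<=': c <= 0, '>': c > 0, '>=': c >= 0 }[m[1]];
  });
}

// Advisories from the list whose affected range contains `version`.
function affectedBy(version) {
  return ADVISORIES
    .filter(([, range]) => inRange(version, range))
    .map(([summary, , patched]) => ({ summary, patched }));
}

// Audit the undici copy bundled with the running Node.js, if it reports one.
function auditBundled() {
  const version = process.versions.undici;
  return version ? { version, advisories: affectedBy(version) } : null;
}
```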
Reason: update tool detected
Reason: 30 commit(s) and 20 issue activity found in the last 90 days -- score normalized to 10
Reason: all changesets reviewed
Reason: no dangerous workflow patterns detected
Reason: 0 existing vulnerabilities detected
Reason: license file detected
Reason: project is fuzzed
Reason: packaging workflow detected
Reason: 30 out of 30 merged PRs checked by a CI test -- score normalized to 10
Reason: project has 85 contributing companies or organizations
Reason: security policy file detected
Reason: SAST tool detected but not run on all commits
Reason: binaries present in source code
Reason: dependency not pinned by hash detected -- score normalized to 3
Reason: detected GitHub workflow tokens with excessive permissions
Reason: no effort to earn an OpenSSF best practices badge detected
Last Scanned on 2025-07-15T10:26:42Z
The Open Source Security Foundation is a cross-industry collaboration to improve the security of open source software (OSS). The Scorecard provides security health metrics for open source projects.