deps: update undici to 7.9.0 · nodejs/node@1091066
@@ -261,12 +261,22 @@ const readableWebStream = response.body
261261const readableNodeStream = Readable.fromWeb(readableWebStream)
262262```
263263264-#### Specification Compliance
264+## Specification Compliance
265265266-This section documents parts of the [Fetch Standard](https://fetch.spec.whatwg.org) that Undici does
266+This section documents parts of the [HTTP/1.1](https://www.rfc-editor.org/rfc/rfc9110.html) and [Fetch Standard](https://fetch.spec.whatwg.org) that Undici does
267267not support or does not fully implement.
268268269-##### Garbage Collection
269+#### CORS
270+271+Unlike browsers, Undici does not implement CORS (Cross-Origin Resource Sharing) checks by default. This means:
272+273+- No preflight requests are automatically sent for cross-origin requests
274+- No validation of `Access-Control-Allow-Origin` headers is performed
275+- Requests to any origin are allowed regardless of the source
276+277+This behavior is intentional for server-side environments where CORS restrictions are typically unnecessary. If your application requires CORS-like protections, you will need to implement these checks manually.
278+279+#### Garbage Collection
270280271281* https://fetch.spec.whatwg.org/#garbage-collection
272282@@ -307,7 +317,7 @@ const headers = await fetch(url, { method: 'HEAD' })
307317 .then(res => res.headers)
308318```
309319310-##### Forbidden and Safelisted Header Names
320+#### Forbidden and Safelisted Header Names
311321312322* https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name
313323* https://fetch.spec.whatwg.org/#forbidden-header-name
@@ -316,7 +326,7 @@ const headers = await fetch(url, { method: 'HEAD' })
316326317327The [Fetch Standard](https://fetch.spec.whatwg.org) requires implementations to exclude certain headers from requests and responses. In browser environments, some headers are forbidden so the user agent remains in full control over them. In Undici, these constraints are removed to give more control to the user.
318328319-### `undici.upgrade([url, options]): Promise`
329+#### `undici.upgrade([url, options]): Promise`
320330321331Upgrade to a different protocol. See [MDN - HTTP - Protocol upgrade mechanism](https://developer.mozilla.org/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism) for more details.
322332@@ -378,20 +388,15 @@ Returns: `URL`
378388* **protocol** `string` (optional)
379389* **search** `string` (optional)
380390381-## Specification Compliance
382-383-This section documents parts of the HTTP/1.1 specification that Undici does
384-not support or does not fully implement.
385-386-### Expect
391+#### Expect
387392388393Undici does not support the `Expect` request header field. The request
389394body is always immediately sent and the `100 Continue` response will be
390395ignored.
391396392397Refs: https://tools.ietf.org/html/rfc7231#section-5.1.1
393398394-### Pipelining
399+#### Pipelining
395400396401Undici will only use pipelining if configured with a `pipelining` factor
397402greater than `1`. Also it is important to pass `blocking: false` to the
@@ -412,7 +417,7 @@ aborted.
412417* Refs: https://tools.ietf.org/html/rfc2616#section-8.1.2.2
413418* Refs: https://tools.ietf.org/html/rfc7230#section-6.3.2
414419415-### Manual Redirect
420+#### Manual Redirect
416421417422Since it is not possible to manually follow an HTTP redirect on the server-side,
418423Undici returns the actual response instead of an `opaqueredirect` filtered one
@@ -421,9 +426,9 @@ implementations in Deno and Cloudflare Workers.
421426422427Refs: https://fetch.spec.whatwg.org/#atomic-http-redirect-handling
423428424-## Workarounds
429+### Workarounds
425430426-### Network address family autoselection.
431+#### Network address family autoselection.
427432428433If you experience problem when connecting to a remote server that is resolved by your DNS servers to a IPv6 (AAAA record)
429434first, there are chances that your local router or ISP might have problem connecting to IPv6 networks. In that case