deps: update nghttp2 to 1.69.0, with fixes for some integration issues#62867
deps: update nghttp2 to 1.69.0, with fixes for some integration issues#62867pimterry wants to merge 2 commits intonodejs:mainfrom
Conversation
|
Review requested:
|
nodejs-github-bot
added
lib / src
This is a manual dep update due to changes in v1.67.0+ which require a selection of changes to how we handle low-level protocol errors when using the latest versions of nghttp2, changing both some src details and updating some tests to match. Signed-off-by: Tim Perry <pimterry@gmail.com>
pimterry
force-pushed
the
nghttp2-update-fix
branch
from
5b342e0 to
425e347
Compare
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #62867 +/- ##
==========================================
- Coverage 89.62% 89.60% -0.03%
==========================================
Files 706 706
Lines 219140 219160 +20
Branches 41984 41986 +2
==========================================
- Hits 196415 196372 -43
- Misses 14618 14671 +53
- Partials 8107 8117 +10
🚀 New features to boost your workflow:
|
Signed-off-by: Tim Perry <pimterry@gmail.com>
|
Shared libs build failed. Our nix setup uses a previous nghttp2 version, so the test changes here fail in that environment. I've never touched nix but I've pushed what I think is the correct solution to update our test env to the latest nghttp2 manually, since that nixpkgs is still using v1.67.1 🤞 The build failures here in that environment aren't anything unexpected, it's just two specific assertions on error codes & messages that differ, due to the changes described above. |
|
Can we have the bot generate the nghttp2 update, and you can push the additional changes as a follow up commit in the same PR? That way, it's much easier to review |
3 participants
See #62381 and #60661 for context.
This is a manual dep update due to changes in nghttp2 v1.67.0+ which now treats some stream-level errors as session errors, and internally sends GOAWAY frames to kill the connection (without calling the
on_invalid_framecallback). That requires some fixes here to detect those internally triggered GOAWAYs and expose these as HTTP/2 session errors at the end of the core nghttp2 write loop.Some of these changes will result in user-visible differences to how protocol errors are exposed in Node, moving some error events from the stream to the session, and exposing some errors where previously they were swallowed. After the changes in 1.69.0 (as opposed to 1.67 & 1.68) this only applies to low-level protocol failures like broken flow control or compression failures, not to HTTP validation errors more generally.
This is unfortunate, and in that context it's debatable whether this is a breaking change (new errors from the same traffic) or just a bugfix (we shouldn't silently swallow serious protocol errors) but we can't realistically avoid this if we want to keep nghttp2 up to date, and in some unbundled scenarios the latest nghttp2 will be used regardless. For anything non-trivial this shouldn't cause problems since session errors need to be handled by all applications to deal with existing common production issues like connection resets anyway. The changed behaviour only applies to connections that hit serious protocol errors, and doesn't change anything in normal expected flows.
See the test changes for some examples of how this changes behaviour in practice - the vast majority of h2 tests are unchanged, it's just a couple of specific invalid traffic cases that change. I've also added a new test as well to confirm specifically that we cover the new internally triggered GOAWAYs correctly, and tightened up some checks on the existing tests to confirm everything is working correctly there.
Fixes #60661