deps: fix llhttp version number

[mhdawson]

It's a bit confusing but I think that we acutally have
llhttp version 6.0.6 in master versus 6.0.4. If I check
out 6.0.4 from the llhttp repo and then generate a
release it is missing changes from what we have in Node.js
Checking out 6.0.6 seems to give the matching release
artifacts.

Signed-off-by: Michael Dawson mdawson@devrus.com

[nodejs-github-bot]

Review requested:

• @nodejs/http
• @nodejs/net

[mhdawson]

@mcollina I think you are probably the best person to confirm this as I think you did the update to pull the newer llhttp version into Node.js.

I was initially confused when I tried to recreate llhttp as part of documenting how to do an update in #43028. I checked out llhttp version v6.0.4 in the llhttp repo, generated and copied on top of what we had in Node.js master. I was confused in that there were a number of fixes that seemed to be missing.

After some poking around I then did the same with 6.0.6 and after the copy the only changes were

• the version change in this PR
• a difference in spacing in one of the files
• Some changes to the README.md, at least one explained by the rename of the primary branch to main.

From that I think we have the version tagged as v6.0.6 in the llhttp repo in Node.js.

[mcollina]

lgtm, likely my bad.

[richardlau]

@mcollina I think you are probably the best person to confirm this as I think you did the update to pull the newer llhttp version into Node.js.

I was initially confused when I tried to recreate llhttp as part of documenting how to do an update in #43028. I checked out llhttp version v6.0.4 in the llhttp repo, generated and copied on top of what we had in Node.js master. I was confused in that there were a number of fixes that seemed to be missing.

After some poking around I then did the same with 6.0.6 and after the copy the only changes were

• the version change in this PR
• a difference in spacing in one of the files
• Some changes to the README.md, at least one explained by the rename of the primary branch to main.

From that I think we have the version tagged as v6.0.6 in the llhttp repo in Node.js.

I'm fairly certain this isn't the first time the version number has gone out of sync with upstream llhttp, and it happens when we have security issues that involve llhttp updates -- we have historically applied the llhttp patches directly to the private Node.js repository, released the security release and then @indutny cuts a new llhttp release shortly after. In this case we're not updating directly from llhttp upstream as documented in #43028.

[mhdawson]

@richardlau we should probably think a bit more about the security update process to see if there is anything we can do on that front.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/43940/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/43944/

[mhdawson]

Landed in c059921