Merge remote-tracking branch 'local' into loader/experimental-raw-imports

Author: efekrskl

.github/workflows/test-linux-quic.yml

@@ -0,0 +1,82 @@
+name: Test Linux (with QUIC)
+
+on:
+  workflow_dispatch:
+  pull_request:
+    paths:
+      - .github/workflows/test-linux-quic.yml
+      - configure.py
+      - node.gyp
+      - node.gypi
+      - deps/ngtcp2/**
+      - deps/nghttp3/**
+      - deps/openssl/**
+      - src/quic/**
+      - src/node_bob*
+      - lib/quic.js
+      - lib/http3.js
+      - lib/internal/quic/**
+      - lib/stream/iter.js
+      - lib/internal/streams/iter/**
+      - test/cctest/test_quic_*
+      - test/common/quic*
+      - test/common/quic/**
+      - test/parallel/*quic*
+      - test/parallel/test-stream-iter-*
+    types: [opened, synchronize, reopened, ready_for_review]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
+  cancel-in-progress: true
+
+env:
+  PYTHON_VERSION: '3.14'
+  FLAKY_TESTS: keep_retrying
+  CLANG_VERSION: '19'
+  CC: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang-19
+  CXX: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang++-19
+  SCCACHE_GHA_ENABLED: ${{ github.base_ref == 'main' || github.ref_name == 'main' }}
+  SCCACHE_IDLE_TIMEOUT: '0'
+  RUSTC_VERSION: '1.82'
+
+permissions:
+  contents: read
+
+jobs:
+  test-quic:
+    if: github.event.pull_request.draft == false
+    runs-on: ubuntu-24.04-arm
+    steps:
+      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10  # v6.0.3
+        with:
+          persist-credentials: false
+          path: node
+      - name: Install Clang ${{ env.CLANG_VERSION }}
+        uses: ./node/.github/actions/install-clang
+        with:
+          clang-version: ${{ env.CLANG_VERSION }}
+      - name: Install Rust ${{ env.RUSTC_VERSION }}
+        run: |
+          rustup override set "$RUSTC_VERSION"
+          rustup --version
+      - name: Set up Python ${{ env.PYTHON_VERSION }}
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405  # v6.2.0
+        with:
+          python-version: ${{ env.PYTHON_VERSION }}
+          allow-prereleases: true
+      - name: Set up sccache
+        if: github.base_ref == 'main' || github.ref_name == 'main'
+        uses: Mozilla-Actions/sccache-action@9e7fa8a12102821edf02ca5dbea1acd0f89a2696  # v0.0.10
+        with:
+          version: v0.12.0
+      - name: Environment Information
+        run: npx envinfo
+      - name: Build
+        working-directory: node
+        run: make build-ci -j4 V=1 CONFIG_FLAGS="--error-on-warn --v8-enable-temporal-support --experimental-quic"
+      - name: Test
+        working-directory: node
+        run: make test-ci -j1 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9"
+      - name: Ensure running tests did not cause any change in the tree
+        working-directory: node
+        run: git add -A && git diff --name-only --exit-code --staged

.github/workflows/update-wpt.yml

@@ -52,6 +52,14 @@ jobs:
       - name: Update WPT for subsystem ${{ matrix.subsystem }}
         run: |
           git node wpt "$SUBSYSTEM"
+          # TODO: Remove this workaround after @node-core/utils stops
+          # regenerating test/fixtures/wpt/README.md for every subsystem
+          # update.
+          # git node wpt currently rewrites test/fixtures/wpt/README.md with a
+          # generated summary for every subsystem update. versions.json is the
+          # authoritative metadata, and keeping the README stable avoids
+          # conflicts between concurrent WPT update PRs.
+          git restore test/fixtures/wpt/README.md
         env:
           SUBSYSTEM: ${{ matrix.subsystem }}
 

BUILDING.md

@@ -558,7 +558,7 @@ NODE=/path/to/node make doc-only
 To read the man page:
 
 ```bash
-man doc/node.1
+man out/doc/node.1
 ```
 
 If you prefer to read the full documentation in a browser, run the following.

CHANGELOG.md

@@ -41,13 +41,15 @@ release.
 </tr>
 <tr>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V26.md#26.3.0">26.3.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V26.md#26.3.1">26.3.1</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V26.md#26.3.0">26.3.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V26.md#26.2.0">26.2.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V26.md#26.1.0">26.1.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V26.md#26.0.0">26.0.0</a><br/>
   </td>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V24.md#24.16.0">24.16.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V24.md#24.17.0">24.17.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V24.md#24.16.0">24.16.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V24.md#24.15.0">24.15.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V24.md#24.14.1">24.14.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V24.md#24.14.0">24.14.0</a><br/>
@@ -72,7 +74,8 @@ release.
 <a href="doc/changelogs/CHANGELOG_V24.md#24.0.0">24.0.0</a><br/>
   </td>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V22.md#22.22.3">22.22.3</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V22.md#22.23.0">22.23.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V22.md#22.22.3">22.22.3</a><br/>
 <a href="doc/changelogs/CHANGELOG_V22.md#22.22.2">22.22.2</a><br/>
 <a href="doc/changelogs/CHANGELOG_V22.md#22.22.1">22.22.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V22.md#22.22.0">22.22.0</a><br/>

Makefile

@@ -196,7 +196,7 @@ config.gypi: configure configure.py src/node_version.h
 	fi
 
 .PHONY: install
-install: all ## Install node into $PREFIX (default=/usr/local).
+install: all out/doc/node.1 ## Install node into $PREFIX (default=/usr/local).
 	$(PYTHON) tools/install.py $@ --dest-dir '$(DESTDIR)' --prefix '$(PREFIX)'
 
 .PHONY: uninstall
@@ -856,7 +856,7 @@ VERSION=v$(RAWVER)
 
 .PHONY: doc-only
 .NOTPARALLEL: doc-only
-doc-only: $(apidoc_dirs) $(apidocs_html) $(apidocs_json) out/doc/api/all.html out/doc/api/all.json out/doc/llms.txt out/doc/apilinks.json  ## Builds the docs with the local or the global Node.js binary.
+doc-only: $(apidoc_dirs) $(apidocs_html) $(apidocs_json) out/doc/node.1 out/doc/api/all.html out/doc/api/all.json out/doc/llms.txt out/doc/apilinks.json  ## Builds the docs with the local or the global Node.js binary.
 
 .PHONY: doc
 doc: $(NODE_EXE) doc-only ## Build Node.js, and then build the documentation with the new binary.
@@ -932,6 +932,19 @@ out/doc/apilinks.json: $(wildcard lib/*.js) tools/doc/node_modules | out/doc
 		) \
 	fi
 
+out/doc/node.1: doc/api/cli.md tools/doc/node_modules | out/doc
+	@if [ "$(shell $(node_use_openssl_and_icu))" != "true" ]; then \
+		echo "Skipping $@ (no crypto and/or no ICU)"; \
+	else \
+		$(call available-node, \
+			$(DOC_KIT) generate \
+			-t man-page \
+			-i $< \
+			-o $(@D) \
+			-v $(VERSION) \
+		) \
+	fi
+
 .PHONY: docopen
 docopen: doc-only ## Open the documentation in a web browser.
 	@$(PYTHON) -mwebbrowser file://$(abspath $<)
@@ -1269,7 +1282,7 @@ $(TARBALL): $(TARBALL_DEPS)
 	git checkout-index -a -f --prefix=$(TARNAME)/
 ifneq ($(SKIP_SHARED_DEPS), 1)
 	mkdir -p $(TARNAME)/doc/api
-	cp doc/node.1 $(TARNAME)/doc/node.1
+	cp out/doc/node.1 $(TARNAME)/doc/node.1
 	cp -r out/doc/api/* $(TARNAME)/doc/api/
 endif
 	sed 's/fileset = fileset.intersection (fileset.gitTracked root)/fileset =/' tools/nix/v8.nix > $(TARNAME)/tools/nix/v8.nix 

SECURITY.md

@@ -374,6 +374,21 @@ the community they pose.
   responsibility to properly handle errors by attaching appropriate
   `'error'` event listeners to EventEmitters that may emit errors.
 
+#### Exceptions Thrown by Application Callbacks (CWE-248)
+
+* Node.js trusts the application code it is asked to run, including callbacks
+  that are invoked by Node.js APIs. If an application callback throws an
+  uncaught exception, any resulting crash is not considered a vulnerability in
+  Node.js.
+* For example, [CVE-2026-21637](https://www.cve.org/CVERecord?id=CVE-2026-21637)
+  was triaged as a Node.js vulnerability, but scenarios that require TLS
+  callbacks such as `ALPNCallback`, `SNICallback`, or `pskCallback` to throw
+  are outside the Node.js threat model. Future reports of similar issues,
+  where the crash depends on application callbacks throwing uncaught
+  exceptions, will not be treated as Node.js vulnerabilities. It is the
+  application's responsibility to handle unexpected callback input and report
+  errors without throwing uncaught exceptions.
+
 #### Permission Model Boundaries (`--permission`)
 
 The Node.js [Permission Model](https://nodejs.org/api/permissions.html)

benchmark/child_process/child-process-exec-maxbuffer.js

@@ -0,0 +1,39 @@
+'use strict';
+const common = require('../common.js');
+const { execFile } = require('child_process');
+
+// Isolates stdout accumulation + maxBuffer handling in execFile(). The child
+// writes `chunks` blocks of 64 KiB; the parent accumulates them through the
+// native pipe read path and the JS buffering in lib/child_process.js until the
+// process exits and the result buffer is handed to the callback.
+
+const bench = common.createBenchmark(main, {
+  // Number of 64 KiB blocks written by the child: 1 MiB, 16 MiB, 64 MiB.
+  chunks: [16, 256, 1024],
+  n: [10],
+});
+
+function main({ n, chunks }) {
+  const script =
+    'const b = Buffer.alloc(65536, 0x61);' +
+    `for (let i = 0; i < ${chunks}; i++) process.stdout.write(b);`;
+  const args = ['-e', script];
+  const options = {
+    maxBuffer: chunks * 65536 + 65536,
+    encoding: 'buffer',
+  };
+
+  let left = n;
+  const run = () => {
+    execFile(process.execPath, args, options, (err) => {
+      if (err)
+        throw err;
+      if (--left === 0)
+        return bench.end(n);
+      run();
+    });
+  };
+
+  bench.start();
+  run();
+}

benchmark/child_process/child-process-ipc-roundtrip.js

@@ -0,0 +1,47 @@
+'use strict';
+if (process.argv[2] === 'child') {
+  // Echo every message straight back to the parent.
+  process.on('message', (msg) => {
+    process.send(msg);
+  });
+} else {
+  const common = require('../common.js');
+  const bench = common.createBenchmark(main, {
+    len: [64, 256, 1024, 4096, 16384, 65536],
+    serialization: ['json', 'advanced'],
+    dur: [5],
+  });
+  const { spawn } = require('child_process');
+
+  function main({ dur, len, serialization }) {
+    const msg = { payload: '.'.repeat(len) };
+    const options = {
+      stdio: ['ignore', 'ignore', 'ignore', 'ipc'],
+      serialization,
+    };
+    const child = spawn(process.argv[0],
+                        [process.argv[1], 'child'], options);
+
+    let messages = 0;
+    let finished = false;
+
+    child.on('message', () => {
+      messages++;
+      // Keep one round-trip in flight per completed one so both the serialize
+      // (write) and deserialize (read) paths stay saturated on both ends.
+      if (!finished)
+        child.send(msg);
+    });
+
+    bench.start();
+    // Prime a window of in-flight messages so the IPC channel never drains.
+    for (let i = 0; i < 256; i++)
+      child.send(msg);
+
+    setTimeout(() => {
+      finished = true;
+      bench.end(messages);
+      child.kill();
+    }, dur * 1000);
+  }
+}

benchmark/child_process/child-process-spawn-options.js

@@ -0,0 +1,43 @@
+'use strict';
+const common = require('../common.js');
+const { spawn } = require('child_process');
+
+// Isolates the cost of marshaling spawn() options across the JS -> C++ boundary
+// (ProcessWrap::Spawn). A trivial, fast-exiting child is spawned repeatedly
+// while scaling the number of environment pairs and arguments that have to be
+// converted, so the per-spawn option-handling overhead is the dominant cost.
+
+const isWindows = process.platform === 'win32';
+const command = isWindows ? 'cmd' : 'true';
+const baseArgs = isWindows ? ['/d', '/s', '/c', 'exit'] : [];
+
+const bench = common.createBenchmark(main, {
+  n: [1000],
+  envc: [0, 64, 256, 1024],
+  argc: [0, 8, 64],
+});
+
+function main({ n, envc, argc }) {
+  const env = { ...process.env };
+  for (let i = 0; i < envc; i++)
+    env[`NODE_BENCH_VAR_${i}`] = `value_${i}`;
+
+  const args = baseArgs.slice();
+  for (let i = 0; i < argc; i++)
+    args.push(`arg_${i}`);
+
+  const options = { env, stdio: ['ignore', 'ignore', 'ignore'] };
+
+  let left = n;
+  const go = () => {
+    if (--left < 0)
+      return bench.end(n);
+    const child = spawn(command, args, options);
+    // The exit code is intentionally ignored: the child only exercises the
+    // option-marshaling path, it is not expected to do any useful work.
+    child.on('exit', go);
+  };
+
+  bench.start();
+  go();
+}

benchmark/crypto/create-hmac.js

@@ -0,0 +1,24 @@
+'use strict';
+
+const common = require('../common.js');
+const { createHmac } = require('crypto');
+const assert = require('assert');
+
+const bench = common.createBenchmark(main, {
+  n: [1e5],
+  algo: ['sha1', 'sha256', 'sha512'],
+  keylen: [0, 16, 64, 1024],
+});
+
+function main({ n, algo, keylen }) {
+  const key = Buffer.alloc(keylen, 'k');
+  const hmacs = new Array(n);
+
+  bench.start();
+  for (let i = 0; i < n; ++i) {
+    hmacs[i] = createHmac(algo, key);
+  }
+  bench.end(n);
+
+  assert.strictEqual(typeof hmacs[n - 1], 'object');
+}