2026-05-21, Version 24.16.0 'Krypton' (LTS)#63263
Open
github-actions[bot] wants to merge 229 commits into
Open
2026-05-21, Version 24.16.0 'Krypton' (LTS)#63263github-actions[bot] wants to merge 229 commits into
github-actions[bot] wants to merge 229 commits into
Conversation
Node.js 24 is using Undici 7 rather than the latest version. Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: #62739 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
PR-URL: #63011 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
PR-URL: #60854 Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com> Reviewed-By: Ilyas Shabi <ilyasshabi94@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
PR-URL: #61829 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
PR-URL: #62324 Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #62474 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
On AIX libc++ is returning `EEXIST` instead of `EACCES` when using `std::filesystem::remove_all()` without appropriate permissions to recursively remove the directory. Co-authored-by: Abdirahim Musse <abdirahim.musse@ibm.com> Signed-off-by: Richard Lau <richard.lau@ibm.com> PR-URL: #62788 Refs: #62790 Reviewed-By: Abdirahim Musse <abdirahim.musse@ibm.com> Reviewed-By: Stewart X Addison <sxa@redhat.com>
Expose `f_frsize` from libuv's `uv_statfs_t` as `statfs.frsize`. Per POSIX, `f_blocks`, `f_bfree`, and `f_bavail` are expressed in units of `f_frsize`, not `f_bsize`. On most filesystems the two values are typically equal, but some filesystem drivers report a different `f_bsize`, making it impossible to compute accurate disk usage without `frsize`. Refs: libuv/libuv#4983 PR-URL: #62277 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day>
PR-URL: #62504 Reviewed-By: Chemi Atlow <chemi@atlow.co.il> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com>
PR-URL: #62504 Reviewed-By: Chemi Atlow <chemi@atlow.co.il> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com>
We have dedicated requirements about memory leaks when triaging DoS. These applies in generall to all types of DoS, and many recent reports about DoS attack vectors fail to meet them, resulting in a lot of extra back-and-forth in triaging. Clarify in the threat model by expanding these requirements to all DoS. Drive-by: clarify criteria of documented JavaScript behavior is that they are included in ECMA262. Also use "Node.js application developer" instead of "user" the refer to the party being vulnerable to avoid confusion. PR-URL: #62505 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
PR-URL: #62523 Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
Avoid registering AbortSignal.any() composites as dependants until they are actually observed. This fixes the long-lived source retention pattern from #62363 while preserving abort semantics through lazy refresh and follow paths. Also unregister fired timeout signals from the timeout finalization registry so timeout churn releases memory more promptly. PR-URL: #62367 Fixes: #62363 Refs: #54614 Reviewed-By: Edy Silva <edigleyssonsilva@gmail.com> Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
Apply suggestion from @jasnell PR-URL: #62510 Refs: nodejs/core-validate-commit#141 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Ruy Adorno <ruy@vlt.sh> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.3 to 5.0.4. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@cdf6c1f...6682284) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> PR-URL: #62543 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Bumps [codecov/codecov-action](https://github.com/codecov/codecov-action) from 5.5.2 to 6.0.0. - [Release notes](https://github.com/codecov/codecov-action/releases) - [Changelog](https://github.com/codecov/codecov-action/blob/main/CHANGELOG.md) - [Commits](codecov/codecov-action@671740a...57e3a13) --- updated-dependencies: - dependency-name: codecov/codecov-action dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> PR-URL: #62545 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.4 to 4.35.1. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@89a39a4...c10b806) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.35.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> PR-URL: #62547 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 6.2.0 to 6.3.0. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@6044e13...53b8394) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> PR-URL: #62548 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.15.0 to 2.16.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@a90bcbc...fe10465) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.16.1 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> PR-URL: #62550 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Bumps the eslint group in /tools/eslint with 2 updates: [@eslint/markdown](https://github.com/eslint/markdown) and [eslint-plugin-jsdoc](https://github.com/gajus/eslint-plugin-jsdoc). Updates `@eslint/markdown` from 7.5.1 to 8.0.0 - [Release notes](https://github.com/eslint/markdown/releases) - [Changelog](https://github.com/eslint/markdown/blob/main/CHANGELOG.md) - [Commits](eslint/markdown@v7.5.1...v8.0.0) Updates `eslint-plugin-jsdoc` from 62.8.0 to 62.8.1 - [Release notes](https://github.com/gajus/eslint-plugin-jsdoc/releases) - [Commits](gajus/eslint-plugin-jsdoc@v62.8.0...v62.8.1) --- updated-dependencies: - dependency-name: "@eslint/markdown" dependency-version: 8.0.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: eslint - dependency-name: eslint-plugin-jsdoc dependency-version: 62.8.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: eslint ... Signed-off-by: dependabot[bot] <support@github.com> PR-URL: #62552 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
When a socket with pipelined requests is destroyed then some requests will leak. PR-URL: #62534 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Add documentation for the `cancel` option of the `TransformStream` transformer, which allows users to specify a callback that will be called when the stream is canceled. See: https://streams.spec.whatwg.org/#transformer-api Fixes: #62540 PR-URL: #62566 Fixes: #62540 Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Signed-off-by: nabeel378 <mohammadnabeeljameel@gmail.com> PR-URL: #62553 Fixes: #62529 Refs: https://datatracker.ietf.org/doc/html/rfc9562#name-uuid-version-7 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Original commit message: win: properly initialize OSVERSIONINFOW (#5107) Otherwise calling `RtlGetVersion()` might produce UB. Problem was causing random crashes in the node.js test suite with stack traces like this one: ``` node.exe!__report_gsfailure(unsigned __int64 stack_cookie) Line 220 at D:\a\_work\1\s\src\vctools\crt\vcstartup\src\gs\gs_report.c(220) ... ``` Fixes: libuv/libuv#5106 Refs: libuv/libuv@aabb765 PR-URL: #62561 Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
PR-URL: #62460 Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
https://nodejs.org/en/blog/announcements/discontinuing-security-bug-bounties PR-URL: #62590 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day>
PR-URL: #62917 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Jacob Smith <jacob@frende.me> Reviewed-By: Daeyeon Jeong <daeyeon.dev@gmail.com> Reviewed-By: Darshan Sen <raisinten@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
PR-URL: #62864 Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Daeyeon Jeong <daeyeon.dev@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: #63087 Reviewed-By: Chemi Atlow <chemi@atlow.co.il> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
When investigating a memory leak in one of our applications, we discovered that this listener holds on to a `REPLServer` instance and all heap objects transitively kept alive by it by capturing as part of its closure. It's cleaner to declare the listener outside of the `REPLServer` class and to actually clean it up properly when it is no longer required or meaningful, which is easily achieved through keeping a reference count. PR-URL: #61895 Backport-PR-URL: #63194 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Original commit message:
[maglev] Fix throwing node inside eager inlining
This commit refactors the exception handling logic to correctly identify
and associate nodes with their respective `catch` blocks, even
when multiple levels of inlining are involved.
Previously, the check `!IsInsideTryBlock() && !is_eager_inline()` was
insufficient to determine if catch block inside `CatchDetails` was
already created.
Specifically, consider the case where:
1. Function `bar` is non-eagerly inlined into `foo`.
2. `foo` contains a `catch` block.
3. `bar` calls `in_bar`, which is eagerly inlined.
4. A node within `in_bar` can `throw`.
In this scenario, `is_eager_inline` would be true when compiling
`in_bar`, leading to an incorrect assumption that the catch block didn't exist yet.
This change addresses the issue by propagating a boolean value via
`CatchDetails`. This boolean accurately indicates whether a `catch`
block is present in the call chain, allowing for correct exception
handling regardless of inlining depth or eagerness.
Fixed: 417768368
Change-Id: Ic52f72f302b4dc644bdcad939addf98111bc525b
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6563500
Commit-Queue: Victor Gomes <victorgomes@chromium.org>
Reviewed-by: Darius Mercadier <dmercadier@chromium.org>
Cr-Commit-Position: refs/heads/main@{#100380}
Refs: v8/v8@657d8de
PR-URL: #62784
Reviewed-By: Xuguang Mei <meixuguang@gmail.com>
PR-URL: #61747 Reviewed-By: Jacob Smith <jacob@frende.me> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Ethan Arrowood <ethan@arrowood.dev> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Aviv Keller <me@aviv.sh> Reviewed-By: Chemi Atlow <chemi@atlow.co.il> Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Signed-off-by: Moshe Atlow <moshe@atlow.co.il> PR-URL: #62502 Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
Signed-off-by: Moshe Atlow <moshe@atlow.co.il> PR-URL: #62772 Reviewed-By: Chemi Atlow <chemi@atlow.co.il> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Notable changes: crypto: * (SEMVER-MINOR) implement randomUUIDv7() (nabeel378) #62553 debugger: * (SEMVER-MINOR) add edit-free runtime expression probes to `node inspect` (Joyee Cheung) #62713 fs: * (SEMVER-MINOR) add signal option to fs.stat() (Mert Can Altin) #57775 * (SEMVER-MINOR) expose frsize field in statfs (Jinho Jang) #62277 http: * (SEMVER-MINOR) harden ClientRequest options merge (Matteo Collina) #63082 * (SEMVER-MINOR) add req.signal to IncomingMessage (Akshat) #62541 stream: * (SEMVER-MINOR) propagate destruction in duplexPair (Ahmed Elhor) #61098 test_runner: * (SEMVER-MINOR) support test order randomization (Pietro Marchini) #61747 * (SEMVER-MINOR) align mock timeout api (sangwook) #62820 * (SEMVER-MINOR) add mock-timers support for AbortSignal.timeout (DeveloperViraj) #60751 util: * (SEMVER-MINOR) colorize text with hex colors (Guilherme Araújo) #61556 PR-URL: #63263
github-actions
Bot
added
release
Collaborator
|
Review requested:
|
aduh95
approved these changes
May 12, 2026
github-actions
Bot
removed
the
request-ci
Collaborator
|
CI: https://ci.nodejs.org/job/node-test-pull-request/73386/ |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## v24.x #63263 +/- ##
==========================================
- Coverage 90.10% 89.91% -0.20%
==========================================
Files 673 686 +13
Lines 202283 208683 +6400
Branches 39575 40119 +544
==========================================
+ Hits 182273 187639 +5366
- Misses 12213 13273 +1060
+ Partials 7797 7771 -26 🚀 New features to boost your workflow:
|
Collaborator
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #62553ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes tonode inspect(Joyee Cheung) #627139705f628d9] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #5777540ccfdecf9] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #62277d7188af5c9] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #63082aa1d8a9afc] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #625416f37f7e240] - (SEMVER-MINOR) stream: propagate destruction in duplexPair (Ahmed Elhor) #61098d14029be7f] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #61747d142c584cd] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #6282001a9552585] - (SEMVER-MINOR) test_runner: add mock-timers support for AbortSignal.timeout (DeveloperViraj) #6075100705a459a] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #61556Commits
dd72df060d] - assert,util: fix stale nested cycle memo entries (Ruben Bridgewater) #62509add94f4bc3] - build: track PDL files as inputs in inspector GN build (Robo) #628881b1eb9e334] - build: remove redundant -fuse-linker-plugin from GCC LTO flags (Daniel Lando) #626678752b604ec] - crypto: deduplicate and canonicalize CryptoKey usages (Filip Skokan) #62902341947e7fd] - crypto: reject unintended raw key format string input (Filip Skokan) #6297428a78747fc] - crypto: remove Argon2 KDF derivation from its job setup (Filip Skokan) #6286316e8c2b54d] - crypto: fix unsigned conversion of 4-byte RSA publicExponent (DeepView Autofix) #62839eeae754a87] - crypto: reject inherited key type names (Jonathan Lopes) #628759dd5540325] - crypto: add memory tracking for secureContext openssl objects (Mert Can Altin) #59051b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #625537597d204c1] - crypto: add support for Ed25519 context parameter (Filip Skokan) #624744bf85845da] - debugger: move ProbeInspectorSession and helpers to separate files (Joyee Cheung) #63013ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes tonode inspect(Joyee Cheung) #62713ec8c6b939a] - deps: V8: cherry-pick 657d8de27427 (Guy Bedford) #62784722c0c3274] - deps: update nghttp3 to 1.14.0 (Node.js GitHub Bot) #611875304db93d3] - deps: update nghttp3 to 1.13.1 (Node.js GitHub Bot) #60046e073b3811d] - deps: update nghttp3 to 1.11.0 (James M Snell) #592491d00313fb2] - deps: update ngtcp2 to 1.14.0 (James M Snell) #592498b3a4fc18f] - deps: update amaro to 1.1.9 (Node.js GitHub Bot) #6309062fe0cfcd1] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #63045137e09c8e9] - deps: update corepack to 0.34.7 (Node.js GitHub Bot) #6281014a4cb8fbc] - deps: update timezone to 2026b (Node.js GitHub Bot) #629623e1036583a] - deps: upgrade npm to 11.13.0 (npm team) #6289801dfe5961c] - deps: cherry-pick libuv/libuv@439a54b (skooch) #628816cd368b10c] - deps: update sqlite to 3.53.0 (Node.js GitHub Bot) #62699f218a4f553] - deps: update nbytes to 0.1.4 (Node.js GitHub Bot) #62698b47688524a] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #62629d202e2d343] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #626292faba66341] - deps: update minimatch to 10.2.5 (Node.js GitHub Bot) #62594fa46c90c5d] - deps: update googletest to d72f9c8aea6817cdf1ca0ac10887f328de7f3da2 (Node.js GitHub Bot) #62593099ded5713] - deps: update simdjson to 4.6.1 (Node.js GitHub Bot) #625927ce95afe96] - deps: libuv: cherry-pick aabb7651de (Santiago Gimeno) #6256157ef845623] - deps: update icu to 78.3 (Node.js GitHub Bot) #62324493ac40e12] - deps: update libuv to 1.52.1 (Node.js GitHub Bot) #61829b39508b368] - deps: update undici to 7.25.0 (Node.js GitHub Bot) #63011cb67a925e9] - deps: use npm undici@seven tag inupdate-undici.sh(Matteo Collina) #62739aa1e0bc28b] - doc: fix typos and inconsistencies in crypto.md and webcrypto.md (Filip Skokan) #62828f2a1735ed9] - doc: fix duplicate word "to to" in util.styleText (Daijiro Wachi) #62917b6378e215c] - doc: fix node-config-schema (Сковорода Никита Андреевич) #61596233894a9ce] - doc: fix the TypeScript Execute (tsx) project link (David Thornton) #630935d97919f8f] - doc: correct diagnostics_channel built-in channel names (Bryan English) #629952a9ccc927e] - doc: use mjs/cjs blocks for callbackify null reason example (Daijiro Wachi) #62884ef413b5358] - doc: fix typo in test.md (Rich Trott) #6296076f21c5070] - doc: correct typo in PR contribution instructions (Mike McCready) #62738ca02af1f7d] - doc: fix duplicate word "of of" in postMessageToThread (Daijiro Wachi) #6291746c99ed526] - doc: fix duplicate word "for for" in compile cache (Daijiro Wachi) #629171a60851734] - doc: fix typo in dns.lookup options description (Daijiro Wachi) #62882169b5ea2ed] - doc: fix Argon2 parameter bounds (Tobias Nießen) #628689a3a190f4e] - doc: clarify diffieHellman.generateKeys recomputes same key (Kit Dallege) #622050fba9e87d6] - doc: remove Ayase-252 and meixg from triagger team (Antoine du Hamel) #628419c700f3446] - doc: clarify dns.lookup() callback signature when all is true (eungi) #628006b7280bc17] - doc: add experimental modules lifetime policy (Paolo Insogna) #62753ce47ea31c9] - doc: clarify process._debugProcess() in Permission Model (Fahad Khan) #62537ba01633757] - doc: fix typo in devcontainer guide (Rohan Santhosh Kumar) #6268770b4d5839b] - doc: clarify Backport-PR-URL metadata added automatically (Mike McCready) #626688126d1c3eb] - doc: update WPT test runner README.md (Filip Skokan) #62680978afea4b5] - doc: fix spelling in release announcement guidance (Rohan Santhosh Kumar) #626631684ab8ff8] - doc: note non-monotonic clock in crypto.randomUUIDv7 (nabeel378) #6260086d4f07930] - doc: update bug bounty program (Rafael Gonzaga) #62590736ed8a08f] - doc: document TransformStream transformer.cancel option (Tom Pereira) #62566938af9be01] - doc: mention test runner retry attemp is zero based (Moshe Atlow) #6250494433e450f] - doc,src,test: fix dead inspector help URL (semimikoh) #62745ddf1f01659] - esm: addERR_REQUIRE_ESM_RACE_CONDITION(Antoine du Hamel) #624624a506acd16] - fs: add followSymlinks option to glob (Matteo Collina) #62695f4ea495f9b] - fs: restore fs patchability in ESM loader (Joyee Cheung) #6283563c111cd60] - fs: validate position argument before length === 0 early return (Edy Silva) #626749705f628d9] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #5777540ccfdecf9] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #62277717476a24e] - http: emit 'drain' on OutgoingMessage only after buffers drain (Robert Nagy) #62936d7188af5c9] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #6308264f15c274a] - http: fix leaked error listener on sync HTTP req create + destroy (Tim Perry) #628725c4798d799] - http: fix no_proxy leading-dot suffix matching (Daijiro Wachi) #623339f3bc70ae5] - http: cleanup pipeline queue (Robert Nagy) #62534aa1d8a9afc] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #62541900dc758ff] - http2: expose writable stream state on compat response (T) #63003b3bfe35912] - inspector: coerce key and value to string in webstorage events (Ali Hassan) #626163dc3fb6ad8] - inspector: return errors when CDP protocol event emission fails (Ryuhei Shima) #621624f3f21bd7c] - inspector: auto collect webstorage data (Ryuhei Shima) #6214536cc04189d] - inspector: initial support storage inspection (Ryuhei Shima) #611391718bc3b9b] - inspector: fix absolute URLs in network http (bugyaluwang) #6295597e32c7a74] - lib: avoid quadratic shift() in startup snapshot callback (Daijiro Wachi) #6291425d2e999de] - lib: harden kKeyOps lookup with null prototype (Filip Skokan) #6287737d3913c8f] - lib: short-circuit WebIDL BufferSource SAB check (Filip Skokan) #62833430c69d25f] - lib: use js-only implementation ofisDataView()(René) #627803ba0add6a0] - lib: fix lint in internal/webstreams/util.js (Filip Skokan) #628069b95c41398] - lib: fix sequence argument handling in Blob constructor (Ms2ger) #62179314dacdbee] - lib: improve Web Cryptography key validation ordering (Filip Skokan) #627493d18162430] - lib: reject SharedArrayBuffer in web APIs per spec (Ali Hassan) #62632ada3ce879d] - lib: defer AbortSignal.any() following (sangwook) #62367b2981ec7eb] - meta: bump actions/download-artifact from 8.0.0 to 8.0.1 (dependabot[bot]) #625497cd20667b5] - meta: bump github/codeql-action from 4.35.1 to 4.35.3 (dependabot[bot]) #6307491a07cfe9f] - meta: bump Mozilla-Actions/sccache-action from 0.0.9 to 0.0.10 (dependabot[bot]) #6307309e17fe47c] - meta: add automation policy (Chengzhong Wu) #6287159e7fb7986] - meta: move VoltrexKeyva to emeritus (Matteo Collina) #628951e2915cfa6] - meta: bump peter-evans/create-pull-request from 8.1.0 to 8.1.1 (dependabot[bot]) #628450253c6e2be] - meta: bump step-security/harden-runner from 2.16.1 to 2.19.0 (dependabot[bot]) #62844f503675b86] - meta: bump actions/setup-node from 6.3.0 to 6.4.0 (dependabot[bot]) #628425e14e4d26e] - meta: broaden stale bot (Aviv Keller) #62658795db76f87] - meta: pass release version to release worker (flakey5) #62777ef384fe39f] - meta: add QUIC to CODEOWNERS (Tim Perry) #6265267e0ac568d] - meta: move Michael to emeritus (Michael Dawson) #625365dad616393] - meta: populate apt list for slim runner in update-openssl workflow (René) #62628a869d25d8a] - meta: bump step-security/harden-runner from 2.15.0 to 2.16.1 (dependabot[bot]) #62550769efc0403] - meta: bump actions/setup-node from 6.2.0 to 6.3.0 (dependabot[bot]) #6254873fcc2b055] - meta: bump github/codeql-action from 4.32.4 to 4.35.1 (dependabot[bot]) #625476c001246fe] - meta: bump codecov/codecov-action from 5.5.2 to 6.0.0 (dependabot[bot]) #625455ee40d6a03] - meta: bump actions/cache from 5.0.3 to 5.0.4 (dependabot[bot]) #62543ca16ad8a05] - meta: require DCO signoff in commit message guidelines (James M Snell) #62510db9497fc41] - meta: expand memory leak DoS criteria to all DoS (Joyee Cheung) #6250513b7d08b8d] - module: remove duplicated checks from_resolveFilename(Antoine du Hamel) #627296b53efb53a] - module,win: fix long subpath import (Stefan Stojanovic) #62101841dfbf6fc] - node-api: update libuv ABI stability note (Chengzhong Wu) #6278901090f2aa1] - node-api: add napi_create_external_sharedarraybuffer (Ben Noordhuis) #6262387443b4355] - node-api: execute tsfn finalizer after queue drains when aborted (Kevin Eady) #61956e95570c054] - process: handle rejections only when needed (Gürgün Dayıoğlu) #6291937d49f3219] - process: optimize asyncHandledRejections by using FixedQueue (Gürgün Dayıoğlu) #60854f697c55e38] - quic: add QuicEndpoint.listening & QuicStream.destroy() and tests (Tim Perry) #62648c128942b69] - quic: fixup token verification to handle zero expiration (James M Snell) #62620abb881ec92] - quic: support multiple ALPN negotiation (James M Snell) #62620476926c2ad] - quic: apply multiple TLS context improvements and SNI support (James M Snell) #6262076d9c24b95] - quic: implement rapidhash for hashing improvements (James M Snell) #6262008726cd43d] - quic: move quic behind compile time flag (Matteo Collina) #61444ea4f19aaa7] - quic: use arena allocation for packets (James M Snell) #6258921e9239e2a] - quic: fixup linting/formatting issues (James M Snell) #62387edeed4303b] - quic: update http3 impl details (James M Snell) #623877f3a85e6aa] - quic: fix a handful of bugs and missing functionality (James M Snell) #6238745c1ebddf8] - quic: copy options.certs buffer instead of detaching (Chengzhong Wu) #61403a31a8ee680] - quic: reduce boilerplate and other minor cleanups (James M Snell) #593423be70ff43a] - quic: multiple fixups and updates (James M Snell) #59342b91a93444c] - quic: update more of the quic to the new compile guard (James M Snell) #59342ca0080c164] - quic: few additional small comment edits in cid.h (James M Snell) #593426553202d83] - quic: fixup NO_ERROR macro conflict on windows (James M Snell) #593816df1508ac2] - quic: fixup windows coverage compile error (James M Snell) #59381b2b0bf8b04] - quic: update the guard to check openssl version (James M Snell) #592495556b154bd] - quic: start re-enabling quic with openssl 3.5 (James M Snell) #592492ca42c8263] - repl: keep reference count forprocess.on('newListener')(Anna Henningsen) #618952f37f9177f] - sqlite: use OneByte for ASCII text and internalize col names (Ali Hassan) #619543c96ae1b2f] - sqlite: add serialize() and deserialize() (Ali Hassan) #62579be4d2f3a4c] - sqlite: enable Percentile extension (Jurj Andrei George) #61295dafed453b2] - src: clean up experimental flag variables (Antoine du Hamel) #62759dca1e6aeea] - src: expose help texts into node-config-schema.json (Pietro Marchini) #5868028c4f44eb1] - src: add permission support to config file (Marco Ippolito) #60746f49175b220] - src: fix small compile warning in quic/streams.cc (James M Snell) #60118c9d4a446d8] - src: cleanup quic TransportParams class (James M Snell) #5988499bb02fd9e] - src: swap dotenv and config file parsing order (Marco Ippolito) #63035ecb4d49b7b] - src: add missing <cstdlib> for abort() declaration (Charles Kerr) #63001b6219b6362] - src: fix crash in GetErrorSource() for invalid using syntax (semimikoh) #62770b5ca5ad4c5] - src: simplifyTCPWrap::Connectsignature (Anna Henningsen) #62929ef7ffce7cf] - src: use DCHECK in AsyncWrap::MakeCallback instead emiting a warning (Gerhard Stöbich) #62795cd9890a5ab] - src: fix MaybeStackBuffer char_traits deprecation warning (om-ghante) #62507c70ff44aee] - src: use context-free V8 message column getters (René) #6277806c405f1d7] - src: coercespawnSyncargs to string once (Antoine du Hamel) #626336151999ad6] - src: use stack allocation for small string encoding (Ali Hassan) #62431a71a4ac7a3] - src: add contextify interceptor debug logs (Chengzhong Wu) #62460ad9a2909c2] - src: workaround AIX libc++ std::filesystem bug (Richard Lau) #627887792f1ae47] - stream: copyeditwebstreams/adapter.js(Antoine du Hamel) #630341397d8ce5c] - stream: remove duplicated utility (Antoine du Hamel) #63031ff86b1d64f] - stream: simplifysetPromiseHandledutility (Antoine du Hamel) #6303224a078149a] - stream: validate ReadableStream.from iterator objects (Daeyeon Jeong) #62911cfb1fa9680] - stream: reject duplicate nested transferables (Daeyeon Jeong) #62831d0c913758a] - stream: ensuring cross-destruction in _duplexify to prevent leaks (Daijiro Wachi) #62824978f5c15d7] - stream: simplifyreadableStreamFromIterable(Antoine du Hamel) #626513527646ba5] - stream: fix nested compose error propagation (Matteo Collina) #62556dfb9edef4f] - stream: allow shared array buffer sources in writable webstream adapter (René) #62163f00cdab627] - stream: simplifycreatePromiseCallback(Antoine du Hamel) #626503ed783535f] - stream: fix writev unhandled rejection in fromWeb (sangwook) #6229729b196694c] - stream: noop pause/resume on destroyed streams (Robert Nagy) #62557d73dbb9fc8] - stream: refactor duplexify to be less suceptible to prototype pollution (Antoine du Hamel) #625596f37f7e240] - (SEMVER-MINOR) stream: propagate destruction in duplexPair (Ahmed Elhor) #61098b8816580e9] - test: generatelocalstorage.dbin a temp dir (Chengzhong Wu) #6266031a863fd29] - test: update WPT for url to 258f285de0 (Node.js GitHub Bot) #63087d0d19bd8e3] - test: update WPT for streams to f8f26a372f (Node.js GitHub Bot) #62864f50ac5bc78] - test: improve config-file permission test coverage (Rafael Gonzaga) #60929a0f90000f4] - test: export isRiscv64 from common module (Jamie Magee) #62609da4dd8646f] - test: normalize known inspector crash as completion (Joyee Cheung) #62851b7fdd94a4c] - test: account for RFC 7919 FFDHE negotiation in OpenSSL 4.0 (Filip Skokan) #62805375a993aaf] - test: skip tls-deprecated secp256k1 on OpenSSL 4.0 (Filip Skokan) #62805698d8287d1] - test: use an always invalid cipher and cover OpenSSL 4.0 behaviours (Filip Skokan) #62805036bc6f300] - test: use valid DER OCSP responses (Filip Skokan) #628053aa9938da8] - test: skip test-tls-error-stack when engines are unsupported (Filip Skokan) #62805947f1ae246] - test: accept renamed OpenSSL 4.0 error code and reason (Filip Skokan) #62805afdd355622] - test: update test/addons/openssl-binding for OpenSSL 4.0 (Filip Skokan) #628058637524a99] - test: mark test-snapshot-reproducible flaky (Filip Skokan) #62808c22d34134b] - test: check contextify contextual store behavior in strict mode (René) #625710b4e0d3c94] - test: update tls junk data error expectations (Filip Skokan) #6262985d83c2cdb] - test: ensure WPT report is in out/wpt (Filip Skokan) #626379e21711c60] - test: improve WPT runner summary (Filip Skokan) #62636e04e2c9ac1] - test: skip url WPT subtests instead of modifying test script (Filip Skokan) #626357b1211f88c] - test: capture negative utimes mtime at call time (Yuya Inoue) #62490f1a6e9fcc7] - test: allow skipping individual WPT subtests (Filip Skokan) #6251723f927542e] - test: use on-disk fixture for test-npm-install (Joyee Cheung) #625844739c45879] - test: update WPT for url to 7a3645b79a (Node.js GitHub Bot) #62591f68189b839] - test_runner: addtestIdto test events (Moshe Atlow) #627725c2770446e] - test_runner: publish to TracingChannel for OTel instrumentation (Moshe Atlow) #62502d14029be7f] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #617473f74a58979] - test_runner: update node-config-schema (Pietro Marchini) #5868060c83f6199] - test_runner: fix failing suite hooks when marked withtodo(Moshe Atlow) #63097d142c584cd] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #628203e72065ed6] - test_runner: fix suite rerun edge case (Moshe Atlow) #6286001a9552585] - (SEMVER-MINOR) test_runner: add mock-timers support for AbortSignal.timeout (DeveloperViraj) #60751dd43efffa6] - test_runner: add passed, attempt, and diagnostic to SuiteContext (Moshe Atlow) #62504a12dc445cc] - tools: add a check for clean git tree after tests (Antoine du Hamel) #626615b49178375] - tools: use LTS Node.js in notify-on-push workflow (Nenad Spasenic) #630845a93bde5bb] - tools: update gr2m/create-or-update-pull-request-action to v1.10.1 (Mike McCready) #63065b133019d19] - tools: simplifyupdate-undici.sh(Antoine du Hamel) #6304404d3538074] - tools: do not runtest-linuxon unrelated tools changes (Antoine du Hamel) #630374d396ac4a5] - tools: bump the eslint group in /tools/eslint with 4 updates (dependabot[bot]) #628489354bf40e7] - tools: update gyp-next to 0.22.1 (Node.js GitHub Bot) #62961c23db1ca85] - tools: fix commit linter for semver-major release proposals (Antoine du Hamel) #629936e097ee3f1] - tools: consolidate and simplify .editorconfig deps section (Daijiro Wachi) #62887a47ea6d6ea] - tools: set bot as author of tools-deps-update PRs (Antoine du Hamel) #6285600e86f0471] - tools: bump brace-expansion from 5.0.4 to 5.0.5 in /tools/eslint (dependabot[bot]) #62458cd7e262e75] - tools: bump brace-expansion in /tools/clang-format (dependabot[bot]) #62467bfc1319bc8] - tools: exclude @node-core/doc-kit from dependabot cooldown (Levi Zim) #62775a932fbd10b] - tools: re-enable undici WPTs in daily wpt.fyi job (Filip Skokan) #62677f7bd9e3055] - tools: update gyp-next to 0.22.0 (Node.js GitHub Bot) #62697c400d46d87] - tools: improve backport review script (Antoine du Hamel) #62573be23b75814] - tools: improve output for unexpected passes in WTP tests (Antoine du Hamel) #62587609c013ece] - tools: revert OpenSSL update workflow to ubuntu-latest (Richard Lau) #6262781bac1ebfd] - tools: bump the eslint group in /tools/eslint with 2 updates (dependabot[bot]) #625521fee26522d] - tools: allow triagers to queue a PR for CI until it's reviewed (Antoine du Hamel) #62524332088f929] - tools: do not runcommit-linton release proposals (Antoine du Hamel) #625239a25fc8a4d] - url: process crash via malformed UNC hostname in pathToFileURL() (Nicola Del Gobbo) #625747bd08ff60a] - url: optimize URLSearchParams set/delete duplicate handling (Gürgün Dayıoğlu) #622662d636388fa] - url: align default argument handling for URLPattern with webidl (Filip Skokan) #6271900705a459a] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #615560e2adb3e45] - watch: track worker entry files in watch mode (SudhansuBandha) #62368c58fe38211] - watch: fix --env-file-if-exists crashing on linux if the file is missing (Efe) #61870