Releases: nodejs/node
Releases · nodejs/node
2026-03-24, Version 25.8.2 (Current), @RafaelGSS
This is a security release.
Notable Changes
- (CVE-2026-21637) wrap
SNICallbackinvocation intry/catch(Matteo Collina) - High - (CVE-2026-21710) use null prototype for
headersDistinct/trailersDistinct(Matteo Collina) - High - (CVE-2026-21711) include permission check to
pipe_wrap.cc(RafaelGSS) - Medium - (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
- (CVE-2026-21714) handle
NGHTTP2_ERR_FLOW_CONTROLerror code (RafaelGSS) - Medium - (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
- (CVE-2026-21715) add permission check to
realpath.native(RafaelGSS) - Low - (CVE-2026-21716) include permission check on
lib/fs/promises(RafaelGSS) - Low
Commits
- [
2086b7477b] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#834 - [
0f9332a40a] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822 - [
2b6937ddb2] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271 - [
bfb8ad5787] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233 - [
be6384727f] - deps: upgrade npm to 11.11.1 (npm team) #62216 - [
2feea5bb97] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344 - [
86c04784dd] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821 - [
5197a56a34] - (CVE-2026-21711) permission: include permission check to pipe_wrap.cc (RafaelGSS) nodejs-private/node-private#820 - [
04a886c735] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795 - [
9a7f80f2b0] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794 - [
d9c9b628cf] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832 - [
45b55dc786] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816 - [
4bfda307c0] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819
2026-03-24, Version 24.14.1 'Krypton' (LTS), @RafaelGSS prepared by @juanarbol
This is a security release.
Notable Changes
- (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
- (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
- (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
- (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
- (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
- (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low
- (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
Commits
- [
6fae244080] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#828 - [
cc0910c62e] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822 - [
80cb042cf3] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271 - [
f5b8667dc2] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233 - [
08852637d9] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #62035 - [
61097db9fb] - deps: upgrade npm to 11.11.0 (npm team) #61994 - [
9ac0f9f81e] - deps: upgrade npm to 11.10.1 (npm team) #61892 - [
3dab3c4698] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344 - [
87521e99d1] - deps: V8: backport 1361b2a49d02 (Joyee Cheung) nodejs-private/node-private#828 - [
045013366f] - deps: V8: backport 185f0fe09b72 (Joyee Cheung) nodejs-private/node-private#828 - [
af22629ea8] - deps: V8: backport 0a8b1cdcc8b2 (snek) nodejs-private/node-private#828 - [
380ea72eef] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821 - [
d6b6051e08] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795 - [
bfdecef9da] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794 - [
c015edf313] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832 - [
cba66c48a5] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816 - [
df8fbfb93d] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819
2026-03-24, Version 22.22.2 'Jod' (LTS), @RafaelGSS prepared by @aduh95
This is a security release.
Notable Changes
- (CVE-2026-21637) wrap
SNICallbackinvocation intry/catch(Matteo Collina) - High - (CVE-2026-21710) use null prototype for
headersDistinct/trailersDistinct(Matteo Collina) - High - (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) - Medium
- (CVE-2026-21714) handle
NGHTTP2_ERR_FLOW_CONTROLerror code (RafaelGSS) - Medium - (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
- (CVE-2026-21715) add permission check to
realpath.native(RafaelGSS) - Low - (CVE-2026-21716) include permission check on
lib/fs/promises(RafaelGSS) - Low
Commits
- [
6f14ee5101] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#809 - [
52a52ef619] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#822 - [
30a3ab11e2] - (CVE-2026-21717) deps: V8: cherry-pick aac14dd95e5b (Joyee Cheung) nodejs-private/node-private#809 - [
e3f4d6a42e] - (CVE-2026-21717) deps: V8: backport 1361b2a49d02 (Joyee Cheung) nodejs-private/node-private#809 - [
7dc00fa5f4] - (CVE-2026-21717) deps: V8: backport 185f0fe09b72 (Joyee Cheung) nodejs-private/node-private#809 - [
076acd052d] - (CVE-2026-21717) deps: V8: backport 0a8b1cdcc8b2 (snek) nodejs-private/node-private#809 - [
963c60a951] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344 - [
a688117d5d] - deps: upgrade npm to 10.9.7 (npm team) #62330 - [
859c8c761b] - deps: update undici to v6.24.1 (Matteo Collina) #62285 - [
d5ed384a2f] - deps: upgrade npm to 10.9.6 (npm team) #62215 - [
a2fe9fd81a] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821 - [
73deff77c1] - lib: backport_tls_commonand_tls_wraprefactors (Dario Piotrowicz) #57643 - [
06fc3436f6] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795 - [
db48d9c675] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794 - [
2a6105a63b] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832 - [
91b970886f] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819
2026-03-24, Version 20.20.2 'Iron' (LTS), @marco-ippolito
v20.20.2
This tag was signed with the committer’s verified signature.
marco-ippolito
Marco Ippolito
3626fea
This commit was signed with the committer’s verified signature.
marco-ippolito
Marco Ippolito
This is a security release.
Notable Changes
- (CVE-2026-21717) fix array index hash collision (Joyee Cheung)
- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan)
- (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina)
- (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS)pull/795>
- (CVE-2026-21715) add permission check to realpath.native (RafaelGSS)
- (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS)
- (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina)
Commits
- [
cfb51fa9ce] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#831 - [
f333d0be5f] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344 - [
2acd5d1226] - deps: update undici to v6.24.1 (Matteo Collina) #62285 - [
af5c144ebc] - (CVE-2026-21717) deps,build,test: fix array index hash collision (Joyee Cheung) nodejs-private/node-private#834 - [
00ad47a28e] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821 - [
0123309566] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#840 - [
00830712bc] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#838 - [
a0c73425da] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832 - [
cc3f294507] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#839
2026-03-11, Version 25.8.1 (Current), @aduh95
Notable Changes
- [
ea87eea71a] - module: fix extensionless CJS files in"type": "module"packages (Matteo Collina) #62083
Commits
- [
bab750d1b3] - build: do not depend on V8 deps on--without-bundled-v8builds (Antoine du Hamel) #62033 - [
b26d1c7fcb] - crypto: make --use-system-ca per-env rather than per-process (Aditi) #60678 - [
e362635abf] - crypto: add missing AES dictionaries (Filip Skokan) #62099 - [
6f975db8af] - crypto: fix importKey required argument count check (Filip Skokan) #62099 - [
3beaf9c5fc] - deps: update amaro to 1.1.8 (Node.js GitHub Bot) #62151 - [
53afb0edd8] - deps: update sqlite to 3.52.0 (Node.js GitHub Bot) #62150 - [
a13ed052a1] - deps: update merve to 1.2.0 (Node.js GitHub Bot) #62149 - [
2c850577b7] - deps: patch resb crate (Richard Lau) #62138 - [
37862a6728] - deps: V8: cherry-pick aa0b288f87cc (Richard Lau) #62136 - [
09191ad8b4] - deps: update ada to 3.4.3 (Node.js GitHub Bot) #62049 - [
8d63a178fd] - doc: copyeditaddons.md(Antoine du Hamel) #62071 - [
83719ffb64] - doc: correctutil.convertProcessSignalToExitCodevalidation behavior (René) #62134 - [
eeee7c7fb1] - doc: add efekrskl as triager (Efe) #61876 - [
db150b2e69] - doc: fix markdown forexpectFailurevalues (Jacob Smith) #62100 - [
d55a441e60] - doc: add title to index (Aviv Keller) #62046 - [
cc46204b48] - doc: include url.resolve() in DEP0169 application deprecation (Mike McCready) #62002 - [
1d91a7261e] - doc,module: add missing doc for syncHooks.deregister() (Joyee Cheung) #61959 - [
5198573bee] - http: fix use-after-free when freeParser is called during llhttp_execute (Gerhard Stöbich) #62095 - [
f8793f80df] - lib: fix source map url parse in dynamic imports (Chengzhong Wu) #61990 - [
5439d0e0cf] - meta: bump actions/download-artifact from 7.0.0 to 8.0.0 (dependabot[bot]) #62063 - [
27fd21943a] - meta: bump actions/upload-artifact from 6.0.0 to 7.0.0 (dependabot[bot]) #62062 - [
5b266f3295] - meta: bump step-security/harden-runner from 2.14.2 to 2.15.0 (dependabot[bot]) #62064 - [
ea87eea71a] - module: fix extensionless CJS files in"type": "module"packages (Matteo Collina) #62083 - [
851228cd60] - sqlite: handle stmt invalidation (Guilherme Araújo) #61877 - [
19efe60548] - src: expose async context frame debugging helper to JS (Anna Henningsen) #62103 - [
0257e8072f] - src: make AsyncWrap subclass internal field counts explicit (Anna Henningsen) #62103 - [
975dafbe3b] - src: release context frame in AsyncWrap::EmitDestroy (Gerhard Stöbich) #61995 - [
f2c08c7888] - src: use validate_ascii_with_errors instead of validate_ascii (Сковорода Никита Андреевич) #61122 - [
0278461d83] - stream: optimize webstreams pipeTo (Mattias Buelens) #62079 - [
4d62e95bfa] - stream: fix brotli error handling in web compression streams (Filip Skokan) #62107 - [
4bdcaf2865] - stream: improve Web Compression spec compliance (Filip Skokan) #62107 - [
a5b1be2045] - stream: fix UTF-8 character corruption in fast-utf8-stream (Matteo Collina) #61745 - [
5632446c4e] - stream: fix TransformStream race on cancel with pending write (Marco) #62040 - [
f90fa9cd1a] - stream: accept ArrayBuffer in CompressionStream and DecompressionStream (조수민) #61913 - [
00319eaa3a] - test: update WPT for url to c928b19ab0 (Node.js GitHub Bot) #62148 - [
456abc7d20] - test: update WPT for WebCryptoAPI to c9e955840a (Node.js GitHub Bot) #62147 - [
82770cb7d3] - test: improve WPT report runner (Filip Skokan) #62107 - [
cfc847d233] - test: update WPT compression to ae05f5cb53 (Filip Skokan) #62107 - [
80f78f2737] - test: update WPT for WebCryptoAPI to 42e47329fd (Node.js GitHub Bot) #62048 - [
8048e0508c] - test: fix skipping behavior fortest-runner-run-files-undefined(Antoine du Hamel) #62026 - [
699a6214c6] - tools: revert timezone update GHA workflow to ubuntu-latest (Richard Lau) #62140 - [
1a453b550c] - tools: improve error handling in test426 update script (Rich Trott) #62121 - [
710dde5ee2] - tools: fix--node-builtin-modules-pathvalue inshell.nix(Antoine du Hamel) #62102 - [
dcb1cbb21f] - tools: bump the eslint group across 1 directory with 2 updates (dependabot[bot]) #62092 - [
7d0b758583] - tools: fix daily wpt workflow nighly release version lookup (Filip Skokan) #62076 - [
3e8c816f2e] - tools: fix example in release proposal linter (Richard Lau) #62074 - [
772d3d270d] - tools: bump minimatch from 3.1.3 to 3.1.5 in /tools/clang-format (dependabot[bot]) #62013 - [
92f3b42672] - tools: bump eslint to v10, babel to v8.0.0-rc.2 (Huáng Jùnliàng) #61905 - [
deead95ec5] - url: suppress warnings from url.format/url.resolve inside node_modules (René) #62005
2026-03-05, Version 22.22.1 'Jod' (LTS)
v22.22.1
This tag was signed with the committer’s verified signature.
marco-ippolito
Marco Ippolito
Notable Changes
- [
7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #59983 - [
6063d888fe] - cli: mark--heapsnapshot-near-heap-limitas stable (Joyee Cheung) #60956 - [
d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419 - [
4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741 - [
b6ebf2cd53] - doc: add avivkeller to collaborators (Aviv Keller) #61115 - [
35854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #61094 - [
5c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #60714
Commits
- [
5f773488c2] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #61076 - [
feecbb0eab] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #61388 - [
096095b127] - benchmark: add SQLite benchmarks (Guilherme Araújo) #61401 - [
b5fe481415] - benchmark: use boolean options in benchmark tests (SeokhunEom) #60129 - [
fa9faacacb] - benchmark: allow boolean option values (SeokhunEom) #60129 - [
ba8714ac21] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #60841 - [
53596de876] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #60663 - [
e8930e9d7c] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #60603 - [
1155e412b1] - benchmark: add per-suite setup option (Joyee Cheung) #60574 - [
e01903d304] - benchmark: improve cpu.sh for safety and usability (Nam Yooseong) #60162 - [
623a405747] - benchmark: add benchmark for leaf source text modules (Joyee Cheung) #60205 - [
7f5e7b9f7f] - benchmark: add microbench on isInsideNodeModules (Chengzhong Wu) #60991 - [
db132b85a8] - bootstrap: initialize http proxy after user module loader setup (Joyee Cheung) #58938 - [
66aab9f987] - buffer: let Buffer.of use heap (Сковорода Никита Андреевич) #60503 - [
c3cf00c671] - buffer: speed up concat via TypedArray#set (Gürgün Dayıoğlu) #60399 - [
f6fad231e9] - build: skip sscache action on non-main branches (Joyee Cheung) #61790 - [
2145f91f6b] - build: update android-patches/trap-handler.h.patch (Mo Luo) #60369 - [
5b49759dd8] - build: update devcontainer.json to use paired nix env (Joyee Cheung) #61414 - [
24724cde40] - build: fix misplaced comma in ldflags (hqzing) #61294 - [
c57a19934e] - build: fix crate vendor file checksums on windows (Chengzhong Wu) #61329 - [
8659d7cd07] - build: fix inconsistent quoting inMakefile(Antoine du Hamel) #60511 - [
44f339b315] - build: remove temporal updater (Chengzhong Wu) #61151 - [
d60a6cebd5] - build: update test-wpt-report to use NODE instead of OUT_NODE (Filip Skokan) #61024 - [
34ccf187f5] - build: skip build-ci on actions with a separate test step (Chengzhong Wu) #61073 - [
7b19e101a2] - build: run embedtest with node_g when BUILDTYPE=Debug (Chengzhong Wu) #60850 - [
9408c4459f] - build: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) #59984 - [
2166ec7f0f] - build: use call command when calling python configure (Jacob Nichols) #60098 - [
73ef70145d] - build: remove V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE defs (Joyee Cheung) #60296 - [
7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #59983 - [
508ce6ec6c] - build, src: fix include paths for vtune files (Rahul) #59999 - [
c89d3cd570] - build,tools: fix addon build deadlock on errors (Vladimir Morozov) #61321 - [
40904a0591] - build,win: update WinGet configurations to Python 3.14 (Mike McCready) #61431 - [
6d6742e7db] - child_process: treat ipc length header as unsigned uint32 (Ryuhei Shima) #61344 - [
6063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #60956 - [
3d324a0f88] - cluster: fix port reuse between cluster (Ryuhei Shima) #60141 - [
40a58709b4] - console: optimize single-string logging (Gürgün Dayıoğlu) #60422 - [
d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419 - [
4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741 - [
a87499ae25] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #60662 - [
8c65cc11e2] - crypto: update root certificates to NSS 3.116 (Node.js GitHub Bot) #59956 - [
91dc00a2c1] - debugger: fix event listener leak in the run command (Joyee Cheung) #60464 - [
0781bd3764] - deps: V8: backport 6a0a25abaed3 (Vivian Wang) #61688 - [
0cf1f9c3e9] - deps: update googletest to 85087857ad10bd407cd6ed2f52f7ea9752db621f (Node.js GitHub Bot) #61417 - [
521b4b1f07] - deps: update sqlite to 3.51.2 (Node.js GitHub Bot) #61339 - [
58b9d219a3] - *deps...
Contributors
ChALkeR, watilde, and avivkeller
Assets 2
2026-03-05, Version 20.20.1 'Iron' (LTS), @marco-ippolito
v20.20.1
This tag was signed with the committer’s verified signature.
marco-ippolito
Marco Ippolito
eb53343
This commit was signed with the committer’s verified signature.
marco-ippolito
Marco Ippolito
Notable Changes
- [
91a66e671c] - build: test on Python 3.14 (Christian Clauss) #59983 - [
f66056054b] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419 - [
80feacaddb] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741
Commits
- [
6f580d5399] - assert: fix deepEqual always return true on URL (Xuguang Mei) #50853 - [
91a66e671c] - build: test on Python 3.14 (Christian Clauss) #59983 - [
cc4f7af6f3] - build: skip sscache action on non-main branches (Joyee Cheung) #61790 - [
f66056054b] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419 - [
80feacaddb] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741 - [
fa88cc07e2] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #60662 - [
88b2eec88a] - deps: update minimatch to 10.2.2 (Node.js GitHub Bot) #61830 - [
5c053264f1] - deps: V8: backport 6a0a25abaed3 (Vivian Wang) #61687 - [
4a398699d0] - deps: update googletest to 5a9c3f9e8d9b90bbbe8feb32902146cb8f7c1757 (Node.js GitHub Bot) #61731 - [
4fa43adf15] - deps: update googletest to 56efe3983185e3f37e43415d1afa97e3860f187f (Node.js GitHub Bot) #61605 - [
1a855d490c] - deps: update googletest to 85087857ad10bd407cd6ed2f52f7ea9752db621f (Node.js GitHub Bot) #61417 - [
d8a9359826] - deps: update icu to 78.2 (Node.js GitHub Bot) #60523 - [
e79cd3a0bb] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #61928 - [
0707ade464] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #61925 - [
dc5a3cddef] - deps: update llhttp to 9.3.1 (Node.js GitHub Bot) #61827 - [
46043b94c7] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #61135 - [
6be15a596e] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #61271 - [
10881404cd] - deps: update timezone to 2025c (Node.js GitHub Bot) #61138 - [
1594a78c85] - deps: update googletest to 065127f1e4b46c5f14fc73cf8d323c221f9dc68e (Node.js GitHub Bot) #61055 - [
7fa2ee1933] - deps: update zlib to 1.3.1-63d7e16 (Node.js GitHub Bot) #60898 - [
09259532ef] - deps: update googletest to 1b96fa13f549387b7549cc89e1a785cf143a1a50 (Node.js GitHub Bot) #60739 - [
aa8bdb6886] - deps: update cjs-module-lexer to 2.1.1 (Node.js GitHub Bot) #60646 - [
cc849fde27] - deps: update googletest to 279f847 (Node.js GitHub Bot) #60219 - [
a99ba553a2] - deps: update googletest to 50b8600 (Node.js GitHub Bot) #59955 - [
6349a79f5f] - deps: update googletest to 7e17b15 (Node.js GitHub Bot) #59131 - [
8ba759f1a0] - deps: update googletest to 35b75a2 (Node.js GitHub Bot) #58710 - [
927d906850] - deps: update googletest to e9092b1 (Node.js GitHub Bot) #58565 - [
bf8919f5c2] - deps: update googletest to 0bdccf4 (Node.js GitHub Bot) #57380 - [
ae6231dac0] - deps: update googletest to e235eb3 (Node.js GitHub Bot) #56873 - [
0561c62e85] - deps: update minimatch to 10.1.2 (Node.js GitHub Bot) #61732 - [
f0ef221b0d] - deps: update minimatch to 10.1.1 (Node.js GitHub Bot) #60543 - [
15bd0da404] - deps: update archs files for openssl (Antoine du Hamel) #61912 - [
04d439323f] - deps: upgrade openssl sources to openssl-3.0.19 (Antoine du Hamel) #61912 - [
2ea16d3bd6] - deps: update corepack to 0.34.6 (Node.js GitHub Bot) #61510 - [
622f973d1c] - deps: update corepack to 0.34.5 (Node.js GitHub Bot) #60842 - [
2cd265d8b9] - deps: update corepack to 0.34.4 (Node.js GitHub Bot) #60643 - [
65e839687b] - deps: update corepack to 0.34.2 (Node.js GitHub Bot) #60550 - [
2dc99d2771] - dns: fix Windows SRV ECONNREFUSED by adjusting c-ares fallback detection (notvivek12) #61453 - [
2c7b84b1d8] - doc: fix typo in http.md (Michael Solomon) #59354 - [
a84b42667c] - doc: fix grammar in global dispatcher usage (Eng Zer Jun) #59344 - [
ffd0ada45f] - doc: fix typo intest/common/README.md(Yoo) #59180 - [
b4d9d006e7] - doc: fix broken sentence inURL.parse(Superchupu) #59164 - [
45e9971d9c] - doc: fix typo in writing-test.md (SeokHun) #59123 - [
e9fd10b5d6] - doc: fixfetchsubsections inglobals.md(Antoine du Hamel) #58933 - [
3715dd1c2b] - doc: fix wrong RFC number in http2 (Deokjin Kim) #58753 - [
098c017eac] - doc: punctuation fix for Node-API versioning clarification (Jiacai Liu) #58599 - [
545bf434e1] - doc: fix typo of filehttp.md,outgoingMessage.setTimeoutsection (yusheng chen) #58188 - [
b3d6683e7b] - doc: support toolchain with Visual Studio 2019 & 2022 only (Mike McCready) #61450 - [
8fdde5d110] - doc: fix v20 changelog after security release (Marco Ippolito) #61371 - [
31d04599be] - http: fix ...
2026-03-03, Version 25.8.0 (Current), @richardlau
v25.8.0
This tag was signed with the committer’s verified signature.
richardlau
Richard Lau
ae94abf
This commit was signed with the committer’s verified signature.
richardlau
Richard Lau
Notable Changes
- [
e55eddea2a] - build, doc: use new api doc tooling (flakey5) #57343 - [
4c181e2277] - (SEMVER-MINOR) sqlite: add limits property to DatabaseSync (Mert Can Altin) #61298 - [
46ee1eddd7] - (SEMVER-MINOR) src: add C++ support for diagnostics channels (RafaelGSS) #61869 - [
9ddd1a9c27] - (SEMVER-MINOR) src,permission: add --permission-audit (RafaelGSS) #61869 - [
0d97ec4044] - (SEMVER-MINOR) test_runner: expose worker ID for concurrent test execution (Ali Hassan) #61394
Commits
- [
940b58c8c1] - buffer: optimize buffer.concat performance (Mert Can Altin) #61721 - [
0589b0e5a1] - build: fix GN for new merve dep (Shelley Vohr) #61984 - [
f3d3968dcd] - Revert "build: add temporal test on GHA windows" (Antoine du Hamel) #61810 - [
e55eddea2a] - build, doc: use new api doc tooling (flakey5) #57343 - [
b7715292f8] - child_process: add tracing channel for spawn (Marco) #61836 - [
a32a598748] - crypto: fix missing nullptr check on RSA_new() (ndossche) #61888 - [
dc384f95b3] - crypto: fix handling of null BUF_MEM* in ToV8Value() (Nora Dossche) #61885 - [
3337b095db] - crypto: fix potential null pointer dereference when BIO_meth_new() fails (Nora Dossche) #61788 - [
51ded81139] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #62035 - [
8aa2fde931] - deps: update minimatch to 10.2.4 (Node.js GitHub Bot) #62016 - [
57dc092eaf] - deps: upgrade npm to 11.11.0 (npm team) #61994 - [
705bbd60a9] - deps: update simdjson to 4.3.1 (Node.js GitHub Bot) #61930 - [
4d411d72e5] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #61928 - [
f53a32ab84] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #61925 - [
9b483fbb27] - deps: update minimatch to 10.2.2 (Node.js GitHub Bot) #61830 - [
4e54c103cb] - doc: separate in-types and out-types in SQLite conversion docs (René) #62034 - [
ca78ebbeaa] - doc: fix small logic error in DETECT_MODULE_SYNTAX (René) #62025 - [
e6b131f3fe] - doc: fix module.stripTypeScriptTypes indentation (René) #61992 - [
7508540e19] - doc: update DEP0040 (punycode) to application type deprecation (Mike McCready) #61916 - [
33a364cb62] - doc: explicitly mention Slack handle (Rafael Gonzaga) #61986 - [
46a61922bd] - doc: support toolchain Visual Studio 2022 & 2026 + Windows 11 SDK (Mike McCready) #61864 - [
dc12a257aa] - doc: rename invalidfunctionparameter (René) #61942 - [
dafdc0a5b8] - http: validate headers in writeEarlyHints (Richard Clarke) #61897 - [
3c94b56fa6] - inspector: unwrap internal/debugger/inspect imports (René) #61974 - [
8a24c17648] - lib: improve argument handling in Blob constructor (Ms2ger) #61980 - [
21d4baf256] - meta: bump github/codeql-action from 4.32.0 to 4.32.4 (dependabot[bot]) #61911 - [
59a726a8e3] - meta: bump step-security/harden-runner from 2.14.1 to 2.14.2 (dependabot[bot]) #61909 - [
0072b7f991] - meta: bump actions/stale from 10.1.1 to 10.2.0 (dependabot[bot]) #61908 - [
999bf22f47] - repl: keep reference count forprocess.on('newListener')(Anna Henningsen) #61895 - [
4c181e2277] - (SEMVER-MINOR) sqlite: add limits property to DatabaseSync (Mert Can Altin) #61298 - [
aee2a18257] - src: fix flags argument offset in JSUdpWrap (Weixie Cui) #61948 - [
46ee1eddd7] - (SEMVER-MINOR) src: add C++ support for diagnostics channels (RafaelGSS) #61869 - [
9ddd1a9c27] - (SEMVER-MINOR) src,permission: add --permission-audit (RafaelGSS) #61869 - [
ea2df2a16f] - stream: fix pipeTo to defer writes per WHATWG spec (Matteo Collina) #61800 - [
aa0c7b09e0] - test: remove unnecessaryprocess.exitcalls from test files (Antoine du Hamel) #62020 - [
ad96a6578f] - test: skiptest-urlon--shared-adabuilds (Antoine du Hamel) #62019 - [
7c72a31e4b] - test: skip strace test with shared openssl (Richard Lau) #61987 - [
604456c163] - test: avoid flaky debugger restart waits (Yuya Inoue) #61773 - [
4890d6bd43] - test_runner: run afterEach on runtime skip (Igor Shevelenkov) #61525 - [
fce2930110] - test_runner: expose expectFailure message (sangwook) #61563 - [
0d97ec4044] - (SEMVER-MINOR) test_runner: expose worker ID for concurrent test execution (Ali Hassan) #61394 - [
243e6b2009] - test_runner: replace native methods with primordials (Ayoub Mabrouk) #61219 - [
bf1ed7e647] - tls: forward keepAlive, keepAliveInitialDelay, noDelay to socket (Sergey Zelenov) #62004 - [
0f15079d94] - tools: remove custom logic for skippingtest-strace-openat-openssl(Antoine du Hamel) #62038 - [
54a055a59d] - tools: bump minimatch from 3.1.2 to 3.1.3 in/tools/clang-format(dependabot[bot]) #61977 - [
a28744cb62] - tools: fix permissions for merve update script (Richard Lau) #62023 - [[
31e7936354](https://...
2026-02-24, Version 25.7.0 (Current), @ruyadorno prepared by @aduh95
Notable Changes
- [
b0a79b10f0] - (SEMVER-MINOR) http2: add http1Options for HTTP/1 fallback configuration (Amol Yadav) #61713 - [
2d874dfb8e] - (SEMVER-MINOR) sea: support ESM entry point in SEA (Joyee Cheung) #61813 - [
ee59127664] - sqlite: mark as release candidate (Matteo Collina) #61262 - [
608736e19e] - (SEMVER-MINOR) stream: renameDuplex.toWeb()type option toreadableType(René) #61632 - [
a43375999f] - (SEMVER-MINOR) test_runner: show interrupted test on SIGINT (Matteo Collina) #61676
Commits
- [
ab4375e141] - benchmark: add startup benchmark for ESM entrypoint (Joyee Cheung) #61769 - [
8d83d8026b] - build: add temporal test on GHA windows (Chengzhong Wu) #61810 - [
aab153eec3] - build: skip sscache action on non-main branches (Joyee Cheung) #61790 - [
9e40fb93bc] - build: use path-ignore in GHA coverage-windows.yml (Chengzhong Wu) #61811 - [
4896653361] - build: generate_config_gypi.py generates valid JSON (Shelley Vohr) #61791 - [
bb82b44de0] - build: build with v8 gdbjit support on supported platform (Joyee Cheung) #61010 - [
e7173a093a] - build: show cc outputs when version detection failed (Chengzhong Wu) #61700 - [
848050d38f] - build,win: add WinGet Visual Studio 2022 Build Tools Edition config (Mike McCready) #61652 - [
938841e1cd] - crypto: always return certificate serial numbers as uppercase (Anna Henningsen) #61752 - [
dba9001d6f] - deps: upgrade npm to 11.10.1 (npm team) #61892 - [
75c8e18d2f] - deps: update nbytes to 0.1.3 (Node.js GitHub Bot) #61879 - [
4ca1597f25] - deps: remove stale OpenSSL arch configs (René) #61834 - [
c4f298c729] - deps: update llhttp to 9.3.1 (Node.js GitHub Bot) #61827 - [
7d63a2df93] - deps: V8: cherry-pick 64b36b441179 (Rafael Magrin) #61712 - [
241a6b7088] - deps: update googletest to 5a9c3f9e8d9b90bbbe8feb32902146cb8f7c1757 (Node.js GitHub Bot) #61731 - [
eec896c0e0] - deps: V8: backport 6a0a25abaed3 (Vivian Wang) #61666 - [
5a9874af09] - doc: clarify status of feature request issues (Antoine du Hamel) #61505 - [
0648ac64aa] - doc: add esm and cjs examples to node:vm (Alfredo González) #61498 - [
8b38718294] - doc: clarify build environment is trusted in threat model (Matteo Collina) #61865 - [
10e86818ee] - doc: remove incorrect mention ofmoduleintypescript.md(Rob Palmer) #61839 - [
b50376f527] - doc: simplify addAbortListener example (Chemi Atlow) #61842 - [
dea0e7a856] - doc: fix typo in --disable-wasm-trap-handler description (Dmytro Semchuk) #61820 - [
57ac1f5aa0] - doc: clean up globals.md (René) #61822 - [
4c30d2bb4d] - doc: remove obsolete Boxstarter automated install (Mike McCready) #61785 - [
db610b9e32] - doc: clarify async caveats forevents.once()(René) #61572 - [
b4a826b11c] - doc: update Juan's security steward info (Juan José) #61754 - [
7d9cc5dc54] - doc: fix methods being documented as properties inprocess.md(Antoine du Hamel) #61765 - [
aa0362c26a] - doc: add riscv64 info into platform list (Lu Yahan) #42251 - [
9b0101b65b] - doc: fix dropdown menu being obscured at <600px due to stacking context (Jeff) #61735 - [
df2c65b3e4] - doc: fix spacing in process message event (Aviv Keller) #61756 - [
01018559f5] - doc: move describe/it aliases section before expectFailure (Luca Raveri) #61567 - [
49443583af] - doc: fix broken links of net.md (YuSheng Chen) #61673 - [
af7c927a2a] - doc: clean up Windows code snippet inchild_process.md(reillylm) #61422 - [
221648a687] - esm: update outdated FIXME comment in translators.js (Karan Mangtani) #61715 - [
4484e14a31] - events: don't call resume after close (Сковорода Никита Андреевич) #60548 - [
4cecbe1f53] - fs: addthrowIfNoEntryoption for fs.stat and fs.promises.stat (Juan José) #61178 - [
2c94967684] - http: remove redundant keepAliveTimeoutBuffer assignment (Efe) #61743 - [
435f3dd8e4] - http: attach error handler to socket synchronously in onSocket (RajeshKumar11) #61770 - [
ce0ebd853d] - http: fix keep-alive socket reuse race in requestOnFinish (Martin Slota) #61710 - [
8103a78b6a] - http2: add strictSingleValueFields option to relax header validation (Tim Perry) #59917 - [
b0a79b10f0] - (SEMVER-MINOR) http2: add http1Options for HTTP/1 fallback configuration (Amol Yadav) #61713 - [
c589b6b23c] - http2: fix FileHandle leak in respondWithFile (sangwook) #61707 - [
df477202ae] - lib: reduce cycles in esm loader and load it in snapshot (Joyee Cheung) #61769 - [
deda50a819] - lib: remove top-level getOptionValue() calls in lib/internal/modules (Joyee Cheung) #61769 - [
b1c1ddff79] - lib: optimize styleText when validateStream is false (Rafael Gonzaga) #61792 - [
df334f7fa0] - meta: use SCCACHE_GHA_ENABLED for shared build workflows (René) #61640 - [[
e1b2cd605f](https://github.co...
2026-02-24, Version 24.14.0 'Krypton' (LTS), @ruyadorno prepared by @aduh95
Notable Changes
- [
8b6d31d379] - (SEMVER-MINOR) async_hooks: addtrackPromisesoption tocreateHook()(Joyee Cheung) #61415 - [
68da144b4e] - build,deps: replace cjs-module-lexer with merve (Yagiz Nizipli) #61456 - [
f3a24c76e4] - (SEMVER-MINOR) deps: add LIEF as a dependency (Joyee Cheung) #61167 - [
1948861d23] - (SEMVER-MINOR) events: repurposeevents.listenerCount()to accept EventTargets (René) #60214 - [
d6f7c8d06f] - (SEMVER-MINOR) fs: addignoreoption tofs.watch(Matteo Collina) #61433 - [
cb54b3ca6e] - (SEMVER-MINOR) http: addhttp.setGlobalProxyFromEnv()(Joyee Cheung) #60953 - [
35b1759d06] - (SEMVER-MINOR) module: allow subpath imports that start with#/(Jan Martin) #60864 - [
2d72ea66f2] - (SEMVER-MINOR) process: preserveAsyncLocalStorageinqueueMicrotaskonly when needed (Gürgün Dayıoğlu) #60913 - [
6f4a4f6c8e] - (SEMVER-MINOR) sea: split sea binary manipulation code (Joyee Cheung) #61167 - [
c0ceb9b065] - (SEMVER-MINOR) sqlite: enable defensive mode by default (Bart Louwers) #61266 - [
33d8e8303b] - (SEMVER-MINOR) sqlite: add sqlite prepare options args (Guilherme Araújo) #61311 - [
563ab699eb] - (SEMVER-MINOR) src: add initial support for ESM in embedder API (Joyee Cheung) #61548 - [
4c80031000] - (SEMVER-MINOR) stream: addbytes()method tonode:stream/consumers(wantaek) #60426 - [
f5233df4ff] - (SEMVER-MINOR) stream: do not passreadable.compose()output viaReadable.from()(René) #60907 - [
345a40fda3] - (SEMVER-MINOR) test: use fixture directories for sea tests (Joyee Cheung) #61167 - [
972f82411d] - (SEMVER-MINOR) test_runner: addenvoption torunfunction (Ethan Arrowood) #61367 - [
d77f98c4b6] - (SEMVER-MINOR) test_runner: support expecting a test-case to fail (Jacob Smith) #60669 - [
8e900af6ba] - (SEMVER-MINOR) util: addconvertProcessSignalToExitCodeutility (Erick Wendel) #60963
Commits
- [
180778fb9a] - assert: fix loose deepEqual arrays with undefined and null failing (Ruben Bridgewater) #61587 - [
8b6d31d379] - (SEMVER-MINOR) async_hooks: add trackPromises option to createHook() (Joyee Cheung) #61415 - [
83bcd38d35] - benchmark: add streaming TextDecoder benchmark (Сковорода Никита Андреевич) #61549 - [
4c105844c5] - build: add support for Visual Studio 2026 (Michaël Zasso) #60727 - [
1f84fd91d9] - build: skip sscache action on non-main branches (Joyee Cheung) #61790 - [
30601b680f] - build: add--shared-nbytesconfigure flag (Antoine du Hamel) #61341 - [
c6253eda49] - build: add--shared-hdr-histogramconfigure flag (Antoine du Hamel) #61280 - [
584c189037] - build: add--shared-gtestconfigure flag (Antoine du Hamel) #61279 - [
5998987881] - build: aix: deoptimize implementation-visitor.cc with --shared (Stewart X Addison) #61550 - [
68da144b4e] - build,deps: replace cjs-module-lexer with merve (Yagiz Nizipli) #61456 - [
6a4511bafb] - build,win: fix vs2022 compilation (Stefan Stojanovic) #61530 - [
2d6735db8a] - deps: upgrade npm to 11.9.0 (npm team) #61685 - [
699e2f8f81] - deps: update amaro to 1.1.7 (Node.js GitHub Bot) #61730 - [
7be76316d6] - deps: update minimatch to 10.1.2 (Node.js GitHub Bot) #61732 - [
97e5a65013] - deps: update undici to 7.21.0 (Node.js GitHub Bot) #61683 - [
74e4710ee7] - deps: update googletest to 56efe3983185e3f37e43415d1afa97e3860f187f (Node.js GitHub Bot) #61605 - [
b5113e2a2a] - deps: update amaro to 1.1.6 (Node.js GitHub Bot) #61603 - [
f3a24c76e4] - (SEMVER-MINOR) deps: add LIEF as a dependency (Joyee Cheung) #61167 - [
c370c3dc06] - (SEMVER-MINOR) deps: add tools and scripts to pull LIEF as a dependency (Joyee Cheung) #61167 - [
e54975e17d] - deps: V8: cherry-pick highway@dcc0ca1cd42 (Richard Lau) #61008 - [
625b90b76b] - deps: update undici to 7.19.2 (Node.js GitHub Bot) #61566 - [
05e9a9fb5e] - deps: update undici to 7.19.1 (Node.js GitHub Bot) #61514 - [
3d41643e38] - deps: update undici to 7.19.0 (Node.js GitHub Bot) #61470 - [
17b363a66c] - dns: fix Windows SRV ECONNREFUSED by adjusting c-ares fallback detection (notvivek12) #61453 - [
33d0a8c22d] - doc: clarify EventEmitter error handling in threat model (Matteo Collina) #61701 - [
5b8e72cf85] - doc: mention default option for test runner env (Steven) #61659 - [
f44e67fac2] - doc: fix --inspect security warning section (Tim Perry) #61675 - [
a0e09c9043] - doc: documenturl.format(urlString)as deprecated under DEP0169 (René) #61644 - [
5e719248fe] - doc: deprecation add more codemod (Augustin Mauroy) #61642 - [
8f5a3e5df4] - doc: fix grammatical error in README.md (ayj8201) #61653 - [
d52b535163] - doc: correct tools README Boxstarter link (Mike McCready) #61638 - [
4889dc4f59] - doc: updateserver.dropMaxConnectionlink (YuSheng Chen) #61584 - [[
8e48e72f2a](https://github.com/nodejs/n...