Update Node.js to v22.22.3

This MR contains the following updates:

Package	Type	Update	Change
node (source)		minor	v22.20.0 → 22.22.3
node	image	minor	22.20-alpine3.22 → 22.22-alpine3.22
node	final	minor	22.20-alpine3.22 → 22.22-alpine3.22
node	stage	minor	22.20-alpine3.22 → 22.22-alpine3.22

---

Release Notes

nodejs/node (node)

v22.22.3: 2026-05-13, Version 22.22.3 'Jod' (LTS), @​marco-ippolito

Compare Source

Commits

• [4f780905c5] - crypto: fix potential null pointer dereference when BIO_meth_new() fails (Nora Dossche) #​61788
• [4a09efb947] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #​62485
• [e4c0d99839] - deps: update timezone to 2026a (Node.js GitHub Bot) #​62164
• [0226c8dd7a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #​62382
• [e742ab748c] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #​62256
• [73cac0571a] - deps: update amaro to 1.1.8 (Node.js GitHub Bot) #​62151
• [ae5c162b93] - deps: update amaro to 1.1.7 (Node.js GitHub Bot) #​61730
• [b819cb9977] - deps: update amaro to 1.1.6 (Node.js GitHub Bot) #​61603
• [bbcce09dc7] - deps: update sqlite to 3.52.0 (Node.js GitHub Bot) #​62150
• [22ff2d81ce] - deps: update simdjson to 4.3.1 (Node.js GitHub Bot) #​61930
• [f49b51d75c] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #​61928
• [1a5cec0d49] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #​61925
• [d339497688] - deps: update nbytes to 0.1.3 (Node.js GitHub Bot) #​61879
• [3ff8ffd459] - deps: remove stale OpenSSL arch configs (René) #​61834
• [b8ddbc1e9a] - deps: update llhttp to 9.3.1 (Node.js GitHub Bot) #​61827
• [ffda97afd4] - deps: update googletest to 2461743 (Node.js GitHub Bot) #​62484
• [79aa32cf4f] - deps: update googletest to 73a63ea (Node.js GitHub Bot) #​61927
• [b6957e13b6] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [3a27669063] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [d568a1bb53] - deps: upgrade npm to 10.9.8 (npm team) #​62463
• [ec11f3c1d5] - deps: V8: backport 85b3900 (Thibaud Michaud) #​62783
• [08609712ed] - deps: V8: backport 1b27e46 (Thibaud Michaud) #​62783
• [dcc60d5ab2] - deps: V8: backport 9997fc0 (Thibaud Michaud) #​62783
• [1d1f4451fb] - deps: V8: cherry-pick b96e40d (Clemens Backes) #​62783
• [2268567237] - deps: V8: cherry-pick 7cb6188 (Thibaud Michaud) #​62783
• [92804cdbea] - deps: V8: cherry-pick e7ccf0a (Thibaud Michaud) #​62783
• [eae2c27a40] - deps: V8: cherry-pick 8e214ec (Thibaud Michaud) #​62783
• [a1799a49bb] - deps: V8: backport 63b8849 (Thibaud Michaud) #​62783
• [a2df2d8731] - deps: V8: backport 3239427 (Thibaud Michaud) #​62783
• [e3d65c7dca] - deps: V8: backport 89dc6ea (Thibaud Michaud) #​62783
• [5e7db133de] - deps: V8: backport 910cb91 (Jakob Kummerow) #​62783
• [d0c24a28af] - deps: V8: cherry-pick b8f91e5 (Thibaud Michaud) #​62783
• [d358687824] - deps: V8: cherry-pick cf03d55 (Thibaud Michaud) #​62783
• [67c8b2c349] - deps: V8: cherry-pick 692f3d5 (Sébastien Doeraene) #​62783
• [71e5a59ffd] - deps: V8: cherry-pick c734674 (Manos Koukoutos) #​62783
• [f0dbe81c7b] - deps: V8: cherry-pick b2f3aea (Thibaud Michaud) #​62783
• [d333f480c3] - deps: V8: cherry-pick 5f1342c (Matthias Liedtke) #​62783
• [db722725bb] - deps: use npm undici@​six tag in update-undici.sh (Matteo Collina) #​63012
• [9b57979d9c] - doc: add Rafael to last security release steward (Rafael Gonzaga) #​62423
• [d8075585bf] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #​62355
• [6ec9a70204] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #​62208
• [1fc86fcb6e] - doc: add note (and caveat) for mock.module about customization hooks (Jacob Smith) #​62075
• [491be80bd9] - doc: add efekrskl as triager (Efe) #​61876
• [18558293a3] - doc: fix module.stripTypeScriptTypes indentation (René) #​61992
• [8e20976522] - doc: explicitly mention Slack handle (Rafael Gonzaga) #​61986
• [70b8e6b4fb] - doc: rename invalid function parameter (René) #​61942
• [4045c76f6c] - doc: clarify status of feature request issues (Antoine du Hamel) #​61505
• [c54652f2aa] - doc: remove incorrect mention of module in typescript.md (Rob Palmer) #​61839
• [9fad6cedf5] - doc: clarify async caveats for events.once() (René) #​61572
• [2f1e5733fe] - doc: update Juan's security steward info (Juan José) #​61754
• [a64bdb5068] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #​62206
• [02797de923] - doc: fix small environment_variables typo (chris) #​62279
• [f22ebdc809] - doc: fix small logic error in DETECT_MODULE_SYNTAX (René) #​62025
• [9f4508062a] - doc: fix methods being documented as properties in process.md (Antoine du Hamel) #​61765
• [3ea39ff135] - doc: fix dropdown menu being obscured at <600px due to stacking context (Jeff) #​61735
• [c22445079b] - doc: fix spacing in process message event (Aviv Keller) #​61756
• [32831b5223] - doc: fix broken links of net.md (YuSheng Chen) #​61673
• [005508d509] - doc: remove obsolete Boxstarter automated install (Mike McCready) #​61785
• [37c2fd6f7d] - esm: fix path normalization in finalizeResolution (Antoine du Hamel) #​62080
• [1769d74613] - esm: populate separate cache for require(esm) in imported CJS (Joyee Cheung) #​59679
• [ee02966ffc] - http: fix keep-alive socket reuse race in requestOnFinish (Martin Slota) #​61710
• [2fdb5ce6cc] - http2: fix FileHandle leak in respondWithFile (sangwook) #​61707
• [aa2c1eca04] - lib: fix source map url parse in dynamic imports (Chengzhong Wu) #​61990
• [785b00cbeb] - meta: pass release version to release worker (flakey5) #​62777
• [447fb9a0b5] - meta: persist sccache daemon until end of build workflows (René) #​61639
• [5065a0acb3] - module: do not invoke resolve hooks twice for imported cjs (Joyee Cheung) #​61529
• [9a2e21305d] - module: do not wrap module._load when tracing is not enabled (Joyee Cheung) #​61479
• [b9240bc063] - module: fix sync resolve hooks for require with node: prefixes (Joyee Cheung) #​61088
• [2e91b28aaf] - module: handle null source from async loader hooks in sync hooks (Joyee Cheung) #​59929
• [39147c154e] - module: use sync cjs when importing cts (Marco Ippolito) #​60072
• [12a2462b2c] - module: only put directly require-d ESM into require.cache (Joyee Cheung) #​59874
• [cf39566277] - src: fix flags argument offset in JSUdpWrap (Weixie Cui) #​61948
• [578a9a9230] - src: clamp WriteUtf8 capacity to INT_MAX in EncodeInto (semimikoh) #​62621
• [57c3035fec] - stream: fix decoded fromList chunk boundary check (Thomas Watson) #​61884
• [57fb008bb8] - test: update tls junk data error expectations (Filip Skokan) #​62629
• [363f9a9d18] - test: skip test-url on --shared-ada builds (Antoine du Hamel) #​62019
• [daaead342b] - test: simplify encodeInto large buffer regression test (semimikoh) #​62621
• [ecfa766b41] - tools: fix auto-start-ci (Antoine du Hamel) #​61900
• [17c0a610af] - tools: fix parsing of commit trailers in lint-release-proposal GHA (Antoine du Hamel) #​62077
• [89ad7dc63b] - tools: enforce removal of lts-watch-* labels on release proposals (Antoine du Hamel) #​61672
• [5f9bb8ef0c] - tools: revert tools GHA workflow to ubuntu-latest (Richard Lau) #​62024
• [977ef80ac1] - url: process crash via malformed UNC hostname in pathToFileURL() (Nicola Del Gobbo) #​62574
• [ad8f518a81] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #​62325

v22.22.2: 2026-03-24, Version 22.22.2 'Jod' (LTS), @​RafaelGSS prepared by @​aduh95

Compare Source

This is a security release.

Notable Changes

• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low

Commits

• [6f14ee5101] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#809
• [52a52ef619] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#822
• [30a3ab11e2] - (CVE-2026-21717) deps: V8: cherry-pick aac14dd (Joyee Cheung) nodejs-private/node-private#809
• [e3f4d6a42e] - (CVE-2026-21717) deps: V8: backport 1361b2a (Joyee Cheung) nodejs-private/node-private#809
• [7dc00fa5f4] - (CVE-2026-21717) deps: V8: backport 185f0fe (Joyee Cheung) nodejs-private/node-private#809
• [076acd052d] - (CVE-2026-21717) deps: V8: backport 0a8b1cd (snek) nodejs-private/node-private#809
• [963c60a951] - deps: V8: override depot_tools version (Richard Lau) #​62344
• [a688117d5d] - deps: upgrade npm to 10.9.7 (npm team) #​62330
• [859c8c761b] - deps: update undici to v6.24.1 (Matteo Collina) #​62285
• [d5ed384a2f] - deps: upgrade npm to 10.9.6 (npm team) #​62215
• [a2fe9fd81a] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [73deff77c1] - lib: backport _tls_common and _tls_wrap refactors (Dario Piotrowicz) #​57643
• [06fc3436f6] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
• [db48d9c675] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
• [2a6105a63b] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [91b970886f] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

v22.22.1: 2026-03-05, Version 22.22.1 'Jod' (LTS)

Compare Source

Notable Changes

• [7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #​59983
• [6063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #​60956
• [d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #​61419
• [4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #​60741
• [b6ebf2cd53] - doc: add avivkeller to collaborators (Aviv Keller) #​61115
• [35854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #​61094
• [5c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #​60714

Commits

• [5f773488c2] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #​61076
• [feecbb0eab] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #​61388
• [096095b127] - benchmark: add SQLite benchmarks (Guilherme Araújo) #​61401
• [b5fe481415] - benchmark: use boolean options in benchmark tests (SeokhunEom) #​60129
• [fa9faacacb] - benchmark: allow boolean option values (SeokhunEom) #​60129
• [ba8714ac21] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #​60841
• [53596de876] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #​60663
• [e8930e9d7c] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #​60603
• [1155e412b1] - benchmark: add per-suite setup option (Joyee Cheung) #​60574
• [e01903d304] - benchmark: improve cpu.sh for safety and usability (Nam Yooseong) #​60162
• [623a405747] - benchmark: add benchmark for leaf source text modules (Joyee Cheung) #​60205
• [7f5e7b9f7f] - benchmark: add microbench on isInsideNodeModules (Chengzhong Wu) #​60991
• [db132b85a8] - bootstrap: initialize http proxy after user module loader setup (Joyee Cheung) #​58938
• [66aab9f987] - buffer: let Buffer.of use heap (Сковорода Никита Андреевич) #​60503
• [c3cf00c671] - buffer: speed up concat via TypedArray#set (Gürgün Dayıoğlu) #​60399
• [f6fad231e9] - build: skip sscache action on non-main branches (Joyee Cheung) #​61790
• [2145f91f6b] - build: update android-patches/trap-handler.h.patch (Mo Luo) #​60369
• [5b49759dd8] - build: update devcontainer.json to use paired nix env (Joyee Cheung) #​61414
• [24724cde40] - build: fix misplaced comma in ldflags (hqzing) #​61294
• [c57a19934e] - build: fix crate vendor file checksums on windows (Chengzhong Wu) #​61329
• [8659d7cd07] - build: fix inconsistent quoting in Makefile (Antoine du Hamel) #​60511
• [44f339b315] - build: remove temporal updater (Chengzhong Wu) #​61151
• [d60a6cebd5] - build: update test-wpt-report to use NODE instead of OUT_NODE (Filip Skokan) #​61024
• [34ccf187f5] - build: skip build-ci on actions with a separate test step (Chengzhong Wu) #​61073
• [7b19e101a2] - build: run embedtest with node_g when BUILDTYPE=Debug (Chengzhong Wu) #​60850
• [9408c4459f] - build: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) #​59984
• [2166ec7f0f] - build: use call command when calling python configure (Jacob Nichols) #​60098
• [73ef70145d] - build: remove V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE defs (Joyee Cheung) #​60296
• [7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #​59983
• [508ce6ec6c] - build, src: fix include paths for vtune files (Rahul) #​59999
• [c89d3cd570] - build,tools: fix addon build deadlock on errors (Vladimir Morozov) #​61321
• [40904a0591] - build,win: update WinGet configurations to Python 3.14 (Mike McCready) #​61431
• [6d6742e7db] - child_process: treat ipc length header as unsigned uint32 (Ryuhei Shima) #​61344
• [6063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #​60956
• [3d324a0f88] - cluster: fix port reuse between cluster (Ryuhei Shima) #​60141
• [40a58709b4] - console: optimize single-string logging (Gürgün Dayıoğlu) #​60422
• [d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #​61419
• [4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #​60741
• [a87499ae25] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #​60662
• [8c65cc11e2] - crypto: update root certificates to NSS 3.116 (Node.js GitHub Bot) #​59956
• [91dc00a2c1] - debugger: fix event listener leak in the run command (Joyee Cheung) #​60464
• [0781bd3764] - deps: V8: backport 6a0a25a (Vivian Wang) #​61688
• [0cf1f9c3e9] - deps: update googletest to 8508785 (Node.js GitHub Bot) #​61417
• [521b4b1f07] - deps: update sqlite to 3.51.2 (Node.js GitHub Bot) #​61339
• [58b9d219a3] - deps: update icu to 78.2 (Node.js GitHub Bot) #​60523
• [cbc1e4306d] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #​61135
• [db59c35ed8] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #​61271
• [c18518ee3c] - deps: update nbytes to 0.1.2 (Node.js GitHub Bot) #​61270
• [376df62d63] - deps: update timezone to 2025c (Node.js GitHub Bot) #​61138
• [993e905302] - deps: update simdjson to 4.2.4 (Node.js GitHub Bot) #​61056
• [b72fd2a5d3] - deps: update googletest to 065127f (Node.js GitHub Bot) #​61055
• [d765147405] - deps: update sqlite to 3.51.1 (Node.js GitHub Bot) #​60899
• [37abe2a7d2] - deps: update zlib to 1.3.1-63d7e16 (Node.js GitHub Bot) #​60898
• [97241fcb86] - deps: update sqlite to 3.51.0 (Node.js GitHub Bot) #​60614
• [3669c7b4f4] - deps: update simdjson to 4.2.2 (Node.js GitHub Bot) #​60740
• [9a056ec89c] - deps: update googletest to 1b96fa1 (Node.js GitHub Bot) #​60739
• [b5803b3ea0] - deps: update minimatch to 10.1.1 (Node.js GitHub Bot) #​60543
• [5bf99f3d46] - deps: update cjs-module-lexer to 2.1.1 (Node.js GitHub Bot) #​60646
• [801f187357] - deps: update simdjson to 4.2.1 (Node.js GitHub Bot) #​60644
• [03c16e5a4c] - deps: update simdjson to 4.1.0 (Node.js GitHub Bot) #​60542
• [2ebfc2ca56] - deps: update amaro to 1.1.5 (Node.js GitHub Bot) #​60541
• [d24ba4fed6] - deps: update simdjson to 4.0.7 (Node.js GitHub Bot) #​59883
• [9480a139bf] - deps: update googletest to 279f847 (Node.js GitHub Bot) #​60219
• [635e67379e] - deps: update archs files for openssl-3.5.5 (Node.js GitHub Bot) #​61547
• [c7b774047d] - deps: upgrade openssl sources to openssl-3.5.5 (Node.js GitHub Bot) #​61547
• [5b324d7d7f] - deps: update corepack to 0.34.6 (Node.js GitHub Bot) #​61510
• [eef8ba0667] - deps: update corepack to 0.34.5 (Node.js GitHub Bot) #​60842
• [490f7c7fb1] - deps: update corepack to 0.34.4 (Node.js GitHub Bot) #​60643
• [66903ea3b3] - deps: update corepack to 0.34.2 (Node.js GitHub Bot) #​60550
• [a2f0b69282] - deps: update corepack to 0.34.1 (Node.js GitHub Bot) #​60314
• [c8044a48a6] - deps: V8: backport 2e4c5cf (Michaël Zasso) #​60654
• [642f518198] - doc: supported toolchain with Visual Studio 2022 only (Mike McCready) #​61451
• [625f674487] - doc: move Security-Team from TSC to SECURITY (Rafael Gonzaga) #​61495
• [029e32f8ba] - doc: added requestOCSP option to tls.connect (ikeyan) #​61064
• [68e33dfa89] - doc: restore @​ChALkeR to collaborators (Сковорода Никита Андреевич) #​61553
• [e016770d62] - doc: update IBM/Red Hat volunteers with dedicated project time (Beth Griggs) #​61588
• [ec63954657] - doc: mention constructor comparison in assert.deepStrictEqual (Hamza Kargin) #​60253
• [c8e1563a98] - doc: add CVE delay mention (Rafael Gonzaga) #​61465
• [4b00cf2b54] - doc: include OpenJSF handle for security stewards (Rafael Gonzaga) #​61454
• [4b73bf5bc8] - doc: clarify process.argv[1] behavior for -e/--eval (Jeevankumar S) #​61366
• [d3151df4b3] - doc: remove Windows Dev Home instructions from BUILDING (Mike McCready) #​61434
• [2323462e35] - doc: clarify TypedArray properties on Buffer (Roman Reiss) #​61355
• [6c5478c8b2] - doc: note resume build should not be done on node-test-commit (Stewart X Addison) #​61373
• [ba4a043103] - doc: refine WebAssembly error documentation (sangwook) #​61382
• [cd315ea589] - doc: add deprecation history for url.parse (Eng Zer Jun) #​61389
• [42db0c392d] - doc: add marco and rafael in last sec release (Marco Ippolito) #​61383
• [4c3b680fc7] - doc: packages: example of private import switch to internal (coderaiser) #​61343
• [684d15e421] - doc: add esm and cjs examples to node:v8 (Alfredo González) #​61328
• [c3f9c7a7d9] - doc: added 'secure' event to tls.TLSSocket (ikeyan) #​61066
• [aa9acad5ca] - doc: restore @​watilde to collaborators (Daijiro Wachi) #​61350
• [9cafec084e] - doc: run license-builder (github-actions[bot]) #​61348
• [cdb12ccbc6] - doc: document ALPNCallback option for TLSSocket constructor (ikeyan) #​61331
• [461c5e65c5] - doc: update MDN links (Livia Medeiros) #​61062
• [dde45baeab] - doc: add documentation for process.traceProcessWarnings (Alireza Ebrahimkhani) #​53641
• [59a7aeec92] - doc: fix filename typo (Hardanish Singh) #​61297
• [9a0a40d1ed] - doc: fix typos and grammar in BUILDING.md & onboarding.md (Hardanish Singh) #​61267
• [dca7005f9d] - doc: mention --newVersion release script (Rafael Gonzaga) #​61255
• [c0dc8ddf85] - doc: correct typo in api contributing doc (Mike McCready) #​61260
• [066af38fe1] - doc: add MR-URL requirement for security backports (Rafael Gonzaga) #​61256
• [71dd46bd0c] - doc: add reusePort error behavior to net module (mag123c) #​61250
• [f6abe3ba33] - doc: note corepack package removal in distribution doc (Mike McCready) #​61207
• [9059d49d8c] - doc: fix tls.connect() timeout documentation (Azad Gupta) #​61079
• [e7b34b76b0] - doc: missing passed, error and passed properties on TestContext (Xavier Stouder) #​61185
• [9ae2dcfbb6] - doc: clarify threat model for application-level API exposure (Rafael Gonzaga) #​61184
• [9902331a7c] - doc: correct options for net.Socket class and socket.connect (Xavier Stouder) #​61179
• [a80122d2fe] - doc: document error event on readline InterfaceConstructor (Xavier Stouder) #​61170
• [38d73c9cfa] - doc: add a smooth scrolling effect to the sidebar (btea) #​59007
• [95c51fa984] - doc: correct invalid collaborator profile (JJ) #​61091
• [f5a044763c] - doc: exclude compile-time flag features from security policy (Matteo Collina) #​61109
• [b6ebf2cd53] - doc: add @​avivkeller to collaborators (Aviv Keller) #​61115
• [35854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #​61094
• [4932322c29] - doc: add File modes cross-references in fs methods (Mohit Raj Saxena) #​60286
• [c84904e047] - doc: add missing zstd to mjs example of zlib (Deokjin Kim) #​60915
• [e615b9e2f2] - doc: clarify fileURLToPath security considerations (Rafael Gonzaga) #​60887
• [99e384e6d4] - doc: replace column with columnNumber in example of util.getCallSites (Deokjin Kim) #​60881
• [9351bb4d02] - doc: correct spelling in BUILDING.md (Rich Trott) #​60875
• [e1f6e7fc4d] - doc: update debuglog examples to use 'foo-bar' instead of 'foo' (xiaoyao) #​60867
• [ccbb2d7300] - doc: fix typos in changelogs (Rich Trott) #​60855
• [1cb2fe8b35] - doc: mark module.register as active development (Chengzhong Wu) #​60849
• [ceeb4968a6] - doc: add fullName property to SuiteContext (PaulyBearCoding) #​60762
• [56155909dd] - doc: keep sidebar module visible when navigating docs (Botato) #​60410
• [6b637763d5] - doc: correct concurrency wording in test() documentation (Azad Gupta) #​60773
• [7183e8ffa1] - doc: clarify that CQ only picks up MRs targeting main (René) #​60731
• [d5d94303be] - doc: clarify license section and add contributor note (KaleruMadhu) #​60590
• [e0210c8f53] - doc: correct tls ALPNProtocols types (René) #​60143
• [eff87b498a] - doc: remove mention of SMS 2FA (Antoine du Hamel) #​60707
• [e77ef94a51] - doc: domain.add() does not accept timer objects (René) #​60675
• [4fe19c95ea] - doc: update Collaborators list to reflect hybrist handle change (Antoine du Hamel) #​60650
• [eece59b6ce] - doc: fix linter issues (Antoine du Hamel) #​60636
• [6e17e596e4] - doc: correct values/references for buffer.kMaxLength (René) #​60305
• [ac327ae9a7] - doc: recommend events.once to manage 'close' event (Dan Fabulich) #​60017
• [d9b149ea42] - doc: highlight module loading difference between import and require (Ajay A) #​59815
• [f6d62cb22c] - doc: fix typo in process.unref documentation (우혁) #​59698
• [6d5078b196] - doc: add some entries to glossary.md (Mohataseem Khan) #​59277
• [b0a5820dea] - doc: improve agent.createConnection docs for http and https agents (JaeHo Jang) #​58205
• [b5db02fe67] - doc: fix pseudo code in modules.md (chirsz) #​57677
• [e9b912d481] - doc: add missing variable in code snippet (Koushil Mankali) #​55478
• [44c06c7812] - doc: add missing word in single-executable-applications.md (Konstantin Tsabolov) #​53864
• [482b43f160] - doc: fix typo in http.md (Michael Solomon) #​59354
• [cd323bc718] - doc: update devcontainer.json and add documentation (Joyee Cheung) #​60472
• [c7c70f3a16] - doc: add haramj as triager (Haram Jeong) #​60348
• [04b8c4d14e] - doc: clarify require(esm) description (dynst) #​60520
• [de382dc832] - doc: instantiate resolver object (Donghoon Nam) #​60476
• [b6845ce460] - doc: clarify --use-system-ca support status (Joyee Cheung) #​60340
• [0894dae9bc] - doc: add missing CAA type to dns.resolveAny() & dnsPromises.resolveAny() (Jimmy Leung) #​58899
• [c86a69f692] - doc: use any for worker_threads.Worker 'error' event argument err (Jonas Geiler) #​60300
• [0c5031e233] - doc: update decorator documentation to reflect actual policy (Muhammad Salman Aziz) #​60288
• [b01f710175] - doc: document wildcard supported by tools/test.py (Joyee Cheung) #​60265
• [b4524dabcc] - doc: fix blob.bytes() heading level (XTY) #​60252
• [5df02776e3] - doc: fix not working code example in vm docs (Artur Gawlik) #​60224
• [6a4359a0b5] - doc: improve code snippet alternative of url.parse() using WHATWG URL (Steven) #​60209
• [ad06bee70d] - doc: use markdown when branch-diff major release (Rafael Gonzaga) #​60179
• [c0d4b11ed4] - doc: update teams in collaborator-guide.md and add links (Bart Louwers) #​60065
• [20b5ffcac3] - doc: update previous version links in BUILDING (Mike McCready) #​61457
• [de345ea3a3] - doc: correct description of error.stack accessor behavior (René) #​61090
• [d8418d9de7] - doc: fix link in --env-file=file section (N. Bighetti) #​60563
• [1107bda21e] - doc: fix v22 changelog after security release (Marco Ippolito) #​61371
• [42aab9469a] - doc: add missing history entry for sqlite.md (Antoine du Hamel) #​60607
• [deb6d5deff] - doc, module: change async customization hooks to experimental (Gerhard Stöbich) #​60302
• [c659add7d1] - doc,src,lib: clarify experimental status of Web Storage support (Antoine du Hamel) #​60708
• [dda95e91b9] - esm: avoid throw when module specifier is not url (Craig Macomber (Microsoft)) #​61000
• [912945be89] - events: remove redundant todo (Gürgün Dayıoğlu) #​60595
• [22e156eb10] - events: remove eventtarget custom inspect branding (Efe) #​61128
• [df6fd9b03f] - fs: remove duplicate getValidatedPath calls (Mert Can Altin) #​61359
• [6ea3e4d850] - fs: fix errorOnExist behavior for directory copy in fs.cp (Nicholas Paun) #​60946
• [dd918b9980] - fs: fix ENOTDIR in globSync when file is treated as dir (sangwook) #​61259
• [4908e67ba0] - fs: remove duplicate fd validation in sync functions (Mert Can Altin) #​61361
• [4a27bce3d9] - fs: detect dot files when using globstar (Robin van Wijngaarden) #​61012
• [b0186ff65c] - fs: validate statfs path (Efe) #​61230
• [6689775023] - gyp: aix: change gcc version detection so CXX="ccache g++" works (Stewart X Addison) #​61464
• [5c4f4db663] - http: fix rawHeaders exceeding maxHeadersCount limit (Max Harari) #​61285
• [7599e2eccd] - http: replace startsWith with strict equality (btea) #​59394
• [99a85213bf] - http: lazy allocate cookies array (Robert Nagy) #​59734
• [7669e6a5ad] - http: fix http client leaky with double response (theanarkh) #​60062
• [f074c126a8] - http,https: fix double ERR_PROXY_TUNNEL emission (Shima Ryuhei) #​60699
• [d8ac368363] - http2: add diagnostics channels for client stream request body (Darshan Sen) #​60480
• [e26a7e464d] - http2: rename variable to additionalPseudoHeaders (Tobias Nießen) #​60208
• [5df634f46e] - http2: validate initialWindowSize per HTTP/2 spec (Matteo Collina) #​61402
• [2ccc9a6205] - http2: do not crash on mismatched ping buffer length (René) #​60135
• [3e68a5f78a] - inspector: inspect HTTP response body (Chengzhong Wu) #​60572
• [a86ffa9a5d] - inspector: add network payload buffer size limits (Chengzhong Wu) #​60236
• [ea60ef5d74] - lib: fix typo in util.js comment (Taejin Kim) #​61365
• [9d8d9322a4] - lib: fix TypeScript support check in jitless mode (sangwook) #​61382
• [fc26f5c78f] - lib: gbk decoder is gb18030 decoder per spec (Сковорода Никита Андреевич) #​61099
• [3b87030012] - lib: enforce use of URLParse (Antoine du Hamel) #​61016
• [2a7479d4fc] - lib: use FastBuffer for empty buffer allocation (Gürgün Dayıoğlu) #​60558
• [7cf4c43582] - lib: fix constructor in _errnoException stack tree (SeokHun) #​60156
• [f9d87fbfaa] - lib: fix typo in QuicSessionStats (SeokHun) #​60155
• [8d26ccc652] - lib: remove redundant destroyHook checks (Gürgün Dayıoğlu) #​60120
• [705832a1be] - lib,src: isInsideNodeModules should test on the first non-internal frame (Chengzhong Wu) #​60991
• [6f39ad190b] - meta: do not fast-track npm updates (Antoine du Hamel) #​61475
• [a6a0ff9486] - meta: fix typos in issue template config (Daijiro Wachi) #​61399
• [ec88c9b378] - meta: label v8 module MRs (René) #​61325
• [83143835de] - meta: bump step-security/harden-runner from 2.13.2 to 2.14.0 (dependabot[bot]) #​61245
• [0802dc663a] - meta: bump actions/setup-node from 6.0.0 to 6.1.0 (dependabot[bot]) #​61244
• [587db55796] - meta: bump actions/cache from 4.3.0 to 5.0.1 (dependabot[bot]) #​61243
• [262c9d37a6] - meta: bump github/codeql-action from 4.31.6 to 4.31.9 (dependabot[bot]) #​61241
• [d9763b5afd] - meta: bump codecov/codecov-action from 5.5.1 to 5.5.2 (dependabot[bot]) #​61240
• [0af73d1811] - meta: bump peter-evans/create-pull-request from 7.0.9 to 8.0.0 (dependabot[bot]) #​61237
• [8be6afd239] - meta: move lukekarrys to emeritus (Node.js GitHub Bot) #​60985
• [c497de5c74] - meta: bump actions/setup-python from 6.0.0 to 6.1.0 (dependabot[bot]) #​60927
• [774920f169] - meta: bump github/codeql-action from 4.31.3 to 4.31.6 (dependabot[bot]) #​60926
• [ef3b1e5991] - meta: bump peter-evans/create-pull-request from 7.0.8 to 7.0.9 (dependabot[bot]) #​60924
• [3ed667379f] - meta: bump github/codeql-action from 4.31.2 to 4.31.3 (dependabot[bot]) #​60770
• [7c0cefb126] - meta: bump step-security/harden-runner from 2.13.1 to 2.13.2 (dependabot[bot]) #​60769
• [5c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #​60714
• [4f4dda2a18] - meta: bump actions/download-artifact from 5.0.0 to 6.0.0 (dependabot[bot]) #​60532
• [c436f8d57c] - meta: bump actions/upload-artifact from 4.6.2 to 5.0.0 (dependabot[bot]) #​60531
• [402d9f87a6] - meta: bump github/codeql-action from 3.30.5 to 4.31.2 (dependabot[bot]) #​60533
• [61be78e326] - meta: bump actions/setup-node from 5.0.0 to 6.0.0 (dependabot[bot]) #​60529
• [7e4164a623] - meta: bump actions/stale from 10.0.0 to 10.1.0 (dependabot[bot]) #​60528
• [1bf6e1d010] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​60325
• [c66fc0e9cf] - meta: loop userland-migrations in deprecations (Chengzhong Wu) #​60299
• [e4be0791e7] - meta: call create-release-post.yml post release (Aviv Keller) #​60366
• [8674f6527f] - module: preserve URL in the parent created by createRequire() (Joyee Cheung) #​60974
• [41db87a975] - msi: fix WiX warnings (Stefan Stojanovic) #​60251
• [884f313f40] - node-api: use Node-API in comments (Vladimir Morozov) #​61320
• [375164190b] - node-api: use local files for instanceof test (Vladimir Morozov) #​60190
• [972a1107c0] - os: freeze signals constant (Xavier Stouder) #​61038
• [e992057ab7] - perf_hooks: fix stack overflow error (Antoine du Hamel) #​60084
• [0bb1814fdf] - repl: fix pasting after moving the cursor to the left (Ruben Bridgewater) #​60470
• [35a12fb996] - src: replace ranges::sort for libc++13 compatibility on armhf (Rebroad) #​61789
• [dbf00d4664] - src: add missing override specifier to Clean() (Tobias Nießen) #​61429
• [140eba35d3] - src: cache context lookup in vectored io loops (Mert Can Altin) #​61387
• [93e7e1708b] - src: use C++ nullptr in webstorage (Tobias Nießen) #​61407
• [ef868447bc] - src: fix pointer alignment (jhofstee) #​61336
• [a96256524c] - src: dump snapshot source with node:generate_default_snapshot_source (Joyee Cheung) #​61101
• [ec051b9efd] - src: add HandleScope to edge loop in heap_utils (Mert Can Altin) #​60885
• [41749eb5d6] - src: remove redundant CHECK (Tobias Nießen) #​61130
• [57c81e5af3] - src: fix off-thread cert loading in bundled cert mode (Joyee Cheung) #​60764
• [4b0616e024] - src: handle DER decoding errors from system certificates (Joyee Cheung) #​60787
• [93393371f9] - src: use static_cast instead of C-style cast (Michaël Zasso) #​60868
• [900445b655] - src: move Node-API version detection to where it is used (Anna Henningsen) #​60512
• [8353a6da2a] - src: avoid C strings in more C++ exception throws (Anna Henningsen) #​60592
• [27c860c51f] - src: move napi_addon_register_func to node_api_types.h (Anna Henningsen) #​60512
• [e0517752e7] - src: remove unconditional NAPI_EXPERIMENTAL in node.h (Chengzhong Wu) #​60345
• [21e2a52f8e] - src: clean up generic counter implementation (Anna Henningsen) #​60447
• [aed23cb8ca] - src: add enum handle for ToStringHelper + formatting (Burkov Egor) #​56829
• [2e93650ebc] - src: fix timing of snapshot serialize callback (Joyee Cheung) #​60434
• [ece4acc18f] - src: add COUNT_GENERIC_USAGE utility for tests (Joyee Cheung) #​60434
• [31c8e9d9ff] - src: use cached primordials_string (Sohyeon Kim) #​60255
• [7f0ffddc14] - src: implement Windows-1252 encoding support and update related tests (Mert Can Altin) #​60893
• [c2ba56d6b2] - src,permission: fix permission.has on empty param (Rafael Gonzaga) #​60674
• [e55a2b895a] - src,permission: add debug log on is_tree_granted (Rafael Gonzaga) #​60668
• [902a78b43c] - stream: fix isErrored/isWritable for WritableStreams (René) #​60905
• [221b77cf41] - stream: don't try to read more if reading (Robert Nagy) #​60454
• [46d12d826f] - test: skip strace test with shared openssl (Richard Lau) #​61987
• [52e6b01a44] - test: mark test-strace-openat-openssl as flaky (Antoine du Hamel) #​61921
• [4d7468d0e0] - test: skip --build-sea tests on platforms where SEA is flaky (Joyee Cheung) #​61504
• [f604b7ae67] - test: fix flaky debugger test (Ryuhei Shima) #​58324
• [fc2dc4024b] - test: ensure removeListener event fires for once() listeners (sangwook) #​60137
• [5fba382816] - test: delay writing the files only on macOS (Luigi Pinca) #​61532
• [85cc9e20e4] - test: asserts that import.meta.resolve invokes sync loader hooks (Chengzhong Wu) #​61158
• [13831685ca] - test: check util.parseArgs argv parsing with actual process execution (René) #​61089
• [ec4b722cb8] - test: remove unneccessary repl magic_mode tests (Dario Piotrowicz) #​61053
• [5c811106bc] - test: skip sea tests on riscv64 (Stewart X Addison) #​61111
• [4e4a631c07] - test: mark stringbytes-external-max flaky on AIX (Stewart X Addison) #​60995
• [9af0787043] - test: update test426 fixtures (Rich Trott) #​60982
• [277f16d247] - test: skip SEA inspect test if inspector is not available (Livia Medeiros) #​60872
• [7dfa8c96bf] - test: use assert.match for non-literal regexp tests (René) #​60879
• [41e6cd8ce5] - test: fix embedtest in debug windows (Vladimir Morozov) #​60806
• [f65147b226] - test: fix debug test crashes caused by sea tests (Vladimir Morozov) #​60807
• [a93dff9e92] - test: replace deprecated regex test assertions in http trailers test (Aditya Chopra) #​60831
• [f90d5b954f] - test: prefer major GC in cppgc-object teardown (sangwook) #​60672
• [e1645cc78d] - test: skip test that cause timeout on IBM i (SRAVANI GUNDEPALLI) #​60700
• [4f23eba22f] - test: limit the concurrency of WPTRunner for RISC-V (Levi Zim) #​60591
• [c2bef6522b] - test: fix test-strace-openat-openssl for RISC-V (Levi Zim) #​60588
• [4c03a7f864] - test: fix status when compiled without inspector (Antoine du Hamel) #​60289
• [2ef146a074] - test: apply a delay to watch-mode-kill-signal tests (Joyee Cheung) #​60610
• [dc3000c504] - test: async iife in repl (Tony Gorez) #​44878
• [5e06e84db1] - test: parallelize sea tests when there's enough disk space (Joyee Cheung) #​60604
• [940d2752bc] - test: only show overridden env in child process failures (Joyee Cheung) #​60556
• [558a5743c6] - test: add more logs to test-esm-loader-hooks-inspect-wait (Joyee Cheung) #​60466
• [10fac8de45] - test: mark stringbytes-external-exceed-max tests as flaky on AIX (Joyee Cheung) #​60565
• [8bc84046be] - test: correct conditional secure heap flags test (Shelley Vohr) #​60385
• [ccc805f184] - test: fix flaky test-watch-mode-kill-signal-* (Joyee Cheung) #​60443
• [1b8274453d] - test: capture stack trace in debugger timeout errors (Joyee Cheung) #​60457
• [9fcf889279] - test: ensure assertions are reachable in test/async-hooks (Antoine du Hamel) #​60150
• [7f5230333e] - test: increase debugger waitFor timeout on macOS (Chengzhong Wu) #​60367
• [0e5ea3b795] - test: fix small compile warning in test_network_requests_buffer.cc (xiaocainiao633) #​60281
• [012780c7e8] - test: split test-runner-watch-mode-kill-signal (Joyee Cheung) #​60298
• [b53d35a8f8] - test: fix incorrect calculation in test-perf-hooks.js (Joyee Cheung) #​60271
• [b8ef464c08] - test: skip sea tests on x64 macOS (Joyee Cheung) #​60250
• [a3c4d905da] - test: move sea tests into test/sea (Joyee Cheung) #​60250
• [80bec9fd07] - test: skip tests that cause timeouts on IBM i (SRAVANI GUNDEPALLI) #​60148
• [1d05b44c7c] - test: deflake test-fs-promises-watch-iterator (Luigi Pinca) #​60060
• [8958096840] - test: deflake test-repl-paste-big-data (Livia Medeiros) #​60975
• [e261a59ca4] - test: add new startNewREPLSever testing utility (Dario Piotrowicz) #​59964
• [d4a2d8aa8a] - test: skip failing tests when compiled without amaro (Yuki Okita) #​60815
• [0e407a88bb] - test: skip failing test on macOS 15.7+ (Antoine du Hamel) #​60419
• [a253b7b6dc] - tools: switch to ARM runners on GHA jobs (Antoine du Hamel) #​61903
• [8862c41494] - tools: avoid building twice in coverage jobs (Antoine du Hamel) #​61899
• [7d11a22802] - tools: use ubuntu-slim runner in GHA (Antoine du Hamel) #​61759
• [d0e7d6cb89] - tools: use ubuntu-slim runner in GHA (Antoine du Hamel) #​61734
• [cf5ddd1811] - tools: use ubuntu-latest runner in notify-on-push workflow (Antoine du Hamel) #​61742
• [18bcf8e260] - tools: use ubuntu-slim runner in meta GitHub Actions (Tierney Cyren) #​61663
• [db76733b55] - tools: update gyp-next to 0.21.1 (Node.js GitHub Bot) #​61528
• [1dd9d8a3b2] - tools: fix vcbuild lint-js-build (Vladimir Morozov) #​61318
• [ec67f8f9b5] - tools: only report commit validation failure on Slack (Antoine du Hamel) #​61124
• [8e385c8c66] - tools: use sparse-checkout in linter jobs (Antoine du Hamel) #​61123
• [aed2e9c8eb] - tools: simplify notify-on-push (Antoine du Hamel) #​61050
• [32680feefb] - tools: fix update-nghttp2 signature verification (Richard Lau) #​61035
• [c5f68f41e6] - tools: improve log output of create-release-proposal (Antoine du Hamel) #​61028
• [32e0ae0ec7] - tools: fix vcbuild test when path contain spaces (stduhpf) #​56481
• [9e0858e4a2] - tools: do not run test-linux workflow for changes on vcbuild.bat (Antoine du Hamel) #​60979
• [fd656a79fc] - tools: disable some new cpplint rules before update (Michaël Zasso) #​60901
• [df4df52e67] - tools: don't fetch V8 deps in the source tree (Richard Lau) #​60883
• [e5c2fe8d6d] - tools: add temporal updater (Chengzhong Wu) #​60828
• [7f031e097e] - tools: dump config.gypi as json (Chengzhong Wu) #​60794
• [5e69488a5a] - tools: bump js-yaml from 4.1.0 to 4.1.1 in /tools/lint-md (dependabot[bot]) #​60781
• [5119c50931] - tools: bump js-yaml from 4.1.0 to 4.1.1 in /tools/doc in the doc group (dependabot[bot]) #​60766
• [a4b073123d] - tools: remove unsupported cooldown from Dependabot config (Antoine du Hamel) #​60747
• [a3df6b87bb] - tools: update sccache to v0.12.0 (Michaël Zasso) #​60723
• [2efbd54a4a] - tools: update gyp-next to 0.21.0 (Node.js GitHub Bot) #​60645
• [bb7876e4f9] - tools: replace invalid expression in dependabot config (Riddhi) #​60649
• [e444e44d6a] - tools: skip unaffected GHA jobs for changes in test/internet (Antoine du Hamel) #​60517
• [a6a0ec107c] - tools: do not use short hashes for deps versioning to avoid collision (Antoine du Hamel) #​60407
• [c6e2eed65f] - tools: fix update-icu script (Michaël Zasso) #​60521
• [76fb3d123b] - tools: fix linter for semver-major release proposals (Antoine du Hamel) #​60481
• [f02889e24e] - tools: fix failing release-proposal linter for LTS transitions (Antoine du Hamel) #​60465
• [8203df4432] - tools: remove undici from daily wpt.fyi job (Filip Skokan) #​60444
• [a58242b666] - tools: add lint rule to ensure assertions are reached (Antoine du Hamel) #​60125
• [58e3ef398f] - tools: update gyp-next to 0.20.5 (Node.js GitHub Bot) #​60313
• [996494482a] - tools: optimize wildcard execution in tools/test.py (Joyee Cheung) #​60266
• [cf84756d0d] - tools: use cooldown property correctly (Rafael Gonzaga) #​60134
• [5469cb2651] - tools: validate release commit diff as part of lint-release-proposal (Antoine du Hamel) #​61440
• [1b9eab4a1c] - tools,doc: fix format-md files list (Stefan Stojanovic) #​61147
• [b20d9c2ce7] - tools,doc: update JavaScript primitive types to match MDN Web Docs (JustApple) #​60581
• [31760b1beb] - typings: add typing for string_decoder (Taejin Kim) #​61368
• [d6b908917c] - typings: add missing properties and method in Worker (Woohyun Sung) #​60257
• [1e8b6d5686] - typings: add missing properties in HTTPParser (Woohyun Sung) #​60257
• [27ae9b4a26] - typings: delete undefined property in ConfigBinding (Woohyun Sung) #​60257
• [f43c6434e2] - typings: add buffer internalBinding typing (방진혁) #​60163
• [e7f954f63a] - url: add fast path to getPathFromURL decoder (Gürgün Dayıoğlu) #​60749
• [c149b64473] - url: remove array.reduce usage (Gürgün Dayıoğlu) #​60748
• [0bd291bff1] - util: optimize toASCIILower function using V8s native toLowerCase (Mert Can Altin) #​61107
• [bbc54b3c96] - util: limit inspect to only show own properties (Ruben Bridgewater) #​61032
• [78e5fa23c4] - util: fix parseArgs skipping positional arg with --eval and --print (azadgupta1) #​60814
• [f75ec19105] - util: assert getCallSites does not invoke Error.prepareStackTrace (Chengzhong Wu) #​60922
• [d77da9306c] - util: fix stylize of special properties in inspect (Ge Gao) #​60479
• [3a4edc8f6d] - util: use more defensive code when inspecting error objects (Antoine du Hamel) #​60139
• [25c33af752] - util: mark special properties when inspecting them (Ruben Bridgewater) #​60131
• [3f98b46716] - vm: make vm.Module.evaluate() conditionally synchronous (Joyee Cheung) #​60205
• [f64a691493] - win: upgrade Visual Studio workload from 2019 to 2022 (Jiawen Geng) #​60318
• [8e04327954] - worker: update code examples for node:worker_threads module (fisker Cheung) #​58264
• [c4440dcc60] - worker: remove not implemented declarations (Artur Gawlik) #​60655
• [df4cc62954] - zlib: validate write_result array length (Ryuhei Shima) #​61342

v22.22.0: 2026-01-13, Version 22.22.0 'Jod' (LTS), @​marco-ippolito

Compare Source

This is a security release.

Notable Changes

lib:

• (CVE-2025-59465) add TLSSocket default error handler
• (CVE-2025-55132) disable futimes when permission model is enabled lib,permission:
• (CVE-2025-55130) require full read and write to symlink APIs src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle tls:
• (CVE-2026-21637) route callback exceptions through error handlers

Commits

• [6badf4e6f4] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #​60997
• [37509c3ff0] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#791
• [eb8e41f8db] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• [ebbf942a83] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
• [6b4849583a] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [ddadc31f09] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [d4d9f3915f] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [25d6799df6] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

v22.21.1: 2025-10-28, Version 22.21.1 'Jod' (LTS), @​aduh95

Compare Source

Commits

• [af33e8e668] - benchmark: remove unused variable from util/priority-queue (Bruno Rodrigues) #​59872
• [6764ce8756] - benchmark: update count to n in permission startup (Bruno Rodrigues) #​59872
• [4e8d99f0dc] - benchmark: update num to n in dgram offset-length (Bruno Rodrigues) #​59872
• [af0a8ba7f8] - benchmark: adjust dgram offset-length len values (Bruno Rodrigues) #​59708
• [78efd1be4a] - benchmark: update num to n in dgram offset-length (Bruno Rodrigues) #​59708
• [df72dc96e9] - console,util: improve array inspection performance (Ruben Bridgewater) #​60037
• [ef67d09f50] - http: improve writeEarlyHints by avoiding for-of loop (Haram Jeong) #​59958
• [23468fd76b] - http2: fix allowHttp1+Upgrade, broken by shouldUpgradeCallback (Tim Perry) #​59924
• [56abc4ac76] - lib: optimize priority queue (Gürgün Dayıoğlu) #​60039
• [ea5cfd98c5] - lib: implement passive listener behavior per spec (BCD1me) #​59995
• [c2dd6eed2f] - process: fix wrong asyncContext under unhandled-rejections=strict (Shima Ryuhei) #​60103
• [81a3055710] - process: fix default env for process.execve (Richard Lau) #​60029
• [fe492c7ace] - process: fix hrtime fast call signatures (Renegade334) #​59600
• [76b4cab8fc] - src: bring permissions macros in line with general C/C++ standards (Anna Henningsen) #​60053
• [21970970c7] - src: remove AnalyzeTemporaryDtors option from .clang-tidy (iknoom) #​60008
• [609c063e81] - src: remove unused variables from report (Moonki Choi) #​60047
• [987841a773] - src: avoid unnecessary string allocations in SPrintF impl (Anna Henningsen) #​60052
• [6e386c0632] - src: make ToLower/ToUpper input args more flexible (Anna Henningsen) #​60052
• [c3be1226c7] - src: allow std::string_view arguments to SPrintF() and friends (Anna Henningsen) #​60058
• [764d35647d] - src: remove unnecessary std::string error messages (Anna Henningsen) #​60057
• [1289ef89ec] - src: remove unnecessary shadowed functions on Utf8Value & BufferValue (Anna Henningsen) #​60056
• [d1fb8a538d] - src: avoid unnecessary string -> char* -> string round trips (Anna Henningsen) #​60055
• [54b439fb5a] - src: fill options_args, options_env after vectors are finalized (iknoom) #​59945
• [c7c597e2ca] - src: use RAII for uv_process_options_t (iknoom) #​59945
• [b928ea9716] - test: ensure that the message event is fired (Luigi Pinca) #​59952
• [e4b95a5158] - test: replace diagnostics_channel stackframe in output snapshots (Chengzhong Wu) #​60024
• [4206406694] - test: mark test-web-locks skip on IBM i (SRAVANI GUNDEPALLI) #​59996
• [26394cd5bf] - test: expand tls-check-server-identity coverage (Diango Gavidia) #​60002
• [b58df47995] - test: fix typo of test-benchmark-readline.js (Deokjin Kim) #​59993
• [af3a59dba8] - test: verify tracing channel doesn't swallow unhandledRejection (Gerhard Stöbich) #​59974
• [cee362242b] - timers: fix binding fast call signatures (Renegade334) #​59600
• [40fea57fdd] - tools: add message on auto-fixing js lint issues in gh workflow (Dario Piotrowicz) #​59128
• [aac90d351b] - tools: verify signatures when updating nghttp* (Antoine du Hamel) #​60113
• [9fae03c7d9] - tools: use dependabot cooldown and move tools/doc (Rafael Gonzaga) #​59978
• [81548abdf6] - wasi: fix WasiFunction fast call signature (Renegade334) #​59600

v22.21.0: 2025-10-20, Version 22.21.0 'Jod' (LTS), @​aduh95

Compare Source

Notable Changes

• [1486fedea1] - (SEMVER-MINOR) cli: add --use-env-proxy (Joyee Cheung) #​59151
• [bedaaa11fc] - (SEMVER-MINOR) http: support http proxy for fetch under NODE_USE_ENV_PROXY (Joyee Cheung) #​57165
• [af8b5fa29d] - (SEMVER-MINOR) http: add shouldUpgradeCallback to let servers control HTTP upgrades (Tim Perry) #​59824
• [42102594b1] - (SEMVER-MINOR) http,https: add built-in proxy support in http/https.request and Agent (Joyee Cheung) #​58980
• [686ac49b82] - (SEMVER-MINOR) src: add percentage support to --max-old-space-size (Asaf Federman) #​59082

Commits

• [a71dd592e3] - benchmark: calibrate config dgram multi-buffer (Bruno Rodrigues) #​59696
• [16c4b466f4] - benchmark: calibrate config cluster/echo.js (Nam Yooseong) #​59836
• [53cb9f3b6c] - build: add the missing macro definitions for OpenHarmony (hqzing) #​59804
• [ec5290fe01] - build: do not include custom ESLint rules testing in tarball (Antoine du Hamel) #​59809
• [1486fedea1] - (SEMVER-MINOR) cli: add --use-env-proxy (Joyee Cheung) #​59151
• [1f93913446] - crypto: use return await when returning Promises from async functions (Renegade334) #​59841
• [f488b2ff73] - crypto: use async functions for non-stub Promise-returning functions (Renegade334) #​59841
• [aed9fd5ac4] - crypto: avoid calls to promise.catch() (Renegade334) #​59841
• [37c2d186f0] - deps: update amaro to 1.1.4 (pmarchini) #​60044
• [28aea13419] - deps: update archs files for openssl-3.5.4 (Node.js GitHub Bot) #​60101
• [ddbc1aa0bb] - deps: upgrade openssl sources to openssl-3.5.4 (Node.js GitHub Bot) #​60101
• [badbba2da9] - deps: update googletest to 50b8600 (Node.js GitHub Bot) #​59955
• [48aaf98a08] - deps: update archs files for openssl-3.5.3 (Node.js GitHub Bot) #​59901
• [e02a562ea6] - deps: upgrade openssl sources to openssl-3.5.3 (Node.js GitHub Bot) #​59901
• [7e0e86cb92] - deps: upgrade npm to 10.9.4 (npm team) #​60074
• [91dda5facf] - deps: update undici to 6.22.0 (Matteo Collina) #​60112
• [3a3220a2f0] - dgram: restore buffer optimization in fixBufferList (Yoo) #​59934
• [09bdcce6b8] - diagnostics_channel: fix race condition with diagnostics_channel and GC (Ugaitz Urien) #​59910
• [b3eeb3bd13] - doc: provide alternative to url.parse() using WHATWG URL (Steven) #​59736
• [1ddaab1904] - doc: mention reverse proxy and include simple example (Steven) #​59736
• [3b3b71e99c] - doc: mark .env files support as stable (Santeri Hiltunen) #​59925
• [d37f67d1bd] - doc: remove optional title prefixes (Aviv Keller) #​60087
• [ca2dff63f9] - doc: fix typo on child_process.md (Angelo Gazzola) #​60114
• [3fca564a05] - doc: add automated migration info to deprecations (Augustin Mauroy) #​60022
• [4bc366fc16] - doc: use "WebAssembly" instead of "Web Assembly" (Tobias Nießen) #​59954
• [4808dbdd9a] - doc: fix typo in section on microtask order (Tobias Nießen) #​59932
• [d6e303d645] - doc: update V8 fast API guidance (René) #​58999
• [0a3a3f729e] - doc: add security escalation policy (Ulises Gascón) #​59806
• [8fd669c70d] - doc: type improvement of file http.md (yusheng chen) #​58189
• [9833dc6060] - doc: rephrase dynamic import() description (Nam Yooseong) #​59224
• [2870a73681] - doc,crypto: update subtle.generateKey and subtle.importKey (Filip Skokan) #​59851
• [85818db93c] - fs,win: do not add a second trailing slash in readdir (Gerhard Stöbich) #​59847
• [bedaaa11fc] - (SEMVER-MINOR) http: support http proxy for fetch under NODE_USE_ENV_PROXY (Joyee Cheung) #​57165
• [af8b5fa29d] - (SEMVER-MINOR) http: add shouldUpgradeCallback to let servers control HTTP upgrades (Tim Perry) #​59824
• [758271ae66] - http: optimize checkIsHttpToken for short strings (방진혁) #​59832
• [42102594b1] - (SEMVER-MINOR) http,https: add built-in proxy support in http/https.request and Agent (Joyee Cheung) #​58980
• [a33ed9bf96] - inspector: ensure adequate memory allocation for Binary::toBase64 (René) #​59870
• [34c686be2b] - lib: update inspect output format for subclasses (Miguel Marcondes Filho) #​59687
• [12e553529c] - lib: add source map support for assert messages (Chengzhong Wu) #​59751
• [d2a70571f8] - lib,src: refactor assert to load error source from memory (Chengzhong Wu) #​59751
• [20a9e86b5d] - meta: move Michael to emeritus (Michael Dawson) #​60070
• [c591cca15c] - meta: bump github/codeql-action from 3.30.0 to 3.30.5 (dependabot[bot]) #​60089
• [090ba141b1] - meta: bump codecov/codecov-action from 5.5.0 to 5.5.1 (dependabot[bot]) #​60091
• [a0ba6884a5] - meta: bump actions/stale from 9.1.0 to 10.0.0 (dependabot[bot]) #​60092
• [0feca0c541] - meta: bump actions/setup-node from 4.4.0 to 5.0.0 (dependabot[bot]) #​60093
• [7cd2b42d18] - meta: bump step-security/harden-runner from 2.12.2 to 2.13.1 (dependabot[bot]) #​60094
• [1f3b9d66ac] - meta: bump actions/cache from 4.2.4 to 4.3.0 (dependabot[bot]) #​60095
• [0fedbb3de7] - meta: bump ossf/scorecard-action from 2.4.2 to 2.4.3 (dependabot[bot]) #​60096
• [04590b8267] - meta: bump actions/setup-python from 5.6.0 to 6.0.0 (dependabot[bot]) #​60090
• [2bf0a9318f] - meta: add .npmrc with ignore-scripts=true (Joyee Cheung) #​59914
• [e10dc7b81c] - module: allow overriding linked requests for a ModuleWrap (Chengzhong Wu) #​59527
• [2237142369] - module: link module with a module request record (Chengzhong Wu) #​58886
• [6d24b88fbc] - node-api: added SharedArrayBuffer api (Mert Can Altin) #​59071
• [4cc84c96f4] - node-api: make napi_delete_reference use node_api_basic_env (Jeetu Suthar) #​59684
• [e790eb6b50] - repl: fix cpu overhead pasting big strings to the REPL (Ruben Bridgewater) #​59857
• [99ea08dc43] - repl: add isValidParentheses check before wrap input (Xuguang Mei) #​59607
• [e4a4f63019] - sqlite: fix crash session extension callbacks with workers (Bart Louwers) #​59848
• [42c5544b97] - src: assert memory calc for max-old-space-size-percentage (Asaf Federman) #​59460
• [686ac49b82] - (SEMVER-MINOR) src: add percentage support to --max-old-space-size (Asaf Federman) #​59082
• [84701ff668] - src: clear all linked module caches once instantiated (Chengzhong Wu) #​59117
• [8e182e561f] - src: remove unnecessary Environment::GetCurrent() calls (Moonki Choi) #​59814
• [c9cde35c4d] - src: simplify is_callable by making it a concept (Tobias Nießen) #​58169
• [892b425ee1] - src: rename private fields to follow naming convention (Moonki Choi) #​59923
• [36b68db7f5] - src: reduce the nearest parent package JSON cache size (Michael Smith) #​59888
• [26b40bad02] - src: replace FIXED_ONE_BYTE_STRING with Environment-cached strings (Moonki Choi) #​59891
• [34dcb7dc32] - src: create strings in FIXED_ONE_BYTE_STRING as internalized (Anna Henningsen) #​59826
• [4d748add05] - src: remove std::array overload of FIXED_ONE_BYTE_STRING (Anna Henningsen) #​59826
• [bb6fd7c2d1] - src: ensure v8::Eternal is empty before setting it (Anna Henningsen) #​59825
• [7a91282bf9] - src: use simdjson::pad (0hm☘️) #​59391
• [ba00875f01] - stream: use new AsyncResource instead of bind (Matteo Collina) #​59867
• [ebec3ef68b] - (SEMVER-MINOR) test: move http proxy tests to test/client-proxy (Joyee Cheung) #​58980
• [7067d79fb3] - test: mark sea tests flaky on macOS x64 (Richard Lau) #​60068
• [ca1942c9d5] - test: testcase demonstrating issue 59541 (Eric Rannaud) #​59801
• [660d57355e] - test,doc: skip --max-old-space-size-percentage on 32-bit platforms (Asaf Federman) #​60144
• [19a7b1ef26] - tls: load bundled and extra certificates off-thread (Joyee Cheung) #​59856
• [095e7a81fc] - tls: only do off-thread certificate loading on loading tls (Joyee Cheung) #​59856
• [c42c1204c7] - tools: fix tools/make-v8.sh for clang (Richard Lau) #​59893
• [b632a1d98d] - tools: skip test-internet workflow for draft MRs (Michaël Zasso) #​59817
• [6021c3ac76] - tools: copyedit build-tarball.yml (Antoine du Hamel) #​59808
• [ef005d0c9b] - typings: update 'types' binding (René) #​59692
• [28ef564ecd] - typings: remove unused imports (Nam Yooseong) #​59880
• [f88752ddb6] - url: replaced slice with at (Mikhail) #​59181
• [24c224960c] - url: add type checking to urlToHttpOptions() (simon-id) #​59753
• [f2fbcc576d] - util: fix debuglog.enabled not being present with callback logger (Ruben Bridgewater) #​59858
• [6277058e43] - vm: sync-ify SourceTextModule linkage (Chengzhong Wu) #​59000
• [5bf21a4309] - vm: explain how to share promises between contexts w/ afterEvaluate (Eric Rannaud) #​59801
• [312b33a083] - vm: "afterEvaluate", evaluate() return a promise from the outer context (Eric Rannaud) #​59801
• [1eadab863c] - win,tools: add description to signature (Martin Costello) #​59877
• [816e1befb1] - zlib: reduce code duplication (jhofstee) #​57810

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻️ Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this MR, check this box

---

This MR has been generated by Mend Renovate.