Releases: nodejs/node
Releases · nodejs/node
2026-04-01, Version 25.9.0 (Current), @aduh95
Notable Changes
Test runner module mocking improvements
MockModuleOptions.defaultExport and MockModuleOptions.namedExports have been
consolidated into a single option MockModuleOptions.exports to align with user
expectations and other test runners.
A default property on MockModuleOptions.exports represents the default
export, and own enumerable properties are treated as named exports.
An automated migration is available to update user code:
https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports
npx codemod @nodejs/mock-module-exportsContributed by sangwook in #61727.
Other notable changes
- [
312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes toAsyncLocalStorage(Stephen Belanger) #61674 - [
62d2cd473b] - (SEMVER-MINOR) cli: add--max-heap-sizeoption (tannal) #58708 - [
d0ebf0e44b] - (SEMVER-MINOR) crypto: addTurboSHAKEandKangarooTwelveWeb Cryptography algorithms (Filip Skokan) #62183 - [
f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #62188 - [
67b854d407] - (SEMVER-MINOR) repl: remove dependency onnode:domain(Matteo Collina) #61227 - [
966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158 - [
e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #62066
Commits
- [
312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #61674 - [
bfff8cb2ab] - (SEMVER-MINOR) benchmark: add benchmarks for experimental stream/iter (James M Snell) #62066 - [
c721d68502] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #62084 - [
e2f03c8e92] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #61871 - [
2fcd07f1ba] - build: support empty libname flags inconfigure.py(Antoine du Hamel) #62477 - [
b800c57fce] - build: fix timezone-update path references (Chengzhong Wu) #62280 - [
7dc5a1e9b4] - build: skip dockit on IBMi (SRAVANI GUNDEPALLI) #62189 - [
f0eea0f905] - build: fix --node-builtin-modules-path (Filip Skokan) #62115 - [
62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708 - [
ac4b485698] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485 - [
d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183 - [
3009980d9d] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #62254 - [
f5725ca81d] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #62218 - [
f69ed4bc3f] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #61875 - [
4d96e53570] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #62169 - [
93d77719e8] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #62170 - [
3d2e23a981] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #62414 - [
176d6d2205] - deps: update timezone to 2026a (Node.js GitHub Bot) #62164 - [
95c7fc67ba] - deps: update googletest to 2461743991f9aa53e9a3625eafcbacd81a3c74cd (Node.js GitHub Bot) #62484 - [
e5e9f2044a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #62382 - [
905b94266a] - deps: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) #62051 - [
180c150122] - deps: V8: cherry-pick cf1bce40a5ef (Richard Lau) #62449 - [
bc265aa003] - deps: upgrade npm to 11.12.1 (npm team) #62448 - [
f1b28612c4] - deps: V8: cherry-pick b25cd62c7ba2 (Yagiz Nizipli) #62354 - [
757719d2af] - deps: disable rust icu compiled_data features (Chengzhong Wu) #62284 - [
3bdc955b63] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #62256 - [
a9703d194a] - deps: update googletest to 73a63ea05dc8ca29ec1d2c1d66481dd0de1950f1 (Node.js GitHub Bot) #61927 - [
85138935cb] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #62213 - [
231521e75e] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #62123 - [
0093863664] - doc: deprecatemodule.register()(DEP0205) (Geoffrey Booth) #62395 - [
0b96ece6be] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #62456 - [
8d3ea975f5] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #62492 - [
08ff16e0ba] - doc: move sqlite type conversion section to correct level (René) #62482 - [
61cc747dd8] - doc: add Rafael to last security release steward (Rafael Gonzaga) #62423 - [
64cfa5a6fa] - doc: use npm-published version of doc-kit (Aviv Keller) #62139 - [
1020321fb0] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #62206 - [
9caa7855b2] - doc: fix guaranteed typo (lilianakatrina684-a11y) #62374 - [
e254f65306] - doc: enhance clarification about the main field (Mowafak Almahaini) #62302 - [
9e724b53f8] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #62243 - [
7f37c17516] - doc: minor typo fix (Jeff Matson) #62358 - [[
eb0ca98f01](ht...
2026-03-24, Version 25.8.2 (Current), @RafaelGSS
This is a security release.
Notable Changes
- (CVE-2026-21637) wrap
SNICallbackinvocation intry/catch(Matteo Collina) - High - (CVE-2026-21710) use null prototype for
headersDistinct/trailersDistinct(Matteo Collina) - High - (CVE-2026-21711) include permission check to
pipe_wrap.cc(RafaelGSS) - Medium - (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
- (CVE-2026-21714) handle
NGHTTP2_ERR_FLOW_CONTROLerror code (RafaelGSS) - Medium - (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
- (CVE-2026-21715) add permission check to
realpath.native(RafaelGSS) - Low - (CVE-2026-21716) include permission check on
lib/fs/promises(RafaelGSS) - Low
Commits
- [
2086b7477b] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#834 - [
0f9332a40a] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822 - [
2b6937ddb2] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271 - [
bfb8ad5787] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233 - [
be6384727f] - deps: upgrade npm to 11.11.1 (npm team) #62216 - [
2feea5bb97] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344 - [
86c04784dd] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821 - [
5197a56a34] - (CVE-2026-21711) permission: include permission check to pipe_wrap.cc (RafaelGSS) nodejs-private/node-private#820 - [
04a886c735] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795 - [
9a7f80f2b0] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794 - [
d9c9b628cf] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832 - [
45b55dc786] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816 - [
4bfda307c0] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819
2026-03-24, Version 24.14.1 'Krypton' (LTS), @RafaelGSS prepared by @juanarbol
This is a security release.
Notable Changes
- (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
- (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
- (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
- (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
- (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
- (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low
- (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
Commits
- [
6fae244080] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#828 - [
cc0910c62e] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822 - [
80cb042cf3] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271 - [
f5b8667dc2] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233 - [
08852637d9] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #62035 - [
61097db9fb] - deps: upgrade npm to 11.11.0 (npm team) #61994 - [
9ac0f9f81e] - deps: upgrade npm to 11.10.1 (npm team) #61892 - [
3dab3c4698] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344 - [
87521e99d1] - deps: V8: backport 1361b2a49d02 (Joyee Cheung) nodejs-private/node-private#828 - [
045013366f] - deps: V8: backport 185f0fe09b72 (Joyee Cheung) nodejs-private/node-private#828 - [
af22629ea8] - deps: V8: backport 0a8b1cdcc8b2 (snek) nodejs-private/node-private#828 - [
380ea72eef] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821 - [
d6b6051e08] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795 - [
bfdecef9da] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794 - [
c015edf313] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832 - [
cba66c48a5] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816 - [
df8fbfb93d] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819
2026-03-24, Version 22.22.2 'Jod' (LTS), @RafaelGSS prepared by @aduh95
This is a security release.
Notable Changes
- (CVE-2026-21637) wrap
SNICallbackinvocation intry/catch(Matteo Collina) - High - (CVE-2026-21710) use null prototype for
headersDistinct/trailersDistinct(Matteo Collina) - High - (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) - Medium
- (CVE-2026-21714) handle
NGHTTP2_ERR_FLOW_CONTROLerror code (RafaelGSS) - Medium - (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
- (CVE-2026-21715) add permission check to
realpath.native(RafaelGSS) - Low - (CVE-2026-21716) include permission check on
lib/fs/promises(RafaelGSS) - Low
Commits
- [
6f14ee5101] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#809 - [
52a52ef619] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#822 - [
30a3ab11e2] - (CVE-2026-21717) deps: V8: cherry-pick aac14dd95e5b (Joyee Cheung) nodejs-private/node-private#809 - [
e3f4d6a42e] - (CVE-2026-21717) deps: V8: backport 1361b2a49d02 (Joyee Cheung) nodejs-private/node-private#809 - [
7dc00fa5f4] - (CVE-2026-21717) deps: V8: backport 185f0fe09b72 (Joyee Cheung) nodejs-private/node-private#809 - [
076acd052d] - (CVE-2026-21717) deps: V8: backport 0a8b1cdcc8b2 (snek) nodejs-private/node-private#809 - [
963c60a951] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344 - [
a688117d5d] - deps: upgrade npm to 10.9.7 (npm team) #62330 - [
859c8c761b] - deps: update undici to v6.24.1 (Matteo Collina) #62285 - [
d5ed384a2f] - deps: upgrade npm to 10.9.6 (npm team) #62215 - [
a2fe9fd81a] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821 - [
73deff77c1] - lib: backport_tls_commonand_tls_wraprefactors (Dario Piotrowicz) #57643 - [
06fc3436f6] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795 - [
db48d9c675] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794 - [
2a6105a63b] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832 - [
91b970886f] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819
2026-03-24, Version 20.20.2 'Iron' (LTS), @marco-ippolito
v20.20.2
This tag was signed with the committer’s verified signature.
marco-ippolito
Marco Ippolito
3626fea
This commit was signed with the committer’s verified signature.
marco-ippolito
Marco Ippolito
This is a security release.
Notable Changes
- (CVE-2026-21717) fix array index hash collision (Joyee Cheung)
- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan)
- (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina)
- (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS)pull/795>
- (CVE-2026-21715) add permission check to realpath.native (RafaelGSS)
- (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS)
- (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina)
Commits
- [
cfb51fa9ce] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#831 - [
f333d0be5f] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344 - [
2acd5d1226] - deps: update undici to v6.24.1 (Matteo Collina) #62285 - [
af5c144ebc] - (CVE-2026-21717) deps,build,test: fix array index hash collision (Joyee Cheung) nodejs-private/node-private#834 - [
00ad47a28e] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821 - [
0123309566] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#840 - [
00830712bc] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#838 - [
a0c73425da] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832 - [
cc3f294507] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#839
2026-03-11, Version 25.8.1 (Current), @aduh95
Notable Changes
- [
ea87eea71a] - module: fix extensionless CJS files in"type": "module"packages (Matteo Collina) #62083
Commits
- [
bab750d1b3] - build: do not depend on V8 deps on--without-bundled-v8builds (Antoine du Hamel) #62033 - [
b26d1c7fcb] - crypto: make --use-system-ca per-env rather than per-process (Aditi) #60678 - [
e362635abf] - crypto: add missing AES dictionaries (Filip Skokan) #62099 - [
6f975db8af] - crypto: fix importKey required argument count check (Filip Skokan) #62099 - [
3beaf9c5fc] - deps: update amaro to 1.1.8 (Node.js GitHub Bot) #62151 - [
53afb0edd8] - deps: update sqlite to 3.52.0 (Node.js GitHub Bot) #62150 - [
a13ed052a1] - deps: update merve to 1.2.0 (Node.js GitHub Bot) #62149 - [
2c850577b7] - deps: patch resb crate (Richard Lau) #62138 - [
37862a6728] - deps: V8: cherry-pick aa0b288f87cc (Richard Lau) #62136 - [
09191ad8b4] - deps: update ada to 3.4.3 (Node.js GitHub Bot) #62049 - [
8d63a178fd] - doc: copyeditaddons.md(Antoine du Hamel) #62071 - [
83719ffb64] - doc: correctutil.convertProcessSignalToExitCodevalidation behavior (René) #62134 - [
eeee7c7fb1] - doc: add efekrskl as triager (Efe) #61876 - [
db150b2e69] - doc: fix markdown forexpectFailurevalues (Jacob Smith) #62100 - [
d55a441e60] - doc: add title to index (Aviv Keller) #62046 - [
cc46204b48] - doc: include url.resolve() in DEP0169 application deprecation (Mike McCready) #62002 - [
1d91a7261e] - doc,module: add missing doc for syncHooks.deregister() (Joyee Cheung) #61959 - [
5198573bee] - http: fix use-after-free when freeParser is called during llhttp_execute (Gerhard Stöbich) #62095 - [
f8793f80df] - lib: fix source map url parse in dynamic imports (Chengzhong Wu) #61990 - [
5439d0e0cf] - meta: bump actions/download-artifact from 7.0.0 to 8.0.0 (dependabot[bot]) #62063 - [
27fd21943a] - meta: bump actions/upload-artifact from 6.0.0 to 7.0.0 (dependabot[bot]) #62062 - [
5b266f3295] - meta: bump step-security/harden-runner from 2.14.2 to 2.15.0 (dependabot[bot]) #62064 - [
ea87eea71a] - module: fix extensionless CJS files in"type": "module"packages (Matteo Collina) #62083 - [
851228cd60] - sqlite: handle stmt invalidation (Guilherme Araújo) #61877 - [
19efe60548] - src: expose async context frame debugging helper to JS (Anna Henningsen) #62103 - [
0257e8072f] - src: make AsyncWrap subclass internal field counts explicit (Anna Henningsen) #62103 - [
975dafbe3b] - src: release context frame in AsyncWrap::EmitDestroy (Gerhard Stöbich) #61995 - [
f2c08c7888] - src: use validate_ascii_with_errors instead of validate_ascii (Сковорода Никита Андреевич) #61122 - [
0278461d83] - stream: optimize webstreams pipeTo (Mattias Buelens) #62079 - [
4d62e95bfa] - stream: fix brotli error handling in web compression streams (Filip Skokan) #62107 - [
4bdcaf2865] - stream: improve Web Compression spec compliance (Filip Skokan) #62107 - [
a5b1be2045] - stream: fix UTF-8 character corruption in fast-utf8-stream (Matteo Collina) #61745 - [
5632446c4e] - stream: fix TransformStream race on cancel with pending write (Marco) #62040 - [
f90fa9cd1a] - stream: accept ArrayBuffer in CompressionStream and DecompressionStream (조수민) #61913 - [
00319eaa3a] - test: update WPT for url to c928b19ab0 (Node.js GitHub Bot) #62148 - [
456abc7d20] - test: update WPT for WebCryptoAPI to c9e955840a (Node.js GitHub Bot) #62147 - [
82770cb7d3] - test: improve WPT report runner (Filip Skokan) #62107 - [
cfc847d233] - test: update WPT compression to ae05f5cb53 (Filip Skokan) #62107 - [
80f78f2737] - test: update WPT for WebCryptoAPI to 42e47329fd (Node.js GitHub Bot) #62048 - [
8048e0508c] - test: fix skipping behavior fortest-runner-run-files-undefined(Antoine du Hamel) #62026 - [
699a6214c6] - tools: revert timezone update GHA workflow to ubuntu-latest (Richard Lau) #62140 - [
1a453b550c] - tools: improve error handling in test426 update script (Rich Trott) #62121 - [
710dde5ee2] - tools: fix--node-builtin-modules-pathvalue inshell.nix(Antoine du Hamel) #62102 - [
dcb1cbb21f] - tools: bump the eslint group across 1 directory with 2 updates (dependabot[bot]) #62092 - [
7d0b758583] - tools: fix daily wpt workflow nighly release version lookup (Filip Skokan) #62076 - [
3e8c816f2e] - tools: fix example in release proposal linter (Richard Lau) #62074 - [
772d3d270d] - tools: bump minimatch from 3.1.3 to 3.1.5 in /tools/clang-format (dependabot[bot]) #62013 - [
92f3b42672] - tools: bump eslint to v10, babel to v8.0.0-rc.2 (Huáng Jùnliàng) #61905 - [
deead95ec5] - url: suppress warnings from url.format/url.resolve inside node_modules (René) #62005
2026-03-05, Version 22.22.1 'Jod' (LTS)
v22.22.1
This tag was signed with the committer’s verified signature.
marco-ippolito
Marco Ippolito
Notable Changes
- [
7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #59983 - [
6063d888fe] - cli: mark--heapsnapshot-near-heap-limitas stable (Joyee Cheung) #60956 - [
d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419 - [
4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741 - [
b6ebf2cd53] - doc: add avivkeller to collaborators (Aviv Keller) #61115 - [
35854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #61094 - [
5c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #60714
Commits
- [
5f773488c2] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #61076 - [
feecbb0eab] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #61388 - [
096095b127] - benchmark: add SQLite benchmarks (Guilherme Araújo) #61401 - [
b5fe481415] - benchmark: use boolean options in benchmark tests (SeokhunEom) #60129 - [
fa9faacacb] - benchmark: allow boolean option values (SeokhunEom) #60129 - [
ba8714ac21] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #60841 - [
53596de876] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #60663 - [
e8930e9d7c] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #60603 - [
1155e412b1] - benchmark: add per-suite setup option (Joyee Cheung) #60574 - [
e01903d304] - benchmark: improve cpu.sh for safety and usability (Nam Yooseong) #60162 - [
623a405747] - benchmark: add benchmark for leaf source text modules (Joyee Cheung) #60205 - [
7f5e7b9f7f] - benchmark: add microbench on isInsideNodeModules (Chengzhong Wu) #60991 - [
db132b85a8] - bootstrap: initialize http proxy after user module loader setup (Joyee Cheung) #58938 - [
66aab9f987] - buffer: let Buffer.of use heap (Сковорода Никита Андреевич) #60503 - [
c3cf00c671] - buffer: speed up concat via TypedArray#set (Gürgün Dayıoğlu) #60399 - [
f6fad231e9] - build: skip sscache action on non-main branches (Joyee Cheung) #61790 - [
2145f91f6b] - build: update android-patches/trap-handler.h.patch (Mo Luo) #60369 - [
5b49759dd8] - build: update devcontainer.json to use paired nix env (Joyee Cheung) #61414 - [
24724cde40] - build: fix misplaced comma in ldflags (hqzing) #61294 - [
c57a19934e] - build: fix crate vendor file checksums on windows (Chengzhong Wu) #61329 - [
8659d7cd07] - build: fix inconsistent quoting inMakefile(Antoine du Hamel) #60511 - [
44f339b315] - build: remove temporal updater (Chengzhong Wu) #61151 - [
d60a6cebd5] - build: update test-wpt-report to use NODE instead of OUT_NODE (Filip Skokan) #61024 - [
34ccf187f5] - build: skip build-ci on actions with a separate test step (Chengzhong Wu) #61073 - [
7b19e101a2] - build: run embedtest with node_g when BUILDTYPE=Debug (Chengzhong Wu) #60850 - [
9408c4459f] - build: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) #59984 - [
2166ec7f0f] - build: use call command when calling python configure (Jacob Nichols) #60098 - [
73ef70145d] - build: remove V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE defs (Joyee Cheung) #60296 - [
7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #59983 - [
508ce6ec6c] - build, src: fix include paths for vtune files (Rahul) #59999 - [
c89d3cd570] - build,tools: fix addon build deadlock on errors (Vladimir Morozov) #61321 - [
40904a0591] - build,win: update WinGet configurations to Python 3.14 (Mike McCready) #61431 - [
6d6742e7db] - child_process: treat ipc length header as unsigned uint32 (Ryuhei Shima) #61344 - [
6063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #60956 - [
3d324a0f88] - cluster: fix port reuse between cluster (Ryuhei Shima) #60141 - [
40a58709b4] - console: optimize single-string logging (Gürgün Dayıoğlu) #60422 - [
d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419 - [
4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741 - [
a87499ae25] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #60662 - [
8c65cc11e2] - crypto: update root certificates to NSS 3.116 (Node.js GitHub Bot) #59956 - [
91dc00a2c1] - debugger: fix event listener leak in the run command (Joyee Cheung) #60464 - [
0781bd3764] - deps: V8: backport 6a0a25abaed3 (Vivian Wang) #61688 - [
0cf1f9c3e9] - deps: update googletest to 85087857ad10bd407cd6ed2f52f7ea9752db621f (Node.js GitHub Bot) #61417 - [
521b4b1f07] - deps: update sqlite to 3.51.2 (Node.js GitHub Bot) #61339 - [
58b9d219a3] - *deps...
Contributors
ChALkeR, watilde, and avivkeller
Assets 2
2026-03-05, Version 20.20.1 'Iron' (LTS), @marco-ippolito
v20.20.1
This tag was signed with the committer’s verified signature.
marco-ippolito
Marco Ippolito
eb53343
This commit was signed with the committer’s verified signature.
marco-ippolito
Marco Ippolito
Notable Changes
- [
91a66e671c] - build: test on Python 3.14 (Christian Clauss) #59983 - [
f66056054b] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419 - [
80feacaddb] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741
Commits
- [
6f580d5399] - assert: fix deepEqual always return true on URL (Xuguang Mei) #50853 - [
91a66e671c] - build: test on Python 3.14 (Christian Clauss) #59983 - [
cc4f7af6f3] - build: skip sscache action on non-main branches (Joyee Cheung) #61790 - [
f66056054b] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419 - [
80feacaddb] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741 - [
fa88cc07e2] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #60662 - [
88b2eec88a] - deps: update minimatch to 10.2.2 (Node.js GitHub Bot) #61830 - [
5c053264f1] - deps: V8: backport 6a0a25abaed3 (Vivian Wang) #61687 - [
4a398699d0] - deps: update googletest to 5a9c3f9e8d9b90bbbe8feb32902146cb8f7c1757 (Node.js GitHub Bot) #61731 - [
4fa43adf15] - deps: update googletest to 56efe3983185e3f37e43415d1afa97e3860f187f (Node.js GitHub Bot) #61605 - [
1a855d490c] - deps: update googletest to 85087857ad10bd407cd6ed2f52f7ea9752db621f (Node.js GitHub Bot) #61417 - [
d8a9359826] - deps: update icu to 78.2 (Node.js GitHub Bot) #60523 - [
e79cd3a0bb] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #61928 - [
0707ade464] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #61925 - [
dc5a3cddef] - deps: update llhttp to 9.3.1 (Node.js GitHub Bot) #61827 - [
46043b94c7] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #61135 - [
6be15a596e] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #61271 - [
10881404cd] - deps: update timezone to 2025c (Node.js GitHub Bot) #61138 - [
1594a78c85] - deps: update googletest to 065127f1e4b46c5f14fc73cf8d323c221f9dc68e (Node.js GitHub Bot) #61055 - [
7fa2ee1933] - deps: update zlib to 1.3.1-63d7e16 (Node.js GitHub Bot) #60898 - [
09259532ef] - deps: update googletest to 1b96fa13f549387b7549cc89e1a785cf143a1a50 (Node.js GitHub Bot) #60739 - [
aa8bdb6886] - deps: update cjs-module-lexer to 2.1.1 (Node.js GitHub Bot) #60646 - [
cc849fde27] - deps: update googletest to 279f847 (Node.js GitHub Bot) #60219 - [
a99ba553a2] - deps: update googletest to 50b8600 (Node.js GitHub Bot) #59955 - [
6349a79f5f] - deps: update googletest to 7e17b15 (Node.js GitHub Bot) #59131 - [
8ba759f1a0] - deps: update googletest to 35b75a2 (Node.js GitHub Bot) #58710 - [
927d906850] - deps: update googletest to e9092b1 (Node.js GitHub Bot) #58565 - [
bf8919f5c2] - deps: update googletest to 0bdccf4 (Node.js GitHub Bot) #57380 - [
ae6231dac0] - deps: update googletest to e235eb3 (Node.js GitHub Bot) #56873 - [
0561c62e85] - deps: update minimatch to 10.1.2 (Node.js GitHub Bot) #61732 - [
f0ef221b0d] - deps: update minimatch to 10.1.1 (Node.js GitHub Bot) #60543 - [
15bd0da404] - deps: update archs files for openssl (Antoine du Hamel) #61912 - [
04d439323f] - deps: upgrade openssl sources to openssl-3.0.19 (Antoine du Hamel) #61912 - [
2ea16d3bd6] - deps: update corepack to 0.34.6 (Node.js GitHub Bot) #61510 - [
622f973d1c] - deps: update corepack to 0.34.5 (Node.js GitHub Bot) #60842 - [
2cd265d8b9] - deps: update corepack to 0.34.4 (Node.js GitHub Bot) #60643 - [
65e839687b] - deps: update corepack to 0.34.2 (Node.js GitHub Bot) #60550 - [
2dc99d2771] - dns: fix Windows SRV ECONNREFUSED by adjusting c-ares fallback detection (notvivek12) #61453 - [
2c7b84b1d8] - doc: fix typo in http.md (Michael Solomon) #59354 - [
a84b42667c] - doc: fix grammar in global dispatcher usage (Eng Zer Jun) #59344 - [
ffd0ada45f] - doc: fix typo intest/common/README.md(Yoo) #59180 - [
b4d9d006e7] - doc: fix broken sentence inURL.parse(Superchupu) #59164 - [
45e9971d9c] - doc: fix typo in writing-test.md (SeokHun) #59123 - [
e9fd10b5d6] - doc: fixfetchsubsections inglobals.md(Antoine du Hamel) #58933 - [
3715dd1c2b] - doc: fix wrong RFC number in http2 (Deokjin Kim) #58753 - [
098c017eac] - doc: punctuation fix for Node-API versioning clarification (Jiacai Liu) #58599 - [
545bf434e1] - doc: fix typo of filehttp.md,outgoingMessage.setTimeoutsection (yusheng chen) #58188 - [
b3d6683e7b] - doc: support toolchain with Visual Studio 2019 & 2022 only (Mike McCready) #61450 - [
8fdde5d110] - doc: fix v20 changelog after security release (Marco Ippolito) #61371 - [
31d04599be] - http: fix ...
2026-03-03, Version 25.8.0 (Current), @richardlau
v25.8.0
This tag was signed with the committer’s verified signature.
richardlau
Richard Lau
ae94abf
This commit was signed with the committer’s verified signature.
richardlau
Richard Lau
Notable Changes
- [
e55eddea2a] - build, doc: use new api doc tooling (flakey5) #57343 - [
4c181e2277] - (SEMVER-MINOR) sqlite: add limits property to DatabaseSync (Mert Can Altin) #61298 - [
46ee1eddd7] - (SEMVER-MINOR) src: add C++ support for diagnostics channels (RafaelGSS) #61869 - [
9ddd1a9c27] - (SEMVER-MINOR) src,permission: add --permission-audit (RafaelGSS) #61869 - [
0d97ec4044] - (SEMVER-MINOR) test_runner: expose worker ID for concurrent test execution (Ali Hassan) #61394
Commits
- [
940b58c8c1] - buffer: optimize buffer.concat performance (Mert Can Altin) #61721 - [
0589b0e5a1] - build: fix GN for new merve dep (Shelley Vohr) #61984 - [
f3d3968dcd] - Revert "build: add temporal test on GHA windows" (Antoine du Hamel) #61810 - [
e55eddea2a] - build, doc: use new api doc tooling (flakey5) #57343 - [
b7715292f8] - child_process: add tracing channel for spawn (Marco) #61836 - [
a32a598748] - crypto: fix missing nullptr check on RSA_new() (ndossche) #61888 - [
dc384f95b3] - crypto: fix handling of null BUF_MEM* in ToV8Value() (Nora Dossche) #61885 - [
3337b095db] - crypto: fix potential null pointer dereference when BIO_meth_new() fails (Nora Dossche) #61788 - [
51ded81139] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #62035 - [
8aa2fde931] - deps: update minimatch to 10.2.4 (Node.js GitHub Bot) #62016 - [
57dc092eaf] - deps: upgrade npm to 11.11.0 (npm team) #61994 - [
705bbd60a9] - deps: update simdjson to 4.3.1 (Node.js GitHub Bot) #61930 - [
4d411d72e5] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #61928 - [
f53a32ab84] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #61925 - [
9b483fbb27] - deps: update minimatch to 10.2.2 (Node.js GitHub Bot) #61830 - [
4e54c103cb] - doc: separate in-types and out-types in SQLite conversion docs (René) #62034 - [
ca78ebbeaa] - doc: fix small logic error in DETECT_MODULE_SYNTAX (René) #62025 - [
e6b131f3fe] - doc: fix module.stripTypeScriptTypes indentation (René) #61992 - [
7508540e19] - doc: update DEP0040 (punycode) to application type deprecation (Mike McCready) #61916 - [
33a364cb62] - doc: explicitly mention Slack handle (Rafael Gonzaga) #61986 - [
46a61922bd] - doc: support toolchain Visual Studio 2022 & 2026 + Windows 11 SDK (Mike McCready) #61864 - [
dc12a257aa] - doc: rename invalidfunctionparameter (René) #61942 - [
dafdc0a5b8] - http: validate headers in writeEarlyHints (Richard Clarke) #61897 - [
3c94b56fa6] - inspector: unwrap internal/debugger/inspect imports (René) #61974 - [
8a24c17648] - lib: improve argument handling in Blob constructor (Ms2ger) #61980 - [
21d4baf256] - meta: bump github/codeql-action from 4.32.0 to 4.32.4 (dependabot[bot]) #61911 - [
59a726a8e3] - meta: bump step-security/harden-runner from 2.14.1 to 2.14.2 (dependabot[bot]) #61909 - [
0072b7f991] - meta: bump actions/stale from 10.1.1 to 10.2.0 (dependabot[bot]) #61908 - [
999bf22f47] - repl: keep reference count forprocess.on('newListener')(Anna Henningsen) #61895 - [
4c181e2277] - (SEMVER-MINOR) sqlite: add limits property to DatabaseSync (Mert Can Altin) #61298 - [
aee2a18257] - src: fix flags argument offset in JSUdpWrap (Weixie Cui) #61948 - [
46ee1eddd7] - (SEMVER-MINOR) src: add C++ support for diagnostics channels (RafaelGSS) #61869 - [
9ddd1a9c27] - (SEMVER-MINOR) src,permission: add --permission-audit (RafaelGSS) #61869 - [
ea2df2a16f] - stream: fix pipeTo to defer writes per WHATWG spec (Matteo Collina) #61800 - [
aa0c7b09e0] - test: remove unnecessaryprocess.exitcalls from test files (Antoine du Hamel) #62020 - [
ad96a6578f] - test: skiptest-urlon--shared-adabuilds (Antoine du Hamel) #62019 - [
7c72a31e4b] - test: skip strace test with shared openssl (Richard Lau) #61987 - [
604456c163] - test: avoid flaky debugger restart waits (Yuya Inoue) #61773 - [
4890d6bd43] - test_runner: run afterEach on runtime skip (Igor Shevelenkov) #61525 - [
fce2930110] - test_runner: expose expectFailure message (sangwook) #61563 - [
0d97ec4044] - (SEMVER-MINOR) test_runner: expose worker ID for concurrent test execution (Ali Hassan) #61394 - [
243e6b2009] - test_runner: replace native methods with primordials (Ayoub Mabrouk) #61219 - [
bf1ed7e647] - tls: forward keepAlive, keepAliveInitialDelay, noDelay to socket (Sergey Zelenov) #62004 - [
0f15079d94] - tools: remove custom logic for skippingtest-strace-openat-openssl(Antoine du Hamel) #62038 - [
54a055a59d] - tools: bump minimatch from 3.1.2 to 3.1.3 in/tools/clang-format(dependabot[bot]) #61977 - [
a28744cb62] - tools: fix permissions for merve update script (Richard Lau) #62023 - [[
31e7936354](https://...
2026-02-24, Version 25.7.0 (Current), @ruyadorno prepared by @aduh95
Notable Changes
- [
b0a79b10f0] - (SEMVER-MINOR) http2: add http1Options for HTTP/1 fallback configuration (Amol Yadav) #61713 - [
2d874dfb8e] - (SEMVER-MINOR) sea: support ESM entry point in SEA (Joyee Cheung) #61813 - [
ee59127664] - sqlite: mark as release candidate (Matteo Collina) #61262 - [
608736e19e] - (SEMVER-MINOR) stream: renameDuplex.toWeb()type option toreadableType(René) #61632 - [
a43375999f] - (SEMVER-MINOR) test_runner: show interrupted test on SIGINT (Matteo Collina) #61676
Commits
- [
ab4375e141] - benchmark: add startup benchmark for ESM entrypoint (Joyee Cheung) #61769 - [
8d83d8026b] - build: add temporal test on GHA windows (Chengzhong Wu) #61810 - [
aab153eec3] - build: skip sscache action on non-main branches (Joyee Cheung) #61790 - [
9e40fb93bc] - build: use path-ignore in GHA coverage-windows.yml (Chengzhong Wu) #61811 - [
4896653361] - build: generate_config_gypi.py generates valid JSON (Shelley Vohr) #61791 - [
bb82b44de0] - build: build with v8 gdbjit support on supported platform (Joyee Cheung) #61010 - [
e7173a093a] - build: show cc outputs when version detection failed (Chengzhong Wu) #61700 - [
848050d38f] - build,win: add WinGet Visual Studio 2022 Build Tools Edition config (Mike McCready) #61652 - [
938841e1cd] - crypto: always return certificate serial numbers as uppercase (Anna Henningsen) #61752 - [
dba9001d6f] - deps: upgrade npm to 11.10.1 (npm team) #61892 - [
75c8e18d2f] - deps: update nbytes to 0.1.3 (Node.js GitHub Bot) #61879 - [
4ca1597f25] - deps: remove stale OpenSSL arch configs (René) #61834 - [
c4f298c729] - deps: update llhttp to 9.3.1 (Node.js GitHub Bot) #61827 - [
7d63a2df93] - deps: V8: cherry-pick 64b36b441179 (Rafael Magrin) #61712 - [
241a6b7088] - deps: update googletest to 5a9c3f9e8d9b90bbbe8feb32902146cb8f7c1757 (Node.js GitHub Bot) #61731 - [
eec896c0e0] - deps: V8: backport 6a0a25abaed3 (Vivian Wang) #61666 - [
5a9874af09] - doc: clarify status of feature request issues (Antoine du Hamel) #61505 - [
0648ac64aa] - doc: add esm and cjs examples to node:vm (Alfredo González) #61498 - [
8b38718294] - doc: clarify build environment is trusted in threat model (Matteo Collina) #61865 - [
10e86818ee] - doc: remove incorrect mention ofmoduleintypescript.md(Rob Palmer) #61839 - [
b50376f527] - doc: simplify addAbortListener example (Chemi Atlow) #61842 - [
dea0e7a856] - doc: fix typo in --disable-wasm-trap-handler description (Dmytro Semchuk) #61820 - [
57ac1f5aa0] - doc: clean up globals.md (René) #61822 - [
4c30d2bb4d] - doc: remove obsolete Boxstarter automated install (Mike McCready) #61785 - [
db610b9e32] - doc: clarify async caveats forevents.once()(René) #61572 - [
b4a826b11c] - doc: update Juan's security steward info (Juan José) #61754 - [
7d9cc5dc54] - doc: fix methods being documented as properties inprocess.md(Antoine du Hamel) #61765 - [
aa0362c26a] - doc: add riscv64 info into platform list (Lu Yahan) #42251 - [
9b0101b65b] - doc: fix dropdown menu being obscured at <600px due to stacking context (Jeff) #61735 - [
df2c65b3e4] - doc: fix spacing in process message event (Aviv Keller) #61756 - [
01018559f5] - doc: move describe/it aliases section before expectFailure (Luca Raveri) #61567 - [
49443583af] - doc: fix broken links of net.md (YuSheng Chen) #61673 - [
af7c927a2a] - doc: clean up Windows code snippet inchild_process.md(reillylm) #61422 - [
221648a687] - esm: update outdated FIXME comment in translators.js (Karan Mangtani) #61715 - [
4484e14a31] - events: don't call resume after close (Сковорода Никита Андреевич) #60548 - [
4cecbe1f53] - fs: addthrowIfNoEntryoption for fs.stat and fs.promises.stat (Juan José) #61178 - [
2c94967684] - http: remove redundant keepAliveTimeoutBuffer assignment (Efe) #61743 - [
435f3dd8e4] - http: attach error handler to socket synchronously in onSocket (RajeshKumar11) #61770 - [
ce0ebd853d] - http: fix keep-alive socket reuse race in requestOnFinish (Martin Slota) #61710 - [
8103a78b6a] - http2: add strictSingleValueFields option to relax header validation (Tim Perry) #59917 - [
b0a79b10f0] - (SEMVER-MINOR) http2: add http1Options for HTTP/1 fallback configuration (Amol Yadav) #61713 - [
c589b6b23c] - http2: fix FileHandle leak in respondWithFile (sangwook) #61707 - [
df477202ae] - lib: reduce cycles in esm loader and load it in snapshot (Joyee Cheung) #61769 - [
deda50a819] - lib: remove top-level getOptionValue() calls in lib/internal/modules (Joyee Cheung) #61769 - [
b1c1ddff79] - lib: optimize styleText when validateStream is false (Rafael Gonzaga) #61792 - [
df334f7fa0] - meta: use SCCACHE_GHA_ENABLED for shared build workflows (René) #61640 - [[
e1b2cd605f](https://github.co...