2026-06-23, Version 24.18.0 'Krypton' (LTS)#64062
Open
sxa wants to merge 150 commits into
Open
Conversation
Signed-off-by: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: #63113 Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Signed-off-by: Marco Ippolito <marcoippolito54@gmail.com> PR-URL: #63033 Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: #62673 Reviewed-By: Daniel Lemire <daniel@lemire.me> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Edy Silva <edigleyssonsilva@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
- For imported CJS, if it's not customized by asynchronous hooks, make sure it won't use the quirky re-invented require in all cases. - When the imported CJS module is customized by synchronous hooks, in the synthetic module evalutation step, avoid calling the respective default step again. - Make the branching of loadCJSModuleWithModuleLoad() and loadCJSModuleWithSpecialRequire() more explicit, and fold the tentative fs read in the 'commonjs' translator into the share createCJSModuleWrap() helper instead of checking it twice in the same path. Signed-off-by: Joyee Cheung <joyeec9h3@gmail.com> PR-URL: #62920 Fixes: #63060 Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day>
Signed-off-by: geeksilva97 <edigleyssonsilva@gmail.com> PR-URL: #63152 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #63131 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Map BoringSSL's native renegotiation failure to ERR_TLS_RENEGOTIATION_UNSUPPORTED when TLSSocket#renegotiate() is called. This avoids exposing an implementation-specific OpenSSL error when the TLS backend does not support caller-initiated renegotiation. Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63161 Reviewed-By: Tim Perry <pimterry@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Signed-off-by: James M Snell <jasnell@gmail.com> PR-URL: #63177 Reviewed-By: Tim Perry <pimterry@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
The Platform support section of the single-executable-applications doc listed `macOS` without qualifying which architecture is supported. SEA on x64 macOS is not supported and is skipped in CI; only arm64 macOS is exercised. Refs: #62893 Signed-off-by: mokashang <64570909+mokashang@users.noreply.github.com> PR-URL: #63181 Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
Signed-off-by: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: #63200 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Jacob Smith <jacob@frende.me> Reviewed-By: Chemi Atlow <chemi@atlow.co.il> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Ignore CLAUDE.md and AGENTS.md in .gitignore, and exclude them from markdown and ESLint linting. Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: #62612 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Daijiro Wachi <daijiro.wachi@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
Follow WHATWG streams spec update: whatwg/streams#1367 ReadableStreamBYOBRequest.view is always constructed as a Uint8Array. This changes the documented return type from ArrayBufferView to Uint8Array per the updated spec. Fixes: #62952 Signed-off-by: Jah-yee <166608075+Jah-yee@users.noreply.github.com> PR-URL: #63017 Reviewed-By: Mattias Buelens <mattias@buelens.com> Reviewed-By: Jason Zhang <xzha4350@gmail.com>
- Exclude routine dependency/WPT/bot PRs from the policy - Replace design document requirement with detailed PR description - Clarify dependency commit ordering for squash landing - Remove splitting strategies that contradict self-contained PRs - Add links from CONTRIBUTING.md, pull-requests.md, collaborator-guide.md Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: #62829 Fixes: #62752 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day> Reviewed-By: Ruy Adorno <ruy@vlt.sh>
Signed-off-by: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: #63110 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
- Add `--help` / `-h` to `node inspect` covering both interactive and non-interactive probe modes. The help text is printed when `--help`/`-h` appears before any positional argument to avoid hijacking `--help` passed to a child script. - Improve the documentation of probe mode and add examples, explain same-location probe coalescing, TDZ caveat for let/const bindings, basename matching and exit code behavior. Also move it to a section parallel to interactive mode. Remove recommendation of evaluating structured expressions as that is prone to missing info in JSON mode. Drive-by: When probe mode exits due to invalid arguments, exit with `kInvalidCommandLineArgument` (9) instead of `kGenericUserError` (1). Signed-off-by: Joyee Cheung <joyeec9h3@gmail.com> PR-URL: #63201 Reviewed-By: Jan Martin <jan.krems@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Aviv Keller <me@aviv.sh>
Original commit message:
unix: fix pedantic compiler warnings (#5052)
Fixes: libuv/libuv#5051
Fixes: #63196
Refs: libuv/libuv#5052
Refs: libuv/libuv@a43e543
PR-URL: #63222
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Signed-off-by: geeksilva97 <edigleyssonsilva@gmail.com> PR-URL: #63204 Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Chemi Atlow <chemi@atlow.co.il> Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
Original commit message:
[wasm] Update WebAssembly.Exception JS API
WebIDL specifies the existence of a
`WebAssembly.Exception.prototype.stack` getter.
WebIDL also expects the constructor to have 2 parameters (plus an
optional one).
https://webassembly.github.io/spec/js-api/#exceptions
Bug: 336347912, 42204334
Change-Id: I128e976a84f942dcf9b93a157534b15fad0f9215
Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/7697976
Commit-Queue: Matthias Liedtke <mliedtke@chromium.org>
Auto-Submit: Matthias Liedtke <mliedtke@chromium.org>
Commit-Queue: Clemens Backes <clemensb@chromium.org>
Reviewed-by: Clemens Backes <clemensb@chromium.org>
Cr-Commit-Position: refs/heads/main@{#106215}
Refs: v8/v8@435a2cd
PR-URL: #63136
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Mattias Buelens <mattias@buelens.com>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
1) Fixed macOS default for missing kSecTrustSettingsResult When kSecTrustSettingsResult is absent from a trust settings dictionary, Apple specifies kSecTrustSettingsResultTrustRoot as the default value. Previously, the trust result evaluation (deny check, self-issued check, TrustAsRoot check) was inside the block that only executed when kSecTrustSettingsResult was explicitly present. When the key was absent, the function fell through to return UNSPECIFIED, incorrectly rejecting self-signed certificates that should have been trusted via the default. Move the trust result evaluation outside the conditional block so the default value of kSecTrustSettingsResultTrustRoot flows through the same code path as explicit values. This aligns with Chromium's trust_store_mac.cc implementation. 2) Fix CFRelease leak in IsTrustDictionaryTrustedForPolicy: the CFDictionaryRef returned by SecPolicyCopyProperties(policy_ref) was not released when the policy OID matched kSecPolicyAppleSSL. 3) Deduplicate certificates: SecItemCopyMatching can return the same certificate from multiple keychains. 4) Filter expired certificates. Signed-off-by: deepak1556 <hop2deep@gmail.com> PR-URL: #62576 Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day>
PR-URL: #63232 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
PR-URL: #62823 Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: #63112 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Aviv Keller <me@aviv.sh>
Signed-off-by: umuoy1 <burningdian@gmail.com> PR-URL: #62710 Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Vladimir Morozov <vmorozov@microsoft.com>
PR-URL: #63235 Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Signed-off-by: Mike McCready <66998419+MikeMcC399@users.noreply.github.com> PR-URL: #63187 Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Signed-off-by: Mike McCready <66998419+MikeMcC399@users.noreply.github.com> PR-URL: #63211 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Stefan Stojanovic <stefan.stojanovic@janeasystems.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Signed-off-by: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: #63165 Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Signed-off-by: Robin Malfait <malfait.robin@gmail.com> PR-URL: #63247 Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Move KeyObject type and handle storage behind NativeKeyObject and expose it to JS through a module-private slot reader, mirroring the CryptoKey hardening. Cache the native slot tuple in a private field and lazily derive secret and asymmetric metadata from the cached KeyObjectHandle. Update internal crypto, QUIC, and comparison callers to use private helpers instead of public KeyObject accessors. Keep getKeyObjectSlots restricted to internal/crypto/keys with an ESLint guard. Add regression coverage for brand checks, hidden slots, clone and transfer behavior, own-property reflection, and post-clone crypto operations. Extend the CryptoKey brand test to assert getSlots is not reachable through the public constructor or prototype chain. Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63111 Backport-PR-URL: #63563 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Clone CryptoKey algorithm dictionaries into null-prototype objects before storing or caching them internally. Copy nested hash dictionaries and publicExponent bytes so internal consumers and transferred keys do not observe user-mutable input objects or polluted Object.prototype fields. Keep public algorithm and inspect output as ordinary objects. Make the clone path check only own hash and publicExponent properties. Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63111 Backport-PR-URL: #63563 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Add ESLint rules that reject public KeyObject and CryptoKey accessor reads after internal brand checks. Internal code must use the private key helpers so it reads native-backed slots instead of user-replaceable properties. Add a separate rule that rejects instanceof checks against KeyObject and CryptoKey constructors, including the global CryptoKey constructor. Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63111 Backport-PR-URL: #63563 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
BoringSSL declares EVP_CIPHER_do_all_sorted and EVP_MD_do_all_sorted, but stock no-decrepit builds do not provide those symbols. Add a Node build flag that keeps ncrypto and its dependents on a local BoringSSL fallback list when libdecrepit is absent. Keep embedders that provide the EVP enumeration symbols on the normal OpenSSL-compatible path, matching Electron's patched BoringSSL build. Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63206 Backport-PR-URL: #63563 Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Add OPENSSL_WITH_* feature macros for crypto capabilities that vary by OpenSSL version and use those instead of repeating version checks. Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63255 Backport-PR-URL: #63563 Refs: electron/electron#36256 Refs: electron/electron#41720 Refs: electron/electron#51127 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63255 Backport-PR-URL: #63563 Refs: electron/electron#36256 Refs: electron/electron#41720 Refs: electron/electron#51127 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63255 Backport-PR-URL: #63563 Refs: electron/electron#36256 Refs: electron/electron#41720 Refs: electron/electron#51127 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63255 Backport-PR-URL: #63563 Refs: electron/electron#36256 Refs: electron/electron#41720 Refs: electron/electron#51127 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Add a WebCrypto-specific CryptoJob mode that returns a promise from run() and resolves it when native work is finished. Encode job output directly as Web Crypto values, including CryptoKey instances and CryptoKeyPair dictionaries. Convert operation-specific setup failures from AdditionalConfig into OperationError rejections. Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63363 Backport-PR-URL: #63563 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Remove async function wrappers from SubtleCrypto methods while keeping their public promise-returning behaviour. Route method entry points through a shared helper that converts synchronous validation errors into rejected promises. Let the internal implementations return native job promises directly. Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63363 Backport-PR-URL: #63563 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Pass CryptoKey handles directly into KDF jobs instead of exporting secret bytes in lib. Normalize HKDF, PBKDF2, and Argon2 around the same job construction pattern so WebCrypto derivation paths avoid extra key material copies and keep operation failures in native job handling. Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63363 Backport-PR-URL: #63563 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Avoid re-wrapping native WebCrypto promises with PromiseResolve(), since resolving a promise can read its user-mutated constructor. Add a helper for chaining internal WebCrypto job promises without consulting Promise species state, and use it for intermediate job results. Also align JWK wrapping and unwrapping with the spec's fresh-global JSON handling by detaching internal JWK values from user prototypes. Use the internal UTF-8 encoder/decoder bindings instead of shared TextEncoder/TextDecoder prototype methods. Expand the WebCrypto prototype pollution regression test to cover SubtleCrypto methods, export formats, zero-length KDF results, JWK toJSON/kty pollution, and encoder/decoder prototype poisoning. Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #63363 Backport-PR-URL: #63563 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Rework lib/internal/webidl.js into a documented shared converter module that follows the Web IDL conversion algorithms more closely. Improvements: - Add documented converters and helper factories for primitive values, dictionaries, enums, sequences, interfaces, required arguments, integers, `Uint8Array`, and `BufferSource`. - Move WebCrypto onto the shared converters, while keeping compatibility wrappers for its existing `BufferSource` and `BigInteger` behavior. - Use shared converters from Blob, Performance, Web Locks, and structured clone option handling. - Add benchmarks for `ConvertToInt` and WebCrypto Web IDL converter hot paths. - Add focused tests for core converters, WebCrypto converters, integer conversion, and buffer source behavior. Fixes: - Make the shared `BufferSource` and `Uint8Array` converters reject resizable `ArrayBuffer` and growable `SharedArrayBuffer` backing stores unless explicitly allowed. WebCrypto preserves its legacy resizable backing-store behavior through compatibility wrappers until a semver-major follow-up can opt in to the stricter behavior. - Use Web IDL `ToNumber` and `ToString` behavior for BigInt, Symbol, and object primitive conversion. - Use exact BigInt modulo for 64-bit `ConvertToInt` wrapping and document the final Number approximation behavior. - Normalize mathematical modulo results to `+0` where Web IDL requires it. - Process inherited dictionaries in least-derived to most-derived order, sorting members only within each dictionary level. - Use `IteratorComplete` truthiness for sequence conversion. - Cover detached buffers, resizable-backed views, growable-backed views, cross-realm buffer sources, mutation-after-call behavior, inherited dictionary member order, and sequence iterator completion behavior. Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #62979 Backport-PR-URL: #63563 Reviewed-By: Сковорода Никита Андреевич <chalkerx@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Instead of first discarding the top 24 bits of the argument and then checking that the low 8 bits are within the expected range, first check that the original 32-bit integer is within the expected range and then discard the top 24 bits. PR-URL: #62763 Backport-PR-URL: #63563 Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Xuguang Mei <meixuguang@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Notable changes: buffer: * (SEMVER-MINOR) increase Buffer.poolSize default to 64 KiB (Matteo Collina) #63597 crypto: * update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #63527 * (SEMVER-MINOR) align key argument names in docs and error messages (Filip Skokan) #62527 * (SEMVER-MINOR) accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #62527 * (SEMVER-MINOR) add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183 http: * http: avoid stream listeners on idle agent sockets (Matteo Collina) #64004 * (SEMVER-MINOR) add writeInformation to send arbitrary 1xx status codes (Tim Perry) #63155 inspector: * (SEMVER-MINOR) expose precise coverage start to JS runtime (sangwook) #63079 stream: * stream: Revert noop pause/resume on destroyed streams" (Stewart X Addison) #63834 PR-URL: #64062
github-actions
Bot
added
request-ci-failed
Contributor
Failed to start CI⚠ Commits were pushed since the last approving review: ⚠ - test: deflake watch mode worker test ⚠ - test: avoid repeated writes in watch helper ⚠ - doc: update http2's `push` and `trailers` events with `rawHeaders` param ⚠ - doc: remove the bi-monthly contributor spotlight section ⚠ - doc: fix article usage before vowel-sound acronyms ⚠ - test: deflake connection refused proxy tests ⚠ - test: disable Maglev in near-heap-limit worker test ⚠ - meta: move one or more collaborators to emeritus ⚠ - doc: remove unsupported template type from v8.md ⚠ - Revert "stream: noop pause/resume on destroyed streams" ⚠ - test_runner: preserve run duration when using test-rerun ⚠ - test_runner: show replayed-from-attempt hint in spec reporter ⚠ - src: expose `node::RegisterContext` to make a node managed context ⚠ - test: wait for ok before initial break after restart ⚠ - doc: fix typo in deprecations ⚠ - meta: add additional gitignore entries ⚠ - quic: fixup linting issue after other changes ⚠ - quic: implement rate limiting for version nego and immediate close ⚠ - quic: add reusePort option to QuicEndpoint ⚠ - stream: fix Writable.toWeb() hang on synchronous drain ⚠ - test: isolate rerun-failures state file under tmpdir ⚠ - doc: fix "options" to "option" in tls.createServer ⚠ - deps: upgrade npm to 11.15.0 ⚠ - inspector: expose precise coverage start to JS runtime ⚠ - doc: fix double space in modules.md ⚠ - test_runner: fix --test-rerun-failures swallowing failures on retry ⚠ - tools: fix skip of `test-internet` on forks ⚠ - test_runner: dont buffer unordered events in process isolation mode ⚠ - tools: skip commit-lint on backport pull requests ⚠ - test: reduce watch mode restart flakiness ⚠ - test: avoid test_runner watch restart in spec snapshot ⚠ - test: deflake async-hooks statwatcher test ⚠ - src: improve token return value check ⚠ - test: update WPT for url to e4a4672e9e ⚠ - doc: fix double spaces in ERR_TLS_INVALID_PROTOCOL_METHOD ⚠ - test: update test426-fixtures to 9b9e225b5a63139e9a95cdd1bf874a8f0b9d131 ⚠ - src,sqlite: only pass `xFilter` when user provided a callback ⚠ - test: remove test-node-output-v8-warning ⚠ - crypto: coerce -0 keylen to +0 in pbkdf2 and scrypt ⚠ - crypto: update root certificates to NSS 3.123.1 ⚠ - doc: clarify `filter` option of `sqlite.database.applyChangeset` ⚠ - tools: bump brace-expansion from 5.0.5 to 5.0.6 in /tools/eslint ⚠ - doc: fix URL postMessage example in worker_threads ⚠ - doc: explicitly ask for reproducible in JS ⚠ - lib: fix typos in esm loader comments ⚠ - deps: SQLite: cherry-pick b869ed6b067d623cb1383549f2a18aa35508385d ⚠ - meta: skip scheduled workflows on forks ⚠ - src: skip duplicate UTF-8 validation in TextDecoder fatal path ⚠ - test: shorten path in net pipe connect errors ⚠ - http2: emit session close before stream close ⚠ - meta: add `vfs` subsystem label ⚠ - doc: drop --experimental from --permission ⚠ - module: load ESM helpers eagerly in the snapshot ⚠ - doc: update `git node land` instructions for security releases ⚠ - build: def `NODE_USE_NODE_CODE_CACHE` only used in node_mksnapshot ⚠ - meta: label "source maps" PRs ⚠ - stream: use data listener for compose forwarding ⚠ - buffer: increase Buffer.poolSize default to 64 KiB ⚠ - errors: handle V8 warnings in DisallowJavascriptExecutionScope ⚠ - util: create hex style cache and fast path ⚠ - deps: upgrade npm to 11.16.0 ⚠ - lib: define `kEnumerableProperty` atomically ⚠ - stream: switch to internal `sleep` binding ⚠ - util: remove unused functions ⚠ - meta: flip mcollina emails in .mailmap ⚠ - src: remove TOCTOU race condition when encoding SAB-backed `Buffer`s ⚠ - doc: remove duplicated sentences in large-pull-requests.md ⚠ - build: add --enable-all-experimentals build flag ⚠ - build,win: enable x64 PGO ⚠ - src: split profiling helpers from util ⚠ - src: remove license headers for new node_profiling files ⚠ - test: update WPT resources, interfaces and WebCryptoAPI ⚠ - crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms ⚠ - crypto: unify asymmetric key import through KeyObjectHandle::Init ⚠ - crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs ⚠ - crypto: align key argument names in docs and error messages ⚠ - crypto: guard against size_t overflow on experimental 32-bit arch ⚠ - crypto: add JWK support for ML-KEM and SLH-DSA key types ⚠ - crypto: reject duplicate ML-KEM JWK key_ops ⚠ - crypto: add guards and adjust tests for BoringSSL ⚠ - src: decouple KeyObject and CryptoKey and move CryptoKey to src ⚠ - crypto: harden KeyObject internal slots ⚠ - crypto: harden CryptoKey algorithm slots ⚠ - tools: prevent lib code from reading KeyObject and CryptoKey accessors ⚠ - src: add BoringSSL EVP enumeration fallback ⚠ - src: simplify OpenSSL feature gates ⚠ - crypto: wire AES-KW in Web Cryptography when using BoringSSL ⚠ - crypto: wire ChaCha20-Poly1305 in Web Cryptography when using BoringSSL ⚠ - crypto: wire ML-DSA and ML-KEM for use when using BoringSSL ⚠ - crypto: add WebCrypto CryptoJob mode ⚠ - crypto: remove async from WebCrypto methods ⚠ - crypto: pass CryptoKey handles to KDF jobs ⚠ - crypto: harden WebCrypto against prototype pollution ⚠ - test: update WPT for WebCryptoAPI to 97bbc7247a ⚠ - lib: refactor internal webidl converters ⚠ - crypto: strengthen argument CHECKs in TurboSHAKE ⚠ - lib: cleanup stateless diffiehellman key handling ⚠ - test: update tls/crypto behaviour expectations when using BoringSSL ⚠ - http: avoid stream listeners on idle agent sockets ⚠ - 2026-06-23, Version 24.18.0 'Krypton' (LTS) ✘ Refusing to run CI on potentially unsafe PRhttps://github.com/nodejs/node/actions/runs/27995253754 |
panva
approved these changes
Jun 23, 2026
panva
removed
the
request-ci-failed
Collaborator
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
20 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
2026-06-23, Version 24.18.0 'Krypton' (LTS), @richardlau prepared by @sxa
Notable Changes
e07e7a31e1] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #6352744c8ebcbd6] - http: avoid stream listeners on idle agent sockets (Matteo Collina) #64004d3ef4122ee] - (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #63597bb2857b85a] - (SEMVER-MINOR) crypto: align key argument names in docs and error messages (Filip Skokan) #62527b9d5e87880] - (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #62527ccd756d61e] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #621834c9251fc09] - (SEMVER-MINOR) http: add writeInformation to send arbitrary 1xx status codes (Tim Perry) #631558c989ec4a3] - (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #630793f54c8ba32] - Revert "stream: noop pause/resume on destroyed streams" (Stewart X Addison) #63834Commits
d3ef4122ee] - (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #635979ff36e40f0] - build: add --enable-all-experimentals build flag (Paolo Insogna) #627557c22ee23aa] - build: defNODE_USE_NODE_CODE_CACHEonly used in node_mksnapshot (Chengzhong Wu) #635882551abdb4a] - build,win: enable x64 PGO (Stefan Stojanovic) #62761e8a55ce9b1] - crypto: strengthen argument CHECKs in TurboSHAKE (Tobias Nießen) #62763ae61cd68f3] - crypto: harden WebCrypto against prototype pollution (Filip Skokan) #633633d05a1d396] - crypto: pass CryptoKey handles to KDF jobs (Filip Skokan) #63363f9d10a3f6b] - crypto: remove async from WebCrypto methods (Filip Skokan) #63363e431d93e9e] - crypto: add WebCrypto CryptoJob mode (Filip Skokan) #6336356e2505e48] - crypto: wire ML-DSA and ML-KEM for use when using BoringSSL (Filip Skokan) #632553bac77f2a8] - crypto: wire ChaCha20-Poly1305 in Web Cryptography when using BoringSSL (Filip Skokan) #632551bff901b09] - crypto: wire AES-KW in Web Cryptography when using BoringSSL (Filip Skokan) #632554433fca3df] - crypto: harden CryptoKey algorithm slots (Filip Skokan) #63111b5cf01217a] - crypto: harden KeyObject internal slots (Filip Skokan) #63111ce84aef37d] - crypto: add guards and adjust tests for BoringSSL (Filip Skokan) #6288326781689b0] - crypto: reject duplicate ML-KEM JWK key_ops (Filip Skokan) #62905aeea8f4970] - crypto: add JWK support for ML-KEM and SLH-DSA key types (Filip Skokan) #62706407cf91656] - crypto: guard against size_t overflow on experimental 32-bit arch (Filip Skokan) #62626bb2857b85a] - (SEMVER-MINOR) crypto: align key argument names in docs and error messages (Filip Skokan) #62527b9d5e87880] - (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #62527b46d52b283] - crypto: unify asymmetric key import through KeyObjectHandle::Init (Filip Skokan) #62499ccd756d61e] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183e07e7a31e1] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #6352761826df455] - crypto: coerce -0 keylen to +0 in pbkdf2 and scrypt (Jordan Harband) #6353116d2fd3c07] - crypto: align verifyOneShot accepted types (Anshika Jain) #632803b8330deda] - crypto: improve system certificate enumeration logic on macOS (Robo) #62576141de35399] - debugger: add --help tonode inspectand improve docs (Joyee Cheung) #63201b76bfcd4fa] - deps: upgrade npm to 11.16.0 (npm team) #636024ec142314c] - deps: SQLite: cherry-pick b869ed6b067d623cb1383549f2a18aa35508385d (Junsu Han) #6352519e8ce1c36] - deps: upgrade npm to 11.15.0 (npm team) #634638a264260e2] - deps: update sqlite to 3.53.1 (Node.js GitHub Bot) #6321750c8ff3f94] - deps: update simdjson to 4.6.4 (Node.js GitHub Bot) #628116e56f01c4b] - deps: V8: cherry-pick 435a2cdf664c (Matthias Liedtke) #631363ba813b242] - deps: cherry-pick libuv/libuv@a43e543 (Ali Hassan) #632222390e3a5ac] - doc: remove duplicated sentences in large-pull-requests.md (Joyee Cheung) #6365052a1c18374] - doc: updategit node landinstructions for security releases (Antoine du Hamel) #635863e6b4da037] - doc: drop --experimental from --permission (Rafael Gonzaga) #6358384d05163b9] - doc: explicitly ask for reproducible in JS (Rafael Gonzaga) #634797da2a4450e] - doc: fix URL postMessage example in worker_threads (Kit Dallege) #622033d79bd8b29] - doc: clarifyfilteroption ofsqlite.database.applyChangeset(Antoine du Hamel) #635154f4174aace] - doc: fix double spaces in ERR_TLS_INVALID_PROTOCOL_METHOD (Daijiro Wachi) #63511388323ca4b] - doc: fix double space in modules.md (Daijiro Wachi) #635125258ccc058] - doc: fix "options" to "option" in tls.createServer (Daijiro Wachi) #6345343e83e6507] - doc: fix typo in deprecations (Daijiro Wachi) #63434f05a61d54c] - doc: remove unsupported template type from v8.md (René) #63410c39d5fc820] - doc: fix article usage before vowel-sound acronyms (joao-oliveira-softtor) #62696398261f911] - doc: remove the bi-monthly contributor spotlight section (Claudio Wunder) #62734fd9e14c405] - doc: update http2'spushandtrailersevents withrawHeadersparam (YuSheng Chen) #63259b943ce6933] - doc: remove inactive members from Triagers list (Antoine du Hamel) #633294b9cdfc022] - doc: reference correct function in Module docs (Robin Malfait) #63247bed84b6df2] - doc: replace Visual Studio 2022 Evergreen version reference with 17.14 (Mike McCready) #6321132ea70569b] - doc: recommend explicitly Tier 1 or 2 for production applications (Mike McCready) #631874627bcfd82] - doc: run license-builder (github-actions[bot]) #6323228eba71845] - doc: add large pull requests contributing guide (Matteo Collina) #628292648efd438] - doc: remove unnecessary<!-- eslint-magic comments (Antoine du Hamel) #63200a95fc1f8fc] - doc: clarify SEA platform support excludes darwin-x64 (MJSHANG) #63181aaef29e2e1] - doc: update release steps when post-release fails (Rafael Gonzaga) #631317d81419cf2] - doc: add Hmac.digest() documentation-only deprecation (DEP0206) (Anshika Jain) #63121ececd80d81] - doc: document the latest-vX.x schema (Marco Ippolito) #6303327c1c1d842] - doc: remove list of versions inBUILDING.md(Antoine du Hamel) #63113e369886a65] - doc,sqlite: document entryPoint argument for loadExtension (Edy Silva) #63152e4e5137cbd] - errors: handle V8 warnings in DisallowJavascriptExecutionScope (Divyanshu Sharma) #634916d1f6048d2] - fs: makeDateproperties onStatsenumerable (LiviaMedeiros) #6332844c8ebcbd6] - http: avoid stream listeners on idle agent sockets (Matteo Collina) #640044c9251fc09] - (SEMVER-MINOR) http: add writeInformation to send arbitrary 1xx status codes (Tim Perry) #6315539f61fb06c] - http2: emit session close before stream close (Matteo Collina) #634148a8f2127d1] - http2: validate non-link headers in writeEarlyHints (Matteo Collina) #620178c989ec4a3] - (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #63079c05f38229b] - lib: cleanup stateless diffiehellman key handling (Filip Skokan) #626451c16b45d35] - lib: refactor internal webidl converters (Filip Skokan) #6297902f35d6dce] - lib: definekEnumerablePropertyatomically (Antoine du Hamel) #6360912c51547ba] - lib: fix typos in esm loader comments (RonGamzu) #634659b03b84262] - lib: fix typo idenity => identity (Daijiro Wachi) #63112a84e6b0567] - lib: fixes validator message (Daijiro Wachi) #6282311734166a8] - lib: narrow ReadableStreamBYOBRequest.view return type to Uint8Array (RoomWithOutRoof) #630177cead61d21] - meta: flip mcollina emails in .mailmap (Matteo Collina) #63621a08cfcfd35] - meta: label "source maps" PRs (Chengzhong Wu) #63591d56e8d2512] - meta: addvfssubsystem label (René) #623316201cfe488] - meta: skip scheduled workflows on forks (Jamie Magee) #63565f095e2bd31] - meta: add additional gitignore entries (James M Snell) #632671ea52c444c] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #63402b1b2327611] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #632357d88e130a9] - meta: ignore AI assistants files (Matteo Collina) #62612a53b51df38] - module: load ESM helpers eagerly in the snapshot (Joyee Cheung) #6355069df688fff] - module: fix sync hook short-circuit in require() in imported CJS (Joyee Cheung) #6292075d9a4ed47] - node-api: support SharedArrayBuffer in napi_create_typedarray (Yilong Li) #62710c20aa4c47b] - quic: add reusePort option to QuicEndpoint (James M Snell) #6326726a30d8a7f] - quic: implement rate limiting for version nego and immediate close (James M Snell) #632670b534b5770] - quic: fixup linting issue after other changes (James M Snell) #632674b367cbe09] - quic: remove unused binding variable in session.cc (James M Snell) #631772574bef5a6] - repl: fix dedup comparing normalized line against raw history (Daijiro Wachi) #6288630e71c7e49] - sqlite: keep source database alive during backup (Matteo Collina) #62673677ca7e76c] - src: simplify OpenSSL feature gates (Filip Skokan) #63255c863c75c39] - src: add BoringSSL EVP enumeration fallback (Filip Skokan) #63206f6b2466921] - src: decouple KeyObject and CryptoKey and move CryptoKey to src (Filip Skokan) #6292492d4f07dd2] - src: remove license headers for new node_profiling files (Chengzhong Wu) #630668ac5d771c8] - src: split profiling helpers from util (Ilyas Shabi) #6300885d1639495] - src: remove TOCTOU race condition when encoding SAB-backedBuffers (Antoine du Hamel) #635179473c5f05c] - src: skip duplicate UTF-8 validation in TextDecoder fatal path (Mert Can Altin) #63231f35c91ee68] - src: improve token return value check (James M Snell) #6348326f677c1c5] - src: exposenode::RegisterContextto make a node managed context (Chengzhong Wu) #62322275cf909b6] - src,sqlite: only passxFilterwhen user provided a callback (Antoine du Hamel) #63516287e02303f] - src,sqlite: remove dead code (Edy Silva) #6320458fa2ee189] - stream: switch to internalsleepbinding (Antoine du Hamel) #63611f954ab3f1a] - stream: use data listener for compose forwarding (Trivikram Kamat) #63593dc57173003] - stream: fix Writable.toWeb() hang on synchronous drain (sangwook) #611973f54c8ba32] - Revert "stream: noop pause/resume on destroyed streams" (Stewart X Addison) #63834cee279c5d6] - stream: remove unnecessary check (Antoine du Hamel) #6303061b20f60a3] - test: update tls/crypto behaviour expectations when using BoringSSL (Filip Skokan) #63161a835363808] - test: update WPT for WebCryptoAPI to 97bbc7247a (Node.js GitHub Bot) #63417a00297480b] - test: update WPT resources, interfaces and WebCryptoAPI (Node.js GitHub Bot) #623895a95a2b055] - test: shorten path in net pipe connect errors (Matteo Collina) #634055e8ff22d8f] - test: remove test-node-output-v8-warning (Joyee Cheung) #63469ee15380950] - test: update test426-fixtures to 9b9e225b5a63139e9a95cdd1bf874a8f0b9d131 (Node.js GitHub Bot) #633739e063d9bea] - test: update WPT for url to e4a4672e9e (Node.js GitHub Bot) #63372503bee4b43] - test: deflake async-hooks statwatcher test (Trivikram Kamat) #63396cccc7c32d8] - test: avoid test_runner watch restart in spec snapshot (Trivikram Kamat) #63392c89489258c] - test: reduce watch mode restart flakiness (Trivikram Kamat) #63390e4d5e2578e] - test: isolate rerun-failures state file under tmpdir (Chemi Atlow) #63449362644a9ba] - test: wait for ok before initial break after restart (Yuya Inoue) #62807c4058d0e05] - test: disable Maglev in near-heap-limit worker test (Trivikram Kamat) #63398214da630a7] - test: deflake connection refused proxy tests (Trivikram Kamat) #633951d61a29876] - test: avoid repeated writes in watch helper (Trivikram Kamat) #633862004e25387] - test: deflake watch mode worker test (Trivikram Kamat) #63384d691cccfc1] - test: relax test-memory-usage arrayBuffers check (inoway46) #632440ff6bf853c] - test: reduce flakiness ofdifferent-registry-per-thread(Antoine du Hamel) #63244d9f4e8e503] - test: fix flaky test-watch-mode-inspect timeout (Matteo Collina) #633616d7cd50328] - test: relax min assertion in test-performance-eventloopdelay (Marco) #631009dafe1d2d8] - test: avoid flaky restart sync in debugger exceptions test (Yuya Inoue) #62055989b2de973] - test: avoid initial-break wait in restart-message (inoway46) #62060a072a25ee7] - test: move FFI tests toNATIVE_SUITES(Antoine du Hamel) #6316564efbfd878] - test: use ERM to destroy sqlite database handles after tests (René) #630767dee66cd94] - test_runner: dont buffer unordered events in process isolation mode (Moshe Atlow) #63432d257eec1e3] - test_runner: fix --test-rerun-failures swallowing failures on retry (Chemi Atlow) #63431288c320e2f] - test_runner: show replayed-from-attempt hint in spec reporter (Moshe Atlow) #63429904bdf5bb4] - test_runner: preserve run duration when using test-rerun (Moshe Atlow) #63429df183d7bfa] - test_runner: avoid hanging on incomplete v8 frames (Ali Hassan) #62704ec86c69726] - test_runner: fix diagnostics channel context tracking (Moshe Atlow) #6328394e5f63b83] - tls: add unsupported renegotiation error (Filip Skokan) #6316106d308fb61] - tools: prevent lib code from reading KeyObject and CryptoKey accessors (Filip Skokan) #631112e4a0d0c91] - tools: bump brace-expansion from 5.0.5 to 5.0.6 in /tools/eslint (dependabot[bot]) #634154c9666b366] - tools: skip commit-lint on backport pull requests (Marco) #6337867d0c490a8] - tools: fix skip oftest-interneton forks (Antoine du Hamel) #6349202f73c7cac] - tools: bump the eslint group in /tools/eslint with 4 updates (dependabot[bot]) #630755d016d3241] - tools: update gyp-next to 0.22.2 (Node.js GitHub Bot) #6337455af0f0edb] - tools: fix test426 updater (Antoine du Hamel) #63271d8475e167a] - tools: use different branch for tool updates on staging branches (Antoine du Hamel) #63110c605df9e50] - util: remove unused functions (Antoine du Hamel) #63612fe4540ebdb] - util: create hex style cache and fast path (Guilherme Araújo) #62999