Update Node.js to v24.13.0 #9
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "renovate/node-24.x"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
24.6.0→24.13.024.0.13→24.10.9Release Notes
nodejs/node (node)
v24.13.0: 2026-01-13, Version 24.13.0 'Krypton' (LTS), @marco-ippolitoCompare Source
This is a security release.
Notable Changes
lib:
lib,permission:
src:
src,lib:
tls:
Commits
2092785d01] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #609973e58b7f2af] - deps: update undici to 7.18.2 (Node.js GitHub Bot) #612834ba536a5a6] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#79789adaa21fd] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#7487302b4dae1] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760ac030753c4] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#77320075692fe] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#75920591b0618] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796v24.12.0: 2025-12-10, Version 24.12.0 'Krypton' (LTS), @targosCompare Source
Notable Changes
1a00b5f68a] - (SEMVER-MINOR) http: add optimizeEmptyRequests server option (Rafael Gonzaga) #59778ff5754077d] - (SEMVER-MINOR) lib: add options to util.deprecate (Rafael Gonzaga) #599828987159234] - (SEMVER-MINOR) module: mark type stripping as stable (Marco Ippolito) #6060092c484ebf4] - (SEMVER-MINOR) node-api: add napi_create_object_with_properties (Miguel Marcondes Filho) #59953b11bc5984e] - (SEMVER-MINOR) sqlite: allow setting defensive flag (Bart Louwers) #60217e7da5b4b7d] - (SEMVER-MINOR) src: add watch config namespace (Marco Ippolito) #60178a7f7d10c06] - (SEMVER-MINOR) src: add an option to make compile cache portable (Aditi) #5879792ea669240] - (SEMVER-MINOR) src,permission: add --allow-inspector ability (Rafael Gonzaga) #5971105d7509bd2] - (SEMVER-MINOR) v8: add cpu profile (theanarkh) #59807Commits
e4a23a35ac] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #60603b6114ae5c9] - benchmark: add per-suite setup option (Joyee Cheung) #60574ac8e90af7c] - buffer: speed up concat via TypedArray#set (Gürgün Dayıoğlu) #60399acbc8ca13e] - build: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) #59984f97a609a07] - console: optimize single-string logging (Gürgün Dayıoğlu) #604226cd9bdc580] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #606620fafe24d9b] - crypto: fix argument validation in crypto.timingSafeEqual fast path (Joyee Cheung) #6053854421e0419] - debugger: fix event listener leak in the run command (Joyee Cheung) #60464c361a628b4] - deps: V8: cherry-pick72b0e27(pthier) #60732c70f4588dd] - deps: V8: cherry-pick6bb32bd(Erik Corry) #60732881fe784c5] - deps: V8: cherry-pick0dd2318(Erik Corry) #60732457c33efcc] - deps: V8: cherry-pickdf20105(Erik Corry) #607320bf45a829c] - deps: V8: backporte5dbbba(Darshan Sen) #605244993bdc476] - deps: V8: cherry-pick5ba9200(Juan José Arboleda) #606201e9abe0078] - deps: update corepack to 0.34.5 (Node.js GitHub Bot) #608423f704ed08f] - deps: update corepack to 0.34.4 (Node.js GitHub Bot) #6064304e360fdb1] - deps: V8: cherry-pick06bf293,146962dande0fb10b(Michaël Zasso) #60713fcbd8dbbde] - deps: patch V8 to 13.6.233.17 (Michaël Zasso) #6071228e9433f39] - deps: V8: cherry-pick8735658(Joyee Cheung) #600693cac85b243] - deps: V8: backport2e4c5cf(Michaël Zasso) #606541daece1970] - deps: call OPENSSL_free after ANS1_STRING_to_UTF8 (Rafael Gonzaga) #606095f55a9c9ea] - deps: nghttp2: revert7784fa9(Antoine du Hamel) #597901d9e7c1f4d] - deps: update nghttp2 to 1.67.1 (nodejs-github-bot) #597903140415068] - deps: update simdjson to 4.1.0 (Node.js GitHub Bot) #60542d911f9f1b8] - deps: update amaro to 1.1.5 (Node.js GitHub Bot) #60541daaaf04a32] - deps: V8: cherry-pick2abc613(Richard Lau) #60177b4f63ee5f8] - doc: update Collaborators list to reflect hybrist handle change (Antoine du Hamel) #60650effcf7a8ab] - doc: fix link in--env-file=filesection (N. Bighetti) #605637011736703] - doc: fix linter issues (Antoine du Hamel) #606365cc79d8945] - doc: add missing history entry forsqlite.md(Antoine du Hamel) #60607bbc649057c] - doc: correct values/references for buffer.kMaxLength (René) #60305ea7ecb517b] - doc: recommend events.once to manage 'close' event (Dan Fabulich) #6001758bff04cc2] - doc: highlight module loading difference between import and require (Ajay A) #59815bbcbff9b4d] - doc: add CJS code snippets insqlite.md(Allon Murienik) #60395f8af33d5a7] - doc: fix typo inprocess.unrefdocumentation (우혁) #59698df105dc351] - doc: add some entries toglossary.md(Mohataseem Khan) #592774955cb2b5b] - doc: improve agent.createConnection docs for http and https agents (JaeHo Jang) #582056283bb5cc9] - doc: fix pseudo code in modules.md (chirsz) #57677d5059ea537] - doc: add missing variable in code snippet (Koushil Mankali) #55478900de373ae] - doc: add missing word insingle-executable-applications.md(Konstantin Tsabolov) #538645735044c8b] - doc: fix typo in http.md (Michael Solomon) #593542dee6df831] - doc: update devcontainer.json and add documentation (Joyee Cheung) #604728f2d98d7d2] - doc: add haramj as triager (Haram Jeong) #60348bbd7fdfff4] - doc: clarify require(esm) description (dynst) #6052033ad11a764] - doc: instantiate resolver object (Donghoon Nam) #6047681a61274f3] - doc: correct module loading descriptions (Joyee Cheung) #6034677911185fe] - doc: clarify --use-system-ca support status (Joyee Cheung) #60340185f6e95d9] - doc,crypto: link keygen to supported types (Filip Skokan) #60585772d6c6608] - doc,src,lib: clarify experimental status of Web Storage support (Antoine du Hamel) #60708ad98e11ac2] - esm: use sync loading/resolving on non-loader-hook thread (Joyee Cheung) #603801a00b5f68a] - (SEMVER-MINOR) http: add optimizeEmptyRequests server option (Rafael Gonzaga) #597785703ce68bc] - http: replace startsWith with strict equality (btea) #593942b696ffad8] - http2: add diagnostics channels for client stream request body (Darshan Sen) #60480dbdf4cb5a5] - inspector: inspect HTTP response body (Chengzhong Wu) #605729dc9a7d33d] - inspector: support inspecting HTTP/2 request and response bodies (Darshan Sen) #6048389fa2befe4] - inspector: fix crash when receiving non json message (Shima Ryuhei) #60388ff5754077d] - (SEMVER-MINOR) lib: add options to util.deprecate (Rafael Gonzaga) #5998233baaf42c8] - lib: replace global SharedArrayBuffer constructor with bound method (Renegade334) #60497b047586a08] - meta: bump actions/download-artifact from 5.0.0 to 6.0.0 (dependabot[bot]) #6053264192176d7] - meta: bump actions/upload-artifact from 4.6.2 to 5.0.0 (dependabot[bot]) #60531af6d4a6b9b] - meta: bump github/codeql-action from 3.30.5 to 4.31.2 (dependabot[bot]) #60533c17276fd24] - meta: bump actions/setup-node from 5.0.0 to 6.0.0 (dependabot[bot]) #605296e8b52a7dc] - meta: bump actions/stale from 10.0.0 to 10.1.0 (dependabot[bot]) #60528a12658595b] - meta: callcreate-release-post.ymlpost release (Aviv Keller) #603668987159234] - (SEMVER-MINOR) module: mark type stripping as stable (Marco Ippolito) #6060036da413663] - module: fix directory option in the enableCompileCache() API (Joyee Cheung) #5993192c484ebf4] - (SEMVER-MINOR) node-api: add napi_create_object_with_properties (Miguel Marcondes Filho) #59953545162b0d4] - node-api: use local files for instanceof test (Vladimir Morozov) #60190526c011d89] - perf_hooks: fix stack overflow error (Antoine du Hamel) #600841de0476939] - perf_hooks: move non-standard performance properties to perf_hooks (Chengzhong Wu) #6037007ec1239ef] - repl: fix pasting after moving the cursor to the left (Ruben Bridgewater) #60470b11bc5984e] - (SEMVER-MINOR) sqlite: allow setting defensive flag (Bart Louwers) #60217273c9661fd] - sqlite,doc: fix StatementSync section (Edy Silva) #60474d92ec21a4c] - src: use CP_UTF8 for wide file names on win32 (Fedor Indutny) #60575baef0468ed] - src: move Node-API version detection to where it is used (Anna Henningsen) #60512e7da5b4b7d] - (SEMVER-MINOR) src: add watch config namespace (Marco Ippolito) #60178a7f7d10c06] - (SEMVER-MINOR) src: add an option to make compile cache portable (Aditi) #58797566add0b19] - src: avoid C strings in more C++ exception throws (Anna Henningsen) #605929b796347c1] - src: add internal binding for constructing SharedArrayBuffers (Renegade334) #604973b01cbb411] - src: movenapi_addon_register_functonode_api_types.h(Anna Henningsen) #6051202fb7f4ecb] - src: remove unconditional NAPI_EXPERIMENTAL in node.h (Chengzhong Wu) #60345bd09ae24e4] - src: clean up generic counter implementation (Anna Henningsen) #60447cd6bf51dbd] - src: add enum handle for ToStringHelper + formatting (Burkov Egor) #5682992ea669240] - (SEMVER-MINOR) src,permission: add --allow-inspector ability (Rafael Gonzaga) #59711ac3dbe48f7] - stream: don't try to read more if reading (Robert Nagy) #60454790288a93b] - test: ensure assertions are reachable intest/internet(Antoine du Hamel) #605130a85132989] - test: fix status when compiled without inspector (Antoine du Hamel) #602892f57673172] - test: deflake test-perf-hooks-timerify-histogram-sync (Joyee Cheung) #6063909726269de] - test: apply a delay towatch-mode-kill-signaltests (Joyee Cheung) #6061045537b9562] - test: async iife in repl (Tony Gorez) #448784ca81f101d] - test: parallelize sea tests when there's enough disk space (Joyee Cheung) #60604ea71e96191] - test: only show overridden env in child process failures (Joyee Cheung) #6055606b2e348c7] - test: ensure assertions are reached on more tests (Antoine du Hamel) #60498de9c8cb670] - test: ensure assertions are reachable intest/es-module(Antoine du Hamel) #6050175bc40fced] - test: ensure assertions are reached on more tests (Antoine du Hamel) #604851a6084cfd3] - test: ensure assertions are reached on more tests (Antoine du Hamel) #605002c651c90cf] - test: split test-perf-hooks-timerify (Joyee Cheung) #605686e8b5f7345] - test: add more logs to test-esm-loader-hooks-inspect-wait (Joyee Cheung) #604669dea7ffa30] - test: mark stringbytes-external-exceed-max tests as flaky on AIX (Joyee Cheung) #605650b3c3b710a] - test: split test-esm-wasm.js (Joyee Cheung) #60491a15b795b34] - test: correct conditional secure heap flags test (Shelley Vohr) #6038538b77b3a44] - test: fix flaky test-watch-mode-kill-signal-* (Joyee Cheung) #60443e8d7598057] - test: capture stack trace in debugger timeout errors (Joyee Cheung) #60457674befeb81] - test: ensure assertions are reachable intest/sequential(Antoine du Hamel) #60412952c08a735] - test: ensure assertions are reachable in more folders (Antoine du Hamel) #60411bbca57584b] - test: split test-runner-watch-mode (Joyee Cheung) #60391e78e0cf6e7] - test: move test-runner-watch-mode helper into common (Joyee Cheung) #6039184576ef021] - test: ensure assertions are reachable intest/addons(Antoine du Hamel) #601421659078c11] - test: ignore EPIPE errors in https proxy invalid URL test (Joyee Cheung) #6026979ffee80ec] - test: ensure assertions are reachable intest/client-proxy(Antoine du Hamel) #60175e5a812243a] - test: ensure assertions are reachable intest/async-hooks(Antoine du Hamel) #60150e924fd72e3] - test,crypto: handle a few more BoringSSL tests (Shelley Vohr) #59030a55ac11611] - test,crypto: update x448 and ed448 expectation when on boringssl (Shelley Vohr) #6038755d5e9ec73] - tls: fix leak on invalid protocol method (Shelley Vohr) #604275763c96e7c] - tools: replace invalid expression in dependabot config (Riddhi) #60649b6e21b47d7] - tools: skip unaffected GHA jobs for changes intest/internet(Antoine du Hamel) #60517999664c76d] - tools: do not use short hashes for deps versioning to avoid collision (Antoine du Hamel) #60407ada856d0fb] - tools: only add test reporter args when node:test is used (Joyee Cheung) #605511812c56bb3] - tools: fix update-icu script (Michaël Zasso) #60521747040438a] - tools: fix linter for semver-major release proposals (Antoine du Hamel) #60481f170551e40] - tools: fix failing release-proposal linter for LTS transitions (Antoine du Hamel) #604652db4ea0ce4] - tools: remove undici from daily wpt.fyi job (Filip Skokan) #604442a85aa4e7b] - tools: add lint rule to ensure assertions are reached (Antoine du Hamel) #6012548299ef5fb] - tools,doc: update JavaScript primitive types to match MDN Web Docs (JustApple) #605817ec04cf936] - util: fix stylize of special properties in inspect (Ge Gao) #6047905d7509bd2] - (SEMVER-MINOR) v8: add cpu profile (theanarkh) #59807884fe884a1] - vm: hint module identifier in instantiate errors (Chengzhong Wu) #60199a2caf19f70] - watch: fix interaction with multiple env files (Marco Ippolito) #60605v24.11.1: 2025-11-11, Version 24.11.1 'Krypton' (LTS), @aduh95Compare Source
Notable Changes
The known issue relating to
Buffer.allocUnsafeincorrectly zero-filling buffershas now been addressed and now returns uninitialized memory as documented in the
Buffer.allocUnsafedocumentation.
Commits
0a15ccf3f4] - benchmark: improve cpu.sh for safety and usability (Nam Yooseong) #60162a1c7d1dac9] - benchmark: add benchmark for leaf source text modules (Joyee Cheung) #6020599e2acf46b] - benchmark: add vm.SourceTextModule benchmark (Joyee Cheung) #59396c01c72b407] - benchmark: use non-deprecated WriteUtf8V2 method (Michaël Zasso) #60173a42dbd138e] - build: ibmi follow aix visibility (SRAVANI GUNDEPALLI) #603605673a54a5d] - build: use call command when calling python configure (Jacob Nichols) #60098c67cb727cb] - build: build v8 with -fvisibility=hidden -fvisibility-inlines-hidden (Joyee Cheung) #56290b03f7b93b1] - build: remove V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE defs (Joyee Cheung) #602962505568531] - build, src: fix include paths for vtune files (Rahul) #5999995330b036f] - crypto: update root certificates to NSS 3.116 (Node.js GitHub Bot) #59956c221d892ef] - deps: update corepack to 0.34.2 (Node.js GitHub Bot) #60550bc00aa4c77] - deps: update simdjson to 4.0.7 (Node.js GitHub Bot) #59883d03b89ec53] - deps: update corepack to 0.34.1 (Node.js GitHub Bot) #60314b7882090de] - deps: update inspector_protocol toaf7f5a8(Node.js GitHub Bot) #603127007f9dd65] - deps: update googletest to279f847(Node.js GitHub Bot) #60219a56aa9ffa8] - deps: upgrade npm to 11.6.2 (npm team) #601680bf8952721] - doc: mention more codemods indeprecations.md(Augustin Mauroy) #602432473ca77f6] - doc: add missing CAA type to dns.resolveAny() & dnsPromises.resolveAny() (Jimmy Leung) #5889939ddd8522e] - doc: useanyforworker_threads.Worker'error' event argumenterr(Jonas Geiler) #60300eaa825fd97] - doc: update decorator documentation to reflect actual policy (Muhammad Salman Aziz) #60288a744e42282] - doc: document wildcard supported by tools/test.py (Joyee Cheung) #60265ec0d5beb09] - doc: add --heap-snapshot-on-oom to useful v8 flag (jakecastelli) #6026013da0df12a] - doc: fixblob.bytes()heading level (XTY) #602528e771632b7] - doc: fix not working code example in vm docs (Artur Gawlik) #6022470c2080bff] - doc: improve code snippet alternative of url.parse() using WHATWG URL (Steven) #60209beadcf176e] - doc:createSQLTagStore->createTagStore(Aviv Keller) #60182b0da3b9c6a] - doc: use markdown when branch-diff major release (Rafael Gonzaga) #60179688115aa6b] - doc: update teams in collaborator-guide.md and add links (Bart Louwers) #60065923082a064] - doc: disambiguate top-levelworker_threadsmodule exports (René) #598907be4330870] - doc: add known issue to v24.11.0 release notes (Richard Lau) #604674d8f62aeaf] - doc, module: change async customization hooks to experimental (Gerhard Stöbich) #60302d86a118bbd] - http: lazy allocate cookies array (Robert Nagy) #597348c256d4139] - http: fix http client leaky with double response (theanarkh) #60062265e9d59fa] - http2: rename variable to additionalPseudoHeaders (Tobias Nießen) #6020865bec037e2] - http2: do not crash on mismatched ping buffer length (René) #601359b83ef53b7] - inspector: add network payload buffer size limits (Chengzhong Wu) #6023603ac05c458] - inspector: support handshake response for websocket inspection (Shima Ryuhei) #60225aa04f06190] - lib: fix typo in createBlobReaderStream (SeokHun) #601325aea1a429e] - lib: fix constructor in _errnoException stack tree (SeokHun) #601564f7745acc7] - lib: fix typo in QuicSessionStats (SeokHun) #60155f8725861ea] - lib: remove redundant destroyHook checks (Gürgün Dayıoğlu) #60120696c20bf3f] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #6032590434ff99a] - meta: loop userland-migrations in deprecations (Chengzhong Wu) #60299ffbc0ae60a] - module: refactor and clarify async loader hook customizations (Joyee Cheung) #602786ed6062f7d] - module: handle null source from async loader hooks in sync hooks (Joyee Cheung) #59929a2871baed2] - msi: fix WiX warnings (Stefan Stojanovic) #602516199541d67] - src: fix timing of snapshot serialize callback (Joyee Cheung) #6043413b687959a] - src: add COUNT_GENERIC_USAGE utility for tests (Joyee Cheung) #60434a587623b4f] - src: conditionally disable source phase imports by default (Shelley Vohr) #60364e483267995] - src: use cached primordials_string (Sohyeon Kim) #602554c9a64fbaf] - src: replace Environment::GetCurrent with args.GetIsolate (Sohyeon Kim) #60256eb8a0493d1] - src: initial enablement of IsolateGroups (James M Snell) #60254463c6450cf] - src: useUtf8ValueandTwoByteValueinstead of V8 helpers (Anna Henningsen) #60244b370e02789] - src: add a default branch for module phase (Chengzhong Wu) #602614e1c5c5601] - src: make additional cleanups in node locks impl (James M Snell) #60061f00d4c10fc] - src: update locks to use DictionaryTemplate (James M Snell) #600611c8716e97c] - test: increase debugger waitFor timeout on macOS (Chengzhong Wu) #6036717b4f38e9c] - test: put helper in test-runner-output into common (Joyee Cheung) #6033043b9ea8389] - test: fix small compile warning in test_network_requests_buffer.cc (xiaocainiao633) #6028138a62980ad] - test: split test-runner-watch-mode-kill-signal (Joyee Cheung) #6029834e4c8c84f] - test: fix incorrect calculation in test-perf-hooks.js (Joyee Cheung) #602714481feb17b] - test: parallelize test-without-async-context-frame correctly (Joyee Cheung) #6027391ea9b06e0] - test: skip sea tests on x64 macOS (Joyee Cheung) #60250cedba09e60] - test: move sea tests into test/sea (Joyee Cheung) #60250635af55e12] - Revert "test: ensure message event fires in worker message port test" (Luigi Pinca) #6012668f678028e] - test: skip tests that cause timeouts on IBM i (SRAVANI GUNDEPALLI) #60148cc3a70598c] - test: deflake test-fs-promises-watch-iterator (Luigi Pinca) #600603d784dd766] - test: prepare junit file attribute normalization (sangwook) #5943284974d97ad] - test: skip failing test on macOS 15.7+ (Antoine du Hamel) #60419fabf8e4975] - test,crypto: fix conditional SHA3-* skip on BoringSSL (Filip Skokan) #603798faa494bf2] - test,crypto: sha3 algorithms aren't supported with BoringSSL (Shelley Vohr) #60374538a00c0f6] - test,doc: skip --max-old-space-size-percentage on 32-bit platforms (Asaf Federman) #601449ac5dbb694] - test_runner: use module.registerHooks in module mocks (Joyee Cheung) #60326f6ff6e7166] - test_runner: fix suite timeout (Moshe Atlow) #59853455bfeb52d] - test_runner: add junit file attribute support (sangwook) #59432223c5e105d] - tools: update gyp-next to 0.20.5 (Node.js GitHub Bot) #603132949408fc1] - tools: limit inspector protocol PR title length (Chengzhong Wu) #60324b36a898650] - tools: fix inspector_protocol updater (Chengzhong Wu) #60277d60f002b62] - tools: optimize wildcard execution in tools/test.py (Joyee Cheung) #602669d4e422419] - tools: add inspector_protocol updater (Chengzhong Wu) #602452f93a9894f] - tools: use cooldown property correctly (Rafael Gonzaga) #601349468ade95d] - typings: add missing properties and method in Worker (Woohyun Sung) #60257f611ec0a9e] - typings: add missing properties in HTTPParser (Woohyun Sung) #60257301c1347a1] - typings: delete undefined property in ConfigBinding (Woohyun Sung) #6025780fdb3d39b] - typings: add buffer internalBinding typing (방진혁) #601638cb3b77039] - util: use more defensive code when inspecting error objects (Antoine du Hamel) #60139748d4f6430] - util: mark special properties when inspecting them (Ruben Bridgewater) #601316183a759d7] - vm: make vm.Module.evaluate() conditionally synchronous (Joyee Cheung) #602054b8506628f] - win: upgrade Visual Studio workload from 2019 to 2022 (Jiawen Geng) #60318v24.11.0: 2025-10-28, Version 24.11.0 'Krypton' (LTS), @richardlauCompare Source
Notable Changes
This release marks the transition of Node.js 24.x into Long Term Support (LTS)
with the codename 'Krypton'. It will continue to receive updates through to
the end of April 2028.
Other than updating metadata, such as the
process.releaseobject, to reflectthat the release is LTS, no further changes from Node.js 24.10.0 are included.
Known issue
An issue has been identified in the Node.js 24.x line with
Buffer.allocUnsafeunintentionally returning zero-filled buffers. This API is
documented to return uninitialized memory.
The documented behavior will be restored in the next Node.js 24.x LTS release to bring
it back in line with previous releases. For more information, see
#60423.
v24.10.0: 2025-10-08, Version 24.10.0 (Current), @RafaelGSSCompare Source
Notable Changes
31bb476895] - (SEMVER-MINOR) console: allow per-streaminspectOptionsoption (Anna Henningsen) #600823b92be2fb8] - (SEMVER-MINOR) lib: remove util.getCallSite (Rafael Gonzaga) #5998018c79d9e1c] - (SEMVER-MINOR) sqlite: create authorization api (Guilherme Araújo) #59928Commits
e8cff3d51e] - benchmark: remove unused variable from util/priority-queue (Bruno Rodrigues) #5987203294252ab] - benchmark: update count to n in permission startup (Bruno Rodrigues) #598723c8a609d9b] - benchmark: update num to n in dgram offset-length (Bruno Rodrigues) #598727b2032b13e] - benchmark: adjust dgram offset-length len values (Bruno Rodrigues) #59708552d887aee] - benchmark: update num to n in dgram offset-length (Bruno Rodrigues) #5970831bb476895] - (SEMVER-MINOR) console: allow per-streaminspectOptionsoption (Anna Henningsen) #600820bf022d4c0] - console,util: improve array inspection performance (Ruben Bridgewater) #6003704d568e591] - deps: V8: cherry-pickf93055f(Olivier Flückiger) #60105621058b3bf] - deps: update archs files for openssl-3.5.4 (Node.js GitHub Bot) #6010181b3009fe6] - deps: upgrade openssl sources to openssl-3.5.4 (Node.js GitHub Bot) #60101dc44c9f349] - deps: upgrade npm to 11.6.1 (npm team) #60012ec0f137198] - deps: update ada to 3.3.0 (Node.js GitHub Bot) #60045f490f91874] - deps: update amaro to 1.1.4 (pmarchini) #60044de7a7cd0d7] - deps: update ada to 3.2.9 (Node.js GitHub Bot) #59987a533e5b5db] - doc: add automated migration info to deprecations (Augustin Mauroy) #600227fb8fe4875] - doc: fix typo on child_process.md (Angelo Gazzola) #6011424c1ef9846] - doc: remove optional title prefixes (Aviv Keller) #6008708b9eb8e19] - doc: mark.envfiles support as stable (Santeri Hiltunen) #5992566d90b8063] - doc: mention reverse proxy and include simple example (Steven) #5973614aa1119cb] - doc: provide alternative tourl.parse()using WHATWG URL (Steven) #59736f9412324f6] - doc: fix typo of built-in module specifier in worker_threads (Deokjin Kim) #5999264e738a342] - doc,crypto: reorder ML-KEM in the asymmetric key types table (Filip Skokan) #600671b25008b41] - http: improve writeEarlyHints by avoiding for-of loop (Haram Jeong) #5995835f9b6b28f] - inspector: improve batch diagnostic channel subscriptions (Chengzhong Wu) #600093b92be2fb8] - (SEMVER-MINOR) lib: remove util.getCallSite (Rafael Gonzaga) #59980c495e1fe57] - lib: optimize priority queue (Gürgün Dayıoğlu) #600396be31fb9f3] - lib: implement passive listener behavior per spec (BCD1me) #59995c5e4aa763b] - meta: bump actions/setup-python from 5.6.0 to 6.0.0 (dependabot[bot]) #6009050fa1f4a76] - meta: bump ossf/scorecard-action from 2.4.2 to 2.4.3 (dependabot[bot]) #60096def4ce976c] - meta: bump actions/cache from 4.2.4 to 4.3.0 (dependabot[bot]) #6009524b5abc0e9] - meta: bump step-security/harden-runner from 2.12.2 to 2.13.1 (dependabot[bot]) #600948ccf2b0b34] - meta: bump actions/setup-node from 4.4.0 to 5.0.0 (dependabot[bot]) #6009378580147ef] - meta: bump actions/stale from 9.1.0 to 10.0.0 (dependabot[bot]) #60092705686b5c4] - meta: bump codecov/codecov-action from 5.5.0 to 5.5.1 (dependabot[bot]) #60091423a6bc744] - meta: bump github/codeql-action from 3.30.0 to 3.30.5 (dependabot[bot]) #600899d9bd0fb4f] - meta: move Michael to emeritus (Michael Dawson) #60070dbeee55824] - module: use sync cjs when importing cts (Marco Ippolito) #60072a722f677ac] - perf_hooks: fix histogram fast call signatures (Renegade334) #59600b3295b8353] - process: fix wrong asyncContext under unhandled-rejections=strict (Shima Ryuhei) #60103cff4a7608a] - process: fix defaultenvforprocess.execve(Richard Lau) #60029cd034e927f] - process: fix hrtime fast call signatures (Renegade334) #5960018c79d9e1c] - (SEMVER-MINOR) sqlite: create authorization api (Guilherme Araújo) #59928d949222043] - sqlite: replaceToLocalCheckedand improve filter error handling (Edy Silva) #600286417dc879e] - src: bring permissions macros in line with general C/C++ standards (Anna Henningsen) #60053e273c2020c] - src: update contextify to use DictionaryTemplate (James M Snell) #600595f9ff60664] - src: removeAnalyzeTemporaryDtorsoption from .clang-tidy (iknoom) #600089db54adccc] - src: update cares_wrap to use DictionaryTemplates (James M Snell) #60033fc0ceb7b82] - src: correct the error handling in StatementExecutionHelper (James M Snell) #600403e8fdc1d8d] - src: remove unused variables from report (Moonki Choi) #60047d744324d8e] - src: avoid unnecessary string allocations in SPrintF impl (Anna Henningsen) #60052de65a5c719] - src: make ToLower/ToUpper input args more flexible (Anna Henningsen) #60052354026df5a] - src: allowstd::string_viewarguments toSPrintF()and friends (Anna Henningsen) #6005842f7d7cb20] - src: remove unnecessarystd::stringerror messages (Anna Henningsen) #6005730c2c0fedd] - src: remove unnecessary shadowed functions on Utf8Value & BufferValue (Anna Henningsen) #60056eb99eec09b] - src: avoid unnecessary string ->char*-> string round trips (Anna Henningsen) #60055c1f1dbdce2] - src: remove useless dereferencing inTHROW_...(Anna Henningsen) #60054ea0f5e575d] - src: filloptions_args,options_envafter vectors are finalized (iknoom) #59945415fff217a] - src: use RAII for uv_process_options_t (iknoom) #59945982b03ecbd] - test: marktest-runner-run-watchflaky on macOS (Richard Lau) #60115831a0d3d28] - test: ensure that the message event is fired (Luigi Pinca) #599525538cfc1e8] - test: replace diagnostics_channel stackframe in output snapshots (Chengzhong Wu) #6002477ec400d90] - test: mark test-web-locks skip on IBM i (SRAVANI GUNDEPALLI) #599961aaadb9e31] - test: ensure message event fires in worker message port test (Jarred Sumner) #598851d5cc5e57a] - test: mark sea tests flaky on macOS x64 (Richard Lau) #60068c412b1855d] - test: expand tls-check-server-identity coverage (Diango Gavidia) #60002ad87975029] - test: fix typo of test-benchmark-readline.js (Deokjin Kim) #59993bad4b9b878] - test: add newstartNewREPLSevertesting utility (Dario Piotrowicz) #59964ef90b0f456] - test: verify tracing channel doesn't swallow unhandledRejection (Gerhard Stöbich) #59974d7285459fe] - timers: fix binding fast call signatures (Renegade334) #596006529ae9b0c] - tools: add message on auto-fixing js lint issues in gh workflow (Dario Piotrowicz) #591281ca116a6ea] - tools: verify signatures when updating nghttp* (Antoine du Hamel) #6011320d10a2398] - tools: use dependabot cooldown and move tools/doc (Rafael Gonzaga) #59978275c07064c] - typings: update 'types' binding (René) #596928c21c4b286] - wasi: fix WasiFunction fast call signature (Renegade334) #59600b865074641] - win,tools: add description to signature (Martin Costello) #59877v24.9.0: 2025-09-25, Version 24.9.0 (Current), @targosCompare Source
Notable Changes
9b043a9096] - (SEMVER-MINOR) http: add shouldUpgradeCallback to let servers control HTTP upgrades (Tim Perry) #59824a6456ab90a] - (SEMVER-MINOR) sqlite: cleanup ERM support and export Session class (James M Snell) #583785563361d22] - (SEMVER-MINOR) sqlite: add tagged template (0hm☘️) #5874804013ee933] - (SEMVER-MINOR) worker: add heap profile API (theanarkh) #59846Commits
cbec4fd6de] - benchmark: calibrate config dgram multi-buffer (Bruno Rodrigues) #596969a4bbdc3c5] - benchmark: calibrate config cluster/echo.js (Nam Yooseong) #598360b284d86e8] - build: add the missing macro definitions for OpenHarmony (hqzing) #5980443e6e54d66] - build: do not include custom ESLint rules testing in tarball (Antoine du Hamel) #59809039ac19154] - crypto: expose signatureAlgorithm on X509Certificate (Patrick Costa) #59235647c332704] - crypto: usereturn awaitwhen returning Promises from async functions (Renegade334) #598418ed4587cf0] - crypto: use async functions for non-stub Promise-returning functions (Renegade334) #59841bb051c56ef] - crypto: avoid calls topromise.catch()(Renegade334) #5984105e560dd25] - deps: update googletest to50b8600(Node.js GitHub Bot) #59955fa40d3a785] - deps: update archs files for openssl-3.5.3 (Node.js GitHub Bot) #599018c85570d18] - deps: upgrade openssl sources to openssl-3.5.3 (Node.js GitHub Bot) #59901b71125664e] - deps: update undici to 7.16.0 (Node.js GitHub Bot) #59830dea5dd7077] - dgram: restore buffer optimization in fixBufferList (Yoo) #59934b0c1e67532] - diagnostics_channel: fix race condition with diagnostics_channel and GC (Ugaitz Urien) #599100b37b594c3] - doc: use "WebAssembly" instead of "Web Assembly" (Tobias Nießen) #599541e723f9c6b] - doc: fix typo in section on microtask order (Tobias Nießen) #59932a28962a85c] - doc: update V8 fast API guidance (René) #58999bd767c5d1b] - doc: add security escalation policy (Ulises Gascón) #598069df91e59e1] - doc: type improvement of filehttp.md(yusheng chen) #58189e4f571680b] - doc: deprecate closingfs.Diron garbage collection (Livia Medeiros) #59839e9cb986fa5] - doc: rephrase dynamic import() description (Nam Yooseong) #59224026d4e33f7] - doc,crypto: update subtle.generateKey and subtle.importKey (Filip Skokan) #598512b2591db52] - esm: make hasAsyncGraph non-enumerable (Joyee Cheung) #59905993f05d323] - fs,win: do not add a second trailing slash in readdir (Gerhard Stöbich) #598477aec53b607] - (SEMVER-MINOR) http: add shouldUpgradeCallback to let servers control HTTP upgrades (Tim Perry) #5982483ae6102e7] - http: optimize checkIsHttpToken for short strings (방진혁) #598326695067636] - http,https: handle IPv6 with proxies (Joyee Cheung) #59894c5d910a0a9] - http2: fix allowHttp1+Upgrade, broken by shouldUpgradeCallback (Tim Perry) #59924acada1fb82] - inspector: ensure adequate memory allocation forBinary::toBase64(René) #59870396cc8ec65] - lib: update inspect output format for subclasses (Miguel Marcondes Filho) #59687fed1dac8de] - lib: update isDeepStrictEqual to support options (Miguel Marcondes Filho) #59762d785929fd7] - lib: add source map support for assert messages (Chengzhong Wu) #59751ff13d1d61e] - lib,src: cache ModuleWrap.hasAsyncGraph (Chengzhong Wu) #59703b200cd8470] - lib,src: refactor assert to load error source from memory (Chengzhong Wu) #59751e94c57301b] - meta: add .npmrc with ignore-scripts=true (Joyee Cheung) #59914728472a57b] - module: only put directly require-d ESM into require.cache (Joyee Cheung) #59874be48760b93] - node-api: added SharedArrayBuffer api (Mert Can Altin) #59071f006a14522] - node-api: make napi_delete_reference use node_api_basic_env (Jeetu Suthar) #596840f46c1c3b0] - repl: fix cpu overhead pasting big strings to the REPL (Ruben Bridgewater) #598573eeb7b47ea] - sqlite: fix crash session extension callbacks with workers (Bart Louwers) #598480fe53375ec] - (SEMVER-MINOR) sqlite: cleanup ERM support and export Session class (James M Snell) #583789a3e58a007] - (SEMVER-MINOR) sqlite: add tagged template (0hm☘️) #58748f14ed5ab7b] - src: simplify watchdog instantiations viastd::optional(Anna Henningsen) #59960e330f03f84] - src: update crypto objects to use DictionaryTemplate (James M Snell) #5994269b5607cf4] - src: simplify is_callable by making it a concept (Tobias Nießen) #5816986150f3401] - src: rename private fields to follow naming convention (Moonki Choi) #59923d17f299539] - src: use DictionaryTemplate more in URLPattern (James M Snell) #59892ac784912ac] - src: reduce the nearest parent package JSON cache size (Michael Smith) #59888abecdcb536] - src: replace FIXED_ONE_BYTE_STRING with Environment-cached strings (Moonki Choi) #598912bb152500b] - src: create strings inFIXED_ONE_BYTE_STRINGas internalized (Anna Henningsen) #5982603116a7cd8] - src: removestd::arrayoverload ofFIXED_ONE_BYTE_STRING(Anna Henningsen) #598268a5325d6e3] - src: ensurev8::Eternalis empty before setting it (Anna Henningsen) #59825f0c20ccd81] - src: remove unnecessaryEnvironment::GetCurrent()calls (Moonki Choi) #59814213188e491] - stream: use new AsyncResource instead of bind (Matteo Collina) #59867ce8435b003] - test: testcase demonstrating issue 59541 (Eric Rannaud) #598018f32746142] - test: guard write to proxy client if proxy connection is ended (Joyee Cheung) #597426790093fcb] - tls: load bundled and extra certificates off-thread (Joyee Cheung) #59856f5d3f919d8] - tls: only do off-thread certificate loading on loading tls (Joyee Cheung) #5985687bbaa23a0] - tools: fixtools/make-v8.shfor clang (Richard Lau) #598930d23fd525b] - tools: skip test-internet workflow for draft PRs (Michaël Zasso) #59817e17c73731a] - tools: copyeditbuild-tarball.yml(Antoine du Hamel) #5980897c4e1bac9] - typings: remove unused imports (Nam Yooseong) #598808b29bbca76] - url: replaced slice with at (Mikhail) #591816458867a6b] - url: add type checking to urlToHttpOptions() (simon-id) #597533c62b3886f] - util: inspect objects with throwing Symbol.toStringTag (Ruben Bridgewater) #598606133a82875] - util: fix debuglog.enabled not being present with callback logger (Ruben Bridgewater) #598589347ddddf4] - vm: explain how to share promises between contexts w/ afterEvaluate (Eric Rannaud) #5980144ce971619] - vm: "afterEvaluate", evaluate() return a promise from the outer context (Eric Rannaud) #598016e586a1409] - vm: expose hasTopLevelAwait on SourceTextModule (Chengzhong Wu) #5986549747a58a3] - (SEMVER-MINOR) worker: add heap profile API (theanarkh) #59846b970c0bbc2] - zlib: reduce code duplication (jhofstee) #578109782ca2b1b] - zlib: implement fast path for crc32 (Gürgün Dayıoğlu) #59813v24.8.0: 2025-09-10, Version 24.8.0 (Current), @targosCompare Source
Notable Changes
HTTP/2 Network Inspection Support in Node.js
Node.js now supports inspection of HTTP/2 network calls in Chrome DevTools for Node.js.
Usage
Write a
test.jsscript that makes HTTP/2 requests.Run it with these options:
Open
about:inspecton Google Chrome and click onOpen dedicated DevTools for Node.The
Networktab will let you track your HTTP/2 calls.Contributed by Darshan Sen in #59611.
Other Notable Changes
7a8e2c251d] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in node:crypto (Filip Skokan) #595704b631be0b0] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in Web Cryptography (Filip Skokan) #595703e4b1e732c] - (SEMVER-MINOR) crypto: add KMAC Web Cryptography algorithms (Filip Skokan) #59647b1d28785b2] - (SEMVER-MINOR) crypto: add Argon2 Web Cryptography algorithms (Filip Skokan) #59544430691d1af] - (SEMVER-MINOR) crypto: support SLH-DSA KeyObject, sign, and verify (Filip Skokan) #59537d6d05ba397] - (SEMVER-MINOR) worker: add cpu profile APIs for worker (theanarkh) #59428Commits
d913872369] - assert: cap input size in myersDiff to avoid Int32Array overflow (Haram Jeong) #595787bbbcf6666] - benchmark: sqlite prevent create both tables on prepare selects (Bruno Rodrigues) #5970944d7b92271] - benchmark: calibrate config array-vs-concat (Rafael Gonzaga) #595877f347fc551] - build: fix getting OpenSSL version on Windows (Michaël Zasso) #596094a317150d5] - build: fix 'implicit-function-declaration' on OpenHarmony platform (hqzing) #59547bda32af587] - build: usewindows-2025runner (Michaël Zasso) #59673a4a8ed8f6e] - build: compile bundled uvwasi conditionally (Carlo Cabrera) #59622d944a87761] - crypto: refactor subtle methods to use synchronous import (Filip Skokan) #597717a8e2c251d] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in node:crypto (Filip Skokan) #595704b631be0b0] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in Web Cryptography (Filip Skokan) #595703e4b1e732c] - (SEMVER-MINOR) crypto: add KMAC Web Cryptography algorithms (Filip Skokan) #59647b1d28785b2] - (SEMVER-MINOR) crypto: add Argon2 Web Cryptography algorithms (Filip Skokan) #59544430691d1af] - (SEMVER-MINOR) crypto: support SLH-DSA KeyObject, sign, and verify (Filip Skokan) #595370d1e53d935] - deps: update uvwasi to 0.0.23 (Node.js GitHub Bot) #5979168732cf426] - deps: update histogram to 0.11.9 (Node.js GitHub Bot) #59689f12c1ad961] - deps: update googletest toeb2d85e(Node.js GitHub Bot) #5933545af6966ae] - deps: upgrade npm to 11.6.0 (npm team) #5975057617244a4] - deps: V8: cherry-pick6b1b9bc(Xiao-Tao) #592832e6225a747] - deps: update amaro to 1.1.2 (Node.js GitHub Bot) #596161f7f6dfae6] - diagnostics_channel: revoke DEP0163 (René) #597588671a6cdb3] - doc: stabilize --disable-sigusr1 (Rafael Gonzaga) #59707583b1b255d] - doc: update OpenSSL default security level to 2 (Jeetu Suthar) #597239b5eb6eb50] - doc: fix missing links in theerrorspage (Nam Yooseong) #59427e7bf712c57] - doc: update "Type stripping in dependencies" section (Josh Kelley) #5965296db47f91e] - doc: add Miles Guicent as triager (Miles Guicent) #5956287f829bd0c] - doc: markpath.matchesGlobas stable (Aviv Keller) #59572062b2f705e] - doc: improve documentation for raw headers in HTTP/2 APIs (Tim Perry) #596336ab9306370] - doc: update install_tools.bat free disk space (Stefan Stojanovic) #59579c8d6b60da6] - doc: fix quic session instance typo (jakecastelli) #5964261d0a2d1ba] - doc: fix filehandle.read typo (Ruy Adorno) #596353276bfa0d0] - doc: update migration recomendations forutil.is**()deprecations (Augustin Mauroy) #5926911de6c7ebb] - doc: fix missing link to the Error documentation in thehttppage (Alexander Makarenko) #59080f5b6829bba] - doc,crypto: add description to the KEM and supports() methods (Filip Skokan) #596445bfdc7ee74] - doc,crypto: cleanup unlinked and self method references webcrypto.md (Filip Skokan) #59608010458d061] - esm: populate separate cache for require(esm) in imported CJS (Joyee Cheung) #59679dbe6e63baf] - esm: fix missed renaming in ModuleJob.runSync (Joyee Cheung) #597248eb0d9d834] - fs: fix wrong order of file names in cpSync error message (Nicholas Paun) #59775e69be5611f] - fs: fix dereference: false on cpSync (Nicholas Paun) #596812865d2ac20] - http: unbreak keepAliveTimeoutBuffer (Robert Nagy) #59784ade1175475] - http: use cached '1.1' http version string (Robert Nagy) #5971774a09482de] - inspector: undici as shared-library should pass tests (Aras Abbasi) #59837772f8f415a] - inspector: add http2 tracking support (Darshan Sen) #596113d225572d7] - Revert "lib: optimize writable stream buffer clearing" (Yoo) #597434fd213ce73] - lib: fix isReadable and isWritable return type value (Gabriel Quaresma) #5908939befddb87] - lib: prefer TypedArrayPrototype primordials (Filip Skokan) #597660748160d2e] - lib: fix DOMException subclass support (Chengzhong Wu) #596801a93df808c] - lib: revert to using default derived class constructors (René) #59650bb0755df37] - meta: bumpcodecov/codecov-action(dependabot[bot]) #5972645d148d9be] - meta: bump actions/download-artifact from 4.3.0 to 5.0.0 (dependabot[bot]) #5972901b66b122e] - meta: bump github/codeql-action from 3.29.2 to 3.30.0 (dependabot[bot]) #5972834f7ab5502] - meta: bump actions/cache from 4.2.3 to 4.2.4 (dependabot[bot]) #597275806ea02af] - meta: bump actions/checkout from 4.2.2 to 5.0.0 (dependabot[bot]) #59725f667215583] - path: refactor path joining logic for clarity and performance (Lee Jiho) #597810340fe92a6] - repl: do not cause side effects in tab completion (Anna Henningsen) #59774a414c1eb51] - repl: fix REPL completion under unary expressions (Kingsword) #59744c206f8dd87] - repl: add isValidParentheses check before wrap input (Xuguang Mei) #596070bf9775ee2] - sea: implement sea.getAssetKeys() (Joyee Cheung) #59661bf26b478d8] - sea: allow using inspector command line flags with SEA (Joyee Cheung) #5956892128a8fe2] - src: use DictionaryTemplate for node_url_pattern (James M Snell) #59802bcb29fb84f] - src: correctly report memory changes to V8 (Yaksh Bariya) #5962344c24657d3] - src: fixup node_messaging error handling (James M Snell) #597922cd6a3b7ec] - src: track async resources via pointers to stack-allocated handles (Anna Henningsen) #5970434d752586f] - src: fix build on NetBSD (Thomas Klausner) #5971815fa779ac5] - src: fix race on process exit and off thread CA loading (Chengzhong Wu) #5963215cbd3966a] - src: separate module.hasAsyncGraph and module.hasTopLevelAwait (Joyee Cheung) #5967588d1ca8990] - src: use non-deprecated Get/SetPrototype methods (Michaël Zasso) #5967156ac9a2d46] - src: migrate WriteOneByte to WriteOneByteV2 (Chengzhong Wu) #596343d88aa9f2f] - src: remove duplicate code (theanarkh) #596490718a70b2a] - src: add name for more threads (theanarkh) #596010379a8b254] - src: remove JSONParser (Joyee Cheung) #5961990d0a1b2e9] - src,sqlite: refactor value conversion (Edy Silva) #596595e025c7ca7] - stream: replace manual function validation with validateFunction (방진혁) #59529155a999bed] - test: skip tests failing when run under root (Livia Medeiros) #597796313706c69] - test: update WPT for urlpattern tocff1ac1(Node.js GitHub Bot) #5960241245ad4c7] - test: skip more sea tests on Linux ppc64le (Richard Lau) #59755df63d37ec4] - test: fix internet/test-dns (Michaël Zasso) #596601f6c335e82] - test: mark test-inspector-network-fetch as flaky again (Joyee Cheung) #596401798683df1] - test: skip test-fs-cp* tests that are constantly failing on Windows (Joyee Cheung) #596374c48ec09e5] - test: deflake test-http-keep-alive-empty-line (Luigi Pinca) #59595dcdb259e85] - test_runner: fix todo inheritance (Moshe Atlow) #5972124177973a2] - test_runner: set mock timer's interval undefined (hotpineapple) #5947983d11f8a7a] - tools: print appropriate output when test aborted (hotpineapple) #597941eca2cc548] - tools: use sparse checkout inbuild-tarball.yml(Antoine du Hamel) #5978889fa1a929d] - tools: remove unused actions frombuild-tarball.yml(Antoine du Hamel) #59787794ca3511d] - tools: do not attempt to compress tgz archive (Antoine du Hamel) #59785377bdb9b7e] - tools: add v8windbg target (Chengzhong Wu) #597676696d1d6c9] - tools: improve error handling in node_mksnapshot (James M Snell) #594378dbd0f13e8] - tools: add sccache totest-internetworkflow (Antoine du Hamel) #597206523c2d7d9] - tools: update gyp-next to 0.20.4 (Node.js GitHub Bot) #5969019d633f40c] - tools: add script to make reviewing backport PRs easier (Antoine du Hamel) #5916115e547b3a4] - typings: add typing for 'uv' (방진혁) #59606ad5cfcc901] - typings: add missing properties in ConfigBinding (Lee Jiho) #5958570d2d6d479] - url: add err.input to ERR_INVALID_FILE_URL_PATH (Joyee Cheung) #59730e476e43c17] - util: fix numericSeparator with negative fractional numbers (sangwook) #59379b2e8f40d15] - util: remove unnecessary template strings (btea) #592016f79450ea2] - util: remove outdated TODO comment (haramjeong) #5976032731432ef] - util: use getOptionValue('--no-deprecation') in deprecated() (haramjeong) #5976065e4e68c90] - util: hide duplicated stack frames when using util.inspect (Ruben Bridgewater) #594472086f3365f] - vm: sync-ify SourceTextModule linkage (Chengzhong Wu) #59000c16163511d] - wasi: fixcleantarget intest/wasi/Makefile(Antoine du Hamel) #595762e54411cb6] - worker: optimize cpu profile implement (theanarkh) #59683d6d05ba397] - (SEMVER-MINOR) worker: add cpu profile APIs for worker (theanarkh) #59428v24.7.0: 2025-08-27, Version 24.7.0 (Current), @targosCompare Source
Notable Changes
Post-Quantum Cryptography in
node:cryptoOpenSSL 3.5 on 24.x kicked off post-quantum cryptography efforts in Node.js by
allowing use of NIST's post-quantum cryptography standards for future-proofing
applications against quantum computing threats. The following post-quantum
algorithms are now available in
node:crypto:crypto.encapsulate()andcrypto.decapsulate()methods.crypto.sign()andcrypto.verify()methods.Contributed by Filip Skokan in #59259 and #59491.
Modern Algorithms in Web Cryptography API
The second substantial extension to the Web Cryptography API
(
globalThis.crypto.subtle) was recently accepted for incubation by WICG.The following algorithms and methods from this extension are now available in
the Node.js Web Cryptography API implementation:
subtle.getPublicKey()SubtleCrypto.supports()Contributed by Filip Skokan in #59365, #59569, #59461, and #59539.
Node.js execution argument support in single executable applications
The single executable application configuration now supports additional fields
to specify Node.js execution arguments and control how they can be extended when
the application is run.
execArgvtakes an array of strings for the execution arguments to be used.execArgvExtensiontakes one of the following values:"none": No additional execution arguments are allowed."cli": Additional execution arguments can be provided via a special command-line flag--node-options="--flag1 --flag2=value"at run time."env"(default): Additional execution arguments can be provided via theNODE_OPTIONSenvironment variable at run time.For example, with the following configuration:
If the generated single executable application is named
sea, then running:Would be equivalent to running:
Contributed by Joyee Cheung in #59314 and #59560.
Root certificates updated to NSS 3.114
Certificates added:
Certificates removed:
Other Notable Changes
d3afc63c44] - (SEMVER-MINOR) crypto: add argon2() and argon2Sync() methods (Ranieri Althoff) #503536ae202fcdf] - (SEMVER-MINOR) http: add Agent.agentKeepAliveTimeoutBuffer option (Haram Jeong) #59315dafee05358] - (SEMVER-MINOR) http2: add support for raw header arrays in h2Stream.respond() (Tim Perry) #594558dc6f5b696] - (SEMVER-MINOR) stream: add brotli support to CompressionStream and DecompressionStream (Matthew Aitken) #59464Commits
0fa22cbf7c] - benchmark: calibrate config v8/serialize.js (Rafael Gonzaga) #59586f5ece45b45] - benchmark: reduce readfile-permission-enabled config (Rafael Gonzaga) #595898ebd4f4434] - benchmark: calibrate length of util.diff (Rafael Gonzaga) #595887dee3ffd14] - benchmark: reflect current OpenSSL in crypto key benchmarks (Filip Skokan) #59459027b861ca1] - benchmark, test: replace CRLF variable with string literal (Lee Jiho) #5946689dd770889] - build: do not set-mminimal-tocwithclang(Richard Lau) #59484e13de4542f] - child_process: remove unsafe array iteration (hotpineapple) #5934789fe63551e] - crypto: load system CA certificates off thread (Joyee Cheung) #59550152c5ef518] - (SEMVER-MINOR) crypto: add AES-OCB Web Cryptography algorithm (Filip Skokan) #59539c6c418343d] - crypto: update root certificates to NSS 3.114 (Node.js GitHub Bot) #5957118a2ee5b6c] - (SEMVER-MINOR) crypto: support ML-KEM in Web Cryptography (Filip Skokan) #5956972937e5144] - crypto: require HMAC key length with SHA-3 hashes in Web Cryptography (Filip Skokan) #59567b7383186c7] - crypto: fix subtle.getPublicKey error for secret type key inputs (Filip Skokan) #595582d05c046db] - crypto: return cached copies from CryptoKey algorithm and usages getters (Filip Skokan) #59538207ffbeb07] - crypto: use CryptoKey internal slots in Web Cryptography (Filip Skokan) #595384276516781] - crypto: normalize RsaHashedKeyParams publicExponent (Filip Skokan) #5953814741539a7] - (SEMVER-MINOR) crypto: support ML-KEM, DHKEM, and RSASVE key encapsulation mechanisms (Filip Skokan) #59491d3afc63c44] - (SEMVER-MINOR) crypto: add argon2() and argon2Sync() methods (Ranieri Althoff) #503534fe383e45a] - (SEMVER-MINOR) crypto: support ML-DSA spki/pkcs8 key formats in Web Cryptography (Filip Skokan) #59365a95386fbf9] - (SEMVER-MINOR) crypto: subject some algorithms in Web Cryptography on BoringSSL absence (Filip Skokan) #593653f47a2fb63] - (SEMVER-MINOR) crypto: add ChaCha20-Poly1305 Web Cryptography algorithm (Filip Skokan) #593656fcce9058a] - (SEMVER-MINOR) crypto: add subtle.getPublicKey() utility function in Web Cryptography (Filip Skokan) #5936576cde76429] - (SEMVER-MINOR) crypto: add SHA-3 Web Cryptography digest algorithms (Filip Skokan) #59365247d017501] - (SEMVER-MINOR) crypto: add SHAKE Web Cryptography digest algorithms (Filip Skokan) #59365f4fbcca5ce] - (SEMVER-MINOR) crypto: add SubtleCrypto.supports feature detection in Web Cryptography (Filip Skokan) #59365a55382214f] - (SEMVER-MINOR) crypto: support ML-DSA in Web Cryptography (Filip Skokan) #59365c38988c860] - crypto: fix EVPKeyCtxPointer::publicCheck() (Tobias Nießen) #5947161c3bcdc56] - (SEMVER-MINOR) crypto: support ML-KEM KeyObject (Filip Skokan) #594610821b446fb] - deps: update undici to 7.14.0 (Node.js GitHub Bot) #59507b3af17c065] - deps: V8: cherry-pick7b91e3e(Milad Fa) #594859b69baf146] - deps: V8: cherry-pick59d52e3(Milad Fa) #59485b4f202c2f1] - doc: improvesqlite.backup()progress/fulfillment documentation (René) #5959840b217a2f9] - doc: clarify experimental platform vulnerability policy (Matteo Collina) #59591cf84fffea5] - doc: link toTypedArray.from()in signature (Aviv Keller) #592264bf6ed0bf5] - doc: fix typos inenvironment_variables.md(PhistucK) #595361784c35a49] - doc: add security incident reponse plan (Rafael Gonzaga) #59470b962560240] - doc: clarify maxRSS unit inprocess.resourceUsage()(Alex Yang) #59511e6a6cdb9df] - doc: add missing Zstd strategy constants (RANDRIAMANANTENA Narindra Tiana Annaick) #59312a6a31cb467] - (SEMVER-MINOR) doc: compress Web Cryptography Algorithm matrix (Filip Skokan) #593658f8960cfcb] - doc: fix the version tls.DEFAULT_CIPHERS was added (Allon Murienik) #592479e76089f1a] - doc: clarify glob's exclude option behavior (hotpineapple) #59245dd5f835af7] - doc: add RafaelGSS as performance strategic lead (Rafael Gonzaga) #594452b7a7a525e] - doc,crypto: add supported asymmetric key types section (Filip Skokan) #594922fafe4c3bb] - esm: link modules synchronously when no async loader hooks are used (Joyee Cheung) #595195347c4997a] - esm: show race error message for inner module job race (Joyee Cheung) #59519b56d8af2fe] - esm: sync-ify module translation (Joyee Cheung) #59453b4a23d6a69] - http: trim off brackets from IPv6 addresses with string operations (Krishnadas PC) #594206ae202fcdf] - (SEMVER-MINOR) http: add Agent.agentKeepAliveTimeoutBuffer option (Haram Jeong) #59315dafee05358] - (SEMVER-MINOR) http2: add support for raw header arrays in h2Stream.respond() (Tim Perry) #59455b7ea39d860] - http2: report sent headers object in client stream dcs (Darshan Sen) #59419ebe9272dae] - inspector: initial support websocket inspection (Shima Ryuhei) #59404b35041c7dc] - inspector: prevent propagation of promise hooks to noPromise hooks (Shima Ryuhei) #58841fe7176d7c6] - lib: do not modify prototype deprecated asyncResource (encore) (Szymon Łągiewka) #5951893fc80a1e2] - (SEMVER-MINOR) lib: refactor kSupportedAlgorithms (Filip Skokan) #593659a12f71ad9] - lib: simplify IPv6 checks in isLoopback() (Krishnadas) #59375566fb04c82] - meta: update devcontainer to the latest schema (Aviv Keller) #54347389a24bbff] - module: allow overriding linked requests for a ModuleWrap (Chengzhong Wu) #595277880978fe3] - module: correctly detect top-level await in ambiguous contexts (Shima Ryuhei) #5864699128d9244] - node-api: link to other programming language bindings (Chengzhong Wu) #5951665c870e6cb] - node-api: clarify enum value ABI stability (Chengzhong Wu) #59085352d63541a] - sea: implement execArgvExtension (Joyee Cheung) #59560c6e3d5d98d] - (SEMVER-MINOR) sea: support execArgv in sea config (Joyee Cheung) #59314e7084df4db] - sqlite: add sqlite-type symbol for DatabaseSync (Alex Yang) #59405e2b6bdc640] - sqlite: handle ?NNN parameters as positional (Edy Silva) #5935099e4a12731] - sqlite: avoid useless call to FromMaybe() (Tobias Nießen) #59490dfd4962e5f] - src: enforce assumptions in FIXED_ONE_BYTE_STRING (Tobias Nießen) #5815593a368df04] - src: use simdjson to parse --snapshot-config (Joyee Cheung) #59473716750fcf8] - src: fix order of CHECK_NOT_NULL/dereference (Tobias Nießen) #5948744a8ecf8d4] - src: assert memory calc for max-old-space-size-percentage (Asaf Federman) #594603462b46fca] - src: use simdjson::pad (0hm☘️) #593913e1551d845] - src: move shared_ptr objects in KeyObjectData (Tobias Nießen) #59472c022c1f85a] - src: add internal GetOptionsAsFlags (Pietro Marchini) #59138c0f08454a3] - src: iterate metadata version entries with std::array (Chengzhong Wu) #57866f87836f3ae] - src: internalizev8::ConvertableToTraceFormatin traces (Chengzhong Wu) #57866852b8e46d8] - src: remove duplicate assignment ofO_EXCLin node_constants.cc (Daniel Osvaldo R) #5904964ffde608f] - src: add Intel CET properties to large_pages.S (tjuhaszrh) #59363823dce32ec] - src: update OpenSSL pqc checks (Filip Skokan) #594368dc6f5b696] - (SEMVER-MINOR) stream: add brotli support to CompressionStream and DecompressionStream (Matthew Aitken) #59464b2b8383755] - test: use mustSucceed in test-repl-tab-complete-import (Sohyeon Kim) #59368e3ad5cc2c6] - test: skip sea tests on Linux ppc64le (Richard Lau) #59563f78f47ca5a] - test: support standalone env comment in tests (Pietro Marchini) #595460e8bc2c7ac] - test: rename test-net-server-drop-connections-in-cluster.js to -http- (Meghan Denny) #59532ed339580af] - test: lazy-load internalTTy (Pietro Marchini) #59517fe86bc6da8] - test: fixtest-setproctitlestatus whenpsis not available (Antoine du Hamel) #59523e517792973] - test: add parseTestMetadata support (Pietro Marchini) #5950331092972d6] - test: update WPT for WebCryptoAPI toff26d9b(Node.js GitHub Bot) #5949716afd103cc] - (SEMVER-MINOR) test: add Web Cryptography wrap/unwrap vectors (Filip Skokan) #593655598baf34e] - (SEMVER-MINOR) test: cleanup test-webcrypto-supports (Filip Skokan) #59365e7809d6ddb] - test: make test-debug-process locale-independent (BCD1me) #59254ca7856e73c] - test: mark test-wasi-pthread as flaky (Joyee Cheung) #594880ecd82197f] - test: split test-wasi.js (Joyee Cheung) #594880930c218d6] - test: deflake connection refused proxy tests (Joyee Cheung) #594767f457f886a] - test: use case-insensitive path checking on Windows in fs.cpSync tests (Joyee Cheung) #5947537809115f9] - test: add missing hasPostData in test-inspector-emit-protocol-event (Shima Ryuhei) #59412f4722b1672] - test: refactor error checks to use assert.ifError/mustSucceed (Sohyeon Kim) #594249ff71a672d] - test: fix typos (Lee Jiho) #593309a7700da62] - test: skip test-watch-mode inspect when no inspector (James M Snell) #59440e964c4334e] - test_runner: do not error when gettingfullNameof root context (René) #59377e076f7857c] - test_runner: add option to rerun only failed tests (Moshe Atlow) #59443eb8b1939a4] - test_runner: fix isSkipped check in junit (Sungwon) #594144e02ea1c52] - tools: update gyp-next to 0.20.3 (Node.js GitHub Bot) #5960399da7fbe11] - tools: avoid parsing test files twice (Pietro Marchini) #595269a6a8e319b] - tools: update coverage GitHub Actions to fixed version (Rich Trott) #595128d28236aff] - tools: fix return value of try_check_compiler (theanarkh) #5943452ab64ec3a] - tools: bump @eslint/plugin-kit from 0.3.3 to 0.3.4 in /tools/eslint (dependabot[bot]) #59271baa22893bb] - typings: add missing URLBinding methods (성우현 | Woohyun Sung) #59468b68e0d1eca] - util: fix error's namespaced node_modules highlighting using inspect (Ruben Bridgewater) #5944615ae21b88a] - util: add some additional error classes towellKnownPrototypes(Mark S. Miller) #59456c38b7cfa35] - worker: fix worker name with \0 (theanarkh) #59214f54ace694a] - worker: add worker name to report (theanarkh) #58935Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Renovate Bot.
Update dependency @types/node to ^24.3.0to Update dependency @types/node to v24.3.008f6f824e7toacdaa01b45acdaa01b45to2c06315c91Update dependency @types/node to v24.3.0to Update Node.js to v24.7.02c06315c91to5ae8d65eff5ae8d65efftoaa31be5a79Update Node.js to v24.7.0to Update Node.js to v24.8.0aa31be5a79to8e422546668e42254666to7f9cdd2c817f9cdd2c81to0729b7a00b0729b7a00bto3f455431dd3f455431ddto6de4cd88346de4cd8834toe03501efc5Update Node.js to v24.8.0to Update Node.js to v24.9.0e03501efc5to131c72c889131c72c889tof60de320fff60de320ffto817c4316e9817c4316e9to0a4bbe7a490a4bbe7a49toe3310ea492Update Node.js to v24.9.0to Update Node.js to v24.10.0e3310ea492toe9fb40728de9fb40728dtocd65a9a724cd65a9a724to2d3b6df1342d3b6df134tob668617b81b668617b81to3f424ac3f73f424ac3f7to439a4ec2ecUpdate Node.js to v24.10.0to Update Node.js to v24.11.0439a4ec2ecto331b79fb02331b79fb02to3032bb796a3032bb796atoea63eb165fUpdate Node.js to v24.11.0to Update Node.js to v24.11.1ea63eb165fto1436a53c0d1436a53c0dto7bb9a4ecbd7bb9a4ecbdto947e097172Update Node.js to v24.11.1to Update Node.js to v24.12.0947e097172todc5d3ae955dc5d3ae955to229f4e5946229f4e5946to459350160f459350160fto8855c8b3668855c8b366to76e7f7b5fdUpdate Node.js to v24.12.0to Update Node.js to v24.13.076e7f7b5fdto312d802951View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.Merge
Merge the changes and update on Forgejo.Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.