chore(deps): update node.js to v22.22.3 #121
No reviewers
Labels
No labels
bug
duplicate
enhancement
help wanted
invalid
question
renovate-bot
renovate-security
security
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
mCaptcha/pow_sha256-polyfill!121
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "renovate/node-22.x"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
22.20.0->22.22.3Release Notes
nodejs/node (node)
v22.22.3: 2026-05-13, Version 22.22.3 'Jod' (LTS), @marco-ippolitoCompare Source
Commits
4f780905c5] - crypto: fix potential null pointer dereference when BIO_meth_new() fails (Nora Dossche) #617884a09efb947] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485e4c0d99839] - deps: update timezone to 2026a (Node.js GitHub Bot) #621640226c8dd7a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #62382e742ab748c] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #6225673cac0571a] - deps: update amaro to 1.1.8 (Node.js GitHub Bot) #62151ae5c162b93] - deps: update amaro to 1.1.7 (Node.js GitHub Bot) #61730b819cb9977] - deps: update amaro to 1.1.6 (Node.js GitHub Bot) #61603bbcce09dc7] - deps: update sqlite to 3.52.0 (Node.js GitHub Bot) #6215022ff2d81ce] - deps: update simdjson to 4.3.1 (Node.js GitHub Bot) #61930f49b51d75c] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #619281a5cec0d49] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #61925d339497688] - deps: update nbytes to 0.1.3 (Node.js GitHub Bot) #618793ff8ffd459] - deps: remove stale OpenSSL arch configs (René) #61834b8ddbc1e9a] - deps: update llhttp to 9.3.1 (Node.js GitHub Bot) #61827ffda97afd4] - deps: update googletest to2461743(Node.js GitHub Bot) #6248479aa32cf4f] - deps: update googletest to73a63ea(Node.js GitHub Bot) #61927b6957e13b6] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #626293a27669063] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #62629d568a1bb53] - deps: upgrade npm to 10.9.8 (npm team) #62463ec11f3c1d5] - deps: V8: backport85b3900(Thibaud Michaud) #6278308609712ed] - deps: V8: backport1b27e46(Thibaud Michaud) #62783dcc60d5ab2] - deps: V8: backport9997fc0(Thibaud Michaud) #627831d1f4451fb] - deps: V8: cherry-pickb96e40d(Clemens Backes) #627832268567237] - deps: V8: cherry-pick7cb6188(Thibaud Michaud) #6278392804cdbea] - deps: V8: cherry-picke7ccf0a(Thibaud Michaud) #62783eae2c27a40] - deps: V8: cherry-pick8e214ec(Thibaud Michaud) #62783a1799a49bb] - deps: V8: backport63b8849(Thibaud Michaud) #62783a2df2d8731] - deps: V8: backport3239427(Thibaud Michaud) #62783e3d65c7dca] - deps: V8: backport89dc6ea(Thibaud Michaud) #627835e7db133de] - deps: V8: backport910cb91(Jakob Kummerow) #62783d0c24a28af] - deps: V8: cherry-pickb8f91e5(Thibaud Michaud) #62783d358687824] - deps: V8: cherry-pickcf03d55(Thibaud Michaud) #6278367c8b2c349] - deps: V8: cherry-pick692f3d5(Sébastien Doeraene) #6278371e5a59ffd] - deps: V8: cherry-pickc734674(Manos Koukoutos) #62783f0dbe81c7b] - deps: V8: cherry-pickb2f3aea(Thibaud Michaud) #62783d333f480c3] - deps: V8: cherry-pick5f1342c(Matthias Liedtke) #62783db722725bb] - deps: use npm undici@six tag inupdate-undici.sh(Matteo Collina) #630129b57979d9c] - doc: add Rafael to last security release steward (Rafael Gonzaga) #62423d8075585bf] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #623556ec9a70204] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #622081fc86fcb6e] - doc: add note (and caveat) formock.moduleabout customization hooks (Jacob Smith) #62075491be80bd9] - doc: add efekrskl as triager (Efe) #6187618558293a3] - doc: fix module.stripTypeScriptTypes indentation (René) #619928e20976522] - doc: explicitly mention Slack handle (Rafael Gonzaga) #6198670b8e6b4fb] - doc: rename invalidfunctionparameter (René) #619424045c76f6c] - doc: clarify status of feature request issues (Antoine du Hamel) #61505c54652f2aa] - doc: remove incorrect mention ofmoduleintypescript.md(Rob Palmer) #618399fad6cedf5] - doc: clarify async caveats forevents.once()(René) #615722f1e5733fe] - doc: update Juan's security steward info (Juan José) #61754a64bdb5068] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #6220602797de923] - doc: fix small environment_variables typo (chris) #62279f22ebdc809] - doc: fix small logic error in DETECT_MODULE_SYNTAX (René) #620259f4508062a] - doc: fix methods being documented as properties inprocess.md(Antoine du Hamel) #617653ea39ff135] - doc: fix dropdown menu being obscured at <600px due to stacking context (Jeff) #61735c22445079b] - doc: fix spacing in process message event (Aviv Keller) #6175632831b5223] - doc: fix broken links of net.md (YuSheng Chen) #61673005508d509] - doc: remove obsolete Boxstarter automated install (Mike McCready) #6178537c2fd6f7d] - esm: fix path normalization infinalizeResolution(Antoine du Hamel) #620801769d74613] - esm: populate separate cache for require(esm) in imported CJS (Joyee Cheung) #59679ee02966ffc] - http: fix keep-alive socket reuse race in requestOnFinish (Martin Slota) #617102fdb5ce6cc] - http2: fix FileHandle leak in respondWithFile (sangwook) #61707aa2c1eca04] - lib: fix source map url parse in dynamic imports (Chengzhong Wu) #61990785b00cbeb] - meta: pass release version to release worker (flakey5) #62777447fb9a0b5] - meta: persist sccache daemon until end of build workflows (René) #616395065a0acb3] - module: do not invoke resolve hooks twice for imported cjs (Joyee Cheung) #615299a2e21305d] - module: do not wrap module._load when tracing is not enabled (Joyee Cheung) #61479b9240bc063] - module: fix sync resolve hooks for require with node: prefixes (Joyee Cheung) #610882e91b28aaf] - module: handle null source from async loader hooks in sync hooks (Joyee Cheung) #5992939147c154e] - module: use sync cjs when importing cts (Marco Ippolito) #6007212a2462b2c] - module: only put directly require-d ESM into require.cache (Joyee Cheung) #59874cf39566277] - src: fix flags argument offset in JSUdpWrap (Weixie Cui) #61948578a9a9230] - src: clamp WriteUtf8 capacity to INT_MAX in EncodeInto (semimikoh) #6262157c3035fec] - stream: fix decoded fromList chunk boundary check (Thomas Watson) #6188457fb008bb8] - test: update tls junk data error expectations (Filip Skokan) #62629363f9a9d18] - test: skiptest-urlon--shared-adabuilds (Antoine du Hamel) #62019daaead342b] - test: simplify encodeInto large buffer regression test (semimikoh) #62621ecfa766b41] - tools: fix auto-start-ci (Antoine du Hamel) #6190017c0a610af] - tools: fix parsing of commit trailers inlint-release-proposalGHA (Antoine du Hamel) #6207789ad7dc63b] - tools: enforce removal oflts-watch-*labels on release proposals (Antoine du Hamel) #616725f9bb8ef0c] - tools: revert tools GHA workflow to ubuntu-latest (Richard Lau) #62024977ef80ac1] - url: process crash via malformed UNC hostname in pathToFileURL() (Nicola Del Gobbo) #62574ad8f518a81] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #62325v22.22.2: 2026-03-24, Version 22.22.2 'Jod' (LTS), @RafaelGSS prepared by @aduh95Compare Source
This is a security release.
Notable Changes
SNICallbackinvocation intry/catch(Matteo Collina) - HighheadersDistinct/trailersDistinct(Matteo Collina) - HighNGHTTP2_ERR_FLOW_CONTROLerror code (RafaelGSS) - Mediumrealpath.native(RafaelGSS) - Lowlib/fs/promises(RafaelGSS) - LowCommits
6f14ee5101] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#80952a52ef619] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#82230a3ab11e2] - (CVE-2026-21717) deps: V8: cherry-pickaac14dd(Joyee Cheung) nodejs-private/node-private#809e3f4d6a42e] - (CVE-2026-21717) deps: V8: backport1361b2a(Joyee Cheung) nodejs-private/node-private#8097dc00fa5f4] - (CVE-2026-21717) deps: V8: backport185f0fe(Joyee Cheung) nodejs-private/node-private#809076acd052d] - (CVE-2026-21717) deps: V8: backport0a8b1cd(snek) nodejs-private/node-private#809963c60a951] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344a688117d5d] - deps: upgrade npm to 10.9.7 (npm team) #62330859c8c761b] - deps: update undici to v6.24.1 (Matteo Collina) #62285d5ed384a2f] - deps: upgrade npm to 10.9.6 (npm team) #62215a2fe9fd81a] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#82173deff77c1] - lib: backport_tls_commonand_tls_wraprefactors (Dario Piotrowicz) #5764306fc3436f6] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795db48d9c675] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#7942a6105a63b] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#83291b970886f] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819v22.22.1: 2026-03-05, Version 22.22.1 'Jod' (LTS)Compare Source
Notable Changes
7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #599836063d888fe] - cli: mark--heapsnapshot-near-heap-limitas stable (Joyee Cheung) #60956d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #614194f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741b6ebf2cd53] - doc: add avivkeller to collaborators (Aviv Keller) #6111535854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #610945c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #60714Commits
5f773488c2] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #61076feecbb0eab] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #61388096095b127] - benchmark: add SQLite benchmarks (Guilherme Araújo) #61401b5fe481415] - benchmark: use boolean options in benchmark tests (SeokhunEom) #60129fa9faacacb] - benchmark: allow boolean option values (SeokhunEom) #60129ba8714ac21] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #6084153596de876] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #60663e8930e9d7c] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #606031155e412b1] - benchmark: add per-suite setup option (Joyee Cheung) #60574e01903d304] - benchmark: improve cpu.sh for safety and usability (Nam Yooseong) #60162623a405747] - benchmark: add benchmark for leaf source text modules (Joyee Cheung) #602057f5e7b9f7f] - benchmark: add microbench on isInsideNodeModules (Chengzhong Wu) #60991db132b85a8] - bootstrap: initialize http proxy after user module loader setup (Joyee Cheung) #5893866aab9f987] - buffer: let Buffer.of use heap (Сковорода Никита Андреевич) #60503c3cf00c671] - buffer: speed up concat via TypedArray#set (Gürgün Dayıoğlu) #60399f6fad231e9] - build: skip sscache action on non-main branches (Joyee Cheung) #617902145f91f6b] - build: update android-patches/trap-handler.h.patch (Mo Luo) #603695b49759dd8] - build: update devcontainer.json to use paired nix env (Joyee Cheung) #6141424724cde40] - build: fix misplaced comma in ldflags (hqzing) #61294c57a19934e] - build: fix crate vendor file checksums on windows (Chengzhong Wu) #613298659d7cd07] - build: fix inconsistent quoting inMakefile(Antoine du Hamel) #6051144f339b315] - build: remove temporal updater (Chengzhong Wu) #61151d60a6cebd5] - build: update test-wpt-report to use NODE instead of OUT_NODE (Filip Skokan) #6102434ccf187f5] - build: skip build-ci on actions with a separate test step (Chengzhong Wu) #610737b19e101a2] - build: run embedtest with node_g when BUILDTYPE=Debug (Chengzhong Wu) #608509408c4459f] - build: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) #599842166ec7f0f] - build: use call command when calling python configure (Jacob Nichols) #6009873ef70145d] - build: remove V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE defs (Joyee Cheung) #602967b93a65f27] - build: test on Python 3.14 (Christian Clauss) #59983508ce6ec6c] - build, src: fix include paths for vtune files (Rahul) #59999c89d3cd570] - build,tools: fix addon build deadlock on errors (Vladimir Morozov) #6132140904a0591] - build,win: update WinGet configurations to Python 3.14 (Mike McCready) #614316d6742e7db] - child_process: treat ipc length header as unsigned uint32 (Ryuhei Shima) #613446063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #609563d324a0f88] - cluster: fix port reuse between cluster (Ryuhei Shima) #6014140a58709b4] - console: optimize single-string logging (Gürgün Dayıoğlu) #60422d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #614194f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741a87499ae25] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #606628c65cc11e2] - crypto: update root certificates to NSS 3.116 (Node.js GitHub Bot) #5995691dc00a2c1] - debugger: fix event listener leak in the run command (Joyee Cheung) #604640781bd3764] - deps: V8: backport6a0a25a(Vivian Wang) #616880cf1f9c3e9] - deps: update googletest to8508785(Node.js GitHub Bot) #61417521b4b1f07] - deps: update sqlite to 3.51.2 (Node.js GitHub Bot) #6133958b9d219a3] - deps: update icu to 78.2 (Node.js GitHub Bot) #60523cbc1e4306d] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #61135db59c35ed8] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #61271c18518ee3c] - deps: update nbytes to 0.1.2 (Node.js GitHub Bot) #61270376df62d63] - deps: update timezone to 2025c (Node.js GitHub Bot) #61138993e905302] - deps: update simdjson to 4.2.4 (Node.js GitHub Bot) #61056b72fd2a5d3] - deps: update googletest to065127f(Node.js GitHub Bot) #61055d765147405] - deps: update sqlite to 3.51.1 (Node.js GitHub Bot) #6089937abe2a7d2] - deps: update zlib to 1.3.1-63d7e16 (Node.js GitHub Bot) #6089897241fcb86] - deps: update sqlite to 3.51.0 (Node.js GitHub Bot) #606143669c7b4f4] - deps: update simdjson to 4.2.2 (Node.js GitHub Bot) #607409a056ec89c] - deps: update googletest to1b96fa1(Node.js GitHub Bot) #60739b5803b3ea0] - deps: update minimatch to 10.1.1 (Node.js GitHub Bot) #605435bf99f3d46] - deps: update cjs-module-lexer to 2.1.1 (Node.js GitHub Bot) #60646801f187357] - deps: update simdjson to 4.2.1 (Node.js GitHub Bot) #6064403c16e5a4c] - deps: update simdjson to 4.1.0 (Node.js GitHub Bot) #605422ebfc2ca56] - deps: update amaro to 1.1.5 (Node.js GitHub Bot) #60541d24ba4fed6] - deps: update simdjson to 4.0.7 (Node.js GitHub Bot) #598839480a139bf] - deps: update googletest to279f847(Node.js GitHub Bot) #60219635e67379e] - deps: update archs files for openssl-3.5.5 (Node.js GitHub Bot) #61547c7b774047d] - deps: upgrade openssl sources to openssl-3.5.5 (Node.js GitHub Bot) #615475b324d7d7f] - deps: update corepack to 0.34.6 (Node.js GitHub Bot) #61510eef8ba0667] - deps: update corepack to 0.34.5 (Node.js GitHub Bot) #60842490f7c7fb1] - deps: update corepack to 0.34.4 (Node.js GitHub Bot) #6064366903ea3b3] - deps: update corepack to 0.34.2 (Node.js GitHub Bot) #60550a2f0b69282] - deps: update corepack to 0.34.1 (Node.js GitHub Bot) #60314c8044a48a6] - deps: V8: backport2e4c5cf(Michaël Zasso) #60654642f518198] - doc: supported toolchain with Visual Studio 2022 only (Mike McCready) #61451625f674487] - doc: move Security-Team from TSC to SECURITY (Rafael Gonzaga) #61495029e32f8ba] - doc: addedrequestOCSPoption totls.connect(ikeyan) #6106468e33dfa89] - doc: restore @ChALkeR to collaborators (Сковорода Никита Андреевич) #61553e016770d62] - doc: update IBM/Red Hat volunteers with dedicated project time (Beth Griggs) #61588ec63954657] - doc: mention constructor comparison in assert.deepStrictEqual (Hamza Kargin) #60253c8e1563a98] - doc: add CVE delay mention (Rafael Gonzaga) #614654b00cf2b54] - doc: include OpenJSF handle for security stewards (Rafael Gonzaga) #614544b73bf5bc8] - doc: clarify process.argv[1] behavior for -e/--eval (Jeevankumar S) #61366d3151df4b3] - doc: remove Windows Dev Home instructions from BUILDING (Mike McCready) #614342323462e35] - doc: clarify TypedArray properties on Buffer (Roman Reiss) #613556c5478c8b2] - doc: note resume build should not be done on node-test-commit (Stewart X Addison) #61373ba4a043103] - doc: refine WebAssembly error documentation (sangwook) #61382cd315ea589] - doc: add deprecation history for url.parse (Eng Zer Jun) #6138942db0c392d] - doc: add marco and rafael in last sec release (Marco Ippolito) #613834c3b680fc7] - doc: packages: example of private import switch to internal (coderaiser) #61343684d15e421] - doc: add esm and cjs examples to node:v8 (Alfredo González) #61328c3f9c7a7d9] - doc: added 'secure' event to tls.TLSSocket (ikeyan) #61066aa9acad5ca] - doc: restore @watilde to collaborators (Daijiro Wachi) #613509cafec084e] - doc: run license-builder (github-actions[bot]) #61348cdb12ccbc6] - doc: document ALPNCallback option for TLSSocket constructor (ikeyan) #61331461c5e65c5] - doc: update MDN links (Livia Medeiros) #61062dde45baeab] - doc: add documentation for process.traceProcessWarnings (Alireza Ebrahimkhani) #5364159a7aeec92] - doc: fix filename typo (Hardanish Singh) #612979a0a40d1ed] - doc: fix typos and grammar inBUILDING.md&onboarding.md(Hardanish Singh) #61267dca7005f9d] - doc: mention --newVersion release script (Rafael Gonzaga) #61255c0dc8ddf85] - doc: correct typo in api contributing doc (Mike McCready) #61260066af38fe1] - doc: add PR-URL requirement for security backports (Rafael Gonzaga) #6125671dd46bd0c] - doc: add reusePort error behavior to net module (mag123c) #61250f6abe3ba33] - doc: note corepack package removal in distribution doc (Mike McCready) #612079059d49d8c] - doc: fix tls.connect() timeout documentation (Azad Gupta) #61079e7b34b76b0] - doc: missingpassed,errorandpassedproperties onTestContext(Xavier Stouder) #611859ae2dcfbb6] - doc: clarify threat model for application-level API exposure (Rafael Gonzaga) #611849902331a7c] - doc: correct options for net.Socket class and socket.connect (Xavier Stouder) #61179a80122d2fe] - doc: document error event on readline InterfaceConstructor (Xavier Stouder) #6117038d73c9cfa] - doc: add a smooth scrolling effect to the sidebar (btea) #5900795c51fa984] - doc: correct invalid collaborator profile (JJ) #61091f5a044763c] - doc: exclude compile-time flag features from security policy (Matteo Collina) #61109b6ebf2cd53] - doc: add @avivkeller to collaborators (Aviv Keller) #6111535854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #610944932322c29] - doc: add File modes cross-references in fs methods (Mohit Raj Saxena) #60286c84904e047] - doc: add missingzstdto mjs example of zlib (Deokjin Kim) #60915e615b9e2f2] - doc: clarify fileURLToPath security considerations (Rafael Gonzaga) #6088799e384e6d4] - doc: replace column with columnNumber in example ofutil.getCallSites(Deokjin Kim) #608819351bb4d02] - doc: correct spelling in BUILDING.md (Rich Trott) #60875e1f6e7fc4d] - doc: update debuglog examples to use 'foo-bar' instead of 'foo' (xiaoyao) #60867ccbb2d7300] - doc: fix typos in changelogs (Rich Trott) #608551cb2fe8b35] - doc: mark module.register as active development (Chengzhong Wu) #60849ceeb4968a6] - doc: add fullName property to SuiteContext (PaulyBearCoding) #6076256155909dd] - doc: keep sidebar module visible when navigating docs (Botato) #604106b637763d5] - doc: correct concurrency wording in test() documentation (Azad Gupta) #607737183e8ffa1] - doc: clarify that CQ only picks up PRs targetingmain(René) #60731d5d94303be] - doc: clarify license section and add contributor note (KaleruMadhu) #60590e0210c8f53] - doc: correct tls ALPNProtocols types (René) #60143eff87b498a] - doc: remove mention of SMS 2FA (Antoine du Hamel) #60707e77ef94a51] - doc:domain.add()does not accept timer objects (René) #606754fe19c95ea] - doc: update Collaborators list to reflect hybrist handle change (Antoine du Hamel) #60650eece59b6ce] - doc: fix linter issues (Antoine du Hamel) #606366e17e596e4] - doc: correct values/references for buffer.kMaxLength (René) #60305ac327ae9a7] - doc: recommend events.once to manage 'close' event (Dan Fabulich) #60017d9b149ea42] - doc: highlight module loading difference between import and require (Ajay A) #59815f6d62cb22c] - doc: fix typo inprocess.unrefdocumentation (우혁) #596986d5078b196] - doc: add some entries toglossary.md(Mohataseem Khan) #59277b0a5820dea] - doc: improve agent.createConnection docs for http and https agents (JaeHo Jang) #58205b5db02fe67] - doc: fix pseudo code in modules.md (chirsz) #57677e9b912d481] - doc: add missing variable in code snippet (Koushil Mankali) #5547844c06c7812] - doc: add missing word insingle-executable-applications.md(Konstantin Tsabolov) #53864482b43f160] - doc: fix typo in http.md (Michael Solomon) #59354cd323bc718] - doc: update devcontainer.json and add documentation (Joyee Cheung) #60472c7c70f3a16] - doc: add haramj as triager (Haram Jeong) #6034804b8c4d14e] - doc: clarify require(esm) description (dynst) #60520de382dc832] - doc: instantiate resolver object (Donghoon Nam) #60476b6845ce460] - doc: clarify --use-system-ca support status (Joyee Cheung) #603400894dae9bc] - doc: add missing CAA type to dns.resolveAny() & dnsPromises.resolveAny() (Jimmy Leung) #58899c86a69f692] - doc: useanyforworker_threads.Worker'error' event argumenterr(Jonas Geiler) #603000c5031e233] - doc: update decorator documentation to reflect actual policy (Muhammad Salman Aziz) #60288b01f710175] - doc: document wildcard supported by tools/test.py (Joyee Cheung) #60265b4524dabcc] - doc: fixblob.bytes()heading level (XTY) #602525df02776e3] - doc: fix not working code example in vm docs (Artur Gawlik) #602246a4359a0b5] - doc: improve code snippet alternative of url.parse() using WHATWG URL (Steven) #60209ad06bee70d] - doc: use markdown when branch-diff major release (Rafael Gonzaga) #60179c0d4b11ed4] - doc: update teams in collaborator-guide.md and add links (Bart Louwers) #6006520b5ffcac3] - doc: update previous version links in BUILDING (Mike McCready) #61457de345ea3a3] - doc: correct description oferror.stackaccessor behavior (René) #61090d8418d9de7] - doc: fix link in--env-file=filesection (N. Bighetti) #605631107bda21e] - doc: fix v22 changelog after security release (Marco Ippolito) #6137142aab9469a] - doc: add missing history entry forsqlite.md(Antoine du Hamel) #60607deb6d5deff] - doc, module: change async customization hooks to experimental (Gerhard Stöbich) #60302c659add7d1] - doc,src,lib: clarify experimental status of Web Storage support (Antoine du Hamel) #60708dda95e91b9] - esm: avoid throw when module specifier is not url (Craig Macomber (Microsoft)) #61000912945be89] - events: remove redundant todo (Gürgün Dayıoğlu) #6059522e156eb10] - events: remove eventtarget custom inspect branding (Efe) #61128df6fd9b03f] - fs: remove duplicate getValidatedPath calls (Mert Can Altin) #613596ea3e4d850] - fs: fix errorOnExist behavior for directory copy in fs.cp (Nicholas Paun) #60946dd918b9980] - fs: fix ENOTDIR in globSync when file is treated as dir (sangwook) #612594908e67ba0] - fs: remove duplicate fd validation in sync functions (Mert Can Altin) #613614a27bce3d9] - fs: detect dot files when using globstar (Robin van Wijngaarden) #61012b0186ff65c] - fs: validate statfs path (Efe) #612306689775023] - gyp: aix: change gcc version detection so CXX="ccache g++" works (Stewart X Addison) #614645c4f4db663] - http: fix rawHeaders exceeding maxHeadersCount limit (Max Harari) #612857599e2eccd] - http: replace startsWith with strict equality (btea) #5939499a85213bf] - http: lazy allocate cookies array (Robert Nagy) #597347669e6a5ad] - http: fix http client leaky with double response (theanarkh) #60062f074c126a8] - http,https: fix double ERR_PROXY_TUNNEL emission (Shima Ryuhei) #60699d8ac368363] - http2: add diagnostics channels for client stream request body (Darshan Sen) #60480e26a7e464d] - http2: rename variable to additionalPseudoHeaders (Tobias Nießen) #602085df634f46e] - http2: validate initialWindowSize per HTTP/2 spec (Matteo Collina) #614022ccc9a6205] - http2: do not crash on mismatched ping buffer length (René) #601353e68a5f78a] - inspector: inspect HTTP response body (Chengzhong Wu) #60572a86ffa9a5d] - inspector: add network payload buffer size limits (Chengzhong Wu) #60236ea60ef5d74] - lib: fix typo inutil.jscomment (Taejin Kim) #613659d8d9322a4] - lib: fix TypeScript support check in jitless mode (sangwook) #61382fc26f5c78f] - lib: gbk decoder is gb18030 decoder per spec (Сковорода Никита Андреевич) #610993b87030012] - lib: enforce use ofURLParse(Antoine du Hamel) #610162a7479d4fc] - lib: useFastBufferfor empty buffer allocation (Gürgün Dayıoğlu) #605587cf4c43582] - lib: fix constructor in _errnoException stack tree (SeokHun) #60156f9d87fbfaa] - lib: fix typo in QuicSessionStats (SeokHun) #601558d26ccc652] - lib: remove redundant destroyHook checks (Gürgün Dayıoğlu) #60120705832a1be] - lib,src: isInsideNodeModules should test on the first non-internal frame (Chengzhong Wu) #609916f39ad190b] - meta: do not fast-track npm updates (Antoine du Hamel) #61475a6a0ff9486] - meta: fix typos in issue template config (Daijiro Wachi) #61399ec88c9b378] - meta: label v8 module PRs (René) #6132583143835de] - meta: bump step-security/harden-runner from 2.13.2 to 2.14.0 (dependabot[bot]) #612450802dc663a] - meta: bump actions/setup-node from 6.0.0 to 6.1.0 (dependabot[bot]) #61244587db55796] - meta: bump actions/cache from 4.3.0 to 5.0.1 (dependabot[bot]) #61243262c9d37a6] - meta: bump github/codeql-action from 4.31.6 to 4.31.9 (dependabot[bot]) #61241d9763b5afd] - meta: bump codecov/codecov-action from 5.5.1 to 5.5.2 (dependabot[bot]) #612400af73d1811] - meta: bump peter-evans/create-pull-request from 7.0.9 to 8.0.0 (dependabot[bot]) #612378be6afd239] - meta: move lukekarrys to emeritus (Node.js GitHub Bot) #60985c497de5c74] - meta: bump actions/setup-python from 6.0.0 to 6.1.0 (dependabot[bot]) #60927774920f169] - meta: bump github/codeql-action from 4.31.3 to 4.31.6 (dependabot[bot]) #60926ef3b1e5991] - meta: bump peter-evans/create-pull-request from 7.0.8 to 7.0.9 (dependabot[bot]) #609243ed667379f] - meta: bump github/codeql-action from 4.31.2 to 4.31.3 (dependabot[bot]) #607707c0cefb126] - meta: bump step-security/harden-runner from 2.13.1 to 2.13.2 (dependabot[bot]) #607695c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #607144f4dda2a18] - meta: bump actions/download-artifact from 5.0.0 to 6.0.0 (dependabot[bot]) #60532c436f8d57c] - meta: bump actions/upload-artifact from 4.6.2 to 5.0.0 (dependabot[bot]) #60531402d9f87a6] - meta: bump github/codeql-action from 3.30.5 to 4.31.2 (dependabot[bot]) #6053361be78e326] - meta: bump actions/setup-node from 5.0.0 to 6.0.0 (dependabot[bot]) #605297e4164a623] - meta: bump actions/stale from 10.0.0 to 10.1.0 (dependabot[bot]) #605281bf6e1d010] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #60325c66fc0e9cf] - meta: loop userland-migrations in deprecations (Chengzhong Wu) #60299e4be0791e7] - meta: callcreate-release-post.ymlpost release (Aviv Keller) #603668674f6527f] - module: preserve URL in the parent created by createRequire() (Joyee Cheung) #6097441db87a975] - msi: fix WiX warnings (Stefan Stojanovic) #60251884f313f40] - node-api: use Node-API in comments (Vladimir Morozov) #61320375164190b] - node-api: use local files for instanceof test (Vladimir Morozov) #60190972a1107c0] - os: freeze signals constant (Xavier Stouder) #61038e992057ab7] - perf_hooks: fix stack overflow error (Antoine du Hamel) #600840bb1814fdf] - repl: fix pasting after moving the cursor to the left (Ruben Bridgewater) #6047035a12fb996] - src: replaceranges::sortfor libc++13 compatibility on armhf (Rebroad) #61789dbf00d4664] - src: add missing override specifier to Clean() (Tobias Nießen) #61429140eba35d3] - src: cache context lookup in vectored io loops (Mert Can Altin) #6138793e7e1708b] - src: use C++ nullptr in webstorage (Tobias Nießen) #61407ef868447bc] - src: fix pointer alignment (jhofstee) #61336a96256524c] - src: dump snapshot source with node:generate_default_snapshot_source (Joyee Cheung) #61101ec051b9efd] - src: add HandleScope to edge loop in heap_utils (Mert Can Altin) #6088541749eb5d6] - src: remove redundant CHECK (Tobias Nießen) #6113057c81e5af3] - src: fix off-thread cert loading in bundled cert mode (Joyee Cheung) #607644b0616e024] - src: handle DER decoding errors from system certificates (Joyee Cheung) #6078793393371f9] - src: use static_cast instead of C-style cast (Michaël Zasso) #60868900445b655] - src: move Node-API version detection to where it is used (Anna Henningsen) #605128353a6da2a] - src: avoid C strings in more C++ exception throws (Anna Henningsen) #6059227c860c51f] - src: movenapi_addon_register_functonode_api_types.h(Anna Henningsen) #60512e0517752e7] - src: remove unconditional NAPI_EXPERIMENTAL in node.h (Chengzhong Wu) #6034521e2a52f8e] - src: clean up generic counter implementation (Anna Henningsen) #60447aed23cb8ca] - src: add enum handle for ToStringHelper + formatting (Burkov Egor) #568292e93650ebc] - src: fix timing of snapshot serialize callback (Joyee Cheung) #60434ece4acc18f] - src: add COUNT_GENERIC_USAGE utility for tests (Joyee Cheung) #6043431c8e9d9ff] - src: use cached primordials_string (Sohyeon Kim) #602557f0ffddc14] - src: implement Windows-1252 encoding support and update related tests (Mert Can Altin) #60893c2ba56d6b2] - src,permission: fix permission.has on empty param (Rafael Gonzaga) #60674e55a2b895a] - src,permission: add debug log on is_tree_granted (Rafael Gonzaga) #60668902a78b43c] - stream: fix isErrored/isWritable for WritableStreams (René) #60905221b77cf41] - stream: don't try to read more if reading (Robert Nagy) #6045446d12d826f] - test: skip strace test with shared openssl (Richard Lau) #6198752e6b01a44] - test: marktest-strace-openat-opensslas flaky (Antoine du Hamel) #619214d7468d0e0] - test: skip --build-sea tests on platforms where SEA is flaky (Joyee Cheung) #61504f604b7ae67] - test: fix flaky debugger test (Ryuhei Shima) #58324fc2dc4024b] - test: ensure removeListener event fires for once() listeners (sangwook) #601375fba382816] - test: delay writing the files only on macOS (Luigi Pinca) #6153285cc9e20e4] - test: asserts that import.meta.resolve invokes sync loader hooks (Chengzhong Wu) #6115813831685ca] - test: check util.parseArgs argv parsing with actual process execution (René) #61089ec4b722cb8] - test: remove unneccessary repl magic_mode tests (Dario Piotrowicz) #610535c811106bc] - test: skip sea tests on riscv64 (Stewart X Addison) #611114e4a631c07] - test: mark stringbytes-external-max flaky on AIX (Stewart X Addison) #609959af0787043] - test: update test426 fixtures (Rich Trott) #60982277f16d247] - test: skip SEA inspect test if inspector is not available (Livia Medeiros) #608727dfa8c96bf] - test: useassert.matchfor non-literal regexp tests (René) #6087941e6cd8ce5] - test: fix embedtest in debug windows (Vladimir Morozov) #60806f65147b226] - test: fix debug test crashes caused by sea tests (Vladimir Morozov) #60807a93dff9e92] - test: replace deprecated regex test assertions in http trailers test (Aditya Chopra) #60831f90d5b954f] - test: prefer major GC in cppgc-object teardown (sangwook) #60672e1645cc78d] - test: skip test that cause timeout on IBM i (SRAVANI GUNDEPALLI) #607004f23eba22f] - test: limit the concurrency of WPTRunner for RISC-V (Levi Zim) #60591c2bef6522b] - test: fix test-strace-openat-openssl for RISC-V (Levi Zim) #605884c03a7f864] - test: fix status when compiled without inspector (Antoine du Hamel) #602892ef146a074] - test: apply a delay towatch-mode-kill-signaltests (Joyee Cheung) #60610dc3000c504] - test: async iife in repl (Tony Gorez) #448785e06e84db1] - test: parallelize sea tests when there's enough disk space (Joyee Cheung) #60604940d2752bc] - test: only show overridden env in child process failures (Joyee Cheung) #60556558a5743c6] - test: add more logs to test-esm-loader-hooks-inspect-wait (Joyee Cheung) #6046610fac8de45] - test: mark stringbytes-external-exceed-max tests as flaky on AIX (Joyee Cheung) #605658bc84046be] - test: correct conditional secure heap flags test (Shelley Vohr) #60385ccc805f184] - test: fix flaky test-watch-mode-kill-signal-* (Joyee Cheung) #604431b8274453d] - test: capture stack trace in debugger timeout errors (Joyee Cheung) #604579fcf889279] - test: ensure assertions are reachable intest/async-hooks(Antoine du Hamel) #601507f5230333e] - test: increase debugger waitFor timeout on macOS (Chengzhong Wu) #603670e5ea3b795] - test: fix small compile warning in test_network_requests_buffer.cc (xiaocainiao633) #60281012780c7e8] - test: split test-runner-watch-mode-kill-signal (Joyee Cheung) #60298b53d35a8f8] - test: fix incorrect calculation in test-perf-hooks.js (Joyee Cheung) #60271b8ef464c08] - test: skip sea tests on x64 macOS (Joyee Cheung) #60250a3c4d905da] - test: move sea tests into test/sea (Joyee Cheung) #6025080bec9fd07] - test: skip tests that cause timeouts on IBM i (SRAVANI GUNDEPALLI) #601481d05b44c7c] - test: deflake test-fs-promises-watch-iterator (Luigi Pinca) #600608958096840] - test: deflaketest-repl-paste-big-data(Livia Medeiros) #60975e261a59ca4] - test: add newstartNewREPLSevertesting utility (Dario Piotrowicz) #59964d4a2d8aa8a] - test: skip failing tests when compiled without amaro (Yuki Okita) #608150e407a88bb] - test: skip failing test on macOS 15.7+ (Antoine du Hamel) #60419a253b7b6dc] - tools: switch to ARM runners on GHA jobs (Antoine du Hamel) #619038862c41494] - tools: avoid building twice in coverage jobs (Antoine du Hamel) #618997d11a22802] - tools: use ubuntu-slim runner in GHA (Antoine du Hamel) #61759d0e7d6cb89] - tools: use ubuntu-slim runner in GHA (Antoine du Hamel) #61734cf5ddd1811] - tools: use ubuntu-latest runner innotify-on-pushworkflow (Antoine du Hamel) #6174218bcf8e260] - tools: use ubuntu-slim runner in meta GitHub Actions (Tierney Cyren) #61663db76733b55] - tools: update gyp-next to 0.21.1 (Node.js GitHub Bot) #615281dd9d8a3b2] - tools: fix vcbuild lint-js-build (Vladimir Morozov) #61318ec67f8f9b5] - tools: only report commit validation failure on Slack (Antoine du Hamel) #611248e385c8c66] - tools: use sparse-checkout in linter jobs (Antoine du Hamel) #61123aed2e9c8eb] - tools: simplifynotify-on-push(Antoine du Hamel) #6105032680feefb] - tools: fix update-nghttp2 signature verification (Richard Lau) #61035c5f68f41e6] - tools: improve log output ofcreate-release-proposal(Antoine du Hamel) #6102832e0ae0ec7] - tools: fixvcbuild testwhen path contain spaces (stduhpf) #564819e0858e4a2] - tools: do not runtest-linuxworkflow for changes onvcbuild.bat(Antoine du Hamel) #60979fd656a79fc] - tools: disable some new cpplint rules before update (Michaël Zasso) #60901df4df52e67] - tools: don't fetch V8 deps in the source tree (Richard Lau) #60883e5c2fe8d6d] - tools: add temporal updater (Chengzhong Wu) #608287f031e097e] - tools: dump config.gypi as json (Chengzhong Wu) #607945e69488a5a] - tools: bump js-yaml from 4.1.0 to 4.1.1 in /tools/lint-md (dependabot[bot]) #607815119c50931] - tools: bump js-yaml from 4.1.0 to 4.1.1 in /tools/doc in the doc group (dependabot[bot]) #60766a4b073123d] - tools: remove unsupportedcooldownfrom Dependabot config (Antoine du Hamel) #60747a3df6b87bb] - tools: update sccache to v0.12.0 (Michaël Zasso) #607232efbd54a4a] - tools: update gyp-next to 0.21.0 (Node.js GitHub Bot) #60645bb7876e4f9] - tools: replace invalid expression in dependabot config (Riddhi) #60649e444e44d6a] - tools: skip unaffected GHA jobs for changes intest/internet(Antoine du Hamel) #60517a6a0ec107c] - tools: do not use short hashes for deps versioning to avoid collision (Antoine du Hamel) #60407c6e2eed65f] - tools: fix update-icu script (Michaël Zasso) #6052176fb3d123b] - tools: fix linter for semver-major release proposals (Antoine du Hamel) #60481f02889e24e] - tools: fix failing release-proposal linter for LTS transitions (Antoine du Hamel) #604658203df4432] - tools: remove undici from daily wpt.fyi job (Filip Skokan) #60444a58242b666] - tools: add lint rule to ensure assertions are reached (Antoine du Hamel) #6012558e3ef398f] - tools: update gyp-next to 0.20.5 (Node.js GitHub Bot) #60313996494482a] - tools: optimize wildcard execution in tools/test.py (Joyee Cheung) #60266cf84756d0d] - tools: use cooldown property correctly (Rafael Gonzaga) #601345469cb2651] - tools: validate release commit diff as part oflint-release-proposal(Antoine du Hamel) #614401b9eab4a1c] - tools,doc: fix format-md files list (Stefan Stojanovic) #61147b20d9c2ce7] - tools,doc: update JavaScript primitive types to match MDN Web Docs (JustApple) #6058131760b1beb] - typings: add typing for string_decoder (Taejin Kim) #61368d6b908917c] - typings: add missing properties and method in Worker (Woohyun Sung) #602571e8b6d5686] - typings: add missing properties in HTTPParser (Woohyun Sung) #6025727ae9b4a26] - typings: delete undefined property in ConfigBinding (Woohyun Sung) #60257f43c6434e2] - typings: add buffer internalBinding typing (방진혁) #60163e7f954f63a] - url: add fast path to getPathFromURL decoder (Gürgün Dayıoğlu) #60749c149b64473] - url: remove array.reduce usage (Gürgün Dayıoğlu) #607480bd291bff1] - util: optimize toASCIILower function using V8s native toLowerCase (Mert Can Altin) #61107bbc54b3c96] - util: limitinspectto only show own properties (Ruben Bridgewater) #6103278e5fa23c4] - util: fix parseArgs skipping positional arg with --eval and --print (azadgupta1) #60814f75ec19105] - util: assert getCallSites does not invoke Error.prepareStackTrace (Chengzhong Wu) #60922d77da9306c] - util: fix stylize of special properties in inspect (Ge Gao) #604793a4edc8f6d] - util: use more defensive code when inspecting error objects (Antoine du Hamel) #6013925c33af752] - util: mark special properties when inspecting them (Ruben Bridgewater) #601313f98b46716] - vm: make vm.Module.evaluate() conditionally synchronous (Joyee Cheung) #60205f64a691493] - win: upgrade Visual Studio workload from 2019 to 2022 (Jiawen Geng) #603188e04327954] - worker: update code examples fornode:worker_threadsmodule (fisker Cheung) #58264c4440dcc60] - worker: remove not implemented declarations (Artur Gawlik) #60655df4cc62954] - zlib: validate write_result array length (Ryuhei Shima) #61342v22.22.0: 2026-01-13, Version 22.22.0 'Jod' (LTS), @marco-ippolitoCompare Source
This is a security release.
Notable Changes
lib:
lib,permission:
src:
src,lib:
tls:
Commits
6badf4e6f4] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #6099737509c3ff0] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#791eb8e41f8db] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797ebbf942a83] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#7486b4849583a] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760ddadc31f09] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773d4d9f3915f] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#75925d6799df6] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796v22.21.1: 2025-10-28, Version 22.21.1 'Jod' (LTS), @aduh95Compare Source
Commits
af33e8e668] - benchmark: remove unused variable from util/priority-queue (Bruno Rodrigues) #598726764ce8756] - benchmark: update count to n in permission startup (Bruno Rodrigues) #598724e8d99f0dc] - benchmark: update num to n in dgram offset-length (Bruno Rodrigues) #59872af0a8ba7f8] - benchmark: adjust dgram offset-length len values (Bruno Rodrigues) #5970878efd1be4a] - benchmark: update num to n in dgram offset-length (Bruno Rodrigues) #59708df72dc96e9] - console,util: improve array inspection performance (Ruben Bridgewater) #60037ef67d09f50] - http: improve writeEarlyHints by avoiding for-of loop (Haram Jeong) #5995823468fd76b] - http2: fix allowHttp1+Upgrade, broken by shouldUpgradeCallback (Tim Perry) #5992456abc4ac76] - lib: optimize priority queue (Gürgün Dayıoğlu) #60039ea5cfd98c5] - lib: implement passive listener behavior per spec (BCD1me) #59995c2dd6eed2f] - process: fix wrong asyncContext under unhandled-rejections=strict (Shima Ryuhei) #6010381a3055710] - process: fix defaultenvforprocess.execve(Richard Lau) #60029fe492c7ace] - process: fix hrtime fast call signatures (Renegade334) #5960076b4cab8fc] - src: bring permissions macros in line with general C/C++ standards (Anna Henningsen) #6005321970970c7] - src: removeAnalyzeTemporaryDtorsoption from .clang-tidy (iknoom) #60008609c063e81] - src: remove unused variables from report (Moonki Choi) #60047987841a773] - src: avoid unnecessary string allocations in SPrintF impl (Anna Henningsen) #600526e386c0632] - src: make ToLower/ToUpper input args more flexible (Anna Henningsen) #60052c3be1226c7] - src: allowstd::string_viewarguments toSPrintF()and friends (Anna Henningsen) #60058764d35647d] - src: remove unnecessarystd::stringerror messages (Anna Henningsen) #600571289ef89ec] - src: remove unnecessary shadowed functions on Utf8Value & BufferValue (Anna Henningsen) #60056d1fb8a538d] - src: avoid unnecessary string ->char*-> string round trips (Anna Henningsen) #6005554b439fb5a] - src: filloptions_args,options_envafter vectors are finalized (iknoom) #59945c7c597e2ca] - src: use RAII for uv_process_options_t (iknoom) #59945b928ea9716] - test: ensure that the message event is fired (Luigi Pinca) #59952e4b95a5158] - test: replace diagnostics_channel stackframe in output snapshots (Chengzhong Wu) #600244206406694] - test: mark test-web-locks skip on IBM i (SRAVANI GUNDEPALLI) #5999626394cd5bf] - test: expand tls-check-server-identity coverage (Diango Gavidia) #60002b58df47995] - test: fix typo of test-benchmark-readline.js (Deokjin Kim) #59993af3a59dba8] - test: verify tracing channel doesn't swallow unhandledRejection (Gerhard Stöbich) #59974cee362242b] - timers: fix binding fast call signatures (Renegade334) #5960040fea57fdd] - tools: add message on auto-fixing js lint issues in gh workflow (Dario Piotrowicz) #59128aac90d351b] - tools: verify signatures when updating nghttp* (Antoine du Hamel) #601139fae03c7d9] - tools: use dependabot cooldown and move tools/doc (Rafael Gonzaga) #5997881548abdf6] - wasi: fix WasiFunction fast call signature (Renegade334) #59600v22.21.0: 2025-10-20, Version 22.21.0 'Jod' (LTS), @aduh95Compare Source
Notable Changes
1486fedea1] - (SEMVER-MINOR) cli: add--use-env-proxy(Joyee Cheung) #59151bedaaa11fc] - (SEMVER-MINOR) http: support http proxy for fetch underNODE_USE_ENV_PROXY(Joyee Cheung) #57165af8b5fa29d] - (SEMVER-MINOR) http: addshouldUpgradeCallbackto let servers control HTTP upgrades (Tim Perry) #5982442102594b1] - (SEMVER-MINOR) http,https: add built-in proxy support inhttp/https.requestandAgent(Joyee Cheung) #58980686ac49b82] - (SEMVER-MINOR) src: add percentage support to--max-old-space-size(Asaf Federman) #59082Commits
a71dd592e3] - benchmark: calibrate config dgram multi-buffer (Bruno Rodrigues) #5969616c4b466f4] - benchmark: calibrate config cluster/echo.js (Nam Yooseong) #5983653cb9f3b6c] - build: add the missing macro definitions for OpenHarmony (hqzing) #59804ec5290fe01] - build: do not include custom ESLint rules testing in tarball (Antoine du Hamel) #598091486fedea1] - (SEMVER-MINOR) cli: add --use-env-proxy (Joyee Cheung) #591511f93913446] - crypto: usereturn awaitwhen returning Promises from async functions (Renegade334) #59841f488b2ff73] - crypto: use async functions for non-stub Promise-returning functions (Renegade334) #59841aed9fd5ac4] - crypto: avoid calls topromise.catch()(Renegade334) #5984137c2d186f0] - deps: update amaro to 1.1.4 (pmarchini) #6004428aea13419] - deps: update archs files for openssl-3.5.4 (Node.js GitHub Bot) #60101ddbc1aa0bb] - deps: upgrade openssl sources to openssl-3.5.4 (Node.js GitHub Bot) #60101badbba2da9] - deps: update googletest to50b8600(Node.js GitHub Bot) #5995548aaf98a08] - deps: update archs files for openssl-3.5.3 (Node.js GitHub Bot) #59901e02a562ea6] - deps: upgrade openssl sources to openssl-3.5.3 (Node.js GitHub Bot) #599017e0e86cb92] - deps: upgrade npm to 10.9.4 (npm team) #6007491dda5facf] - deps: update undici to 6.22.0 (Matteo Collina) #601123a3220a2f0] - dgram: restore buffer optimization in fixBufferList (Yoo) #5993409bdcce6b8] - diagnostics_channel: fix race condition with diagnostics_channel and GC (Ugaitz Urien) #59910b3eeb3bd13] - doc: provide alternative tourl.parse()using WHATWG URL (Steven) #597361ddaab1904] - doc: mention reverse proxy and include simple example (Steven) #597363b3b71e99c] - doc: mark.envfiles support as stable (Santeri Hiltunen) #59925d37f67d1bd] - doc: remove optional title prefixes (Aviv Keller) #60087ca2dff63f9] - doc: fix typo on child_process.md (Angelo Gazzola) #601143fca564a05] - doc: add automated migration info to deprecations (Augustin Mauroy) #600224bc366fc16] - doc: use "WebAssembly" instead of "Web Assembly" (Tobias Nießen) #599544808dbdd9a] - doc: fix typo in section on microtask order (Tobias Nießen) #59932d6e303d645] - doc: update V8 fast API guidance (René) #589990a3a3f729e] - doc: add security escalation policy (Ulises Gascón) #598068fd669c70d] - doc: type improvement of filehttp.md(yusheng chen) #581899833dc6060] - doc: rephrase dynamic import() description (Nam Yooseong) #592242870a73681] - doc,crypto: update subtle.generateKey and subtle.importKey (Filip Skokan) #5985185818db93c] - fs,win: do not add a second trailing slash in readdir (Gerhard Stöbich) #59847bedaaa11fc] - (SEMVER-MINOR) http: support http proxy for fetch under NODE_USE_ENV_PROXY (Joyee Cheung) #57165af8b5fa29d] - (SEMVER-MINOR) http: add shouldUpgradeCallback to let servers control HTTP upgrades (Tim Perry) #59824758271ae66] - http: optimize checkIsHttpToken for short strings (방진혁) #5983242102594b1] - (SEMVER-MINOR) http,https: add built-in proxy support in http/https.request and Agent (Joyee Cheung) #58980a33ed9bf96] - inspector: ensure adequate memory allocation forBinary::toBase64(René) #5987034c686be2b] - lib: update inspect output format for subclasses (Miguel Marcondes Filho) #5968712e553529c] - lib: add source map support for assert messages (Chengzhong Wu) #59751d2a70571f8] - lib,src: refactor assert to load error source from memory (Chengzhong Wu) #5975120a9e86b5d] - meta: move Michael to emeritus (Michael Dawson) #60070c591cca15c] - meta: bump github/codeql-action from 3.30.0 to 3.30.5 (dependabot[bot]) #60089090ba141b1] - meta: bump codecov/codecov-action from 5.5.0 to 5.5.1 (dependabot[bot]) #60091a0ba6884a5] - meta: bump actions/stale from 9.1.0 to 10.0.0 (dependabot[bot]) #600920feca0c541] - meta: bump actions/setup-node from 4.4.0 to 5.0.0 (dependabot[bot]) #600937cd2b42d18] - meta: bump step-security/harden-runner from 2.12.2 to 2.13.1 (dependabot[bot]) #600941f3b9d66ac] - meta: bump actions/cache from 4.2.4 to 4.3.0 (dependabot[bot]) #600950fedbb3de7] - meta: bump ossf/scorecard-action from 2.4.2 to 2.4.3 (dependabot[bot]) #6009604590b8267] - meta: bump actions/setup-python from 5.6.0 to 6.0.0 (dependabot[bot]) #600902bf0a9318f] - meta: add .npmrc with ignore-scripts=true (Joyee Cheung) #59914e10dc7b81c] - module: allow overriding linked requests for a ModuleWrap (Chengzhong Wu) #595272237142369] - module: link module with a module request record (Chengzhong Wu) #588866d24b88fbc] - node-api: added SharedArrayBuffer api (Mert Can Altin) #590714cc84c96f4] - node-api: make napi_delete_reference use node_api_basic_env (Jeetu Suthar) #59684e790eb6b50] - repl: fix cpu overhead pasting big strings to the REPL (Ruben Bridgewater) #5985799ea08dc43] - repl: add isValidParentheses check before wrap input (Xuguang Mei) #59607e4a4f63019] - sqlite: fix crash session extension callbacks with workers (Bart Louwers) #5984842c5544b97] - src: assert memory calc for max-old-space-size-percentage (Asaf Federman) #59460686ac49b82] - (SEMVER-MINOR) src: add percentage support to --max-old-space-size (Asaf Federman) #5908284701ff668] - src: clear all linked module caches once instantiated (Chengzhong Wu) #591178e182e561f] - src: remove unnecessaryEnvironment::GetCurrent()calls (Moonki Choi) #59814c9cde35c4d] - src: simplify is_callable by making it a concept (Tobias Nießen) #58169892b425ee1] - src: rename private fields to follow naming convention (Moonki Choi) #5992336b68db7f5] - src: reduce the nearest parent package JSON cache size (Michael Smith) #5988826b40bad02] - src: replace FIXED_ONE_BYTE_STRING with Environment-cached strings (Moonki Choi) #5989134dcb7dc32] - src: create strings inFIXED_ONE_BYTE_STRINGas internalized (Anna Henningsen) #598264d748add05] - src: removestd::arrayoverload ofFIXED_ONE_BYTE_STRING(Anna Henningsen) #59826bb6fd7c2d1] - src: ensurev8::Eternalis empty before setting it (Anna Henningsen) #598257a91282bf9] - src: use simdjson::pad (0hm☘️) #59391ba00875f01] - stream: use new AsyncResource instead of bind (Matteo Collina) #59867ebec3ef68b] - (SEMVER-MINOR) test: move http proxy tests to test/client-proxy (Joyee Cheung) #589807067d79fb3] - test: mark sea tests flaky on macOS x64 (Richard Lau) #60068ca1942c9d5] - test: testcase demonstrating issue 59541 (Eric Rannaud) #59801660d57355e] - test,doc: skip --max-old-space-size-percentage on 32-bit platforms (Asaf Federman) #6014419a7b1ef26] - tls: load bundled and extra certificates off-thread (Joyee Cheung) #59856095e7a81fc] - tls: only do off-thread certificate loading on loading tls (Joyee Cheung) #59856c42c1204c7] - tools: fixtools/make-v8.shfor clang (Richard Lau) #59893b632a1d98d] - tools: skip test-internet workflow for draft PRs (Michaël Zasso) #598176021c3ac76] - tools: copyeditbuild-tarball.yml(Antoine du Hamel) #59808ef005d0c9b] - typings: update 'types' binding (René) #5969228ef564ecd] - typings: remove unused imports (Nam Yooseong) #59880f88752ddb6] - url: replaced slice with at (Mikhail) #5918124c224960c] - url: add type checking to urlToHttpOptions() (simon-id) #59753f2fbcc576d] - util: fix debuglog.enabled not being present with callback logger (Ruben Bridgewater) #598586277058e43] - vm: sync-ify SourceTextModule linkage (Chengzhong Wu) #590005bf21a4309] - vm: explain how to share promises between contexts w/ afterEvaluate (Eric Rannaud) #59801312b33a083] - vm: "afterEvaluate", evaluate() return a promise from the outer context (Eric Rannaud) #598011eadab863c] - win,tools: add description to signature (Martin Costello) #59877816e1befb1] - zlib: reduce code duplication (jhofstee) #57810Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Renovate Bot.
3116699065to580528afeachore(deps): update node.js to v22.21.0to chore(deps): update node.js to v22.21.1580528afeatoc94b142a54chore(deps): update node.js to v22.21.1to chore(deps): update node.js to v22.22.0c94b142a540d51cd4a9cchore(deps): update node.js to v22.22.0to chore(deps): update node.js to v22.22.10d51cd4a9cecee29ce0achore(deps): update node.js to v22.22.1to chore(deps): update node.js to v22.22.2ecee29ce0ac673b0ae7cchore(deps): update node.js to v22.22.2to chore(deps): update node.js to v22.22.3