2026-03-03, Version 25.8.0 (Current) #62073
Open
github-actions[bot] wants to merge 55 commits into v25.x from
When investigating a memory leak in one of our applications, we discovered that this listener holds on to a `REPLServer` instance and all heap objects transitively kept alive by it by capturing as part of its closure. It's cleaner to declare the listener outside of the `REPLServer` class and to actually clean it up properly when it is no longer required or meaningful, which is easily achieved through keeping a reference count.
PR-URL: #61895
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Bumps [actions/stale](https://github.com/actions/stale) from 10.1.1 to 10.2.0.
- [Release notes](https://github.com/actions/stale/releases)
- [Changelog](https://github.com/actions/stale/blob/main/CHANGELOG.md)
- [Commits](actions/stale@9971854...b5d41d4)
---
updated-dependencies:
- dependency-name: actions/stale
  dependency-version: 10.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <[email protected]>
PR-URL: #61908
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.14.1 to 2.14.2.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](step-security/harden-runner@e3f713f...5ef0c07)
---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.14.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
PR-URL: #61909
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.0 to 4.32.4.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](github/codeql-action@b20883b...89a39a4)
---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.32.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <[email protected]>
PR-URL: #61911
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Gürgün Dayıoğlu <[email protected]>
PR-URL: #61944 Refs: #61903 Reviewed-By: René <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Ulises Gascón <[email protected]>
PR-URL: #61942 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Daeyeon Jeong <[email protected]>
PR-URL: #61830 Reviewed-By: Antoine du Hamel <[email protected]> Reviewed-By: Moshe Atlow <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Ulises Gascón <[email protected]> Reviewed-By: Richard Lau <[email protected]>
PR-URL: #61833 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Chemi Atlow <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #61864 Refs: #61449 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Stefan Stojanovic <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]>
This function can return null, which will make the calls to BIO_meth_set_* trigger a null deref. Even after fixing this, there is an issue with the `BIOPointer::New(GetMethod())` call in `NodeBIO::New` because the `New` method cannot handle a null pointer despite other code already guarding for this (e.g. the `NodeBIO::New` function already checks `bio`). This patch solves the issues by adding more null checks.
PR-URL: #61788
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
Replace native methods with primordials.
PR-URL: #61219
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Chemi Atlow <[email protected]>
Reviewed-By: Jordan Harband <[email protected]>
Reviewed-By: Pietro Marchini <[email protected]>
Reviewed-By: Moshe Atlow <[email protected]>
This adds support for identifying which worker is running a test file when tests execute concurrently, similar to JEST_WORKER_ID in Jest, VITEST_POOL_ID in Vitest, and MOCHA_WORKER_ID in Mocha. When running with --test-isolation=process (default), each test file runs in a separate child process and receives a unique worker ID from 1 to N. When running with --test-isolation=none, all tests run in the same process and the worker ID is always 1. This enables users to allocate separate resources (databases, ports, etc.) for each test worker to avoid conflicts during concurrent execution.
Changes:
- Add WorkerIdPool class to manage worker ID allocation and reuse
- Set NODE_TEST_WORKER_ID environment variable for child processes
- Add context.workerId getter to TestContext class
- Add tests for worker ID functionality
- Add documentation for context.workerId
Fixes: #55842
PR-URL: #61394
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Pietro Marchini <[email protected]>
Reviewed-By: Jacob Smith <[email protected]>
Signed-off-by: marcopiraccini <[email protected]> PR-URL: #61836 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Paolo Insogna <[email protected]> Reviewed-By: Matteo Collina <[email protected]>
PR-URL: #61925 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #61928 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #61930 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Rafael Gonzaga <[email protected]>
The assignment to `bptr` calls `BIO_get_mem_ptr` which can fail and leave the `bptr` as nullptr. This then later causes a null pointer deref. This is inconsistent with uses of the similar function `BIO_get_mem_data` that do check its return value, e.g. `node::crypto::X509sToArrayOfStrings()`. Solve it by checking for a null pointer and handling the `Nothing` return value at the call sites.
PR-URL: #61885
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: #61986 Reviewed-By: Ulises Gascón <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Ilyas Shabi <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
Add a C++ API for diagnostics channels that allows native code to check for subscribers and publish messages without unnecessary JS boundary crossings. Uses a shared AliasedUint32Array buffer between C++ and JS to track subscriber counts per channel, enabling a fast inline check (HasSubscribers) that reads the buffer directly.
PR-URL: #61869
Reviewed-By: Stephen Belanger <[email protected]>
Add --permission-audit flag that enables the permission model in warning-only mode. Instead of throwing ERR_ACCESS_DENIED, it emits a message via diagnostics channel and allows the operation to continue. Publish permission check results to per-scope diagnostics channels (e.g., node:permission-model:fs) so users can observe permission decisions at runtime via diagnostics_channel.
Refs: #59935
PR-URL: #61869
Reviewed-By: Stephen Belanger <[email protected]>
The WHATWG Streams spec requires that pipeTo's chunk handling must queue a microtask before calling the write algorithm. This ensures that enqueue() does not synchronously trigger writes. Previously, PipeToReadableStreamReadRequest[kChunk] would synchronously call writableStreamDefaultWriterWrite(), which violated the spec and caused the WPT test "enqueue() must not synchronously call write algorithm" to fail. Fix by wrapping the write operation in queueMicrotask(), which defers it to the next microtask as required by the spec.
Refs: whatwg/streams#1243
PR-URL: #61800
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Mattias Buelens <[email protected]>
This change exposes the expectFailure message in the test runner and adds edge cases for expectFailure ambiguity.
PR-URL: #61563
Fixes: #61570
Reviewed-By: Jordan Harband <[email protected]>
Reviewed-By: Aviv Keller <[email protected]>
Reviewed-By: Jacob Smith <[email protected]>
Not checking this can cause a null deref. Since there is already a null check at the bottom of the function with `NewRSA()`.
PR-URL: #61888
Reviewed-By: Anna Henningsen <[email protected]>
Signed-off-by: Igor <[email protected]> PR-URL: #61525 Fixes: #61462 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Chemi Atlow <[email protected]> Reviewed-By: Moshe Atlow <[email protected]> Reviewed-By: Pietro Marchini <[email protected]> Reviewed-By: Jacob Smith <[email protected]>
PR-URL: #61974 Refs: #38161 Reviewed-By: Kohei Ueno <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Gürgün Dayıoğlu <[email protected]>
Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.1.2 to 3.1.3.
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.1.2...v3.1.3)
---
updated-dependencies:
- dependency-name: minimatch
  dependency-version: 3.1.3
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>
PR-URL: #61976
Reviewed-By: Moshe Atlow <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #61773 Refs: #61762 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
As specified in WebIDL (<https://webidl.spec.whatwg.org/#js-dictionary>), the fields of a dictionary need to be read in lexicographical order.
PR-URL: #61980
Reviewed-By: Jason Zhang <[email protected]>
Reviewed-By: Mattias Buelens <[email protected]>
Reviewed-By: René <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
`parallel/test-strace-openat-openssl` was added to check explicitly
for a list of known files that would be opened for a set workload
(`require("crypto")`). This is not reliable when Node.js is linked
to an external/shared OpenSSL library (e.g. it might be configured
to load configuration files from a different default location and/or
load more than one configuration file) so skip this test when Node.js
is built in that way.
PR-URL: #61987
Fixes: #61966
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
PR-URL: #62035 Reviewed-By: Matthew Aitken <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Richard Lau <[email protected]>
PR-URL: #62038 Refs: #61987 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Gürgün Dayıoğlu <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #61984 Reviewed-By: Yagiz Nizipli <[email protected]> Reviewed-By: Chengzhong Wu <[email protected]> Reviewed-By: Colin Ihrig <[email protected]>
Signed-off-by: Weixie Cui <[email protected]> PR-URL: #61948 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>
Add validateHeaderName/validateHeaderValue checks for non-link headers and checkInvalidHeaderChar for the Link value in HTTP/1.1 writeEarlyHints, closing a CRLF injection gap where header names and values were concatenated into the raw response without validation. Also tighten linkValueRegExp to reject CR/LF inside the <...> URL portion of Link header values.
PR-URL: #61897
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Tim Perry <[email protected]>
nodejs-github-bot added a commit that referenced this pull request Mar 2, 2026
Notable changes:
build, doc:
  * use new api doc tooling (flakey5) #57343
sqlite:
  * (SEMVER-MINOR) add limits property to DatabaseSync (Mert Can Altin) #61298
src:
  * (SEMVER-MINOR) add C++ support for diagnostics channels (RafaelGSS) #61869
src,permission:
  * (SEMVER-MINOR) add --permission-audit (RafaelGSS) #61869
test_runner:
  * (SEMVER-MINOR) expose worker ID for concurrent test execution (Ali Hassan) #61394
PR-URL: #62073
richardlau approved these changes Mar 2, 2026
Codecov Report
✅ All modified and coverable lines are covered by tests.
@@ Coverage Diff @@
## v25.x #62073 +/- ##
==========================================
+ Coverage 88.84% 89.67% +0.82%
==========================================
Files 680 682 +2
Lines 205455 206149 +694
Branches 39303 39535 +232
==========================================
+ Hits 182543 184860 +2317
+ Misses 15092 13437 -1655
- Partials 7820 7852 +32
PR-URL: #61972 Reviewed-By: Matteo Collina <[email protected]> Reviewed-By: Juan José Arboleda <[email protected]> Reviewed-By: Marco Ippolito <[email protected]>
Previously, require.resolve() called Module._resolveFilename() directly, bypassing any resolve hooks registered via module.registerHooks(). This patch fixes that.
PR-URL: #62028
Reviewed-By: Geoffrey Booth <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
The `path` property on `ClientRequest` was only validated at construction time. Add a getter/setter so that the same `INVALID_PATH_REGEX` check runs whenever `req.path` is reassigned, preventing invalid characters from reaching `_implicitHeader()`.
PR-URL: #62030
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Tim Perry <[email protected]>
PR-URL: #62077 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Stewart X Addison <[email protected]>
fc4ec2e to ae94abf
richardlau approved these changes Mar 2, 2026
2026-03-03, Version 25.8.0 (Current), @richardlau
Notable Changes
* [e55eddea2a] - build, doc: use new api doc tooling (flakey5) #57343
* [4c181e2277] - (SEMVER-MINOR) sqlite: add limits property to DatabaseSync (Mert Can Altin) #61298
* [46ee1eddd7] - (SEMVER-MINOR) src: add C++ support for diagnostics channels (RafaelGSS) #61869
* [9ddd1a9c27] - (SEMVER-MINOR) src,permission: add --permission-audit (RafaelGSS) #61869
* [0d97ec4044] - (SEMVER-MINOR) test_runner: expose worker ID for concurrent test execution (Ali Hassan) #61394
Commits
* [940b58c8c1] - buffer: optimize buffer.concat performance (Mert Can Altin) #61721
* [0589b0e5a1] - build: fix GN for new merve dep (Shelley Vohr) #61984
* [f3d3968dcd] - Revert "build: add temporal test on GHA windows" (Antoine du Hamel) #61810
* [e55eddea2a] - build, doc: use new api doc tooling (flakey5) #57343
* [b7715292f8] - child_process: add tracing channel for spawn (Marco) #61836
* [a32a598748] - crypto: fix missing nullptr check on RSA_new() (ndossche) #61888
* [dc384f95b3] - crypto: fix handling of null BUF_MEM* in ToV8Value() (Nora Dossche) #61885
* [3337b095db] - crypto: fix potential null pointer dereference when BIO_meth_new() fails (Nora Dossche) #61788
* [51ded81139] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #62035
* [8aa2fde931] - deps: update minimatch to 10.2.4 (Node.js GitHub Bot) #62016
* [57dc092eaf] - deps: upgrade npm to 11.11.0 (npm team) #61994
* [705bbd60a9] - deps: update simdjson to 4.3.1 (Node.js GitHub Bot) #61930
* [4d411d72e5] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #61928
* [f53a32ab84] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #61925
* [9b483fbb27] - deps: update minimatch to 10.2.2 (Node.js GitHub Bot) #61830
* [bdc18940ad] - doc: expand SECURITY.md with non-vulnerability examples (Rafael Gonzaga) #61972
* [4e54c103cb] - doc: separate in-types and out-types in SQLite conversion docs (René) #62034
* [ca78ebbeaa] - doc: fix small logic error in DETECT_MODULE_SYNTAX (René) #62025
* [e6b131f3fe] - doc: fix module.stripTypeScriptTypes indentation (René) #61992
* [7508540e19] - doc: update DEP0040 (punycode) to application type deprecation (Mike McCready) #61916
* [33a364cb62] - doc: explicitly mention Slack handle (Rafael Gonzaga) #61986
* [46a61922bd] - doc: support toolchain Visual Studio 2022 & 2026 + Windows 11 SDK (Mike McCready) #61864
* [dc12a257aa] - doc: rename invalidfunctionparameter (René) #61942
* [6259abcf55] - http: validate ClientRequest path on set (Matteo Collina) #62030
* [dafdc0a5b8] - http: validate headers in writeEarlyHints (Richard Clarke) #61897
* [3c94b56fa6] - inspector: unwrap internal/debugger/inspect imports (René) #61974
* [8a24c17648] - lib: improve argument handling in Blob constructor (Ms2ger) #61980
* [21d4baf256] - meta: bump github/codeql-action from 4.32.0 to 4.32.4 (dependabot[bot]) #61911
* [59a726a8e3] - meta: bump step-security/harden-runner from 2.14.1 to 2.14.2 (dependabot[bot]) #61909
* [0072b7f991] - meta: bump actions/stale from 10.1.1 to 10.2.0 (dependabot[bot]) #61908
* [3d160cd049] - module: run require.resolve through module.registerHooks() (Joyee Cheung) #62028
* [999bf22f47] - repl: keep reference count for `process.on('newListener')` (Anna Henningsen) #61895
* [4c181e2277] - (SEMVER-MINOR) sqlite: add limits property to DatabaseSync (Mert Can Altin) #61298
* [aee2a18257] - src: fix flags argument offset in JSUdpWrap (Weixie Cui) #61948
* [46ee1eddd7] - (SEMVER-MINOR) src: add C++ support for diagnostics channels (RafaelGSS) #61869
* [9ddd1a9c27] - (SEMVER-MINOR) src,permission: add --permission-audit (RafaelGSS) #61869
* [ea2df2a16f] - stream: fix pipeTo to defer writes per WHATWG spec (Matteo Collina) #61800
* [aa0c7b09e0] - test: remove unnecessary `process.exit` calls from test files (Antoine du Hamel) #62020
* [ad96a6578f] - test: skip `test-url` on `--shared-ada` builds (Antoine du Hamel) #62019
* [7c72a31e4b] - test: skip strace test with shared openssl (Richard Lau) #61987
* [604456c163] - test: avoid flaky debugger restart waits (Yuya Inoue) #61773
* [4890d6bd43] - test_runner: run afterEach on runtime skip (Igor Shevelenkov) #61525
* [fce2930110] - test_runner: expose expectFailure message (sangwook) #61563
* [0d97ec4044] - (SEMVER-MINOR) test_runner: expose worker ID for concurrent test execution (Ali Hassan) #61394
* [243e6b2009] - test_runner: replace native methods with primordials (Ayoub Mabrouk) #61219
* [bf1ed7e647] - tls: forward keepAlive, keepAliveInitialDelay, noDelay to socket (Sergey Zelenov) #62004
* [746d0cebbf] - tools: fix parsing of commit trailers in `lint-release-proposal` GHA (Antoine du Hamel) #62077
* [0f15079d94] - tools: remove custom logic for skipping `test-strace-openat-openssl` (Antoine du Hamel) #62038
* [54a055a59d] - tools: bump minimatch from 3.1.2 to 3.1.3 in `/tools/clang-format` (dependabot[bot]) #61977
* [a28744cb62] - tools: fix permissions for merve update script (Richard Lau) #62023
* [31e7936354] - tools: revert tools GHA workflow to ubuntu-latest (Richard Lau) #62024
* [0a96a16e1f] - tools: bump minimatch from 3.1.2 to 3.1.3 in /tools/eslint (dependabot[bot]) #61976
* [f279233412] - tools: roll back to x86 runner on `scorecard.yml` (Antoine du Hamel) #61944
* [192c0382f4] - util: add fast path to stripVTControlCharacters (Hiroki Osame) #61833