Releases: nodejs/node
Releases Β· nodejs/node
2026-02-03, Version 25.6.0 (Current), @aduh95
Notable Changes
- [
796ff46ae6] - (SEMVER-MINOR) async_hooks: addtrackPromisesoption tocreateHook()(Joyee Cheung) #61415 - [
4cf94fae17] - (SEMVER-MINOR) net: addsetTOSandgetTOStoSocket(Amol Yadav) #61503 - [
dce657071e] - (SEMVER-MINOR) src: add initial support for ESM in embedder API (Joyee Cheung) #61548 - [
e62608bbcf] - src: improveTextEncoderencode performance withsimdutf(Mert Can Altin) #61496 - [
93938a4738] - (SEMVER-MINOR) stream: addbytes()method tonode:stream/consumers(wantaek) #60426 - [
5fe2582329] - (SEMVER-MINOR) test_runner: addenvoption torunfunction (Ethan Arrowood) #61367 - [
a181d0c43d] - url: update Ada to v3.4.2 and support Unicode 17 (Yagiz Nizipli) #61593
Commits
- [
9c8d1b0278] - assert: fix loose deepEqual arrays with undefined and null failing (Ruben Bridgewater) #61587 - [
796ff46ae6] - (SEMVER-MINOR) async_hooks: add trackPromises option to createHook() (Joyee Cheung) #61415 - [
d23ee89693] - benchmark: add streaming TextDecoder benchmark (Π‘ΠΊΠΎΠ²ΠΎΡΠΎΠ΄Π° ΠΠΈΠΊΠΈΡΠ° ΠΠ½Π΄ΡΠ΅Π΅Π²ΠΈΡ) #61549 - [
8759db9d21] - buffer: disallow ArrayBuffer transfer on pooled buffer (Chengzhong Wu) #61372 - [
b2fb82946b] - build: add--shared-liefconfigure flag (Antoine du Hamel) #61536 - [
0ef99de9da] - build: aix: deoptimize implementation-visitor.cc with --shared (Stewart X Addison) #61550 - [
8f2083e73a] - build: enable -DV8_ENABLE_CHECKS flag (Ryuhei Shima) #61327 - [
150910da70] - build,test: add tests for binary linked with shared libnode (Joyee Cheung) #61463 - [
fb7868ba98] - build,win: fix vs2022 compilation (Stefan Stojanovic) #61530 - [
2c39a9234c] - deps: update undici to 7.19.2 (Node.js GitHub Bot) #61566 - [
2a74379367] - deps: update archs files for openssl-3.5.5 (Node.js GitHub Bot) #61547 - [
9e26a15c29] - deps: upgrade openssl sources to openssl-3.5.5 (Node.js GitHub Bot) #61547 - [
f16b532e97] - deps: update corepack to 0.34.6 (Node.js GitHub Bot) #61510 - [
780e65c5c5] - deps: V8: cherry-pick c5ff7c4d6cde (Chengzhong Wu) #61372 - [
2eb8e9d760] - deps: update nghttp3 to 1.15.0 (Node.js GitHub Bot) #61512 - [
a999edd8fd] - deps: update ngtcp2 to 1.20.0 (Node.js GitHub Bot) #61511 - [
eedd3bb6b6] - deps: update undici to 7.19.1 (Node.js GitHub Bot) #61514 - [
7d2bd59984] - deps: update undici to 7.19.0 (Node.js GitHub Bot) #61470 - [
3ad4d9b11b] - doc: align Buffer.concat documentation with behavior (GΓΌrgΓΌn DayΔ±oΔlu) #60405 - [
7e3eab5963] - doc: fix node-config-schema (Π‘ΠΊΠΎΠ²ΠΎΡΠΎΠ΄Π° ΠΠΈΠΊΠΈΡΠ° ΠΠ½Π΄ΡΠ΅Π΅Π²ΠΈΡ) #61596 - [
cbcfaf9a35] - doc: update IBM/Red Hat volunteers with dedicated project time (Beth Griggs) #61588 - [
3d68811d1a] - doc: regeneratenode.1usingdoc-kit(Aviv Keller) #61535 - [
71702c581a] - doc: restore @ChALkeR to collaborators (Π‘ΠΊΠΎΠ²ΠΎΡΠΎΠ΄Π° ΠΠΈΠΊΠΈΡΠ° ΠΠ½Π΄ΡΠ΅Π΅Π²ΠΈΡ) #61553 - [
0ceb8cad59] - doc: addedrequestOCSPoption totls.connect(ikeyan) #61064 - [
da93e2178c] - doc: move Security-Team from TSC to SECURITY (Rafael Gonzaga) #61495 - [
4bea821b4c] - lib: use utf8 fast path for streaming TextDecoder (Π‘ΠΊΠΎΠ²ΠΎΡΠΎΠ΄Π° ΠΠΈΠΊΠΈΡΠ° ΠΠ½Π΄ΡΠ΅Π΅Π²ΠΈΡ) #61549 - [
f05bad91d8] - lib: recycle queues (Robert Nagy) #61461 - [
44b1927938] - lib: use StringPrototypeStartsWith from primordials in locks (Taejin Kim) #61492 - [
a78259828a] - lib: unify ICU and no-ICU TextDecoder (Π‘ΠΊΠΎΠ²ΠΎΡΠΎΠ΄Π° ΠΠΈΠΊΠΈΡΠ° ΠΠ½Π΄ΡΠ΅Π΅Π²ΠΈΡ) #61409 - [
a28ddd4594] - module: do not wrap module._load when tracing is not enabled (Joyee Cheung) #61479 - [
4cf94fae17] - (SEMVER-MINOR) net: addsetTOSandgetTOStoSocket(Amol Yadav) #61503 - [
b861451d57] - process: do not truncate long strings in--print(Mohamed Akram) #61497 - [
4a2e184753] - sea: print error information when fs operations fail (Joyee Cheung) #61581 - [
45d25c47da] - sqlite: change approach to fix segfault SQLTagStore (Bart Louwers) #60462 - [
6993386320] - sqlite: reserve vectors space (Guilherme AraΓΊjo) #61540 - [
dce657071e] - (SEMVER-MINOR) src: add initial support for ESM in embedder API (Joyee Cheung) #61548 - [
e62608bbcf] - src: improve textEncoder encode performance with simdutf (Mert Can Altin) #61496 - [
0fce52d22c] - src: expose help texts into node-config-schema.json (Pietro Marchini) #58680 - [
be644e2569] - src: throw RangeError on failed ArrayBuffer BackingStore allocation (Chengzhong Wu) #61480 - [
93938a4738] - (SEMVER-MINOR) stream: add bytes() method to stream/consumers (wantaek) #60426 - [
83b2bf8ea2] - test: split test-fs-watch-ignore-* (Luigi Pinca) #61494 - [
4726627443] - test: aix: unflake test_threadsafe_function/test flaky on AIX (Stewart X Addison) #61560 - [
6fbb0b7572] - test: delay writing the files only on macOS (Luigi Pinca) #61532 - [
0a952b88bb] - test: ensure removeListener event fires for once() listeners (sangwook) [#60137](https://git...
Contributors
ChALkeR
Assets 2
2026-01-26, Version 25.5.0 (Current), @aduh95
Notable Changes
- [
99a4e51f93] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419 - [
fbe4da5725] - (SEMVER-MINOR) deps: add LIEF as a dependency (Joyee Cheung) #61167 - [
0feab0f083] - (SEMVER-MINOR) deps: add tools and scripts to pull LIEF as a dependency (Joyee Cheung) #61167 - [
e91b296001] - (SEMVER-MINOR) fs: add ignore option to fs.watch (Matteo Collina) #61433 - [
b351910af1] - (SEMVER-MINOR) sea: add--build-seato generate SEA directly with Node.js binary (Joyee Cheung) #61167 - [
957292e233] - (SEMVER-MINOR) sea: split sea binary manipulation code (Joyee Cheung) #61167 - [
f289817ff8] - (SEMVER-MINOR) sqlite: enable defensive mode by default (Bart Louwers) #61266 - [
069f3603e2] - (SEMVER-MINOR) sqlite: add sqlite prepare options args (Guilherme AraΓΊjo) #61311 - [
5a984b9a09] - src: use node- prefix on thread names (Stewart X Addison) #61307 - [
75c06bc2a8] - (SEMVER-MINOR) test: migrate to--build-seain existing SEA tests (Joyee Cheung) #61167 - [
cabd58f1cb] - (SEMVER-MINOR) test: use fixture directories for sea tests (Joyee Cheung) #61167 - [
ff1fcabfc9] - (SEMVER-MINOR) test_runner: support expecting a test-case to fail (Jacob Smith) #60669
Commits
- [
778a56f3c9] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #61388 - [
32cd18e37f] - async_hooks: enabledHooksExist shall return if hooks are enabled (Gerhard StΓΆbich) #61054 - [
482b2568bc] - benchmark: add SQLite benchmarks (Guilherme AraΓΊjo) #61401 - [
e9a34263bb] - buffer: make methods work on Uint8Array instances (Neal Beeken) #56578 - [
8255cdefcf] - build: add--shared-nbytesconfigure flag (Antoine du Hamel) #61341 - [
8dd379d110] - build: update android-patches/trap-handler.h.patch (Mo Luo) #60369 - [
1b4b5eb0e4] - build: update devcontainer.json to use paired nix env (Joyee Cheung) #61414 - [
86e2a763ad] - build: infer cargo mode with gyp var build_type directly (Chengzhong Wu) #61354 - [
7e211e6942] - build: add embedtest into native suite (Joyee Cheung) #61357 - [
637470e79f] - build: fix misplaced comma in ldflags (hqzing) #61294 - [
a1a0f77a45] - build: fix crate vendor file checksums on windows (Chengzhong Wu) #61329 - [
d597b8e342] - build,tools: fix addon build deadlock on errors (Vladimir Morozov) #61321 - [
b5cdc27ba4] - build,win: improve logs when ClangCL is missing (Mike McCready) #61438 - [
ef01f0c033] - build,win: update WinGet configurations to Python 3.14 (Mike McCready) #61431 - [
d8a1cdeefe] - child_process: treat ipc length header as unsigned uint32 (Ryuhei Shima) #61344 - [
588b00fafa] - cluster: fix port reuse between cluster (Ryuhei Shima) #60141 - [
99a4e51f93] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419 - [
048f7a5c9c] - deps: upgrade npm to 11.8.0 (npm team) #61466 - [
fbe4da5725] - (SEMVER-MINOR) deps: add LIEF as a dependency (Joyee Cheung) #61167 - [
0feab0f083] - (SEMVER-MINOR) deps: add tools and scripts to pull LIEF as a dependency (Joyee Cheung) #61167 - [
4bb00d7e3c] - deps: update googletest to 85087857ad10bd407cd6ed2f52f7ea9752db621f (Node.js GitHub Bot) #61417 - [
6a3c614f27] - deps: update sqlite to 3.51.2 (Node.js GitHub Bot) #61339 - [
13c0397d6d] - deps: update icu to 78.2 (Node.js GitHub Bot) #60523 - [
098ec6f196] - deps: update ada to v3.4.0 (Yagiz Nizipli) #61315 - [
320b576125] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #61135 - [
98f5e7cf51] - deps: V8: cherry-pick highway@dcc0ca1cd42 (Richard Lau) #61008 - [
e326df79c9] - deps: V8: backport 209d2db9e24a (Zhijin Zeng) #61322 - [
ccfd9d9b30] - doc: removevprefix for version references (Mike McCready) #61488 - [
b6cc5d77a1] - doc: mention constructor comparison in assert.deepStrictEqual (Hamza Kargin) #60253 - [
236d7ee635] - doc: add CVE delay mention (Rafael Gonzaga) #61465 - [
0729fb6ee7] - doc: update previous version links in BUILDING (Mike McCready) #61457 - [
0fb464252f] - doc: include OpenJSF handle for security stewards (Rafael Gonzaga) #61454 - [
3331bdca7c] - doc: clarify process.argv[1] behavior for -e/--eval (Jeevankumar S) #61366 - [
94b34c38e2] - doc: remove Windows Dev Home instructions from BUILDING (Mike McCready) #61434 - [
a17016ee81] - doc: clarify TypedArray properties on Buffer (Roman Reiss) #61355 - [
214fac9d7e] - doc: update Python 3.14 manual install instructions (Windows) (Mike McCready) #61428 - [
6a32a685a6] - doc: note resume build should not be done on node-test-commit (Stewart X Addison) #61373 - [
2a8e8dfaf3] - doc: refine WebAssembly error documentation (sangwook) #61382 - [
f3caf27f8b] - doc: add deprecation history for url.parse (Eng Zer Jun) #61389 - [[`5ab80578...
Contributors
watilde
Assets 2
2026-01-19, Version 25.4.0 (Current), @RafaelGSS
Notable Changes
- [
8f6fada8f1] - cli: add --require-module/--no-require-module (Joyee Cheung) #60959 - [
bf8e738df4] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #60956 - [
7930d7a19b] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741 - [
44f61dfb92] - doc: add @avivkeller to collaborators (Aviv Keller) #61115 - [
45903ee884] - doc: add gurgunday to collaborators (GΓΌrgΓΌn DayΔ±oΔlu) #61094 - [
77faa14d99] - doc: mark --build-snapshot and --build-snapshot-config as stable (Joyee Cheung) #60954 - [
aefbe4ba47] - (SEMVER-MINOR) events: repurposeevents.listenerCount()to accept EventTargets (RenΓ©) #60214 - [
8470e2993b] - (SEMVER-MINOR) http: add http.setGlobalProxyFromEnv() (Joyee Cheung) #60953 - [
24384d7438] - meta: add Renegade334 to collaborators (Renegade334) #60714 - [
c1acef6d0f] - module: mark require(esm) as stable (Joyee Cheung) #60959 - [
2e39f3ed6b] - module: mark module compile cache as stable (Joyee Cheung) #60971 - [
e6a05cfb4f] - (SEMVER-MINOR) module: allow subpath imports that start with#/(Jan Martin) #60864 - [
fa927c31da] - (SEMVER-MINOR) process: preserve AsyncLocalStorage in queueMicrotask only when needed (GΓΌrgΓΌn DayΔ±oΔlu) #60913 - [
bd0942f4f5] - (SEMVER-MINOR) stream: do not passreadable.compose()output viaReadable.from()(RenΓ©) #60907 - [
5051d90100] - (SEMVER-MINOR) util: add convertProcessSignalToExitCode utility (Erick Wendel) #60963 - [
408f024906] - v8: mark v8.queryObjects() as stable (Joyee Cheung) #60957
Commits
- [
e61cfdbf50] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #61076 - [
11861084fd] - assert,util: improve comparison performance (Ruben Bridgewater) #61176 - [
4ef4f759cb] - assert,util: fix deep comparing invalid dates skipping properties (Ruben Bridgewater) #61076 - [
c8fccd585f] - assert,util: improve deep comparison performance (Ruben Bridgewater) #61076 - [
13661a0123] - benchmark: use boolean options in benchmark tests (SeokhunEom) #60129 - [
36dead3433] - benchmark: allow boolean option values (SeokhunEom) #60129 - [
376056eaef] - benchmark: add microbench on isInsideNodeModules (Chengzhong Wu) #60991 - [
22d3e85b7a] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #60841 - [
5016f75522] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #60663 - [
012a08f6eb] - buffer: let Buffer.of use heap (Π‘ΠΊΠΎΠ²ΠΎΡΠΎΠ΄Π° ΠΠΈΠΊΠΈΡΠ° ΠΠ½Π΄ΡΠ΅Π΅Π²ΠΈΡ) #60503 - [
65696e42ba] - build: add--shared-hdr-histogramconfigure flag (Antoine du Hamel) #61280 - [
6155b8836e] - build: add--shared-gtestconfigure flag (Antoine du Hamel) #61279 - [
e80127f49c] - build: expose libplatform symbols in shared libnode (Joyee Cheung) #61144 - [
d99805049e] - build: fix inconsistent quoting inMakefile(Antoine du Hamel) #60511 - [
3213de08e8] - build: support building crates (temporal) on windows (ζ²ιΈΏι£) #61163 - [
1ad8788391] - build: remove temporal updater (Chengzhong Wu) #61151 - [
e6e25d65be] - build: add --debug-symbols to build with -g without enabling DCHECKs (Joyee Cheung) #61100 - [
7040ec94c8] - build: update test-wpt-report to use NODE instead of OUT_NODE (Filip Skokan) #61024 - [
990da3518d] - build: skip build-ci on actions with a separate test step (Chengzhong Wu) #61073 - [
3259e395c9] - build: run embedtest with node_g when BUILDTYPE=Debug (Chengzhong Wu) #60850 - [
af42ca569f] - build: ignore built-in temporal when building with shared lib (Chengzhong Wu) #60703 - [
bec7fce07a] - build: add temporal_capi gyp (Chengzhong Wu) #60703 - [
d2f50047f7] - build: fix OpenSSL version parsing for OpenSSL < 3 (Richard Lau) #60775 - [
91b20c52df] - build: add flag to compile V8 with Temporal support (Antoine du Hamel) #60701 - [
0aaed248f0] - build: add support for Visual Studio 2026 (MichaΓ«l Zasso) #60727 - [
8f6fada8f1] - cli: add --require-module/--no-require-module (Joyee Cheung) #60959 - [
bf8e738df4] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #60956 - [
7930d7a19b] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741 - [
1b15453602] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #61271 - [
118fa97c95] - deps: update nbytes to 0.1.2 (Node.js GitHub Bot) #61270 - [
9b136db814] - deps: update ngtcp2 to 1.19.0 (Node.js GitHub Bot) #61156 - [
5635f23a50] - deps: update nghttp3 to 1.14.0 (Node.js GitHub Bot) #61187 - [
9ec35c0977] - deps: update nghttp3 to 1.13.1 (Node.js GitHub Bot) #60046 - [
4d7d37f701] - deps: update timezone to 2025c (Node.js GitHub Bot) #61138 - [
2c1e3ab19d] - deps: nghttp2: revert 7784fa979d0b (Antoine du Hamel) #61136 - [[
56a6513648](56a651364...
Contributors
avivkeller
Assets 2
2026-01-13, Version 25.3.0 (Current), @RafaelGSS
This is a security release.
Notable Changes
lib:
- (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#750
permission: - (CVE-2026-21636) add network check on pipe_wrap connect (RafaelGSS) nodejs-private/node-private#784
- (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
- (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
src: - (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
src,lib: - (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Π‘ΠΊΠΎΠ²ΠΎΡΠΎΠ΄Π° ΠΠΈΠΊΠΈΡΠ° ΠΠ½Π΄ΡΠ΅Π΅Π²ΠΈΡ) nodejs-private/node-private#759
tls: - (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#790
Commits
- [
a6a74b89a7] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #60997 - [
5100614e26] - deps: update undici to 7.18.2 (Node.js GitHub Bot) #61283 - [
f0a8916887] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#750 - [
b4b887c5f7] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748 - [
26be208039] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760 - [
bdf5873d44] - (CVE-2026-21636) permission: add network check on pipe_wrap connect (RafaelGSS) nodejs-private/node-private#784 - [
0578e3e921] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773 - [
4d6b55a6d1] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Π‘ΠΊΠΎΠ²ΠΎΡΠΎΠ΄Π° ΠΠΈΠΊΠΈΡΠ° ΠΠ½Π΄ΡΠ΅Π΅Π²ΠΈΡ) nodejs-private/node-private#759 - [
c357a39e14] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#790
2026-01-13, Version 24.13.0 'Krypton' (LTS), @marco-ippolito
v24.13.0
This tag was signed with the committerβs verified signature.
This is a security release.
Notable Changes
lib:
- (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
- (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
lib,permission: - (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
src: - (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
src,lib: - (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Π‘ΠΊΠΎΠ²ΠΎΡΠΎΠ΄Π° ΠΠΈΠΊΠΈΡΠ° ΠΠ½Π΄ΡΠ΅Π΅Π²ΠΈΡ) nodejs-private/node-private#759
tls: - (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796
Commits
- [
2092785d01] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #60997 - [
3e58b7f2af] - deps: update undici to 7.18.2 (Node.js GitHub Bot) #61283 - [
4ba536a5a6] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797 - [
89adaa21fd] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748 - [
7302b4dae1] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760 - [
ac030753c4] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773 - [
20075692fe] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Π‘ΠΊΠΎΠ²ΠΎΡΠΎΠ΄Π° ΠΠΈΠΊΠΈΡΠ° ΠΠ½Π΄ΡΠ΅Π΅Π²ΠΈΡ) nodejs-private/node-private#759 - [
20591b0618] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796
2026-01-13, Version 22.22.0 'Jod' (LTS), @marco-ippolito
v22.22.0
This tag was signed with the committerβs verified signature.
This is a security release.
Notable Changes
lib:
- (CVE-2025-59465) add TLSSocket default error handler
- (CVE-2025-55132) disable futimes when permission model is enabled
lib,permission: - (CVE-2025-55130) require full read and write to symlink APIs
src: - (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks
src,lib: - (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle
tls: - (CVE-2026-21637) route callback exceptions through error handlers
Commits
- [
6badf4e6f4] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #60997 - [
37509c3ff0] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#791 - [
eb8e41f8db] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797 - [
ebbf942a83] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748 - [
6b4849583a] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760 - [
ddadc31f09] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773 - [
d4d9f3915f] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Π‘ΠΊΠΎΠ²ΠΎΡΠΎΠ΄Π° ΠΠΈΠΊΠΈΡΠ° ΠΠ½Π΄ΡΠ΅Π΅Π²ΠΈΡ) nodejs-private/node-private#759 - [
25d6799df6] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796
2026-01-13, Version 20.20.0 'Iron' (LTS), @marco-ippolito
v20.20.0
This tag was signed with the committerβs verified signature.
This is a security release.
Notable Changes
lib:
- (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#802
- (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
lib,permission: - (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
src: - (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
src,lib: - (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Π‘ΠΊΠΎΠ²ΠΎΡΠΎΠ΄Π° ΠΠΈΠΊΠΈΡΠ° ΠΠ½Π΄ΡΠ΅Π΅Π²ΠΈΡ) nodejs-private/node-private#759
tls: - (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796
Commits
- [
8f9ba3f623] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #60997 - [
97fc9b0eb7] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#792 - [
14fbbb510c] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#802 - [
1febc48d5b] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797 - [
494f62dc23] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760 - [
d7a5c587c0] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773 - [
51f4de4b4a] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Π‘ΠΊΠΎΠ²ΠΎΡΠΎΠ΄Π° ΠΠΈΠΊΠΈΡΠ° ΠΠ½Π΄ΡΠ΅Π΅Π²ΠΈΡ) nodejs-private/node-private#759 - [
85f73e7057] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796
2025-12-10, Version 24.12.0 'Krypton' (LTS), @targos
Notable Changes
- [
1a00b5f68a] - (SEMVER-MINOR) http: add optimizeEmptyRequests server option (Rafael Gonzaga) #59778 - [
ff5754077d] - (SEMVER-MINOR) lib: add options to util.deprecate (Rafael Gonzaga) #59982 - [
8987159234] - (SEMVER-MINOR) module: mark type stripping as stable (Marco Ippolito) #60600 - [
92c484ebf4] - (SEMVER-MINOR) node-api: add napi_create_object_with_properties (Miguel Marcondes Filho) #59953 - [
b11bc5984e] - (SEMVER-MINOR) sqlite: allow setting defensive flag (Bart Louwers) #60217 - [
e7da5b4b7d] - (SEMVER-MINOR) src: add watch config namespace (Marco Ippolito) #60178 - [
a7f7d10c06] - (SEMVER-MINOR) src: add an option to make compile cache portable (Aditi) #58797 - [
92ea669240] - (SEMVER-MINOR) src,permission: add --allow-inspector ability (Rafael Gonzaga) #59711 - [
05d7509bd2] - (SEMVER-MINOR) v8: add cpu profile (theanarkh) #59807
Commits
- [
e4a23a35ac] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #60603 - [
b6114ae5c9] - benchmark: add per-suite setup option (Joyee Cheung) #60574 - [
ac8e90af7c] - buffer: speed up concat via TypedArray#set (GΓΌrgΓΌn DayΔ±oΔlu) #60399 - [
acbc8ca13e] - build: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) #59984 - [
f97a609a07] - console: optimize single-string logging (GΓΌrgΓΌn DayΔ±oΔlu) #60422 - [
6cd9bdc580] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #60662 - [
0fafe24d9b] - crypto: fix argument validation in crypto.timingSafeEqual fast path (Joyee Cheung) #60538 - [
54421e0419] - debugger: fix event listener leak in the run command (Joyee Cheung) #60464 - [
c361a628b4] - deps: V8: cherry-pick 72b0e27bd936 (pthier) #60732 - [
c70f4588dd] - deps: V8: cherry-pick 6bb32bd2c194 (Erik Corry) #60732 - [
881fe784c5] - deps: V8: cherry-pick 0dd2318b5237 (Erik Corry) #60732 - [
457c33efcc] - deps: V8: cherry-pick df20105ccf36 (Erik Corry) #60732 - [
0bf45a829c] - deps: V8: backport e5dbbbadcbff (Darshan Sen) #60524 - [
4993bdc476] - deps: V8: cherry-pick 5ba9200cd046 (Juan JosΓ© Arboleda) #60620 - [
1e9abe0078] - deps: update corepack to 0.34.5 (Node.js GitHub Bot) #60842 - [
3f704ed08f] - deps: update corepack to 0.34.4 (Node.js GitHub Bot) #60643 - [
04e360fdb1] - deps: V8: cherry-pick 06bf293610ef, 146962dda8d2 and e0fb10b5148c (MichaΓ«l Zasso) #60713 - [
fcbd8dbbde] - deps: patch V8 to 13.6.233.17 (MichaΓ«l Zasso) #60712 - [
28e9433f39] - deps: V8: cherry-pick 87356585659b (Joyee Cheung) #60069 - [
3cac85b243] - deps: V8: backport 2e4c5cf9b112 (MichaΓ«l Zasso) #60654 - [
1daece1970] - deps: call OPENSSL_free after ANS1_STRING_to_UTF8 (Rafael Gonzaga) #60609 - [
5f55a9c9ea] - deps: nghttp2: revert 7784fa979d0b (Antoine du Hamel) #59790 - [
1d9e7c1f4d] - deps: update nghttp2 to 1.67.1 (nodejs-github-bot) #59790 - [
3140415068] - deps: update simdjson to 4.1.0 (Node.js GitHub Bot) #60542 - [
d911f9f1b8] - deps: update amaro to 1.1.5 (Node.js GitHub Bot) #60541 - [
daaaf04a32] - deps: V8: cherry-pick 2abc61361dd4 (Richard Lau) #60177 - [
b4f63ee5f8] - doc: update Collaborators list to reflect hybrist handle change (Antoine du Hamel) #60650 - [
effcf7a8ab] - doc: fix link in--env-file=filesection (N. Bighetti) #60563 - [
7011736703] - doc: fix linter issues (Antoine du Hamel) #60636 - [
5cc79d8945] - doc: add missing history entry forsqlite.md(Antoine du Hamel) #60607 - [
bbc649057c] - doc: correct values/references for buffer.kMaxLength (RenΓ©) #60305 - [
ea7ecb517b] - doc: recommend events.once to manage 'close' event (Dan Fabulich) #60017 - [
58bff04cc2] - doc: highlight module loading difference between import and require (Ajay A) #59815 - [
bbcbff9b4d] - doc: add CJS code snippets insqlite.md(Allon Murienik) #60395 - [
f8af33d5a7] - doc: fix typo inprocess.unrefdocumentation (μ°ν) #59698 - [
df105dc351] - doc: add some entries toglossary.md(Mohataseem Khan) #59277 - [
4955cb2b5b] - doc: improve agent.createConnection docs for http and https agents (JaeHo Jang) #58205 - [
6283bb5cc9] - doc: fix pseudo code in modules.md (chirsz) #57677 - [
d5059ea537] - doc: add missing variable in code snippet (Koushil Mankali) #55478 - [
900de373ae] - doc: add missing word insingle-executable-applications.md(Konstantin Tsabolov) #53864 - [
5735044c8b] - doc: fix typo in http.md (Michael Solomon) #59354 - [
2dee6df831] - doc: update devcontainer.json and add documentation (Joyee Cheung) #60472 - [
8f2d98d7d2] - doc: add haramj as triager (Haram Jeong) #60348 - [[
bbd7fdfff4](https://gith...
2025-11-25, Version 20.19.6 'Iron' (LTS), @marco-ippolito
v20.19.6
This tag was signed with the committerβs verified signature.
6a530fe
This commit was signed with the committerβs verified signature.
Notable Changes
- [
6277910a15] - crypto: update root certificates to NSS 3.114 (Node.js GitHub Bot) #59571 - [
082e50d4a2] - doc: update the instruction on how to verify releases (Antoine du Hamel) #59113 - [
db68cec4cb] - doc: deprecate HTTP/2 priority signaling (Matteo Collina) #58313
Commits
- [
0f644df42e] - build: fix 'implicit-function-declaration' on OpenHarmony platform (hqzing) #59547 - [
fba0025b9c] - build: usewindows-2025runner (MichaΓ«l Zasso) #59673 - [
3456ec946d] - crypto: update root certificates to NSS 3.116 (Node.js GitHub Bot) #59956 - [
6277910a15] - crypto: update root certificates to NSS 3.114 (Node.js GitHub Bot) #59571 - [
1788fb5f3d] - deps: update undici to 6.22.0 (Matteo Collina) #60112 - [
5d61b55f24] - deps: update uvwasi to 0.0.23 (Node.js GitHub Bot) #59791 - [
9f1e5e4637] - deps: update histogram to 0.11.9 (Node.js GitHub Bot) #59689 - [
d0edb01d25] - deps: update googletest to eb2d85e (Node.js GitHub Bot) #59335 - [
576242ff39] - deps: V8: cherry-pick a0d0d4fc4f19 (Ho Cheung) #60716 - [
a07a277020] - deps: update corepack to 0.34.1 (Node.js GitHub Bot) #60314 - [
fa5c5af8ce] - deps: update archs files for openssl-3.0.17 (Node.js GitHub Bot) #59134 - [
556113e2fc] - deps: upgrade openssl sources to openssl-3.0.17 (Node.js GitHub Bot) #59134 - [
cd1536ca90] - deps: update corepack to 0.34.0 (Node.js GitHub Bot) #59133 - [
acec79989e] - deps: V8: cherry-pick 6b1b9bca2a8 (zhoumingtao) #59283 - [
e65b930aa7] - deps: V8: backport 2e4c5cf9b112 (MichaΓ«l Zasso) #60654 - [
1b75a601f7] - doc: fix typo on child_process.md (Angelo Gazzola) #60114 - [
a2bcb217c6] - doc: fix typo in section on microtask order (Tobias NieΓen) #59932 - [
2426d3f3ff] - doc: add security escalation policy (Ulises GascΓ³n) #59806 - [
e7f6f04758] - doc: add Miles Guicent as triager (Miles Guicent) #59562 - [
e51ef3f48b] - doc: update install_tools.bat free disk space (Stefan Stojanovic) #59579 - [
8a504d900a] - doc: fix missing link to the Error documentation in thehttppage (Alexander Makarenko) #59080 - [
8c5c8aa71d] - doc: clarify experimental platform vulnerability policy (Matteo Collina) #59591 - [
109c4bff77] - doc: add security incident reponse plan (Rafael Gonzaga) #59470 - [
4f004efdf3] - doc: add RafaelGSS as performance strategic lead (Rafael Gonzaga) #59445 - [
caa2db4bac] - doc: fix links in test.md (Vas Sudanagunta) #58876 - [
082e50d4a2] - doc: update the instruction on how to verify releases (Antoine du Hamel) #59113 - [
19a66365d9] - doc: clarify DEP0194 scope (Antoine du Hamel) #58504 - [
db68cec4cb] - doc: deprecate HTTP/2 priority signaling (Matteo Collina) #58313 - [
3b2368774f] - doc: make Stability labels not sticky in Stability index (Livia Medeiros) #58291 - [
960d05ad7d] - doc: add history entries to--input-typesection (Antoine du Hamel) #58175 - [
20616f1750] - http2: do not crash on mismatched ping buffer length (RenΓ©) #60135 - [
9eb94232c8] - lib: handle superscript variants on windows device (Rafael Gonzaga) #59261 - [
dc58b4e35f] - meta: move Michael to emeritus (Michael Dawson) #60070 - [
d943cfb260] - meta: bump actions/setup-node from 4.4.0 to 5.0.0 (dependabot[bot]) #60093 - [
de9a3aaf0f] - meta: bump step-security/harden-runner from 2.12.2 to 2.13.1 (dependabot[bot]) #60094 - [
b4b5d4a4d7] - meta: bump ossf/scorecard-action from 2.4.2 to 2.4.3 (dependabot[bot]) #60096 - [
e5b4eee901] - meta: bump actions/setup-python from 5.6.0 to 6.0.0 (dependabot[bot]) #60090 - [
7cb032c2c1] - meta: update devcontainer to the latest schema (Aviv Keller) #54347 - [
bb108191aa] - meta: callcreate-release-post.ymlpost release (Aviv Keller) #60366 - [
2a11d50526] - module: correctly detect top-level await in ambiguous contexts (Shima Ryuhei) #58646 - [
144233b71a] - process: fix wrong asyncContext under unhandled-rejections=strict (Shima Ryuhei) #60103 - [
409cb773a4] - repl: fix cpu overhead pasting big strings to the REPL (Ruben Bridgewater) #59857 - [
d1c9d80cac] - repl: add isValidParentheses check before wrap input (Xuguang Mei) #59607 - [
b8d145db2c] - src: fix order of CHECK_NOT_NULL/dereference (Tobias NieΓen) #59487 - [
2c8a73f95f] - src: remove duplicate assignment ofO_EXCLin node_constants.cc (Daniel Osvaldo R) #59049 - [
b1da374503] - test: fix typo of test-benchmark-readline.js (Deokjin Kim) #59993 - [
4b4e38f497] - test: mark sea tests flaky on macOS x64 (Richard Lau) #60068 - [
cbf4fc34c3] - test: skip more sea tests on Linux ppc64le (Richard Lau) #59755 - [
9543facad7] - test: mark test-inspector-network-fetch as flaky again (Joyee Cheung) [#59640](https://github.com/nodejs/node...
2025-11-17, Version 25.2.1 (Current), @aduh95
This release reverts the spec-compliant behavior of sometimes throwing on localStorage
access. We received feedback that this change on an experimental API was too breaking
for a semver-minor release, so we decided to push it back for Node.js 26.0.0.
Commits
- [
ff89b7b6c7] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #60662 - [
5316b580eb] - deps: V8: backport 2e4c5cf9b112 (MichaΓ«l Zasso) #60654 - [
ca878bc90e] - doc,src,lib: clarify experimental status of Web Storage support (Antoine du Hamel) #60708 - [
a4dee613fd] - Revert "lib: throw from localStorage getter on missing storage path" (Antoine du Hamel) #60750