2025-09-25, Version 24.9.0 (Current), @targos

Notable Changes

• [9b043a9096] - (SEMVER-MINOR) http: add shouldUpgradeCallback to let servers control HTTP upgrades (Tim Perry) #59824
• [a6456ab90a] - (SEMVER-MINOR) sqlite: cleanup ERM support and export Session class (James M Snell) #58378
• [5563361d22] - (SEMVER-MINOR) sqlite: add tagged template (0hm☘️) #58748
• [04013ee933] - (SEMVER-MINOR) worker: add heap profile API (theanarkh) #59846

Commits

• [cbec4fd6de] - benchmark: calibrate config dgram multi-buffer (Bruno Rodrigues) #59696
• [9a4bbdc3c5] - benchmark: calibrate config cluster/echo.js (Nam Yooseong) #59836
• [0b284d86e8] - build: add the missing macro definitions for OpenHarmony (hqzing) #59804
• [43e6e54d66] - build: do not include custom ESLint rules testing in tarball (Antoine du Hamel) #59809
• [039ac19154] - crypto: expose signatureAlgorithm on X509Certificate (Patrick Costa) #59235
• [647c332704] - crypto: use return await when returning Promises from async functions (Renegade334) #59841
• [8ed4587cf0] - crypto: use async functions for non-stub Promise-returning functions (Renegade334) #59841
• [bb051c56ef] - crypto: avoid calls to promise.catch() (Renegade334) #59841
• [05e560dd25] - deps: update googletest to 50b8600 (Node.js GitHub Bot) #59955
• [fa40d3a785] - deps: update archs files for openssl-3.5.3 (Node.js GitHub Bot) #59901
• [8c85570d18] - deps: upgrade openssl sources to openssl-3.5.3 (Node.js GitHub Bot) #59901
• [b71125664e] - deps: update undici to 7.16.0 (Node.js GitHub Bot) #59830
• [dea5dd7077] - dgram: restore buffer optimization in fixBufferList (Yoo) #59934
• [b0c1e67532] - diagnostics_channel: fix race condition with diagnostics_channel and GC (Ugaitz Urien) #59910
• [0b37b594c3] - doc: use "WebAssembly" instead of "Web Assembly" (Tobias Nießen) #59954
• [1e723f9c6b] - doc: fix typo in section on microtask order (Tobias Nießen) #59932
• [a28962a85c] - doc: update V8 fast API guidance (René) #58999
• [bd767c5d1b] - doc: add security escalation policy (Ulises Gascón) #59806
• [9df91e59e1] - doc: type improvement of file http.md (yusheng chen) #58189
• [e4f571680b] - doc: deprecate closing fs.Dir on garbage collection (Livia Medeiros) #59839
• [e9cb986fa5] - doc: rephrase dynamic import() description (Nam Yooseong) #59224
• [026d4e33f7] - doc,crypto: update subtle.generateKey and subtle.importKey (Filip Skokan) #59851
• [2b2591db52] - esm: make hasAsyncGraph non-enumerable (Joyee Cheung) #59905
• [993f05d323] - fs,win: do not add a second trailing slash in readdir (Gerhard Stöbich) #59847
• [7aec53b607] - (SEMVER-MINOR) http: add shouldUpgradeCallback to let servers control HTTP upgrades (Tim Perry) #59824
• [83ae6102e7] - http: optimize checkIsHttpToken for short strings (방진혁) #59832
• [6695067636] - http,https: handle IPv6 with proxies (Joyee Cheung) #59894
• [c5d910a0a9] - http2: fix allowHttp1+Upgrade, broken by shouldUpgradeCallback (Tim Perry) #59924
• [acada1fb82] - inspector: ensure adequate memory allocation for Binary::toBase64 (René) #59870
• [396cc8ec65] - lib: update inspect output format for subclasses (Miguel Marcondes Filho) #59687
• [fed1dac8de] - lib: update isDeepStrictEqual to support options (Miguel Marcondes Filho) #59762
• [d785929fd7] - lib: add source map support for assert messages (Chengzhong Wu) #59751
• [ff13d1d61e] - lib,src: cache ModuleWrap.hasAsyncGraph (Chengzhong Wu) #59703
• [b200cd8470] - lib,src: refactor assert to load error source from memory (Chengzhong Wu) #59751
• [e94c57301b] - meta: add .npmrc with ignore-scripts=true (Joyee Cheung) #59914
• [728472a57b] - module: only put directly require-d ESM into require.cache (Joyee Cheung) #59874
• [be48760b93] - node-api: added SharedArrayBuffer api (Mert Can Altin) #59071
• [f006a14522] - node-api: make napi_delete_reference use node_api_basic_env (Jeetu Suthar) #59684
• [0f46c1c3b0] - repl: fix cpu overhead pasting big strings to the REPL (Ruben Bridgewater) #59857
• [3eeb7b47ea] - sqlite: fix crash session extension callbacks with workers (Bart Louwers) #59848
• [0fe53375ec] - (SEMVER-MINOR) sqlite: cleanup ERM support and export Session class (James M Snell) #58378
• [9a3e58a007] - (SEMVER-MINOR) sqlite: add tagged template (0hm☘️) #58748
• [f14ed5ab7b] - src: simplify watchdog instantiations via std::optional (Anna Henningsen) #59960
• [e330f03f84] - src: update crypto objects to use DictionaryTemplate (James M Snell) #59942
• [69b5607cf4] - src: simplify is_callable by making it a concept (Tobias Nießen) #58169
• [86150f3401] - src: rename private fields to follow naming convention (Moonki Choi) #59923
• [d17f299539] - src: use DictionaryTemplate more in URLP...

2025-09-24, Version 22.20.0 'Jod' (LTS), @richardlau

Notable Changes

OpenSSL updated to 3.5.2

For official Node.js builds, or builds using the default build configuration, Node.js now bundles OpenSSL 3.5.2. This update allows Node.js 22.x to be supported through to the planned End-of-Life date of 2027-04-30 as the previously bundled OpenSSL 3.0.x goes out of support in September 2026.

This change does not affect third-party builds of Node.js that link to an external OpenSSL (or OpenSSL-compatible) library.

Other notable changes

• [5b83e1e0a2] - crypto: update root certificates to NSS 3.114 (Node.js GitHub Bot) #59571
• [34b25fd97b] - doc: stabilize --disable-sigusr1 (Rafael Gonzaga) #59707
• [bf41218ed9] - doc: mark path.matchesGlob as stable (Aviv Keller) #59572
• [1dbad2058f] - (SEMVER-MINOR) http: add Agent.agentKeepAliveTimeoutBuffer option (Haram Jeong) #59315
• [062e837d5f] - (SEMVER-MINOR) http2: add support for raw header arrays in h2Stream.respond() (Tim Perry) #59455
• [b8066611c3] - inspector: add http2 tracking support (Darshan Sen) #59611
• [9b7dd40da8] - (SEMVER-MINOR) sea: implement execArgvExtension (Joyee Cheung) #59560
• [48bfbd3dca] - (SEMVER-MINOR) sea: support execArgv in sea config (Joyee Cheung) #59314
• [cf06e74076] - (SEMVER-MINOR) stream: add brotli support to CompressionStream and DecompressionStream (Matthew Aitken) #59464
• [62bb80c17e] - (SEMVER-MINOR) test_runner: support object property mocking (Idan Goshen) #58438
• [9e2aa23be9] - (SEMVER-MINOR) worker: add cpu profile APIs for worker (theanarkh) #59428

Commits

• [b7b78fd565] - assert: cap input size in myersDiff to avoid Int32Array overflow (Haram Jeong) #59578
• [9da50a6c53] - benchmark: sqlite prevent create both tables on prepare selects (Bruno Rodrigues) #59709
• [4c1538770e] - benchmark: calibrate config array-vs-concat (Rafael Gonzaga) #59587
• [fc3f82d683] - benchmark: calibrate config v8/serialize.js (Rafael Gonzaga) #59586
• [e95c9b2950] - benchmark: reduce readfile-permission-enabled config (Rafael Gonzaga) #59589
• [e4fea38b31] - benchmark: calibrate length of util.diff (Rafael Gonzaga) #59588
• [c5d68c4a0f] - benchmark, test: replace CRLF variable with string literal (Lee Jiho) #59466
• [129a1d673b] - build: fix getting OpenSSL version on Windows (Michaël Zasso) #59609
• [9f53db7162] - build: fix 'implicit-function-declaration' on OpenHarmony platform (hqzing) #59547
• [3839593e07] - build: use windows-2025 runner (Michaël Zasso) #59673
• [e430464669] - build: compile bundled uvwasi conditionally (Carlo Cabrera) #59622
• [e2c9cab0cd] - build: do not set -mminimal-toc with clang (Richard Lau) #59484
• [208bc810a1] - child_process: remove unsafe array iteration (hotpineapple) #59347
• [d74799d90c] - crypto: load system CA certificates off thread (Joyee Cheung) #59550
• [5b83e1e0a2] - crypto: update root certificates to NSS 3.114 (Node.js GitHub Bot) #59571
• [d289b1d1af] - deps: V8: cherry-pick e3df60f3f5ab (Chengzhong Wu) #58691
• [cf5d91e2a6] - deps: update uvwasi to 0.0.23 (Node.js GitHub Bot) #59791
• [1cf24a0445] - deps: update histogram to 0.11.9 (Node.js GitHub Bot) #59689
• [8638bd3f2e] - deps: update googletest to eb2d85e (Node.js GitHub Bot) #59335
• [3ff4eb5b37] - deps: update amaro to 1.1.2 (Node.js GitHub Bot) #59616
• [4d268ac034] - deps: V8: cherry-pick 7b91e3e2cbaf (Milad Fa) #59485
• [83410eb0e3] - deps: V8: cherry-pick 59d52e311bb1 (Milad Fa) #59485
• [5780af02cb] - deps: update amaro to 1.1.1 (Node.js GitHub Bot) #59141
• [2986eca821] - deps: V8: cherry-pick 6b1b9bca2a8 (zhoumingtao) #59283
• [98e399b3ea] - deps: update archs files for openssl-3.5.2 (Node.js GitHub Bot) #59371
• [2b983a7520] - deps: upgrade openssl sources to openssl-3.5.2 (Node.js GitHub Bot) #59371
• [7ffbb42454] - deps: update archs files for openssl-3.5.1 (Node.js GitHub Bot) #59234
• [bd48a60a75] - deps: upgrade openssl sources to openssl-3.5.1 (Node.js GitHub Bot) #59234
• [24762a10ca] - deps: fix OpenSSL security level at 1 (Richard Lau) #59859
• [1233e92d10] - diagnostics_channel: revoke DEP0163 (René) #59758
• [34b25fd97b] - doc: stabilize --disable-sigusr1 (Rafael Gonzaga) #59707
• [d7adf8be64] - doc: update "Type stripping in dependencies" section (Josh Kelley) #59652
• [a1d7e4fdbf] - doc: add Miles Guicent as triager (Miles Guicent) #59562
• [bf41218ed9] - doc: mark path.matchesGlob as stable (Aviv Keller) #59572
• [afaa1ccb74] - doc: improve documentation for raw headers in HTTP/2 APIs (Tim Perry) #59633
• [b95ff56102] - doc: update install_tools.bat free disk space (Stefan Stojanovic) #59579
• [6ff939b8d3] - doc: fix filehandle.read typo (Ruy Adorno) #59635
• [963bfa9d6f] - doc: fix missing link to the Error documentation in the http page (Alexander Makarenko) #59080
• [0e10a8ea27] - **d...

2025-09-10, Version 24.8.0 (Current), @targos

Notable Changes

HTTP/2 Network Inspection Support in Node.js

Node.js now supports inspection of HTTP/2 network calls in Chrome DevTools for Node.js.

Usage

Write a test.js script that makes HTTP/2 requests.

const http2 = require('node:http2');

const client = http2.connect('https://nghttp2.org');

const req = client.request([
  ':path', '/',
  ':method', 'GET',
]);

Run it with these options:

node --inspect-wait --experimental-network-inspection test.js

Open about:inspect on Google Chrome and click on Open dedicated DevTools for Node.
The Network tab will let you track your HTTP/2 calls.

Contributed by Darshan Sen in #59611.

Other Notable Changes

• [7a8e2c251d] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in node:crypto (Filip Skokan) #59570
• [4b631be0b0] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in Web Cryptography (Filip Skokan) #59570
• [3e4b1e732c] - (SEMVER-MINOR) crypto: add KMAC Web Cryptography algorithms (Filip Skokan) #59647
• [b1d28785b2] - (SEMVER-MINOR) crypto: add Argon2 Web Cryptography algorithms (Filip Skokan) #59544
• [430691d1af] - (SEMVER-MINOR) crypto: support SLH-DSA KeyObject, sign, and verify (Filip Skokan) #59537
• [d6d05ba397] - (SEMVER-MINOR) worker: add cpu profile APIs for worker (theanarkh) #59428

Commits

• [d913872369] - assert: cap input size in myersDiff to avoid Int32Array overflow (Haram Jeong) #59578
• [7bbbcf6666] - benchmark: sqlite prevent create both tables on prepare selects (Bruno Rodrigues) #59709
• [44d7b92271] - benchmark: calibrate config array-vs-concat (Rafael Gonzaga) #59587
• [7f347fc551] - build: fix getting OpenSSL version on Windows (Michaël Zasso) #59609
• [4a317150d5] - build: fix 'implicit-function-declaration' on OpenHarmony platform (hqzing) #59547
• [bda32af587] - build: use windows-2025 runner (Michaël Zasso) #59673
• [a4a8ed8f6e] - build: compile bundled uvwasi conditionally (Carlo Cabrera) #59622
• [d944a87761] - crypto: refactor subtle methods to use synchronous import (Filip Skokan) #59771
• [7a8e2c251d] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in node:crypto (Filip Skokan) #59570
• [4b631be0b0] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in Web Cryptography (Filip Skokan) #59570
• [3e4b1e732c] - (SEMVER-MINOR) crypto: add KMAC Web Cryptography algorithms (Filip Skokan) #59647
• [b1d28785b2] - (SEMVER-MINOR) crypto: add Argon2 Web Cryptography algorithms (Filip Skokan) #59544
• [430691d1af] - (SEMVER-MINOR) crypto: support SLH-DSA KeyObject, sign, and verify (Filip Skokan) #59537
• [0d1e53d935] - deps: update uvwasi to 0.0.23 (Node.js GitHub Bot) #59791
• [68732cf426] - deps: update histogram to 0.11.9 (Node.js GitHub Bot) #59689
• [f12c1ad961] - deps: update googletest to eb2d85e (Node.js GitHub Bot) #59335
• [45af6966ae] - deps: upgrade npm to 11.6.0 (npm team) #59750
• [57617244a4] - deps: V8: cherry-pick 6b1b9bca2a8 (Xiao-Tao) #59283
• [2e6225a747] - deps: update amaro to 1.1.2 (Node.js GitHub Bot) #59616
• [1f7f6dfae6] - diagnostics_channel: revoke DEP0163 (René) #59758
• [8671a6cdb3] - doc: stabilize --disable-sigusr1 (Rafael Gonzaga) #59707
• [583b1b255d] - doc: update OpenSSL default security level to 2 (Jeetu Suthar) #59723
• [9b5eb6eb50] - doc: fix missing links in the errors page (Nam Yooseong) #59427
• [e7bf712c57] - doc: update "Type stripping in dependencies" section (Josh Kelley) #59652
• [96db47f91e] - doc: add Miles Guicent as triager (Miles Guicent) #59562
• [87f829bd0c] - doc: mark path.matchesGlob as stable (Aviv Keller) #59572
• [062b2f705e] - doc: improve documentation for raw headers in HTTP/2 APIs (Tim Perry) #59633
• [6ab9306370] - doc: update install_tools.bat free disk space (Stefan Stojanovic) #59579
• [c8d6b60da6] - doc: fix quic session instance typo (jakecastelli) #59642
• [61d0a2d1ba] - doc: fix filehandle.read typo (Ruy Adorno) #59635
• [3276bfa0d0] - doc: update migration recomendations for util.is**() deprecations (Augustin Mauroy) #59269
• [11de6c7ebb] - doc: fix missing link to the Error documentation in the http page (Alexander Makarenko) #59080
• [f5b6829bba] - doc,crypto: add description to the KEM and supports() methods (Filip Skokan) #59644
• [5bfdc7ee74] - doc,crypto: cleanup unlinked and self method references webcrypto.md (Filip Skokan) #59608
• [010458d061] - esm: populate separate cache for require(esm) in imported CJS (Joyee Cheung) #59679
• [dbe6e63baf] - esm: fix missed renaming in ModuleJob.runSync (Joyee Cheung) #59724
• [8eb0d9d834] - fs: fix wrong order of file names in cpSync error message (Nicholas Paun) #59775
• [e69be5611f] - fs: fix dereference: false on cpSync (Nicholas Paun) #59681
• [2865d2ac20] - http: unbreak keepAliveTimeoutBuffer (Robert Nagy) #59784
• [ade1175475] - http: use cached '1.1' http version string (Robert Nagy) #59717
• [74a09482de] - inspector: undici as shared-library shoul...

2025-09-03, Version 20.19.5 'Iron' (LTS), @marco-ippolito

Notable Changes

• [f5b293ad48] - doc: add JonasBa to collaborators (Jonas Badalic) #58355
• [4e6ae787c6] - doc: add puskin to collaborators (Giovanni Bucci) #58308
• [d06db658fc] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #58499
• [3c6206cac9] - doc: add @geeksilva97 to collaborators (Edy Silva) #57241

Commits

• [ea20403467] - build: fix uvwasi pkgname (Antoine du Hamel) #58270
• [c647aa4b30] - build: fix pointer compression builds (Joyee Cheung) #58171
• [d2c5e609ae] - build: disable v8_enable_pointer_compression_shared_cage on non-64bit (Shelley Vohr) #58867
• [84d5c4d244] - build: search for libnode.so in multiple places (Jan Staněk) #58213
• [068c439552] - crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 (Filip Skokan) #58942
• [edff105c34] - debugger: fix behavior of plain object exec in debugger repl (Dario Piotrowicz) #57498
• [0473e35b7f] - deps: update zlib to 1.3.1-470d3a2 (Node.js GitHub Bot) #58628
• [1218dbbea5] - deps: update zlib to 1.3.0.1-motley-780819f (Node.js GitHub Bot) #57768
• [0e3cd9ec00] - deps: update zlib to 1.3.0.1-motley-788cb3c (Node.js GitHub Bot) #56655
• [a194dd9bd4] - deps: update archs files for openssl-3.0.16 (Node.js GitHub Bot) #57335
• [cc9b79ca70] - deps: upgrade openssl sources to quictls/openssl-3.0.16 (Node.js GitHub Bot) #57335
• [82c46d5358] - deps: update cjs-module-lexer to 2.1.0 (Node.js GitHub Bot) #57180
• [43e3f9b26b] - deps: update cjs-module-lexer to 2.0.0 (Michael Dawson) #56855
• [91282ff16b] - deps: update corepack to 0.33.0 (Node.js GitHub Bot) #58566
• [b76bca6f38] - deps: update acorn to 8.15.0 (Node.js GitHub Bot) #58711
• [ae11481011] - deps: update acorn to 8.14.1 (Node.js GitHub Bot) #57382
• [142d701201] - deps: update minimatch to 10.0.3 (Node.js GitHub Bot) #58712
• [fee082d684] - deps: update llhttp to 9.3.0 (Fedor Indutny) #58144
• [c06f6f3f05] - dns: remove redundant code using common variable (Deokjin Kim) #57386
• [cded8e7e77] - dns: fix parse memory leaky (theanarkh) #58973
• [182ae67233] - dns: fix dns query cache implementation (Ethan Arrowood) #58404
• [621b66a297] - doc: add review guidelines for collaborator nominations (Antoine du Hamel) #57449
• [b1009b5b72] - doc: explicit mention arbitrary code execution as a vuln (Rafael Gonzaga) #57426
• [f5b293ad48] - doc: add JonasBa to collaborators (Jonas Badalic) #58355
• [4e6ae787c6] - doc: add puskin to collaborators (Giovanni Bucci) #58308
• [530473f479] - doc: add ovflowd back to core collaborators (Claudio W.) #58911
• [38e8bbc131] - doc: add info on how project manages social media (Michael Dawson) #57318
• [d06bb4dcc2] - doc: ping nodejs/tsc for each security pull request (Rafael Gonzaga) #57309
• [d06db658fc] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #58499
• [8c3bc156ed] - doc: clarify path.isAbsolute is not path traversal mitigation (Eric Fortis) #57073
• [e688410bda] - doc: fix rendering of DEP0174 description (David Sanders) #56835
• [e6a0c6a0fa] - doc: add missing assert return types (Colin Ihrig) #57219
• [026b3cab6a] - doc: add 1ilsang to triage team (1ilsang) #57183
• [3c6206cac9] - doc: add @geeksilva97 to collaborators (Edy Silva) #57241
• [ef3a4675c7] - doc: fix web.libera.chat link in pull-requests.md (Samuel Bronson) #57076
• [1db42b76f7] - doc: remove buffered flag from performance hooks examples (Pavel Romanov) #52607
• [b73a1356ce] - doc: add module namespace object links (Dario Piotrowicz) #57093
• [09368db20f] - doc: disambiguate pseudo-code statement (Dario Piotrowicz) #57092
• [2c3dc569a1] - doc: fix wrong articles used to address modules (Dario Piotrowicz) #57090
• [cd8259cb4e] - doc: modules.md: fix distance definition (Alexander “weej” Jones) #57046
• [7b0ea9ab2d] - doc: fix wrong verb form (Dario Piotrowicz) #57091
• [14fcfc242b] - doc: add a note about require('../common') in testing documentation (Aditi) #56953
• [bc7d18b6ea] - doc: recommend writing tests in new files and including comments (Joyee Cheung) #57028
• [acd4d7f269] - doc: improve documentation on argument validation (Aditi) #56954
• [4cd6b3ca73] - doc: buffer: fix typo on Buffer.copyBytesFrom( offset option (tpoisseau) #57015
• [01220607f2] - doc: update cleanup to trust on vuln db automation (Rafael Gonzaga) #57004
• [77a0505a32] - doc: update post sec release process (Rafael Gonzaga) #56907
• [77dbcfce5f] - doc: add section about using npx with permission model (Rafael Gonzaga) #56539
• [73e51407b7] - doc: remove...

2025-08-28, Version 22.19.0 'Jod' (LTS), @aduh95

Notable Changes

• [8e2076a24f] - (SEMVER-MINOR) cli: add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276
• [e592d739c2] - (SEMVER-MINOR) cli: support ${pid} placeholder in --cpu-prof-name (Haram Jeong) #59072
• [cda1dab6e2] - (SEMVER-MINOR) crypto: add tls.setDefaultCACertificates() (Joyee Cheung) #58822
• [1f184513e9] - (SEMVER-MINOR) dns: support max timeout (theanarkh) #58440
• [bace73a173] - doc: update the instruction on how to verify releases (Antoine du Hamel) #59113
• [fa9a9e9c69] - (SEMVER-MINOR) esm: unflag --experimental-wasm-modules (Guy Bedford) #57038
• [390a9dc20b] - (SEMVER-MINOR) http: add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243
• [c12c5343ad] - lib: docs deprecate _http_* (Sebastian Beltran) #59293
• [f57ee3d71f] - (SEMVER-MINOR) net: update net.blocklist to allow file save and file management (alphaleadership) #58087
• [035da74c31] - (SEMVER-MINOR) process: add threadCpuUsage (Paolo Insogna) #56467
• [8e697d1884] - (SEMVER-MINOR) zlib: add dictionary support to zstdCompress and zstdDecompress (lluisemper) #59240

Commits

• [73aa0ae37f] - assert: change utils to use index instead of for...of (방진혁) #59278
• [dfe3a11eed] - benchmark: remove deprecated _extend from benchmark (Rafael Gonzaga) #59228
• [9b9d30042a] - benchmark: add fs warmup to writefile-promises (Bruno Rodrigues) #59215
• [a663f7f954] - benchmark: add calibrate-n script (Rafael Gonzaga) #59186
• [1b9b5bddd6] - benchmark: adjust configuration for string-decoder bench (Rafael Gonzaga) #59187
• [d0ac3319f9] - benchmark: add --track to benchmark (Rafael Gonzaga) #59174
• [2044968b86] - benchmark: small lint fix on _cli.js (Rafael Gonzaga) #59172
• [4e519934cb] - benchmark: drop misc/punycode benchmark (Rafael Gonzaga) #59171
• [07e173d969] - benchmark: fix sqlite-is-transaction (Rafael Gonzaga) #59170
• [8440b6177f] - benchmark: reduce N for diagnostics_channel subscribe benchmark (Arthur Angelo) #59116
• [8615ea6db0] - buffer: cache Environment::GetCurrent to avoid repeated calls (Mert Can Altin) #59043
• [3deb5361d2] - build: fix node_use_sqlite for GN builds (Shelley Vohr) #59017
• [0f0ce63116] - build: remove suppressions.supp (Rafael Gonzaga) #59079
• [b30a2117dc] - build,deps,tools: prepare to update to OpenSSL 3.5 (Richard Lau) #58100
• [8e2076a24f] - (SEMVER-MINOR) cli: add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276
• [e592d739c2] - (SEMVER-MINOR) cli: support ${pid} placeholder in --cpu-prof-name (Haram Jeong) #59072
• [b5571047ed] - crypto: prepare webcrypto key import/export for modern algorithms (Filip Skokan) #59284
• [cda1dab6e2] - (SEMVER-MINOR) crypto: add tls.setDefaultCACertificates() (Joyee Cheung) #58822
• [76dab34fb7] - deps: support madvise(3C) across ALL illumos revisions (Dan McDonald) #58237
• [19d3ed64b6] - deps: update sqlite to 3.50.4 (Node.js GitHub Bot) #59337
• [38bafc59e0] - deps: V8: backport 493cb53691be (Chengzhong Wu) #59238
• [e8da171cc3] - deps: update sqlite to 3.50.3 (Node.js GitHub Bot) #59132
• [fd4ba38ab6] - deps: update googletest to 7e17b15 (Node.js GitHub Bot) #59131
• [f71f427b95] - deps: update archs files for openssl-3.0.17 (Node.js GitHub Bot) #59134
• [79c5a8f4d2] - deps: upgrade openssl sources to openssl-3.0.17 (Node.js GitHub Bot) #59134
• [0dcc84cf53] - deps: update corepack to 0.34.0 (Node.js GitHub Bot) #59133
• [1f184513e9] - (SEMVER-MINOR) dns: support max timeout (theanarkh) #58440
• [f64f5df80e] - doc: fix --use-system-ca history (Joyee Cheung) #59411
• [e22aeaa38f] - doc: add missing section for setReturnArrays in sqlite.md (Edy Silva) #59074
• [e44ef07235] - doc: rename x509.extKeyUsage to x509.keyUsage (Filip Skokan) #59332
• [2c5d0aac5e] - doc: fix Pbkdf2Params hash attribute heading (Filip Skokan) #59395
• [fde94346e5] - doc: fix missing reference links for server.keepAliveTimeoutBuffer (Lee Jiho) #59356
• [9af8bcea58] - doc: fix grammar in global dispatcher usage (Eng Zer Jun) #59344
• [0edf17198f] - doc: run license-builder (github-actions[bot]) #59343
• [7f767a2e38] - doc: correct orthography eg. → e.g. (Jacob Smith) #59329
• [a46ed50350] - doc: clarify the need of compiler compatible with c++20 (Rafael Gonzaga) #59297
• [212263a305] - doc: clarify release candidate stability index (Filip Skokan) #59295
• [ce93b8b556] - doc: add WDYT to glossary (btea) #59280
• [ebaaf2c67f] - doc: add manpage entry for --use-system-ca (Joyee Cheung) #59273
• [43b5a21916] - doc: add path.join and path.normalize clarification (Rafael Gonzaga) #59262
• [[409c66d328](https://github.com/nodejs/node/commit/...

2025-08-27, Version 24.7.0 (Current), @targos

Notable Changes

Post-Quantum Cryptography in node:crypto

OpenSSL 3.5 on 24.x kicked off post-quantum cryptography efforts in Node.js by
allowing use of NIST's post-quantum cryptography standards for future-proofing
applications against quantum computing threats. The following post-quantum
algorithms are now available in node:crypto:

• ML-KEM (FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard) through new crypto.encapsulate() and crypto.decapsulate() methods.
• ML-DSA (FIPS 204, Module-Lattice-Based Digital Signature Standard) in the existing crypto.sign() and crypto.verify() methods.

Contributed by Filip Skokan in #59259 and #59491.

Modern Algorithms in Web Cryptography API

The second substantial extension to the Web Cryptography API
(globalThis.crypto.subtle) was recently accepted for incubation by WICG.
The following algorithms and methods from this extension are now available in
the Node.js Web Cryptography API implementation:

• AES-OCB
• ChaCha20-Poly1305
• ML-DSA
• ML-KEM
• SHA-3
• SHAKE
• subtle.getPublicKey()
• SubtleCrypto.supports()
• ... with more coming in future releases.

Contributed by Filip Skokan in #59365, #59569, #59461, and #59539.

Node.js execution argument support in single executable applications

The single executable application configuration now supports additional fields
to specify Node.js execution arguments and control how they can be extended when
the application is run.

• execArgv takes an array of strings for the execution arguments to be used.
• execArgvExtension takes one of the following values:
  • "none": No additional execution arguments are allowed.
  • "cli": Additional execution arguments can be provided via a special command-line flag --node-options="--flag1 --flag2=value" at run time.
  • "env" (default): Additional execution arguments can be provided via the NODE_OPTIONS environment variable at run time.

For example, with the following configuration:

{
  "main": "/path/to/bundled/script.js",
  "output": "/path/to/write/the/generated/blob.blob",
  "execArgv": ["--no-warnings"],
  "execArgvExtension": "cli",
}

If the generated single executable application is named sea, then running:

sea --node-options="--max-old-space-size=4096" user-arg1 user-arg2

Would be equivalent to running:

node --no-warnings --max-old-space-size=4096 /path/to/bundled/script.js user-arg1 user-arg2

Contributed by Joyee Cheung in #59314 and #59560.

Root certificates updated to NSS 3.114

Certificates added:

• TrustAsia TLS ECC Root CA
• TrustAsia TLS RSA Root CA
• SwissSign RSA TLS Root CA 2022 - 1

Certificates removed:

• GlobalSign Root CA
• Entrust.net Premium 2048 Secure Server CA
• Baltimore CyberTrust Root
• Comodo AAA Services root
• XRamp Global CA Root
• Go Daddy Class 2 CA
• Starfield Class 2 CA

Other Notable Changes

• [d3afc63c44] - (SEMVER-MINOR) crypto: add argon2() and argon2Sync() methods (Ranieri Althoff) #50353
• [6ae202fcdf] - (SEMVER-MINOR) http: add Agent.agentKeepAliveTimeoutBuffer option (Haram Jeong) #59315
• [dafee05358] - (SEMVER-MINOR) http2: add support for raw header arrays in h2Stream.respond() (Tim Perry) #59455
• [8dc6f5b696] - (SEMVER-MINOR) stream: add brotli support to CompressionStream and DecompressionStream (Matthew Aitken) #59464

Commits

• [0fa22cbf7c] - benchmark: calibrate config v8/serialize.js (Rafael Gonzaga) #59586
• [f5ece45b45] - benchmark: reduce readfile-permission-enabled config (Rafael Gonzaga) #59589
• [8ebd4f4434] - benchmark: calibrate length of util.diff (Rafael Gonzaga) #59588
• [7dee3ffd14] - benchmark: reflect current OpenSSL in crypto key benchmarks (Filip Skokan) #59459
• [027b861ca1] - benchmark, test: replace CRLF variable with string literal (Lee Jiho) #59466
• [89dd770889] - build: do not set -mminimal-toc with clang (Richard Lau) #59484
• [e13de4542f] - child_process: remove unsafe array iteration (hotpineapple) #59347
• [89fe63551e] - crypto: load system CA certificates off thread (Joyee Cheung) #59550
• [152c5ef518] - (SEMVER-MINOR) crypto: add AES-OCB Web Cryptography algorithm (Filip Skokan) #59539
• [c6c418343d] - crypto: update root certificates to NSS 3.114 (Node.js GitHub Bot) #59571
• [18a2ee5b6c] - (SEMVER-MINOR) crypto: support ML-KEM in Web Cryptography (Filip Skokan) #59569
• [72937e5144] - crypto: require HMAC key length with SHA-3 hashes in Web Cryptography (Filip Skokan) #59567
• [b7383186c7] - crypto: fix subtle.getPublicKey error for secret type key inputs (Filip Skokan) #59558
• [2d05c046db] - crypto: return cached copies from CryptoKey algorithm and usages getters (Filip Skokan) #59538
• [207ffbeb07] - crypto: use CryptoKey internal slots in Web Cryptography (Filip Skokan) #59538
• [4276516781] - crypto: normalize RsaHashedKeyParams publicExponent (Filip Skokan) #59538
• [14741539a7] - (SEMVER-MINOR) crypto: support ML-KEM, DHKEM, and RSASVE key encapsulation mechanisms (Filip Skokan) #59491
• [d3afc63c44] - (SEMVER-MINOR) crypto: add argon2() and argon2Sync() methods (Ranieri Althoff) #50353
• [4fe383e45a] - (SEMVER-MINOR) crypto: support ML-DSA spki/pkcs8 key formats in Web Cryptography (Filip Skokan) #59365
• [a95386fbf9] - (SEMVER-MINOR) crypto: subject some algorithms in Web Cryptography on BoringSSL absence (Filip Skokan) #59365
• [3f47a2fb63] - (SEMVER-MINOR) crypto: add ChaCha20-Poly1305 Web Cryptography algorithm (Filip Skokan) #59365
• [6fcce9058a] - (SEMVER-MINOR) crypto: add subtle.getPublicKey() utility function in Web Cryptography (Filip Skokan) #59365
• [76cde76429] - (SEMVER-MINOR) crypto: add SHA-3 Web Cryptography digest algorithms (Filip Skokan) #59365
• [247d017501] - (SEMVER-MINOR) crypto: add SHAKE Web Cryptography digest algorithms (Filip Skokan) #59365
• [f4fbcca5ce] - (SEMVER-MINOR) crypto: add SubtleCrypto.supports feature detection in Web Cryptography (Filip Skokan) #59365
• [a55382214f] - (SEMVER-MINOR) crypto: support ML-DSA in Web Cryptography (Filip Skokan) #59365
• [c38988c860] - crypto: fix EVPKeyCtxPointer::publicCheck() (Tobias Nießen) #59471
• [[61c3bcdc56](https://github.com...

2025-08-14, Version 24.6.0 (Current), @RafaelGSS

Notable Changes

• [471fe712b3] - (SEMVER-MINOR) cli: add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276
• [38aedfbf73] - (SEMVER-MINOR) crypto: support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259
• [201304537e] - (SEMVER-MINOR) zlib: add dictionary support to zstdCompress and zstdDecompress (lluisemper) #59240
• [e79c93a5d0] - (SEMVER-MINOR) http: add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243
• [c144d69efc] - lib: docs deprecate _http_* (Sebastian Beltran) #59293
• [aeb4de55a7] - (SEMVER-MINOR) fs: port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897

Commits

• [f7484575ff] - assert: change utils to use index instead of for...of (방진혁) #59278
• [269cd16185] - benchmark: remove deprecated _extend from benchmark (Rafael Gonzaga) #59228
• [848e49c20b] - benchmark: add fs warmup to writefile-promises (Bruno Rodrigues) #59215
• [8c609be1b1] - benchmark: add calibrate-n script (Rafael Gonzaga) #59186
• [6a3bf772d8] - build: fix node_use_sqlite for GN builds (Shelley Vohr) #59017
• [471fe712b3] - (SEMVER-MINOR) cli: add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276
• [38aedfbf73] - (SEMVER-MINOR) crypto: support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259
• [a312e706cf] - crypto: prepare webcrypto key import/export for modern algorithms (Filip Skokan) #59284
• [3a7c2c3a47] - deps: update ada to 3.2.7 (Node.js GitHub Bot) #59336
• [8d9ceeaf6a] - deps: update archs files for openssl-3.5.2 (Node.js GitHub Bot) #59371
• [33b06df354] - deps: upgrade openssl sources to openssl-3.5.2 (Node.js GitHub Bot) #59371
• [fa70f1af77] - deps: support madvise(3C) across ALL illumos revisions (Dan McDonald) #58237
• [f834a6be59] - deps: update undici to 7.13.0 (Node.js GitHub Bot) #59338
• [db2417487e] - deps: update sqlite to 3.50.4 (Node.js GitHub Bot) #59337
• [41978adb08] - deps: V8: backport 493cb53691be (Chengzhong Wu) #59238
• [05667991ca] - deps: V8: backport 1c3e018e7d48 (Renegade334) #58818
• [fd61588bb4] - doc: rename x509.extKeyUsage to x509.keyUsage (Filip Skokan) #59332
• [a271ae4360] - doc: fix Pbkdf2Params hash attribute heading (Filip Skokan) #59395
• [72cfff165b] - doc: fix missing reference links for server.keepAliveTimeoutBuffer (Lee Jiho) #59356
• [8341916772] - doc: fix grammar in global dispatcher usage (Eng Zer Jun) #59344
• [e3e489706b] - doc: run license-builder (github-actions[bot]) #59343
• [46527e8cea] - doc: correct orthography eg. → e.g. (Jacob Smith) #59329
• [d140c3713e] - doc: clarify the need of compiler compatible with c++20 (Rafael Gonzaga) #59297
• [95e9cabf9d] - doc: clarify release candidate stability index (Filip Skokan) #59295
• [a056dd36d2] - doc: add WDYT to glossary (btea) #59280
• [1e2c52f5c4] - doc: add manpage entry for --use-system-ca (Joyee Cheung) #59273
• [31a46fdeb4] - doc: add path.join and path.normalize clarification (Rafael Gonzaga) #59262
• [cff3725ff9] - doc: fix typo in test/common/README.md (Yoo) #59180
• [31a9283591] - doc: add note on process memoryUsage (fengmk2) #59026
• [5a98bff6b8] - doc: format safely for doc-kit (Aviv Keller) #59229
• [95b8b7ea5c] - domain: remove deprecated API call (Alex Yang) #59339
• [2990f178bd] - fs: fix glob TypeError on restricted dirs (Sylphy-0xd3ac) #58674
• [e2fb4caf9c] - fs: correct error message when FileHandle is transferred (Alex Yang) #59156
• [aeb4de55a7] - (SEMVER-MINOR) fs: port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897
• [e79c93a5d0] - (SEMVER-MINOR) http: add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243
• [0fb005a53f] - http2: set Http2Stream#sentHeaders for raw headers (Darshan Sen) #59244
• [e055539604] - lib: add trace-sigint APIs (theanarkh) #59040
• [d2183d860a] - lib: optimize writable stream buffer clearing (Yoo) #59406
• [47543a7e17] - lib: handle windows reserved device names on UNC (Rafael Gonzaga) #59286
• [c6911f0717] - lib: do not modify prototype deprecated asyncResource (RafaelGSS) #59195
• [3c88b769bb] - lib: restructure assert to become a class (Miguel Marcondes Filho) #58253
• [e91b54df59] - lib: handle superscript variants on windows device (Rafael Gonzaga) #59261
• [4ee467905d] - lib: use validateString (hotpineapple) #59296
• [c144d69efc] - lib: docs deprecate _http_* (Sebastian Beltran) #59293
• [c89b67e681] - lib: add type names in source mapped stack traces (Chengzhong Wu) #58976
• [5b2363be8d] - lib: prefer AsyncIteratorPrototype primordial (René) #59097
• [41b4f4d694] - meta: cla...

2025-07-31, Version 24.5.0 (Current), @aduh95

Notable Changes

Upgrade to OpenSSL 3.5

This release is distributed with OpenSSL 3.5.1, following the announcement that
OpenSSL 3.5 will be supported until April 2030, while Node.js 24 will be
supported until April 2028. Read more about OpenSSL support in their blog post:
https://openssl-library.org/post/2025-02-20-openssl-3.5-lts/.

Contributed by Richard Lau in #58100.

Unflag --experimental-wasm-modules

Node.js supports both source phase imports and instance phase imports to WebAssembly
modules and for WASM imports to JavaScript, in line with the current Phase 3
WebAssembly ESM Integration proposal.
The implementation and the specification are still subject to change.

Contributed by Guy Bedford in #57038.

Built-in proxy support in request() and Agent

node:http and node:https now support proxies. When NODE_USE_ENV_PROXY
is set to 1, the default global agent would parse the http_proxy/HTTP_PROXY,
https_proxy/HTTPS_PROXY, no_proxy/NO_PROXY settings from the
environment variables, and proxy the requests sent through the built-in http/https
client accordingly.

To use global proxy support from the command line:

NODE_USE_ENV_PROXY=1 HTTP_PROXY=http://proxy.example.com:8080 HTTPS_PROXY=http://proxy.example.com:8080 NO_PROXY=localhost,127.0.0.1 node client.js

In addition, http.Agent and https.Agent now support the custom proxyEnv options.

const agent = new https.Agent({ proxyEnv: { HTTPS_PROXY: 'http://proxy.example.com:8080' } });

For reference, fetch() already supports NODE_USE_ENV_PROXY as of Node.js 24.0.0.

Contributed by Joyee Cheung in #58980.

Add setDefaultCACertificates() to node:tls

This API allows dynamically configuring CA certificates that will be used by the
Node.js TLS clients by default.

Once called, the provided certificates will become the default CA certificate list
returned by tls.getCACertificates('default') and used by TLS connections that
don't specify their own CA certificates.

To add system CA certificates to the default bundle (which includes the Mozilla
CA certificates):

tls.setDefaultCACertificates(tls.getCACertificates('default').concat(tls.getCACertificates('system')));

Contributed by Joyee Cheung in #58822.

Other notable changes

• [d5640ca58a] - (SEMVER-MINOR) cli: support ${pid} placeholder in --cpu-prof-name (Haram Jeong) #59072
• [c52aaacfc5] - (SEMVER-MINOR) dns: support max timeout (theanarkh) #58440
• [927742b342] - doc: update the instruction on how to verify releases (Antoine du Hamel) #59113
• [f753645cd8] - (SEMVER-MINOR) net: update net.blocklist to allow file save and file management (alphaleadership) #58087
• [9791ff3480] - (SEMVER-MINOR) worker: add web locks api (ishabi) #58666

Commits

• [5457c7a8a1] - benchmark: adjust configuration for string-decoder bench (Rafael Gonzaga) #59187
• [28538f2255] - benchmark: add --track to benchmark (Rafael Gonzaga) #59174
• [a28d804497] - benchmark: small lint fix on _cli.js (Rafael Gonzaga) #59172
• [09717eb68e] - benchmark: drop misc/punycode benchmark (Rafael Gonzaga) #59171
• [ad6757ef02] - benchmark: fix sqlite-is-transaction (Rafael Gonzaga) #59170
• [7fc3143f61] - benchmark: reduce N for diagnostics_channel subscribe benchmark (Arthur Angelo) #59116
• [f2812723a0] - buffer: cache Environment::GetCurrent to avoid repeated calls (Mert Can Altin) #59043
• [e3e729ca60] - build: remove suppressions.supp (Rafael Gonzaga) #59079
• [dc66422768] - build,deps,tools: prepare to update to OpenSSL 3.5 (Richard Lau) #58100
• [f5da4947d9] - cli: add --use-env-proxy (Joyee Cheung) #59151
• [d5640ca58a] - (SEMVER-MINOR) cli: support ${pid} placeholder in --cpu-prof-name (Haram Jeong) #59072
• [eeeb40e95b] - (SEMVER-MINOR) crypto: add tls.setDefaultCACertificates() (Joyee Cheung) #58822
• [135fca5b72] - crypto: avoid copying buffers to UTF-8 strings in crypto.hash() (Renegade334) #59067
• [998cef10e3] - deps: update archs files for openssl-3.5.1 (Node.js GitHub Bot) #59234
• [1f06ca956a] - deps: upgrade openssl sources to openssl-3.5.1 (Node.js GitHub Bot) #59234
• [55a90eed8d] - deps: upgrade npm to 11.5.1 (npm team) #59199
• [2b5d451ae0] - deps: update amaro to 1.1.1 (Node.js GitHub Bot) #59141
• [af789d9b5c] - deps: update undici to 7.12.0 (Node.js GitHub Bot) #59135
• [a34e44545e] - deps: update sqlite to 3.50.3 (Node.js GitHub Bot) #59132
• [bfe4781c7d] - deps: update googletest to 7e17b15 (Node.js GitHub Bot) #59131
• [72adf52e51] - deps: update ada to 3.2.6 (Node.js GitHub Bot) #58966
• [2a5f35b589] - deps: V8: cherry-pick 3d750c2aa9ef (Michaël Zasso) #58750
• [3f813eaba7] - deps: update archs files for openssl-3.0.17 (Node.js GitHub Bot) #59134
• [fb52d0d8df] - deps: upgrade openssl sources to openssl-3.0.17 (Node.js GitHub Bot) #59134
• [f122602f9d] - deps: update corepack to 0.34.0 (Node.js GitHub Bot) #59133
• [c52aaacfc5] - (SEMVER-MINOR) dns: support max timeout (theanarkh) #58440
• [927742b342] - doc: update the instruction on how to verify releases (Antoine du Hamel) #59113
• [9a8d2020ad] - doc: copyedit SECURITY.md (Rich Trott) #59190
• [3da5bc0668] - doc: fix broken sentence in URL.parse (Superchupu) #59164
• [06cd7461e0] - doc: improve onboarding instructions (Joyee Cheung) #59159
• [dfb72d158b] - doc: add constraints for mem leak to threat model (Rafael Gonzaga) #58917
• [51b8dfd5c6] - doc: add Aditi-1400 to collaborators (Aditi) #59157
• [4ffa756ce3] - doc: avoid suggesting testing fast api with intense loop (Chengzhong Wu) #59111
• [6f81b274f7] - doc: fix typo in writing-test.md (SeokHun) #59123
• [88e434e687] - ...

2025-07-31, Version 22.18.0 'Jod' (LTS), @aduh95

Notable Changes

Type stripping is enabled by default

Node.js will be able to execute TypeScript files without additional configuration:

$ echo 'const foo: string = 'World'; console.log(`Hello ${foo}!`);' > file.ts
$ node file.ts
Hello World!

There are some limitations in the supported syntax documented at
https://nodejs.org/api/typescript.html#type-stripping.

This feature is experimental and is subject to change. Disable it by passing
--no-experimental-strip-types CLI flag.

Contributed by Marco Ippolito in #56350.

Other notable changes

• [26f3711228] - (SEMVER-MINOR) deps: update amaro to 1.1.0 (Node.js GitHub Bot) #56350
• [d80ef2a71f] - (SEMVER-MINOR) doc: add all watch-mode related flags to node.1 (Dario Piotrowicz) #58719
• [8ab24d21c9] - doc: add islandryu to collaborators (Shima Ryuhei) #58714
• [430e66b9b8] - (SEMVER-MINOR) esm: implement import.meta.main (Joe) #57804
• [62f7926b6a] - (SEMVER-MINOR) fs: allow correct handling of burst in fs-events with AsyncIterator (Philipp Dunkel) #58490
• [65f19a00c3] - (SEMVER-MINOR) permission: propagate permission model flags on spawn (Rafael Gonzaga) #58853
• [ccca1517f9] - (SEMVER-MINOR) sqlite: add support for readBigInts option in db connection level (Miguel Marcondes Filho) #58697
• [48003e87e8] - (SEMVER-MINOR) src,permission: add support to permission.has(addon) (Rafael Gonzaga) #58951
• [fe4290a0e6] - (SEMVER-MINOR) url: add fileURLToPathBuffer API (James M Snell) #58700
• [4dc6b4c67a] - (SEMVER-MINOR) watch: add --watch-kill-signal flag (Dario Piotrowicz) #58719
• [8dbc6b210f] - (SEMVER-MINOR) worker: make Worker async disposable (James M Snell) #58385

Commits

• [b19ffebea7] - assert: remove dead code (Yoshiya Hinosawa) #58760
• [5bc828beae] - benchmark: add source map and source map cache (Miguel Marcondes Filho) #58125
• [f7c16985a7] - build: disable v8_enable_pointer_compression_shared_cage on non-64bit (Shelley Vohr) #58867
• [ba42c72f7f] - build: option to use custom inspector_protocol path (Shelley Vohr) #58839
• [4fd8911653] - build: fix typo 'Stoage' to 'Storage' in help text (ganglike) #58777
• [114cd95919] - crypto: fix inclusion of OPENSSL_IS_BORINGSSL define (Shelley Vohr) #58845
• [6699c75eac] - crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 (Filip Skokan) #58942
• [f99aa748c0] - deps: upgrade npm to 10.9.3 (npm team) #58847
• [02e971190b] - deps: update sqlite to 3.50.2 (Node.js GitHub Bot) #58882
• [de2b85b5ae] - deps: update googletest to 35b75a2 (Node.js GitHub Bot) #58710
• [e7591d7a19] - deps: update minimatch to 10.0.3 (Node.js GitHub Bot) #58712
• [8c61b96c43] - deps: update acorn to 8.15.0 (Node.js GitHub Bot) #58711
• [113f4e2d3c] - deps: update sqlite to 3.50.1 (Node.js GitHub Bot) #58630
• [7ccd848995] - deps: update simdjson to 3.13.0 (Node.js GitHub Bot) #58629
• [e9c51deb5c] - deps: update zlib to 1.3.1-470d3a2 (Node.js GitHub Bot) #58628
• [26f3711228] - (SEMVER-MINOR) deps: update amaro to 1.1.0 (Node.js GitHub Bot) #56350
• [752dde182f] - (SEMVER-MINOR) deps: update amaro to 1.0.0 (Node.js GitHub Bot) #56350
• [258534d0dc] - (SEMVER-MINOR) deps: update amaro to 0.5.3 (Node.js GitHub Bot) #56350
• [7fcf675503] - (SEMVER-MINOR) deps: update amaro to 0.5.2 (Node.js GitHub Bot) #56350
• [81a10a67d5] - (SEMVER-MINOR) deps: update amaro to 0.5.1 (Marco Ippolito) #56350
• [25f8682a62] - (SEMVER-MINOR) deps: update amaro to 0.5.0 (nodejs-github-bot) #56350
• [4baf2167e7] - dns: fix parse memory leaky (theanarkh) #58973
• [e8f4a7df22] - dns: set timeout to 1000ms when timeout < 0 (theanarkh) #58441
• [1e373a0a25] - doc: update release key for aduh95 (Antoine du Hamel) #58877
• [d5c104246f] - doc: remove broken link to permission model source code (Juan José) #58972
• [b8885a25ff] - doc: clarify details of TSC public and private meetings (James M Snell) #58925
• [aa05823b37] - doc: mark stability markers consistent in globals.md (Antoine du Hamel) #58932
• [3856aee9b2] - doc: move "Core Promise APIs" to "Completed initiatives" (Antoine du Hamel) #58934
• [c2f9735422] - doc: fix fetch subsections in globals.md (Antoine du Hamel) #58933
• [5f4c7a9d2d] - doc: add missing Class: mentions (Antoine du Hamel) #58931
• [88ee38b37c] - doc: remove myself from security steward rotation (Michael Dawson) #58927
• [02031a9b0d] - doc: add ovflowd back to core collaborators (Claudio W.) #58911
• [9551fa3c8f] - doc: update email address for Richard Lau (Richard Lau) #58910
• [cd6bc982c0] - doc: update vm doc links (Chengzhong Wu) #58885
• [ce49303cd0] - doc: add missing comma in child_process.md (ronijames008) #58862
• [d80ef2a71f] - (SEMVER-MINOR) doc: add all watch-mode related flags to node.1 (Dario Piotrowicz) #58719
• [f8fcb1c83a] - doc: fix jsdoc definition of assert.ifError() fn in lib/assert.js (jesh) #58573
• [[28fddc04ca](https:/...

2025-07-15, Version 24.4.1 (Current), @RafaelGSS

This is a security release.

Notable Changes

• (CVE-2025-27209) HashDoS in V8 with new RapidHash algorithm
• (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()

Commits

• [c33223f1a5] - (CVE-2025-27209) deps: V8: revert rapidhash commits (Michaël Zasso) nodejs-private/node-private#713
• [56f9db2aaa] - (CVE-2025-27210) lib: handle all windows reserved driver name (RafaelGSS) nodejs-private/node-private#721