Releases: nodejs/node
Releases Β· nodejs/node
2025-09-03, Version 20.19.5 'Iron' (LTS), @marco-ippolito
v20.19.5
This tag was signed with the committerβs verified signature.
marco-ippolito
Marco Ippolito
36ee08d
This commit was signed with the committerβs verified signature.
marco-ippolito
Marco Ippolito
Notable Changes
- [
f5b293ad48] - doc: add JonasBa to collaborators (Jonas Badalic) #58355 - [
4e6ae787c6] - doc: add puskin to collaborators (Giovanni Bucci) #58308 - [
d06db658fc] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #58499 - [
3c6206cac9] - doc: add @geeksilva97 to collaborators (Edy Silva) #57241
Commits
- [
ea20403467] - build: fix uvwasi pkgname (Antoine du Hamel) #58270 - [
c647aa4b30] - build: fix pointer compression builds (Joyee Cheung) #58171 - [
d2c5e609ae] - build: disable v8_enable_pointer_compression_shared_cage on non-64bit (Shelley Vohr) #58867 - [
84d5c4d244] - build: search for libnode.so in multiple places (Jan StanΔk) #58213 - [
068c439552] - crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 (Filip Skokan) #58942 - [
edff105c34] - debugger: fix behavior of plain object exec in debugger repl (Dario Piotrowicz) #57498 - [
0473e35b7f] - deps: update zlib to 1.3.1-470d3a2 (Node.js GitHub Bot) #58628 - [
1218dbbea5] - deps: update zlib to 1.3.0.1-motley-780819f (Node.js GitHub Bot) #57768 - [
0e3cd9ec00] - deps: update zlib to 1.3.0.1-motley-788cb3c (Node.js GitHub Bot) #56655 - [
a194dd9bd4] - deps: update archs files for openssl-3.0.16 (Node.js GitHub Bot) #57335 - [
cc9b79ca70] - deps: upgrade openssl sources to quictls/openssl-3.0.16 (Node.js GitHub Bot) #57335 - [
82c46d5358] - deps: update cjs-module-lexer to 2.1.0 (Node.js GitHub Bot) #57180 - [
43e3f9b26b] - deps: update cjs-module-lexer to 2.0.0 (Michael Dawson) #56855 - [
91282ff16b] - deps: update corepack to 0.33.0 (Node.js GitHub Bot) #58566 - [
b76bca6f38] - deps: update acorn to 8.15.0 (Node.js GitHub Bot) #58711 - [
ae11481011] - deps: update acorn to 8.14.1 (Node.js GitHub Bot) #57382 - [
142d701201] - deps: update minimatch to 10.0.3 (Node.js GitHub Bot) #58712 - [
fee082d684] - deps: update llhttp to 9.3.0 (Fedor Indutny) #58144 - [
c06f6f3f05] - dns: remove redundant code using common variable (Deokjin Kim) #57386 - [
cded8e7e77] - dns: fix parse memory leaky (theanarkh) #58973 - [
182ae67233] - dns: fix dns query cache implementation (Ethan Arrowood) #58404 - [
621b66a297] - doc: add review guidelines for collaborator nominations (Antoine du Hamel) #57449 - [
b1009b5b72] - doc: explicit mention arbitrary code execution as a vuln (Rafael Gonzaga) #57426 - [
f5b293ad48] - doc: add JonasBa to collaborators (Jonas Badalic) #58355 - [
4e6ae787c6] - doc: add puskin to collaborators (Giovanni Bucci) #58308 - [
530473f479] - doc: add ovflowd back to core collaborators (Claudio W.) #58911 - [
38e8bbc131] - doc: add info on how project manages social media (Michael Dawson) #57318 - [
d06bb4dcc2] - doc: ping nodejs/tsc for each security pull request (Rafael Gonzaga) #57309 - [
d06db658fc] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #58499 - [
8c3bc156ed] - doc: clarifypath.isAbsoluteis not path traversal mitigation (Eric Fortis) #57073 - [
e688410bda] - doc: fix rendering of DEP0174 description (David Sanders) #56835 - [
e6a0c6a0fa] - doc: add missing assert return types (Colin Ihrig) #57219 - [
026b3cab6a] - doc: add 1ilsang to triage team (1ilsang) #57183 - [
3c6206cac9] - doc: add @geeksilva97 to collaborators (Edy Silva) #57241 - [
ef3a4675c7] - doc: fix web.libera.chat link in pull-requests.md (Samuel Bronson) #57076 - [
1db42b76f7] - doc: remove buffered flag from performance hooks examples (Pavel Romanov) #52607 - [
b73a1356ce] - doc: addmodule namespace objectlinks (Dario Piotrowicz) #57093 - [
09368db20f] - doc: disambiguate pseudo-code statement (Dario Piotrowicz) #57092 - [
2c3dc569a1] - doc: fix wrong articles used to address modules (Dario Piotrowicz) #57090 - [
cd8259cb4e] - doc:modules.md: fixdistancedefinition (Alexander βweejβ Jones) #57046 - [
7b0ea9ab2d] - doc: fix wrong verb form (Dario Piotrowicz) #57091 - [
14fcfc242b] - doc: add a note aboutrequire('../common')in testing documentation (Aditi) #56953 - [
bc7d18b6ea] - doc: recommend writing tests in new files and including comments (Joyee Cheung) #57028 - [
acd4d7f269] - doc: improve documentation on argument validation (Aditi) #56954 - [
4cd6b3ca73] - doc: buffer: fix typo onBuffer.copyBytesFrom(offsetoption (tpoisseau) #57015 - [
01220607f2] - doc: update cleanup to trust on vuln db automation (Rafael Gonzaga) #57004 - [
77a0505a32] - doc: update post sec release process (Rafael Gonzaga) #56907 - [
77dbcfce5f] - doc: add section about using npx with permission model (Rafael Gonzaga) #56539 - [
73e51407b7] - doc: remove...
Contributors
geeksilva97
Assets 2
2025-08-28, Version 22.19.0 'Jod' (LTS), @aduh95
Notable Changes
- [
8e2076a24f] - (SEMVER-MINOR) cli: addNODE_USE_SYSTEM_CA=1(Joyee Cheung) #59276 - [
e592d739c2] - (SEMVER-MINOR) cli: support${pid}placeholder in--cpu-prof-name(Haram Jeong) #59072 - [
cda1dab6e2] - (SEMVER-MINOR) crypto: addtls.setDefaultCACertificates()(Joyee Cheung) #58822 - [
1f184513e9] - (SEMVER-MINOR) dns: support max timeout (theanarkh) #58440 - [
bace73a173] - doc: update the instruction on how to verify releases (Antoine du Hamel) #59113 - [
fa9a9e9c69] - (SEMVER-MINOR) esm: unflag--experimental-wasm-modules(Guy Bedford) #57038 - [
390a9dc20b] - (SEMVER-MINOR) http: addserver.keepAliveTimeoutBufferoption (Haram Jeong) #59243 - [
c12c5343ad] - lib: docs deprecate_http_*(Sebastian Beltran) #59293 - [
f57ee3d71f] - (SEMVER-MINOR) net: updatenet.blocklistto allow file save and file management (alphaleadership) #58087 - [
035da74c31] - (SEMVER-MINOR) process: addthreadCpuUsage(Paolo Insogna) #56467 - [
8e697d1884] - (SEMVER-MINOR) zlib: add dictionary support tozstdCompressandzstdDecompress(lluisemper) #59240
Commits
- [
73aa0ae37f] - assert: change utils to use index instead of for...of (λ°©μ§ν) #59278 - [
dfe3a11eed] - benchmark: remove deprecated _extend from benchmark (Rafael Gonzaga) #59228 - [
9b9d30042a] - benchmark: add fs warmup to writefile-promises (Bruno Rodrigues) #59215 - [
a663f7f954] - benchmark: add calibrate-n script (Rafael Gonzaga) #59186 - [
1b9b5bddd6] - benchmark: adjust configuration for string-decoder bench (Rafael Gonzaga) #59187 - [
d0ac3319f9] - benchmark: add --track to benchmark (Rafael Gonzaga) #59174 - [
2044968b86] - benchmark: small lint fix on _cli.js (Rafael Gonzaga) #59172 - [
4e519934cb] - benchmark: drop misc/punycode benchmark (Rafael Gonzaga) #59171 - [
07e173d969] - benchmark: fix sqlite-is-transaction (Rafael Gonzaga) #59170 - [
8440b6177f] - benchmark: reduce N for diagnostics_channel subscribe benchmark (Arthur Angelo) #59116 - [
8615ea6db0] - buffer: cache Environment::GetCurrent to avoid repeated calls (Mert Can Altin) #59043 - [
3deb5361d2] - build: fix node_use_sqlite for GN builds (Shelley Vohr) #59017 - [
0f0ce63116] - build: remove suppressions.supp (Rafael Gonzaga) #59079 - [
b30a2117dc] - build,deps,tools: prepare to update to OpenSSL 3.5 (Richard Lau) #58100 - [
8e2076a24f] - (SEMVER-MINOR) cli: add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276 - [
e592d739c2] - (SEMVER-MINOR) cli: support${pid}placeholder in --cpu-prof-name (Haram Jeong) #59072 - [
b5571047ed] - crypto: prepare webcrypto key import/export for modern algorithms (Filip Skokan) #59284 - [
cda1dab6e2] - (SEMVER-MINOR) crypto: add tls.setDefaultCACertificates() (Joyee Cheung) #58822 - [
76dab34fb7] - deps: support madvise(3C) across ALL illumos revisions (Dan McDonald) #58237 - [
19d3ed64b6] - deps: update sqlite to 3.50.4 (Node.js GitHub Bot) #59337 - [
38bafc59e0] - deps: V8: backport 493cb53691be (Chengzhong Wu) #59238 - [
e8da171cc3] - deps: update sqlite to 3.50.3 (Node.js GitHub Bot) #59132 - [
fd4ba38ab6] - deps: update googletest to 7e17b15 (Node.js GitHub Bot) #59131 - [
f71f427b95] - deps: update archs files for openssl-3.0.17 (Node.js GitHub Bot) #59134 - [
79c5a8f4d2] - deps: upgrade openssl sources to openssl-3.0.17 (Node.js GitHub Bot) #59134 - [
0dcc84cf53] - deps: update corepack to 0.34.0 (Node.js GitHub Bot) #59133 - [
1f184513e9] - (SEMVER-MINOR) dns: support max timeout (theanarkh) #58440 - [
f64f5df80e] - doc: fix--use-system-cahistory (Joyee Cheung) #59411 - [
e22aeaa38f] - doc: add missing section forsetReturnArraysinsqlite.md(Edy Silva) #59074 - [
e44ef07235] - doc: rename x509.extKeyUsage to x509.keyUsage (Filip Skokan) #59332 - [
2c5d0aac5e] - doc: fix Pbkdf2Params hash attribute heading (Filip Skokan) #59395 - [
fde94346e5] - doc: fix missing reference links for server.keepAliveTimeoutBuffer (Lee Jiho) #59356 - [
9af8bcea58] - doc: fix grammar in global dispatcher usage (Eng Zer Jun) #59344 - [
0edf17198f] - doc: run license-builder (github-actions[bot]) #59343 - [
7f767a2e38] - doc: correct orthographyeg.βe.g.(Jacob Smith) #59329 - [
a46ed50350] - doc: clarify the need of compiler compatible with c++20 (Rafael Gonzaga) #59297 - [
212263a305] - doc: clarify release candidate stability index (Filip Skokan) #59295 - [
ce93b8b556] - doc: add WDYT to glossary (btea) #59280 - [
ebaaf2c67f] - doc: add manpage entry for --use-system-ca (Joyee Cheung) #59273 - [
43b5a21916] - doc: add path.join and path.normalize clarification (Rafael Gonzaga) #59262 - [[
409c66d328](https://github.com/nodejs/node/commit/...
2025-08-27, Version 24.7.0 (Current), @targos
Notable Changes
Post-Quantum Cryptography in node:crypto
OpenSSL 3.5 on 24.x kicked off post-quantum cryptography efforts in Node.js by
allowing use of NIST's post-quantum cryptography standards for future-proofing
applications against quantum computing threats. The following post-quantum
algorithms are now available in node:crypto:
- ML-KEM (FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard) through new
crypto.encapsulate()andcrypto.decapsulate()methods. - ML-DSA (FIPS 204, Module-Lattice-Based Digital Signature Standard) in the existing
crypto.sign()andcrypto.verify()methods.
Contributed by Filip Skokan in #59259 and #59491.
Modern Algorithms in Web Cryptography API
The second substantial extension to the Web Cryptography API
(globalThis.crypto.subtle) was recently accepted for incubation by WICG.
The following algorithms and methods from this extension are now available in
the Node.js Web Cryptography API implementation:
- AES-OCB
- ChaCha20-Poly1305
- ML-DSA
- ML-KEM
- SHA-3
- SHAKE
subtle.getPublicKey()SubtleCrypto.supports()- ... with more coming in future releases.
Contributed by Filip Skokan in #59365, #59569, #59461, and #59539.
Node.js execution argument support in single executable applications
The single executable application configuration now supports additional fields
to specify Node.js execution arguments and control how they can be extended when
the application is run.
execArgvtakes an array of strings for the execution arguments to be used.execArgvExtensiontakes one of the following values:"none": No additional execution arguments are allowed."cli": Additional execution arguments can be provided via a special command-line flag--node-options="--flag1 --flag2=value"at run time."env"(default): Additional execution arguments can be provided via theNODE_OPTIONSenvironment variable at run time.
For example, with the following configuration:
{
"main": "/path/to/bundled/script.js",
"output": "/path/to/write/the/generated/blob.blob",
"execArgv": ["--no-warnings"],
"execArgvExtension": "cli",
}If the generated single executable application is named sea, then running:
sea --node-options="--max-old-space-size=4096" user-arg1 user-arg2Would be equivalent to running:
node --no-warnings --max-old-space-size=4096 /path/to/bundled/script.js user-arg1 user-arg2Contributed by Joyee Cheung in #59314 and #59560.
Root certificates updated to NSS 3.114
Certificates added:
- TrustAsia TLS ECC Root CA
- TrustAsia TLS RSA Root CA
- SwissSign RSA TLS Root CA 2022 - 1
Certificates removed:
- GlobalSign Root CA
- Entrust.net Premium 2048 Secure Server CA
- Baltimore CyberTrust Root
- Comodo AAA Services root
- XRamp Global CA Root
- Go Daddy Class 2 CA
- Starfield Class 2 CA
Other Notable Changes
- [
d3afc63c44] - (SEMVER-MINOR) crypto: add argon2() and argon2Sync() methods (Ranieri Althoff) #50353 - [
6ae202fcdf] - (SEMVER-MINOR) http: add Agent.agentKeepAliveTimeoutBuffer option (Haram Jeong) #59315 - [
dafee05358] - (SEMVER-MINOR) http2: add support for raw header arrays in h2Stream.respond() (Tim Perry) #59455 - [
8dc6f5b696] - (SEMVER-MINOR) stream: add brotli support to CompressionStream and DecompressionStream (Matthew Aitken) #59464
Commits
- [
0fa22cbf7c] - benchmark: calibrate config v8/serialize.js (Rafael Gonzaga) #59586 - [
f5ece45b45] - benchmark: reduce readfile-permission-enabled config (Rafael Gonzaga) #59589 - [
8ebd4f4434] - benchmark: calibrate length of util.diff (Rafael Gonzaga) #59588 - [
7dee3ffd14] - benchmark: reflect current OpenSSL in crypto key benchmarks (Filip Skokan) #59459 - [
027b861ca1] - benchmark, test: replace CRLF variable with string literal (Lee Jiho) #59466 - [
89dd770889] - build: do not set-mminimal-tocwithclang(Richard Lau) #59484 - [
e13de4542f] - child_process: remove unsafe array iteration (hotpineapple) #59347 - [
89fe63551e] - crypto: load system CA certificates off thread (Joyee Cheung) #59550 - [
152c5ef518] - (SEMVER-MINOR) crypto: add AES-OCB Web Cryptography algorithm (Filip Skokan) #59539 - [
c6c418343d] - crypto: update root certificates to NSS 3.114 (Node.js GitHub Bot) #59571 - [
18a2ee5b6c] - (SEMVER-MINOR) crypto: support ML-KEM in Web Cryptography (Filip Skokan) #59569 - [
72937e5144] - crypto: require HMAC key length with SHA-3 hashes in Web Cryptography (Filip Skokan) #59567 - [
b7383186c7] - crypto: fix subtle.getPublicKey error for secret type key inputs (Filip Skokan) #59558 - [
2d05c046db] - crypto: return cached copies from CryptoKey algorithm and usages getters (Filip Skokan) #59538 - [
207ffbeb07] - crypto: use CryptoKey internal slots in Web Cryptography (Filip Skokan) #59538 - [
4276516781] - crypto: normalize RsaHashedKeyParams publicExponent (Filip Skokan) #59538 - [
14741539a7] - (SEMVER-MINOR) crypto: support ML-KEM, DHKEM, and RSASVE key encapsulation mechanisms (Filip Skokan) #59491 - [
d3afc63c44] - (SEMVER-MINOR) crypto: add argon2() and argon2Sync() methods (Ranieri Althoff) #50353 - [
4fe383e45a] - (SEMVER-MINOR) crypto: support ML-DSA spki/pkcs8 key formats in Web Cryptography (Filip Skokan) #59365 - [
a95386fbf9] - (SEMVER-MINOR) crypto: subject some algorithms in Web Cryptography on BoringSSL absence (Filip Skokan) #59365 - [
3f47a2fb63] - (SEMVER-MINOR) crypto: add ChaCha20-Poly1305 Web Cryptography algorithm (Filip Skokan) #59365 - [
6fcce9058a] - (SEMVER-MINOR) crypto: add subtle.getPublicKey() utility function in Web Cryptography (Filip Skokan) #59365 - [
76cde76429] - (SEMVER-MINOR) crypto: add SHA-3 Web Cryptography digest algorithms (Filip Skokan) #59365 - [
247d017501] - (SEMVER-MINOR) crypto: add SHAKE Web Cryptography digest algorithms (Filip Skokan) #59365 - [
f4fbcca5ce] - (SEMVER-MINOR) crypto: add SubtleCrypto.supports feature detection in Web Cryptography (Filip Skokan) #59365 - [
a55382214f] - (SEMVER-MINOR) crypto: support ML-DSA in Web Cryptography (Filip Skokan) #59365 - [
c38988c860] - crypto: fix EVPKeyCtxPointer::publicCheck() (Tobias NieΓen) #59471 - [[
61c3bcdc56](https://github.com...
2025-08-14, Version 24.6.0 (Current), @RafaelGSS
Notable Changes
- [
471fe712b3] - (SEMVER-MINOR) cli: add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276 - [
38aedfbf73] - (SEMVER-MINOR) crypto: support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259 - [
201304537e] - (SEMVER-MINOR) zlib: add dictionary support to zstdCompress and zstdDecompress (lluisemper) #59240 - [
e79c93a5d0] - (SEMVER-MINOR) http: add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243 - [
c144d69efc] - lib: docs deprecate _http_* (Sebastian Beltran) #59293 - [
aeb4de55a7] - (SEMVER-MINOR) fs: port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897
Commits
- [
f7484575ff] - assert: change utils to use index instead of for...of (λ°©μ§ν) #59278 - [
269cd16185] - benchmark: remove deprecated _extend from benchmark (Rafael Gonzaga) #59228 - [
848e49c20b] - benchmark: add fs warmup to writefile-promises (Bruno Rodrigues) #59215 - [
8c609be1b1] - benchmark: add calibrate-n script (Rafael Gonzaga) #59186 - [
6a3bf772d8] - build: fix node_use_sqlite for GN builds (Shelley Vohr) #59017 - [
471fe712b3] - (SEMVER-MINOR) cli: add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #59276 - [
38aedfbf73] - (SEMVER-MINOR) crypto: support ML-DSA KeyObject, sign, and verify (Filip Skokan) #59259 - [
a312e706cf] - crypto: prepare webcrypto key import/export for modern algorithms (Filip Skokan) #59284 - [
3a7c2c3a47] - deps: update ada to 3.2.7 (Node.js GitHub Bot) #59336 - [
8d9ceeaf6a] - deps: update archs files for openssl-3.5.2 (Node.js GitHub Bot) #59371 - [
33b06df354] - deps: upgrade openssl sources to openssl-3.5.2 (Node.js GitHub Bot) #59371 - [
fa70f1af77] - deps: support madvise(3C) across ALL illumos revisions (Dan McDonald) #58237 - [
f834a6be59] - deps: update undici to 7.13.0 (Node.js GitHub Bot) #59338 - [
db2417487e] - deps: update sqlite to 3.50.4 (Node.js GitHub Bot) #59337 - [
41978adb08] - deps: V8: backport 493cb53691be (Chengzhong Wu) #59238 - [
05667991ca] - deps: V8: backport 1c3e018e7d48 (Renegade334) #58818 - [
fd61588bb4] - doc: rename x509.extKeyUsage to x509.keyUsage (Filip Skokan) #59332 - [
a271ae4360] - doc: fix Pbkdf2Params hash attribute heading (Filip Skokan) #59395 - [
72cfff165b] - doc: fix missing reference links for server.keepAliveTimeoutBuffer (Lee Jiho) #59356 - [
8341916772] - doc: fix grammar in global dispatcher usage (Eng Zer Jun) #59344 - [
e3e489706b] - doc: run license-builder (github-actions[bot]) #59343 - [
46527e8cea] - doc: correct orthographyeg.βe.g.(Jacob Smith) #59329 - [
d140c3713e] - doc: clarify the need of compiler compatible with c++20 (Rafael Gonzaga) #59297 - [
95e9cabf9d] - doc: clarify release candidate stability index (Filip Skokan) #59295 - [
a056dd36d2] - doc: add WDYT to glossary (btea) #59280 - [
1e2c52f5c4] - doc: add manpage entry for --use-system-ca (Joyee Cheung) #59273 - [
31a46fdeb4] - doc: add path.join and path.normalize clarification (Rafael Gonzaga) #59262 - [
cff3725ff9] - doc: fix typo intest/common/README.md(Yoo) #59180 - [
31a9283591] - doc: add note on process memoryUsage (fengmk2) #59026 - [
5a98bff6b8] - doc: format safely fordoc-kit(Aviv Keller) #59229 - [
95b8b7ea5c] - domain: remove deprecated API call (Alex Yang) #59339 - [
2990f178bd] - fs: fix glob TypeError on restricted dirs (Sylphy-0xd3ac) #58674 - [
e2fb4caf9c] - fs: correct error message when FileHandle is transferred (Alex Yang) #59156 - [
aeb4de55a7] - (SEMVER-MINOR) fs: port SonicBoom module to fs module as Utf8Stream (James M Snell) #58897 - [
e79c93a5d0] - (SEMVER-MINOR) http: add server.keepAliveTimeoutBuffer option (Haram Jeong) #59243 - [
0fb005a53f] - http2: set Http2Stream#sentHeaders for raw headers (Darshan Sen) #59244 - [
e055539604] - lib: add trace-sigint APIs (theanarkh) #59040 - [
d2183d860a] - lib: optimize writable stream buffer clearing (Yoo) #59406 - [
47543a7e17] - lib: handle windows reserved device names on UNC (Rafael Gonzaga) #59286 - [
c6911f0717] - lib: do not modify prototype deprecated asyncResource (RafaelGSS) #59195 - [
3c88b769bb] - lib: restructure assert to become a class (Miguel Marcondes Filho) #58253 - [
e91b54df59] - lib: handle superscript variants on windows device (Rafael Gonzaga) #59261 - [
4ee467905d] - lib: use validateString (hotpineapple) #59296 - [
c144d69efc] - lib: docs deprecate _http_* (Sebastian Beltran) #59293 - [
c89b67e681] - lib: add type names in source mapped stack traces (Chengzhong Wu) #58976 - [
5b2363be8d] - lib: prefer AsyncIteratorPrototype primordial (RenΓ©) #59097 - [
41b4f4d694] - meta: cla...
2025-07-31, Version 24.5.0 (Current), @aduh95
Notable Changes
Upgrade to OpenSSL 3.5
This release is distributed with OpenSSL 3.5.1, following the announcement that
OpenSSL 3.5 will be supported until April 2030, while Node.js 24 will be
supported until April 2028. Read more about OpenSSL support in their blog post:
https://openssl-library.org/post/2025-02-20-openssl-3.5-lts/.
Contributed by Richard Lau in #58100.
Unflag --experimental-wasm-modules
Node.js supports both source phase imports and instance phase imports to WebAssembly
modules and for WASM imports to JavaScript, in line with the current Phase 3
WebAssembly ESM Integration proposal.
The implementation and the specification are still subject to change.
Contributed by Guy Bedford in #57038.
Built-in proxy support in request() and Agent
node:http and node:https now support proxies. When NODE_USE_ENV_PROXY
is set to 1, the default global agent would parse the http_proxy/HTTP_PROXY,
https_proxy/HTTPS_PROXY, no_proxy/NO_PROXY settings from the
environment variables, and proxy the requests sent through the built-in http/https
client accordingly.
To use global proxy support from the command line:
NODE_USE_ENV_PROXY=1 HTTP_PROXY=http://proxy.example.com:8080 HTTPS_PROXY=http://proxy.example.com:8080 NO_PROXY=localhost,127.0.0.1 node client.jsIn addition, http.Agent and https.Agent now support the custom proxyEnv options.
const agent = new https.Agent({ proxyEnv: { HTTPS_PROXY: 'http://proxy.example.com:8080' } });For reference, fetch() already supports NODE_USE_ENV_PROXY as of Node.js 24.0.0.
Contributed by Joyee Cheung in #58980.
Add setDefaultCACertificates() to node:tls
This API allows dynamically configuring CA certificates that will be used by the
Node.js TLS clients by default.
Once called, the provided certificates will become the default CA certificate list
returned by tls.getCACertificates('default') and used by TLS connections that
don't specify their own CA certificates.
To add system CA certificates to the default bundle (which includes the Mozilla
CA certificates):
tls.setDefaultCACertificates(tls.getCACertificates('default').concat(tls.getCACertificates('system')));Contributed by Joyee Cheung in #58822.
Other notable changes
- [
d5640ca58a] - (SEMVER-MINOR) cli: support${pid}placeholder in--cpu-prof-name(Haram Jeong) #59072 - [
c52aaacfc5] - (SEMVER-MINOR) dns: support max timeout (theanarkh) #58440 - [
927742b342] - doc: update the instruction on how to verify releases (Antoine du Hamel) #59113 - [
f753645cd8] - (SEMVER-MINOR) net: update net.blocklist to allow file save and file management (alphaleadership) #58087 - [
9791ff3480] - (SEMVER-MINOR) worker: add web locks api (ishabi) #58666
Commits
- [
5457c7a8a1] - benchmark: adjust configuration for string-decoder bench (Rafael Gonzaga) #59187 - [
28538f2255] - benchmark: add --track to benchmark (Rafael Gonzaga) #59174 - [
a28d804497] - benchmark: small lint fix on _cli.js (Rafael Gonzaga) #59172 - [
09717eb68e] - benchmark: drop misc/punycode benchmark (Rafael Gonzaga) #59171 - [
ad6757ef02] - benchmark: fix sqlite-is-transaction (Rafael Gonzaga) #59170 - [
7fc3143f61] - benchmark: reduce N for diagnostics_channel subscribe benchmark (Arthur Angelo) #59116 - [
f2812723a0] - buffer: cache Environment::GetCurrent to avoid repeated calls (Mert Can Altin) #59043 - [
e3e729ca60] - build: remove suppressions.supp (Rafael Gonzaga) #59079 - [
dc66422768] - build,deps,tools: prepare to update to OpenSSL 3.5 (Richard Lau) #58100 - [
f5da4947d9] - cli: add --use-env-proxy (Joyee Cheung) #59151 - [
d5640ca58a] - (SEMVER-MINOR) cli: support${pid}placeholder in --cpu-prof-name (Haram Jeong) #59072 - [
eeeb40e95b] - (SEMVER-MINOR) crypto: add tls.setDefaultCACertificates() (Joyee Cheung) #58822 - [
135fca5b72] - crypto: avoid copying buffers to UTF-8 strings incrypto.hash()(Renegade334) #59067 - [
998cef10e3] - deps: update archs files for openssl-3.5.1 (Node.js GitHub Bot) #59234 - [
1f06ca956a] - deps: upgrade openssl sources to openssl-3.5.1 (Node.js GitHub Bot) #59234 - [
55a90eed8d] - deps: upgrade npm to 11.5.1 (npm team) #59199 - [
2b5d451ae0] - deps: update amaro to 1.1.1 (Node.js GitHub Bot) #59141 - [
af789d9b5c] - deps: update undici to 7.12.0 (Node.js GitHub Bot) #59135 - [
a34e44545e] - deps: update sqlite to 3.50.3 (Node.js GitHub Bot) #59132 - [
bfe4781c7d] - deps: update googletest to 7e17b15 (Node.js GitHub Bot) #59131 - [
72adf52e51] - deps: update ada to 3.2.6 (Node.js GitHub Bot) #58966 - [
2a5f35b589] - deps: V8: cherry-pick 3d750c2aa9ef (MichaΓ«l Zasso) #58750 - [
3f813eaba7] - deps: update archs files for openssl-3.0.17 (Node.js GitHub Bot) #59134 - [
fb52d0d8df] - deps: upgrade openssl sources to openssl-3.0.17 (Node.js GitHub Bot) #59134 - [
f122602f9d] - deps: update corepack to 0.34.0 (Node.js GitHub Bot) #59133 - [
c52aaacfc5] - (SEMVER-MINOR) dns: support max timeout (theanarkh) #58440 - [
927742b342] - doc: update the instruction on how to verify releases (Antoine du Hamel) #59113 - [
9a8d2020ad] - doc: copyedit SECURITY.md (Rich Trott) #59190 - [
3da5bc0668] - doc: fix broken sentence inURL.parse(Superchupu) #59164 - [
06cd7461e0] - doc: improve onboarding instructions (Joyee Cheung) #59159 - [
dfb72d158b] - doc: add constraints for mem leak to threat model (Rafael Gonzaga) #58917 - [
51b8dfd5c6] - doc: add Aditi-1400 to collaborators (Aditi) #59157 - [
4ffa756ce3] - doc: avoid suggesting testing fast api with intense loop (Chengzhong Wu) #59111 - [
6f81b274f7] - doc: fix typo in writing-test.md (SeokHun) #59123 - [
88e434e687] - ...
2025-07-31, Version 22.18.0 'Jod' (LTS), @aduh95
Notable Changes
Type stripping is enabled by default
Node.js will be able to execute TypeScript files without additional configuration:
$ echo 'const foo: string = 'World'; console.log(`Hello ${foo}!`);' > file.ts
$ node file.ts
Hello World!There are some limitations in the supported syntax documented at
https://nodejs.org/api/typescript.html#type-stripping.
This feature is experimental and is subject to change. Disable it by passing
--no-experimental-strip-types CLI flag.
Contributed by Marco Ippolito in #56350.
Other notable changes
- [
26f3711228] - (SEMVER-MINOR) deps: update amaro to 1.1.0 (Node.js GitHub Bot) #56350 - [
d80ef2a71f] - (SEMVER-MINOR) doc: add all watch-mode related flags to node.1 (Dario Piotrowicz) #58719 - [
8ab24d21c9] - doc: add islandryu to collaborators (Shima Ryuhei) #58714 - [
430e66b9b8] - (SEMVER-MINOR) esm: implementimport.meta.main(Joe) #57804 - [
62f7926b6a] - (SEMVER-MINOR) fs: allow correct handling of burst in fs-events with AsyncIterator (Philipp Dunkel) #58490 - [
65f19a00c3] - (SEMVER-MINOR) permission: propagate permission model flags on spawn (Rafael Gonzaga) #58853 - [
ccca1517f9] - (SEMVER-MINOR) sqlite: add support forreadBigIntsoption in db connection level (Miguel Marcondes Filho) #58697 - [
48003e87e8] - (SEMVER-MINOR) src,permission: add support topermission.has(addon)(Rafael Gonzaga) #58951 - [
fe4290a0e6] - (SEMVER-MINOR) url: addfileURLToPathBufferAPI (James M Snell) #58700 - [
4dc6b4c67a] - (SEMVER-MINOR) watch: add--watch-kill-signalflag (Dario Piotrowicz) #58719 - [
8dbc6b210f] - (SEMVER-MINOR) worker: makeWorkerasync disposable (James M Snell) #58385
Commits
- [
b19ffebea7] - assert: remove dead code (Yoshiya Hinosawa) #58760 - [
5bc828beae] - benchmark: add source map and source map cache (Miguel Marcondes Filho) #58125 - [
f7c16985a7] - build: disable v8_enable_pointer_compression_shared_cage on non-64bit (Shelley Vohr) #58867 - [
ba42c72f7f] - build: option to use custom inspector_protocol path (Shelley Vohr) #58839 - [
4fd8911653] - build: fix typo 'Stoage' to 'Storage' in help text (ganglike) #58777 - [
114cd95919] - crypto: fix inclusion of OPENSSL_IS_BORINGSSL define (Shelley Vohr) #58845 - [
6699c75eac] - crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 (Filip Skokan) #58942 - [
f99aa748c0] - deps: upgrade npm to 10.9.3 (npm team) #58847 - [
02e971190b] - deps: update sqlite to 3.50.2 (Node.js GitHub Bot) #58882 - [
de2b85b5ae] - deps: update googletest to 35b75a2 (Node.js GitHub Bot) #58710 - [
e7591d7a19] - deps: update minimatch to 10.0.3 (Node.js GitHub Bot) #58712 - [
8c61b96c43] - deps: update acorn to 8.15.0 (Node.js GitHub Bot) #58711 - [
113f4e2d3c] - deps: update sqlite to 3.50.1 (Node.js GitHub Bot) #58630 - [
7ccd848995] - deps: update simdjson to 3.13.0 (Node.js GitHub Bot) #58629 - [
e9c51deb5c] - deps: update zlib to 1.3.1-470d3a2 (Node.js GitHub Bot) #58628 - [
26f3711228] - (SEMVER-MINOR) deps: update amaro to 1.1.0 (Node.js GitHub Bot) #56350 - [
752dde182f] - (SEMVER-MINOR) deps: update amaro to 1.0.0 (Node.js GitHub Bot) #56350 - [
258534d0dc] - (SEMVER-MINOR) deps: update amaro to 0.5.3 (Node.js GitHub Bot) #56350 - [
7fcf675503] - (SEMVER-MINOR) deps: update amaro to 0.5.2 (Node.js GitHub Bot) #56350 - [
81a10a67d5] - (SEMVER-MINOR) deps: update amaro to 0.5.1 (Marco Ippolito) #56350 - [
25f8682a62] - (SEMVER-MINOR) deps: update amaro to 0.5.0 (nodejs-github-bot) #56350 - [
4baf2167e7] - dns: fix parse memory leaky (theanarkh) #58973 - [
e8f4a7df22] - dns: set timeout to 1000ms when timeout < 0 (theanarkh) #58441 - [
1e373a0a25] - doc: update release key for aduh95 (Antoine du Hamel) #58877 - [
d5c104246f] - doc: remove broken link to permission model source code (Juan JosΓ©) #58972 - [
b8885a25ff] - doc: clarify details of TSC public and private meetings (James M Snell) #58925 - [
aa05823b37] - doc: mark stability markers consistent inglobals.md(Antoine du Hamel) #58932 - [
3856aee9b2] - doc: move "Core Promise APIs" to "Completed initiatives" (Antoine du Hamel) #58934 - [
c2f9735422] - doc: fixfetchsubsections inglobals.md(Antoine du Hamel) #58933 - [
5f4c7a9d2d] - doc: add missingClass:mentions (Antoine du Hamel) #58931 - [
88ee38b37c] - doc: remove myself from security steward rotation (Michael Dawson) #58927 - [
02031a9b0d] - doc: add ovflowd back to core collaborators (Claudio W.) #58911 - [
9551fa3c8f] - doc: update email address for Richard Lau (Richard Lau) #58910 - [
cd6bc982c0] - doc: update vm doc links (Chengzhong Wu) #58885 - [
ce49303cd0] - doc: add missing comma inchild_process.md(ronijames008) #58862 - [
d80ef2a71f] - (SEMVER-MINOR) doc: add all watch-mode related flags to node.1 (Dario Piotrowicz) #58719 - [
f8fcb1c83a] - doc: fix jsdoc definition of assert.ifError() fn in lib/assert.js (jesh) #58573 - [[
28fddc04ca](https:/...
2025-07-15, Version 24.4.1 (Current), @RafaelGSS
This is a security release.
Notable Changes
- (CVE-2025-27209) HashDoS in V8 with new RapidHash algorithm
- (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()
Commits
- [
c33223f1a5] - (CVE-2025-27209) deps: V8: revert rapidhash commits (MichaΓ«l Zasso) nodejs-private/node-private#713 - [
56f9db2aaa] - (CVE-2025-27210) lib: handle all windows reserved driver name (RafaelGSS) nodejs-private/node-private#721
2025-07-15, Version 22.17.1 'Jod' (LTS), @RafaelGSS
This is a security release.
Notable Changes
- (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()
Commits
- [
8cf5d66ab7] - (CVE-2025-27210) lib: handle all windows reserved driver name (RafaelGSS) nodejs-private/node-private#721 - [
9c0cb487ec] - win,build: fix MSVS v17.14 compilation issue (StefanStojanovic) #58902
2025-07-15, Version 20.19.4 'Iron' (LTS), @RafaelGSS
This is a security release.
Notable Changes
- (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()
Commits
- [
db7b93fcef] - (CVE-2025-27210) lib: handle all windows reserved driver name (RafaelGSS) nodejs-private/node-private#721
2025-07-09, Version 24.4.0 (Current), @RafaelGSS
Notable Changes
- [
22b60e8a57] - (SEMVER-MINOR) crypto: support outputLength option in crypto.hash for XOF functions (Aditi) #58121 - [
80dec9849d] - (SEMVER-MINOR) doc: add all watch-mode related flags to node.1 (Dario Piotrowicz) #58719 - [
87f4d078b3] - (SEMVER-MINOR) fs: add disposable mkdtempSync (Kevin Gibbons) #58516 - [
9623c50b53] - (SEMVER-MINOR) permission: propagate permission model flags on spawn (Rafael Gonzaga) #58853 - [
797ec4da04] - (SEMVER-MINOR) sqlite: add support for readBigInts option in db connection level (Miguel Marcondes Filho) #58697 - [
ed966a0215] - (SEMVER-MINOR) src,permission: add support to permission.has(addon) (Rafael Gonzaga) #58951 - [
fe17f5d285] - (SEMVER-MINOR) watch: add--watch-kill-signalflag (Dario Piotrowicz) #58719
Commits
- [
a118bfc536] - assert: remove dead code (Yoshiya Hinosawa) #58760 - [
31252b9af1] - benchmark: add source map and source map cache (Miguel Marcondes Filho) #58125 - [
4170359bcd] - bootstrap: initialize http proxy after user module loader setup (Joyee Cheung) #58938 - [
c76585d10e] - build: disable v8_enable_pointer_compression_shared_cage on non-64bit (Shelley Vohr) #58867 - [
049c838609] - build: option to use custom inspector_protocol path (Shelley Vohr) #58839 - [
22b60e8a57] - (SEMVER-MINOR) crypto: support outputLength option in crypto.hash for XOF functions (Aditi) #58121 - [
77712ae2a1] - crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 (Filip Skokan) #58942 - [
93e1a33b81] - crypto: fix inclusion of OPENSSL_IS_BORINGSSL define (Shelley Vohr) #58845 - [
573171deb0] - deps: V8: cherry-pick 0ce2edb7adfd (Levi Zim) #58773 - [
bf66291382] - deps: V8: cherry-pick 1d7159580156 (MichaΓ«l Zasso) #58749 - [
f735b8b8d0] - deps: update sqlite to 3.50.2 (Node.js GitHub Bot) #58882 - [
8e9622e494] - deps: update undici to 7.11.0 (Node.js GitHub Bot) #58859 - [
8741da81c7] - deps: update googletest to 35b75a2 (Node.js GitHub Bot) #58710 - [
028ce40e25] - deps: update minimatch to 10.0.3 (Node.js GitHub Bot) #58712 - [
3afb15b715] - dns: fix parse memory leaky (theanarkh) #58973 - [
f40ac32f3e] - dns: set timeout to 1000ms when timeout < 0 (theanarkh) #58441 - [
921b563999] - doc: remove broken link to permission model source code (Juan JosΓ©) #58972 - [
78628d6158] - doc: clarify details of TSC public and private meetings (James M Snell) #58925 - [
ab834a8b94] - doc: mark stability markers consistent inglobals.md(Antoine du Hamel) #58932 - [
8d4f6a0016] - doc: move "Core Promise APIs" to "Completed initiatives" (Antoine du Hamel) #58934 - [
94725fced5] - doc: fixfetchsubsections inglobals.md(Antoine du Hamel) #58933 - [
a7a4870014] - doc: add missingClass:mentions (Antoine du Hamel) #58931 - [
98f29fa2fd] - doc: remove myself from security steward rotation (Michael Dawson) #58927 - [
710e13d436] - doc: add ovflowd back to core collaborators (Claudio W.) #58911 - [
8b93008dc0] - doc: update email address for Richard Lau (Richard Lau) #58910 - [
9ff81d21ed] - doc: update vm doc links (Chengzhong Wu) #58885 - [
ff2efd266d] - doc: fix links in test.md (Vas Sudanagunta) #58876 - [
5e854e1f61] - doc: add missing comma inchild_process.md(ronijames008) #58862 - [
48f5d6d686] - doc: add guidelines for introduction of ERM support (James M Snell) #58526 - [
80dec9849d] - (SEMVER-MINOR) doc: add all watch-mode related flags to node.1 (Dario Piotrowicz) #58719 - [
b36fa0fda1] - doc: fix jsdoc definition of assert.ifError() fn in lib/assert.js (jesh) #58573 - [
cebb93ea12] - doc: add array type in http request headers (Michael Henrique) #58049 - [
6e6b373da1] - doc: add missing colon to headers inglobals.md(Aviv Keller) #58825 - [
1519b75191] - doc: fixstream.mdsection order (Antoine du Hamel) #58811 - [
87f4d078b3] - (SEMVER-MINOR) fs: add disposable mkdtempSync (Kevin Gibbons) #58516 - [
b378fc3ac0] - fs: close dir before throwing ifoptions.bufferSizeis invalid (Livia Medeiros) #58856 - [
23bd4d1867] - fs: special input-1onchown,lchownandfchown(Alex Yang) #58836 - [
d07ce8e90c] - fs: throwERR_INVALID_THISon illegal invocations (Livia Medeiros) #58848 - [
0d969a66dc] - inspector: support undici traffic data inspection (Chengzhong Wu) #58953 - [
839b25e371] - lib: exposesetupInstancemethod on WASI class (toyobayashi) #57214 - [
d8f3f649c2] - lib: fixgetTypeScriptParsingModejsdoc (ζ²ιΈΏι£) #58681 - [
d534706211] - meta: bump step-security/harden-runner from 2.12.0 to 2.12.2 (dependabot[bot]) #58923 - [
3ec5fe04d0] - meta: bump github/codeql-action from 3.28.18 to 3.29.2 (dependabot[bot]) #58922 - [
bd4a1a5b06] - meta: add IlyasShabi to collaborators (Ilyas Shabi) #58916
...