[pull] main from nodejs:main

.github/workflows/test-linux.yml

@@ -35,6 +35,7 @@ env:
   CC: sccache clang-19
   CXX: sccache clang++-19
   SCCACHE_GHA_ENABLED: 'true'
+  RUSTC_VERSION: '1.82'
 
 permissions:
   contents: read
@@ -56,6 +57,10 @@ jobs:
         uses: ./node/.github/actions/install-clang
         with:
           clang-version: ${{ env.CLANG_VERSION }}
+      - name: Install Rust ${{ env.RUSTC_VERSION }}
+        run: |
+          rustup override set "$RUSTC_VERSION"
+          rustup --version
       - name: Set up Python ${{ env.PYTHON_VERSION }}
         uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548  # v6.1.0
         with:
@@ -68,7 +73,7 @@ jobs:
       - name: Environment Information
         run: npx envinfo
       - name: Build
-        run: make -C node build-ci -j4 V=1 CONFIG_FLAGS="--error-on-warn"
+        run: make -C node build-ci -j4 V=1 CONFIG_FLAGS="--error-on-warn --v8-enable-temporal-support"
       - name: Test
         run: make -C node run-ci -j4 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9"
       - name: Re-run test in a folder whose name contains unusual chars

BUILDING.md

@@ -1044,6 +1044,16 @@ configure option:
 ./configure --openssl-conf-name=<some_conf_name>
 ```
 
+## Building Node.js with Temporal support
+
+Node.js supports the [Temporal](https://github.com/tc39/proposal-temporal) APIs, when
+linking statically or dynamically with a version [temporal\_rs](https://github.com/boa-dev/temporal).
+
+To build Node.js with Temporal support, a Rust toolchain is required:
+
+* rustc >= 1.82 (with LLVM >= 19)
+* cargo >= 1.82
+
 ## Building Node.js with FIPS-compliant OpenSSL
 
 Node.js supports FIPS when statically or dynamically linked with OpenSSL 3 via

test/fixtures/permission/config-fs-read-only.json

@@ -0,0 +1,7 @@
+{
+    "permission": {
+        "allow-fs-read": [
+            "*"
+        ]
+    }
+}

test/parallel/test-permission-config-file.mjs

@@ -5,15 +5,16 @@ import { describe, it } from 'node:test';
 
 describe('Permission model config file support', () => {
   it('should load filesystem read/write permissions from config file', async () => {
-    const configPath = fixtures.path('permission/config-fs-read-write.json');
+    const readWriteConfigPath = fixtures.path('permission/config-fs-read-write.json');
+    const readOnlyConfigPath = fixtures.path('permission/config-fs-read-only.json');
     const readTestPath = fixtures.path('permission/fs-read-test.js');
     const writeTestPath = fixtures.path('permission/fs-write-test.js');
 
     {
       const result = await spawnPromisified(process.execPath, [
         '--permission',
         '--experimental-config-file',
-        configPath,
+        readOnlyConfigPath,
         readTestPath,
       ]);
       assert.strictEqual(result.code, 0);
@@ -23,40 +24,78 @@ describe('Permission model config file support', () => {
       const result = await spawnPromisified(process.execPath, [
         '--permission',
         '--experimental-config-file',
-        configPath,
+        readWriteConfigPath,
         writeTestPath,
       ]);
       assert.strictEqual(result.code, 0);
     }
+
+    {
+      const result = await spawnPromisified(process.execPath, [
+        '--permission',
+        '--experimental-config-file',
+        readOnlyConfigPath,
+        writeTestPath,
+      ]);
+      assert.strictEqual(result.code, 1);
+      assert.match(result.stderr, /Access to this API has been restricted\. Use --allow-fs-write to manage permissions/);
+    }
   });
 
   it('should load child process and worker permissions from config file', async () => {
     const configPath = fixtures.path('permission/config-child-worker.json');
+    const readOnlyConfigPath = fixtures.path('permission/config-fs-read-only.json');
     const childTestPath = fixtures.path('permission/child-process-test.js');
 
-    const result = await spawnPromisified(process.execPath, [
-      '--permission',
-      '--experimental-config-file',
-      configPath,
-      '--allow-fs-read=*',
-      childTestPath,
-    ]);
-    assert.strictEqual(result.code, 0);
+    {
+      const result = await spawnPromisified(process.execPath, [
+        '--permission',
+        '--experimental-config-file',
+        configPath,
+        childTestPath,
+      ]);
+      assert.strictEqual(result.code, 0);
+    }
+
+    {
+      const result = await spawnPromisified(process.execPath, [
+        '--permission',
+        '--experimental-config-file',
+        readOnlyConfigPath,
+        childTestPath,
+      ]);
+      assert.strictEqual(result.code, 1, result.stderr);
+      assert.match(result.stderr, /Access to this API has been restricted\. Use --allow-child-process to manage permissions/);
+    }
   });
 
   it('should load network and inspector permissions from config file', async () => {
     const configPath = fixtures.path('permission/config-net-inspector.json');
+    const readOnlyConfigPath = fixtures.path('permission/config-fs-read-only.json');
 
-    const result = await spawnPromisified(process.execPath, [
-      '--permission',
-      '--experimental-config-file',
-      configPath,
-      '--allow-fs-read=*',
-      '-p',
-      'process.permission.has("net") && process.permission.has("inspector")',
-    ]);
-    assert.match(result.stdout, /true/);
-    assert.strictEqual(result.code, 0);
+    {
+      const result = await spawnPromisified(process.execPath, [
+        '--permission',
+        '--experimental-config-file',
+        configPath,
+        '-p',
+        'process.permission.has("net") && process.permission.has("inspector")',
+      ]);
+      assert.match(result.stdout, /true/);
+      assert.strictEqual(result.code, 0);
+    }
+
+    {
+      const result = await spawnPromisified(process.execPath, [
+        '--permission',
+        '--experimental-config-file',
+        readOnlyConfigPath,
+        '-p',
+        'process.permission.has("net") + process.permission.has("inspector")',
+      ]);
+      assert.match(result.stdout, /0/);
+      assert.strictEqual(result.code, 0);
+    }
   });
 
   it('should load addons and wasi permissions from config file', async () => {
@@ -74,32 +113,17 @@ describe('Permission model config file support', () => {
     assert.strictEqual(result.code, 0);
   });
 
-  it('should deny operations when permissions are not in config file', async () => {
-    const configPath = fixtures.path('permission/config-fs-read-write.json');
-
-    const result = await spawnPromisified(process.execPath, [
-      '--permission',
-      '--experimental-config-file',
-      configPath,
-      '--allow-fs-read=*',
-      '-p',
-      'process.permission.has("child")',
-    ]);
-    assert.match(result.stdout, /false/);
-    assert.strictEqual(result.code, 0);
-  });
-
   it('should combine config file permissions with CLI flags', async () => {
-    const configPath = fixtures.path('permission/config-fs-read-write.json');
+    const configPath = fixtures.path('permission/config-fs-read-only.json');
 
     const result = await spawnPromisified(process.execPath, [
       '--permission',
       '--experimental-config-file',
       configPath,
       '--allow-child-process',
-      '--allow-fs-read=*',
+      '--allow-fs-write=*',
       '-p',
-      'process.permission.has("child") && process.permission.has("fs.read")',
+      'process.permission.has("child") && process.permission.has("fs.read") && process.permission.has("fs.write")',
     ]);
     assert.match(result.stdout, /true/);
     assert.strictEqual(result.code, 0);