Current |
---|
20.3.1 20.3.0 20.2.0 20.1.0 20.0.0 |
- Other Versions
This is a security release.
The following CVEs are fixed in this release:
- CVE-2023-30581:
mainModule.__proto__
Bypass Experimental Policy Mechanism (High) - CVE-2023-30584: Path Traversal Bypass in Experimental Permission Model (High)
- CVE-2023-30587: Bypass of Experimental Permission Model via Node.js Inspector (High)
- CVE-2023-30582: Inadequate Permission Model Allows Unauthorized File Watching (Medium)
- CVE-2023-30583: Bypass of Experimental Permission Model via fs.openAsBlob() (Medium)
- CVE-2023-30585: Privilege escalation via Malicious Registry Key manipulation during Node.js installer repair process (Medium)
- CVE-2023-30586: Bypass of Experimental Permission Model via Arbitrary OpenSSL Engines (Medium)
- CVE-2023-30588: Process interuption due to invalid Public Key information in x509 certificates (Medium)
- CVE-2023-30589: HTTP Request Smuggling via Empty headers separated by CR (Medium)
- CVE-2023-30590: DiffieHellman does not generate keys after setting a private key (Medium)
- OpenSSL Security Releases
More detailed information on each of the vulnerabilities can be found in June 2023 Security Releases blog post.
- [
dac08dafc9
] - crypto: handle cert with invalid SPKI gracefully (Tobias Nießen) nodejs-private/node-private#393 - [
d274c3babc
] - crypto,https,tls: disable engines if perms enabled (Tobias Nießen) nodejs-private/node-private#409 - [
5621c1de38
] - deps: update archs files for openssl-3.0.9-quic1 (Node.js GitHub Bot) #48402 - [
771caa9f1c
] - deps: upgrade openssl sources to quictls/openssl-3.0.9-quic1 (Node.js GitHub Bot) #48402 - [
0459bf9c99
] - doc,test: clarify behavior of DH generateKeys (Tobias Nießen) nodejs-private/node-private#426 - [
27e20501aa
] - http: disable request smuggling via empty headers (Paolo Insogna) nodejs-private/node-private#427 - [
9c17e335f1
] - msi: do not create AppData\Roaming\npm (Tobias Nießen) nodejs-private/node-private#408 - [
b51124c637
] - permission: handle fs path traversal (RafaelGSS) nodejs-private/node-private#403 - [
ebc5927adc
] - permission: handle fs.openAsBlob (RafaelGSS) nodejs-private/node-private#405 - [
c39a43bff5
] - permission: handle fs.watchFile (RafaelGSS) nodejs-private/node-private#404 - [
d0a8264ec9
] - policy: handle mainModule.__proto__ bypass (RafaelGSS) nodejs-private/node-private#416 - [
3df13d5a79
] - src,permission: restrict inspector when pm enabled (RafaelGSS) nodejs-private/node-private#410
- [
bfcb3d1d9a
] - deps: upgrade to libuv 1.45.0, including significant performance improvements to file system operations on Linux (Santiago Gimeno) #48078 - [
5094d1b292
] - doc: add Ruy Adorno to list of TSC members (Michael Dawson) #48172 - [
2f5dbca690
] - doc: mark Node.js 14 as End-of-Life (Richard Lau) #48023 - [
b1828b325e
] - (SEMVER-MINOR) lib: implementAbortSignal.any()
(Chemi Atlow) #47821 - [
f380953103
] - module: change default resolver to not throw on unknown scheme (Gil Tayar) #47824 - [
a94f87ed99
] - (SEMVER-MINOR) node-api: define version 9 (Chengzhong Wu) #48151 - [
9e2b13dfa7
] - stream: deprecateasIndexedPairs
(Chemi Atlow) #48102
- [
35c96156d1
] - benchmark: usecluster.isPrimary
instead ofcluster.isMaster
(Deokjin Kim) #48002 - [
3e6e3abf32
] - bootstrap: throw ERR_NOT_SUPPORTED_IN_SNAPSHOT in unsupported operation (Joyee Cheung) #47887 - [
c480559347
] - bootstrap: put is_building_snapshot state in IsolateData (Joyee Cheung) #47887 - [
50c0a15535
] - build: set v8_enable_webassembly=false when lite mode is enabled (Cheng Shao) #48248 - [
4562805cf6
] - build: speed up compilation of mksnapshot output (Keyhan Vakil) #48162 - [
8b89f13933
] - build: add action to close stale PRs (Michael Dawson) #48051 - [
5d92202220
] - build: replace js2c.py with js2c.cc (Joyee Cheung) #46997 - [
6cf2adc36e
] - cluster: use ObjectPrototypeHasOwnProperty (Daeyeon Jeong) #48141 - [
f564b03c38
] - crypto: use openssl's own memory BIOs in crypto_context.cc (GauriSpears) #47160 - [
ac8dd61fc3
] - crypto: remove default encoding from cipher (Tobias Nießen) #47998 - [
15c2de4407
] - crypto: fix setEngine() when OPENSSL_NO_ENGINE set (Tobias Nießen) #47977 - [
9e2dd5b5e2
] - deps: update zlib to 337322d (Node.js GitHub Bot) #48218 - [
bfcb3d1d9a
] - deps: upgrade to libuv 1.45.0 (Santiago Gimeno) #48078 - [
13930f092f
] - deps: update ada to 2.5.0 (Node.js GitHub Bot) #48223 - [
3047caebec
] - deps: setCARES_RANDOM_FILE
for c-ares (Richard Lau) #48156 - [
0db79a0872
] - deps: update histogram 0.11.8 (Marco Ippolito) #47742 - [
99af6716f5
] - deps: update histogram to 0.11.7 (Marco Ippolito) #47742 - [
d4922bc985
] - deps: update c-ares to 1.19.1 (Node.js GitHub Bot) #48115 - [
f6ccdb289f
] - deps: update simdutf to 3.2.12 (Node.js GitHub Bot) #48118 - [
3ed0afc778
] - deps: update minimatch to 9.0.1 (Node.js GitHub Bot) #48094 - [
df7540fb73
] - deps: update ada to 2.4.2 (Node.js GitHub Bot) #48092 - [
07df5c48e8
] - deps: update corepack to 0.18.0 (Node.js GitHub Bot) #48091 - [
d95a5bb559
] - deps: update uvwasi to 0.0.18 (Node.js GitHub Bot) #47866 - [
443477e041
] - deps: update uvwasi to 0.0.17 (Node.js GitHub Bot) #47866 - [
03f67d6d6d
] - deps: upgrade npm to 9.6.7 (npm team) #48062 - [
d3e3a911fd
] - deps: update nghttp2 to 1.53.0 (Node.js GitHub Bot) #47997 - [
f7c4daaf67
] - deps: update ada to 2.4.1 (Node.js GitHub Bot) #48036 - [
c6a752560d
] - deps: add loongarch64 into openssl Makefile and gen openssl-loongarch64 (Shi Pujin) #46401 - [
d194241716
] - deps: update undici to 5.22.1 (Node.js GitHub Bot) #47994 - [
02e919f4a2
] - deps,test: update postject to 1.0.0-alpha.6 (Node.js GitHub Bot) #48072 - [
2c19f596ad
] - doc: clarify array args to Buffer.from() (Bryan English) #48274 - [
d681e5f456
] - doc: document watch option for node:test run() (Moshe Atlow) #48256 - [
96e54ddbca
] - doc: reserve 117 for Electron 26 (Calvin) #48245 - [
9aff8c7818
] - doc: update documentation for FIPS support (Richard Lau) #48194 - [
8c5338648f
] - doc: improve the documentation of the stdio option (Kumar Arnav) #48110 - [
11918d705f
] - doc: update Buffer.allocUnsafe description (sinkhaha) #48183 - [
2b51ee5e22
] - doc: update codeowners with website team (Claudio Wunder) #48197 - [
360df25d04
] - doc: fix broken link to new folder doc/contributing/maintaining (Andrea Fassina) #48205 - [
13e95e21a4
] - doc: add atlowChemi to triagers (Chemi Atlow) #48104 - [
5f83ce530f
] - doc: fix typo in readline completer function section (Vadym) #48188 - [
3c82165d27
] - doc: remove broken link for keygen (Rich Trott) #48176 - [
0ca90a1e6d
] - doc: addauto
intrinsic height to prevent jitter/flicker (Daniel Holbert) #48195 - [
f117855092
] - doc: add version info on the SEA docs (Antoine du Hamel) #48173 - [
5094d1b292
] - doc: add Ruy to list of TSC members (Michael Dawson) #48172 - [
39d8140227
] - doc: update socket.remote* properties documentation (Saba Kharanauli) #48139 - [
5497c13efe
] - doc: update outdated section on TLSv1.3-PSK (Tobias Nießen) #48123 - [
281dfaf727
] - doc: improve HMAC key recommendations (Tobias Nießen) #48121 - [
bd311b6c70
] - doc: clarify mkdir() recursive behavior (Stephen Odogwu) #48109 - [
5b061c8922
] - doc: fix typo in crypto legacy streams API section (Tobias Nießen) #48122 - [
10ccb2bd81
] - doc: update SEA source link (Rich Trott) #48080 - [
415bf7f532
] - doc: clarify tty.isRaw (Roberto Vidal) #48055 - [
0ac4b33c76
] - doc: correct line break for Windows terminals (Alex Schwartz) #48083 - [
f30ba5c320
] - doc: fix Windows code snippet tags (Antoine du Hamel) #48100 - [
12fef9b68c
] - doc: harmonize fenced code snippet flags (Antoine du Hamel) #48082 - [
13f163eace
] - doc: use secure key length for HMAC generateKey (Tobias Nießen) #48052 - [
1e3e7c9f33
] - doc: update broken EVP_BytesToKey link (Rich Trott) #48064 - [
5917ba1838
] - doc: update broken spkac link (Rich Trott) #48063 - [
0e4a3b7db1
] - doc: document node-api version process (Chengzhong Wu) #47972 - [
85bbaa94ea
] - doc: update process.versions properties (Saba Kharanauli) #48019 - [
7660eb591a
] - doc: fix typo in binding functions (Deokjin Kim) #48003 - [
2f5dbca690
] - doc: mark Node.js 14 as End-of-Life (Richard Lau) #48023 - [
3b94a739f2
] - doc: clarify CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED (Tobias Nießen) #47976 - [
9e381cfa89
] - doc: add heading for permission model limitations (Tobias Nießen) #47989 - [
802db923e0
] - doc,vm: clarify usage of cachedData in vm.compileFunction() (Darshan Sen) #48193 - [
11a3434810
] - esm: remove support for arrays inimport
internal method (Antoine du Hamel) #48296 - [
3b00f3afef
] - esm: handleglobalPreload
hook returning a nullish value (Antoine du Hamel) #48249 - [
3c7846d7e1
] - esm: handle more error types thrown from the loader thread (Antoine du Hamel) #48247 - [
60ce2bcabc
] - http: send implicit headers on HEAD with no body (Matteo Collina) #48108 - [
72de4e7170
] - lib: do not disable linter for entire files (Antoine du Hamel) #48299 - [
10cc60fc91
] - lib: use existingisWindows
variable (sinkhaha) #48134 - [
a90010aae9
] - lib: support FORCE_COLOR for non TTY streams (Moshe Atlow) #48034 - [
b1828b325e
] - (SEMVER-MINOR) lib: implement AbortSignal.any() (Chemi Atlow) #47821 - [
8f1b86961f
] - meta: bump github/codeql-action from 2.3.3 to 2.3.6 (dependabot[bot]) #48287 - [
1b87ccdf70
] - meta: bump actions/setup-python from 4.6.0 to 4.6.1 (dependabot[bot]) #48286 - [
10715aea26
] - meta: bump codecov/codecov-action from 3.1.3 to 3.1.4 (dependabot[bot]) #48285 - [
79f73778ab
] - meta: remove dont-land-on-v14 auto labeling (Shrujal Shah) #48031 - [
9c5711f3ea
] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #48010 - [
6d6bf3ee52
] - module: reduce the number of URL initializations (Yagiz Nizipli) #48272 - [
f380953103
] - module: change default resolver to not throw on unknown scheme (Gil Tayar) #47824 - [
950185b0c0
] - net: fix address iteration with autoSelectFamily (Fedor Indutny) #48258 - [
5ddca72e62
] - net: fix family autoselection SSL connection handling (Paolo Insogna) #48189 - [
750e53ca3c
] - net: fix family autoselection timeout handling (Paolo Insogna) #47860 - [
a94f87ed99
] - (SEMVER-MINOR) node-api: define version 9 (Chengzhong Wu) #48151 - [
e834979818
] - node-api: add status napi_cannot_run_js (Gabriel Schulhof) #47986 - [
eafe0c3ec6
] - node-api: napi_ref on all types is experimental (Vladimir Morozov) #47975 - [
9a034746f5
] - src: add Realm document in the src README.md (Chengzhong Wu) #47932 - [
b8f4070f71
] - src: check node_extra_ca_certs after openssl cfg (Raghu Saxena) #48159 - [
0347a18056
] - src: include missing header in node_sea.h (Joyee Cheung) #48152 - [
45c3782c20
] - src: remove INT_MAX asserts in SecretKeyGenTraits (Tobias Nießen) #48053 - [
b25e7045ad
] - src: avoid prototype access in binding templates (Joyee Cheung) #47913 - [
33aa373eec
] - src: use Blob{Des|S}erializer for SEA blobs (Joyee Cheung) #47962 - [
9e2b13dfa7
] - stream: deprecate asIndexedPairs (Chemi Atlow) #48102 - [
96c323dee2
] - test: mark test-child-process-pipe-dataflow as flaky (Moshe Atlow) #48334 - [
9875885357
] - test: adapt tests for OpenSSL 3.1 (OttoHollmann) #47859 - [
3440d7c6bf
] - test: unflake test-vm-timeout-escape-nexttick (Santiago Gimeno) #48078 - [
215b2bc72c
] - test: fix zlib version regex (Luigi Pinca) #48227 - [
e12ee59d26
] - test: use lower security level in s_client (Luigi Pinca) #48192 - [
1dabc7390c
] - Revert "test: unskip negative-settimeout.any.js WPT" (Filip Skokan) #48182 - [
c1c4796a86
] - test: mark test_cannot_run_js as flaky (Keyhan Vakil) #48181 - [
8c49d74002
] - test: fix flaky test-runner-watch-mode (Moshe Atlow) #48144 - [
6388766862
] - test: skip test-http-pipeline-flood on IBM i (Abdirahim Musse) #48048 - [
8d2a3b1952
] - test: ignore helper files in WPTs (Filip Skokan) #48079 - [
7a96d825fd
] - test: movetest-cluster-primary-error
flaky test (Yagiz Nizipli) #48039 - [
a80dd3a8b3
] - test: fix suite signal (Benjamin Gruenbaum) #47800 - [
a41cfd183f
] - test: fix parsing test flags (Daeyeon Jeong) #48012 - [
4d4e506f2b
] - test,doc,sea: run SEA tests on ppc64 (Darshan Sen) #48111 - [
44411fc40c
] - test_runner: applyrunOnly
on suites (Moshe Atlow) #48279 - [
3f259b7a30
] - test_runner: emittest:watch:drained
event (Moshe Atlow) #48259 - [
c9f8e8c562
] - test_runner: stop watch mode when abortSignal aborted (Moshe Atlow) #48259 - [
f3268d64cb
] - test_runner: fix global after hook (Moshe Atlow) #48231 - [
15336c3139
] - test_runner: remove redundant check from coverage (Colin Ihrig) #48070 - [
750d3e8606
] - test_runner: pass FORCE_COLOR to child process (Moshe Atlow) #48057 - [
3278542243
] - test_runner: dont split lines ontest:stdout
(Moshe Atlow) #48057 - [
027c531766
] - test_runner: fix test deserialize edge cases (Moshe Atlow) #48106 - [
2b797a6d39
] - test_runner: delegate stderr and stdout formatting to reporter (Shiba) #48045 - [
23d310bee8
] - test_runner: display dot report as wide as the terminal width (Raz Luvaton) #48038 - [
fd2620dcf1
] - tls: reapply servername on happy eyeballs connect (Fedor Indutny) #48255 - [
62f847d0b3
] - tools: update rollup lint-md-dependencies (Node.js GitHub Bot) #48329 - [
3e97826a66
] - Revert "tools: open issue when update workflow fails" (Marco Ippolito) #48312 - [
5f08bfe35f
] - tools: don't gitignore base64 config.h (Ben Noordhuis) #48174 - [
ded0e2d755
] - tools: update LICENSE and license-builder.sh (Santiago Gimeno) #48078 - [
07aa264366
] - tools: automate histogram update (Marco Ippolito) #48171 - [
1416b75eaa
] - tools: use shasum instead of sha256sum (Luigi Pinca) #48229 - [
b81e9d9b7b
] - tools: harmonizedep_updaters
scripts (Antoine du Hamel) #48201 - [
a60bc41e53
] - tools: deps update authenticate github api request (Andrea Fassina) #48200 - [
7478ed014e
] - tools: order dependency jobs alphabetically (Luca) #48184 - [
568a705799
] - tools: refactor v8_pch config (Michaël Zasso) #47364 - [
801573ba46
] - tools: log and verify sha256sum (Andrea Fassina) #48088 - [
db62325e18
] - tools: open issue when update workflow fails (Marco Ippolito) #48018 - [
ad8a68856d
] - tools: alphabetize CODEOWNERS (Rich Trott) #48124 - [
4cf5a9edaf
] - tools: use latest upstream commit for zlib updates (Andrea Fassina) #48054 - [
8d93af381b
] - tools: add security-wg as dep updaters owner (Marco Ippolito) #48113 - [
5325be1d99
] - tools: port js2c.py to C++ (Joyee Cheung) #46997 - [
6c60d90277
] - tools: fix race condition when npm installing (Tobias Nießen) #48101 - [
0ab840a58f
] - tools: refloat 7 Node.js patches to cpplint.py (Rich Trott) #48098 - [
a298193378
] - tools: update cpplint to 1.6.1 (Yagiz Nizipli) #48098 - [
f6725751b7
] - tools: update eslint to 8.41.0 (Node.js GitHub Bot) #48097 - [
6539361f4e
] - tools: update lint-md-dependencies (Node.js GitHub Bot) #48096 - [
5d94dbb951
] - tools: update doc to remark-parse@10.0.2 (Node.js GitHub Bot) #48095 - [
2226088048
] - tools: add debug logs (Marco Ippolito) #48060 - [
0c8c383583
] - tools: fix zconf.h path (Luigi Pinca) #48089 - [
6adaf4c648
] - tools: update remark-preset-lint-node to 4.0.0 (Node.js GitHub Bot) #47995 - [
92b3334231
] - url: clean vertical alignment of docs (Robin Ury) #48037 - [
ebb6536775
] - url: callada::can_parse
directly (Yagiz Nizipli) #47919 - [
ed4514294a
] - vm: properly handle defining symbol props (Nicolas DUBIEN) #47572
- [
c092df9094
] - doc: add ovflowd to collaborators (Claudio Wunder) #47844 - [
4197a9a5a0
] - (SEMVER-MINOR) http: prevent writing to the body when not allowed by HTTP spec (Gerrard Lindsay) #47732 - [
c4596b9ce7
] - (SEMVER-MINOR) sea: add option to disable the experimental SEA warning (Darshan Sen) #47588 - [
17befe008c
] - (SEMVER-MINOR) test_runner: addskip
,todo
, andonly
shorthands totest
(Chemi Atlow) #47909 - [
a0634d7f89
] - (SEMVER-MINOR) url: add value argument toURLSearchParams
has
anddelete
methods (Sankalp Shubham) #47885
- [
456fca0d9c
] - bootstrap: initialize per-isolate properties of bindings separately (Joyee Cheung) #47768 - [
d6d12bf978
] - bootstrap: log isolate data info in mksnapshot debug logs (Joyee Cheung) #47768 - [
e457d89a1b
] - buffer: combine checking range of sourceStart inbuf.copy
(Deokjin Kim) #47758 - [
00668fcfb4
] - child_process: use signal.reason in child process abort (Debadree Chatterjee) #47817 - [
d7993474ea
] - crypto: remove default encoding from scrypt (Tobias Nießen) #47943 - [
09fb74a7cc
] - crypto: fix webcrypto private/secret import with empty usages (Filip Skokan) #47877 - [
e9c6ee74f3
] - crypto: remove default encoding from pbkdf2 (Tobias Nießen) #47869 - [
b7f13a8679
] - deps: update simdutf to 3.2.9 (Node.js GitHub Bot) #47983 - [
b16f6da153
] - deps: V8: cherry-pick 5f025d1ca2ca (Michaël Zasso) #47610 - [
99f8fcab45
] - deps: V8: cherry-pick a8a11a87cb72 (Michaël Zasso) #47610 - [
c2b14b4c78
] - deps: update ada to 2.4.0 (Node.js GitHub Bot) #47922 - [
cad42e7a56
] - deps: V8: cherry-pick 1b471b796022 (Lu Yahan) #47399 - [
7b2f17ca59
] - deps: upgrade npm to 9.6.6 (npm team) #47862 - [
d23b1af562
] - deps: update ada to 2.3.1 (Node.js GitHub Bot) #47893 - [
72340c98fb
] - dgram: convert macro to template (Tobias Nießen) #47891 - [
9be922892f
] - dns: callada::idna::to_ascii
directly from c++ (Yagiz Nizipli) #47920 - [
4a1e97156a
] - doc: add missing deprecated blocks to cluster (Tobias Nießen) #47981 - [
13118a19ee
] - doc: update description of global (Tobias Nießen) #47969 - [
372796440b
] - doc: update measure memory rejection information (Yash Ladha) #41639 - [
7ecc6740e4
] - doc: fix broken link to TC39 import attributes proposal (Rich Trott) #47954 - [
b9771c95c7
] - doc: fix broken link (Rich Trott) #47953 - [
6f5ba92e61
] - doc: remove broken link (Rich Trott) #47942 - [
c9ffc555f1
] - doc: document make lint-md-clean (Matteo Collina) #47926 - [
7ed99e8ba5
] - doc: mark global object as legacy (Mert Can Altın) #47819 - [
bf39f2d252
] - doc: ntfs junction points must link to directories (Ben Noordhuis) #47907 - [
4dfc3890d8
] - doc: improvepermission.has
description (Daeyeon Jeong) #47875 - [
93f1aa2856
] - doc: fix params names (Dmitry Semigradsky) #47853 - [
9a362aa2fb
] - doc: update supported version of FreeBSD to 12.4 (Michaël Zasso) #47838 - [
89c70dc6e6
] - doc: add stability experimental to pm (Rafael Gonzaga) #47890 - [
f96fb2eee7
] - doc: swap Matteo with Rafael in the stewards (Rafael Gonzaga) #47841 - [
1666a146e3
] - doc: add valgrind suppression details (Kevin Eady) #47760 - [
e53e8231ff
] - doc: replace EOL versions in README (Tobias Nießen) #47833 - [
c092df9094
] - doc: add ovflowd to collaborators (Claudio Wunder) #47844 - [
f7106765b3
] - doc: update BUILDING.md previous versions links (Tobias Nießen) #47835 - [
811b43c215
] - doc,test: update the v8.startupSnapshot doc and test the example (Joyee Cheung) #47468 - [
1ec640ac70
] - esm: do not use'beforeExit'
on the main thread (Antoine du Hamel) #47964 - [
106dc612d6
] - fs: make readdir recursive algorithm iterative (Ethan Arrowood) #47650 - [
a0da2348a8
] - fs: move fs_use_promises_symbol to per-isolate symbols (Joyee Cheung) #47768 - [
4197a9a5a0
] - (SEMVER-MINOR) http: prevent writing to the body when not allowed by HTTP spec (Gerrard Lindsay) #47732 - [
a4d6543598
] - http2: improve nghttp2 error callback (Tobias Nießen) #47840 - [
a4fed6c580
] - lib: update comment (sinkhaha) #47884 - [
fd8bec7b2b
] - meta: bump step-security/harden-runner from 2.3.1 to 2.4.0 (Rich Trott) #47980 - [
f5b4b6d5dc
] - meta: bump github/codeql-action from 2.3.2 to 2.3.3 (Rich Trott) #47979 - [
c05c0a2359
] - meta: bump actions/setup-python from 4.5.0 to 4.6.0 (Rich Trott) #47968 - [
2a3d6d97cb
] - meta: add security-wg ping to permission.js (Rafael Gonzaga) #47941 - [
6c158e8dd1
] - meta: bump step-security/harden-runner from 2.2.1 to 2.3.1 (dependabot[bot]) #47808 - [
f7a8094d37
] - meta: bump actions/setup-python from 4.5.0 to 4.6.0 (dependabot[bot]) #47806 - [
0f58e48792
] - meta: bump actions/checkout from 3.3.0 to 3.5.2 (dependabot[bot]) #47805 - [
652b06dd82
] - meta: remove extra space in scorecard workflow (Mestery) #47805 - [
9f06eaccaf
] - meta: bump github/codeql-action from 2.2.9 to 2.3.2 (dependabot[bot]) #47809 - [
977fd7cf35
] - meta: bump codecov/codecov-action from 3.1.1 to 3.1.3 (dependabot[bot]) #47807 - [
c19385c154
] - module: refactor to usenormalizeRequirableId
in the CJS module loader (Darshan Sen) #47896 - [
739113f2fc
] - module: block requiringtest/reporters
without scheme (Moshe Atlow) #47831 - [
f489c6710c
] - (NODE-API-SEMVER-MAJOR) node-api: get Node API version used by addon (Vladimir Morozov) #45715 - [
7222f9d74b
] - path: indicate index of wrong resolve() parameter (sosoba) #47660 - [
7dd32f1536
] - permission: remove unused function declaration (Deokjin Kim) #47957 - [
af86625a05
] - permission: resolve reference to absolute path only for fs permission (Daeyeon Jeong) #47930 - [
1625ae11fe
] - quic: address recent coverity warning (Michael Dawson) #47753 - [
c4596b9ce7
] - (SEMVER-MINOR) sea: add option to disable the experimental SEA warning (Darshan Sen) #47588 - [
1a7fc186bc
] - sea: allow requiring core modules with the "node:" prefix (Darshan Sen) #47779 - [
786a1c5398
] - src: deduplicate X509Certificate::Fingerprint* (Tobias Nießen) #47978 - [
060c1d502b
] - src: stop copying code cache, part 2 (Keyhan Vakil) #47958 - [
1aec718619
] - (SEMVER-MINOR) src: add cjs_module_lexer_version base64_version (Jithil P Ponnan) #45629 - [
0c06bfd8dc
] - src: move BlobSerializerDeserializer to a separate header file (Darshan Sen) #47933 - [
bd553e7521
] - src: rename SKIP_CHECK_SIZE to SKIP_CHECK_STRLEN (Tobias Nießen) #47845 - [
190596c189
] - src: register external references for source code (Keyhan Vakil) #47055 - [
4293cc47f4
] - src: support V8 experimental shared values in messaging (Shu-yu Guo) #47706 - [
9bc5d78f0c
] - src: register ext reference for Fingerprint512 (Tobias Nießen) #47892 - [
a11507e23b
] - src: stop copying code cache (Keyhan Vakil) #47144 - [
515c9b8de6
] - src: clarify the parameter name inPermission::Apply
(Daeyeon Jeong) #47874 - [
c4217613f5
] - src: fix creating an ArrayBuffer from a Blob created withopenAsBlob
(Daeyeon Jeong) #47691 - [
4bc17fd67b
] - src: avoid strcmp() with Utf8Value (Tobias Nießen) #47827 - [
d358317f70
] - src: get binding data store directly from the realm (Joyee Cheung) #47437 - [
b04d51a0b5
] - src: prefer data accessor of string and vector (Mohammed Keyvanzadeh) #47750 - [
2952cc576c
] - src: add per-isolate SetFastMethod and Set[Fast]MethodNoSideEffect (Joyee Cheung) #47768 - [
010d2ecf94
] - test: mark test-esm-loader-http-imports as flaky (Tobias Nießen) #47987 - [
bb33c74c07
] - test: add getRandomValues return length (Jithil P Ponnan) #46357 - [
6e019586f7
] - test: unskip negative-settimeout.any.js WPT (Filip Skokan) #47946 - [
8f547afe5f
] - test: use appropriate usages for a negative import test (Filip Skokan) #47878 - [
7e34f77518
] - test: fix webcrypto wrap unwrap tests (Filip Skokan) #47876 - [
30f4f35244
] - test: fix output tests when path includes node version (Moshe Atlow) #47843 - [
54607bfd68
] - test: reduce WPT concurrency (Filip Skokan) #47834 - [
17945a2495
] - test: migrate a pseudo_tty test to use assertSnapshot (Moshe Atlow) #47803 - [
c9233679e8
] - test: fix WPT state when process exits but workers are still running (Filip Skokan) #47826 - [
34bfb69b5b
] - test: migrate message tests to use assertSnapshot (Moshe Atlow) #47498 - [
d25c785c2a
] - test: allow SIGBUS in signal-handler abort test (Michaël Zasso) #47851 - [
aa2c7e00d7
] - test,crypto: update WebCryptoAPI WPT (Filip Skokan) #47921 - [
da27542058
] - test_runner: use v8.serialize instead of TAP (Moshe Atlow) #47867 - [
17befe008c
] - (SEMVER-MINOR) test_runner: add shorthands totest
(Chemi Atlow) #47909 - [
42db1d50a0
] - test_runner: fix ordering of test hooks (Phil Nash) #47931 - [
d81c54e3a8
] - test_runner: omit inaccessible files from coverage (Colin Ihrig) #47850 - [
a4e261e910
] - tools: debug log for nghttp3 (Marco Ippolito) #47992 - [
f6ff318d4c
] - tools: automate icu-small update (Marco Ippolito) #47727 - [
706c305381
] - tools: update lint-md-dependencies to rollup@3.21.5 (Node.js GitHub Bot) #47903 - [
e22c686ca9
] - tools: update eslint to 8.40.0 (Node.js GitHub Bot) #47906 - [
36f7cfac93
] - tools: update eslint to 8.39.0 (Node.js GitHub Bot) #47789 - [
7323902a40
] - tools: fix jsdoc lint (Moshe Atlow) #47789 - [
a0634d7f89
] - (SEMVER-MINOR) url: add value argument to has and delete methods (Sankalp Shubham) #47885 - [
1b06c1e003
] - url: improveisURL
detection (Yagiz Nizipli) #47886 - [
2bd869d20c
] - vm: fix crash when setting __proto__ on context's globalThis (Feng Yu) #47939 - [
e6685f9e82
] - vm,lib: refactor microtaskQueue assignment logic (Khaidi Chu) #47765 - [
47fea13dac
] - worker: support more cases when (de)serializing errors (Moshe Atlow) #47925 - [
6f3876c035
] - worker: use snapshot in workers spawned by workers (Joyee Cheung) #47731
- [
5e99598639
] - assert: deprecateCallTracker
(Moshe Atlow) #47740 - [
2d97c89c6f
] - crypto: update root certificates to NSS 3.89 (Node.js GitHub Bot) #47659 - [
ce8820e292
] - (SEMVER-MINOR) dns: exposegetDefaultResultOrder
(btea) #46973 - [
9d30f469aa
] - doc: add KhafraDev to collaborators (Matthew Aitken) #47510 - [
439ea47a77
] - (SEMVER-MINOR) fs: addrecursive
option toreaddir
andopendir
(Ethan Arrowood) #41439 - [
a54e898dc8
] - (SEMVER-MINOR) fs: add support formode
flag to specify the copy behavior of thecp
methods (Tetsuharu Ohzeki) #47084 - [
4fa773964b
] - (SEMVER-MINOR) http: addhighWaterMark
optionhttp.createServer
(HinataKah0) #47405 - [
2b411f4b42
] - (SEMVER-MINOR) stream: preserve object mode incompose
(Raz Luvaton) #47413 - [
5327483f31
] - (SEMVER-MINOR) test_runner: addtestNamePatterns
torun
API (Chemi Atlow) #47628 - [
bdd02a467d
] - (SEMVER-MINOR) test_runner: executebefore
hook on test (Chemi Atlow) #47586 - [
0e70c187bc
] - (SEMVER-MINOR) test_runner: support combining coverage reports (Colin Ihrig) #47686 - [
75c1d1b66e
] - (SEMVER-MINOR) wasi: makereturnOnExit
true by default (Michael Dawson) #47390
- [
33d1bd3e02
] - assert: deprecate callTracker (Moshe Atlow) #47740 - [
6d87355e83
] - benchmark: add eventtarget creation bench (Rafael Gonzaga) #47774 - [
40324a1dea
] - benchmark: differentiate whatwg and legacy url (Yagiz Nizipli) #47377 - [
936d7cb069
] - benchmark: add a benchmark fordefaultResolve
(Antoine du Hamel) #47543 - [
202042ee93
] - bootstrap: support namespaced builtins in snapshot scripts (Joyee Cheung) #47467 - [
30af5cee55
] - build: use pathlib for paths (Mohammed Keyvanzadeh) #47581 - [
089c9c51e9
] - build: refactor configure.py (Mohammed Keyvanzadeh) #47667 - [
5b851c8074
] - build: add devcontainer configuration (Tierney Cyren) #40825 - [
35e8b3b467
] - build: bump ossf/scorecard-action from 2.1.2 to 2.1.3 (dependabot[bot]) #47367 - [
78c08243df
] - build: replace Python linter flake8 with ruff (Christian Clauss) #47519 - [
2d97c89c6f
] - crypto: update root certificates to NSS 3.89 (Node.js GitHub Bot) #47659 - [
420feb41cf
] - crypto: remove INT_MAX restriction in randomBytes (Tobias Nießen) #47559 - [
6046779dd9
] - deps: disable V8 concurrent sparkplug compilation (Michaël Zasso) #47450 - [
00d461e93f
] - deps: V8: cherry-pick c5ab3e4f0c5a (Richard Lau) #47736 - [
d08dd8069f
] - deps: update ada to 2.3.0 (Node.js GitHub Bot) #47737 - [
996245976b
] - deps: update undici to 5.22.0 (Node.js GitHub Bot) #47679 - [
f3ee3126df
] - deps: update ada to 2.2.0 (Node.js GitHub Bot) #47678 - [
1391d3b9ff
] - deps: add minimatch as a dependency (Moshe Atlow) #47499 - [
315454350d
] - deps: update ada to 2.1.0 (Node.js GitHub Bot) #47598 - [
7f7735cad9
] - deps: update ICU to 73.1 release (Steven R. Loomis) #47456 - [
13105c12b7
] - deps: patch V8 to 11.3.244.8 (Michaël Zasso) #47536 - [
ede69d272a
] - deps: update undici to 5.21.2 (Node.js GitHub Bot) #47508 - [
64b5a5f872
] - deps: update simdutf to 3.2.8 (Node.js GitHub Bot) #47507 - [
2664536796
] - deps: V8: cherry-pick 8e10685ff918 (Jiawen Geng) #47440 - [
ba9ec91f0e
] - deps: update undici to 5.21.1 (Node.js GitHub Bot) #47488 - [
ce8820e292
] - (SEMVER-MINOR) dns: expose getDefaultResultOrder (btea) #46973 - [
4c26e28c33
] - doc: create maintaining folder for deps (Marco Ippolito) #47589 - [
aa0ef3eabd
] - doc: fix --allow-* CLI flag references (Tobias Nießen) #47804 - [
98603b6fd3
] - doc: clarify fs permissions only affect fs module (Tobias Nießen) #47782 - [
3befe5dac9
] - doc: add copy node executable guide on windows (XLor) #47781 - [
98450d9892
] - doc: remove MoLow from Triagers (Moshe Atlow) #47792 - [
d75036410d
] - doc: fix typo in webstreams.md (Christian Takle) #47766 - [
ceba37a74f
] - doc: move BethGriggs to regular member (Rich Trott) #47776 - [
b954ea9781
] - doc: mark signing the binary is macOS and Windows only in SEA (Xuguang Mei) #47722 - [
26bccbcd10
] - doc: move addaleax to TSC emeriti (Anna Henningsen) #47752 - [
20b0de242f
] - doc: add link to news for Node.js core (Michael Dawson) #47704 - [
5709133dc7
] - doc: fix a typo inpermissions.md
(Daeyeon Jeong) #47730 - [
c5c40a89f2
] - doc: async_hooks asynchronous content example add mjs code (btea) #47401 - [
a1403a8df2
] - doc: clarify concurrency model of test runner (Tobias Nießen) #47642 - [
c0c23fbe42
] - doc: fix a typo infs.openAsBlob
(Daeyeon Jeong) #47693 - [
4cef98812d
] - doc: fix typos (Mohammed Keyvanzadeh) #47685 - [
f30ef242ef
] - doc: fix capitalization of ASan (Mohammed Keyvanzadeh) #47676 - [
78a3503406
] - doc: fix typos in SECURITY.md (Mohammed Keyvanzadeh) #47677 - [
9101630e05
] - doc: update error code of buffer (Deokjin Kim) #47617 - [
183f0c3e79
] - doc: change offset of example inBuffer.copyBytesFrom
(Deokjin Kim) #47606 - [
d11ff4bc53
] - doc: improve fs permissions description (Tobias Nießen) #47596 - [
b58920c3a9
] - doc: remove markdown link from heading (Tobias Nießen) #47585 - [
c36634e880
] - doc: fix history ordering ofWASI
constructor (Antoine du Hamel) #47611 - [
d3fadd889d
] - doc: fix release-post script location (Rafael Gonzaga) #47517 - [
2a0bbe7883
] - doc: fix typo in webcrypto metadata (Tobias Nießen) #47595 - [
b0b16ee9f6
] - doc: add link for news from uvwasi team (Michael Dawson) #47531 - [
7ca416af15
] - doc: add missing setEncoding call in ESM example (Anna Henningsen) #47558 - [
f9abd59b41
] - doc: update darwin-x64 toolchain used for Node.js 20 releases (Michaël Zasso) #47546 - [
0dc508070f
] - doc: fix split infinitive in Hooks caveat (Jacob Smith) #47550 - [
4046280475
] - doc: fix typo in util.types.isNativeError() (Julian Dax) #47532 - [
9d30f469aa
] - doc: add KhafraDev to collaborators (Matthew Aitken) #47510 - [
537c17ec48
] - doc: create maintaining-brotli.md (Marco Ippolito) #47380 - [
09ff9eafd9
] - doc,fs: update description of fs.stat() method (Mert Can Altın) #47654 - [
185d6090cd
] - doc,test: fix concurrency option of test() (Tobias Nießen) #47734 - [
a793cf401d
] - esm: renameURLCanParse
to be consistent (Antoine du Hamel) #47668 - [
fbb6b72f87
] - esm: remove support for deprecated hooks (Antoine du Hamel) #47580 - [
c150976c4f
] - esm: initializeimport.meta
on eval (Antoine du Hamel) #47551 - [
55f70f6395
] - esm: propagateprocess.exit
from the loader thread to the main thread (Antoine du Hamel) #47548 - [
269482f61f
] - esm: avoid accessing lazy getters for urls (Yagiz Nizipli) #47542 - [
889add68e5
] - esm: avoid try/catch when validating urls (Yagiz Nizipli) #47541 - [
439ea47a77
] - (SEMVER-MINOR) fs: add recursive option to readdir and opendir (Ethan Arrowood) #41439 - [
a54e898dc8
] - (SEMVER-MINOR) fs: add support for mode flag to specify the copy behavior (Tetsuharu Ohzeki) #47084 - [
96f93cc500
] - (SEMVER-MINOR) http: remove internal error in assignSocket (Matteo Collina) #47723 - [
4fa773964b
] - (SEMVER-MINOR) http: add highWaterMark opt in http.createServer (HinataKah0) #47405 - [
94a5abb1e0
] - inspector: add tips for Session (theanarkh) #47195 - [
21ff33127a
] - lib: improve esm resolve performance (Yagiz Nizipli) #46652 - [
b8bdaf86c4
] - lib: disallow file-backed blob cloning (James M Snell) #47574 - [
e8bc03b372
] - lib: use webidl DOMString converter in EventTarget (Matthew Aitken) #47514 - [
91e4a7cdee
] - loader: use default loader as cascaded loader in the in loader worker (Joyee Cheung) #47620 - [
d5089fe00a
] - meta: fix dependabot commit message (Mestery) #47810 - [
92794400ce
] - meta: ping nodejs/startup for startup test changes (Joyee Cheung) #47771 - [
8d43689077
] - meta: add mailmap entry for KhafraDev (Rich Trott) #47512 - [
4d02901935
] - node-api: test passing NULL to napi_define_class (Gabriel Schulhof) #47567 - [
568256dca0
] - node-api: test passing NULL to number APIs (Gabriel Schulhof) #47549 - [
12f0fa386d
] - node-api: remove unused mark_arraybuffer_as_untransferable (Chengzhong Wu) #47557 - [
e8ea83416a
] - quic: add more QUIC implementation (James M Snell) #47494 - [
af227b159d
] - readline: fix issue with newline-less last line (Ian Harris) #47317 - [
e948bec969
] - src: avoid copying string in fs_permission (Yagiz Nizipli) #47746 - [
dc43ce7706
] - src: replace idna functions with ada::idna (Yagiz Nizipli) #47735 - [
1f9e7ce7e8
] - src: fix typo in comment in quic/sessionticket.cc (Tobias Nießen) #47754 - [
2acb57b777
] - src: mark fatal error functions as noreturn (Chengzhong Wu) #47695 - [
4431df7481
] - src: split BlobSerializer/BlobDeserializer (Joyee Cheung) #47458 - [
bf9a52cb3d
] - src: prevent changing FunctionTemplateInfo after publish (Shelley Vohr) #46979 - [
872e6706ca
] - src: add v8 fast api for url canParse (Matthew Aitken) #47552 - [
cfafe431f2
] - src: make AliasedBuffers in the binding data weak (Joyee Cheung) #47354 - [
cf48db0034
] - src: use v8::Boolean(b) over b ? True() : False() (Tobias Nießen) #47554 - [
ba255eda37
] - src: fix typo in process.env accessor error message (Moritz Raho) #47014 - [
daf0c78232
] - src: replace static const string_view by static constexpr (Daniel Lemire) #47524 - [
57e7ed7f47
] - src: fix CSPRNG when length exceeds INT_MAX (Tobias Nießen) #47515 - [
cda36bfd8f
] - src: use correct variable in node_builtins.cc (Michaël Zasso) #47343 - [
adc1601ccd
] - src: slim down stream_base-inl.h (lilsweetcaligula) #46972 - [
f88132f1b8
] - stream: prevent pipeline hang with generator functions (Debadree Chatterjee) #47712 - [
2b411f4b42
] - (SEMVER-MINOR) stream: preserve object mode in compose (Raz Luvaton) #47413 - [
159cf02920
] - test: refactor to usegetEventListeners
in timers (Deokjin Kim) #47759 - [
97a3d39b8f
] - test: add and use tmpdir.hasEnoughSpace() (Tobias Nießen) #47767 - [
5bb7b26bb5
] - test: remove spaces from test runner test names (Tobias Nießen) #47733 - [
84fa9fd725
] - test: refactor WPTRunner and enable parallel WPT execution (Filip Skokan) #47635 - [
9d3768eb01
] - Revert "test: run WPT files in parallel again" (Filip Skokan) #47627 - [
826f4041d1
] - test: mark test-cluster-primary-error flaky on asan (Yagiz Nizipli) #47422 - [
e5251e31eb
] - test_runner: fix --require with --experimental-loader (Moshe Atlow) #47751 - [
6ee5e42c73
] - (SEMVER-MINOR) test_runner: support combining coverage reports (Colin Ihrig) #47686 - [
f8581e7629
] - test_runner: remove no-op validation (Colin Ihrig) #47687 - [
40b38797c5
] - test_runner: fix test runner concurrency (Moshe Atlow) #47675 - [
2d7cac0c5b
] - test_runner: fix test counting (Moshe Atlow) #47675 - [
5a9b71a52e
] - test_runner: fix nested hooks (Moshe Atlow) #47648 - [
5327483f31
] - (SEMVER-MINOR) test_runner: add testNamePatterns to run api (Chemi Atlow) #47628 - [
b6fb7914ca
] - test_runner: support coverage of unnamed functions (Colin Ihrig) #47652 - [
1f120a396f
] - test_runner: move coverage collection to root.postRun() (Colin Ihrig) #47651 - [
bdd02a467d
] - (SEMVER-MINOR) test_runner: execute before hook on test (Chemi Atlow) #47586 - [
ec24abaa03
] - test_runner: avoid reporting parents of failing tests in summary (Moshe Atlow) #47579 - [
4203057740
] - test_runner: fix spec skip detection (Moshe Atlow) #47537 - [
57c69987ba
] - tls: accept SecureContext object in server.addContext() (HinataKah0) #47570 - [
c620eb80a0
] - tools: update doc to highlight.js@11.8.0 (Node.js GitHub Bot) #47786 - [
326c3f1593
] - tools: add the missing LoongArch64 definition in the v8.gyp file (Sun Haiyong) #47641 - [
8d1588acdc
] - tools: update lint-md-dependencies to rollup@3.21.1 (Node.js GitHub Bot) #47787 - [
226e5b83ee
] - tools: move update-npm to dep updaters (Marco Ippolito) #47619 - [
9d0bef6c0a
] - tools: fix update-v8-patch cache (Marco Ippolito) #47725 - [
63e8c95a66
] - tools: automate v8 patch update (Marco Ippolito) #47594 - [
d2994e52d3
] - tools: fix skip message in update-cjs-module-lexer (Tobias Nießen) #47701 - [
ccf9c37b43
] - tools: update lint-md-dependencies to @rollup/plugin-commonjs@24.1.0 (Node.js GitHub Bot) #47577 - [
0887fa0464
] - tools: keep PR titles/description up-to-date (Tobias Nießen) #47621 - [
b8927ddf16
] - tools: fix updating root certificates (Richard Lau) #47607 - [
87cae0cb59
] - tools: update PR label config (Mohammed Keyvanzadeh) #47593 - [
c17f2688b8
] - Revert "tools: ensure failed daily wpt run still generates a report" (Filip Skokan) #47627 - [
fbe7d73234
] - tools: add execution permission to uvwasi script (Mert Can Altın) #47600 - [
e3f4ff439e
] - tools: add update script for googletest (Tobias Nießen) #47482 - [
7c552e650a
] - tools: add option to run workflow with specific tool id (Michaël Zasso) #47591 - [
1509312170
] - tools: automate zlib update (Marco Ippolito) #47417 - [
6af7f1ee03
] - tools: add url and whatwg-url labels automatically (Yagiz Nizipli) #47545 - [
ff73c05d54
] - tools: add performance label to benchmark changes (Yagiz Nizipli) #47545 - [
9e3e0b0a84
] - tools: automate uvwasi dependency update (Ranieri Innocenti Spada) #47509 - [
233b628f22
] - tools: add missing pinned dependencies (Mateo Nunez) #47346 - [
e4d95859f5
] - tools: automate ngtcp2 and nghttp3 update (Marco Ippolito) #47402 - [
2e8338126b
] - tools: move update-undici.sh to dep_updaters and create maintain md (Marco Ippolito) #47380 - [
8712eafc87
] - typings: fix syntax error in tsconfig (Mohammed Keyvanzadeh) #47584 - [
e4b6b79f18
] - url: reduce revokeObjectURL cpp calls (Yagiz Nizipli) #47728 - [
9aae76727f
] - url: handle URL.canParse without base parameter (Yagiz Nizipli) #47547 - [
180d365439
] - url: validate URL constructor arg length (Matthew Aitken) #47513 - [
4839fc4369
] - url: validate argument length in canParse (Matthew Aitken) #47513 - [
606523d37e
] - v8: fix ERR_NOT_BUILDING_SNAPSHOT is not a constructor (Chengzhong Wu) #47721 - [
75c1d1b66e
] - (SEMVER-MINOR) wasi: make returnOnExit true by default (Michael Dawson) #47390
We're excited to announce the release of Node.js 20! Highlights include the new Node.js Permission Model,
a synchronous import.meta.resolve
, a stable test_runner, updates of the V8 JavaScript engine to 11.3, Ada to 2.0,
and more!
As a reminder, Node.js 20 will enter long-term support (LTS) in October, but until then, it will be the "Current" release for the next six months. We encourage you to explore the new features and benefits offered by this latest release and evaluate their potential impact on your applications.
Node.js now has an experimental feature called the Permission Model.
It allows developers to restrict access to specific resources during program execution, such as file system operations,
child process spawning, and worker thread creation.
The API exists behind a flag --experimental-permission
which when enabled will restrict access to all available permissions.
By using this feature, developers can prevent their applications from accessing or modifying sensitive data or running potentially harmful code.
More information about the Permission Model can be found in the Node.js documentation.
The Permission Model was a contribution by Rafael Gonzaga in #44004.
ESM hooks supplied via loaders (--experimental-loader=foo.mjs
) now run in a dedicated thread, isolated from the main thread.
This provides a separate scope for loaders and ensures no cross-contamination between loaders and application code.
Synchronous import.meta.resolve()
In alignment with browser behavior, this function now returns synchronously.
Despite this, user loader resolve
hooks can still be defined as async functions (or as sync functions, if the author prefers).
Even when there are async resolve
hooks loaded, import.meta.resolve
will still return synchronously for application code.
Contributed by Anna Henningsen, Antoine du Hamel, Geoffrey Booth, Guy Bedford, Jacob Smith, and Michaël Zasso in #44710
The V8 engine is updated to version 11.3, which is part of Chromium 113. This version includes three new features to the JavaScript API:
- String.prototype.isWellFormed and toWellFormed
- Methods that change Array and TypedArray by copy
- Resizable ArrayBuffer and growable SharedArrayBuffer
- RegExp v flag with set notation + properties of strings
- WebAssembly Tail Call
The V8 update was a contribution by Michaël Zasso in #47251.
The recent update to Node.js, version 20, includes an important change to the test_runner module. The module has been marked as stable after a recent update. Previously, the test_runner module was experimental, but this change marks it as a stable module that is ready for production use.
Contributed by Colin Ihrig in #46983
Node.js v20 comes with the latest version of the URL parser, Ada. This update brings significant performance improvements
to URL parsing, including enhancements to the url.domainToASCII
and url.domainToUnicode
functions in node:url
.
Ada 2.0 has been integrated into the Node.js codebase, ensuring that all parts of the application can benefit from the improved performance. Additionally, Ada 2.0 features a significant performance boost over its predecessor, Ada 1.0.4, while also eliminating the need for the ICU requirement for URL hostname parsing.
Contributed by Yagiz Nizipli and Daniel Lemire in #47339
Building a single executable app now requires injecting a blob prepared by Node.js from a JSON config instead of injecting the raw JS file. This opens up the possibility of embedding multiple co-existing resources into the SEA (Single Executable Apps).
Contributed by Joyee Cheung in #47125
Web Crypto API functions' arguments are now coerced and validated as per their WebIDL definitions like in other Web Crypto API implementations. This further improves interoperability with other implementations of Web Crypto API.
This change was made by Filip Skokan in #46067.
Node.js now includes binaries for ARM64 Windows, allowing for native execution on the platform. The MSI, zip/7z packages, and executable are available from the Node.js download site along with all other platforms. The CI system was updated and all changes are now fully tested on ARM64 Windows, to prevent regressions and ensure compatibility.
ARM64 Windows was upgraded to tier 2 support by Stefan Stojanovic in #47233.
When new WASI()
is called, the version option is now required and has no default value.
Any code that relied on the default for the version will need to be updated to request a specific version.
This change was made by Michael Dawson in #47391.
- [
3bed5f11e0
] - (SEMVER-MAJOR) url: runtime-deprecate url.parse() with invalid ports (Rich Trott) #45526
url.parse()
accepts URLs with ports that are not numbers. This behavior might result in host name spoofing with unexpected input.
These URLs will throw an error in future versions of Node.js, as the WHATWG URL API does already.
Starting with Node.js 20, these URLS cause url.parse()
to emit a warning.
- [
9fafb0a090
] - (SEMVER-MAJOR) async_hooks: deprecate the AsyncResource.bind asyncResource property (James M Snell) #46432 - [
1948d37595
] - (SEMVER-MAJOR) buffer: check INSPECT_MAX_BYTES with validateNumber (Umuoy) #46599 - [
7bc0e6a4e7
] - (SEMVER-MAJOR) buffer: graduate File from experimental and expose as global (Khafra) #47153 - [
671ffd7825
] - (SEMVER-MAJOR) buffer: use min/max ofvalidateNumber
(Deokjin Kim) #45796 - [
ab1614d280
] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Michaël Zasso) #47251 - [
c1bcdbcf79
] - (SEMVER-MAJOR) build: warn for gcc versions earlier than 10.1 (Richard Lau) #46806 - [
649f68fc1e
] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Yagiz Nizipli) #45579 - [
9374700d7a
] - (SEMVER-MAJOR) crypto: remove DEFAULT_ENCODING (Tobias Nießen) #47182 - [
1640aeb680
] - (SEMVER-MAJOR) crypto: remove obsolete SSL_OP_* constants (Tobias Nießen) #47073 - [
c2e4b1fa9a
] - (SEMVER-MAJOR) crypto: remove ALPN_ENABLED (Tobias Nießen) #47028 - [
3ef38c4bd7
] - (SEMVER-MAJOR) crypto: use WebIDL converters in WebCryptoAPI (Filip Skokan) #46067 - [
08af023b1f
] - (SEMVER-MAJOR) crypto: runtime deprecate replaced rsa-pss keygen parameters (Filip Skokan) #45653 - [
7eb0ac3cb6
] - (SEMVER-MAJOR) deps: patch V8 to support compilation on win-arm64 (Michaël Zasso) #47251 - [
a7c129f286
] - (SEMVER-MAJOR) deps: silence irrelevant V8 warning (Michaël Zasso) #47251 - [
6f5655a18e
] - (SEMVER-MAJOR) deps: always define V8_EXPORT_PRIVATE as no-op (Michaël Zasso) #47251 - [
f226350fcb
] - (SEMVER-MAJOR) deps: update V8 to 11.3.244.4 (Michaël Zasso) #47251 - [
d6dae7420e
] - (SEMVER-MAJOR) deps: V8: cherry-pick f1c888e7093e (Michaël Zasso) #45579 - [
56c436533e
] - (SEMVER-MAJOR) deps: fix V8 build on Windows with MSVC (Michaël Zasso) #45579 - [
51ab98c71b
] - (SEMVER-MAJOR) deps: silence irrelevant V8 warning (Michaël Zasso) #45579 - [
9f84d3eea8
] - (SEMVER-MAJOR) deps: V8: fix v8-cppgc.h for MSVC (Jiawen Geng) #45579 - [
f2318cd4b5
] - (SEMVER-MAJOR) deps: fix V8 build issue with inline methods (Jiawen Geng) #45579 - [
16e03e7968
] - (SEMVER-MAJOR) deps: update V8 to 10.9.194.4 (Yagiz Nizipli) #45579 - [
6473f5e7f7
] - (SEMVER-MAJOR) doc: update toolchains used for Node.js 20 releases (Richard Lau) #47352 - [
cc18fd9608
] - (SEMVER-MAJOR) events: refactor to usevalidateNumber
(Deokjin Kim) #45770 - [
ff92b40ffc
] - (SEMVER-MAJOR) http: close the connection after sending a body without declared length (Tim Perry) #46333 - [
2a29df6464
] - (SEMVER-MAJOR) http: keep HTTP/1.1 conns alive even if the Connection header is removed (Tim Perry) #46331 - [
391dc74a10
] - (SEMVER-MAJOR) http: throw error if options of http.Server is array (Deokjin Kim) #46283 - [
ed3604cd64
] - (SEMVER-MAJOR) http: server check Host header, to meet RFC 7230 5.4 requirement (wwwzbwcom) #45597 - [
88d71dc301
] - (SEMVER-MAJOR) lib: refactor to use min/max ofvalidateNumber
(Deokjin Kim) #45772 - [
e4d641f02a
] - (SEMVER-MAJOR) lib: refactor to use validators in http2 (Debadree Chatterjee) #46174 - [
0f3e531096
] - (SEMVER-MAJOR) lib: performance improvement on readline async iterator (Thiago Oliveira Santos) #41276 - [
5b5898ac86
] - (SEMVER-MAJOR) lib,src: update exit codes as per todos (Debadree Chatterjee) #45841 - [
55321bafd1
] - (SEMVER-MAJOR) net: enable autoSelectFamily by default (Paolo Insogna) #46790 - [
2d0d99733b
] - (SEMVER-MAJOR) process: removeprocess.exit()
,process.exitCode
coercion to integer (Daeyeon Jeong) #43716 - [
dc06df31b6
] - (SEMVER-MAJOR) readline: refactor to usevalidateNumber
(Deokjin Kim) #45801 - [
295b2f3ff4
] - (SEMVER-MAJOR) src: update NODE_MODULE_VERSION to 115 (Michaël Zasso) #47251 - [
3803b028dd
] - (SEMVER-MAJOR) src: share common code paths for SEA and embedder script (Anna Henningsen) #46825 - [
e8bddac3e9
] - (SEMVER-MAJOR) src: apply ABI-breaking API simplifications (Anna Henningsen) #46705 - [
f84de0ad4c
] - (SEMVER-MAJOR) src: use uint32_t for process initialization flags enum (Anna Henningsen) #46427 - [
a6242772ec
] - (SEMVER-MAJOR) src: fix ArrayBuffer::Detach deprecation (Michaël Zasso) #45579 - [
dd5c39a808
] - (SEMVER-MAJOR) src: update NODE_MODULE_VERSION to 112 (Yagiz Nizipli) #45579 - [
63eca7fec0
] - (SEMVER-MAJOR) stream: validate readable defaultEncoding (Marco Ippolito) #46430 - [
9e7093f416
] - (SEMVER-MAJOR) stream: validate writable defaultEncoding (Marco Ippolito) #46322 - [
fb91ee4f26
] - (SEMVER-MAJOR) test: make trace-gc-flag tests less strict (Yagiz Nizipli) #45579 - [
eca618071e
] - (SEMVER-MAJOR) test: adapt test-v8-stats for V8 update (Michaël Zasso) #45579 - [
c03354d3e0
] - (SEMVER-MAJOR) test: test case for multiple res.writeHead and res.getHeader (Marco Ippolito) #45508 - [
c733cc0c7f
] - (SEMVER-MAJOR) test_runner: mark module as stable (Colin Ihrig) #46983 - [
7ce223273d
] - (SEMVER-MAJOR) tools: update V8 gypfiles for 11.1 (Michaël Zasso) #47251 - [
ca4bd3023e
] - (SEMVER-MAJOR) tools: update V8 gypfiles for 11.0 (Michaël Zasso) #47251 - [
58b06a269a
] - (SEMVER-MAJOR) tools: update V8 gypfiles (Michaël Zasso) #45579 - [
027841c964
] - (SEMVER-MAJOR) url: use private properties for brand check (Yagiz Nizipli) #46904 - [
3bed5f11e0
] - (SEMVER-MAJOR) url: runtime-deprecate url.parse() with invalid ports (Rich Trott) #45526 - [
7c76fddf25
] - (SEMVER-MAJOR) util,doc: mark parseArgs() as stable (Colin Ihrig) #46718 - [
4b52727976
] - (SEMVER-MAJOR) wasi: make version non-optional (Michael Dawson) #47391
- [
d4b440bfac
] - (SEMVER-MINOR) fs: implement byob mode for readableWebStream() (Debadree Chatterjee) #46933 - [
00c222593e
] - (SEMVER-MINOR) src,process: add permission model (Rafael Gonzaga) #44004 - [
978b57d750
] - (SEMVER-MINOR) wasi: no longer require flag to enable wasi (Michael Dawson) #47286
- [
e50c6b9a22
] - bootstrap: do not expand process.argv[1] for snapshot entry points (Joyee Cheung) #47466 - [
c81e1143e4
] - bootstrap: store internal loaders in C++ via a binding (Joyee Cheung) #47215 - [
8e673bdb84
] - build: add node-core-utils to setup (Jiawen Geng) #47442 - [
5b561d72a6
] - build: sync cares source change (Jiawen Geng) #47359 - [
8e6ee53e4e
] - build: remove non-exist build file (Jiawen Geng) #47361 - [
9a4d21d1d9
] - build, deps, tools: avoid excessive LTO (Konstantin Demin) #47313 - [
48c01485cd
] - crypto: replace THROW with CHECK for scrypt keylen (Tobias Nießen) #47407 - [
4c1a27716b
] - crypto: re-add padding for AES-KW wrapped JWKs (Filip Skokan) #46563 - [
b66eb15d12
] - deps: update simdutf to 3.2.7 (Node.js GitHub Bot) #47473 - [
3fc11477ba
] - deps: update corepack to 0.17.2 (Node.js GitHub Bot) #47474 - [
c1776531ab
] - deps: upgrade npm to 9.6.4 (npm team) #47432 - [
e7ca09f310
] - deps: update zlib to upstream 5edb52d4 (Luigi Pinca) #47151 - [
88387ccd12
] - deps: update ada to 2.0.0 (Node.js GitHub Bot) #47339 - [
9f468cc37e
] - deps: cherry-pick Windows ARM64 fix for openssl (Richard Lau) #46570 - [
eeab210b1b
] - deps: update archs files for quictls/openssl-3.0.8+quic (RafaelGSS) #46570 - [
d93d7716c7
] - deps: upgrade openssl sources to quictls/openssl-3.0.8+quic (RafaelGSS) #46571 - [
0f69ec4dd7
] - deps: patch V8 to 10.9.194.9 (Michaël Zasso) #45995 - [
5890d09644
] - deps: patch V8 to 10.9.194.6 (Michaël Zasso) #45748 - [
c02a7e7e93
] - diagnostics_channel: fix ref counting bug when reaching zero subscribers (Stephen Belanger) #47520 - [
c7ad5bb37d
] - doc: info on handling unintended breaking changes (Michael Dawson) #47426 - [
7d2d40ed0d
] - doc: add performance initiative (Yagiz Nizipli) #47424 - [
d56c0f7318
] - doc: do not create a backup file (Luigi Pinca) #47151 - [
412d27b65b
] - doc: add MoLow to the TSC (Colin Ihrig) #47436 - [
f131cca0c0
] - doc: reserve 116 for Electron 25 (Keeley Hammond) #47375 - [
1022c6f424
] - doc: add experimental stages (Geoffrey Booth) #46100 - [
42d3d74717
] - doc: clarify release notes for Node.js 16.19.0 (Richard Lau) #45846 - [
533c6512da
] - doc: clarify release notes for Node.js 14.21.2 (Richard Lau) #45846 - [
97165fc1a6
] - doc: fix doc metadata for Node.js 16.19.0 (Richard Lau) #45863 - [
a266b8b702
] - doc: add registry number for Electron 23 & 24 (Keeley Hammond) #45661 - [
2613a9ced9
] - esm: move hook execution to separate thread (Jacob Smith) #44710 - [
841f6b3abf
] - esm: increase test coverage of edge cases (Antoine du Hamel) #47033 - [
0d575fe61a
] - gyp: put filenames in variables (Cheng Zhao) #46965 - [
41b186722c
] - lib: distinguish webidl interfaces with the extended property "Exposed" (Chengzhong Wu) #46809 - [
9b7db62276
] - lib: makeRequireFunction patch when experimental policy (RafaelGSS) nodejs-private/node-private#358 - [
d43b532789
] - lib: refactor to usevalidateBuffer
(Deokjin Kim) #46489 - [
9a76a2521b
] - meta: ping security-wg team on permission model changes (Rafael Gonzaga) #47483 - [
a4dadde1ba
] - meta: ping startup and realm team on src/node_realm* changes (Joyee Cheung) #47448 - [
631c3ef3de
] - module: do less CJS module loader initialization at run time (Joyee Cheung) #47194 - [
8bcf0a42f7
] - permission: fix chmod,chown improve fs coverage (Rafael Gonzaga) #47529 - [
54d17ff4b5
] - permission: support fs.mkdtemp (Rafael Gonzaga) #47470 - [
b441b5dc65
] - permission: drop process.permission.deny (Rafael Gonzaga) #47335 - [
aa30e16716
] - permission: fix some vulnerabilities in fs (Tobias Nießen) #47091 - [
1726da9300
] - permission: add path separator to loader check (Rafael Gonzaga) #47030 - [
b164038c86
] - permission: fix spawnSync permission check (RafaelGSS) #46975 - [
af91400886
] - policy: makeRequireFunction on mainModule.require (RafaelGSS) nodejs-private/node-private#358 - [
f8b4e26aee
] - quic: add more QUIC impl (James M Snell) #47348 - [
d65ae9f678
] - quic: add additional quic implementation utilities (James M Snell) #47289 - [
9b104be502
] - quic: do not dereference shared_ptr after move (Tobias Nießen) #47294 - [
09a4bb152f
] - quic: add multiple internal utilities (James M Snell) #47263 - [
2bde0059ca
] - sea: use JSON configuration and blob content for SEA (Joyee Cheung) #47125 - [
78c7475493
] - src: allow simdutf::convert_* functions to return zero (Daniel Lemire) #47471 - [
5250947a53
] - src: track ShadowRealm native objects correctly in the heap snapshot (Joyee Cheung) #47389 - [
8059764621
] - src: use the internal field to determine if an object is a BaseObject (Joyee Cheung) #47217 - [
698508afa8
] - src: bootstrap prepare stack trace callback in shadow realm (Chengzhong Wu) #47107 - [
e6b4d30a2f
] - src: bootstrap Web [Exposed=*] APIs in the shadow realm (Chengzhong Wu) #46809 - [
3646a66044
] - src: fix AliasedBuffer memory attribution in heap snapshots (Joyee Cheung) #46817 - [
8b2126f63f
] - src: move AliasedBuffer implementation to -inl.h (Joyee Cheung) #46817 - [
3abbc3829a
] - src: fix useless call in permission.cc (Tobias Nießen) #46833 - [
7b1e153530
] - src: simplify exit code accesses (Daeyeon Jeong) #45125 - [
7359b92a41
] - test: remove unnecessary status check on test-release-npm (RafaelGSS) #47516 - [
a5a5d2fb7e
] - test: mark test/parallel/test-file-write-stream4 as flaky (Yagiz Nizipli) #47423 - [
81ad73a205
] - test: remove unused callback variables (angellovc) #47167 - [
757a586ead
] - test: migrate test runner message tests to snapshot (Moshe Atlow) #47392 - [
86f890539f
] - test: remove stale entry from known_issues.status (Richard Lau) #47454 - [
1f3773d0c1
] - test: move more inspector sequential tests to parallel (Joyee Cheung) #47412 - [
617b8d44c6
] - test: use random port in test-inspector-enabled (Joyee Cheung) #47412 - [
ade0170c4f
] - test: use random port in test-inspector-debug-brk-flag (Joyee Cheung) #47412 - [
1a78632cd3
] - test: use random port in NodeInstance.startViaSignal() (Joyee Cheung) #47412 - [
23f66b137e
] - test: move test-shadow-realm-gc.js to known_issues (Joyee Cheung) #47355 - [
9dfd0394c5
] - test: remove useless WPT init scripts (Khafra) #47221 - [
1cfe058778
] - test: fix test-permission-deny-fs-wildcard (win32) (Tobias Nießen) #47095 - [
b8ef1b476e
] - test: add coverage for custom loader hooks with permission model (Antoine du Hamel) #46977 - [
4a7c3e9c50
] - test: fix file path in permission symlink test (Livia Medeiros) #46859 - [
10005de6a8
] - tools: makejs2c.py
usable for other build systems (Cheng Zhao) #46930 - [
1e2f9aca72
] - tools: move update-acorn.sh to dep_updaters and create maintaining md (Marco Ippolito) #47382 - [
174662a463
] - tools: update eslint to 8.38.0 (Node.js GitHub Bot) #47475 - [
a58ca61f35
] - tools: update eslint to 8.38.0 (Node.js GitHub Bot) #47475 - [
37d12730ab
] - tools: automate cjs-module-lexer dependency update (Marco Ippolito) #47446 - [
4fbfa3c9f2
] - tools: fix notify-on-push Slack messages (Antoine du Hamel) #47453 - [
b1f2ff1242
] - tools: update lint-md-dependencies to @rollup/plugin-node-resolve@15.0.2 (Node.js GitHub Bot) #47431 - [
26b2584b84
] - tools: add root certificate update script (Richard Lau) #47425 - [
553b052648
] - tools: remove targets for individual test suites inMakefile
(Antoine du Hamel) #46892 - [
747ff43e5b
] - url: more sophisticated brand check for URLSearchParams (Timothy Gu) #47414 - [
e727eb066f
] - url: do not use object as hashmap (Timothy Gu) #47415 - [
81c7875eb7
] - url: drop ICU requirement for parsing hostnames (Yagiz Nizipli) #47339 - [
a4895df94a
] - url: use ada::url_aggregator for parsing urls (Yagiz Nizipli) #47339