win,tools: use Azure Trusted Signing (v20 backport)

README.md

@@ -317,6 +317,8 @@ For information about the governance of the Node.js project, see
   **Kohei Ueno** <<kohei.ueno119@gmail.com>> (he/him)
 * [daeyeon](https://github.com/daeyeon) -
   **Daeyeon Jeong** <<daeyeon.dev@gmail.com>> (he/him)
+* [dario-piotrowicz](https://github.com/dario-piotrowicz) -
+  **Dario Piotrowicz** <<dario.piotrowicz@gmail.com>> (he/him)
 * [debadree25](https://github.com/debadree25) -
   **Debadree Chatterjee** <<debadree333@gmail.com>> (he/him)
 * [deokjinkim](https://github.com/deokjinkim) -
@@ -745,6 +747,8 @@ maintaining the Node.js project.
   **Feng Yu** <<F3n67u@outlook.com>> (he/him)
 * [gireeshpunathil](https://github.com/gireeshpunathil) -
   **Gireesh Punathil** <<gpunathi@in.ibm.com>> (he/him)
+* [gurgunday](https://github.com/gurgunday) -
+  **Gürgün Dayıoğlu** <<hey@gurgun.day>>
 * [iam-frankqiu](https://github.com/iam-frankqiu) -
   **Frank Qiu** <<iam.frankqiu@gmail.com>> (he/him)
 * [KevinEady](https://github.com/KevinEady) -

SECURITY.md

@@ -55,6 +55,39 @@ Here is the security disclosure policy for Node.js
   possible; however, we must follow the release process above to ensure that we
   handle disclosure consistently.
 
+## Code of Conduct and Vulnerability Reporting Guidelines
+
+When reporting security vulnerabilities, reporters must adhere to the following guidelines:
+
+1. **Code of Conduct Compliance**: All security reports must comply with our
+   [Code of Conduct](CODE_OF_CONDUCT.md). Reports that violate our code of conduct
+   will not be considered and may result in being banned from future participation.
+
+2. **No Harmful Actions**: Security research and vulnerability reporting must not:
+   * Cause damage to running systems or production environments.
+   * Disrupt Node.js development or infrastructure.
+   * Affect other users' applications or systems.
+   * Include actual exploits that could harm users.
+   * Involve social engineering or phishing attempts.
+
+3. **Responsible Testing**: When testing potential vulnerabilities:
+   * Use isolated, controlled environments.
+   * Do not test on production systems.
+   * Do not attempt to access or modify other users' data.
+   * Immediately stop testing if unauthorized access is gained accidentally.
+
+4. **Report Quality**
+   * Provide clear, detailed steps to reproduce the vulnerability.
+   * Include only the minimum proof of concept required to demonstrate the issue.
+   * Remove any malicious payloads or components that could cause harm.
+
+Failure to follow these guidelines may result in:
+
+* Rejection of the vulnerability report.
+* Forfeiture of any potential bug bounty.
+* Temporary or permanent ban from the bug bounty program.
+* Legal action in cases of malicious intent.
+
 ## The Node.js threat model
 
 In the Node.js threat model, there are trusted elements such as the

common.gypi

@@ -36,7 +36,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.26',
+    'v8_embedder_string': '-node.29',
 
     ##### V8 defaults for Node.js #####
 

deps/icu-small/LICENSE

@@ -2,7 +2,7 @@ UNICODE LICENSE V3
 
 COPYRIGHT AND PERMISSION NOTICE
 
-Copyright © 2016-2024 Unicode, Inc.
+Copyright © 2016-2025 Unicode, Inc.
 
 NOTICE TO USER: Carefully read the following legal agreement. BY
 DOWNLOADING, INSTALLING, COPYING OR OTHERWISE USING DATA FILES, AND/OR

deps/icu-small/README-FULL-ICU.txt

@@ -1,8 +1,8 @@
 ICU sources - auto generated by shrink-icu-src.py
 
 This directory contains the ICU subset used by --with-intl=full-icu
-It is a strict subset of ICU 76 source files with the following exception(s):
-* deps/icu-small/source/data/in/icudt76l.dat.bz2 : compressed data file
+It is a strict subset of ICU 77 source files with the following exception(s):
+* deps/icu-small/source/data/in/icudt77l.dat.bz2 : compressed data file
 
 
 To rebuild this directory, see ../../tools/icu/README.md

deps/icu-small/source/common/brkiter.cpp

@@ -59,7 +59,7 @@ BreakIterator::buildInstance(const Locale& loc, const char *type, UErrorCode &st
 {
     char fnbuff[256];
     char ext[4]={'\0'};
-    CharString actualLocale;
+    CharString actual;
     int32_t size;
     const char16_t* brkfname = nullptr;
     UResourceBundle brkRulesStack;
@@ -94,7 +94,7 @@ BreakIterator::buildInstance(const Locale& loc, const char *type, UErrorCode &st
 
         // Use the string if we found it
         if (U_SUCCESS(status) && brkfname) {
-            actualLocale.append(ures_getLocaleInternal(brkName, &status), -1, status);
+            actual.append(ures_getLocaleInternal(brkName, &status), -1, status);
 
             char16_t* extStart=u_strchr(brkfname, 0x002e);
             int len = 0;
@@ -123,10 +123,9 @@ BreakIterator::buildInstance(const Locale& loc, const char *type, UErrorCode &st
     if (U_SUCCESS(status) && result != nullptr) {
         U_LOCALE_BASED(locBased, *(BreakIterator*)result);
 
-        locBased.setLocaleIDs(ures_getLocaleByType(b, ULOC_VALID_LOCALE, &status), 
-                              actualLocale.data());
-        uprv_strncpy(result->requestLocale, loc.getName(), ULOC_FULLNAME_CAPACITY);
-        result->requestLocale[ULOC_FULLNAME_CAPACITY-1] = 0; // always terminate
+        locBased.setLocaleIDs(ures_getLocaleByType(b, ULOC_VALID_LOCALE, &status),
+                              actual.data(), status);
+        LocaleBased::setLocaleID(loc.getName(), result->requestLocale, status);
     }
 
     ures_close(b);
@@ -206,26 +205,32 @@ BreakIterator::getAvailableLocales(int32_t& count)
 
 BreakIterator::BreakIterator()
 {
-    *validLocale = *actualLocale = *requestLocale = 0;
 }
 
 BreakIterator::BreakIterator(const BreakIterator &other) : UObject(other) {
-    uprv_strncpy(actualLocale, other.actualLocale, sizeof(actualLocale));
-    uprv_strncpy(validLocale, other.validLocale, sizeof(validLocale));
-    uprv_strncpy(requestLocale, other.requestLocale, sizeof(requestLocale));
+    UErrorCode status = U_ZERO_ERROR;
+    U_LOCALE_BASED(locBased, *this);
+    locBased.setLocaleIDs(other.validLocale, other.actualLocale, status);
+    LocaleBased::setLocaleID(other.requestLocale, requestLocale, status);
+    U_ASSERT(U_SUCCESS(status));
 }
 
 BreakIterator &BreakIterator::operator =(const BreakIterator &other) {
     if (this != &other) {
-        uprv_strncpy(actualLocale, other.actualLocale, sizeof(actualLocale));
-        uprv_strncpy(validLocale, other.validLocale, sizeof(validLocale));
-        uprv_strncpy(requestLocale, other.requestLocale, sizeof(requestLocale));
+        UErrorCode status = U_ZERO_ERROR;
+        U_LOCALE_BASED(locBased, *this);
+        locBased.setLocaleIDs(other.validLocale, other.actualLocale, status);
+        LocaleBased::setLocaleID(other.requestLocale, requestLocale, status);
+        U_ASSERT(U_SUCCESS(status));
     }
     return *this;
 }
 
 BreakIterator::~BreakIterator()
 {
+    delete validLocale;
+    delete actualLocale;
+    delete requestLocale;
 }
 
 // ------------------------------------------
@@ -394,7 +399,7 @@ BreakIterator::createInstance(const Locale& loc, int32_t kind, UErrorCode& statu
         // revisit this in ICU 3.0 and clean it up/fix it/remove it.
         if (U_SUCCESS(status) && (result != nullptr) && *actualLoc.getName() != 0) {
             U_LOCALE_BASED(locBased, *result);
-            locBased.setLocaleIDs(actualLoc.getName(), actualLoc.getName());
+            locBased.setLocaleIDs(actualLoc.getName(), actualLoc.getName(), status);
         }
         return result;
     }
@@ -488,6 +493,7 @@ BreakIterator::makeInstance(const Locale& loc, int32_t kind, UErrorCode& status)
     }
 
     if (U_FAILURE(status)) {
+        delete result;
         return nullptr;
     }
 
@@ -496,20 +502,25 @@ BreakIterator::makeInstance(const Locale& loc, int32_t kind, UErrorCode& status)
 
 Locale
 BreakIterator::getLocale(ULocDataLocaleType type, UErrorCode& status) const {
+    if (U_FAILURE(status)) {
+        return Locale::getRoot();
+    }
     if (type == ULOC_REQUESTED_LOCALE) {
-        return {requestLocale};
+        return requestLocale == nullptr ?
+            Locale::getRoot() : Locale(requestLocale->data());
     }
-    U_LOCALE_BASED(locBased, *this);
-    return locBased.getLocale(type, status);
+    return LocaleBased::getLocale(validLocale, actualLocale, type, status);
 }
 
 const char *
 BreakIterator::getLocaleID(ULocDataLocaleType type, UErrorCode& status) const {
+    if (U_FAILURE(status)) {
+        return nullptr;
+    }
     if (type == ULOC_REQUESTED_LOCALE) {
-        return requestLocale;
+        return requestLocale == nullptr ?  "" : requestLocale->data();
     }
-    U_LOCALE_BASED(locBased, *this);
-    return locBased.getLocaleID(type, status);
+    return LocaleBased::getLocaleID(validLocale, actualLocale, type, status);
 }
 
 
@@ -536,8 +547,10 @@ int32_t BreakIterator::getRuleStatusVec(int32_t *fillInVec, int32_t capacity, UE
 }
 
 BreakIterator::BreakIterator (const Locale& valid, const Locale& actual) {
+  UErrorCode status = U_ZERO_ERROR;
   U_LOCALE_BASED(locBased, (*this));
-  locBased.setLocaleIDs(valid, actual);
+  locBased.setLocaleIDs(valid.getName(), actual.getName(), status);
+  U_ASSERT(U_SUCCESS(status));
 }
 
 U_NAMESPACE_END

deps/icu-small/source/common/charstr.cpp

@@ -70,6 +70,15 @@ CharString &CharString::copyFrom(const CharString &s, UErrorCode &errorCode) {
     return *this;
 }
 
+CharString &CharString::copyFrom(StringPiece s, UErrorCode &errorCode) {
+    if (U_FAILURE(errorCode)) {
+        return *this;
+    }
+    len = 0;
+    append(s, errorCode);
+    return *this;
+}
+
 int32_t CharString::lastIndexOf(char c) const {
     for(int32_t i=len; i>0;) {
         if(buffer[--i]==c) {
@@ -143,7 +152,7 @@ CharString &CharString::append(const char *s, int32_t sLength, UErrorCode &error
     return *this;
 }
 
-CharString &CharString::appendNumber(int32_t number, UErrorCode &status) {
+CharString &CharString::appendNumber(int64_t number, UErrorCode &status) {
     if (number < 0) {
         this->append('-', status);
         if (U_FAILURE(status)) {

deps/icu-small/source/common/charstr.h

@@ -74,6 +74,7 @@ class U_COMMON_API CharString : public UMemory {
      * use a UErrorCode where memory allocations might be needed.
      */
     CharString &copyFrom(const CharString &other, UErrorCode &errorCode);
+    CharString &copyFrom(StringPiece s, UErrorCode &errorCode);
 
     UBool isEmpty() const { return len==0; }
     int32_t length() const { return len; }
@@ -135,7 +136,7 @@ class U_COMMON_API CharString : public UMemory {
     }
     CharString &append(const char *s, int32_t sLength, UErrorCode &status);
 
-    CharString &appendNumber(int32_t number, UErrorCode &status);
+    CharString &appendNumber(int64_t number, UErrorCode &status);
 
     /**
      * Returns a writable buffer for appending and writes the buffer's capacity to