Releases: nodejs/node
Releases Β· nodejs/node
2026-05-05, Version 26.0.0 (Current), @RafaelGSS
We're excited to announce the release of Node.js 26! Highlights include the Temporal API enabled by default,
updates to the V8 JavaScript engine to 14.6, Undici to 8.0, and several important deprecations and removals
as we continue to modernize the platform.
As a reminder, Node.js 26 will enter long-term support (LTS) in October, but until then, it will be the "Current" release for the next six months.
We encourage you to explore the new features and benefits offered by this latest release and evaluate their potential impact on your applications.
Notable Changes
Temporal API
The Temporal API is now enabled by default in Node.js 26. Temporal is a modern date/time API for JavaScript
that provides a more robust and feature-rich alternative to the legacy Date object.
Contributed by Richard Lau in #61806.
V8 14.6
The V8 engine is updated to version 14.6.202.33, which is part of Chromium 134.
This version also includes:
- Upsert (https://github.com/tc39/proposal-upsert):
[Weak]Map.prototype.getOrInsert(),[Weak]Map.prototype.getOrInsertComputed() - Iterator sequencing (https://github.com/tc39/proposal-iterator-sequencing):
Iterator.concat()
Contributed by MichaΓ«l Zasso in #61898.
Undici 8
Undici has been updated to version 8.0.2, bringing new features and improvements to Node.js's HTTP client implementation.
Deprecations and Removals
- [
dff46c07c3] - (SEMVER-MAJOR) crypto: move DEP0182 to End-of-Life (Tobias NieΓen) #61084 - [
93c25815ee] - (SEMVER-MAJOR) http: move writeHeader to end-of-life (Sebastian Beltran) #60635
http.Server.prototype.writeHeader() is now fully removed. Use http.Server.prototype.writeHead() instead.
- [
c755b0113c] - (SEMVER-MAJOR) stream: move _stream_* to end-of-life (Sebastian Beltran) #60657
The legacy _stream_wrap, _stream_readable, _stream_writable, _stream_duplex, _stream_transform, and _stream_passthrough modules are now fully removed.
- [
adac077484] - (SEMVER-MAJOR) crypto: runtime-deprecate DEP0203 and DEP0204 (Filip Skokan) #62453 - [
ac6375417a] - (SEMVER-MAJOR) stream: promote DEP0201 to runtime deprecation (RenΓ©) #62173 - [
98907f560f] - (SEMVER-MAJOR) module: runtime-deprecate module.register() (Geoffrey Booth) #62401 - [
89f4b6cddb] - (SEMVER-MAJOR) module: remove --experimental-transform-types (Marco Ippolito) #61803
Semver-Major Commits
- [
d3f79aa65d] - (SEMVER-MAJOR) assert: allow printf-style messages as assertion error (Ruben Bridgewater) #58849 - [
f6ce381fec] - (SEMVER-MAJOR) build: bump GCC requirement to 13.2 (MichaΓ«l Zasso) #62555 - [
bff81fca46] - (SEMVER-MAJOR) build: enable Temporal by default (Richard Lau) #61806 - [
6ddb1643e1] - (SEMVER-MAJOR) build: enable V8_VERIFY_WRITE_BARRIERS in debug build (Joyee Cheung) #61898 - [
a8ab08b373] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (MichaΓ«l Zasso) #61898 - [
0998c37eb6] - (SEMVER-MAJOR) build: target Power 9 for AIX/IBM i (Richard Lau) #62296 - [
d73c49e849] - (SEMVER-MAJOR) build: drop support for Python 3.9 (Mike McCready) #61177 - [
3c92ee1008] - (SEMVER-MAJOR) build: enable maglev for Linux on s390x (Richard Lau) #60863 - [
908c468828] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (MichaΓ«l Zasso) #60488 - [
6380fbb5ee] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (MichaΓ«l Zasso) #60111 - [
089d6c77e7] - (SEMVER-MAJOR) (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) #61898 - [
f9bd0165c4] - (SEMVER-MAJOR) build,win: fix Temporal build (StefanStojanovic) #61806 - [
6cc4cf8fe8] - (SEMVER-MAJOR) crypto: unify asymmetric key import through KeyObjectHandle::Init (Filip Skokan) #62499 - [
adac077484] - (SEMVER-MAJOR) crypto: runtime-deprecate DEP0203 and DEP0204 (Filip Skokan) #62453 - [
74509b166a] - (SEMVER-MAJOR) crypto: decorate async crypto job errors with OpenSSL error details (Filip Skokan) #62348 - [
da5843b91d] - (SEMVER-MAJOR) crypto: default ML-KEM and ML-DSA pkcs8 export to seed-only format (Filip Skokan) #62178 - [
dff46c07c3] - (SEMVER-MAJOR) crypto: move DEP0182 to End-of-Life (Tobias NieΓen) #61084 - [
94cd600542] - (SEMVER-MAJOR) crypto: fix DOMException name for non-extractable key error (Filip Skokan) #60830 - [
dae2219cca] - (SEMVER-MAJOR) deps: V8: cherry-pick 0f024d4e66e0 (ishabi) #62408 - [
15d406c1b1] - (SEMVER-MAJOR) deps: fix V8 race condition for AIX (Abdirahim Musse) #61898 - [
46852d2d7a] - (SEMVER-MAJOR) deps: V8: cherry-pick cd2c216e7658 (LuYahan) #61898 - [
784431d6fc] - (SEMVER-MAJOR) deps: V8: backport 088b7112e7ab (Igor Sheludko) #61898 - [
3839c4a756] - (SEMVER-MAJOR) deps: V8: cherry-pick 00f6e834029f (Joyee Cheung) #61898 - [
44f64f1dd9] - (SEMVER-MAJOR) deps: V8: backport bef0d9c1bc90 (Joyee Cheung) #61898 - [
1f8f288e22] - (SEMVER-MAJOR) deps: V8: cherry-pick cf1bce40a5ef (Richard Lau) #61898 - [
d7eccac9ad] - (SEMVER-MAJOR) deps: V8: cherry-pick daf4656ba85e (Milad Fa) #61898 - [
3ee1ea7d0b] - (SEMVER-MAJOR) deps: V8: cherry-pick d83f479604c8 (Joyee Cheung) #61898 - [
80907c0239] - (SEMVER-MAJOR) deps: V8: cherry-pick edeb0a4fa181 (Joyee Cheung) #61898 - [
5e0dc169e9] - (SEMVER-MAJOR) deps: V8: cherry-pick aa0b288f87cc (Richard Lau) #61898 - [
8c1f7adbcd] - (SEMVER-MAJOR) deps: patch V8 to fix Windows build (StefanStojanovic) #61898 - [
3cbd3404d9] - (SEMVER-MAJOR) deps: V8: cherry-pick highway@989a498fdf3 (Richard Lau) #61898 - [
9f2b7d4031] - (SEMVER-MAJOR) deps: support madvise(3C) across ALL illumos revisions (Dan McDonald) #61898 - [
947ec32118] - (SEMVER-MAJOR) deps: patch V8 for illumos (Dan McDonald) #61898 - [[`0660b942b2...
2026-04-15, Version 24.15.0 'Krypton' (LTS), @aduh95
Notable Changes
- [
3d87ecacbc] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708 - [
83c38672f7] - cli: add --require-module/--no-require-module (Joyee Cheung) #60959 - [
54ef940e01] - (SEMVER-MINOR) crypto: add raw key formats support to the KeyObject APIs (Filip Skokan) #62240 - [
f4a3edc47a] - (SEMVER-MINOR) fs: addthrowIfNoEntryoption for fs.stat and fs.promises.stat (Juan JosΓ©) #61178 - [
5cdcba17cc] - (SEMVER-MINOR) http2: add http1Options for HTTP/1 fallback configuration (Amol Yadav) #61713 - [
8b6be3fe14] - module: mark require(esm) as stable (Joyee Cheung) #60959 - [
68fbc0c6cc] - module: mark module compile cache as stable (Joyee Cheung) #60971 - [
c851e76f8c] - (SEMVER-MINOR) net: addsetTOSandgetTOStoSocket(Amol Yadav) #61503 - [
6ac4304c87] - (SEMVER-MINOR) sqlite: add limits property to DatabaseSync (Mert Can Altin) #61298 - [
aaf9af1672] - sqlite: mark as release candidate (Matteo Collina) #61262 - [
eb77a7a297] - (SEMVER-MINOR) src: add C++ support for diagnostics channels (RafaelGSS) #61869 - [
6834ca13bb] - (SEMVER-MINOR) stream: renameDuplex.toWeb()type option toreadableType(RenΓ©) #61632 - [
f5f21d36a6] - test_runner: add exports option for module mocks (sangwook) #61727 - [
1f2025fd1e] - (SEMVER-MINOR) test_runner: expose worker ID for concurrent test execution (Ali Hassan) #61394 - [
1ca20fc33d] - (SEMVER-MINOR) test_runner: show interrupted test on SIGINT (Matteo Collina) #61676
Commits
- [
148373cea1] - assert,util: improve comparison performance (Ruben Bridgewater) #61176 - [
e5558b0859] - assert,util: fix deep comparing invalid dates skipping properties (Ruben Bridgewater) #61076 - [
83cffd92b5] - async_hooks: enabledHooksExist shall return if hooks are enabled (Gerhard StΓΆbich) #61054 - [
2c9436b43d] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #62084 - [
837acd7382] - benchmark: add startup benchmark for ESM entrypoint (Joyee Cheung) #61769 - [
a6ced7d272] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #61871 - [
a82003bf8b] - buffer: optimize buffer.concat performance (Mert Can Altin) #61721 - [
83dfd0be1d] - buffer: disallow ArrayBuffer transfer on pooled buffer (Chengzhong Wu) #61372 - [
ed2d0cb1bf] - build: support empty libname flags inconfigure.py(Antoine du Hamel) #62477 - [
09f7920267] - build: fix timezone-update path references (Chengzhong Wu) #62280 - [
af46b15b91] - build: use path-ignore in GHA coverage-windows.yml (Chengzhong Wu) #61811 - [
2cf77eadd1] - build: generate_config_gypi.py generates valid JSON (Shelley Vohr) #61791 - [
e0220f0c35] - build: build with v8 gdbjit support on supported platform (Joyee Cheung) #61010 - [
5505511dcb] - build: enable -DV8_ENABLE_CHECKS flag (Ryuhei Shima) #61327 - [
5f8ecf3940] - build: add --debug-symbols to build with -g without enabling DCHECKs (Joyee Cheung) #61100 - [
ab18c0867b] - build: fix --node-builtin-modules-path (Filip Skokan) #62115 - [
bfa60d5782] - build: fix GN for new merve dep (Shelley Vohr) #61984 - [
0d1975fe3a] - build,win: add WinGet Visual Studio 2022 Build Tools Edition config (Mike McCready) #61652 - [
10b2bb5fa6] - child_process: add tracing channel for spawn (Marco) #61836 - [
3d87ecacbc] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708 - [
83c38672f7] - cli: add --require-module/--no-require-module (Joyee Cheung) #60959 - [
9d37233824] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485 - [
b0cbfe38a4] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #62254 - [
dc034a4ac9] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #62218 - [
8aa6e706df] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #62169 - [
20cb932bcf] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #62170 - [
e2934162b4] - crypto: add missing AES dictionaries (Filip Skokan) #62099 - [
8b8db52f65] - crypto: fix importKey required argument count check (Filip Skokan) #62099 - [
bd5458db29] - crypto: fix missing nullptr check on RSA_new() (ndossche) #61888 - [
7302c7ed22] - crypto: fix handling of null BUF_MEM* in ToV8Value() (Nora Dossche) #61885 - [
8d0c22ea20] - crypto: fix potential null pointer dereference when BIO_meth_new() fails (Nora Dossche) #61788 - [
72aad8b40f] - crypto: always return certificate serial numbers as uppercase (Anna Henningsen) #61752 - [
2395fc0f4d] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #61875 - [
541be3aaf2] - crypto: recognize raw formats in keygen (Filip Skokan) #62480 - [
54ef940e01] - (SEMVER-MINOR) crypto: add raw key formats support to the KeyObject APIs (Filip Skokan) [#62240](https://github.com/nodejs/node/pull/...
2026-04-01, Version 25.9.0 (Current), @aduh95
Notable Changes
Test runner module mocking improvements
MockModuleOptions.defaultExport and MockModuleOptions.namedExports have been
consolidated into a single option MockModuleOptions.exports to align with user
expectations and other test runners.
A default property on MockModuleOptions.exports represents the default
export, and own enumerable properties are treated as named exports.
An automated migration is available to update user code:
https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports
npx codemod @nodejs/mock-module-exportsContributed by sangwook in #61727.
Other notable changes
- [
312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes toAsyncLocalStorage(Stephen Belanger) #61674 - [
62d2cd473b] - (SEMVER-MINOR) cli: add--max-heap-sizeoption (tannal) #58708 - [
d0ebf0e44b] - (SEMVER-MINOR) crypto: addTurboSHAKEandKangarooTwelveWeb Cryptography algorithms (Filip Skokan) #62183 - [
f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #62188 - [
67b854d407] - (SEMVER-MINOR) repl: remove dependency onnode:domain(Matteo Collina) #61227 - [
966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158 - [
e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #62066
Commits
- [
312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #61674 - [
bfff8cb2ab] - (SEMVER-MINOR) benchmark: add benchmarks for experimental stream/iter (James M Snell) #62066 - [
c721d68502] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #62084 - [
e2f03c8e92] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #61871 - [
2fcd07f1ba] - build: support empty libname flags inconfigure.py(Antoine du Hamel) #62477 - [
b800c57fce] - build: fix timezone-update path references (Chengzhong Wu) #62280 - [
7dc5a1e9b4] - build: skip dockit on IBMi (SRAVANI GUNDEPALLI) #62189 - [
f0eea0f905] - build: fix --node-builtin-modules-path (Filip Skokan) #62115 - [
62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708 - [
ac4b485698] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485 - [
d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183 - [
3009980d9d] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #62254 - [
f5725ca81d] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #62218 - [
f69ed4bc3f] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #61875 - [
4d96e53570] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #62169 - [
93d77719e8] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #62170 - [
3d2e23a981] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #62414 - [
176d6d2205] - deps: update timezone to 2026a (Node.js GitHub Bot) #62164 - [
95c7fc67ba] - deps: update googletest to 2461743991f9aa53e9a3625eafcbacd81a3c74cd (Node.js GitHub Bot) #62484 - [
e5e9f2044a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #62382 - [
905b94266a] - deps: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) #62051 - [
180c150122] - deps: V8: cherry-pick cf1bce40a5ef (Richard Lau) #62449 - [
bc265aa003] - deps: upgrade npm to 11.12.1 (npm team) #62448 - [
f1b28612c4] - deps: V8: cherry-pick b25cd62c7ba2 (Yagiz Nizipli) #62354 - [
757719d2af] - deps: disable rust icu compiled_data features (Chengzhong Wu) #62284 - [
3bdc955b63] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #62256 - [
a9703d194a] - deps: update googletest to 73a63ea05dc8ca29ec1d2c1d66481dd0de1950f1 (Node.js GitHub Bot) #61927 - [
85138935cb] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #62213 - [
231521e75e] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #62123 - [
0093863664] - doc: deprecatemodule.register()(DEP0205) (Geoffrey Booth) #62395 - [
0b96ece6be] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #62456 - [
8d3ea975f5] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #62492 - [
08ff16e0ba] - doc: move sqlite type conversion section to correct level (RenΓ©) #62482 - [
61cc747dd8] - doc: add Rafael to last security release steward (Rafael Gonzaga) #62423 - [
64cfa5a6fa] - doc: use npm-published version of doc-kit (Aviv Keller) #62139 - [
1020321fb0] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #62206 - [
9caa7855b2] - doc: fix guaranteed typo (lilianakatrina684-a11y) #62374 - [
e254f65306] - doc: enhance clarification about the main field (Mowafak Almahaini) #62302 - [
9e724b53f8] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #62243 - [
7f37c17516] - doc: minor typo fix (Jeff Matson) #62358 - [[
eb0ca98f01](ht...
2026-03-24, Version 25.8.2 (Current), @RafaelGSS
This is a security release.
Notable Changes
- (CVE-2026-21637) wrap
SNICallbackinvocation intry/catch(Matteo Collina) - High - (CVE-2026-21710) use null prototype for
headersDistinct/trailersDistinct(Matteo Collina) - High - (CVE-2026-21711) include permission check to
pipe_wrap.cc(RafaelGSS) - Medium - (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
- (CVE-2026-21714) handle
NGHTTP2_ERR_FLOW_CONTROLerror code (RafaelGSS) - Medium - (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
- (CVE-2026-21715) add permission check to
realpath.native(RafaelGSS) - Low - (CVE-2026-21716) include permission check on
lib/fs/promises(RafaelGSS) - Low
Commits
- [
2086b7477b] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#834 - [
0f9332a40a] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822 - [
2b6937ddb2] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271 - [
bfb8ad5787] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233 - [
be6384727f] - deps: upgrade npm to 11.11.1 (npm team) #62216 - [
2feea5bb97] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344 - [
86c04784dd] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821 - [
5197a56a34] - (CVE-2026-21711) permission: include permission check to pipe_wrap.cc (RafaelGSS) nodejs-private/node-private#820 - [
04a886c735] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795 - [
9a7f80f2b0] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794 - [
d9c9b628cf] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832 - [
45b55dc786] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816 - [
4bfda307c0] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819
2026-03-24, Version 24.14.1 'Krypton' (LTS), @RafaelGSS prepared by @juanarbol
This is a security release.
Notable Changes
- (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
- (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
- (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
- (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
- (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
- (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low
- (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
Commits
- [
6fae244080] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#828 - [
cc0910c62e] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822 - [
80cb042cf3] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271 - [
f5b8667dc2] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233 - [
08852637d9] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #62035 - [
61097db9fb] - deps: upgrade npm to 11.11.0 (npm team) #61994 - [
9ac0f9f81e] - deps: upgrade npm to 11.10.1 (npm team) #61892 - [
3dab3c4698] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344 - [
87521e99d1] - deps: V8: backport 1361b2a49d02 (Joyee Cheung) nodejs-private/node-private#828 - [
045013366f] - deps: V8: backport 185f0fe09b72 (Joyee Cheung) nodejs-private/node-private#828 - [
af22629ea8] - deps: V8: backport 0a8b1cdcc8b2 (snek) nodejs-private/node-private#828 - [
380ea72eef] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821 - [
d6b6051e08] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795 - [
bfdecef9da] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794 - [
c015edf313] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832 - [
cba66c48a5] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816 - [
df8fbfb93d] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819
2026-03-24, Version 22.22.2 'Jod' (LTS), @RafaelGSS prepared by @aduh95
This is a security release.
Notable Changes
- (CVE-2026-21637) wrap
SNICallbackinvocation intry/catch(Matteo Collina) - High - (CVE-2026-21710) use null prototype for
headersDistinct/trailersDistinct(Matteo Collina) - High - (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) - Medium
- (CVE-2026-21714) handle
NGHTTP2_ERR_FLOW_CONTROLerror code (RafaelGSS) - Medium - (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
- (CVE-2026-21715) add permission check to
realpath.native(RafaelGSS) - Low - (CVE-2026-21716) include permission check on
lib/fs/promises(RafaelGSS) - Low
Commits
- [
6f14ee5101] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#809 - [
52a52ef619] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#822 - [
30a3ab11e2] - (CVE-2026-21717) deps: V8: cherry-pick aac14dd95e5b (Joyee Cheung) nodejs-private/node-private#809 - [
e3f4d6a42e] - (CVE-2026-21717) deps: V8: backport 1361b2a49d02 (Joyee Cheung) nodejs-private/node-private#809 - [
7dc00fa5f4] - (CVE-2026-21717) deps: V8: backport 185f0fe09b72 (Joyee Cheung) nodejs-private/node-private#809 - [
076acd052d] - (CVE-2026-21717) deps: V8: backport 0a8b1cdcc8b2 (snek) nodejs-private/node-private#809 - [
963c60a951] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344 - [
a688117d5d] - deps: upgrade npm to 10.9.7 (npm team) #62330 - [
859c8c761b] - deps: update undici to v6.24.1 (Matteo Collina) #62285 - [
d5ed384a2f] - deps: upgrade npm to 10.9.6 (npm team) #62215 - [
a2fe9fd81a] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821 - [
73deff77c1] - lib: backport_tls_commonand_tls_wraprefactors (Dario Piotrowicz) #57643 - [
06fc3436f6] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795 - [
db48d9c675] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794 - [
2a6105a63b] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832 - [
91b970886f] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819
2026-03-24, Version 20.20.2 'Iron' (LTS), @marco-ippolito
v20.20.2
This tag was signed with the committerβs verified signature.
marco-ippolito
Marco Ippolito
3626fea
This commit was signed with the committerβs verified signature.
marco-ippolito
Marco Ippolito
This is a security release.
Notable Changes
- (CVE-2026-21717) fix array index hash collision (Joyee Cheung)
- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan)
- (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina)
- (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS)pull/795>
- (CVE-2026-21715) add permission check to realpath.native (RafaelGSS)
- (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS)
- (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina)
Commits
- [
cfb51fa9ce] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#831 - [
f333d0be5f] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344 - [
2acd5d1226] - deps: update undici to v6.24.1 (Matteo Collina) #62285 - [
af5c144ebc] - (CVE-2026-21717) deps,build,test: fix array index hash collision (Joyee Cheung) nodejs-private/node-private#834 - [
00ad47a28e] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821 - [
0123309566] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#840 - [
00830712bc] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#838 - [
a0c73425da] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832 - [
cc3f294507] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#839
2026-03-11, Version 25.8.1 (Current), @aduh95
Notable Changes
- [
ea87eea71a] - module: fix extensionless CJS files in"type": "module"packages (Matteo Collina) #62083
Commits
- [
bab750d1b3] - build: do not depend on V8 deps on--without-bundled-v8builds (Antoine du Hamel) #62033 - [
b26d1c7fcb] - crypto: make --use-system-ca per-env rather than per-process (Aditi) #60678 - [
e362635abf] - crypto: add missing AES dictionaries (Filip Skokan) #62099 - [
6f975db8af] - crypto: fix importKey required argument count check (Filip Skokan) #62099 - [
3beaf9c5fc] - deps: update amaro to 1.1.8 (Node.js GitHub Bot) #62151 - [
53afb0edd8] - deps: update sqlite to 3.52.0 (Node.js GitHub Bot) #62150 - [
a13ed052a1] - deps: update merve to 1.2.0 (Node.js GitHub Bot) #62149 - [
2c850577b7] - deps: patch resb crate (Richard Lau) #62138 - [
37862a6728] - deps: V8: cherry-pick aa0b288f87cc (Richard Lau) #62136 - [
09191ad8b4] - deps: update ada to 3.4.3 (Node.js GitHub Bot) #62049 - [
8d63a178fd] - doc: copyeditaddons.md(Antoine du Hamel) #62071 - [
83719ffb64] - doc: correctutil.convertProcessSignalToExitCodevalidation behavior (RenΓ©) #62134 - [
eeee7c7fb1] - doc: add efekrskl as triager (Efe) #61876 - [
db150b2e69] - doc: fix markdown forexpectFailurevalues (Jacob Smith) #62100 - [
d55a441e60] - doc: add title to index (Aviv Keller) #62046 - [
cc46204b48] - doc: include url.resolve() in DEP0169 application deprecation (Mike McCready) #62002 - [
1d91a7261e] - doc,module: add missing doc for syncHooks.deregister() (Joyee Cheung) #61959 - [
5198573bee] - http: fix use-after-free when freeParser is called during llhttp_execute (Gerhard StΓΆbich) #62095 - [
f8793f80df] - lib: fix source map url parse in dynamic imports (Chengzhong Wu) #61990 - [
5439d0e0cf] - meta: bump actions/download-artifact from 7.0.0 to 8.0.0 (dependabot[bot]) #62063 - [
27fd21943a] - meta: bump actions/upload-artifact from 6.0.0 to 7.0.0 (dependabot[bot]) #62062 - [
5b266f3295] - meta: bump step-security/harden-runner from 2.14.2 to 2.15.0 (dependabot[bot]) #62064 - [
ea87eea71a] - module: fix extensionless CJS files in"type": "module"packages (Matteo Collina) #62083 - [
851228cd60] - sqlite: handle stmt invalidation (Guilherme AraΓΊjo) #61877 - [
19efe60548] - src: expose async context frame debugging helper to JS (Anna Henningsen) #62103 - [
0257e8072f] - src: make AsyncWrap subclass internal field counts explicit (Anna Henningsen) #62103 - [
975dafbe3b] - src: release context frame in AsyncWrap::EmitDestroy (Gerhard StΓΆbich) #61995 - [
f2c08c7888] - src: use validate_ascii_with_errors instead of validate_ascii (Π‘ΠΊΠΎΠ²ΠΎΡΠΎΠ΄Π° ΠΠΈΠΊΠΈΡΠ° ΠΠ½Π΄ΡΠ΅Π΅Π²ΠΈΡ) #61122 - [
0278461d83] - stream: optimize webstreams pipeTo (Mattias Buelens) #62079 - [
4d62e95bfa] - stream: fix brotli error handling in web compression streams (Filip Skokan) #62107 - [
4bdcaf2865] - stream: improve Web Compression spec compliance (Filip Skokan) #62107 - [
a5b1be2045] - stream: fix UTF-8 character corruption in fast-utf8-stream (Matteo Collina) #61745 - [
5632446c4e] - stream: fix TransformStream race on cancel with pending write (Marco) #62040 - [
f90fa9cd1a] - stream: accept ArrayBuffer in CompressionStream and DecompressionStream (μ‘°μλ―Ό) #61913 - [
00319eaa3a] - test: update WPT for url to c928b19ab0 (Node.js GitHub Bot) #62148 - [
456abc7d20] - test: update WPT for WebCryptoAPI to c9e955840a (Node.js GitHub Bot) #62147 - [
82770cb7d3] - test: improve WPT report runner (Filip Skokan) #62107 - [
cfc847d233] - test: update WPT compression to ae05f5cb53 (Filip Skokan) #62107 - [
80f78f2737] - test: update WPT for WebCryptoAPI to 42e47329fd (Node.js GitHub Bot) #62048 - [
8048e0508c] - test: fix skipping behavior fortest-runner-run-files-undefined(Antoine du Hamel) #62026 - [
699a6214c6] - tools: revert timezone update GHA workflow to ubuntu-latest (Richard Lau) #62140 - [
1a453b550c] - tools: improve error handling in test426 update script (Rich Trott) #62121 - [
710dde5ee2] - tools: fix--node-builtin-modules-pathvalue inshell.nix(Antoine du Hamel) #62102 - [
dcb1cbb21f] - tools: bump the eslint group across 1 directory with 2 updates (dependabot[bot]) #62092 - [
7d0b758583] - tools: fix daily wpt workflow nighly release version lookup (Filip Skokan) #62076 - [
3e8c816f2e] - tools: fix example in release proposal linter (Richard Lau) #62074 - [
772d3d270d] - tools: bump minimatch from 3.1.3 to 3.1.5 in /tools/clang-format (dependabot[bot]) #62013 - [
92f3b42672] - tools: bump eslint to v10, babel to v8.0.0-rc.2 (HuΓ‘ng JΓΉnliΓ ng) #61905 - [
deead95ec5] - url: suppress warnings from url.format/url.resolve inside node_modules (RenΓ©) #62005
2026-03-05, Version 22.22.1 'Jod' (LTS)
v22.22.1
This tag was signed with the committerβs verified signature.
marco-ippolito
Marco Ippolito
Notable Changes
- [
7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #59983 - [
6063d888fe] - cli: mark--heapsnapshot-near-heap-limitas stable (Joyee Cheung) #60956 - [
d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419 - [
4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741 - [
b6ebf2cd53] - doc: add avivkeller to collaborators (Aviv Keller) #61115 - [
35854f424d] - doc: add gurgunday to collaborators (GΓΌrgΓΌn DayΔ±oΔlu) #61094 - [
5c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #60714
Commits
- [
5f773488c2] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #61076 - [
feecbb0eab] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #61388 - [
096095b127] - benchmark: add SQLite benchmarks (Guilherme AraΓΊjo) #61401 - [
b5fe481415] - benchmark: use boolean options in benchmark tests (SeokhunEom) #60129 - [
fa9faacacb] - benchmark: allow boolean option values (SeokhunEom) #60129 - [
ba8714ac21] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #60841 - [
53596de876] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #60663 - [
e8930e9d7c] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #60603 - [
1155e412b1] - benchmark: add per-suite setup option (Joyee Cheung) #60574 - [
e01903d304] - benchmark: improve cpu.sh for safety and usability (Nam Yooseong) #60162 - [
623a405747] - benchmark: add benchmark for leaf source text modules (Joyee Cheung) #60205 - [
7f5e7b9f7f] - benchmark: add microbench on isInsideNodeModules (Chengzhong Wu) #60991 - [
db132b85a8] - bootstrap: initialize http proxy after user module loader setup (Joyee Cheung) #58938 - [
66aab9f987] - buffer: let Buffer.of use heap (Π‘ΠΊΠΎΠ²ΠΎΡΠΎΠ΄Π° ΠΠΈΠΊΠΈΡΠ° ΠΠ½Π΄ΡΠ΅Π΅Π²ΠΈΡ) #60503 - [
c3cf00c671] - buffer: speed up concat via TypedArray#set (GΓΌrgΓΌn DayΔ±oΔlu) #60399 - [
f6fad231e9] - build: skip sscache action on non-main branches (Joyee Cheung) #61790 - [
2145f91f6b] - build: update android-patches/trap-handler.h.patch (Mo Luo) #60369 - [
5b49759dd8] - build: update devcontainer.json to use paired nix env (Joyee Cheung) #61414 - [
24724cde40] - build: fix misplaced comma in ldflags (hqzing) #61294 - [
c57a19934e] - build: fix crate vendor file checksums on windows (Chengzhong Wu) #61329 - [
8659d7cd07] - build: fix inconsistent quoting inMakefile(Antoine du Hamel) #60511 - [
44f339b315] - build: remove temporal updater (Chengzhong Wu) #61151 - [
d60a6cebd5] - build: update test-wpt-report to use NODE instead of OUT_NODE (Filip Skokan) #61024 - [
34ccf187f5] - build: skip build-ci on actions with a separate test step (Chengzhong Wu) #61073 - [
7b19e101a2] - build: run embedtest with node_g when BUILDTYPE=Debug (Chengzhong Wu) #60850 - [
9408c4459f] - build: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) #59984 - [
2166ec7f0f] - build: use call command when calling python configure (Jacob Nichols) #60098 - [
73ef70145d] - build: remove V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE defs (Joyee Cheung) #60296 - [
7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #59983 - [
508ce6ec6c] - build, src: fix include paths for vtune files (Rahul) #59999 - [
c89d3cd570] - build,tools: fix addon build deadlock on errors (Vladimir Morozov) #61321 - [
40904a0591] - build,win: update WinGet configurations to Python 3.14 (Mike McCready) #61431 - [
6d6742e7db] - child_process: treat ipc length header as unsigned uint32 (Ryuhei Shima) #61344 - [
6063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #60956 - [
3d324a0f88] - cluster: fix port reuse between cluster (Ryuhei Shima) #60141 - [
40a58709b4] - console: optimize single-string logging (GΓΌrgΓΌn DayΔ±oΔlu) #60422 - [
d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419 - [
4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741 - [
a87499ae25] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #60662 - [
8c65cc11e2] - crypto: update root certificates to NSS 3.116 (Node.js GitHub Bot) #59956 - [
91dc00a2c1] - debugger: fix event listener leak in the run command (Joyee Cheung) #60464 - [
0781bd3764] - deps: V8: backport 6a0a25abaed3 (Vivian Wang) #61688 - [
0cf1f9c3e9] - deps: update googletest to 85087857ad10bd407cd6ed2f52f7ea9752db621f (Node.js GitHub Bot) #61417 - [
521b4b1f07] - deps: update sqlite to 3.51.2 (Node.js GitHub Bot) #61339 - [
58b9d219a3] - *deps...
Contributors
ChALkeR, watilde, and avivkeller
Assets 2
2026-03-05, Version 20.20.1 'Iron' (LTS), @marco-ippolito
v20.20.1
This tag was signed with the committerβs verified signature.
marco-ippolito
Marco Ippolito
eb53343
This commit was signed with the committerβs verified signature.
marco-ippolito
Marco Ippolito
Notable Changes
- [
91a66e671c] - build: test on Python 3.14 (Christian Clauss) #59983 - [
f66056054b] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419 - [
80feacaddb] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741
Commits
- [
6f580d5399] - assert: fix deepEqual always return true on URL (Xuguang Mei) #50853 - [
91a66e671c] - build: test on Python 3.14 (Christian Clauss) #59983 - [
cc4f7af6f3] - build: skip sscache action on non-main branches (Joyee Cheung) #61790 - [
f66056054b] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419 - [
80feacaddb] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741 - [
fa88cc07e2] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #60662 - [
88b2eec88a] - deps: update minimatch to 10.2.2 (Node.js GitHub Bot) #61830 - [
5c053264f1] - deps: V8: backport 6a0a25abaed3 (Vivian Wang) #61687 - [
4a398699d0] - deps: update googletest to 5a9c3f9e8d9b90bbbe8feb32902146cb8f7c1757 (Node.js GitHub Bot) #61731 - [
4fa43adf15] - deps: update googletest to 56efe3983185e3f37e43415d1afa97e3860f187f (Node.js GitHub Bot) #61605 - [
1a855d490c] - deps: update googletest to 85087857ad10bd407cd6ed2f52f7ea9752db621f (Node.js GitHub Bot) #61417 - [
d8a9359826] - deps: update icu to 78.2 (Node.js GitHub Bot) #60523 - [
e79cd3a0bb] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #61928 - [
0707ade464] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #61925 - [
dc5a3cddef] - deps: update llhttp to 9.3.1 (Node.js GitHub Bot) #61827 - [
46043b94c7] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #61135 - [
6be15a596e] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #61271 - [
10881404cd] - deps: update timezone to 2025c (Node.js GitHub Bot) #61138 - [
1594a78c85] - deps: update googletest to 065127f1e4b46c5f14fc73cf8d323c221f9dc68e (Node.js GitHub Bot) #61055 - [
7fa2ee1933] - deps: update zlib to 1.3.1-63d7e16 (Node.js GitHub Bot) #60898 - [
09259532ef] - deps: update googletest to 1b96fa13f549387b7549cc89e1a785cf143a1a50 (Node.js GitHub Bot) #60739 - [
aa8bdb6886] - deps: update cjs-module-lexer to 2.1.1 (Node.js GitHub Bot) #60646 - [
cc849fde27] - deps: update googletest to 279f847 (Node.js GitHub Bot) #60219 - [
a99ba553a2] - deps: update googletest to 50b8600 (Node.js GitHub Bot) #59955 - [
6349a79f5f] - deps: update googletest to 7e17b15 (Node.js GitHub Bot) #59131 - [
8ba759f1a0] - deps: update googletest to 35b75a2 (Node.js GitHub Bot) #58710 - [
927d906850] - deps: update googletest to e9092b1 (Node.js GitHub Bot) #58565 - [
bf8919f5c2] - deps: update googletest to 0bdccf4 (Node.js GitHub Bot) #57380 - [
ae6231dac0] - deps: update googletest to e235eb3 (Node.js GitHub Bot) #56873 - [
0561c62e85] - deps: update minimatch to 10.1.2 (Node.js GitHub Bot) #61732 - [
f0ef221b0d] - deps: update minimatch to 10.1.1 (Node.js GitHub Bot) #60543 - [
15bd0da404] - deps: update archs files for openssl (Antoine du Hamel) #61912 - [
04d439323f] - deps: upgrade openssl sources to openssl-3.0.19 (Antoine du Hamel) #61912 - [
2ea16d3bd6] - deps: update corepack to 0.34.6 (Node.js GitHub Bot) #61510 - [
622f973d1c] - deps: update corepack to 0.34.5 (Node.js GitHub Bot) #60842 - [
2cd265d8b9] - deps: update corepack to 0.34.4 (Node.js GitHub Bot) #60643 - [
65e839687b] - deps: update corepack to 0.34.2 (Node.js GitHub Bot) #60550 - [
2dc99d2771] - dns: fix Windows SRV ECONNREFUSED by adjusting c-ares fallback detection (notvivek12) #61453 - [
2c7b84b1d8] - doc: fix typo in http.md (Michael Solomon) #59354 - [
a84b42667c] - doc: fix grammar in global dispatcher usage (Eng Zer Jun) #59344 - [
ffd0ada45f] - doc: fix typo intest/common/README.md(Yoo) #59180 - [
b4d9d006e7] - doc: fix broken sentence inURL.parse(Superchupu) #59164 - [
45e9971d9c] - doc: fix typo in writing-test.md (SeokHun) #59123 - [
e9fd10b5d6] - doc: fixfetchsubsections inglobals.md(Antoine du Hamel) #58933 - [
3715dd1c2b] - doc: fix wrong RFC number in http2 (Deokjin Kim) #58753 - [
098c017eac] - doc: punctuation fix for Node-API versioning clarification (Jiacai Liu) #58599 - [
545bf434e1] - doc: fix typo of filehttp.md,outgoingMessage.setTimeoutsection (yusheng chen) #58188 - [
b3d6683e7b] - doc: support toolchain with Visual Studio 2019 & 2022 only (Mike McCready) #61450 - [
8fdde5d110] - doc: fix v20 changelog after security release (Marco Ippolito) #61371 - [
31d04599be] - http: fix ...