⬆️ Updates Node.js to v26

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
node (source)		major	14.16.0 → 26.3.0
node	uses-with	major	12 → 26
node	uses-with	major	12.x → 26.x

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

nodejs/node (node)

v26.3.0: 2026-06-01, Version 26.3.0 (Current), @​aduh95

Compare Source

Notable Changes

Potential changes to macOS Universal Binary availability

With Apple and its ecosystem progressively dropping support for Intel-based
architectures, it has become apparent that the Node.js project may not be able
to maintain the universal binaries we currently distribute for the full lifetime
of Node.js 26. This change serves to communicate that risk. At present, our
intention remains to continue shipping universal binaries supporting both Apple
Silicon and Intel-based Macs for as long as practical.

Contributed by Antoine du Hamel in #​63055.

Other notable changes

• [a2a4b33dd8] - (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #​63597
• [051a2152f7] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #​63527
• [49462eca37] - (SEMVER-MINOR) http: add httpValidation option to configure header value validation (RajeshKumar11) #​61597
• [97b7ab19bd] - (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #​63079
• [cfb80a2103] - (SEMVER-MINOR) lib,permission: add permission.drop (Rafael Gonzaga) #​62672

Commits

• [a2a4b33dd8] - (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #​63597
• [0eff3e23b9] - build: def NODE_USE_NODE_CODE_CACHE only used in node_mksnapshot (Chengzhong Wu) #​63588
• [447ab2d252] - build,win: fix VS2022 arm64 PGO build (Stefan Stojanovic) #​63413
• [86032758e4] - build,win: replace LTCG with Thin LTO for releases (Stefan Stojanovic) #​63114
• [5f4d794052] - build,win: add Rust toolchain automated configuration Windows (Mike McCready) #​63381
• [051a2152f7] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #​63527
• [d0f65e3579] - crypto: coerce -0 keylen to +0 in pbkdf2 and scrypt (Jordan Harband) #​63531
• [e3ddb326c9] - crypto: harden WebCrypto against prototype pollution (Filip Skokan) #​63363
• [e04cd17dc0] - crypto: pass CryptoKey handles to KDF jobs (Filip Skokan) #​63363
• [64ba74d847] - crypto: remove async from WebCrypto methods (Filip Skokan) #​63363
• [bd230418b4] - crypto: add WebCrypto CryptoJob mode (Filip Skokan) #​63363
• [1a4090a83d] - debugger: surface inspector failures in probe mode (Joyee Cheung) #​63437
• [dbc78ff825] - debugger,test: deflake resume failure test and add debug logs (Joyee Cheung) #​63524
• [4da442f432] - deps: upgrade npm to 11.16.0 (npm team) #​63602
• [63372cfa87] - deps: SQLite: cherry-pick b869ed6 (Junsu Han) #​63525
• [e286fa170d] - deps: upgrade npm to 11.15.0 (npm team) #​63463
• [de996437a5] - doc: downgrade macOS x64 to Tier 2 (Antoine du Hamel) #​63055
• [22ac78750c] - doc: remove duplicated sentences in large-pull-requests.md (Joyee Cheung) #​63650
• [532f7f2085] - doc: update git node land instructions for security releases (Antoine du Hamel) #​63586
• [c61f90dfb9] - doc: drop --experimental from --permission (Rafael Gonzaga) #​63583
• [fd69d7b16a] - doc: improve fs.StatFs properties descriptions (aymanxdev) #​62578
• [693257782c] - doc: generate llms.txt (Guilherme Araújo) #​62027
• [55a57beb26] - doc: explicitly ask for reproducible in JS (Rafael Gonzaga) #​63479
• [4895c2babc] - doc: fix URL postMessage example in worker_threads (Kit Dallege) #​62203
• [0355c36e37] - doc: clarify filter option of sqlite.database.applyChangeset (Antoine du Hamel) #​63515
• [c85ee22df6] - doc: fix double spaces in ERR_TLS_INVALID_PROTOCOL_METHOD (Daijiro Wachi) #​63511
• [62947192f6] - doc: move hyperlinks outside of text blocks (Aviv Keller) #​63493
• [9849690a1d] - doc: edit Rust toolchain general install instructions (Antoine du Hamel) #​63488
• [885d2462e9] - doc: fix double space in modules.md (Daijiro Wachi) #​63512
• [42fbb48bc6] - doc: fix "options" to "option" in tls.createServer (Daijiro Wachi) #​63453
• [05a7b0a301] - doc: add Rust toolchain general install instructions (Mike McCready) #​63426
• [e13dfd7ed0] - doc: update toolchain for official releases (Richard Lau) #​63441
• [82306881cc] - doc: fix typo in deprecations (Daijiro Wachi) #​63434
• [eeb77d217c] - doc,lib: align WebCrypto names with spec (Filip Skokan) #​63518
• [679e13c57f] - errors: handle V8 warnings in DisallowJavascriptExecutionScope (Divyanshu Sharma) #​63491
• [7f41f5d803] - ffi: validate 'void' as parameter type in getFunction and getFunctions (Anshika Jain) #​63504
• [972cd227cb] - ffi: remove function signature property aliases (René) #​63482
• [5d7805e433] - ffi: move DynamicLibrary disposer to native layer (René) #​63459
• [5a0b32dc24] - gyp: update deps gypfiles (Nad Alaba) #​63117
• [49462eca37] - (SEMVER-MINOR) http: add httpValidation option to configure header value validation (RajeshKumar11) #​61597
• [e3c6629ee3] - http2: emit session close before stream close (Matteo Collina) #​63414
• [97b7ab19bd] - (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #​63079
• [6bef10e7b7] - lib: cleanup stateless diffiehellman key handling (Filip Skokan) #​62645
• [fdc0b3d49c] - lib: define kEnumerableProperty atomically (Antoine du Hamel) #​63609
• [99baf27aeb] - lib: fix typos in esm loader comments (RonGamzu) #​63465
• [cfb80a2103] - (SEMVER-MINOR) lib,permission: add permission.drop (Rafael Gonzaga) #​62672
• [8e75efb9bc] - meta: flip mcollina emails in .mailmap (Matteo Collina) #​63621
• [a4ae97045f] - meta: label "source maps" PRs (Chengzhong Wu) #​63591
• [3455a48ae1] - meta: add vfs subsystem label (René) #​62331
• [01bfcdfc20] - meta: skip scheduled workflows on forks (Jamie Magee) #​63565
• [bc4c457eae] - meta: add additional gitignore entries (James M Snell) #​63267
• [e1d65d9509] - module: load ESM helpers eagerly in the snapshot (Joyee Cheung) #​63550
• [6a97b0932a] - quic: add proper error codes & messages for QUIC failures (Tim Perry) #​63198
• [5989f4a6e1] - quic: support hostname verification (James M Snell) #​63483
• [b4d30e7a78] - quic: add stream idle timeout (James M Snell) #​63483
• [8a1017f774] - quic: add block list support for endpoints (James M Snell) #​63483
• [5a3ab93c49] - quic: improve peer cert verification (James M Snell) #​63483
• [9701a82a78] - quic: handle h3 max header size option (James M Snell) #​63483
• [71788a2048] - quic: add rate limiting docs (James M Snell) #​63483
• [309bd49906] - quic: cache timestamp for address lru cache (James M Snell) #​63483
• [2ce5588d51] - quic: add session creation rate limiting (James M Snell) #​63483
• [98808baed1] - quic: refine rate limiting (James M Snell) #​63483
• [75a4176b32] - quic: flip preferred address policy default to 'ignore' (James M Snell) #​63483
• [8b6b03d60c] - quic: add doc note about certificate size limitations (James M Snell) #​63483
• [30eff873e0] - quic: add applicationOptions to session (James M Snell) #​63267
• [4303daa43c] - quic: add getters for local and remote transport parameters (James M Snell) #​63267
• [e1b1bb5465] - quic: improve recv coalescing test sizes (James M Snell) #​63267
• [25a416f457] - quic: add initial RTT option to session options (James M Snell) #​63267
• [22e91c357f] - quic: enable recvmmsg batching in Endpoint (James M Snell) #​63267
• [c96d8a9d9b] - quic: improve stream header collection performance (James M Snell) #​63267
• [409460f2ce] - quic: add reusePort option to QuicEndpoint (James M Snell) #​63267
• [9a2afffec9] - quic: coalesce received data into fewer buffers (James M Snell) #​63267
• [f9a6a2f558] - quic: apply multiple additional minor improvements (James M Snell) #​63267
• [ea5f3724ee] - quic: fix tests that are missing serverEndpoint close (James M Snell) #​63267
• [6cffc931fc] - quic: fixup some v8:: qualifiers (James M Snell) #​63267
• [9bc875e522] - quic: fix premature unref of endpoint when listening (James M Snell) #​63267
• [f940d6b1be] - quic: fixup UAFs in bindingdata, streams, and app (James M Snell) #​63267
• [fd00e0acb0] - quic: fix UAF in Application::OnTimeout() (James M Snell) #​63267
• [378dbf00e9] - quic: improve the quic js structure (James M Snell) #​63267
• [0045dc30b6] - quic: improve internal structure of QuicStream (James M Snell) #​63267
• [5e38946b26] - quic: add aliased struct arenas (James M Snell) #​63267
• [95430437a0] - quic: add handshake timeout and default connection limits (James M Snell) #​63267
• [5622701429] - quic: implement rate limiting for version nego and immediate close (James M Snell) #​63267
• [b171f391cd] - quic: fixup linting issue after other changes (James M Snell) #​63267
• [24e9f4f177] - quic: fix crash in early handshake failure (James M Snell) #​63267
• [5025e85d0a] - quic: eliminate per-received datagram allocation (James M Snell) #​63267
• [aec1e17ec5] - quic: cache the timestamp on send and receive (James M Snell) #​63267
• [9560084560] - quic: add support for future ECN marking (James M Snell) #​63267
• [2b3ff8ada2] - quic: improve batching of packet sending (James M Snell) #​63267
• [fe3639a4d6] - quic: improve backend quic packet processing (James M Snell) #​63267
• [f043013d9a] - src: remove TOCTOU race condition when encoding SAB-backed Buffers (Antoine du Hamel) #​63517
• [343958224d] - src: skip duplicate UTF-8 validation in TextDecoder fatal path (Mert Can Altin) #​63231
• [2906fa833d] - src: dispatch ToV8Value(string_view) via StringBytes::Encode (Mert Can Altin) #​63370
• [860f9d8d4b] - src: fix ContextifyContext property definer interception result (Chengzhong Wu) #​63549
• [fcccffcbe6] - src: fix crash when reading length on Storage.prototype (Mohamed Sayed) #​63529
• [55f65f9fb6] - src: improve token return value check (James M Snell) #​63483
• [7a36ca46cd] - src: expose node::RegisterContext to make a node managed context (Chengzhong Wu) #​62322
• [9bda92963c] - src,sqlite: only pass xFilter when user provided a callback (Antoine du Hamel) #​63516
• [563db50f38] - stream: switch to internal sleep binding (Antoine du Hamel) #​63611
• [a6e2322ee6] - stream: use data listener for compose forwarding (Trivikram Kamat) #​63593
• [7198895c6b] - stream: serialize concurrent share consumer reads (Trivikram Kamat) #​63478
• [70ba8be1d7] - stream: fix lint error (Antoine du Hamel) #​63598
• [1608d905a7] - stream: reject pending reads on iterator throw (Trivikram Kamat) #​63555
• [dc12b730d8] - stream: wait for push writer end fallback to drain (Trivikram Kamat) #​63503
• [4f40a85a1a] - stream: flush each fused stateless transform (Trivikram Kamat) #​63468
• [526e0fc427] - stream: avoid duplicate writes in toWritable (Trivikram Kamat) #​63360
• [0008d01f9c] - stream: propagate abort reason in share and broadcast (Trivikram Kamat) #​63358
• [217338e18b] - stream: fix Writable.toWeb() hang on synchronous drain (sangwook) #​61197
• [381f4b1b10] - stream: disallow writing string chunk with 'buffer' encoding (René) #​63062
• [cbee0de1cb] - stream: align Readable.toWeb termination with eos (ikeyan) #​62394
• [be91f0a927] - test: shorten path in net pipe connect errors (Matteo Collina) #​63405
• [83cada8bcc] - test: deflake test-debugger-probe-timeout (Joyee Cheung) #​63547
• [3560b96a10] - test: deflake test-webcrypto-crypto-job-mode (Filip Skokan) #​63543
• [0c9c52373a] - test: remove test-node-output-v8-warning (Joyee Cheung) #​63469
• [12052dbe14] - test: cover webcrypto prototype pollution systematically (Filip Skokan) #​63520
• [8c479f274a] - test: update test426-fixtures to 9b9e225 (Node.js GitHub Bot) #​63373
• [2ca32a5ee8] - test: update WPT for url to e4a4672 (Node.js GitHub Bot) #​63372
• [1bf875bd21] - test: deflake async-hooks statwatcher test (Trivikram Kamat) #​63396
• [97dbfa09f7] - test: avoid test_runner watch restart in spec snapshot (Trivikram Kamat) #​63392
• [8b038d7b33] - test: reduce watch mode restart flakiness (Trivikram Kamat) #​63390
• [f504c01d66] - test: get rid of unnecessary AbortController instanciations (Antoine du Hamel) #​63489
• [170585ff90] - test: isolate rerun-failures state file under tmpdir (Chemi Atlow) #​63449
• [935468a49e] - test: fixup quic tests (James M Snell) #​63267
• [fbbdfdcfc7] - test: wait for ok before initial break after restart (Yuya Inoue) #​62807
• [db808ad77d] - test: unskip snapshot reproducibility test (Joyee Cheung) #​63307
• [259d8b3dce] - test: update WPT for WebCryptoAPI to 97bbc72 (Node.js GitHub Bot) #​63417
• [d56c6cd708] - test_runner: ignore erased TS lines in coverage (Matteo Collina) #​63510
• [16015f1565] - test_runner: fix suite diagnostic chanel end (Moshe Atlow) #​63533
• [003b9ccbe9] - test_runner: dont buffer unordered events in process isolation mode (Moshe Atlow) #​63432
• [fdc4b5aed4] - test_runner: fix --test-rerun-failures swallowing failures on retry (Chemi Atlow) #​63431
• [6a0bd2f329] - test_runner: add parentId to test events with testId (Moshe Atlow) #​63435
• [a646c93254] - test_runner: show replayed-from-attempt hint in spec reporter (Moshe Atlow) #​63429
• [b1fa59cbb6] - test_runner: preserve run duration when using test-rerun (Moshe Atlow) #​63429
• [6ac7ff24ac] - tools: refine v8.nix source definition (Antoine du Hamel) #​63625
• [59c01b959f] - tools: add lint rule for aborted AbortController (Trivikram Kamat) #​63541
• [2ab034f6f9] - tools: bump @​node-core/doc-kit in /tools/doc in the doc group (dependabot[bot]) #​63494
• [a6af903e0a] - tools: bump brace-expansion from 5.0.5 to 5.0.6 in /tools/eslint (dependabot[bot]) #​63415
• [215cd543dd] - tools: skip commit-lint on backport pull requests (Marco) #​63378
• [0479f28e95] - tools: fix skip of test-internet on forks (Antoine du Hamel) #​63492
• [69dfadf785] - tools: mock some Python utils in v8.nix to reuse builds (Antoine du Hamel) #​63454
• [7b3e222cda] - util: remove unused functions (Antoine du Hamel) #​63612
• [5a1f67c27b] - util: create hex style cache and fast path (Guilherme Araújo) #​62999

v24.16.0: 2026-05-21, Version 24.16.0 'Krypton' (LTS), @​aduh95

Compare Source

Notable Changes

• [b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #​62553
• [ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #​62713
• [9705f628d9] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #​57775
• [40ccfdecf9] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #​62277
• [d7188af5c9] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #​63082
• [aa1d8a9afc] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #​62541
• [6f37f7e240] - (SEMVER-MINOR) stream: propagate destruction in duplexPair (Ahmed Elhor) #​61098
• [d14029be7f] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #​61747
• [d142c584cd] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #​62820
• [01a9552585] - (SEMVER-MINOR) test_runner: add mock-timers support for AbortSignal.timeout (DeveloperViraj) #​60751
• [00705a459a] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #​61556

Commits

• [dd72df060d] - assert,util: fix stale nested cycle memo entries (Ruben Bridgewater) #​62509
• [add94f4bc3] - build: track PDL files as inputs in inspector GN build (Robo) #​62888
• [1b1eb9e334] - build: remove redundant -fuse-linker-plugin from GCC LTO flags (Daniel Lando) #​62667
• [8752b604ec] - crypto: deduplicate and canonicalize CryptoKey usages (Filip Skokan) #​62902
• [341947e7fd] - crypto: reject unintended raw key format string input (Filip Skokan) #​62974
• [28a78747fc] - crypto: remove Argon2 KDF derivation from its job setup (Filip Skokan) #​62863
• [16e8c2b54d] - crypto: fix unsigned conversion of 4-byte RSA publicExponent (DeepView Autofix) #​62839
• [eeae754a87] - crypto: reject inherited key type names (Jonathan Lopes) #​62875
• [9dd5540325] - crypto: add memory tracking for secureContext openssl objects (Mert Can Altin) #​59051
• [b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #​62553
• [7597d204c1] - crypto: add support for Ed25519 context parameter (Filip Skokan) #​62474
• [4bf85845da] - debugger: move ProbeInspectorSession and helpers to separate files (Joyee Cheung) #​63013
• [ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #​62713
• [83e98f77b7] - deps: update corepack to 0.35.0 (Node.js GitHub Bot) #​63375
• [ec8c6b939a] - deps: V8: cherry-pick 657d8de (Guy Bedford) #​62784
• [722c0c3274] - deps: update nghttp3 to 1.14.0 (Node.js GitHub Bot) #​61187
• [5304db93d3] - deps: update nghttp3 to 1.13.1 (Node.js GitHub Bot) #​60046
• [e073b3811d] - deps: update nghttp3 to 1.11.0 (James M Snell) #​59249
• [1d00313fb2] - deps: update ngtcp2 to 1.14.0 (James M Snell) #​59249
• [8b3a4fc18f] - deps: update amaro to 1.1.9 (Node.js GitHub Bot) #​63090
• [62fe0cfcd1] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #​63045
• [137e09c8e9] - deps: update corepack to 0.34.7 (Node.js GitHub Bot) #​62810
• [14a4cb8fbc] - deps: update timezone to 2026b (Node.js GitHub Bot) #​62962
• [3e1036583a] - deps: upgrade npm to 11.13.0 (npm team) #​62898
• [01dfe5961c] - deps: cherry-pick libuv/libuv@439a54b (skooch) #​62881
• [6cd368b10c] - deps: update sqlite to 3.53.0 (Node.js GitHub Bot) #​62699
• [f218a4f553] - deps: update nbytes to 0.1.4 (Node.js GitHub Bot) #​62698
• [b47688524a] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [d202e2d343] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [2faba66341] - deps: update minimatch to 10.2.5 (Node.js GitHub Bot) #​62594
• [fa46c90c5d] - deps: update googletest to d72f9c8 (Node.js GitHub Bot) #​62593
• [099ded5713] - deps: update simdjson to 4.6.1 (Node.js GitHub Bot) #​62592
• [7ce95afe96] - deps: libuv: cherry-pick aabb765 (Santiago Gimeno) #​62561
• [57ef845623] - deps: update icu to 78.3 (Node.js GitHub Bot) #​62324
• [493ac40e12] - deps: update libuv to 1.52.1 (Node.js GitHub Bot) #​61829
• [b39508b368] - deps: update undici to 7.25.0 (Node.js GitHub Bot) #​63011
• [cb67a925e9] - deps: use npm undici@​seven tag in update-undici.sh (Matteo Collina) #​62739
• [aa1e0bc28b] - doc: fix typos and inconsistencies in crypto.md and webcrypto.md (Filip Skokan) #​62828
• [f2a1735ed9] - doc: fix duplicate word "to to" in util.styleText (Daijiro Wachi) #​62917
• [b6378e215c] - doc: fix node-config-schema (Сковорода Никита Андреевич) #​61596
• [233894a9ce] - doc: fix the TypeScript Execute (tsx) project link (David Thornton) #​63093
• [5d97919f8f] - doc: correct diagnostics_channel built-in channel names (Bryan English) #​62995
• [2a9ccc927e] - doc: use mjs/cjs blocks for callbackify null reason example (Daijiro Wachi) #​62884
• [ef413b5358] - doc: fix typo in test.md (Rich Trott) #​62960
• [76f21c5070] - doc: correct typo in PR contribution instructions (Mike McCready) #​62738
• [ca02af1f7d] - doc: fix duplicate word "of of" in postMessageToThread (Daijiro Wachi) #​62917
• [46c99ed526] - doc: fix duplicate word "for for" in compile cache (Daijiro Wachi) #​62917
• [1a60851734] - doc: fix typo in dns.lookup options description (Daijiro Wachi) #​62882
• [169b5ea2ed] - doc: fix Argon2 parameter bounds (Tobias Nießen) #​62868
• [9a3a190f4e] - doc: clarify diffieHellman.generateKeys recomputes same key (Kit Dallege) #​62205
• [0fba9e87d6] - doc: remove Ayase-252 and meixg from triagger team (Antoine du Hamel) #​62841
• [9c700f3446] - doc: clarify dns.lookup() callback signature when all is true (eungi) #​62800
• [6b7280bc17] - doc: add experimental modules lifetime policy (Paolo Insogna) #​62753
• [ce47ea31c9] - doc: clarify process._debugProcess() in Permission Model (Fahad Khan) #​62537
• [ba01633757] - doc: fix typo in devcontainer guide (Rohan Santhosh Kumar) #​62687
• [70b4d5839b] - doc: clarify Backport-PR-URL metadata added automatically (Mike McCready) #​62668
• [8126d1c3eb] - doc: update WPT test runner README.md (Filip Skokan) #​62680
• [978afea4b5] - doc: fix spelling in release announcement guidance (Rohan Santhosh Kumar) #​62663
• [1684ab8ff8] - doc: note non-monotonic clock in crypto.randomUUIDv7 (nabeel378) #​62600
• [86d4f07930] - doc: update bug bounty program (Rafael Gonzaga) #​62590
• [736ed8a08f] - doc: document TransformStream transformer.cancel option (Tom Pereira) #​62566
• [938af9be01] - doc: mention test runner retry attemp is zero based (Moshe Atlow) #​62504
• [94433e450f] - doc,src,test: fix dead inspector help URL (semimikoh) #​62745
• [ddf1f01659] - esm: add ERR_REQUIRE_ESM_RACE_CONDITION (Antoine du Hamel) #​62462
• [4a506acd16] - fs: add followSymlinks option to glob (Matteo Collina) #​62695
• [f4ea495f9b] - fs: restore fs patchability in ESM loader (Joyee Cheung) #​62835
• [63c111cd60] - fs: validate position argument before length === 0 early return (Edy Silva) #​62674
• [9705f628d9] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #​57775
• [40ccfdecf9] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #​62277
• [717476a24e] - http: emit 'drain' on OutgoingMessage only after buffers drain (Robert Nagy) #​62936
• [d7188af5c9] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #​63082
• [64f15c274a] - http: fix leaked error listener on sync HTTP req create + destroy (Tim Perry) #​62872
• [5c4798d799] - http: fix no_proxy leading-dot suffix matching (Daijiro Wachi) #​62333
• [9f3bc70ae5] - http: cleanup pipeline queue (Robert Nagy) #​62534
• [aa1d8a9afc] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #​62541
• [900dc758ff] - http2: expose writable stream state on compat response (T) #​63003
• [b3bfe35912] - inspector: coerce key and value to string in webstorage events (Ali Hassan) #​62616
• [3dc3fb6ad8] - inspector: return errors when CDP protocol event emission fails (Ryuhei Shima) #​62162
• [4f3f21bd7c] - inspector: auto collect webstorage data (Ryuhei Shima) #​62145
• [36cc04189d] - inspector: initial support storage inspection (Ryuhei Shima) #​61139
• [1718bc3b9b] - inspector: fix absolute URLs in network http (bugyaluwang) #​62955
• [97e32c7a74] - lib: avoid quadratic shift() in startup snapshot callback (Daijiro Wachi) #​62914
• [25d2e999de] - lib: harden kKeyOps lookup with null prototype (Filip Skokan) #​62877
• [37d3913c8f] - lib: short-circuit WebIDL BufferSource SAB check (Filip Skokan) #​62833
• [430c69d25f] - lib: use js-only implementation of isDataView() (René) #​62780
• [3ba0add6a0] - lib: fix lint in internal/webstreams/util.js (Filip Skokan) #​62806
• [9b95c41398] - lib: fix sequence argument handling in Blob constructor (Ms2ger) #​62179
• [314dacdbee] - lib: improve Web Cryptography key validation ordering (Filip Skokan) #​62749
• [3d18162430] - lib: reject SharedArrayBuffer in web APIs per spec (Ali Hassan) #​62632
• [ada3ce879d] - lib: defer AbortSignal.any() following (sangwook) #​62367
• [b2981ec7eb] - meta: bump actions/download-artifact from 8.0.0 to 8.0.1 (dependabot[bot]) #​62549
• [7cd20667b5] - meta: bump github/codeql-action from 4.35.1 to 4.35.3 (dependabot[bot]) #​63074
• [[91a07cfe9f](https://redirect.github.com/nodejs/node/commi

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Europe/Moscow)

• Branch creation
  • "after 10pm every weekday,before 5am every weekday,every weekend"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Thanks for the PR!

This section of the codebase is owner by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.

[github-actions]

Thanks for opening an issue! Make sure you've followed CONTRIBUTING.md.

[github-actions]

Hello from PR Helper

Is your PR ready for review and processing? Mark the PR ready by including #pr-ready in a comment.

If you still have work to do, even after marking this ready. Put the PR on hold by including #pr-onhold in a comment.

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: Prototype Pollution in npm lodash CVE: GHSA-jf85-cpcp-j695 Prototype Pollution in lodash (CRITICAL) Affected versions: < 4.17.12 Patched version: 4.17.12 From: ? → npm/dockerfile_lint@0.3.4 → npm/lodash@2.4.2 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash@2.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: ? → npm/entities@4.5.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: ? → npm/entities@6.0.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@6.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm js-yaml is 85.0% likely obfuscated Confidence: 0.85 Location: Package overview From: ? → npm/js-yaml@4.2.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report