2026-02-10, Version 24.13.1 'Krypton' (LTS) by github-actions[bot] · Pull Request #61661 · nodejs/node
and others added 30 commits
PR-URL: #60853 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
I know we can't fix the parts that are commit messages, but I believe the rest of the text is editable. Am I misremembering? PR-URL: #60855 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: #60692 Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
PR-URL: #60867 Reviewed-By: Deokjin Kim <deokjin81.kim@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: #60868 Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Deokjin Kim <deokjin81.kim@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Gerhard Stöbich <deb2001-github@yahoo.de> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
PR-URL: #60806 Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
PR-URL: #60875 Reviewed-By: Stewart X Addison <sxa@redhat.com> Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
If a user attempts to escape strings with quotes in SQLTagStore
template strings (`'${expression}'`), as is usually required for
SQL query strings, the queries would fail. This change shows an
example on the correct use (`${expression}`).
PR-URL: #60873
Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Add clarification that fileURLToPath() decodes encoded dot-segments (%2e%2e) which are normalized as path traversal. Applications must perform their own path validation to prevent directory traversal attacks. Also applies to fileURLToPathBuffer(). PR-URL: #60887 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
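A containment check of the kind the `fileURLToPath()` note above asks applications to perform, as an added example that is not code from the pull request or the Node.js project. `resolveInsideBase`, `BASE_DIR` and the `/srv/app/public` directory are hypothetical names, and the sample URLs are constructed.

```javascript
'use strict';
const path = require('node:path');
const { fileURLToPath, pathToFileURL } = require('node:url');

// Hypothetical directory the application is allowed to read from.
const BASE_DIR = path.resolve('/srv/app/public');

// Returns the absolute path for a file: URL only if it stays inside baseDir,
// otherwise null. The check is lexical; it does not resolve symlinks.
function resolveInsideBase(input, baseDir = BASE_DIR) {
  let url;
  try {
    url = new URL(input);
  } catch {
    return null; // not a parseable URL
  }
  if (url.protocol !== 'file:') return null;

  let candidate;
  try {
    // Encoded dot-segments such as %2e%2e have already been collapsed by
    // the time the path comes back, so the result may lie outside baseDir.
    candidate = path.resolve(fileURLToPath(url));
  } catch {
    return null; // fileURLToPath() rejects e.g. encoded path separators
  }

  const rel = path.relative(baseDir, candidate);
  const escapes =
    rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return escapes ? null : candidate;
}

// Constructed sample inputs.
const base = pathToFileURL(BASE_DIR).href;
const samples = [
  `${base}/css/site.css`,
  `${base}/%2e%2e/secret.txt`,
  `${base}/%2E%2e/%2e%2E/config.json`,
  'https://example.com/css/site.css',
];
for (const s of samples) {
  console.log(s, '->', resolveInsideBase(s));
}
```

Where symlinks inside the base directory are a concern, compare the results of `fs.realpathSync()` on both paths instead of the lexical paths.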
When decoding certificates from the system store, it's not actually guaranteed to succeed. In case the system returns a certificate that cannot be decoded (might be related to SSL implementation issues), skip them. PR-URL: #60787 Refs: microsoft/vscode#277064 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Aditi Singh <aditisingh1400@gmail.com> Reviewed-By: Tim Perry <pimterry@gmail.com>
The Node.js source tree already includes several V8 DEPS under `deps/v8/third_party` that are needed to build Node.js. Exclude these in `tools/v8/fetch_deps.py` to prevent "Conflicting directory" warnings when running the V8 CI. PR-URL: #60883 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
PR-URL: #60896 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Jason Zhang <xzha4350@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: #60898 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: #60899 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Edy Silva <edigleyssonsilva@gmail.com>
https://redirect.github.com/nodejs/node/pull/59856 had a typo/mistake in the skip conditions so that it is skipping when --use-openssl-ca or --openssl-system-ca-path (configure time) are NOT used, even though they should be skipped only when those ARE used (which is not the default for default builds). This change fixes that so that the perf numbers in that PR are true for the default build. PR-URL: #60764 Reviewed-By: Aditi Singh <aditisingh1400@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
PR-URL: #60872 Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
- Update all dependencies to their latest version and regenerate lock file.
- Fixup deprecated field of `@stylistic/eslint-plugin` config.
- Disable `assignmentOperator` indent rule (we are inconsistent, so there's no valid config for it).
- Disable jsdoc rules that we do not follow.
PR-URL: #60908 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Syntax for explicit resource management and import attributes syntax are supported without it. PR-URL: #60908 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
PR-URL: #60908 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
cjs example already has `zstd` as compression encoding. Refs: #52100 PR-URL: #60915 Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Matthew Aitken <maitken033380023@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
PR-URL: #60905 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
PR-URL: #60922 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ilyas Shabi <ilyasshabi94@gmail.com>
--- updated-dependencies: - dependency-name: peter-evans/create-pull-request dependency-version: 7.0.9 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> PR-URL: #60924 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: #61547 Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com>
PR-URL: #61547 Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com>
This is the same as the original change, minus the `process.emitWarning` calls and unit tests that expect the deprecation warnings, plus re-application of the fixes for CVE-2025-59465 and CVE-2026-21637. Original commit message: lib: deprecate _tls_common and _tls_wrap runtime deprecate the _tls_common and _tls_wrap modules, users should use just node:tls instead and internally internal/tls/common and internal/tls/wrap should be used instead PR-URL: #57643 Backport-PR-URL: #61044 Co-authored-by: Michaël Zasso <targos@protonmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
This prevents the server from crashing due to an unhandled rejection
when a TLSSocket connection is abruptly destroyed during initialization
and the user has not attached an error handler to the socket.
e.g:
```js
const server = http2.createSecureServer({ ... })
server.on('secureConnection', socket => {
  socket.on('error', err => {
    console.log(err)
  })
})
```
PR-URL: nodejs-private/node-private#750
Backport-PR-URL: #61044
Fixes: #44751
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=3262404
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
CVE-ID: CVE-2025-59465
Refs: #57643
Notable changes:

build:
  * add support for Python 3.14 (Christian Clauss) #59983
cli:
  * mark `--heapsnapshot-near-heap-limit` as stable (Joyee Cheung) #60956
crypto:
  * update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419
doc:
  * mark `--build-snapshot` and `--build-snapshot-config` as stable (Joyee Cheung) #60954
meta:
  * add avivkeller to collaborators (Aviv Keller) #61115
  * add gurgunday to collaborators (Gürgün Dayıoğlu) #61094
  * add Renegade334 to collaborators (Renegade334) #60714
url:
  * update ada to v3.4.2 and support unicode 17 (Yagiz Nizipli) #61593
v8:
  * mark `v8.queryObjects()` as stable (Joyee Cheung) #60957

PR-URL: #61661
aduh95 marked this pull request as ready for review
aduh95 deleted the v24.13.1-proposal branch
aduh95 added a commit that referenced this pull request
bgw mentioned this pull request