2026-05-21, Version 24.16.0 'Krypton' (LTS) by github-actions[bot] · Pull Request #63263 · nodejs/node
Node.js 24 is using Undici 7 rather than the latest version. Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: #62739 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
PR-URL: #63011 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
PR-URL: #60854 Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com> Reviewed-By: Ilyas Shabi <ilyasshabi94@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
PR-URL: #61829 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
PR-URL: #62324 Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Signed-off-by: Filip Skokan <panva.ip@gmail.com> PR-URL: #62474 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
On AIX libc++ is returning `EEXIST` instead of `EACCES` when using `std::filesystem::remove_all()` without appropriate permissions to recursively remove the directory. Co-authored-by: Abdirahim Musse <abdirahim.musse@ibm.com> Signed-off-by: Richard Lau <richard.lau@ibm.com> PR-URL: #62788 Refs: #62790 Reviewed-By: Abdirahim Musse <abdirahim.musse@ibm.com> Reviewed-By: Stewart X Addison <sxa@redhat.com>
Expose `f_frsize` from libuv's `uv_statfs_t` as `statfs.frsize`. Per POSIX, `f_blocks`, `f_bfree`, and `f_bavail` are expressed in units of `f_frsize`, not `f_bsize`. On most filesystems the two values are typically equal, but some filesystem drivers report a different `f_bsize`, making it impossible to compute accurate disk usage without `frsize`. Refs: libuv/libuv#4983 PR-URL: #62277 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day>
PR-URL: #62504 Reviewed-By: Chemi Atlow <chemi@atlow.co.il> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com>
PR-URL: #62504 Reviewed-By: Chemi Atlow <chemi@atlow.co.il> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com>
We have dedicated requirements about memory leaks when triaging DoS. These applies in generall to all types of DoS, and many recent reports about DoS attack vectors fail to meet them, resulting in a lot of extra back-and-forth in triaging. Clarify in the threat model by expanding these requirements to all DoS. Drive-by: clarify criteria of documented JavaScript behavior is that they are included in ECMA262. Also use "Node.js application developer" instead of "user" the refer to the party being vulnerable to avoid confusion. PR-URL: #62505 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Beth Griggs <bethanyngriggs@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
PR-URL: #62523 Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Michaël Zasso <targos@protonmail.com>
Avoid registering AbortSignal.any() composites as dependants until they are actually observed. This fixes the long-lived source retention pattern from #62363 while preserving abort semantics through lazy refresh and follow paths. Also unregister fired timeout signals from the timeout finalization registry so timeout churn releases memory more promptly. PR-URL: #62367 Fixes: #62363 Refs: #54614 Reviewed-By: Edy Silva <edigleyssonsilva@gmail.com> Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
Apply suggestion from @jasnell PR-URL: #62510 Refs: nodejs/core-validate-commit#141 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Ruy Adorno <ruy@vlt.sh> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
When a socket with pipelined requests is destroyed then some requests will leak. PR-URL: #62534 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Add documentation for the `cancel` option of the `TransformStream` transformer, which allows users to specify a callback that will be called when the stream is canceled. See: https://streams.spec.whatwg.org/#transformer-api Fixes: #62540 PR-URL: #62566 Fixes: #62540 Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Original commit message: win: properly initialize OSVERSIONINFOW (#5107) Otherwise calling `RtlGetVersion()` might produce UB. Problem was causing random crashes in the node.js test suite with stack traces like this one: ``` node.exe!__report_gsfailure(unsigned __int64 stack_cookie) Line 220 at D:\a\_work\1\s\src\vctools\crt\vcstartup\src\gs\gs_report.c(220) ... ``` Fixes: libuv/libuv#5106 Refs: libuv/libuv@aabb765 PR-URL: #62561 Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
PR-URL: #62460 Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
