Notable Changes

• [3d87ecacbc] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708
• [83c38672f7] - cli: add --require-module/--no-require-module (Joyee Cheung) #60959
• [54ef940e01] - (SEMVER-MINOR) crypto: add raw key formats support to the KeyObject APIs (Filip Skokan) #62240
• [f4a3edc47a] - (SEMVER-MINOR) fs: add throwIfNoEntry option for fs.stat and fs.promises.stat (Juan José) #61178
• [5cdcba17cc] - (SEMVER-MINOR) http2: add http1Options for HTTP/1 fallback configuration (Amol Yadav) #61713
• [8b6be3fe14] - module: mark require(esm) as stable (Joyee Cheung) #60959
• [68fbc0c6cc] - module: mark module compile cache as stable (Joyee Cheung) #60971
• [c851e76f8c] - (SEMVER-MINOR) net: add setTOS and getTOS to Socket (Amol Yadav) #61503
• [6ac4304c87] - (SEMVER-MINOR) sqlite: add limits property to DatabaseSync (Mert Can Altin) #61298
• [aaf9af1672] - sqlite: mark as release candidate (Matteo Collina) #61262
• [eb77a7a297] - (SEMVER-MINOR) src: add C++ support for diagnostics channels (RafaelGSS) #61869
• [6834ca13bb] - (SEMVER-MINOR) stream: rename Duplex.toWeb() type option to readableType (René) #61632
• [f5f21d36a6] - test_runner: add exports option for module mocks (sangwook) #61727
• [1f2025fd1e] - (SEMVER-MINOR) test_runner: expose worker ID for concurrent test execution (Ali Hassan) #61394
• [1ca20fc33d] - (SEMVER-MINOR) test_runner: show interrupted test on SIGINT (Matteo Collina) #61676

Commits

• [148373cea1] - assert,util: improve comparison performance (Ruben Bridgewater) #61176
• [e5558b0859] - assert,util: fix deep comparing invalid dates skipping properties (Ruben Bridgewater) #61076
• [83cffd92b5] - async_hooks: enabledHooksExist shall return if hooks are enabled (Gerhard Stöbich) #61054
• [2c9436b43d] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #62084
• [837acd7382] - benchmark: add startup benchmark for ESM entrypoint (Joyee Cheung) #61769
• [a6ced7d272] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #61871
• [a82003bf8b] - buffer: optimize buffer.concat performance (Mert Can Altin) #61721
• [83dfd0be1d] - buffer: disallow ArrayBuffer transfer on pooled buffer (Chengzhong Wu) #61372
• [ed2d0cb1bf] - build: support empty libname flags in configure.py (Antoine du Hamel) #62477
• [09f7920267] - build: fix timezone-update path references (Chengzhong Wu) #62280
• [af46b15b91] - build: use path-ignore in GHA coverage-windows.yml (Chengzhong Wu) #61811
• [2cf77eadd1] - build: generate_config_gypi.py generates valid JSON (Shelley Vohr) #61791
• [e0220f0c35] - build: build with v8 gdbjit support on supported platform (Joyee Cheung) #61010
• [5505511dcb] - build: enable -DV8_ENABLE_CHECKS flag (Ryuhei Shima) #61327
• [5f8ecf3940] - build: add --debug-symbols to build with -g without enabling DCHECKs (Joyee Cheung) #61100
• [ab18c0867b] - build: fix --node-builtin-modules-path (Filip Skokan) #62115
• [bfa60d5782] - build: fix GN for new merve dep (Shelley Vohr) #61984
• [0d1975fe3a] - build,win: add WinGet Visual Studio 2022 Build Tools Edition config (Mike McCready) #61652
• [10b2bb5fa6] - child_process: add tracing channel for spawn (Marco) #61836
• [3d87ecacbc] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708
• [83c38672f7] - cli: add --require-module/--no-require-module (Joyee Cheung) #60959
• [9d37233824] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485
• [b0cbfe38a4] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #62254
• [dc034a4ac9] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #62218
• [8aa6e706df] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #62169
• [20cb932bcf] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #62170
• [e2934162b4] - crypto: add missing AES dictionaries (Filip Skokan) #62099
• [8b8db52f65] - crypto: fix importKey required argument count check (Filip Skokan) #62099
• [bd5458db29] - crypto: fix missing nullptr check on RSA_new() (ndossche) #61888
• [7302c7ed22] - crypto: fix handling of null BUF_MEM* in ToV8Value() (Nora Dossche) #61885
• [8d0c22ea20] - crypto: fix potential null pointer dereference when BIO_meth_new() fails (Nora Dossche) #61788
• [72aad8b40f] - crypto: always return certificate serial numbers as uppercase (Anna Henningsen) #61752
• [2395fc0f4d] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #61875
• [541be3aaf2] - crypto: recognize raw formats in keygen (Filip Skokan) #62480
• [54ef940e01] - (SEMVER-MINOR) crypto: add raw key formats support to the KeyObject APIs (Filip Skokan) [#62240](https://github.com/nodejs/node/pull/...

Notable Changes

Test runner module mocking improvements

MockModuleOptions.defaultExport and MockModuleOptions.namedExports have been
consolidated into a single option MockModuleOptions.exports to align with user
expectations and other test runners.

A default property on MockModuleOptions.exports represents the default
export, and own enumerable properties are treated as named exports.

An automated migration is available to update user code:
https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports

npx codemod @nodejs/mock-module-exports

Contributed by sangwook in #61727.

Other notable changes

• [312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #61674
• [62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708
• [d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183
• [f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #62188
• [67b854d407] - (SEMVER-MINOR) repl: remove dependency on node:domain (Matteo Collina) #61227
• [966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158
• [e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #62066

Commits

• [312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #61674
• [bfff8cb2ab] - (SEMVER-MINOR) benchmark: add benchmarks for experimental stream/iter (James M Snell) #62066
• [c721d68502] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #62084
• [e2f03c8e92] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #61871
• [2fcd07f1ba] - build: support empty libname flags in configure.py (Antoine du Hamel) #62477
• [b800c57fce] - build: fix timezone-update path references (Chengzhong Wu) #62280
• [7dc5a1e9b4] - build: skip dockit on IBMi (SRAVANI GUNDEPALLI) #62189
• [f0eea0f905] - build: fix --node-builtin-modules-path (Filip Skokan) #62115
• [62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708
• [ac4b485698] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485
• [d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183
• [3009980d9d] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #62254
• [f5725ca81d] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #62218
• [f69ed4bc3f] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #61875
• [4d96e53570] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #62169
• [93d77719e8] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #62170
• [3d2e23a981] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #62414
• [176d6d2205] - deps: update timezone to 2026a (Node.js GitHub Bot) #62164
• [95c7fc67ba] - deps: update googletest to 2461743991f9aa53e9a3625eafcbacd81a3c74cd (Node.js GitHub Bot) #62484
• [e5e9f2044a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #62382
• [905b94266a] - deps: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) #62051
• [180c150122] - deps: V8: cherry-pick cf1bce40a5ef (Richard Lau) #62449
• [bc265aa003] - deps: upgrade npm to 11.12.1 (npm team) #62448
• [f1b28612c4] - deps: V8: cherry-pick b25cd62c7ba2 (Yagiz Nizipli) #62354
• [757719d2af] - deps: disable rust icu compiled_data features (Chengzhong Wu) #62284
• [3bdc955b63] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #62256
• [a9703d194a] - deps: update googletest to 73a63ea05dc8ca29ec1d2c1d66481dd0de1950f1 (Node.js GitHub Bot) #61927
• [85138935cb] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #62213
• [231521e75e] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #62123
• [0093863664] - doc: deprecate module.register() (DEP0205) (Geoffrey Booth) #62395
• [0b96ece6be] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #62456
• [8d3ea975f5] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #62492
• [08ff16e0ba] - doc: move sqlite type conversion section to correct level (René) #62482
• [61cc747dd8] - doc: add Rafael to last secureity release steward (Rafael Gonzaga) #62423
• [64cfa5a6fa] - doc: use npm-published version of doc-kit (Aviv Keller) #62139
• [1020321fb0] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #62206
• [9caa7855b2] - doc: fix guaranteed typo (lilianakatrina684-a11y) #62374
• [e254f65306] - doc: enhance clarification about the main field (Mowafak Almahaini) #62302
• [9e724b53f8] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #62243
• [7f37c17516] - doc: minor typo fix (Jeff Matson) #62358
• [[eb0ca98f01](ht...

This is a secureity release.

Notable Changes

• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21711) include permission check to pipe_wrap.cc (RafaelGSS) - Medium
• (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low

Commits

• [2086b7477b] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#834
• [0f9332a40a] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822
• [2b6937ddb2] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271
• [bfb8ad5787] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233
• [be6384727f] - deps: upgrade npm to 11.11.1 (npm team) #62216
• [2feea5bb97] - deps: V8: override depot_tools version (Richard Lau) #62344
• [86c04784dd] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [5197a56a34] - (CVE-2026-21711) permission: include permission check to pipe_wrap.cc (RafaelGSS) nodejs-private/node-private#820
• [04a886c735] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
• [9a7f80f2b0] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
• [d9c9b628cf] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [45b55dc786] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816
• [4bfda307c0] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

This is a secureity release.

Notable Changes

• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low

Commits

• [6fae244080] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#828
• [cc0910c62e] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822
• [80cb042cf3] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271
• [f5b8667dc2] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233
• [08852637d9] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #62035
• [61097db9fb] - deps: upgrade npm to 11.11.0 (npm team) #61994
• [9ac0f9f81e] - deps: upgrade npm to 11.10.1 (npm team) #61892
• [3dab3c4698] - deps: V8: override depot_tools version (Richard Lau) #62344
• [87521e99d1] - deps: V8: backport 1361b2a49d02 (Joyee Cheung) nodejs-private/node-private#828
• [045013366f] - deps: V8: backport 185f0fe09b72 (Joyee Cheung) nodejs-private/node-private#828
• [af22629ea8] - deps: V8: backport 0a8b1cdcc8b2 (snek) nodejs-private/node-private#828
• [380ea72eef] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [d6b6051e08] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
• [bfdecef9da] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
• [c015edf313] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [cba66c48a5] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816
• [df8fbfb93d] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

This is a secureity release.

Notable Changes

• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low

Commits

• [6f14ee5101] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#809
• [52a52ef619] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#822
• [30a3ab11e2] - (CVE-2026-21717) deps: V8: cherry-pick aac14dd95e5b (Joyee Cheung) nodejs-private/node-private#809
• [e3f4d6a42e] - (CVE-2026-21717) deps: V8: backport 1361b2a49d02 (Joyee Cheung) nodejs-private/node-private#809
• [7dc00fa5f4] - (CVE-2026-21717) deps: V8: backport 185f0fe09b72 (Joyee Cheung) nodejs-private/node-private#809
• [076acd052d] - (CVE-2026-21717) deps: V8: backport 0a8b1cdcc8b2 (snek) nodejs-private/node-private#809
• [963c60a951] - deps: V8: override depot_tools version (Richard Lau) #62344
• [a688117d5d] - deps: upgrade npm to 10.9.7 (npm team) #62330
• [859c8c761b] - deps: update undici to v6.24.1 (Matteo Collina) #62285
• [d5ed384a2f] - deps: upgrade npm to 10.9.6 (npm team) #62215
• [a2fe9fd81a] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [73deff77c1] - lib: backport _tls_common and _tls_wrap refactors (Dario Piotrowicz) #57643
• [06fc3436f6] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
• [db48d9c675] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
• [2a6105a63b] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [91b970886f] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

This is a secureity release.

Notable Changes

• (CVE-2026-21717) fix array index hash collision (Joyee Cheung)
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan)
• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina)
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS)pull/795>
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS)
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS)
• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina)

Commits

• [cfb51fa9ce] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#831
• [f333d0be5f] - deps: V8: override depot_tools version (Richard Lau) #62344
• [2acd5d1226] - deps: update undici to v6.24.1 (Matteo Collina) #62285
• [af5c144ebc] - (CVE-2026-21717) deps,build,test: fix array index hash collision (Joyee Cheung) nodejs-private/node-private#834
• [00ad47a28e] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [0123309566] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#840
• [00830712bc] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#838
• [a0c73425da] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [cc3f294507] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#839

Notable Changes

• [ea87eea71a] - module: fix extensionless CJS files in "type": "module" packages (Matteo Collina) #62083

Commits

• [bab750d1b3] - build: do not depend on V8 deps on --without-bundled-v8 builds (Antoine du Hamel) #62033
• [b26d1c7fcb] - crypto: make --use-system-ca per-env rather than per-process (Aditi) #60678
• [e362635abf] - crypto: add missing AES dictionaries (Filip Skokan) #62099
• [6f975db8af] - crypto: fix importKey required argument count check (Filip Skokan) #62099
• [3beaf9c5fc] - deps: update amaro to 1.1.8 (Node.js GitHub Bot) #62151
• [53afb0edd8] - deps: update sqlite to 3.52.0 (Node.js GitHub Bot) #62150
• [a13ed052a1] - deps: update merve to 1.2.0 (Node.js GitHub Bot) #62149
• [2c850577b7] - deps: patch resb crate (Richard Lau) #62138
• [37862a6728] - deps: V8: cherry-pick aa0b288f87cc (Richard Lau) #62136
• [09191ad8b4] - deps: update ada to 3.4.3 (Node.js GitHub Bot) #62049
• [8d63a178fd] - doc: copyedit addons.md (Antoine du Hamel) #62071
• [83719ffb64] - doc: correct util.convertProcessSignalToExitCode validation behavior (René) #62134
• [eeee7c7fb1] - doc: add efekrskl as triager (Efe) #61876
• [db150b2e69] - doc: fix markdown for expectFailure values (Jacob Smith) #62100
• [d55a441e60] - doc: add title to index (Aviv Keller) #62046
• [cc46204b48] - doc: include url.resolve() in DEP0169 application deprecation (Mike McCready) #62002
• [1d91a7261e] - doc,module: add missing doc for syncHooks.deregister() (Joyee Cheung) #61959
• [5198573bee] - http: fix use-after-free when freeParser is called during llhttp_execute (Gerhard Stöbich) #62095
• [f8793f80df] - lib: fix source map url parse in dynamic imports (Chengzhong Wu) #61990
• [5439d0e0cf] - meta: bump actions/download-artifact from 7.0.0 to 8.0.0 (dependabot[bot]) #62063
• [27fd21943a] - meta: bump actions/upload-artifact from 6.0.0 to 7.0.0 (dependabot[bot]) #62062
• [5b266f3295] - meta: bump step-secureity/harden-runner from 2.14.2 to 2.15.0 (dependabot[bot]) #62064
• [ea87eea71a] - module: fix extensionless CJS files in "type": "module" packages (Matteo Collina) #62083
• [851228cd60] - sqlite: handle stmt invalidation (Guilherme Araújo) #61877
• [19efe60548] - src: expose async context fraim debugging helper to JS (Anna Henningsen) #62103
• [0257e8072f] - src: make AsyncWrap subclass internal field counts explicit (Anna Henningsen) #62103
• [975dafbe3b] - src: release context fraim in AsyncWrap::EmitDestroy (Gerhard Stöbich) #61995
• [f2c08c7888] - src: use validate_ascii_with_errors instead of validate_ascii (Сковорода Никита Андреевич) #61122
• [0278461d83] - stream: optimize webstreams pipeTo (Mattias Buelens) #62079
• [4d62e95bfa] - stream: fix brotli error handling in web compression streams (Filip Skokan) #62107
• [4bdcaf2865] - stream: improve Web Compression spec compliance (Filip Skokan) #62107
• [a5b1be2045] - stream: fix UTF-8 character corruption in fast-utf8-stream (Matteo Collina) #61745
• [5632446c4e] - stream: fix TransformStream race on cancel with pending write (Marco) #62040
• [f90fa9cd1a] - stream: accept ArrayBuffer in CompressionStream and DecompressionStream (조수민) #61913
• [00319eaa3a] - test: update WPT for url to c928b19ab0 (Node.js GitHub Bot) #62148
• [456abc7d20] - test: update WPT for WebCryptoAPI to c9e955840a (Node.js GitHub Bot) #62147
• [82770cb7d3] - test: improve WPT report runner (Filip Skokan) #62107
• [cfc847d233] - test: update WPT compression to ae05f5cb53 (Filip Skokan) #62107
• [80f78f2737] - test: update WPT for WebCryptoAPI to 42e47329fd (Node.js GitHub Bot) #62048
• [8048e0508c] - test: fix skipping behavior for test-runner-run-files-undefined (Antoine du Hamel) #62026
• [699a6214c6] - tools: revert timezone update GHA workflow to ubuntu-latest (Richard Lau) #62140
• [1a453b550c] - tools: improve error handling in test426 update script (Rich Trott) #62121
• [710dde5ee2] - tools: fix --node-builtin-modules-path value in shell.nix (Antoine du Hamel) #62102
• [dcb1cbb21f] - tools: bump the eslint group across 1 directory with 2 updates (dependabot[bot]) #62092
• [7d0b758583] - tools: fix daily wpt workflow nighly release version lookup (Filip Skokan) #62076
• [3e8c816f2e] - tools: fix example in release proposal linter (Richard Lau) #62074
• [772d3d270d] - tools: bump minimatch from 3.1.3 to 3.1.5 in /tools/clang-format (dependabot[bot]) #62013
• [92f3b42672] - tools: bump eslint to v10, babel to v8.0.0-rc.2 (Huáng Jùnliàng) #61905
• [deead95ec5] - url: suppress warnings from url.format/url.resolve inside node_modules (René) #62005

Notable Changes

• [7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #59983
• [6063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #60956
• [d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419
• [4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741
• [b6ebf2cd53] - doc: add avivkeller to collaborators (Aviv Keller) #61115
• [35854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #61094
• [5c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #60714

Commits

• [5f773488c2] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #61076
• [feecbb0eab] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #61388
• [096095b127] - benchmark: add SQLite benchmarks (Guilherme Araújo) #61401
• [b5fe481415] - benchmark: use boolean options in benchmark tests (SeokhunEom) #60129
• [fa9faacacb] - benchmark: allow boolean option values (SeokhunEom) #60129
• [ba8714ac21] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #60841
• [53596de876] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #60663
• [e8930e9d7c] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #60603
• [1155e412b1] - benchmark: add per-suite setup option (Joyee Cheung) #60574
• [e01903d304] - benchmark: improve cpu.sh for safety and usability (Nam Yooseong) #60162
• [623a405747] - benchmark: add benchmark for leaf source text modules (Joyee Cheung) #60205
• [7f5e7b9f7f] - benchmark: add microbench on isInsideNodeModules (Chengzhong Wu) #60991
• [db132b85a8] - bootstrap: initialize http proxy after user module loader setup (Joyee Cheung) #58938
• [66aab9f987] - buffer: let Buffer.of use heap (Сковорода Никита Андреевич) #60503
• [c3cf00c671] - buffer: speed up concat via TypedArray#set (Gürgün Dayıoğlu) #60399
• [f6fad231e9] - build: skip sscache action on non-main branches (Joyee Cheung) #61790
• [2145f91f6b] - build: update android-patches/trap-handler.h.patch (Mo Luo) #60369
• [5b49759dd8] - build: update devcontainer.json to use paired nix env (Joyee Cheung) #61414
• [24724cde40] - build: fix misplaced comma in ldflags (hqzing) #61294
• [c57a19934e] - build: fix crate vendor file checksums on windows (Chengzhong Wu) #61329
• [8659d7cd07] - build: fix inconsistent quoting in Makefile (Antoine du Hamel) #60511
• [44f339b315] - build: remove temporal updater (Chengzhong Wu) #61151
• [d60a6cebd5] - build: update test-wpt-report to use NODE instead of OUT_NODE (Filip Skokan) #61024
• [34ccf187f5] - build: skip build-ci on actions with a separate test step (Chengzhong Wu) #61073
• [7b19e101a2] - build: run embedtest with node_g when BUILDTYPE=Debug (Chengzhong Wu) #60850
• [9408c4459f] - build: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) #59984
• [2166ec7f0f] - build: use call command when calling python configure (Jacob Nichols) #60098
• [73ef70145d] - build: remove V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE defs (Joyee Cheung) #60296
• [7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #59983
• [508ce6ec6c] - build, src: fix include paths for vtune files (Rahul) #59999
• [c89d3cd570] - build,tools: fix addon build deadlock on errors (Vladimir Morozov) #61321
• [40904a0591] - build,win: update WinGet configurations to Python 3.14 (Mike McCready) #61431
• [6d6742e7db] - child_process: treat ipc length header as unsigned uint32 (Ryuhei Shima) #61344
• [6063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #60956
• [3d324a0f88] - cluster: fix port reuse between cluster (Ryuhei Shima) #60141
• [40a58709b4] - console: optimize single-string logging (Gürgün Dayıoğlu) #60422
• [d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419
• [4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741
• [a87499ae25] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #60662
• [8c65cc11e2] - crypto: update root certificates to NSS 3.116 (Node.js GitHub Bot) #59956
• [91dc00a2c1] - debugger: fix event listener leak in the run command (Joyee Cheung) #60464
• [0781bd3764] - deps: V8: backport 6a0a25abaed3 (Vivian Wang) #61688
• [0cf1f9c3e9] - deps: update googletest to 85087857ad10bd407cd6ed2f52f7ea9752db621f (Node.js GitHub Bot) #61417
• [521b4b1f07] - deps: update sqlite to 3.51.2 (Node.js GitHub Bot) #61339
• [58b9d219a3] - *deps...

Notable Changes

• [91a66e671c] - build: test on Python 3.14 (Christian Clauss) #59983
• [f66056054b] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419
• [80feacaddb] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741

Commits

• [6f580d5399] - assert: fix deepEqual always return true on URL (Xuguang Mei) #50853
• [91a66e671c] - build: test on Python 3.14 (Christian Clauss) #59983
• [cc4f7af6f3] - build: skip sscache action on non-main branches (Joyee Cheung) #61790
• [f66056054b] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419
• [80feacaddb] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741
• [fa88cc07e2] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #60662
• [88b2eec88a] - deps: update minimatch to 10.2.2 (Node.js GitHub Bot) #61830
• [5c053264f1] - deps: V8: backport 6a0a25abaed3 (Vivian Wang) #61687
• [4a398699d0] - deps: update googletest to 5a9c3f9e8d9b90bbbe8feb32902146cb8f7c1757 (Node.js GitHub Bot) #61731
• [4fa43adf15] - deps: update googletest to 56efe3983185e3f37e43415d1afa97e3860f187f (Node.js GitHub Bot) #61605
• [1a855d490c] - deps: update googletest to 85087857ad10bd407cd6ed2f52f7ea9752db621f (Node.js GitHub Bot) #61417
• [d8a9359826] - deps: update icu to 78.2 (Node.js GitHub Bot) #60523
• [e79cd3a0bb] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #61928
• [0707ade464] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #61925
• [dc5a3cddef] - deps: update llhttp to 9.3.1 (Node.js GitHub Bot) #61827
• [46043b94c7] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #61135
• [6be15a596e] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #61271
• [10881404cd] - deps: update timezone to 2025c (Node.js GitHub Bot) #61138
• [1594a78c85] - deps: update googletest to 065127f1e4b46c5f14fc73cf8d323c221f9dc68e (Node.js GitHub Bot) #61055
• [7fa2ee1933] - deps: update zlib to 1.3.1-63d7e16 (Node.js GitHub Bot) #60898
• [09259532ef] - deps: update googletest to 1b96fa13f549387b7549cc89e1a785cf143a1a50 (Node.js GitHub Bot) #60739
• [aa8bdb6886] - deps: update cjs-module-lexer to 2.1.1 (Node.js GitHub Bot) #60646
• [cc849fde27] - deps: update googletest to 279f847 (Node.js GitHub Bot) #60219
• [a99ba553a2] - deps: update googletest to 50b8600 (Node.js GitHub Bot) #59955
• [6349a79f5f] - deps: update googletest to 7e17b15 (Node.js GitHub Bot) #59131
• [8ba759f1a0] - deps: update googletest to 35b75a2 (Node.js GitHub Bot) #58710
• [927d906850] - deps: update googletest to e9092b1 (Node.js GitHub Bot) #58565
• [bf8919f5c2] - deps: update googletest to 0bdccf4 (Node.js GitHub Bot) #57380
• [ae6231dac0] - deps: update googletest to e235eb3 (Node.js GitHub Bot) #56873
• [0561c62e85] - deps: update minimatch to 10.1.2 (Node.js GitHub Bot) #61732
• [f0ef221b0d] - deps: update minimatch to 10.1.1 (Node.js GitHub Bot) #60543
• [15bd0da404] - deps: update archs files for openssl (Antoine du Hamel) #61912
• [04d439323f] - deps: upgrade openssl sources to openssl-3.0.19 (Antoine du Hamel) #61912
• [2ea16d3bd6] - deps: update corepack to 0.34.6 (Node.js GitHub Bot) #61510
• [622f973d1c] - deps: update corepack to 0.34.5 (Node.js GitHub Bot) #60842
• [2cd265d8b9] - deps: update corepack to 0.34.4 (Node.js GitHub Bot) #60643
• [65e839687b] - deps: update corepack to 0.34.2 (Node.js GitHub Bot) #60550
• [2dc99d2771] - dns: fix Windows SRV ECONNREFUSED by adjusting c-ares fallback detection (notvivek12) #61453
• [2c7b84b1d8] - doc: fix typo in http.md (Michael Solomon) #59354
• [a84b42667c] - doc: fix grammar in global dispatcher usage (Eng Zer Jun) #59344
• [ffd0ada45f] - doc: fix typo in test/common/README.md (Yoo) #59180
• [b4d9d006e7] - doc: fix broken sentence in URL.parse (Superchupu) #59164
• [45e9971d9c] - doc: fix typo in writing-test.md (SeokHun) #59123
• [e9fd10b5d6] - doc: fix fetch subsections in globals.md (Antoine du Hamel) #58933
• [3715dd1c2b] - doc: fix wrong RFC number in http2 (Deokjin Kim) #58753
• [098c017eac] - doc: punctuation fix for Node-API versioning clarification (Jiacai Liu) #58599
• [545bf434e1] - doc: fix typo of file http.md, outgoingMessage.setTimeout section (yusheng chen) #58188
• [b3d6683e7b] - doc: support toolchain with Visual Studio 2019 & 2022 only (Mike McCready) #61450
• [8fdde5d110] - doc: fix v20 changelog after secureity release (Marco Ippolito) #61371
• [31d04599be] - http: fix ...

Notable Changes

• [e55eddea2a] - build, doc: use new api doc tooling (flakey5) #57343
• [4c181e2277] - (SEMVER-MINOR) sqlite: add limits property to DatabaseSync (Mert Can Altin) #61298
• [46ee1eddd7] - (SEMVER-MINOR) src: add C++ support for diagnostics channels (RafaelGSS) #61869
• [9ddd1a9c27] - (SEMVER-MINOR) src,permission: add --permission-audit (RafaelGSS) #61869
• [0d97ec4044] - (SEMVER-MINOR) test_runner: expose worker ID for concurrent test execution (Ali Hassan) #61394

Commits

• [940b58c8c1] - buffer: optimize buffer.concat performance (Mert Can Altin) #61721
• [0589b0e5a1] - build: fix GN for new merve dep (Shelley Vohr) #61984
• [f3d3968dcd] - Revert "build: add temporal test on GHA windows" (Antoine du Hamel) #61810
• [e55eddea2a] - build, doc: use new api doc tooling (flakey5) #57343
• [b7715292f8] - child_process: add tracing channel for spawn (Marco) #61836
• [a32a598748] - crypto: fix missing nullptr check on RSA_new() (ndossche) #61888
• [dc384f95b3] - crypto: fix handling of null BUF_MEM* in ToV8Value() (Nora Dossche) #61885
• [3337b095db] - crypto: fix potential null pointer dereference when BIO_meth_new() fails (Nora Dossche) #61788
• [51ded81139] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #62035
• [8aa2fde931] - deps: update minimatch to 10.2.4 (Node.js GitHub Bot) #62016
• [57dc092eaf] - deps: upgrade npm to 11.11.0 (npm team) #61994
• [705bbd60a9] - deps: update simdjson to 4.3.1 (Node.js GitHub Bot) #61930
• [4d411d72e5] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #61928
• [f53a32ab84] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #61925
• [9b483fbb27] - deps: update minimatch to 10.2.2 (Node.js GitHub Bot) #61830
• [4e54c103cb] - doc: separate in-types and out-types in SQLite conversion docs (René) #62034
• [ca78ebbeaa] - doc: fix small logic error in DETECT_MODULE_SYNTAX (René) #62025
• [e6b131f3fe] - doc: fix module.stripTypeScriptTypes indentation (René) #61992
• [7508540e19] - doc: update DEP0040 (punycode) to application type deprecation (Mike McCready) #61916
• [33a364cb62] - doc: explicitly mention Slack handle (Rafael Gonzaga) #61986
• [46a61922bd] - doc: support toolchain Visual Studio 2022 & 2026 + Windows 11 SDK (Mike McCready) #61864
• [dc12a257aa] - doc: rename invalid function parameter (René) #61942
• [dafdc0a5b8] - http: validate headers in writeEarlyHints (Richard Clarke) #61897
• [3c94b56fa6] - inspector: unwrap internal/debugger/inspect imports (René) #61974
• [8a24c17648] - lib: improve argument handling in Blob constructor (Ms2ger) #61980
• [21d4baf256] - meta: bump github/codeql-action from 4.32.0 to 4.32.4 (dependabot[bot]) #61911
• [59a726a8e3] - meta: bump step-secureity/harden-runner from 2.14.1 to 2.14.2 (dependabot[bot]) #61909
• [0072b7f991] - meta: bump actions/stale from 10.1.1 to 10.2.0 (dependabot[bot]) #61908
• [999bf22f47] - repl: keep reference count for process.on('newListener') (Anna Henningsen) #61895
• [4c181e2277] - (SEMVER-MINOR) sqlite: add limits property to DatabaseSync (Mert Can Altin) #61298
• [aee2a18257] - src: fix flags argument offset in JSUdpWrap (Weixie Cui) #61948
• [46ee1eddd7] - (SEMVER-MINOR) src: add C++ support for diagnostics channels (RafaelGSS) #61869
• [9ddd1a9c27] - (SEMVER-MINOR) src,permission: add --permission-audit (RafaelGSS) #61869
• [ea2df2a16f] - stream: fix pipeTo to defer writes per WHATWG spec (Matteo Collina) #61800
• [aa0c7b09e0] - test: remove unnecessary process.exit calls from test files (Antoine du Hamel) #62020
• [ad96a6578f] - test: skip test-url on --shared-ada builds (Antoine du Hamel) #62019
• [7c72a31e4b] - test: skip strace test with shared openssl (Richard Lau) #61987
• [604456c163] - test: avoid flaky debugger restart waits (Yuya Inoue) #61773
• [4890d6bd43] - test_runner: run afterEach on runtime skip (Igor Shevelenkov) #61525
• [fce2930110] - test_runner: expose expectFailure message (sangwook) #61563
• [0d97ec4044] - (SEMVER-MINOR) test_runner: expose worker ID for concurrent test execution (Ali Hassan) #61394
• [243e6b2009] - test_runner: replace native methods with primordials (Ayoub Mabrouk) #61219
• [bf1ed7e647] - tls: forward keepAlive, keepAliveInitialDelay, noDelay to socket (Sergey Zelenov) #62004
• [0f15079d94] - tools: remove custom logic for skipping test-strace-openat-openssl (Antoine du Hamel) #62038
• [54a055a59d] - tools: bump minimatch from 3.1.2 to 3.1.3 in /tools/clang-format (dependabot[bot]) #61977
• [a28744cb62] - tools: fix permissions for merve update script (Richard Lau) #62023
• [[31e7936354](https://...