2024-04-24, Version 22.0.0 (Current), @RafaelGSS and @marco-ippolito

We're excited to announce the release of Node.js 22!
Highlights include require()ing ESM graphs, WebSocket client, updates of the V8 JavaScript engine, and more!
As a reminder, Node.js 22 will enter long-term support (LTS) in October, but until then, it will be the "Current" release for the next six months.
We encourage you to explore the new features and benefits offered by this latest release and evaluate their potential impact on your applications.

Other Notable Changes

• [25c79f3331] - esm: drop support for import assertions (Nicolò Ribaudo) #52104
• [818c10e86d] - lib: improve perf of AbortSignal creation (Raz Luvaton) #52408
• [4f68c7c1c9] - watch: mark as stable (Moshe Atlow) #52074
• [02b0bc01fe] - (SEMVER-MAJOR) deps: update V8 to 12.4.254.14 (Michaël Zasso) #52465
• [c975384264] - (SEMVER-MAJOR) lib: enable WebSocket by default (Aras Abbasi) #51594
• [1abff07392] - (SEMVER-MAJOR) stream: bump default highWaterMark (Robert Nagy) #52037
• [1a5acd0638] - (SEMVER-MAJOR) v8: enable maglev on supported architectures (Keyhan Vakil) #51360
• [128c60d906] - (SEMVER-MINOR) cli: implement node --run <script-in-package-json> (Yagiz Nizipli) #52190
• [151d365ad1] - (SEMVER-MINOR) fs: expose glob and globSync (Moshe Atlow) #51912
• [5f7fad2605] - (SEMVER-MINOR) module: support require()ing synchronous ESM graphs (Joyee Cheung) #51977

Semver-Major Commits

• [2b1e7c2fcb] - (SEMVER-MAJOR) build: compile with C++20 support on Windows (StefanStojanovic) #52465
• [12d00f1479] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Michaël Zasso) #52465
• [5f08e11a3c] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Michaël Zasso) #52293
• [94f0369d1d] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Michaël Zasso) #51362
• [58674cd1d8] - (SEMVER-MAJOR) build: reset embedder string to "-node.0" (Michaël Zasso) #50115
• [60e836427e] - (SEMVER-MAJOR) console: treat non-strings as separate argument in console.assert() (Jacob Hummer) #49722
• [d62ab3a1ef] - (SEMVER-MAJOR) crypto: runtime deprecate hmac constructor (Marco Ippolito) #52071
• [de0602d190] - (SEMVER-MAJOR) crypto: runtime deprecate Hash constructor (Marco Ippolito) #51880
• [215f4d04b7] - (SEMVER-MAJOR) crypto: move createCipher and createDecipher to eol (Marco Ippolito) #50973
• [30801b8aaf] - (SEMVER-MAJOR) deps: V8: cherry-pick cd10ad7cdbe5 (Joyee Cheung) #52465
• [521b629ab1] - (SEMVER-MAJOR) deps: V8: revert CL 5331688 (Michaël Zasso) #52465
• [3795e97e6c] - (SEMVER-MAJOR) deps: patch V8 to support compilation with MSVC (StefanStojanovic) #52465
• [5bde9e677d] - (SEMVER-MAJOR) deps: silence internal V8 deprecation warning (Michaël Zasso) #52465
• [46e628c6f2] - (SEMVER-MAJOR) deps: patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #52465
• [f824e40a82] - (SEMVER-MAJOR) deps: remove usage of a C++20 feature from V8 (Michaël Zasso) #52465
• [d2c84c9a13] - (SEMVER-MAJOR) deps: avoid compilation error with ASan (Michaël Zasso) #52465
• [95d6045bdb] - (SEMVER-MAJOR) deps: disable V8 concurrent sparkplug compilation (Michaël Zasso) #52465
• [00f55f5743] - (SEMVER-MAJOR) deps: silence irrelevant V8 warning (Michaël Zasso) #52465
• [764085aa66] - (SEMVER-MAJOR) deps: always define V8_EXPORT_PRIVATE as no-op (Michaël Zasso) #52465
• [02b0bc01fe] - (SEMVER-MAJOR) deps: update V8 to 12.4.254.14 (Michaël Zasso) #52465
• [0ec50a19dd] - (SEMVER-MAJOR) deps: V8: cherry-pick cd10ad7cdbe5 (Joyee Cheung) #52293
• [021b0b7dee] - (SEMVER-MAJOR) deps: V8: backport c4be0a97f981 (Richard Lau) #52293
• [681aaf85c7] - (SEMVER-MAJOR) deps: silence internal V8 deprecation warning (Michaël Zasso) #52293
• [c563a1c4e4] - (SEMVER-MAJOR) deps: patch V8 to support compilation with MSVC (Stefan Stojanovic) #52293
• [11e94b9987] - (SEMVER-MAJOR) deps: patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #52293
• [856163e23c] - (SEMVER-MAJOR) deps: remove usage of a C++20 feature from V8 (Michaël Zasso) #52293
• [b530214127] - (SEMVER-MAJOR) deps: avoid compilation error with ASan (Michaël Zasso) #52293
• [8054f69dd9] - (SEMVER-MAJOR) deps: disable V8 concurrent sparkplug compilation (Michaël Zasso) #52293
• [dee908be42] - (SEMVER-MAJOR) deps: silence irrelevant V8 warning (Michaël Zasso) #52293
• [cf069414ee] - (SEMVER-MAJOR) deps: always define V8_EXPORT_PRIVATE as no-op (Michaël Zasso) #52293
• [cc5792dd85] - (SEMVER-MAJOR) deps: update V8 to 12.3.219.16 (Michaël Zasso) #52293
• [61a0d3b4c4] - (SEMVER-MAJOR) deps: V8: backport c4be0a97f981 (Richard Lau) #51362
• [f55380a725] - (SEMVER-MAJOR) deps: V8: cherry-pick f8d5e576b814 (Richard Lau) #51362
• [b9d806a2dd] - (SEMVER-MAJOR) deps: patch V8 to support compilation with MSVC (StefanStojanovic) #51362
• [63b58bc17b] - (SEMVER-MAJOR) deps: patch V8 to avoid duplicated zlib symbol (Michaël Zasso) #51362
• [86056353c4] - (SEMVER-MAJOR) deps: remove usage of a C++20 feature from V8 (Michaël Zasso) #51362
• [[2e0efc1c8d](2e0efc1c8...

2024-04-10, Version 21.7.3 (Current), @RafaelGSS

This is a security release.

Notable Changes

• CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows

Commits

• [9095c914ed] - src: disallow direct .bat and .cmd file spawning (Ben Noordhuis) nodejs-private/node-private#562

2024-04-10, Version 20.12.2 'Iron' (LTS), @RafaelGSS

This is a security release.

Notable Changes

• CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows

Commits

• [69ffc6d50d] - src: disallow direct .bat and .cmd file spawning (Ben Noordhuis) nodejs-private/node-private#563

2024-04-10, Version 18.20.2 'Hydrogen' (LTS), @RafaelGSS

This is a security release.

Notable Changes

• CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows

Commits

• [6627222409] - src: disallow direct .bat and .cmd file spawning (Ben Noordhuis) nodejs-private/node-private#564

2024-04-03, Version 21.7.2 (Current), @RafaelGSS prepared by @marco-ippolito

This is a security release.

Notable changes

• CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
• CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation- (Medium)
• llhttp version 9.2.1
• undici version 6.11.1

Commits

• [3dfc10c851] - deps: update undici to 6.11.1 (Node.js GitHub Bot) #52328
• [aceea1c5e7] - deps: update undici to 6.10.2 (Node.js GitHub Bot) #52227
• [5f0f96b275] - deps: update llhttp to 9.2.0 (Node.js GitHub Bot) #51719
• [1a65e98e22] - http: do not allow OBS fold in headers by default (Paolo Insogna) nodejs-private/node-private#556
• [3bd39fb474] - src: ensure to close stream when destroying session (Anna Henningsen) nodejs-private/node-private#561

2024-04-03, Version 20.12.1 'Iron' (LTS), @RafaelGSS

This is a security release

Notable Changes

• CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
• CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
• llhttp version 9.2.1
• undici version 5.28.4

Commits

• [bd8f10a257] - deps: update undici to v5.28.4 (Matteo Collina) nodejs-private/node-private#576
• [5e34540a96] - http: do not allow OBS fold in headers by default (Paolo Insogna) nodejs-private/node-private#557
• [ba1ae6d188] - src: ensure to close stream when destroying session (Anna Henningsen) nodejs-private/node-private#561

2024-04-03, Version 18.20.1 'Hydrogen' (LTS), @RafaelGSS

This is a security release.

Notable Changes

• CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
• CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation - (Medium)
• llhttp version 9.2.1
• undici version 5.28.4

Commits

• [60d24938de] - deps: update undici to v5.28.4 (Matteo Collina) nodejs-private/node-private#577
• [5d4d5848cf] - http: do not allow OBS fold in headers by default (Paolo Insogna) nodejs-private/node-private#558
• [0fb816dbcc] - src: ensure to close stream when destroying session (Anna Henningsen) nodejs-private/node-private#561

2024-03-26, Version 20.12.0 'Iron' (LTS), @richardlau

Notable Changes

crypto: implement crypto.hash()

This patch introduces a helper crypto.hash() that computes
a digest from the input at one shot. This can be 1.2-2x faster
than the object-based createHash() for smaller inputs (<= 5MB)
that are readily available (not streamed) and incur less memory
overhead since no intermediate objects will be created.

const crypto = require('node:crypto');

// Hashing a string and return the result as a hex-encoded string.
const string = 'Node.js';
// 10b3493287f831e81a438811a1ffba01f8cec4b7
console.log(crypto.hash('sha1', string));

Contributed by Joyee Cheung in #51044.

Loading and parsing environment variables

• process.loadEnvFile(path):

  • Use this function to load the .env file. If no path is specified, it automatically loads the .env file in the current directory. Example: process.loadEnvFile().
  • Load a specific .env file by specifying its path. Example: process.loadEnvFile('./development.env').

• util.parseEnv(content):

  • Use this function to parse an existing string containing environment variable assignments.
  • Example usage: require('node:util').parseEnv('HELLO=world').

Contributed by Yagiz Nizipli in #51476.

New connection attempt events

Three new events were added in the net.createConnection flow:

• connectionAttempt: Emitted when a new connection attempt is established. In case of Happy Eyeballs, this might emitted multiple times.
• connectionAttemptFailed: Emitted when a connection attempt failed. In case of Happy Eyeballs, this might emitted multiple times.
• connectionAttemptTimeout: Emitted when a connection attempt timed out. In case of Happy Eyeballs, this will not be emitted for the last attempt. This is not emitted at all if Happy Eyeballs is not used.

Additionally, a previous bug has been fixed where a new connection attempt could have been started after a previous one failed and after the connection was destroyed by the user.
This led to a failed assertion.

Contributed by Paolo Insogna in #51045.

Permission Model changes

Node.js 20.12.0 comes with several fixes for the experimental permission model and two new semver-minor commits.
We're adding a new flag --allow-addons to enable addon usage when using the Permission Model.

$ node --experimental-permission --allow-addons

Contributed by Rafael Gonzaga in #51183

And relative paths are now supported through the --allow-fs-* flags.
Therefore, with this release one can use:

$ node --experimental-permission --allow-fs-read=./index.js

To give only read access to the entrypoint of the application.

Contributed by Rafael Gonzaga and Carlos Espa in #50758.

sea: support embedding assets

Users can now include assets by adding a key-path dictionary
to the configuration as the assets field. At build time, Node.js
would read the assets from the specified paths and bundle them into
the preparation blob. In the generated executable, users can retrieve
the assets using the sea.getAsset() and sea.getAssetAsBlob() API.

{
  "main": "/path/to/bundled/script.js",
  "output": "/path/to/write/the/generated/blob.blob",
  "assets": {
    "a.jpg": "/path/to/a.jpg",
    "b.txt": "/path/to/b.txt"
  }
}

The single-executable application can access the assets as follows:

const { getAsset } = require('node:sea');
// Returns a copy of the data in an ArrayBuffer
const image = getAsset('a.jpg');
// Returns a string decoded from the asset as UTF8.
const text = getAsset('b.txt', 'utf8');
// Returns a Blob containing the asset without copying.
const blob = getAssetAsBlob('a.jpg');

Contributed by Joyee Cheung in #50960.

Support configurable snapshot through --build-snapshot-config flag

We are adding a new flag --build-snapshot-config to configure snapshots through a custom JSON configuration file.

$ node --build-snapshot-config=/path/to/myconfig.json

When using this flag, additional script files provided on the command line will
not be executed and instead be interpreted as regular command line arguments.

These changes were contributed by Joyee Cheung and Anna Henningsen in #50453

Text Styling

• util.styleText(format, text): This function returns a formatted text considering the format passed.

A new API has been created to format text based on util.inspect.colors, enabling you to style text in different colors (such as red, blue, ...) and emphasis (italic, bold, ...).

const { styleText } = require('node:util');
const errorMessage = styleText('red', 'Error! Error!');
console.log(errorMessage);

Contributed by Rafael Gonzaga in #51850.

vm: support using the default loader to handle dynamic import()

This patch adds support for using vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER as the
importModuleDynamically option in all vm APIs that take this option except vm.SourceTextModule. This allows users to have a shortcut to support dynamic import() in the compiled code without missing the compilation cache if they don't need customization of the loading process. We emit an experimental warning when the import() is actually handled by the default loader through this option instead of requiring --experimental-vm-modules.

const { Script, constants } = require('node:vm');
const { resolve } = require('node:path');
const { writeFileSync } = require('node:fs');

// Write test.js and test.txt to the directory where the current script
// being run is located.
writeFileSync(resolve(__dirname, 'test.mjs'),
              'export const filename = "./test.json";');
writeFileSync(resolve(__dirname, 'test.json'),
              '{"hello": "world"}');

// Compile a script that loads test.mjs and then test.json
// as if the script is placed in the same directory.
const script = new Script(
  `(async function() {
    const { filename } = await import('./test.mjs');
    return import(filename, { with: { type: 'json' } })
  })();`,
  {
    filename: resolve(__dirname, 'test-with-default.js'),
    importModuleDynamically: constants.USE_MAIN_CONTEXT_DEFAULT_LOADER,
  });

// { default: { hello: 'world' } }
script.runInThisContext().then(console.log);

Contributed by Joyee Cheung in #51244.

Root certificates updated to NSS 3.98

Certificates added:

• Telekom Security TLS ECC Root 2020
• Telekom Security TLS RSA Root 2023

Certificates removed:

• Security Communication Root CA

Updated dependencies

• acorn updated to 8.11.3.
• ada updated to 2.7.6.
• base64 updated to 0.5.2.
• brotli updated to 1.1.0.
• c-ares updated to 1.27.0.
• corepack updated to 0.25.2.
• ICU updated to 74.2. Includes CLDR 44.1 and Unicode 15.1.
• nghttp2 updated to 1.60.0.
• npm updated to 10.5.0. Fixes a regression in signals not being passed onto child processes.
• simdutf8 updated to 4.0.8.
• Timezone updated to 2024a.
• zlib updated to 1.3.0.1-motley-40e35a7.

Other notable changes

• [4f49e9d000] - (SEMVER-MINOR) build: build opt to set local location of headers (Michael Dawson) #51525
• [ccdb01187b] - doc: add zcbenz to collaborators (Cheng Zhao) #51812
• [481af53aea] - doc: add lemire to collaborators (Daniel Lemire) #51572
• [5ba4d96525] - (SEMVER-MINOR) http2: add h2 compat support for appendHeader (Tim Perry) #51412
• [0861498e8b] - (SEMVER-MINOR) http2: add server handshake utility (snek) #51172
• [6b08d006ee] - (SEMVER-MINOR) http2: receive customsettings (Marten Richter) #51323
• [7894989bf0] - (SEMVER-MINOR) lib: move encodingsMap to internal/util (Joyee Cheung) #51044
• [a58c98ea85] - (SEMVER-MINOR) src: print string content better in BlobDeserializer (Joyee Cheung) #50960
• [c3c0a3ee5c] - (SEMVER-MINOR) src: support multi-line values for .env file (IlyasShabi) #51289
• [2a921966c6] - (SEMVER-MINOR) src: do not coerce dotenv paths (Tobias Nießen) #51425
• [0dee86f295] - (SEMVER-MINOR) src: support configurable snapshot (Joyee Cheung) #50453
• [ade6614067] - (SEMVER-MINOR) stream: add support for deflate-raw format to webstreams compression (Damian Krzeminski) #50097
• [[`...

2024-03-26, Version 18.20.0 'Hydrogen' (LTS), @richardlau

Notable Changes

Added support for import attributes

Support has been added for import attributes, to replace the old import
assertions syntax. This will aid migration by making the new syntax available
across all currently supported Node.js release lines.

This adds the with keyword which should be used in place of the previous
assert keyword, which will be removed in a future semver-major Node.js
release.

For example,

import "foo" assert { ... }

should be replaced with

import "foo" with { ... }

For more details, see

• #50134
• #51622

Contributed by Nicolò Ribaudo in #51136
and Antoine du Hamel in #50140.

Doc deprecation for dirent.path

Please use newly added dirent.parentPath instead.

Contributed by Antoine du Hamel in #50976
and #51020.

Experimental node-api feature flags

Introduces an experimental feature to segregate finalizers that affect GC state.
A new type called node_api_nogc_env has been introduced as the const version
of napi_env and node_api_nogc_finalize as a variant of napi_finalize that
accepts a node_api_nogc_env as its first argument.

This feature can be turned off by defining
NODE_API_EXPERIMENTAL_NOGC_ENV_OPT_OUT.

Contributed by Gabriel Schulhof in #50060.

Root certificates updated to NSS 3.98

Certificates added:

• Telekom Security TLS ECC Root 2020
• Telekom Security TLS RSA Root 2023

Certificates removed:

• Security Communication Root CA

Updated dependencies

• ada updated to 2.7.6.
• base64 updated to 0.5.2.
• c-ares updated to 1.27.0.
• corepack updated to 0.25.2.
• ICU updated to 74.2. Includes CLDR 44.1 and Unicode 15.1.
• npm updated to 10.5.0. Fixes a regression in signals not being passed onto child processes.
• simdutf8 updated to 4.0.8.
• Timezone updated to 2024a.
• zlib updated to 1.3.0.1-motley-40e35a7.

vm: fix V8 compilation cache support for vm.Script

Previously repeated compilation of the same source code using vm.Script
stopped hitting the V8 compilation cache after v16.x when support for
importModuleDynamically was added to vm.Script, resulting in a performance
regression that blocked users (in particular Jest users) from upgrading from
v16.x.

The recent fixes allow the compilation cache to be hit again
for vm.Script when --experimental-vm-modules is not used even in the
presence of the importModuleDynamically option, so that users affected by the
performance regression can now upgrade. Ongoing work is also being done to
enable compilation cache support for vm.CompileFunction.

Contributed by Joyee Cheung in #49950
and #50137.

Commits

• [c70383b8d4] - build: support Python 3.12 (Shi Pujin) #50209
• [4b960c3a4a] - build: fix incorrect g++ warning message (Richard Lau) #51695
• [8fdea67694] - crypto: update root certificates to NSS 3.98 (Node.js GitHub Bot) #51794
• [812b126dd9] - deps: V8: cherry-pick d90d4533b053 (Michaël Zasso) #50077
• [9ab8c3db87] - deps: update c-ares to 1.27.0 (Node.js GitHub Bot) #51846
• [c688680387] - deps: update c-ares to 1.26.0 (Node.js GitHub Bot) #51582
• [9498ac8a47] - deps: compile c-ares with C11 support (Michaël Zasso) #51410
• [8fb743642f] - deps: update c-ares to 1.25.0 (Node.js GitHub Bot) #51385
• [7bea2d7c12] - deps: update zlib to 1.3.0.1-motley-40e35a7 (Node.js GitHub Bot) #51274
• [57a38c8f75] - deps: update zlib to 1.3.0.1-motley-dd5fc13 (Node.js GitHub Bot) #51105
• [b0ca084a6b] - deps: update zlib to 1.3-22124f5 (Node.js GitHub Bot) #50910
• [4b43823f37] - deps: update zlib to 1.2.13.1-motley-5daffc7 (Node.js GitHub Bot) #50803
• [f0da591812] - deps: update zlib to 1.2.13.1-motley-dfc48fc (Node.js GitHub Bot) #50456
• [16d28a883a] - deps: update base64 to 0.5.2 (Node.js GitHub Bot) #51455
• [13a9e81cb6] - deps: update base64 to 0.5.1 (Node.js GitHub Bot) #50629
• [b4502d3ac5] - deps: update simdutf to 4.0.8 (Node.js GitHub Bot) #51000
• [183cf8a74a] - deps: update simdutf to 4.0.4 (Node.js GitHub Bot) #50772
• [11ba8593ea] - deps: update ada to 2.7.6 (Node.js GitHub Bot) #51542
• [73a946d55c] - deps: update ada to 2.7.5 (Node.js GitHub Bot) #51542
• [cc434c1a39] - deps: update ada to 2.7.4 (Node.js GitHub Bot) #50815
• [3a3808a6ae] - deps: upgrade npm to 10.5.0 (npm team) #51913
• [c8876d765c] - deps: upgrade npm to 10.3.0 (npm team) #51431
• [5aec3af460] - deps: update corepack to 0.25.2 (Node.js GitHub Bot) #51810
• [a593985326] - deps: update corepack to 0.24.1 (Node.js GitHub Bot) #51459
• [d1a9237bf5] - deps: update corepack to 0.24.0 (Node.js GitHub Bot) #51318
• [adac0c7a63] - deps: update corepack to 0.23.0 (Node.js GitHub Bot) #50563
• [4a6f83e32a] - deps: escape Python strings correctly (Michaël Zasso) #50695
• [c13969e52a] - deps: V8: cherry-pick ea996ad04a68 (Nicolò Ribaudo) #51136
• [6fbf0ba5c3] - deps: V8: cherry-pick a0fd3209dda8 (Nicolò Ribaudo) #51136
• [68fd7516e1] - deps: update timezone to 2024a (Michaël Zasso) #51723
• [f9b229ebe1] - deps: update icu to 74.2 (Michaël Zasso) #51723
• [90c73d2eb4] - deps: update timezone to 2023d (Node.js GitHub Bot) #51461
• [2a2bf57028] - deps: update icu to 74.1 (Node.js GitHub Bot) #50515
• [425e011e52] - deps: add v8::Object::SetInternalFieldForNodeCore() (Joyee Cheung) #49874
• [58c70344a2] - deps: V8: cherry-pick 705e374124ae (Joyee Cheung) #51004
• [b0e88899e1] - deps: V8: cherry-pick 1fada6b36f8d (Joyee Cheung) #51004
• [d87a810b81] - deps: V8: cherry-pick 3dd9576ce336 (Joyee Cheung) #51004
• [6d50966876] - deps: V8: cherry-pick 94e8282325a1 (Joyee Cheung) [#51004](https://githu...

2024-03-08, Version 21.7.1 (Current), @targos

Notable Changes

This release reverts #51389, which
landed in Node.js 21.7.0. It is a documented feature that t.after() hooks are
run even if a test has no subtests. The hook can be used to clean up the test
itself.

Commits

• [0dfe810ac7] - benchmark: update iterations of benchmark/async_hooks/async-local- (Lei Shi) #51420
• [625c9e0ac9] - benchmark: update iterations of benchmark/domain/domain-fn-args.js (Lei Shi) #51408
• [7ff3551bad] - build: fix arm64 host cross-compilation in GN (Cheng Zhao) #51903
• [fd86ea8b71] - Revert "build: workaround for node-core-utils" (Richard Lau) #51975
• [23c32ab3a7] - build: respect the NODE env variable in Makefile (Antoine du Hamel) #51743
• [9617adc064] - Revert "build: fix warning in cares under GN build" (Luigi Pinca) #51865
• [5864534095] - deps: update nghttp2 to 1.60.0 (Node.js GitHub Bot) #51948
• [fcf235d623] - doc: add policy for distribution (Geoffrey Booth) #51918
• [87d2acc8b1] - doc: fix actual result of example is different in events (Deokjin Kim) #51925
• [5908c121c6] - doc: clarify Corepack threat model (Antoine du Hamel) #51917
• [20e0ba3b94] - doc,module: clarify hook chain execution sequence (Jacob Smith) #51884
• [4d997971ac] - lib: make sure close net server (theanarkh) #51929
• [fcc6d54aa3] - lib: return directly if udp socket close before lookup (theanarkh) #51914
• [10aaabd158] - meta: bump github/codeql-action from 3.23.2 to 3.24.6 (dependabot[bot]) #51942
• [78f38a0143] - meta: bump actions/upload-artifact from 4.3.0 to 4.3.1 (dependabot[bot]) #51941
• [42ca5452c4] - meta: bump codecov/codecov-action from 4.0.1 to 4.1.0 (dependabot[bot]) #51940
• [015a157375] - meta: bump actions/cache from 4.0.0 to 4.0.1 (dependabot[bot]) #51939
• [e476cb4a32] - meta: bump actions/download-artifact from 4.1.1 to 4.1.3 (dependabot[bot]) #51938
• [67e8001790] - meta: bump actions/setup-node from 4.0.1 to 4.0.2 (dependabot[bot]) #51937
• [50343636e8] - src: fix --disable-single-executable-application (Joyee Cheung) #51808
• [a48c9ca0db] - stream: do not defer construction by one microtick (Matteo Collina) #52005
• [bee3b364f9] - test: add regression test for test_runner after hook (Colin Ihrig) #51998
• [fff7f48f50] - test: reduce flakiness of test-runner-output (Antoine du Hamel) #51952
• [57ba8f5acb] - test: fix flaky http-chunk-extensions-limit test (Ethan Arrowood) #51943
• [9d2c03990a] - test: remove flaky designation (Luigi Pinca) #51736
• [e992af81d3] - test: skip SEA tests when SEA generation fails (Joyee Cheung) #51887
• [85aa6ca850] - Revert "test_runner: do not invoke after hook when test is empty" (Colin Ihrig) #51998