UNCLASSIFIED - NO CUI

Skip to content

Update node Docker tag to v23

POPs-renovate-tools_03Dec2024 requested to merge renovate/node-23.x into development

This MR contains the following updates:

Package Type Update Change
node ironbank-docker major 20.18.0-bookworm -> 23.1.0-bookworm
node stage major 20.18.0-bookworm -> 23.1.0-bookworm

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

Release Notes

nodejs/node (node)

v23.1.0: 2024-10-24, Version 23.1.0 (Current), @​aduh95

Compare Source

Notable Changes
Buffer now work with resizable ArrayBuffer

When a Buffer is created using a resizable ArrayBuffer, the Buffer length will now correctly change as the underlying ArrayBuffer size is changed.

const ab = new ArrayBuffer(10, { maxByteLength: 20 });
const buffer = Buffer.from(ab);
console.log(buffer.byteLength); 10
ab.resize(15);
console.log(buffer.byteLength); 15
ab.resize(5);
console.log(buffer.byteLength); 5

Contributed by James M Snell in #​55377.

MockTimers test runner API is now stable

MockTimers, introduced in April 2023, has just reached stable status. This API provides comprehensive support for mocking Date and all major timers in Node.js, including setTimeout, setInterval, and setImmediate, both from the node:timers, node:timers/promises modules and global objects. After months of refinement, developers can now fully rely on MockTimers for testing time-based operations with confidence, ensuring better control over asynchronous behavior in their Node.js applications.

Example usage with initial Date object as time set:

import { mock } from 'node:test';
mock.timers.enable({ apis: ['Date'], now: new Date('1970-01-01') });

Contributed by Erick Wendel in #​55398.

JSON modules and import attributes are now stable

The two proposals reached stage 4 of the TC39 process, at the October 2024 meeting. The Node.js implementation already matches exactly the semantics required by the proposals.

Contributed by Nicolò Ribaudo by #​55333.

Other Notable Changes
Commits

v23.0.0: 2024-10-16, Version 23.0.0 (Current), @​RafaelGSS

Compare Source

We’re excited to announce the release of Node.js 23! Key highlights include:

  • Enabling require(esm) by default for Node.js applications
  • Removing support for Windows 32-bit systems
  • Stabilizing the node --run command
  • Enhancements to the test runner, including glob pattern support for coverage files

Node.js 23 will replace Node.js 22 as the ‘Current’ release line when Node.js 22 enters long-term support (LTS) later this month. According to the release schedule, Node.js 23 will remain the ‘Current’ release for the next six months, until April 2025.

Other Notable Changes
Semver-Major Commits
Semver-Minor Commits
  • [90e3e5e173] - (SEMVER-MINOR) crypto: add KeyObject.prototype.toCryptoKey (Filip Skokan) #​55262
  • [29f31c6a76] - (SEMVER-MINOR) crypto: add Date fields for validTo and validFrom (Andrew Moon) #​54159
  • [83eb4f2855] - (SEMVER-MINOR) deps: V8: cherry-pick cd10ad7 (Joyee Cheung) #​52535
  • [6c6562ce8b] - (SEMVER-MINOR) http2: expose nghttp2_option_set_stream_reset_rate_limit as an option (Maël Nison) #​54875
  • [d473606040] - (SEMVER-MINOR) lib: propagate aborted state to dependent signals before firing events (jazelly) #​54826
  • [772b35bdc4] - (SEMVER-MINOR) module: support loading entrypoint as url (RedYetiDev) #​54933
  • [06206af181] - (SEMVER-MINOR) module: unflag --experimental-require-module (Joyee Cheung) #​55085
  • [0b9249e335] - (SEMVER-MINOR) module: implement the "module-sync" exports condition (Joyee Cheung) #​54648
  • [62383cd113] - (SEMVER-MINOR) module: implement flushCompileCache() (Joyee Cheung) #​54971
  • [4dfed556ba] - (SEMVER-MINOR) module: throw when invalid argument is passed to enableCompileCache() (Joyee Cheung) #​54971
  • [9a73aa0d15] - (SEMVER-MINOR) module: write compile cache to temporary file and then rename it (Joyee Cheung) #​54971
  • [92a25abca9] - (SEMVER-MINOR) path: add matchGlob method (Aviv Keller) #​52881
  • [b0f025208f] - (SEMVER-MINOR) process: add process.features.require_module (Joyee Cheung) #​55241
  • [bf11e5793b] - (SEMVER-MINOR) test_runner: support custom arguments in run() (Aviv Keller) #​55126
  • [059e08bb21] - (SEMVER-MINOR) test_runner: add 'test:summary' event (Colin Ihrig) #​54851
  • [f79fd03f41] - (SEMVER-MINOR) test_runner: add support for coverage via run() (Chemi Atlow) #​53937
  • [d2ad9b4fb6] - (SEMVER-MINOR) worker: add markAsUncloneable api (Jason Zhang) #​55234
Semver-Patch Commits

v22.11.0: 2024-10-29, Version 22.11.0 'Jod' (LTS), @​richardlau

Compare Source

Notable Changes

This release marks the transition of Node.js 22.x into Long Term Support (LTS) with the codename 'Jod'. The 22.x release line now moves into "Active LTS" and will remain so until October 2025. After that time, it will move into "Maintenance" until end of life in April 2027.

Other than updating metadata, such as the process.release object, to reflect that the release is LTS, no further changes from Node.js 22.10.0 are included.

OpenSSL 3.x

Official binaries for Node.js 22.x currently include OpenSSL 3.0.x (more specifically, the quictls OpenSSL fork). OpenSSL 3.0.x is the currently designated long term support version that is scheduled to be supported until 7th September 2026, which is within the expected lifetime of Node.js 22.x. We are expecting upstream OpenSSL to announce a successor long term support version prior to that date and since OpenSSL now follows a semantic versioning-like versioning scheme we expect to be able to update to the next long term supported version of OpenSSL during the lifetime of Node.js 22.x.

v22.10.0: 2024-10-16, Version 22.10.0 (Current), @​aduh95

Compare Source

Notable Changes
New "module-sync" exports condition

This release introduces a "module-sync" exports condition that's enabled when require(esm) is enabled, so packages can supply a synchronous ES module to the Node.js module loader, no matter if it's being required or imported. This is similar to the "module" condition that bundlers have been using to support require(esm) in Node.js, and allows dual-package authors to opt into ESM-first only on newer versions of Node.js that supports require(esm) to avoid the dual-package hazard.

{
  "type": "module",
  "exports": {
    "node": {
      // On new version of Node.js, both require() and import get
      // the ESM version
      "module-sync": "./index.js",
      // On older version of Node.js, where "module-sync" and require(esm) are
      // not supported, use the CJS version to avoid dual-package hazard.
      // When package authors think it's time to drop support for older versions of
      // Node.js, they can remove the exports conditions and just use "main": "index.js".
      "default": "./dist/index.cjs"
    },
    // On any other environment, use the ESM version.
    "default": "./index.js"
  }
}

Or if the package is only meant to be run on Node.js and wants to fallback to CJS on older versions that don't have require(esm):

{
  "type": "module",
  "exports": {
    // On new version of Node.js, both require() and import get the ESM version
    "module-sync": "./index.js",
    // On older version of Node.js, where "module-sync" and require(esm) are
    // not supported, use the CJS version to avoid dual-package hazard.
    // When package authors think it's time to drop support for older versions of
    // Node.js, they can remove the exports conditions and just use "main": "index.js".
    "default": "./dist/index.cjs"
  }
}

For package authors: this only serves as a feature-detection mechanism for packages that wish to support both CJS and ESM users during the period when some active Node.js LTS versions support require(esm) while some older ones don't. When all active Node.js LTS lines support require(esm), packages can simplify their distributions by bumping the major version, dropping their CJS exports, and removing the module-sync exports condition (with only main or default targetting the ESM exports). If the package needs to support both bundlers and being run unbundled on Node.js during the transition period, use both module-sync and module and point them to the same ESM file. If the package already doesn't want to support older versions of Node.js that doesn't support require(esm), don't use this export condition.

For bundlers/tools: they should avoid implementing this stop-gap condition. Most existing bundlers implement the de-facto bundler standard module exports condition, and that should be enough to support users who want to bundle ESM from CJS consumers. Users who want both bundlers and Node.js to recognize the ESM exports can use both module/module-sync conditions during the transition period, and can drop module-sync+module when they no longer need to support older versions of Node.js. If tools do want to support this condition, it's recommended to make the resolution rules in the graph pointed by this condition match the Node.js native ESM rules to avoid divergence.

We ended up implementing a condition with a different name instead of reusing "module", because existing code in the ecosystem using the "module" condition sometimes also expect the module resolution for these ESM files to work in CJS style, which is supported by bundlers, but the native Node.js loader has intentionally made ESM resolution different from CJS resolution (e.g. forbidding import './noext' or import './directory'), so it would be breaking to implement a "module" condition without implementing the forbidden ESM resolution rules. For now, this just implements a new condition as semver-minor so it can be backported to older LTS.

Contributed by Joyee Cheung in #​54648.

node --run is now stable

This CLI flag runs a specified command from a package.json's "scripts" object.

For the following package.json:

{
  "scripts": {
    "test": "node --test-reporter junit --test ./test"
  }
}

You can run node --run test and that would start the test suite.

Contributed by Yagiz Nizipli in #​53763.

Other notable changes
  • [f0b441230a] - (SEMVER-MINOR) crypto: add KeyObject.prototype.toCryptoKey (Filip Skokan) #​55262
  • [349d2ed07b] - (SEMVER-MINOR) crypto: add Date fields for validTo and validFrom (Andrew Moon) #​54159
  • [bebc95ed58] - doc: add abmusse to collaborators (Abdirahim Musse) #​55086
  • [914db60159] - (SEMVER-MINOR) http2: expose nghttp2_option_set_stream_reset_rate_limit as an option (Maël Nison) #​54875
  • [f7c3b03759] - (SEMVER-MINOR) lib: propagate aborted state to dependent signals before firing events (jazelly) #​54826
  • [32261fc98a] - (SEMVER-MINOR) module: support loading entrypoint as url (RedYetiDev) #​54933
  • [06957ff355] - (SEMVER-MINOR) module: implement flushCompileCache() (Joyee Cheung) #​54971
  • [2dcf70c347] - (SEMVER-MINOR) module: throw when invalid argument is passed to enableCompileCache() (Joyee Cheung) #​54971
  • [f9b19d7c44] - (SEMVER-MINOR) module: write compile cache to temporary file and then rename it (Joyee Cheung) #​54971
  • [e95163b170] - (SEMVER-MINOR) process: add process.features.require_module (Joyee Cheung) #​55241
  • [4050f68e5d] - (SEMVER-MINOR) process: add process.features.typescript (Aviv Keller) #​54295
  • [86f7cb802d] - (SEMVER-MINOR) test_runner: support custom arguments in run() (Aviv Keller) #​55126
  • [b62f2f8259] - (SEMVER-MINOR) test_runner: add 'test:summary' event (Colin Ihrig) #​54851
  • [d7c708aec5] - (SEMVER-MINOR) test_runner: add support for coverage via run() (Chemi Atlow) #​53937
  • [5fda4a1498] - (SEMVER-MINOR) worker: add markAsUncloneable api (Jason Zhang) #​55234
Commits

v22.9.0: 2024-09-17, Version 22.9.0 (Current), @​RafaelGSS

Compare Source

New API to retrieve execution Stack Trace

A new API getCallSite has been introduced to the util module. This API allows users to retrieve the stacktrace of the current execution. Example:

const util = require('node:util');

function exampleFunction() {
  const callSites = util.getCallSite();

  console.log('Call Sites:');
  callSites.forEach((callSite, index) => {
    console.log(`CallSite ${index + 1}:`);
    console.log(`Function Name: ${callSite.functionName}`);
    console.log(`Script Name: ${callSite.scriptName}`);
    console.log(`Line Number: ${callSite.lineNumber}`);
    console.log(`Column Number: ${callSite.column}`);
  });
  // CallSite 1:
  // Function Name: exampleFunction
  // Script Name: /home/example.js
  // Line Number: 5
  // Column Number: 26

  // CallSite 2:
  // Function Name: anotherFunction
  // Script Name: /home/example.js
  // Line Number: 22
  // Column Number: 3

  // ...
}

// A function to simulate another stack layer
function anotherFunction() {
  exampleFunction();
}

anotherFunction();

Thanks to Rafael Gonzaga for making this work on #​54380.

Disable V8 Maglev

We have seen several crashes/unexpected JS behaviors with maglev on v22 (which ships V8 v12.4). The bugs lie in the codegen so it would be difficult for users to work around them or even figure out where the bugs are coming from. Some bugs are fixed in the upstream while some others probably remain.

As v22 will get stuck with V8 v12.4 as LTS, it will be increasingly difficult to backport patches for them even if the bugs are fixed. So disable it by default on v22 to reduce the churn and troubles for users.

Thanks to Joyee Cheung for making this work on #​54384

Exposes X509_V_FLAG_PARTIAL_CHAIN to tls.createSecureContext

This releases introduces a new option to the API tls.createSecureContext. For now on users can use tls.createSecureContext({ allowPartialTrustChain: true }) to treat intermediate (non-self-signed) certificates in the trust CA certificate list as trusted.

Thanks to Anna Henningsen for making this work on #​54790

Other Notable Changes
  • [5c9599af5a] - src: create handle scope in FastInternalModuleStat (Joyee Cheung) #​54384
  • [e2307d87e8] - (SEMVER-MINOR) stream: relocate the status checking code in the onwritecomplete (YoonSoo_Shin) #​54032
Deprecations
  • [8433032948] - repl: doc-deprecate instantiating node:repl classes without new (Aviv Keller) #​54842
  • [8c4c85cf31] - zlib: deprecate instantiating classes without new (Yagiz Nizipli) #​54708
Commits

v22.8.0: 2024-09-03, Version 22.8.0 (Current), @​RafaelGSS

Compare Source

New JS API for compile cache

This release adds a new API module.enableCompileCache() that can be used to enable on-disk code caching of all modules loaded after this API is called. Previously this could only be enabled by the NODE_COMPILE_CACHE environment variable, so it could only set by end-users. This API allows tooling and library authors to enable caching of their own code. This is a built-in alternative to the v8-compile-cache/v8-compile-cache-lib packages, but have better performance and supports ESM.

Thanks to Joyee Cheung for working on this.

New option for vm.createContext() to create a context with a freezable globalThis

Node.js implements a flavor of vm.createContext() and friends that creates a context without contextifying its global object when vm.constants.DONT_CONTEXTIFY is used. This is suitable when users want to freeze the context (impossible when the global is contextified i.e. has interceptors installed) or speed up the global access if they don't need the interceptor behavior.

Thanks to Joyee Cheung for working on this.

Support for coverage thresholds

Node.js now supports requiring code coverage to meet a specific threshold before the process exits successfully. To use this feature, you need to enable the --experimental-test-coverage flag.

You can set thresholds for the following types of coverage:

  • Branch coverage: Use --test-coverage-branches=<threshold>
  • Function coverage: Use --test-coverage-functions=<threshold>
  • Line coverage: Use --test-coverage-lines=<threshold>

<threshold> should be an integer between 0 and 100. If an invalid value is provided, a TypeError will be thrown.

If the code coverage fails to meet the specified thresholds for any category, the process will exit with code 1.

For instance, to enforce a minimum of 80% line coverage and 60% branch coverage, you can run:

$ node --experimental-test-coverage --test-coverage-lines=80 --test-coverage-branches=60 example.js

Thanks Aviv Keller for working on this.

Other Notable Changes
  • [1f2cc2fa47] - (SEMVER-MINOR) src,lib: add performance.uvMetricsInfo (Rafael Gonzaga) #​54413
  • [1e01bdc0d0] - (SEMVER-MINOR) net: exclude ipv6 loopback addresses from server.listen (Giovanni Bucci) #​54264
  • [97fa075c2e] - (SEMVER-MINOR) test_runner: support running tests in process (Colin Ihrig) #​53927
  • [858b583c88] - (SEMVER-MINOR) test_runner: defer inheriting hooks until run() (Colin Ihrig) #​53927
Commits

v22.7.0: 2024-08-22, Version 22.7.0 (Current), @​RafaelGSS

Compare Source

Experimental transform types support

With the new flag --experimental-transform-types it is possible to enable the transformation of TypeScript-only syntax into JavaScript code.

This feature allows Node.js to support TypeScript syntax such as Enum and namespace.

Thanks to Marco Ippolito for making this work on #​54283.

Module syntax detection is now enabled by default.

Module syntax detection (the --experimental-detect-module flag) is now enabled by default. Use --no-experimental-detect-module to disable it if needed.

Syntax detection attempts to run ambiguous files as CommonJS, and if the module fails to parse as CommonJS due to ES module syntax, Node.js tries again and runs the file as an ES module. Ambiguous files are those with a .js or no extension, where the nearest parent package.json has no "type" field (either "type": "module" or "type": "commonjs"). Syntax detection should have no performance impact on CommonJS modules, but it incurs a slight performance penalty for ES modules; add "type": "module" to the nearest parent package.json file to eliminate the performance cost. A use case unlocked by this feature is the ability to use ES module syntax in extensionless scripts with no nearby package.json.

Thanks to Geoffrey Booth for making this work on #​53619.

Performance Improvements to Buffer

Performance of Node.js Buffers have been optimized through multiple MR's with significant improvements to the Buffer.copy and Buffer.write methods. These are used throughout the codebase and should give a nice boost across the board.

Thanks to Robert Nagy for making this work on #​54311, #​54324, and #​54087.

Other Notable Changes
  • [911de7dd6d] - (SEMVER-MINOR) inspector: support Network.loadingFailed event (Kohei Ueno) #​54246
  • [9ee4b16bd8] - (SEMVER-MINOR) lib: rewrite AsyncLocalStorage without async_hooks (Stephen Belanger) #​48528
Commits

v22.6.0: 2024-08-06, Version 22.6.0 (Current), @​RafaelGSS

Compare Source

Experimental TypeScript support via strip types

Node.js introduces the --experimental-strip-types flag for initial TypeScript support. This feature strips type annotations from .ts files, allowing them to run without transforming TypeScript-specific syntax. Current limitations include:

  • Supports only inline type annotations, not features like enums or namespaces.
  • Requires explicit file extensions in import and require statements.
  • Enforces the use of the type keyword for type imports to avoid runtime errors.
  • Disabled for TypeScript in node_modules by default.

Thanks Marco Ippolito for working on this.

Experimental Network Inspection Support in Node.js

This update introduces the initial support for network inspection in Node.js. Currently, this is an experimental feature, so you need to enable it using the --experimental-network-inspection flag. With this feature enabled, you can inspect network activities occurring within a JavaScript application.

To use network inspection, start your Node.js application with the following command:

$ node --inspect-wait --experimental-network-inspection index.js

Please note that the network inspection capabilities are in active development. We are actively working on enhancing this feature and will continue to expand its functionality in future updates.

Thanks Kohei Ueno for working on this.

Other Notable Changes
Commits

v22.5.1: 2024-07-19, Version 22.5.1 (Current), @​richardlau

Compare Source

Notable Changes

This release fixes a regression introduced in Node.js 22.5.0. The problem is known to display the following symptoms:

  • Crash with FATAL ERROR: v8::Object::GetCreationContextChecked No creation context available #​53902
  • npm errors with npm error Exit handler never called! npm/cli#7657
  • yarn hangs or outputs Usage Error: Couldn't find the node_modules state file - running an install might help (findPackageLocation) yarnpkg/berry#6398
Commits

v22.5.0: 2024-07-17, Version 22.5.0 (Current), @​RafaelGSS prepared by @​aduh95

Compare Source

Notable Changes
Commits

v22.4.1: 2024-07-08, Version 22.4.1 (Current), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes
  • CVE-2024-36138 - Bypass incomplete fix of CVE-2024-27980 (High)
  • CVE-2024-22020 - Bypass network import restriction via data URL (Medium)
  • CVE-2024-22018 - fs.lstat bypasses permission model (Low)
  • CVE-2024-36137 - fs.fchown/fchmod bypasses permission model (Low)
  • CVE-2024-37372 - Permission model improperly processes UNC paths (Low)
Commits

v22.4.0: 2024-07-02, Version 22.4.0 (Current), @​targos

Compare Source

Notable Changes
Experimental Web Storage API
  • [9e30724b53] - (SEMVER-MINOR) deps,lib,src: add experimental web storage (Colin Ihrig) #​52435
API stability updates
Other Notable Changes
  • [df4762722c] - doc: doc-only deprecate OpenSSL engine-based APIs (Richard Lau) #​53329
  • [ad5282e196] - inspector: fix disable async hooks on Debugger.setAsyncCallStackDepth (Joyee Cheung) #​53473
  • [e95af740fc] - (SEMVER-MINOR) lib: add diagnostics_channel events to module loading (RafaelGSS) #​44340
  • [50733a1abe] - (SEMVER-MINOR) util: support --no- for argument with boolean type for parseArgs (Zhenwei Jin) #​53107
Commits

v22.3.0: 2024-06-11, Version 22.3.0 (Current), @​RafaelGSS

Compare Source

Notable Changes
Commits

v22.2.0: 2024-05-15, Version 22.2.0 (Current), @​targos

Compare Source

Notable Changes
  • [fb85d38e80] - (SEMVER-MINOR) cli: allow running wasm in limited vmem with --disable-wasm-trap-handler (Joyee Cheung) #​52766
  • [23a0d3339f] - doc: add pimterry to collaborators (Tim Perry) #​52874
  • [7d7a762156] - (SEMVER-MINOR) fs: allow 'withFileTypes' to be used with globs (Aviv Keller) #​52837
  • [8748dd6477] - (SEMVER-MINOR) inspector: introduce the --inspect-wait flag (Kohei Ueno) #​52734
  • [9a7ae9b6c4] - lib,src: remove --experimental-policy (Rafael Gonzaga) #​52583
  • [1f7c2a93fc] - (SEMVER-MINOR) perf_hooks: add deliveryType and responseStatus fields (Matthew Aitken) #​51589
  • [2f59529dc5] - (SEMVER-MINOR) test_runner: support test plans (Colin Ihrig) #​52860
  • [6b4dac3eb5] - (SEMVER-MINOR) zlib: expose zlib.crc32() (Joyee Cheung) #​52692
Commits

v22.1.0: 2024-05-02, Version 22.1.0 (Current), @​targos prepared by @​aduh95

Compare Source

module: implement NODE_COMPILE_CACHE for automatic on-disk code caching

This patch implements automatic on-disk code caching that can be enabled via an environment variable NODE_COMPILE_CACHE=/path/to/cache/dir.

When set, whenever Node.js compiles a CommonJS or a ECMAScript Module, it will use on-disk V8 code cache persisted in the specified directory to speed up the compilation. This may slow down the first load of a module graph, but subsequent loads of the same module graph may get a significant speedup if the contents of the modules do not change. Locally, this speeds up loading of test/fixtures/snapshot/typescript.js from ~130ms to ~80ms.

To clean up the generated code cache, simply remove the directory. It will be recreated the next time the same directory is used for NODE_COMPILE_CACHE.

Compilation cache generated by one version of Node.js may not be used by a different version of Node.js. Cache generated by different versions of Node.js will be stored separately if the same directory is used to persist the cache, so they can co-exist.

Caveat: currently when using this with V8 JavaScript code coverage, the coverage being collected by V8 may be less precise in functions that are deserialized from the code cache. It's recommended to turn this off when running tests to generate precise coverage.

Contributed by Joyee Cheung in #​52535.

Other Notable Changes
  • [44ee04cf9f] - buffer: improve base64 and base64url performance (Yagiz Nizipli) #​52428
  • [3c37ce5710] - (SEMVER-MINOR) dns: add order option and support ipv6first (Paolo Insogna) #​52492
  • [3026401be1] - events,doc: mark CustomEvent as stable (Daeyeon Jeong) #​52618
  • [64428dc1c9] - (SEMVER-MINOR) lib, url: add a windows option to path parsing (Aviv Keller) #​52509
  • [d79ae74f71] - (SEMVER-MINOR) net: add CLI option for autoSelectFamilyAttemptTimeout (Paolo Insogna) #​52474
  • [43fa6a1a45] - (SEMVER-MINOR) src: add string_view overload to snapshot FromBlob (Anna Henningsen) #​52595
  • [c6fe433d42] - src,permission: throw async errors on async APIs (Rafael Gonzaga) #​52730
  • [e247a61d15] - (SEMVER-MINOR) test_runner: add --test-skip-pattern cli option (Aviv Keller) #​52529
  • [9b18df9dcb] - (SEMVER-MINOR) url: implement parse method for safer URL parsing (Ali Hassan) #​52280
Commits

v22.0.0: 2024-04-24, Version 22.0.0 (Current), @​RafaelGSS and @​marco-ippolito

Compare Source

We're excited to announce the release of Node.js 22! Highlights include require()ing ESM graphs, WebSocket client, updates of the V8 JavaScript engine, and more! As a reminder, Node.js 22 will enter long-term support (LTS) in October, but until then, it will be the "Current" release for the next six months. We encourage you to explore the new features and benefits offered by this latest release and evaluate their potential impact on your applications.

Other Notable Changes
Semver-Major Commits
Semver-Minor Commits
  • [128c60d906] - (SEMVER-MINOR) cli: implement node --run <script-in-package-json> (Yagiz Nizipli) #​52190
  • [f69946b905] - (SEMVER-MINOR) deps: update simdutf to 5.0.0 (Daniel Lemire) #​52138
  • [828ad42eee] - (SEMVER-MINOR) deps: update undici to 6.3.0 (Node.js GitHub Bot) #​51462
  • [05f8172188] - (SEMVER-MINOR) deps: update undici to 6.2.1 (Node.js GitHub Bot) #​51278
  • [a0c466810a] - (SEMVER-MINOR) doc: deprecate fs.Stats public constructor (Marco Ippolito) #​51879
  • [151d365ad1] - (SEMVER-MINOR) fs: expose glob and globSync (Moshe Atlow) #​51912
  • [5f7fad2605] - (SEMVER-MINOR) module: support require()ing synchronous ESM graphs (Joyee Cheung) #​51977
  • [009665fb56] - (SEMVER-MINOR) report: add --report-exclude-network option (Ethan Arrowood) #​51645
  • [80f86e5d02] - (SEMVER-MINOR) src: add C++ ProcessEmitWarningSync() (Joyee Cheung) #​51977
  • [78be0d0f1c] - (SEMVER-MINOR) src: add uv_get_available_memory to report and process (theanarkh) #​52023
  • [b34512e38e] - (SEMVER-MINOR) src: preload function for Environment (Cheng Zhao) #​51539
  • [7d258db1d7] - (SEMVER-MINOR) stream: support typed arrays (IlyasShabi) #​51866
  • [5276c0d5d4] - (SEMVER-MINOR) test_runner: add suite() (Colin Ihrig) #​52127
  • [84de97a61e] - (SEMVER-MINOR) test_runner: support forced exit (Colin Ihrig) #​52038
  • [aac5ad901d] - (SEMVER-MINOR) test_runner: add test:complete event to reflect execution order (Moshe Atlow) #​51909
  • [9a1e01c4ce] - (SEMVER-MINOR) util: support array of formats in util.styleText (Marco Ippolito) #​52040
  • [7f2d61f82a] - (SEMVER-MINOR) v8: implement v8.queryObjects() for memory leak regression testing (Joyee Cheung) #​51927
  • [d1d5da22e4] - (SEMVER-MINOR) vm: harden module type checks (Chengzhong Wu) #​52162
Semver-Patch Commits

v21.7.3: 2024-04-10, Version 21.7.3 (Current), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes
  • CVE-2024-27980 - Command injection via args parameter of child_process.spawn without shell option enabled on Windows
Commits

v21.7.2: 2024-04-03, Version 21.7.2 (Current), @​RafaelGSS prepared by @​marco-ippolito

Compare Source

This is a security release.

Notable changes
  • CVE-2024-27983 - Assertion failed in node::http2::Http2Session::~Http2Session() leads to HTTP/2 server crash- (High)
  • CVE-2024-27982 - HTTP Request Smuggling via Content Length Obfuscation- (Medium)
  • llhttp version 9.2.1
  • undici version 6.11.1
Commits

v21.7.1: 2024-03-08, Version 21.7.1 (Current), @​targos

Compare Source

Notable Changes

This release reverts #​51389, which landed in Node.js 21.7.0. It is a documented feature that t.after() hooks are run even if a test has no subtests. The hook can be used to clean up the test itself.

Commits

v21.7.0: 2024-03-06, Version 21.7.0 (Current), @​RafaelGSS prepared by @​marco-ippolito

Compare Source

Text Styling
  • util.styleText(format, text): This function returns a formatted text considering the format passed.

A new API has been created to format text based on util.inspect.colors, enabling you to style text in different colors (such as red, blue, ...) and emphasis (italic, bold, ...).

const { styleText } = require('node:util');
const errorMessage = styleText('red', 'Error! Error!');
console.log(errorMessage);

Contributed by Rafael Gonzaga and Hemanth HM in #​51850.

Loading and parsing environment variables

  • process.loadEnvFile(path):

    • Use this function to load the .env file. If no path is specified, it automatically loads the .env file in the current directory. Example: process.loadEnvFile().
    • Load a specific .env file by specifying its path. Example: process.loadEnvFile('./development.env').

  • util.parseEnv(content):

    • Use this function to parse an existing string containing environment variable assignments.
    • Example usage: require('node:util').parseEnv('HELLO=world').

Contributed by Yagiz Nizipli in #​51476

Support for multi-line values for .env file

Node.js 21.7.0 will now support multi-line values in the .env file:

MULTI_LINE="HELLO
WORLD"

Contributed by Ilyas Shabi #​51289

sea: support embedding assets

Users can now include assets by adding a key-path dictionary to the configuration as the assets field. At build time, Node.js would read the assets from the specified paths and bundle them into the preparation blob. In the generated executable, users can retrieve the assets using the sea.getAsset() and sea.getAssetAsBlob() API.

{
  "main": "/path/to/bundled/script.js",
  "output": "/path/to/write/the/generated/blob.blob",
  "assets": {
    "a.jpg": "/path/to/a.jpg",
    "b.txt": "/path/to/b.txt"
  }
}

The single-executable application can access the assets as follows:

const { getAsset } = require('node:sea');
// Returns a copy of the data in an ArrayBuffer
const image = getAsset('a.jpg');
// Returns a string decoded from the asset as UTF8.
const text = getAsset('b.txt', 'utf8');
// Returns a Blob containing the asset without copying.
const blob = getAssetAsBlob('a.jpg');

Contributed by Joyee Cheung in #​50960

vm: support using the default loader to handle dynamic import()

This patch adds support for using vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER as the importModuleDynamically option in all vm APIs that take this option except vm.SourceTextModule. This allows users to have a shortcut to support dynamic import() in the compiled code without missing the compilation cache if they don't need customization of the loading process. We emit an experimental warning when the import() is actually handled by the default loader through this option instead of requiring --experimental-vm-modules.

const { Script, constants } = require('node:vm');
const { resolve } = require('node:path');
const { writeFileSync } = require('node:fs');

// Write test.js and test.txt to the directory where the current script
// being run is located.
writeFileSync(resolve(__dirname, 'test.mjs'),
              'export const filename = "./test.json";');
writeFileSync(resolve(__dirname, 'test.json'),
              '{"hello": "world"}');

// Compile a script that loads test.mjs and then test.json
// as if the script is placed in the same directory.
const script = new Script(
  `(async function() {
    const { filename } = await import('./test.mjs');
    return import(filename, { with: { type: 'json' } })
  })();`,
  {
    filename: resolve(__dirname, 'test-with-default.js'),
    importModuleDynamically: constants.USE_MAIN_CONTEXT_DEFAULT_LOADER,
  });

// { default: { hello: 'world' } }
script.runInThisContext().then(console.log);

Contributed by Joyee Cheung in #​51244

crypto: implement crypto.hash()

This patch introduces a helper crypto.hash() that computes a digest from the input at one shot. This can be 1.2-2x faster than the object-based createHash() for smaller inputs (<= 5MB) that are readily available (not streamed) and incur less memory overhead since no intermediate objects will be created.

const crypto = require('node:crypto');

// Hashing a string and return the result as a hex-encoded string.
const string = 'Node.js';
// 10b3493287f831e81a438811a1ffba01f8cec4b7
console.log(crypto.hash('sha1', string));

Contributed by Joyee Cheung in #​51044

Other Notable Changes
Commits

v21.6.2: 2024-02-14, Version 21.6.2 (Current), @​RafaelGSS

Compare Source

Notable changes

This is a security release.

Notable changes
  • CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
  • CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
  • CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High)
  • CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)
  • CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
  • CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
  • CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
  • CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
  • undici version 5.28.3
  • libuv version 1.48.0
  • OpenSSL version 3.0.13+quic1
Commits

v21.6.1: 2024-01-22, Version 21.6.1 (Current), @​RafaelGSS

Compare Source

Notable Changes

This release fixes a bug in undici using WebStreams

Commits

v21.6.0: 2024-01-15, Version 21.6.0 (Current), @​RafaelGSS

Compare Source

New connection attempt events

Three new events were added in the net.createConnection flow:

  • connectionAttempt: Emitted when a new connection attempt is established. In case of Happy Eyeballs, this might emitted multiple times.
  • connectionAttemptFailed: Emitted when a connection attempt failed. In case of Happy Eyeballs, this might emitted multiple times.
  • connectionAttemptTimeout: Emitted when a connection attempt timed out. In case of Happy Eyeballs, this will not be emitted for the last attempt. This is not emitted at all if Happy Eyeballs is not used.

Additionally, a previous bug has been fixed where a new connection attempt could have been started after a previous one failed and after the connection was destroyed by the user. This led to a failed assertion.

Contributed by Paolo Insogna in #​51045.

Changes to the Permission Model

Node.js 21.6.0 comes with several fixes for the experimental permission model and two new semver-minor commits. We're adding a new flag --allow-addons to enable addon usage when using the Permission Model.

$ node --experimental-permission --allow-addons

Contributed by Rafael Gonzaga in #​51183

And relative paths are now supported through the --allow-fs-* flags. Therefore, with this release one can use:

$ node --experimental-permission --allow-fs-read=./index.js

To give only read access to the entrypoint of the application.

Contributed by Rafael Gonzaga and Carlos Espa in #​50758

Support configurable snapshot through --build-snapshot-config flag

We are adding a new flag --build-snapshot-config to configure snapshots through a custom JSON configuration file.

$ node --build-snapshot-config=/path/to/myconfig.json

When using this flag, additional script files provided on the command line will not be executed and instead be interpreted as regular command line arguments.

These changes were contributed by Joyee Cheung and Anna Henningsen in #​50453

Other Notable Changes
Commits

v21.5.0: 2023-12-19, Version 21.5.0 (Current), @​RafaelGSS

Compare Source

Notable Changes
Deprecations
Commits

v21.4.0: 2023-12-05, Version 21.4.0 (Current), @​targos

Compare Source

Notable Changes

This release fixes a regression introduced in v21.3.0 that caused the fs.writeFileSync method to throw when called with 'utf8' encoding, no flag option, and if the target file didn't exist yet.

  • [32acafeeb6] - (SEMVER-MINOR) fs: introduce dirent.parentPath (Antoine du Hamel) #​50976
  • [724548674d] - fs: use default w flag for writeFileSync with utf8 encoding (Murilo Kakazu) #​50990
Commits

v21.3.0: 2023-11-30, Version 21.3.0 (Current), @​RafaelGSS

Compare Source

Notable Changes
New --disable-warning flag

This version adds a new --disable-warning option that allows users to disable specific warnings either by code (i.e. DEP0025) or type (i.e. DeprecationWarning, ExperimentalWarning).

This option works alongside existing --warnings and --no-warnings.

For example, the following script will not emit DEP0025 require('node:sys') when executed with node --disable-warning=DEP0025:

import sys from 'node:sys';

Contributed by Ethan-Arrowood in #​50661

Update Root Certificates to NSS 3.95

This is the certdata.txt from NSS 3.95, released on 2023-11-16.

This is the version of NSS that will ship in Firefox 121 on 2023-12-19.

Certificates added:

  • TrustAsia Global Root CA G3
  • TrustAsia Global Root CA G4
  • CommScope Public Trust ECC Root-01
  • CommScope Public Trust ECC Root-02
  • CommScope Public Trust RSA Root-01
  • CommScope Public Trust RSA Root-02

Certificates removed:

  • Autoridad de Certificacion Firmaprofesional CIF A626340
Fast fs.writeFileSync with UTF-8 Strings

Enhanced writeFileSync functionality by implementing a highly efficient fast path primarily in C++ for UTF8-encoded string data. Additionally, optimized the appendFileSync method by leveraging the improved writeFileSync functionality. For simplicity and performance considerations, the current implementation supports only string data, as benchmark results raise concerns about the efficacy of using Buffer for this purpose. Future optimizations and expansions may be explored, but for now, the focus is on maximizing efficiency for string data operations.

Contributed by CanadaHonk in #​49884.

Other Notable Changes
  • [c7a7493ca2] - (SEMVER-MINOR) module: bootstrap module loaders in shadow realm (Chengzhong Wu) #​48655
  • [bc3f7b5401] - (SEMVER-MINOR) module: remove useCustomLoadersIfPresent flag (Chengzhong Wu) #​48655
  • [aadff07e59] - (SEMVER-MINOR) src: create per isolate proxy env template (Chengzhong Wu) #​48655
  • [91aa9dd23a] - (SEMVER-MINOR) src: create fs_dir per isolate properties (Chengzhong Wu) #​48655
  • [5c5834190a] - (SEMVER-MINOR) src: create worker per isolate properties (Chengzhong Wu) #​48655
  • [4a1ce45181] - (SEMVER-MINOR) src: make process binding data weak (Chengzhong Wu) #​48655
Commits

v21.2.0: 2023-11-14, Version 21.2.0 (Current), @​targos

Compare Source

Notable Changes
Commits

v21.1.0: 2023-10-24, Version 21.1.0 (Current), @​targos

Compare Source

Notable Changes
Automatically detect and run ESM syntax

The new flag --experimental-detect-module can be used to automatically run ES modules when their syntax can be detected. For “ambiguous” files, which are .js or extensionless files with no package.json with a type field, Node.js will parse the file to detect ES module syntax; if found, it will run the file as an ES module, otherwise it will run the file as a CommonJS module. The same applies to string input via --eval or STDIN.

We hope to make detection enabled by default in a future version of Node.js. Detection increases startup time, so we encourage everyone — especially package authors — to add a type field to package.json, even for the default "type": "commonjs". The presence of a type field, or explicit extensions such as .mjs or .cjs, will opt out of detection.

Contributed by Geoffrey Booth in #​50096.

Other Notable Changes
  • [3729e33358] - doc: add H4ad to collaborators (Vinícius Lourenço) #​50217
  • [18862e4d5d] - (SEMVER-MINOR) fs: add flush option to appendFile() functions (Colin Ihrig) #​50095
  • [5a52c518ef] - (SEMVER-MINOR) lib: add navigator.userAgent (Yagiz Nizipli) #​50200
  • [789372a072] - (SEMVER-MINOR) stream: allow pass stream class to stream.compose (Alex Yang) #​50187
  • [f3a9ea0bc4] - stream: improve performance of readable stream reads (Raz Luvaton) #​50173
  • [dda33c2bf1] - vm: reject in importModuleDynamically without --experimental-vm-modules (Joyee Cheung) #​50137
  • [3999362c59] - vm: use internal versions of compileFunction and Script (Joyee Cheung) #​50137
  • [a54179f0e0] - vm: unify host-defined option generation in vm.compileFunction (Joyee Cheung) #​50137
Commits

v21.0.0: 2023-10-17, Version 21.0.0 (Current), @​RafaelGSS and @​targos

Compare Source

We're excited to announce the release of Node.js 21! Highlights include updates of the V8 JavaScript engine to 11.8, stable fetch and WebStreams, a new experimental flag to change the interpretation of ambiguous code from CommonJS to ES modules (--experimental-default-type), many updates to our test runner, and more!

Node.js 21 will replace Node.js 20 as our ‘Current’ release line when Node.js 20 enters long-term support (LTS) later this month. As per the release schedule, Node.js 21 will be ‘Current' release for the next 6 months, until April 2024.

Other Notable Changes
Semver-Major Commits
  • [ac2a68c76b] - (SEMVER-MAJOR) build: drop support for Visual Studio 2019 (Michaël Zasso) #​49051
  • [4e3983031a] - (SEMVER-MAJOR) build: bump supported macOS and Xcode versions (Michaël Zasso) #​49164
  • [5a0777776d] - (SEMVER-MAJOR) crypto: do not overwrite _writableState.defaultEncoding (Tobias Nießen) #​49140
  • [162a0652ab] - (SEMVER-MAJOR) deps: bump minimum ICU version to 73 (Michaël Zasso) #​49639
  • [17a74ddd3d] - (SEMVER-MAJOR) deps: update V8 to 11.8.172.13 (Michaël Zasso) #​49639
  • [e9ff81016d] - (SEMVER-MAJOR) deps: update llhttp to 9.1.2 (Paolo Insogna) #​48981
  • [7ace5aba75] - (SEMVER-MAJOR) events: validate options of on and once (Deokjin Kim) #​46018
  • [b3ec13d449] - (SEMVER-MAJOR) fs: adjust position validation in reading methods (Livia Medeiros) #​42835
  • [1948dce707] - (SEMVER-MAJOR) fs: add globSync implementation (Moshe Atlow) #​47653
  • [d68d0eacaa] - (SEMVER-MAJOR) http: reduce parts in chunked response when corking (Robert Nagy) #​50167
  • [c5b0b894ed] - (SEMVER-MAJOR) lib: mark URL/URLSearchParams as uncloneable and untransferable (Chengzhong Wu) #​47497
  • [3205b1936a] - (SEMVER-MAJOR) lib: remove aix directory case for package reader (Yagiz Nizipli) #​48605
  • [b40f0c3074] - (SEMVER-MAJOR) lib: add navigator.hardwareConcurrency (Yagiz Nizipli) #​47769
  • [4b08c4c047] - (SEMVER-MAJOR) lib: runtime deprecate punycode (Yagiz Nizipli) #​47202
  • [3ce51ae9c0] - (SEMVER-MAJOR) module: harmonize error code between ESM and CJS (Antoine du Hamel) #​48606
  • [7202859402] - (SEMVER-MAJOR) net: do not treat server.maxConnections=0 as Infinity (ignoramous) #​48276
  • [c15bafdaf4] - (SEMVER-MAJOR) net: only defer _final call when connecting (Jason Zhang) #​47385
  • [6ffacbf0f9] - (SEMVER-MAJOR) node-api: rename internal NAPI_VERSION definition (Chengzhong Wu) #​48501
  • [11af089b14] - (SEMVER-MAJOR) src: update NODE_MODULE_VERSION to 120 (Michaël Zasso) #​49639
  • [d920b7c94b] - (SEMVER-MAJOR) src: throw DOMException on cloning non-serializable objects (Chengzhong Wu) #​47839
  • [64549731b6] - (SEMVER-MAJOR) src: throw DataCloneError on transfering untransferable objects (Chengzhong Wu) #​47604
  • [dac8de689b] - (SEMVER-MAJOR) stream: use private properties for strategies (Yagiz Nizipli) #​47218
  • [1fa084ecdf] - (SEMVER-MAJOR) stream: use private properties for encoding (Yagiz Nizipli) #​47218
  • [4e93247079] - (SEMVER-MAJOR) stream: use private properties for compression (Yagiz Nizipli) #​47218
  • [527589b755] - (SEMVER-MAJOR) test_runner: disallow array in run options (Raz Luvaton) #​49935
  • [7cd4e70948] - (SEMVER-MAJOR) test_runner: support passing globs (Moshe Atlow) #​47653
  • [2ef170254b] - (SEMVER-MAJOR) tls: use validateNumber for options.minDHSize (Deokjin Kim) #​49973
  • [092fb9f541] - (SEMVER-MAJOR) tls: use validateFunction for options.checkServerIdentity (Deokjin Kim) #​49896
  • [ccca547e28] - (SEMVER-MAJOR) util: runtime deprecate promisify-ing a function returning a Promise (Antoine du Hamel) #​49609
  • [4038cf0513] - (SEMVER-MAJOR) vm: freeze dependencySpecifiers array (Antoine du Hamel) #​49720
Semver-Minor Commits
  • [3227d7327c] - (SEMVER-MINOR) deps: update uvwasi to 0.0.19 (Node.js GitHub Bot) #​49908
  • [e28dbe1c2b] - (SEMVER-MINOR) lib: add WebSocket client (Matthew Aitken) #​49830
  • [9f9c58212e] - (SEMVER-MINOR) test_runner, cli: add --test-concurrency flag (Colin Ihrig) #​49996
  • [d37b0d267f] - (SEMVER-MINOR) wasi: updates required for latest uvwasi version (Michael Dawson) #​49908
Semver-Patch Commits

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about these updates again.

  • [ ] If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Merge request reports

UNCLASSIFIED - NO CUI