2025-07-29, Version 22.18.0 'Jod' (LTS)

.github/CODEOWNERS

@@ -216,3 +216,10 @@
 /src/node_options.* @nodejs/config
 /test/parallel/test-config-* @nodejs/config
 /test/parallel/test-dotenv-* @nodejs/config
+
+# Inspector
+/src/inspector/* @nodejs/inspector
+/src/inspector_* @nodejs/inspector
+/lib/internal/inspector/* @nodejs/inspector
+/lib/internal/inspector_* @nodejs/inspector
+/lib/inspector.js @nodejs/inspector

.github/workflows/codeql.yml

@@ -27,15 +27,15 @@ jobs:
 
       # Initializes the CodeQL tools for scanning.
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@ff0a06e83cb2de871e5a09832bc6a81e7276941f  # v3.28.18
+        uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b  # v3.29.2
         with:
           languages: ${{ matrix.language }}
           config-file: ./.github/codeql-config.yml
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@ff0a06e83cb2de871e5a09832bc6a81e7276941f  # v3.28.18
+        uses: github/codeql-action/autobuild@181d5eefc20863364f96762470ba6f862bdef56b  # v3.29.2
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@ff0a06e83cb2de871e5a09832bc6a81e7276941f  # v3.28.18
+        uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b  # v3.29.2
         with:
           category: /language:${{matrix.language}}

.github/workflows/commit-queue.yml

@@ -1,6 +1,6 @@
 # This action requires the following secrets to be set on the repository:
-#   GH_USER_NAME: GitHub user whose Jenkins and GitHub token are defined below
 #   GH_USER_TOKEN: GitHub user token, to be used by ncu and to push changes
+#   JENKINS_USER: GitHub user whose Jenkins token is defined below
 #   JENKINS_TOKEN: Jenkins token, to be used to check CI status
 
 name: Commit Queue
@@ -34,24 +34,24 @@ jobs:
         id: get_mergeable_prs
         run: |
           prs=$(gh pr list \
-                  --repo ${{ github.repository }} \
-                  --base ${{ github.ref_name }} \
+                  --repo "$GITHUB_REPOSITORY" \
+                  --base "$GITHUB_REF_NAME" \
                   --label 'commit-queue' \
                   --json 'number' \
                   --search "created:<=$(date --date="2 days ago"  +"%Y-%m-%dT%H:%M:%S%z") -label:blocked" \
                   -t '{{ range . }}{{ .number }} {{ end }}' \
                   --limit 100)
           fast_track_prs=$(gh pr list \
-                  --repo ${{ github.repository }} \
-                  --base ${{ github.ref_name }} \
+                  --repo "$GITHUB_REPOSITORY" \
+                  --base "$GITHUB_REF_NAME" \
                   --label 'commit-queue' \
                   --label 'fast-track' \
                   --search "-label:blocked" \
                   --json 'number' \
                   -t '{{ range . }}{{ .number }} {{ end }}' \
                   --limit 100)
           numbers=$(echo $prs' '$fast_track_prs | jq -r -s 'unique | join(" ")')
-          echo "numbers=$numbers" >> $GITHUB_OUTPUT
+          echo "numbers=$numbers" >> "$GITHUB_OUTPUT"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   commitQueue:
@@ -61,9 +61,6 @@ jobs:
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
-          # Needs the whole git history for ncu to work
-          # See https://github.com/nodejs/node-core-utils/pull/486
-          fetch-depth: 0
           # A personal token is required because pushing with GITHUB_TOKEN will
           # prevent commits from running CI after they land. It needs
           # to be set here because `checkout` configures GitHub authentication
@@ -80,24 +77,23 @@ jobs:
 
       - name: Set variables
         run: |
-          echo "REPOSITORY=$(echo ${{ github.repository }} | cut -d/ -f2)" >> $GITHUB_ENV
-          echo "OWNER=${{ github.repository_owner }}" >> $GITHUB_ENV
+          echo "REPOSITORY=$(echo "$GITHUB_REPOSITORY" | cut -d/ -f2)" >> "$GITHUB_ENV"
 
       - name: Configure @node-core/utils
         run: |
-          ncu-config set branch ${GITHUB_REF_NAME}
+          ncu-config set branch "${GITHUB_REF_NAME}"
           ncu-config set upstream origin
           ncu-config set username "$USERNAME"
-          ncu-config set token "$GH_TOKEN"
+          ncu-config set token "$GITHUB_TOKEN"
           ncu-config set jenkins_token "$JENKINS_TOKEN"
           ncu-config set repo "${REPOSITORY}"
-          ncu-config set owner "${OWNER}"
+          ncu-config set owner "${GITHUB_REPOSITORY_OWNER}"
         env:
           USERNAME: ${{ secrets.JENKINS_USER }}
-          GH_TOKEN: ${{ secrets.GH_USER_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}
           JENKINS_TOKEN: ${{ secrets.JENKINS_TOKEN }}
 
       - name: Start the Commit Queue
-        run: ./tools/actions/commit-queue.sh ${{ env.OWNER }} ${{ env.REPOSITORY }} ${{ needs.get_mergeable_prs.outputs.numbers }}
+        run: ./tools/actions/commit-queue.sh "${GITHUB_REPOSITORY_OWNER}" "${REPOSITORY}" ${{ needs.get_mergeable_prs.outputs.numbers }}
         env:
           GITHUB_TOKEN: ${{ secrets.GH_USER_TOKEN }}

.github/workflows/scorecard.yml

@@ -33,7 +33,7 @@ jobs:
 
     steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0  # v2.12.0
+        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49  # v2.12.2
         with:
           egress-policy: audit  # TODO: change to 'egress-policy: block' after couple of runs
 
@@ -73,6 +73,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@ff0a06e83cb2de871e5a09832bc6a81e7276941f  # v3.28.18
+        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b  # v3.29.2
         with:
           sarif_file: results.sarif

.mailmap

@@ -436,7 +436,8 @@ Rebecca Turner <[email protected]> <[email protected]>
 Refael Ackermann <[email protected]> <[email protected]>
 Reza Akhavan <[email protected]>
 Ricardo Sánchez Gregorio <[email protected]>
-Richard Lau <[email protected]> <[email protected]>
+Richard Lau <[email protected]> <[email protected]>
+Richard Lau <[email protected]> <[email protected]>
 Rick Olson <[email protected]>
 rickyes <[email protected]> <[email protected]>
 rickyes <[email protected]> <[email protected]>

CHANGELOG.md

@@ -37,7 +37,8 @@ release.
 </tr>
 <tr>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V22.md#22.17.1">22.17.1</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V22.md#22.18.0">22.18.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V22.md#22.17.1">22.17.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V22.md#22.17.0">22.17.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V22.md#22.16.0">22.16.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V22.md#22.15.1">22.15.1</a><br/>

GOVERNANCE.md

@@ -97,9 +97,17 @@ Charter need approval by the OpenJS Foundation Cross-Project Council (CPC).
 The TSC meets in a video conference call. Each year, the TSC elects a chair to
 run the meetings. The TSC streams its meetings for public viewing on YouTube.
 
+TSC meetings may consist of a public portion and a private portion. The private
+portion is used to discuss sensitive topics, such as personnel issues,
+security vulnerabilities, or other confidential matters. Private discussions
+should be avoided as much as possible, and the TSC should strive to keep
+discussions in the public portion of the meeting, but there are times when
+private discussions are necessary.
+
 The TSC agenda includes issues that are at an impasse. The intention of the
 agenda is not to review or approve all patches. Collaborators review and approve
-patches on GitHub.
+patches on GitHub. The preference is to minimize the need for TSC meetings to
+make decisions that can otherwise be made by collaborators on GitHub.
 
 Any community member can create a GitHub issue asking that the TSC review
 something. If consensus-seeking fails for an issue, a collaborator may apply the
@@ -109,21 +117,55 @@ Before each TSC meeting, the meeting chair will share the agenda with members of
 the TSC. TSC members can also add items to the agenda at the beginning of each
 meeting. The meeting chair and the TSC cannot veto or remove items.
 
-The TSC may invite people to take part in a non-voting capacity.
-
-During the meeting, the TSC chair ensures that someone takes minutes. After the
-meeting, the TSC chair ensures that someone opens a pull request with the
-minutes.
-
-The TSC seeks to resolve as many issues as possible outside meetings using
-[the TSC issue tracker](https://github.com/nodejs/TSC/issues). The process in
-the issue tracker is:
+The TSC may invite people to take part in a non-voting capacity in either the
+public or private portions of the meeting.
+
+During the public portion of the meeting, the TSC chair ensures that someone
+takes minutes that include a summary of the discussion and any
+decisions made. After the meeting, the TSC chair ensures that someone opens a
+public pull request with the minutes from the public portion of the meeting.
+
+The public portion of the TSC meeting is expected to be recorded and made
+available for live streaming during the meeting or download by anyone after.
+This expectation is to be announced to all participants at the start of the
+each meeting before the recording is started. Continued participation in the
+public portion of the meeting after this announcement is interpreted as consent to the
+recording.
+
+For the private portion of the meeting, the TSC chair ensures that someone
+produces a summary of the discussions, gets it reviewed by the attendees,
+and shares it to all the TSC members once approved by the attendees via a
+private discussion channel such as the TSC private mailing list. The summary
+may be made public if there is consensus within the TSC and the non-TSC
+attendees to make it public.
+
+Recording the private portion of a meeting or maintaining or publishing a
+detailed transcript is only permitted when all participants present during the
+private portion of the meeting explicitly agree to the recording and/or
+transcript, in order to comply to privacy regulations.
+
+All discussions made during meetings are considered provisional, receiving no
+objections from folks at the TSC meeting to take an action is not equivalent to
+the TSC endorsing that action.
+
+If a quorum of TSC voting members is present, it is possible to call for an
+explicit vote, and take the vote immediately if there are no objections. The
+decision is considered confirmed once the rest of the TSC voting members have
+been informed and no objection for taking that vote has been raised in 48 hours.
+To clarify, TSC voting members can object to the vote taking place during the
+meeting, but not to the vote itself.
+
+For discussions outside of meetings, the TSC uses
+[the TSC issue tracker](https://github.com/nodejs/TSC/issues) for public
+issues, and the private TSC email list for private matters. The process for
+public issues in the issue tracker is:
 
 * A TSC member opens an issue explaining the proposal/issue and @-mentions
   @nodejs/tsc.
 * The proposal passes if, after 72 hours, there are two or more TSC voting
   member approvals and no TSC voting member opposition.
-* If there is an extended impasse, a TSC member may make a motion for a vote.
+* If there is an extended impasse, a TSC member may ask for the issue to be
+  added to the TSC agenda, or make a motion for a vote.
 
 ## Collaborator nominations
 

LICENSE

@@ -1545,9 +1545,9 @@ The externally maintained libraries used by Node.js are:
 - zlib, located at deps/zlib, is licensed as follows:
   """
     zlib.h -- interface of the 'zlib' general purpose compression library
-    version 1.3.0.1, August xxth, 2023
+    version 1.3.1, January 22nd, 2024
 
-    Copyright (C) 1995-2023 Jean-loup Gailly and Mark Adler
+    Copyright (C) 1995-2024 Jean-loup Gailly and Mark Adler
 
     This software is provided 'as-is', without any express or implied
     warranty.  In no event will the authors be held liable for any damages

Makefile

@@ -220,7 +220,7 @@ testclean: ## Remove test artifacts.
 distclean: ## Remove all build and test artifacts.
 	$(RM) -r out
 	$(RM) config.gypi icu_config.gypi
-	$(RM) config.mk
+	$(RM) config.mk config.status
 	$(RM) -r $(NODE_EXE) $(NODE_G_EXE)
 	$(RM) -r node_modules
 	$(RM) -r deps/icu

README.md

@@ -187,7 +187,7 @@ For information about the governance of the Node.js project, see
 * [RaisinTen](https://github.com/RaisinTen) -
   **Darshan Sen** <<[email protected]>> (he/him)
 * [richardlau](https://github.com/richardlau) -
-  **Richard Lau** <<rlau@redhat.com>>
+  **Richard Lau** <<richard.lau@ibm.com>>
 * [ronag](https://github.com/ronag) -
   **Robert Nagy** <<[email protected]>>
 * [ruyadorno](https://github.com/ruyadorno) -
@@ -355,6 +355,10 @@ For information about the governance of the Node.js project, see
   **Harshitha K P** <<[email protected]>> (she/her)
 * [himself65](https://github.com/himself65) -
   **Zeyu "Alex" Yang** <<[email protected]>> (he/him)
+* [IlyasShabi](https://github.com/IlyasShabi) -
+  **Ilyas Shabi** <<[email protected]>> (he/him)
+* [islandryu](https://github.com/islandryu) -
+  **Ryuhei Shima** <<[email protected]>> (he/him)
 * [jakecastelli](https://github.com/jakecastelli) -
   **Jake Yuesong Li** <<[email protected]>> (he/him)
 * [JakobJingleheimer](https://github.com/JakobJingleheimer) -
@@ -407,6 +411,8 @@ For information about the governance of the Node.js project, see
   **Moshe Atlow** <<[email protected]>> (he/him)
 * [MrJithil](https://github.com/MrJithil) -
   **Jithil P Ponnan** <<[email protected]>> (he/him)
+* [ovflowd](https://github.com/ovflowd) -
+  **Claudio Wunder** <<[email protected]>> (he/they)
 * [panva](https://github.com/panva) -
   **Filip Skokan** <<[email protected]>> (he/him) - [Support me](https://github.com/sponsors/panva)
 * [pimterry](https://github.com/pimterry) -
@@ -422,7 +428,7 @@ For information about the governance of the Node.js project, see
 * [RaisinTen](https://github.com/RaisinTen) -
   **Darshan Sen** <<[email protected]>> (he/him) - [Support me](https://github.com/sponsors/RaisinTen)
 * [richardlau](https://github.com/richardlau) -
-  **Richard Lau** <<rlau@redhat.com>>
+  **Richard Lau** <<richard.lau@ibm.com>>
 * [rluvaton](https://github.com/rluvaton) -
   **Raz Luvaton** <<[email protected]>> (he/him)
 * [ronag](https://github.com/ronag) -
@@ -635,8 +641,6 @@ For information about the governance of the Node.js project, see
   **Alexis Campailla** <<[email protected]>>
 * [othiym23](https://github.com/othiym23) -
   **Forrest L Norvell** <<[email protected]>> (they/them/themself)
-* [ovflowd](https://github.com/ovflowd) -
-  **Claudio Wunder** <<[email protected]>> (he/they)
 * [oyyd](https://github.com/oyyd) -
   **Ouyang Yadong** <<[email protected]>> (he/him)
 * [petkaantonov](https://github.com/petkaantonov) -
@@ -786,7 +790,7 @@ responding to new issues.
 Primary GPG keys for Node.js Releasers (some Releasers sign with subkeys):
 
 * **Antoine du Hamel** <<[email protected]>>
-  `C0D6248439F1D5604AAFFB4021D900FFDB233756`
+  `5BE8A3F6C8A5C01D106C0AD820B1A390B168D356`
 * **Juan José Arboleda** <<[email protected]>>
   `DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7`
 * **Marco Ippolito** <<[email protected]>>
@@ -795,7 +799,7 @@ Primary GPG keys for Node.js Releasers (some Releasers sign with subkeys):
   `8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600`
 * **Rafael Gonzaga** <<[email protected]>>
   `890C08DB8579162FEE0DF9DB8BEAB4DFCF555EF4`
-* **Richard Lau** <<rlau@redhat.com>>
+* **Richard Lau** <<richard.lau@ibm.com>>
   `C82FA3AE1CBEDC6BE46B9360C43CEC45C17AB93C`
 * **Ruy Adorno** <<[email protected]>>
   `108F52B48DB57BB0CC439B2997B01419BD92F80A`
@@ -806,7 +810,7 @@ To import the full set of trusted release keys (including subkeys possibly used
 to sign releases):
 
 ```bash
-gpg --keyserver hkps://keys.openpgp.org --recv-keys C0D6248439F1D5604AAFFB4021D900FFDB233756 # Antoine du Hamel
+gpg --keyserver hkps://keys.openpgp.org --recv-keys 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 # Antoine du Hamel
 gpg --keyserver hkps://keys.openpgp.org --recv-keys DD792F5973C6DE52C432CBDAC77ABFA00DDBF2B7 # Juan José Arboleda
 gpg --keyserver hkps://keys.openpgp.org --recv-keys CC68F5A3106FF448322E48ED27F5E38D5B0A215F # Marco Ippolito
 gpg --keyserver hkps://keys.openpgp.org --recv-keys 8FCCA13FEF1D0C2E91008E09770F7A9A5AE15600 # Michaël Zasso
@@ -823,6 +827,8 @@ verify a downloaded file.
 
 <summary>Other keys used to sign some previous releases</summary>
 
+* **Antoine du Hamel** <<[email protected]>>
+  `C0D6248439F1D5604AAFFB4021D900FFDB233756`
 * **Beth Griggs** <<[email protected]>>
   `4ED778F539E3634C779C87C6D7062848A1AB005C`
 * **Bryan English** <<[email protected]>>

benchmark/source_map/source-map-cache.js

@@ -0,0 +1,60 @@
+'use strict';
+
+const common = require('../common.js');
+const assert = require('assert');
+const fixtures = require('../../test/common/fixtures');
+
+const bench = common.createBenchmark(
+  main,
+  {
+    operation: [
+      'findSourceMap-valid',
+      'findSourceMap-generated-source',
+    ],
+    n: [1e5],
+  },
+);
+
+function main({ operation, n }) {
+  const Module = require('node:module');
+
+  Module.setSourceMapsSupport(true, {
+    generatedCode: true,
+  });
+  const validFileName = fixtures.path('test-runner/source-maps/line-lengths/index.js');
+
+  const fileNameKey = '/source-map/disk.js';
+  const generatedFileName = fixtures.path(fileNameKey);
+  const generatedFileContent = fixtures.readSync(fileNameKey, 'utf8');
+  const sourceMapUrl = generatedFileName.replace(/\.js$/, '.map');
+  const sourceWithGeneratedSourceMap =
+    `${generatedFileContent}\n//# sourceMappingURL=${sourceMapUrl}\n//# sourceURL=${generatedFileName}`;
+  const generatedExpectedUrl = `file://${generatedFileName}`;
+
+  let sourceMap;
+  switch (operation) {
+    case 'findSourceMap-valid':
+      require(validFileName);
+
+      bench.start();
+      for (let i = 0; i < n; i++) {
+        sourceMap = Module.findSourceMap(validFileName);
+      }
+      bench.end(n);
+      break;
+
+    case 'findSourceMap-generated-source':
+      eval(sourceWithGeneratedSourceMap);
+
+      bench.start();
+      for (let i = 0; i < n; i++) {
+        sourceMap = Module.findSourceMap(generatedExpectedUrl);
+      }
+      bench.end(n);
+      break;
+
+    default:
+      throw new Error(`Unknown operation: ${operation}`);
+  }
+  assert.ok(sourceMap);
+}