2024-03-06, Version 21.7.0 (Current), @RafaelGSS prepared by @marco-ippolito

Text Styling

• util.styleText(format, text): This function returns a formatted text considering the format passed.

A new API has been created to format text based on util.inspect.colors, enabling you to style text in different colors (such as red, blue, ...) and emphasis (italic, bold, ...).

const { styleText } = require('node:util');
const errorMessage = styleText('red', 'Error! Error!');
console.log(errorMessage);

Contributed by Rafael Gonzaga and Hemanth HM in #51850.

Loading and parsing environment variables

• process.loadEnvFile(path):

  • Use this function to load the .env file. If no path is specified, it automatically loads the .env file in the current directory. Example: process.loadEnvFile().
  • Load a specific .env file by specifying its path. Example: process.loadEnvFile('./development.env').

• util.parseEnv(content):

  • Use this function to parse an existing string containing environment variable assignments.
  • Example usage: require('node:util').parseEnv('HELLO=world').

Contributed by Yagiz Nizipli in #51476

Support for multi-line values for .env file

Node.js 21.7.0 will now support multi-line values in the .env file:

MULTI_LINE="HELLO
WORLD"

Contributed by Ilyas Shabi #51289

sea: support embedding assets

Users can now include assets by adding a key-path dictionary
to the configuration as the assets field. At build time, Node.js
would read the assets from the specified paths and bundle them into
the preparation blob. In the generated executable, users can retrieve
the assets using the sea.getAsset() and sea.getAssetAsBlob() API.

{
  "main": "/path/to/bundled/script.js",
  "output": "/path/to/write/the/generated/blob.blob",
  "assets": {
    "a.jpg": "/path/to/a.jpg",
    "b.txt": "/path/to/b.txt"
  }
}

The single-executable application can access the assets as follows:

const { getAsset } = require('node:sea');
// Returns a copy of the data in an ArrayBuffer
const image = getAsset('a.jpg');
// Returns a string decoded from the asset as UTF8.
const text = getAsset('b.txt', 'utf8');
// Returns a Blob containing the asset without copying.
const blob = getAssetAsBlob('a.jpg');

Contributed by Joyee Cheung in #50960

vm: support using the default loader to handle dynamic import()

This patch adds support for using vm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER as the
importModuleDynamically option in all vm APIs that take this option except vm.SourceTextModule. This allows users to have a shortcut to support dynamic import() in the compiled code without missing the compilation cache if they don't need customization of the loading process. We emit an experimental warning when the import() is actually handled by the default loader through this option instead of requiring --experimental-vm-modules.

const { Script, constants } = require('node:vm');
const { resolve } = require('node:path');
const { writeFileSync } = require('node:fs');

// Write test.js and test.txt to the directory where the current script
// being run is located.
writeFileSync(resolve(__dirname, 'test.mjs'),
              'export const filename = "./test.json";');
writeFileSync(resolve(__dirname, 'test.json'),
              '{"hello": "world"}');

// Compile a script that loads test.mjs and then test.json
// as if the script is placed in the same directory.
const script = new Script(
  `(async function() {
    const { filename } = await import('./test.mjs');
    return import(filename, { with: { type: 'json' } })
  })();`,
  {
    filename: resolve(__dirname, 'test-with-default.js'),
    importModuleDynamically: constants.USE_MAIN_CONTEXT_DEFAULT_LOADER,
  });

// { default: { hello: 'world' } }
script.runInThisContext().then(console.log);

Contributed by Joyee Cheung in #51244

crypto: implement crypto.hash()

This patch introduces a helper crypto.hash() that computes
a digest from the input at one shot. This can be 1.2-2x faster
than the object-based createHash() for smaller inputs (<= 5MB)
that are readily available (not streamed) and incur less memory
overhead since no intermediate objects will be created.

const crypto = require('node:crypto');

// Hashing a string and return the result as a hex-encoded string.
const string = 'Node.js';
// 10b3493287f831e81a438811a1ffba01f8cec4b7
console.log(crypto.hash('sha1', string));

Contributed by Joyee Cheung in #51044

Other Notable Changes

• [8ae0eeb7f4] - (SEMVER-MINOR) build: build opt to set local location of headers (Michael Dawson) #51525
• [496776cc78] - crypto: update root certificates to NSS 3.98 (Node.js GitHub Bot) #51794
• [a8c9e6f7e9] - doc: add zcbenz to collaborators (Cheng Zhao) #51812
• [adbf2d3837] - doc: add lemire to collaborators (Daniel Lemire) #51572
• [4b1c6839f4] - (SEMVER-MINOR) http2: add h2 compat support for appendHeader (Tim Perry) #51412
• [d8aa2bac0b] - (SEMVER-MINOR) http2: add server handshake utility (snek) #51172
• [b9275d9039] - (SEMVER-MINOR) http2: receive customsettings (Marten Richter) #51323
• [5a2d2daad5] - (SEMVER-MINOR) lib: move encodingsMap to internal/util (Joyee Cheung) #51044
• [e8d9065262] - (SEMVER-MINOR) sea: support sea.getRawAsset() (Joyee Cheung) #50960
• [47186fbad5] - (SEMVER-MINOR) src: print string content better in BlobDeserializer (Joyee Cheung) #50960
• [119e045053] - (SEMVER-MINOR) src: do not coerce dotenv paths (Tobias Nießen) #51425
• [9ab353af00] - (SEMVER-MINOR) stream: implement min option for ReadableStreamBYOBReader.read (Mattias Buelens) #50888

Commits

• [4ddb9b33d5] - async_hooks,inspector: implement inspector api without async_wrap (Gabriel Bota) #51501
• [7e06c11f55] - benchmark: update iterations of assert/deepequal-typedarrays.js (Lei Shi) #51419
• [72be232006] - benchmark: update iterations of benchmark/assert/deepequal-map.js (Lei Shi) #51416
• [92e7c310cb] - benchmark: rename startup.js to startup-core.js (Joyee Cheung) #51669
• [c9ada533a2] - build: remove librt libs link for Android compatibility (BuShe Pie) #51632
• [86ac787889] - build: do not rely on gn_helpers in GN build (Cheng Zhao) #51439
• [9be6b7ccf0] - build: fix warning in cares under GN build (Cheng Zhao) #51687
• [d1a8c2e989] - build: fix building js2c with GN (Cheng Zhao) #51818
• [9840715dc0] - build: encode non-ASCII Latin1 characters as one byte in JS2C (Joyee Cheung) #51605
• [8ae0eeb7f4] - (SEMVER-MINOR) build: build opt to set local location of headers (Michael Dawson) #51525
• [1999719877] - build: use macOS m1 machines for testing (Yagiz Nizipli) #51620
• [85f63f3d7d] - build: check before removing %config% link (liudonghua) #51437
• [cc37959232] - build: increase parallel executions in github (Yagiz Nizipli) #51554
• [2921d55121] - build: remove copyright header in node.gni (Cheng Zhao) [#51535](https://gith...

2024-02-14, Version 21.6.2 (Current), @RafaelGSS

Notable changes

This is a security release.

Notable changes

• CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
• CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
• CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High)
• CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)
• CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
• CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
• CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
• CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
• undici version 5.28.3
• libuv version 1.48.0
• OpenSSL version 3.0.13+quic1

Commits

• [8344719369] - crypto: disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
• [d093600ac4] - deps: update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
• [6cd930e5e8] - deps: upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
• [9590c15d3d] - deps: upgrade libuv to 1.48.0 (Santiago Gimeno) #51698
• [666096298c] - deps: disable io_uring support in libuv by default (Tobias Nießen) nodejs-private/node-private#528
• [a4edd22e30] - fs: protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) nodejs-private/node-private#497
• [6155a1ffaf] - http: add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#518
• [777509495e] - lib: use cache fs internals against path traversal (RafaelGSS) nodejs-private/node-private#516
• [9d2ac2b3fc] - lib: update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#538
• [208b3940c7] - src: fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
• [fc2454f29c] - src,deps: disable setuid() etc if io_uring enabled (Tobias Nießen) nodejs-private/node-private#528
• [ef3eea20be] - test,doc: clarify wildcard usage (RafaelGSS) nodejs-private/node-private#517
• [8547196964] - zlib: pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#540

2024-02-14, Version 20.11.1 'Iron' (LTS), @RafaelGSS prepared by @marco-ippolito

Notable changes

This is a security release.

Notable changes

• CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
• CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
• CVE-2024-21896 - Path traversal by monkey-patching Buffer internals- (High)
• CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)
• CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
• CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
• CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write (Medium)
• CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
• undici version 5.28.3
• libuv version 1.48.0
• OpenSSL version 3.0.13+quic1

Commits

• [7079c062bb] - crypto: disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
• [186a6e1ffb] - deps: fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #51737
• [686da19abb] - deps: disable io_uring support in libuv by default (Tobias Nießen) nodejs-private/node-private#529
• [f7b44bfbce] - deps: update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
• [7a30fecea2] - deps: upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
• [480fc169a8] - fs: protect against modified Buffer internals in possiblyTransformPath (Tobias Nießen) nodejs-private/node-private#497
• [77ac7c3153] - http: add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#519
• [ed7d149675] - lib: use cache fs internals against path traversal (RafaelGSS) nodejs-private/node-private#516
• [89bd5fc38f] - lib: update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#539
• [d01dd4291d] - permission: fix wildcard when children > 1 (Rafael Gonzaga) #51209
• [40ff37dfcc] - src: fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
• [3f6addd590] - src,deps: disable setuid() etc if io_uring enabled (Tobias Nießen) nodejs-private/node-private#529
• [d6da413aa4] - test,doc: clarify wildcard usage (RafaelGSS) nodejs-private/node-private#517
• [c213910aea] - zlib: pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#541

2024-02-14, Version 18.19.1 'Hydrogen' (LTS), @RafaelGSS prepared by @marco-ippolito

Notable changes

This is a security release.

Notable changes

• CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities- (High)
• CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks- (High)
• CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
• CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
• undici version 5.28.3
• npm version 10.2.4

Commits

• [69e0a1dba8] - crypto: update root certificates to NSS 3.95 (Node.js GitHub Bot) #50805
• [d3d357ab09] - crypto: disable PKCS#1 padding for privateDecrypt (Michael Dawson) nodejs-private/node-private#525
• [3d27175c42] - deps: fix GHSA-f74f-cvh7-c6q6/CVE-2024-24806 (Santiago Gimeno) #51614
• [331558b8ab] - deps: update archs files for openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
• [99b77dfb9c] - deps: upgrade openssl sources to quictls/openssl-3.0.13+quic1 (Node.js GitHub Bot) #51614
• [6cdc71bff1] - deps: upgrade npm to 10.2.4 (npm team) #50751
• [911cb33cda] - http: add maximum chunk extension size (Paolo Insogna) nodejs-private/node-private#520
• [f48b89689d] - lib: update undici to v5.28.3 (Matteo Collina) nodejs-private/node-private#536
• [e6b4c105e0] - src: fix HasOnly(capability) in node::credentials (Tobias Nießen) nodejs-private/node-private#505
• [97c49076cd] - test: skip test-child-process-stdio-reuse-readable-stdio on Windows (Joyee Cheung) #49621
• [60affdde8e] - tools: add macOS notarization verification step (Ulises Gascón) #50833
• [ccc676a327] - tools: use macOS keychain to notarize the releases (Ulises Gascón) #50715
• [31f1ceb380] - tools: remove unused file (Ulises Gascon) #50622
• [bd5f6fb92a] - tools: add macOS notarization stapler (Ulises Gascón) #50625
• [4168c4f71b] - tools: improve macOS notarization process output readability (Ulises Gascón) #50389
• [4622f775aa] - tools: remove unused version function (Ulises Gascón) #50390
• [b90804b1e7] - win,tools: upgrade Windows signing to smctl (Stefan Stojanovic) #50956
• [f31d47e135] - zlib: pause stream if outgoing buffer is full (Matteo Collina) nodejs-private/node-private#542

2024-01-22, Version 21.6.1 (Current), @RafaelGSS

Notable Changes

This release fixes a bug in undici using WebStreams

Commits

• [662ac95729] - Revert "stream: fix cloned webstreams not being unref'd" (Matteo Collina) #51491
• [1b8bba8aee] - test: add regression test for 51586 (Matteo Collina) #51491

2024-01-15, Version 21.6.0 (Current), @RafaelGSS

New connection attempt events

Three new events were added in the net.createConnection flow:

• connectionAttempt: Emitted when a new connection attempt is established. In case of Happy Eyeballs, this might emitted multiple times.
• connectionAttemptFailed: Emitted when a connection attempt failed. In case of Happy Eyeballs, this might emitted multiple times.
• connectionAttemptTimeout: Emitted when a connection attempt timed out. In case of Happy Eyeballs, this will not be emitted for the last attempt. This is not emitted at all if Happy Eyeballs is not used.

Additionally, a previous bug has been fixed where a new connection attempt could have been started after a previous one failed and after the connection was destroyed by the user.
This led to a failed assertion.

Contributed by Paolo Insogna in #51045.

Changes to the Permission Model

Node.js 21.6.0 comes with several fixes for the experimental permission model and two new semver-minor commits.
We're adding a new flag --allow-addons to enable addon usage when using the Permission Model.

$ node --experimental-permission --allow-addons

Contributed by Rafael Gonzaga in #51183

And relative paths are now supported through the --allow-fs-* flags.
Therefore, with this release one can use:

$ node --experimental-permission --allow-fs-read=./index.js

To give only read access to the entrypoint of the application.

Contributed by Rafael Gonzaga and Carlos Espa in #50758

Support configurable snapshot through --build-snapshot-config flag

We are adding a new flag --build-snapshot-config to configure snapshots through a custom JSON configuration file.

$ node --build-snapshot-config=/path/to/myconfig.json

When using this flag, additional script files provided on the command line will
not be executed and instead be interpreted as regular command line arguments.

These changes were contributed by Joyee Cheung and Anna Henningsen in #50453

Other Notable Changes

• [c31ed51373] - (SEMVER-MINOR) timers: export timers.promises (Marco Ippolito) #51246

Commits

• [13a1241b83] - assert,crypto: make KeyObject and CryptoKey testable for equality (Filip Skokan) #50897
• [4dcc5114aa] - benchmark: remove dependency on unshipped tools (Adam Majer) #51146
• [2eb41f86b3] - build: fix for VScode "Reopen in Container" (Serg Kryvonos) #51271
• [e03ac83c19] - build: fix arm64 cross-compilation (Michaël Zasso) #51256
• [cd61fce34e] - build: add -flax-vector-conversions to V8 build (Michaël Zasso) #51257
• [e5017a522e] - crypto: update CryptoKey symbol properties (Filip Skokan) #50897
• [c0d2e8be11] - deps: update corepack to 0.24.0 (Node.js GitHub Bot) #51318
• [24a9a72492] - deps: update acorn to 8.11.3 (Node.js GitHub Bot) #51317
• [e53cbb22c2] - deps: update ngtcp2 and nghttp3 (James M Snell) #51291
• [f00f1204f1] - deps: update brotli to 1.1.0 (Node.js GitHub Bot) #50804
• [a41dca0c51] - deps: update zlib to 1.3.0.1-motley-40e35a7 (Node.js GitHub Bot) #51274
• [efa12a89c6] - deps: update simdutf to 4.0.8 (Node.js GitHub Bot) #51000
• [25eba3d20b] - deps: V8: cherry-pick de611e69ad51 (Keyhan Vakil) #51200
• [a07d6e23e4] - deps: update simdjson to 3.6.3 (Node.js GitHub Bot) #51104
• [6d1bfcb2dd] - deps: update googletest to 530d5c8 (Node.js GitHub Bot) #51191
• [75e5615c43] - deps: update acorn-walk to 8.3.1 (Node.js GitHub Bot) #50457
• [3ecc7dcc00] - deps: update acorn-walk to 8.3.0 (Node.js GitHub Bot) #50457
• [e2f8d741c8] - deps: update zlib to 1.3.0.1-motley-dd5fc13 (Node.js GitHub Bot) #51105
• [4a5d3bda72] - doc: the GN files should use Node's license (Cheng Zhao) #50694
• [84127514ba] - doc: improve localWindowSize event descriptions (Davy Landman) #51071
• [8ee882a49c] - doc: mark --jitless as experimental (Antoine du Hamel) #51247
• [876743ece1] - doc: run license-builder (github-actions[bot]) #51199
• [ec6fcff009] - doc: fix limitations and known issues in pm (Rafael Gonzaga) #51184
• [c13a5c0373] - doc: mention node:wasi in the Threat Model (Rafael Gonzaga) #51211
• [4b19e62444] - doc: remove ambiguous 'considered' (Rich Trott) #51207
• [5453abd6ad] - doc: set exit code in custom test runner example (Matteo Collina) #51056
• [f9d4e07faf] - doc: remove version from maintaining-dependencies.md (Antoine du Hamel) #51195
• [df8927a073] - doc: mention native addons are restricted in pm (Rafael Gonzaga) #51185
• [e636d83914] - doc: correct note on behavior of stats.isDirectory (Nick Reilingh) #50946
• [1c71435c2a] - doc: fix TestsStream parent class (Jungku Lee) #51181
• [2c227b0d64] - doc: fix simdjson wrong link (Marco Ippolito) #51177
• [efa13e1943] - (SEMVER-MINOR) doc: add documentation for --build-snapshot-config (Anna Henningsen) #50453
• [941aedc6fc] - errors: fix stacktrace of SystemError (uzlopak) #49956
• [47548d9e61] - esm: fix hint on invalid module specifier (Antoine du Hamel) #51223
• [091098f40a] - fs: fix fs.promises.realpath for long paths on Windows (翠 / green) #51032
• [e5a8fa01aa] - fs: make offset, position & length args in fh.read() optional (Pulkit Gupta) #51087
• [c87e5d51cc] - fs: add missing jsdoc parameters to readSync (Yagiz Nizipli) #51225
• [e24249cf37] - fs: remove internalModuleReadJSON binding (Yagiz Nizipli) #51224
• [7421467812] - fs: improve mkdtemp performance for buffer prefix (Yagiz Nizipli) #51078
• [5b229d775f] - fs: validate fd synchronously on c++ (Yagiz Nizipli) #51027
• [[...

2024-01-09, Version 20.11.0 'Iron' (LTS), @UlisesGascon

Notable Changes

• [833190fe7c] - crypto: update root certificates to NSS 3.95 (Node.js GitHub Bot) #50805
• [a541b78bdb] - doc: add MrJithil to collaborators (Jithil P Ponnan) #50666
• [d4be8fad83] - doc: add Ethan-Arrowood as a collaborator (Ethan Arrowood) #50393
• [c1a196c897] - (SEMVER-MINOR) esm: add import.meta.dirname and import.meta.filename (James Sumners) #48740
• [aa3209b880] - fs: add c++ fast path for writeFileSync utf8 (CanadaHonk) #49884
• [8e886a2fff] - (SEMVER-MINOR) module: remove useCustomLoadersIfPresent flag (Chengzhong Wu) #48655
• [21ab3c0f0b] - (SEMVER-MINOR) module: bootstrap module loaders in shadow realm (Chengzhong Wu) #48655
• [29d91b13e3] - (SEMVER-MINOR) src: add --disable-warning option (Ethan Arrowood) #50661
• [11b3e470db] - (SEMVER-MINOR) src: create per isolate proxy env template (Chengzhong Wu) #48655
• [621c4d66c2] - (SEMVER-MINOR) src: make process binding data weak (Chengzhong Wu) #48655
• [139d6c8d3b] - stream: use Array for Readable buffer (Robert Nagy) #50341
• [6206957e8d] - stream: optimize creation (Robert Nagy) #50337
• [e64378643d] - (SEMVER-MINOR) test_runner: adds built in lcov reporter (Phil Nash) #50018
• [4a830c2d9d] - (SEMVER-MINOR) test_runner: add Date to the supported mock APIs (Lucas Santos) #48638
• [842dc01def] - (SEMVER-MINOR) test_runner, cli: add --test-timeout flag (Shubham Pandey) #50443

Commits

• [e40a559ab1] - benchmark: update iterations in benchmark/util/splice-one.js (Liu Jia) #50698
• [00f7a5d26f] - benchmark: increase the iteration number to an appropriate value (Lei Shi) #50766
• [be6ad3f375] - benchmark: rewrite import.meta benchmark (Joyee Cheung) #50683
• [9857364129] - benchmark: add misc/startup-cli-version benchmark (Joyee Cheung) #50684
• [22d729e7f5] - benchmark: remove punycode from require-builtins fixture (Joyee Cheung) #50689
• [4cf10a149a] - benchmark: change iterations in benchmark/es/string-concatenations.js (Liu Jia) #50585
• [15c2ed93a8] - benchmark: add benchmarks for encodings (Aras Abbasi) #50348
• [8a896428ca] - benchmark: add more cases to Readable.from (Raz Luvaton) #50351
• [dbe6c5f354] - benchmark: skip test-benchmark-os on IBMi (Michael Dawson) #50286
• [179b4b6e62] - benchmark: move permission-fs-read to permission-processhas-fs-read (Aki Hasegawa-Johnson) #49770
• [32d65c001d] - buffer: improve Buffer.equals performance (kylo5aby) #50621
• [80ea83757e] - build: add GN configurations for simdjson (Cheng Zhao) #50831
• [904e645bcd] - build: add configuration flag to enable Maglev (Keyhan Vakil) #50692
• [019efa8a5a] - build: fix GN configuration for deps/base64 (Cheng Zhao) #50696
• [a645d5ac54] - build: disable flag v8_scriptormodule_legacy_lifetime (Chengzhong Wu) #50616
• [8705058b09] - build: add GN build files (Cheng Zhao) #47637
• [0a5e9c12cf] - build: fix build with Python 3.12 (Luigi Pinca) #50582
• [ff5713dd43] - build: support Python 3.12 (Shi Pujin) #50209
• [cfd50f229a] - build: fix building when there is only python3 (Cheng Zhao) #48462
• [833190fe7c] - crypto: update root certificates to NSS 3.95 (Node.js GitHub Bot) #50805
• [54c46dae9e] - deps: update zlib to 1.2.13.1-motley-5daffc7 (Node.js GitHub Bot) #50803
• [0be84e5a28] - deps: update undici to 5.27.2 (Node.js GitHub Bot) #50813
• [ec67890824] - deps: V8: cherry-pick 0f9ebbc672c7 (Chengzhong Wu) #50867
• [bc2ebb972b] - deps: V8: cherry-pick 13192d6e10fa (Levi Zim) #50552
• [656135d70a] - deps: update zlib to 1.2.13.1-motley-dfc48fc (Node.js GitHub Bot) #50456
• [41ee4bcc5d] - deps: update ada to 2.7.4 (Node.js GitHub Bot) #50815
• [a40948b5c5] - deps: update minimatch to 9.0.3 (Node.js GitHub Bot) #50806
• [7be1222c4a] - deps: update simdutf to 4.0.4 (Node.js GitHub Bot) #50772
• [68e7d49db6] - deps: upgrade npm to 10.2.4 (npm team) #50751
• [3d82d38336] - deps: escape Python strings correctly (Michaël Zasso) #50695
• [d3870ac957] - deps: update base64 to 0.5.1 (Node.js GitHub Bot) #50629
• [4b219b6ece] - deps: update corepack to 0.23.0 (Node.js GitHub Bot) #50563
• [6c41b50922] - deps: update nghttp2 to 1.58.0 (Node.js GitHub Bot) #50441
• [3beee0ae8f] - deps: update acorn to 8.11.2 (Node.js GitHub Bot) #50460
• [220916fa93] - deps: update undici to 5.27.0 (Node.js GitHub Bot) #50463
• [f9960b3545] - deps: update googletest to 116b7e5 (Node.js GitHub Bot) #50324
• [d5c16f897a] - dns: call handle.setServers() with a valid array (Luigi Pinca) #50811
• [1bd6537c97] - doc...

2023-12-19, Version 21.5.0 (Current), @RafaelGSS

Notable Changes

• [0dd53da722] - (SEMVER-MINOR) deps: add simdjson (Yagiz Nizipli) #50322
• [9f54987fbc] - module: merge config with package_json_reader (Yagiz Nizipli) #50322
• [45e4f82912] - src: move package resolver to c++ (Yagiz Nizipli) #50322

Deprecations

• [26ed4ad01f] - doc: deprecate hash constructor (Marco Ippolito) #51077
• [58ca66a1a7] - doc: deprecate dirent.path (Antoine du Hamel) #51020

Commits

• [1bbdbdfbeb] - benchmark: update iterations in benchmark/perf_hooks (Lei Shi) #50869
• [087fb0908e] - benchmark: update iterations in benchmark/crypto/aes-gcm-throughput.js (Lei Shi) #50929
• [53b16c71fb] - benchmark: update iteration and size in benchmark/crypto/randomBytes.js (Lei Shi) #50868
• [38fd0ca753] - benchmark: add undici websocket benchmark (Chenyu Yang) #50586
• [b148c43244] - benchmark: add create-hash benchmark (Joyee Cheung) #51026
• [fdd8c18f96] - benchmark: update interations and len in benchmark/util/text-decoder.js (Lei Shi) #50938
• [a9972057ac] - benchmark: update iterations of benchmark/util/type-check.js (Lei Shi) #50937
• [b80bb1329b] - benchmark: update iterations in benchmark/util/normalize-encoding.js (Lei Shi) #50934
• [dbee03d646] - benchmark: update iterations in benchmark/util/inspect-array.js (Lei Shi) #50933
• [f2d83a3a84] - benchmark: update iterations in benchmark/util/format.js (Lei Shi) #50932
• [2581fce553] - bootstrap: improve snapshot unsupported builtin warnings (Joyee Cheung) #50944
• [735bad3694] - build: fix warnings from uv for gn build (Cheng Zhao) #51069
• [8da9d969f9] - deps: V8: cherry-pick 0fd478bcdabd (Joyee Cheung) #50572
• [429fbb37c1] - deps: update simdjson to v3.6.2 (Yagiz Nizipli) #50986
• [9950103253] - deps: update zlib to 1.3-22124f5 (Node.js GitHub Bot) #50910
• [0b61823e8b] - deps: update undici to 5.28.2 (Node.js GitHub Bot) #51024
• [95d8a273cc] - deps: cherry-pick bfbe4e38d7 from libuv upstream (Abdirahim Musse) #50650
• [06038a489e] - deps: update libuv to 1.47.0 (Node.js GitHub Bot) #50650
• [0dd53da722] - (SEMVER-MINOR) deps: add simdjson (Yagiz Nizipli) #50322
• [04eaa5cdd7] - doc: run license-builder (github-actions[bot]) #51111
• [26ed4ad01f] - doc: deprecate hash constructor (Marco Ippolito) #51077
• [637ffce4c4] - doc: add note regarding --experimental-detect-module (Shubherthi Mitra) #51089
• [838179b096] - doc: correct tracingChannel.traceCallback() (Gerhard Stöbich) #51068
• [539bee4f0a] - doc: use length argument in pbkdf2Key (Tobias Nießen) #51066
• [c45a9a3187] - doc: add deprecation notice to dirent.path (Antoine du Hamel) #51059
• [58ca66a1a7] - doc: deprecate dirent.path (Antoine du Hamel) #51020
• [c2b6edf9ab] - esm: fix hook name in error message (Bruce MacNaughton) #50466
• [35e8f26f07] - fs: throw fchownSync error from c++ (Yagiz Nizipli) #51075
• [c3c8237089] - fs: update params in jsdoc for createReadStream and createWriteStream (Jungku Lee) #51063
• [3f7f3ce8c9] - fs: improve error performance of readvSync (IlyasShabi) #50100
• [7f95926f17] - http: handle multi-value content-disposition header (Arsalan Ahmad) #50977
• [7a8a2d5632] - lib: don't parse windows drive letters as schemes (华) #50580
• [aa2be4bb76] - module: load source maps in commonjs translator (Hiroki Osame) #51033
• [c0e5e74876] - module: document parentURL in register options (Hiroki Osame) #51039
• [4eedf5e694] - module: fix recently introduced coverity warning (Michael Dawson) #50843
• [9f54987fbc] - module: merge config with package_json_reader (Yagiz Nizipli) #50322
• [5f95dca638] - node-api: introduce experimental feature flags (Gabriel Schulhof) #50991
• [3fb7fc909e] - quic: further implementation details (James M Snell) #48244
• [fa25e069fc] - src: implement countObjectsWithPrototype (Joyee Cheung) #50572
• [abe90527e4] - src: register udp_wrap external references (Joyee Cheung) #50943
• [84e2f51d14] - src: register spawn_sync external references (Joyee Cheung) #50943
• [2cfee53d7b] - src: register process_wrap external references (Joyee Cheung) #50943
• [9b7f79a8bd] - src: fix double free reported by coverity (Michael Dawson) #51046
• [fc5503246e] - src: remove unused headers in node_file.cc (Jungku Lee) #50927
• [c3abdc58af] - src: implement --trace-promises (Joyee Cheung) #50899
• [f90fc83e97] - src: fix dynamically linked zlib version (Richard Lau) #51007
• [9bf144379f] - src: omit bool values of package.json main field (Yagiz Nizipli) #50965
• [45e4f82912] - src:...

2023-12-05, Version 21.4.0 (Current), @targos

Notable Changes

This release fixes a regression introduced in v21.3.0 that caused the fs.writeFileSync
method to throw when called with 'utf8' encoding, no flag option, and if the target file didn't exist yet.

• [32acafeeb6] - (SEMVER-MINOR) fs: introduce dirent.parentPath (Antoine du Hamel) #50976
• [724548674d] - fs: use default w flag for writeFileSync with utf8 encoding (Murilo Kakazu) #50990

Commits

• [b24ee15fb2] - benchmark: update iterations in benchmark/crypto/hkdf.js (Lei Shi) #50866
• [f79b54e60e] - benchmark: update iterations in benchmark/crypto/get-ciphers.js (Lei Shi) #50863
• [dc049acbbb] - benchmark: update number of iterations for util.inspect (kylo5aby) #50651
• [d7c562ae38] - deps: update googletest to 76bb2af (Node.js GitHub Bot) #50555
• [59a45ddbef] - deps: update googletest to b10fad3 (Node.js GitHub Bot) #50555
• [099ebdb781] - deps: update undici to 5.28.1 (Node.js GitHub Bot) #50975
• [4b1bed04f7] - deps: update undici to 5.28.0 (Node.js GitHub Bot) #50915
• [b281e98b1e] - doc: add additional details about --input-type (Shubham Pandey) #50796
• [b7036f2028] - doc: add procedure when CVEs don't get published (Rafael Gonzaga) #50945
• [7adf239af0] - doc: fix some errors in esm resolution algorithms (Christopher Jeffrey (JJ)) #50898
• [759ebcaead] - doc: reserve 121 for Electron 29 (Shelley Vohr) #50957
• [cedc3427fa] - doc: run license-builder (github-actions[bot]) #50926
• [30a6f19769] - doc: document non-node_modules-only runtime deprecation (Joyee Cheung) #50748
• [eecab883f0] - doc: add doc for Unix abstract socket (theanarkh) #50904
• [ec74b93b38] - doc: remove flicker on page load on dark theme (Dima Demakov) #50942
• [724548674d] - fs: use default w flag for writeFileSync with utf8 encoding (Murilo Kakazu) #50990
• [32acafeeb6] - (SEMVER-MINOR) fs: introduce dirent.parentPath (Antoine du Hamel) #50976
• [c1ee506454] - fs: remove workaround for esm package (Yagiz Nizipli) #50907
• [1cf087dfb3] - lib: refactor to use validateFunction in diagnostics_channel (Deokjin Kim) #50955
• [c37d18d5e1] - lib: streamline process.binding() handling (Joyee Cheung) #50773
• [246cf73631] - lib,src: replace toUSVString with toWellFormed() (Yagiz Nizipli) #47342
• [9bc79173a0] - loader: speed up line length calc used by moduleProvider (Mudit) #50969
• [812ab9e4f8] - meta: bump step-security/harden-runner from 2.6.0 to 2.6.1 (dependabot[bot]) #50999
• [1dbe1af19a] - meta: bump github/codeql-action from 2.22.5 to 2.22.8 (dependabot[bot]) #50998
• [bed1b93f8a] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #50931
• [1e7d101428] - src: make ModifyCodeGenerationFromStrings more robust (Joyee Cheung) #50763
• [709ac479eb] - src: disable uncaught exception abortion for ESM syntax detection (Yagiz Nizipli) #50987
• [f6ff11c9f9] - src: fix backtrace with tail [[noreturn]] abort (Chengzhong Wu) #50849
• [74f5a1cbc9] - src: print MKSNAPSHOT debug logs to stderr (Joyee Cheung) #50759
• [3a1c664a97] - test: replace forEach to for.. test-webcrypto-export-import-cfrg.js (Angelo Parziale) #50785
• [ac3a6eefe3] - test: log more information in SEA tests (Joyee Cheung) #50759
• [94462d42f5] - test: consolidate utf8 text fixtures in tests (Joyee Cheung) #50732
• [8e1a70a347] - tools: add triggers to update release links workflow (Moshe Atlow) #50974
• [ca10cbb774] - tools: update lint-md-dependencies to [email protected] (Node.js GitHub Bot) #50913
• [1e40c4a366] - tools: fix current version check (Marco Ippolito) #50951
• [3faed331e1] - typings: fix JSDoc in internal/modules/esm/hooks (Alex Yang) #50887
• [6a087ceffa] - url: throw error if argument length of revokeObjectURL is 0 (DylanTet) #50433

2023-11-30, Version 21.3.0 (Current), @RafaelGSS

Notable Changes

New --disable-warning flag

This version adds a new --disable-warning option that allows users to disable specific warnings either by code
(i.e. DEP0025) or type (i.e. DeprecationWarning, ExperimentalWarning).

This option works alongside existing --warnings and --no-warnings.

For example, the following script will not emit DEP0025 require('node:sys') when executed with
node --disable-warning=DEP0025:

import sys from 'node:sys';

Contributed by Ethan-Arrowood in #50661

Update Root Certificates to NSS 3.95

This is the certdata.txt from NSS 3.95, released on 2023-11-16.

This is the version of NSS that will ship in Firefox 121 on
2023-12-19.

Certificates added:

• TrustAsia Global Root CA G3
• TrustAsia Global Root CA G4
• CommScope Public Trust ECC Root-01
• CommScope Public Trust ECC Root-02
• CommScope Public Trust RSA Root-01
• CommScope Public Trust RSA Root-02

Certificates removed:

• Autoridad de Certificacion Firmaprofesional CIF A62634068

Fast fs.writeFileSync with UTF-8 Strings

Enhanced writeFileSync functionality by implementing a highly efficient fast path primarily in C++ for UTF8-encoded string data.
Additionally, optimized the appendFileSync method by leveraging the improved writeFileSync functionality.
For simplicity and performance considerations, the current implementation supports only string data,
as benchmark results raise concerns about the efficacy of using Buffer for this purpose.
Future optimizations and expansions may be explored, but for now, the focus is on maximizing efficiency for string data operations.

Contributed by CanadaHonk in #49884.

Other Notable Changes

• [c7a7493ca2] - (SEMVER-MINOR) module: bootstrap module loaders in shadow realm (Chengzhong Wu) #48655
• [bc3f7b5401] - (SEMVER-MINOR) module: remove useCustomLoadersIfPresent flag (Chengzhong Wu) #48655
• [aadff07e59] - (SEMVER-MINOR) src: create per isolate proxy env template (Chengzhong Wu) #48655
• [91aa9dd23a] - (SEMVER-MINOR) src: create fs_dir per isolate properties (Chengzhong Wu) #48655
• [5c5834190a] - (SEMVER-MINOR) src: create worker per isolate properties (Chengzhong Wu) #48655
• [4a1ce45181] - (SEMVER-MINOR) src: make process binding data weak (Chengzhong Wu) #48655

Commits

• [4a20912279] - benchmark: update iterations in benchmark/util/splice-one.js (Liu Jia) #50698
• [36380eb53d] - benchmark: increase the iteration number to an appropriate value (Lei Shi) #50766
• [23f56d8bb3] - benchmark: rewrite import.meta benchmark (Joyee Cheung) #50683
• [f7245d73d9] - benchmark: add misc/startup-cli-version benchmark (Joyee Cheung) #50684
• [c81d2acfe0] - benchmark: remove punycode from require-builtins fixture (Joyee Cheung) #50689
• [5849f09874] - build: add GN configurations for simdjson (Cheng Zhao) #50831
• [12605e8f7d] - build: add configuration flag to enable Maglev (Keyhan Vakil) #50692
• [43da9ea9e5] - build: fix GN configuration for deps/base64 (Cheng Zhao) #50696
• [465f75b58a] - build: disable flag v8_scriptormodule_legacy_lifetime (Chengzhong Wu) #50616
• [d2c0dfb1b7] - crypto: update root certificates to NSS 3.95 (Node.js GitHub Bot) #50805
• [8d3a1d8911] - deps: update zlib to 1.2.13.1-motley-5daffc7 (Node.js GitHub Bot) #50803
• [e02f304de7] - deps: V8: cherry-pick 0f9ebbc672c7 (Chengzhong Wu) #50867
• [c31ad5ceaa] - deps: update icu to 74.1 (Node.js GitHub Bot) #50515
• [3ff2bda34e] - deps: update ada to 2.7.4 (Node.js GitHub Bot) #50815
• [221f02df6d] - deps: update undici to 5.27.2 (Node.js GitHub Bot) #50813
• [ee69c613a2] - deps: update minimatch to 9.0.3 (Node.js GitHub Bot) #50806
• [00dab30fd2] - deps: V8: cherry-pick 475c8cdf9a95 (Keyhan Vakil) #50680
• [a0c01b23b4] - deps: update simdutf to 4.0.4 (Node.js GitHub Bot) #50772
• [071e46ae56] - deps: upgrade npm to 10.2.4 (npm team) #50751
• [5d28f8d18f] - deps: escape Python strings correctly (Michaël Zasso) #50695
• [3731f836ed] - deps: V8: cherry-pick 8f0b94671ddb (Lu Yahan) #50654
• [6dfe1023c3] - dns: call handle.setServers() with a valid array (Luigi Pinca) #50811
• [2f13db475e] - doc: make theme consistent across api and other docs (Dima Demakov) #50877
• [8c4976b732] - doc: add a section regarding instanceof in primordials.md (Antoine du Hamel) #50874
• [6485687642] - doc: update email to reflect affiliation (Yagiz Nizipli) #50856
• [bc31375a09] - doc: shard not supported with watch mode (Pulkit Gupta) #50640
• [08c3b0ab20] - doc: get rid of unnecessary eslint-skip comments (Antoine du Hamel) #50829
• [98fb1faff1] - doc: create deprecation code for isWebAssemblyCompiledModule (Marco Ippolito) #50486
• [e116fcdb01] - doc: add CanadaHonk to triagers (CanadaHonk) #50848
• [a37d9ee1e3] - doc: fix typos in --allow-fs-* (Tobias Nießen) #50845
• [8468daf1a9] - doc: update Crypto API doc for x509.keyUsage (Daniel Meechan) #50603
• [b4935dde60] - doc: fix fs.writeFileSync return value documentation (Ryan Zimmerman) #50760
• [ead9879a04] - doc: update print results(detail) in PerformanceEntry (Jungku Lee) #50723
• [6b7403c5df] - doc: fix Buffer.allocUnsafe documentation (Mert Can Altın) #50686
• [713fdf1fc3] - doc: run license-builder (github-actions[bot]) #50691
• [50f336c06f] - esm: fallback to getSource when load returns nullish source (Antoine du Hamel) #50825...