⬆️ Updates Node.js to v25

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
node (source)	engines	major	>= 8.0.0 → >= 25.9.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

nodejs/node (node)

v25.9.0: 2026-04-01, Version 25.9.0 (Current), @​aduh95

Compare Source

Notable Changes

Test runner module mocking improvements

MockModuleOptions.defaultExport and MockModuleOptions.namedExports have been
consolidated into a single option MockModuleOptions.exports to align with user
expectations and other test runners.

A default property on MockModuleOptions.exports represents the default
export, and own enumerable properties are treated as named exports.

An automated migration is available to update user code:
https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports

npx codemod @​nodejs/mock-module-exports

Contributed by sangwook in #​61727.

Other notable changes

• [312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #​61674
• [62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #​58708
• [d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #​62183
• [f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #​62188
• [67b854d407] - (SEMVER-MINOR) repl: remove dependency on node:domain (Matteo Collina) #​61227
• [966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #​62158
• [e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #​62066

Commits

• [312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #​61674
• [bfff8cb2ab] - (SEMVER-MINOR) benchmark: add benchmarks for experimental stream/iter (James M Snell) #​62066
• [c721d68502] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #​62084
• [e2f03c8e92] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #​61871
• [2fcd07f1ba] - build: support empty libname flags in configure.py (Antoine du Hamel) #​62477
• [b800c57fce] - build: fix timezone-update path references (Chengzhong Wu) #​62280
• [7dc5a1e9b4] - build: skip dockit on IBMi (SRAVANI GUNDEPALLI) #​62189
• [f0eea0f905] - build: fix --node-builtin-modules-path (Filip Skokan) #​62115
• [62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #​58708
• [ac4b485698] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #​62485
• [d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #​62183
• [3009980d9d] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #​62254
• [f5725ca81d] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #​62218
• [f69ed4bc3f] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #​61875
• [4d96e53570] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #​62169
• [93d77719e8] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #​62170
• [3d2e23a981] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #​62414
• [176d6d2205] - deps: update timezone to 2026a (Node.js GitHub Bot) #​62164
• [95c7fc67ba] - deps: update googletest to 2461743 (Node.js GitHub Bot) #​62484
• [e5e9f2044a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #​62382
• [905b94266a] - deps: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) #​62051
• [180c150122] - deps: V8: cherry-pick cf1bce4 (Richard Lau) #​62449
• [bc265aa003] - deps: upgrade npm to 11.12.1 (npm team) #​62448
• [f1b28612c4] - deps: V8: cherry-pick b25cd62 (Yagiz Nizipli) #​62354
• [757719d2af] - deps: disable rust icu compiled_data features (Chengzhong Wu) #​62284
• [3bdc955b63] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #​62256
• [a9703d194a] - deps: update googletest to 73a63ea (Node.js GitHub Bot) #​61927
• [85138935cb] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #​62213
• [231521e75e] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #​62123
• [0093863664] - doc: deprecate module.register() (DEP0205) (Geoffrey Booth) #​62395
• [0b96ece6be] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #​62456
• [8d3ea975f5] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #​62492
• [08ff16e0ba] - doc: move sqlite type conversion section to correct level (René) #​62482
• [61cc747dd8] - doc: add Rafael to last security release steward (Rafael Gonzaga) #​62423
• [64cfa5a6fa] - doc: use npm-published version of doc-kit (Aviv Keller) #​62139
• [1020321fb0] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #​62206
• [9caa7855b2] - doc: fix guaranteed typo (lilianakatrina684-a11y) #​62374
• [e254f65306] - doc: enhance clarification about the main field (Mowafak Almahaini) #​62302
• [9e724b53f8] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #​62243
• [7f37c17516] - doc: minor typo fix (Jeff Matson) #​62358
• [eb0ca98f01] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #​62355
• [198b6e0932] - doc: deprecate CryptoKey use in node:crypto (Filip Skokan) #​62321
• [17e5aee6c5] - doc: fix small environment_variables typo (chris) #​62279
• [193d629895] - doc: test and test-only targets do not run linter (Xavier Stouder) #​62120
• [4a1f20ec4a] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #​62208
• [f976c9214d] - doc: clarify that any truthy value of shell is part of DEP0190 (Antoine du Hamel) #​62249
• [4d83972681] - doc: remove outdated Chrome 66 and ndb references from debugger (Kit Dallege) #​62202
• [71f2eada5b] - doc: add throwIfNoEntry version history to fs.stat (kovan) #​62204
• [670c80893b] - doc: add note (and caveat) for mock.module about customization hooks (Jacob Smith) #​62075
• [2ff5cb13f5] - doc,test: clarify --eval syntax for leading '-' scripts (kovan) #​62244
• [6c6c9004c4] - esm: fix typo in worker loader hook comment (jakecastelli) #​62475
• [1cdd23c9f3] - esm: fix source phase identity bug in loadCache eviction (Guy Bedford) #​62415
• [4f4ff15794] - esm: fix path normalization in finalizeResolution (Antoine du Hamel) #​62080
• [088167d102] - events: avoid cloning listeners array on every emit (Gürgün Dayıoğlu) #​62261
• [0250b436ee] - fs: fix cpSync to handle non-ASCII characters (Stefan Stojanovic) #​61950
• [b67a8fb171] - inspector: add Target.getTargets and extract TargetManager (Kohei) #​62487
• [ffcc5a5722] - lib: make SubtleCrypto.supports enumerable (Filip Skokan) #​62307
• [92ef2ad8fa] - lib: prefer primordials in SubtleCrypto (Filip Skokan) #​62226
• [40a43ac4d0] - module: fix coverage of mocked CJS modules imported from ESM (Marco) #​62133
• [3ef0a5b90e] - quic: remove CryptoKey support from session keys option (Filip Skokan) #​62335
• [3c8dd8eb8e] - repl: use vm DONT_CONTEXTIFY context (Chengzhong Wu) #​62371
• [f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #​62188
• [e4c164e045] - repl: handle exceptions from async context after close (Anna Henningsen) #​62165
• [67b854d407] - (SEMVER-MINOR) repl: remove dependency on domain module (Matteo Collina) #​61227
• [966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #​62158
• [fe82baf970] - src: improve EC JWK import performance (Filip Skokan) #​62396
• [d490b171e0] - src: handle null backing store in ArrayBufferViewContents::Read (Mert Can Altin) #​62343
• [0e4af848bc] - src: convert context_frame field in AsyncWrap to internal field (Anna Henningsen) #​62103
• [02980b8c8f] - src: enable compilation/linking with OpenSSL 4.0 (Filip Skokan) #​62410
• [064f7c2fa6] - src: use stack allocation in indexOf latin1 path (Mert Can Altin) #​62268
• [ede52bc2dc] - src,sqlite: fix filterFunc dangling reference (Edy Silva) #​62281
• [e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #​62066
• [03839fb087] - stream: preserve error over AbortError in pipeline (Marco) #​62113
• [0000d2f011] - stream: replace bind with arrow function for onwrite callback (Ali Hassan) #​62087
• [3796a73719] - test: update WPT for WebCryptoAPI to 2cb332d (Node.js GitHub Bot) #​62483
• [ad8309415b] - test: update WPT for url to fc3e651 (Node.js GitHub Bot) #​62379
• [bed89b037e] - test: wait for reattach before initial break on restart (Yuya Inoue) #​62471
• [c9ffffcc55] - test: disable flaky WPT Blob test on AIX (James M Snell) #​62470
• [fd41ef31f6] - (SEMVER-MINOR) test: add tests for experimental stream/iter implementation (James M Snell) #​62066
• [1b9d8d3eec] - test: avoid flaky run wait in debugger restart test (Yuya Inoue) #​62112
• [cb08a29d51] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #​62238
• [abea0af8a9] - test: add WebCrypto Promise.prototype.then pollution regression tests (Filip Skokan) #​62226
• [47a2132269] - test: update WPT for WebCryptoAPI to 6a1c545 (Node.js GitHub Bot) #​62187
• [2c63d3006c] - test_runner: add exports option for module mocks (sangwook) #​61727
• [44ac0e1302] - test_runner: make it compatible with fake timers (Matteo Collina) #​59272
• [1865691275] - test_runner: set non-zero exit code when suite errors occur (Edy Silva) #​62282
• [0252b2bab8] - tools: bump picomatch from 4.0.3 to 4.0.4 in /tools/eslint (dependabot[bot]) #​62439
• [3368155267] - tools: bump yaml from 2.8.2 to 2.8.3 in /tools/doc (dependabot[bot]) #​62437
• [5e47c359f5] - tools: adopt the --check-for-duplicates NCU flag (Antoine du Hamel) #​62478
• [4a604e82d0] - tools: bump picomatch in /tools/doc (dependabot[bot]) #​62438
• [d1a98b4ddb] - tools: bump flatted from 3.4.1 to 3.4.2 in /tools/eslint (dependabot[bot]) #​62375
• [c32daa1ab4] - tools: bump eslint deps (Huáng Jùnliàng) #​62356
• [7a2fcc6d41] - tools: do not swallow error in lint-nix workflow (Antoine du Hamel) #​62292
• [c41a2871b5] - tools: add eslint-plugin-regexp (Huáng Jùnliàng) #​62093
• [56dfeb06df] - tools: fix timeout errors in lint-nix job (Antoine du Hamel) #​62265
• [22fc8078e8] - tools: bump flatted from 3.3.3 to 3.4.1 in /tools/eslint (dependabot[bot]) #​62255
• [409b0663bd] - tools: bump undici from 6.23.0 to 6.24.1 in /tools/doc (dependabot[bot]) #​62250
• [67c69750f4] - tools: validate all commits that are pushed to main (Antoine du Hamel) #​62246
• [7d9db8cd21] - tools: keep GN files when updating Merve (Antoine du Hamel) #​62167
• [6c8fa42ba2] - typings: rationalise TypedArray types (René) #​62174
• [531c64d04e] - url: enable simdutf for ada (Yagiz Nizipli) #​61477
• [2000caccde] - util: allow color aliases in styleText (sangwook) #​62180
• [0aed332ab4] - wasm: support js string constant esm import (Guy Bedford) #​62198
• [d3fd4a978b] - worker: heap profile optimizations (Ilyas Shabi) #​62201
• [e992a34a18] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #​62325

v24.15.0

Compare Source

v24.14.1

Compare Source

v24.14.0

Compare Source

v24.13.1

Compare Source

v24.13.0: 2026-01-13, Version 24.13.0 'Krypton' (LTS), @​marco-ippolito

Compare Source

This is a security release.

Notable Changes

lib:

• (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
  lib,permission:
• (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
  src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
  src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
  tls:
• (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

Commits

• [2092785d01] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #​60997
• [3e58b7f2af] - deps: update undici to 7.18.2 (Node.js GitHub Bot) #​61283
• [4ba536a5a6] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• [89adaa21fd] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
• [7302b4dae1] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [ac030753c4] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [20075692fe] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [20591b0618] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

v24.12.0: 2025-12-10, Version 24.12.0 'Krypton' (LTS), @​targos

Compare Source

Notable Changes

• [1a00b5f68a] - (SEMVER-MINOR) http: add optimizeEmptyRequests server option (Rafael Gonzaga) #​59778
• [ff5754077d] - (SEMVER-MINOR) lib: add options to util.deprecate (Rafael Gonzaga) #​59982
• [8987159234] - (SEMVER-MINOR) module: mark type stripping as stable (Marco Ippolito) #​60600
• [92c484ebf4] - (SEMVER-MINOR) node-api: add napi_create_object_with_properties (Miguel Marcondes Filho) #​59953
• [b11bc5984e] - (SEMVER-MINOR) sqlite: allow setting defensive flag (Bart Louwers) #​60217
• [e7da5b4b7d] - (SEMVER-MINOR) src: add watch config namespace (Marco Ippolito) #​60178
• [a7f7d10c06] - (SEMVER-MINOR) src: add an option to make compile cache portable (Aditi) #​58797
• [92ea669240] - (SEMVER-MINOR) src,permission: add --allow-inspector ability (Rafael Gonzaga) #​59711
• [05d7509bd2] - (SEMVER-MINOR) v8: add cpu profile (theanarkh) #​59807

Commits

• [e4a23a35ac] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #​60603
• [b6114ae5c9] - benchmark: add per-suite setup option (Joyee Cheung) #​60574
• [ac8e90af7c] - buffer: speed up concat via TypedArray#set (Gürgün Dayıoğlu) #​60399
• [acbc8ca13e] - build: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) #​59984
• [f97a609a07] - console: optimize single-string logging (Gürgün Dayıoğlu) #​60422
• [6cd9bdc580] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #​60662
• [0fafe24d9b] - crypto: fix argument validation in crypto.timingSafeEqual fast path (Joyee Cheung) #​60538
• [54421e0419] - debugger: fix event listener leak in the run command (Joyee Cheung) #​60464
• [c361a628b4] - deps: V8: cherry-pick 72b0e27 (pthier) #​60732
• [c70f4588dd] - deps: V8: cherry-pick 6bb32bd (Erik Corry) #​60732
• [881fe784c5] - deps: V8: cherry-pick 0dd2318 (Erik Corry) #​60732
• [457c33efcc] - deps: V8: cherry-pick df20105 (Erik Corry) #​60732
• [0bf45a829c] - deps: V8: backport e5dbbba (Darshan Sen) #​60524
• [4993bdc476] - deps: V8: cherry-pick 5ba9200 (Juan José Arboleda) #​60620
• [1e9abe0078] - deps: update corepack to 0.34.5 (Node.js GitHub Bot) #​60842
• [3f704ed08f] - deps: update corepack to 0.34.4 (Node.js GitHub Bot) #​60643
• [04e360fdb1] - deps: V8: cherry-pick 06bf293, 146962d and e0fb10b (Michaël Zasso) #​60713
• [fcbd8dbbde] - deps: patch V8 to 13.6.233.17 (Michaël Zasso) #​60712
• [28e9433f39] - deps: V8: cherry-pick 8735658 (Joyee Cheung) #​60069
• [3cac85b243] - deps: V8: backport 2e4c5cf (Michaël Zasso) #​60654
• [1daece1970] - deps: call OPENSSL_free after ANS1_STRING_to_UTF8 (Rafael Gonzaga) #​60609
• [5f55a9c9ea] - deps: nghttp2: revert 7784fa9 (Antoine du Hamel) #​59790
• [1d9e7c1f4d] - deps: update nghttp2 to 1.67.1 (nodejs-github-bot) #​59790
• [3140415068] - deps: update simdjson to 4.1.0 (Node.js GitHub Bot) #​60542
• [d911f9f1b8] - deps: update amaro to 1.1.5 (Node.js GitHub Bot) #​60541
• [daaaf04a32] - deps: V8: cherry-pick 2abc613 (Richard Lau) #​60177
• [b4f63ee5f8] - doc: update Collaborators list to reflect hybrist handle change (Antoine du Hamel) #​60650
• [effcf7a8ab] - doc: fix link in --env-file=file section (N. Bighetti) #​60563
• [7011736703] - doc: fix linter issues (Antoine du Hamel) #​60636
• [5cc79d8945] - doc: add missing history entry for sqlite.md (Antoine du Hamel) #​60607
• [bbc649057c] - doc: correct values/references for buffer.kMaxLength (René) #​60305
• [ea7ecb517b] - doc: recommend events.once to manage 'close' event (Dan Fabulich) #​60017
• [58bff04cc2] - doc: highlight module loading difference between import and require (Ajay A) #​59815
• [bbcbff9b4d] - doc: add CJS code snippets in sqlite.md (Allon Murienik) #​60395
• [f8af33d5a7] - doc: fix typo in process.unref documentation (우혁) #​59698
• [df105dc351] - doc: add some entries to glossary.md (Mohataseem Khan) #​59277
• [4955cb2b5b] - doc: improve agent.createConnection docs for http and https agents (JaeHo Jang) #​58205
• [6283bb5cc9] - doc: fix pseudo code in modules.md (chirsz) #​57677
• [d5059ea537] - doc: add missing variable in code snippet (Koushil Mankali) #​55478
• [900de373ae] - doc: add missing word in single-executable-applications.md (Konstantin Tsabolov) #​53864
• [5735044c8b] - doc: fix typo in http.md (Michael Solomon) #​59354
• [2dee6df831] - doc: update devcontainer.json and add documentation (Joyee Cheung) #​60472
• [8f2d98d7d2] - doc: add haramj as triager (Haram Jeong) #​60348
• [bbd7fdfff4] - doc: clarify require(esm) description (dynst) #​60520
• [33ad11a764] - doc: instantiate resolver object (Donghoon Nam) #​60476
• [81a61274f3] - doc: correct module loading descriptions (Joyee Cheung) #​60346
• [77911185fe] - doc: clarify --use-system-ca support status (Joyee Cheung) #​60340
• [185f6e95d9] - doc,crypto: link keygen to supported types (Filip Skokan) #​60585
• [772d6c6608] - doc,src,lib: clarify experimental status of Web Storage support (Antoine du Hamel) #​60708
• [ad98e11ac2] - esm: use sync loading/resolving on non-loader-hook thread (Joyee Cheung) #​60380
• [1a00b5f68a] - (SEMVER-MINOR) http: add optimizeEmptyRequests server option (Rafael Gonzaga) #​59778
• [5703ce68bc] - http: replace startsWith with strict equality (btea) #​59394
• [2b696ffad8] - http2: add diagnostics channels for client stream request body (Darshan Sen) #​60480
• [dbdf4cb5a5] - inspector: inspect HTTP response body (Chengzhong Wu) #​60572
• [9dc9a7d33d] - inspector: support inspecting HTTP/2 request and response bodies (Darshan Sen) #​60483
• [89fa2befe4] - inspector: fix crash when receiving non json message (Shima Ryuhei) #​60388
• [ff5754077d] - (SEMVER-MINOR) lib: add options to util.deprecate (Rafael Gonzaga) #​59982
• [33baaf42c8] - lib: replace global SharedArrayBuffer constructor with bound method (Renegade334) #​60497
• [b047586a08] - meta: bump actions/download-artifact from 5.0.0 to 6.0.0 (dependabot[bot]) #​60532
• [64192176d7] - meta: bump actions/upload-artifact from 4.6.2 to 5.0.0 (dependabot[bot]) #​60531
• [af6d4a6b9b] - meta: bump github/codeql-action from 3.30.5 to 4.31.2 (dependabot[bot]) #​60533
• [c17276fd24] - meta: bump actions/setup-node from 5.0.0 to 6.0.0 (dependabot[bot]) #​60529
• [6e8b52a7dc] - meta: bump actions/stale from 10.0.0 to 10.1.0 (dependabot[bot]) #​60528
• [a12658595b] - meta: call create-release-post.yml post release (Aviv Keller) #​60366
• [8987159234] - (SEMVER-MINOR) module: mark type stripping as stable (Marco Ippolito) #​60600
• [36da413663] - module: fix directory option in the enableCompileCache() API (Joyee Cheung) #​59931
• [92c484ebf4] - (SEMVER-MINOR) node-api: add napi_create_object_with_properties (Miguel Marcondes Filho) #​59953
• [545162b0d4] - node-api: use local files for instanceof test (Vladimir Morozov) #​60190
• [526c011d89] - perf_hooks: fix stack overflow error (Antoine du Hamel) #​60084
• [1de0476939] - perf_hooks: move non-standard performance properties to perf_hooks (Chengzhong Wu) #​60370
• [07ec1239ef] - repl: fix pasting after moving the cursor to the left (Ruben Bridgewater) #​60470
• [b11bc5984e] - (SEMVER-MINOR) sqlite: allow setting defensive flag (Bart Louwers) #​60217
• [273c9661fd] - sqlite,doc: fix StatementSync section (Edy Silva) #​60474
• [d92ec21a4c] - src: use CP_UTF8 for wide file names on win32 (Fedor Indutny) #​60575
• [baef0468ed] - src: move Node-API version detection to where it is used (Anna Henningsen) #​60512
• [e7da5b4b7d] - (SEMVER-MINOR) src: add watch config namespace (Marco Ippolito) #​60178
• [a7f7d10c06] - (SEMVER-MINOR) src: add an option to make compile cache portable (Aditi) #​58797
• [566add0b19] - src: avoid C strings in more C++ exception throws (Anna Henningsen) #​60592
• [9b796347c1] - src: add internal binding for constructing SharedArrayBuffers (Renegade334) #​60497
• [3b01cbb411] - src: move napi_addon_register_func to node_api_types.h (Anna Henningsen) #​60512
• [02fb7f4ecb] - src: remove unconditional NAPI_EXPERIMENTAL in node.h (Chengzhong Wu) #​60345
• [bd09ae24e4] - src: clean up generic counter implementation (Anna Henningsen) #​60447
• [cd6bf51dbd] - src: add enum handle for ToStringHelper + formatting (Burkov Egor) #​56829
• [92ea669240] - (SEMVER-MINOR) src,permission: add --allow-inspector ability (Rafael Gonzaga) #​59711
• [ac3dbe48f7] - stream: don't try to read more if reading (Robert Nagy) #​60454
• [790288a93b] - test: ensure assertions are reachable in test/internet (Antoine du Hamel) #​60513
• [0a85132989] - test: fix status when compiled without inspector (Antoine du Hamel) #​60289
• [2f57673172] - test: deflake test-perf-hooks-timerify-histogram-sync (Joyee Cheung) #​60639
• [09726269de] - test: apply a delay to watch-mode-kill-signal tests (Joyee Cheung) #​60610
• [45537b9562] - test: async iife in repl (Tony Gorez) #​44878
• [4ca81f101d] - test: parallelize sea tests when there's enough disk space (Joyee Cheung) #​60604
• [ea71e96191] - test: only show overridden env in child process failures (Joyee Cheung) #​60556
• [06b2e348c7] - test: ensure assertions are reached on more tests (Antoine du Hamel) #​60498
• [de9c8cb670] - test: ensure assertions are reachable in test/es-module (Antoine du Hamel) #​60501
• [75bc40fced] - test: ensure assertions are reached on more tests (Antoine du Hamel) #​60485
• [1a6084cfd3] - test: ensure assertions are reached on more tests (Antoine du Hamel) #​60500
• [2c651c90cf] - test: split test-perf-hooks-timerify (Joyee Cheung) #​60568
• [6e8b5f7345] - test: add more logs to test-esm-loader-hooks-inspect-wait (Joyee Cheung) #​60466
• [9dea7ffa30] - test: mark stringbytes-external-exceed-max tests as flaky on AIX (Joyee Cheung) #​60565
• [0b3c3b710a] - test: split test-esm-wasm.js (Joyee Cheung) #​60491
• [a15b795b34] - test: correct conditional secure heap flags test (Shelley Vohr) #​60385
• [38b77b3a44] - test: fix flaky test-watch-mode-kill-signal-* (Joyee Cheung) #​60443
• [e8d7598057] - test: capture stack trace in debugger timeout errors (Joyee Cheung) #​60457
• [674befeb81] - test: ensure assertions are reachable in test/sequential (Antoine du Hamel) #​60412
• [952c08a735] - test: ensure assertions are reachable in more folders (Antoine du Hamel) #​60411
• [bbca57584b] - test: split test-runner-watch-mode (Joyee Cheung) [#​60391](https://redirect.github.com/node

---

Configuration

📅 Schedule: (in timezone Europe/Moscow)

• Branch creation
  • "after 10pm every weekday,before 5am every weekday,every weekend"
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: package-lock.json

[github-actions]

🏷️ [bumpr]
Next version:v2.0.3
Changes:v2.0.2...AlexRogalskiy:renovate/node-25.x

[github-actions]

Thanks for the PR!

This section of the codebase is owner by https://github.com/AlexRogalskiy/ - if they write a comment saying "LGTM" then it will be merged.

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: npm json-schema is vulnerable to Prototype Pollution CVE: GHSA-896r-f27r-55mw json-schema is vulnerable to Prototype Pollution (CRITICAL) Affected versions: < 0.4.0 Patched version: 0.4.0 From: package-lock.json → npm/@semantic-release/npm@7.0.10 → npm/jest@27.0.0-next.2 → npm/jest-circus@26.6.3 → npm/json-schema@0.2.3 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/json-schema@0.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Prototype Pollution in npm minimist CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL) Affected versions: >= 1.0.0 < 1.2.6; < 0.2.4 Patched version: 1.2.6 From: package-lock.json → npm/editorconfig-checker@3.3.0 → npm/folio@0.3.18 → npm/cz-conventional-changelog@3.3.0 → npm/@semantic-release/npm@7.0.10 → npm/jest@27.0.0-next.2 → npm/eslint-plugin-import@2.22.1 → npm/jest-circus@26.6.3 → npm/@semantic-release/release-notes-generator@9.0.1 → npm/minimist@1.2.5 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimist@1.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm npm is 94.0% likely obfuscated Confidence: 0.94 Location: Package overview From: package-lock.json → npm/@semantic-release/npm@7.0.10 → npm/npm@6.14.11 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npm@6.14.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	pretty-quick@​3.1.0
	prettier@​2.2.1
	semantic-release@​17.3.9
	lint-staged@​10.5.4

View full report