From 02104c08bbf5bcb3bbd94541bb62fe2dc0e97cb7 Mon Sep 17 00:00:00 2001 From: Kit Dallege Date: Tue, 24 Mar 2026 11:49:30 +0100 Subject: [PATCH 1/7] doc: fix overstated Date header requirement in response.sendDate The docs stated "HTTP requires the Date header in responses" which oversimplifies the actual requirement. Per RFC 9110 Section 6.6.1, the Date header is required only in most responses (2xx/3xx/4xx from servers with a clock), not all. Reference the specific RFC section. Fixes: https://github.com/nodejs/node/issues/42619 Co-Authored-By: Claude Opus 4.6 PR-URL: https://github.com/nodejs/node/pull/62206 Reviewed-By: Tim Perry Reviewed-By: Luigi Pinca --- doc/api/http.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/doc/api/http.md b/doc/api/http.md index 50f0ad464b562a..23b63ec9d7cd04 100644 --- a/doc/api/http.md +++ b/doc/api/http.md @@ -2319,8 +2319,8 @@ added: v0.7.5 When true, the Date header will be automatically generated and sent in the response if it is not already present in the headers. Defaults to true. -This should only be disabled for testing; HTTP requires the Date header -in responses. +This should only be disabled for testing; the Date header is required in +most HTTP responses (see [RFC 9110 Section 6.6.1][] for details). ### `response.setHeader(name, value)` @@ -4583,6 +4583,7 @@ const agent2 = new http.Agent({ proxyEnv: process.env }); [Built-in Proxy Support]: #built-in-proxy-support [RFC 8187]: https://www.rfc-editor.org/rfc/rfc8187.txt +[RFC 9110 Section 6.6.1]: https://www.rfc-editor.org/rfc/rfc9110#section-6.6.1 [`'ERR_HTTP_CONTENT_LENGTH_MISMATCH'`]: errors.md#err_http_content_length_mismatch [`'checkContinue'`]: #event-checkcontinue [`'finish'`]: #event-finish From 7ca5ad5b3eea87b536aa96a21adb95114938f503 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hu=C3=A1ng=20J=C3=B9nli=C3=A0ng?= Date: Tue, 24 Mar 2026 10:41:33 -0400 Subject: [PATCH 2/7] tools: bump eslint deps PR-URL: https://github.com/nodejs/node/pull/62356 Reviewed-By: Yagiz Nizipli Reviewed-By: Antoine du Hamel --- tools/eslint/package-lock.json | 326 ++++++++++++++++----------------- tools/eslint/package.json | 16 +- 2 files changed, 171 insertions(+), 171 deletions(-) diff --git a/tools/eslint/package-lock.json b/tools/eslint/package-lock.json index 096d3e6e3d96db..56d69e9aae56c5 100644 --- a/tools/eslint/package-lock.json +++ b/tools/eslint/package-lock.json @@ -8,26 +8,26 @@ "name": "eslint-tools", "version": "0.0.0", "dependencies": { - "@babel/core": "^8.0.0-rc.2", - "@babel/eslint-parser": "^8.0.0-rc.2", - "@babel/plugin-syntax-import-source": "^8.0.0-rc.2", + "@babel/core": "^8.0.0-rc.3", + "@babel/eslint-parser": "^8.0.0-rc.3", + "@babel/plugin-syntax-import-source": "^8.0.0-rc.3", "@eslint/js": "^10.0.1", "@eslint/markdown": "^7.5.1", - "@stylistic/eslint-plugin": "^5.9.0", - "eslint": "^10.0.2", + "@stylistic/eslint-plugin": "^5.10.0", + "eslint": "^10.1.0", "eslint-formatter-tap": "^9.0.1", - "eslint-plugin-jsdoc": "^62.7.1", - "eslint-plugin-regexp": "^3.0.0", - "globals": "^17.3.0" + "eslint-plugin-jsdoc": "^62.8.0", + "eslint-plugin-regexp": "^3.1.0", + "globals": "^17.4.0" } }, "node_modules/@babel/code-frame": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-8.0.0-rc.2.tgz", - "integrity": "sha512-zbPFBDbQdChkGN02WRc/BcOvZLDTctFJZVeWkciVr82T5V0GVBXztq4/Wi4Ca+ZKx7U+Kdt5b862cpFJ4Cjf1A==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-8.0.0-rc.3.tgz", + "integrity": "sha512-585nwYQGQKKc+jMIAPeZJ+aGMn4FHmIUUjLZa9zI7mslvYmShnx0u7rFA4gliRip6S2vkwTYrMxPeXadkKW93Q==", "license": "MIT", "dependencies": { - "@babel/helper-validator-identifier": "^8.0.0-rc.2", + "@babel/helper-validator-identifier": "^8.0.0-rc.3", "js-tokens": "^10.0.0" }, "engines": { @@ -35,29 +35,29 @@ } }, "node_modules/@babel/compat-data": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-8.0.0-rc.2.tgz", - "integrity": "sha512-zDrQeMrDVCkisxxjZmP+xeAyGfZCVOwP+7VECgOvMXttb+1pTUMpeEYI0LaozIzeES/Uvu7OqhHLb3oN1qo6Wg==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/compat-data/-/compat-data-8.0.0-rc.3.tgz", + "integrity": "sha512-TlS7d9xYz/93xC8ovkRBwTKPodbwPfzTn7TxUgZo4c3LwpPINnScqIlN0QRDE/x1S4C1bmyqxGmAZUIC0buW0A==", "license": "MIT", "engines": { "node": "^20.19.0 || >=22.12.0" } }, "node_modules/@babel/core": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/core/-/core-8.0.0-rc.2.tgz", - "integrity": "sha512-mlBJdKJJEZNGDE+w+P6B5w+FTMkht1liPkxtB4wk39EpGH01Am5tg1htaNlOU5rO9Ge3psMjAFycpc3ru5uaQw==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/core/-/core-8.0.0-rc.3.tgz", + "integrity": "sha512-ov5mBbHiosqX1eqt8nN0JM7VuhirO6V8lln5rUXNZpNB+a9NnPTVYeDqSTBkf9C6GmFq3fnFlGT8eg3QBI7jJQ==", "license": "MIT", "peer": true, "dependencies": { - "@babel/code-frame": "^8.0.0-rc.2", - "@babel/generator": "^8.0.0-rc.2", - "@babel/helper-compilation-targets": "^8.0.0-rc.2", - "@babel/helpers": "^8.0.0-rc.2", - "@babel/parser": "^8.0.0-rc.2", - "@babel/template": "^8.0.0-rc.2", - "@babel/traverse": "^8.0.0-rc.2", - "@babel/types": "^8.0.0-rc.2", + "@babel/code-frame": "^8.0.0-rc.3", + "@babel/generator": "^8.0.0-rc.3", + "@babel/helper-compilation-targets": "^8.0.0-rc.3", + "@babel/helpers": "^8.0.0-rc.3", + "@babel/parser": "^8.0.0-rc.3", + "@babel/template": "^8.0.0-rc.3", + "@babel/traverse": "^8.0.0-rc.3", + "@babel/types": "^8.0.0-rc.3", "@jridgewell/remapping": "^2.3.5", "@types/gensync": "^1.0.0", "convert-source-map": "^2.0.0", @@ -84,9 +84,9 @@ } }, "node_modules/@babel/eslint-parser": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/eslint-parser/-/eslint-parser-8.0.0-rc.2.tgz", - "integrity": "sha512-hczs5f2oe/BjS3OpQb2ljVVsauEjBIR3UsTmIPNDECIz02olxaVYDHd4mk3GEx0N7PD8gsz2cZ6sqZTctVaMug==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/eslint-parser/-/eslint-parser-8.0.0-rc.3.tgz", + "integrity": "sha512-YsJgMO5TVzHGpX0zNF5WkrKj04QI32kQv0L2r/KKbCOmOt4A/XhM5zctW7WgFiOAEZafWfQyo6dWEwwBjZnHlQ==", "license": "MIT", "dependencies": { "eslint-scope": "^9.1.0", @@ -97,18 +97,18 @@ "node": "^20.19.0 || >=22.12.0" }, "peerDependencies": { - "@babel/core": "^8.0.0-rc.2", + "@babel/core": "^8.0.0-rc.3", "eslint": "^9.0.0 || ^10.0.0" } }, "node_modules/@babel/generator": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-8.0.0-rc.2.tgz", - "integrity": "sha512-oCQ1IKPwkzCeJzAPb7Fv8rQ9k5+1sG8mf2uoHiMInPYvkRfrDJxbTIbH51U+jstlkghus0vAi3EBvkfvEsYNLQ==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-8.0.0-rc.3.tgz", + "integrity": "sha512-em37/13/nR320G4jab/nIIHZgc2Wz2y/D39lxnTyxB4/D/omPQncl/lSdlnJY1OhQcRGugTSIF2l/69o31C9dA==", "license": "MIT", "dependencies": { - "@babel/parser": "^8.0.0-rc.2", - "@babel/types": "^8.0.0-rc.2", + "@babel/parser": "^8.0.0-rc.3", + "@babel/types": "^8.0.0-rc.3", "@jridgewell/gen-mapping": "^0.3.12", "@jridgewell/trace-mapping": "^0.3.28", "@types/jsesc": "^2.5.0", @@ -119,13 +119,13 @@ } }, "node_modules/@babel/helper-compilation-targets": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-8.0.0-rc.2.tgz", - "integrity": "sha512-oMIhKru9gl3mj0eKDyKW6wBDAvyWoZd28d6V/m4JTeeiFsJLfOYnqu+s+cnK4jSo87cg/oj4hsATgkmZ3AzsDQ==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/helper-compilation-targets/-/helper-compilation-targets-8.0.0-rc.3.tgz", + "integrity": "sha512-UXlT7t103KBJjiphN7Ij9DtELX2Q5uk1xMle7oN/eckxR8dmJyvbFsIm5u+cY0KZyF7qNkAiLsJljEPix1yfKg==", "license": "MIT", "dependencies": { - "@babel/compat-data": "^8.0.0-rc.2", - "@babel/helper-validator-option": "^8.0.0-rc.2", + "@babel/compat-data": "^8.0.0-rc.3", + "@babel/helper-validator-option": "^8.0.0-rc.3", "browserslist": "^4.24.0", "lru-cache": "^7.14.1", "semver": "^7.7.3" @@ -135,73 +135,73 @@ } }, "node_modules/@babel/helper-globals": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-8.0.0-rc.2.tgz", - "integrity": "sha512-Q1AIOaW4EOxkI/8wYJKyLI59gfqTK3imFUfIqxuve0Q3GlOSrOTVmvHU6Gb3Y5GxtoS1hIzhO47k5GkfyGTQEQ==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/helper-globals/-/helper-globals-8.0.0-rc.3.tgz", + "integrity": "sha512-rwtdZPunoa/IAlcZhgDoLxROXPW5evSN7SXMdObS8vNt7Wu6fCf8nLPFcuuhLCzeRoIrGNKx08v/XEQ4riQDGg==", "license": "MIT", "engines": { "node": "^20.19.0 || >=22.12.0" } }, "node_modules/@babel/helper-plugin-utils": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-8.0.0-rc.2.tgz", - "integrity": "sha512-APa2p8RHBNGUmNPDYshswXQkS2sMNthL8VZSc9soe5lQfT2RXRXM6TwOLaktQwnNSwdoEy+Xu9q3qMdFrV92sg==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/helper-plugin-utils/-/helper-plugin-utils-8.0.0-rc.3.tgz", + "integrity": "sha512-1+lvhojDf75++IwFRWrch4BBaznB2Z99GCfggHFWEKJ8B40iovZ8KqP0kDeb60ThuAa7WxCbtuYHfP5BtJL1kA==", "license": "MIT", "engines": { "node": "^20.19.0 || >=22.12.0" }, "peerDependencies": { - "@babel/core": "^8.0.0-rc.2" + "@babel/core": "^8.0.0-rc.3" } }, "node_modules/@babel/helper-string-parser": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-8.0.0-rc.2.tgz", - "integrity": "sha512-noLx87RwlBEMrTzncWd/FvTxoJ9+ycHNg0n8yyYydIoDsLZuxknKgWRJUqcrVkNrJ74uGyhWQzQaS3q8xfGAhQ==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/helper-string-parser/-/helper-string-parser-8.0.0-rc.3.tgz", + "integrity": "sha512-AmwWFx1m8G/a5cXkxLxTiWl+YEoWuoFLUCwqMlNuWO1tqAYITQAbCRPUkyBHv1VOFgfjVOqEj6L3u15J5ZCzTA==", "license": "MIT", "engines": { "node": "^20.19.0 || >=22.12.0" } }, "node_modules/@babel/helper-validator-identifier": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-8.0.0-rc.2.tgz", - "integrity": "sha512-xExUBkuXWJjVuIbO7z6q7/BA9bgfJDEhVL0ggrggLMbg0IzCUWGT1hZGE8qUH7Il7/RD/a6cZ3AAFrrlp1LF/A==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-8.0.0-rc.3.tgz", + "integrity": "sha512-8AWCJ2VJJyDFlGBep5GpaaQ9AAaE/FjAcrqI7jyssYhtL7WGV0DOKpJsQqM037xDbpRLHXsY8TwU7zDma7coOw==", "license": "MIT", "engines": { "node": "^20.19.0 || >=22.12.0" } }, "node_modules/@babel/helper-validator-option": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-8.0.0-rc.2.tgz", - "integrity": "sha512-EtxQopsocKue0ZdjnX5INoDiRN+RCBb1TDh3d0N8bM6aX0lyUhQfRNRQaKB+vCx+YvGjXWRf3JD6/YvTsf2qgQ==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/helper-validator-option/-/helper-validator-option-8.0.0-rc.3.tgz", + "integrity": "sha512-wpzZ9KycQDqmJct4ee/ihua2KKdW/MXTDidD4Ya7HdUHL+Jp5zBZTj8oNrxc8wp5Qr4sofKgZF1GIyymfdq7+g==", "license": "MIT", "engines": { "node": "^20.19.0 || >=22.12.0" } }, "node_modules/@babel/helpers": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-8.0.0-rc.2.tgz", - "integrity": "sha512-Cc2IpMRiu8PDBUxtQ6oSkML0etJ27kZGnf3XE+qqAJJFGtVl549kyfvDWLywCAFhq16kHUe2WMZMdFUtPz6kWw==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-8.0.0-rc.3.tgz", + "integrity": "sha512-dbPuulmsPOwIAXP4pGsKiAv1E50pKYmAJfWXYytCwLpgj6IDNUFAzGuVVemaphYP/WniKsCf42+Cfo4xpc4jjQ==", "license": "MIT", "dependencies": { - "@babel/template": "^8.0.0-rc.2", - "@babel/types": "^8.0.0-rc.2" + "@babel/template": "^8.0.0-rc.3", + "@babel/types": "^8.0.0-rc.3" }, "engines": { "node": "^20.19.0 || >=22.12.0" } }, "node_modules/@babel/parser": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-8.0.0-rc.2.tgz", - "integrity": "sha512-29AhEtcq4x8Dp3T72qvUMZHx0OMXCj4Jy/TEReQa+KWLln524Cj1fWb3QFi0l/xSpptQBR6y9RNEXuxpFvwiUQ==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-8.0.0-rc.3.tgz", + "integrity": "sha512-B20dvP3MfNc/XS5KKCHy/oyWl5IA6Cn9YjXRdDlCjNmUFrjvLXMNUfQq/QUy9fnG2gYkKKcrto2YaF9B32ToOQ==", "license": "MIT", "dependencies": { - "@babel/types": "^8.0.0-rc.2" + "@babel/types": "^8.0.0-rc.3" }, "bin": { "parser": "bin/babel-parser.js" @@ -211,46 +211,46 @@ } }, "node_modules/@babel/plugin-syntax-import-source": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-import-source/-/plugin-syntax-import-source-8.0.0-rc.2.tgz", - "integrity": "sha512-aB2h3oetnsvPM1RmH5sm17yuMiQ/vXx4YIJS1gaEWvFoZXrQol/lq/pFh4zVp9Y7uB2XfOOxjAigq9vwrMyIBA==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/plugin-syntax-import-source/-/plugin-syntax-import-source-8.0.0-rc.3.tgz", + "integrity": "sha512-enWWk7TiwxhNMdLgyY1JKYhpsTHoKh5rotU6RHelLGefWCk6vAA1wamfNhu1wWch/tRUm4UCo8imafyzUem1Mg==", "license": "MIT", "dependencies": { - "@babel/helper-plugin-utils": "^8.0.0-rc.2" + "@babel/helper-plugin-utils": "^8.0.0-rc.3" }, "engines": { "node": "^20.19.0 || >=22.12.0" }, "peerDependencies": { - "@babel/core": "^8.0.0-rc.2" + "@babel/core": "^8.0.0-rc.3" } }, "node_modules/@babel/template": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/template/-/template-8.0.0-rc.2.tgz", - "integrity": "sha512-INp+KufeQpvU+V+gxR7xoiVzU6sRRQo8oOsCU/sTe0wtJ/Adrfgyet0i19qvXXSeuyiZ9+PV8IF/eEPzyJ527g==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/template/-/template-8.0.0-rc.3.tgz", + "integrity": "sha512-9iet2svxZhCGgmt/b6M3Fbmy2i+OgjhXMDWNqDTBrNvb9Cc60NgETNIaJq6b0wICiCqpsFdIt8NYXMXyCQU6jA==", "license": "MIT", "dependencies": { - "@babel/code-frame": "^8.0.0-rc.2", - "@babel/parser": "^8.0.0-rc.2", - "@babel/types": "^8.0.0-rc.2" + "@babel/code-frame": "^8.0.0-rc.3", + "@babel/parser": "^8.0.0-rc.3", + "@babel/types": "^8.0.0-rc.3" }, "engines": { "node": "^20.19.0 || >=22.12.0" } }, "node_modules/@babel/traverse": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-8.0.0-rc.2.tgz", - "integrity": "sha512-H9ZChE8gRy4fSloEQaT17ijcFNoayS9JIyE0IUWkjYgldU+Czkg2h5XtuJmfIk6cbuHfDK/FFJox+g/TlmXB7g==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-8.0.0-rc.3.tgz", + "integrity": "sha512-3gvZCynaX+zxYZ2v5odaBBcc9eT4Yr7Gf16l3QSEvvBPVyMSZbYhsGAZfO79kjOCNJY2j6rWvNkWl1ZwYa64lQ==", "license": "MIT", "dependencies": { - "@babel/code-frame": "^8.0.0-rc.2", - "@babel/generator": "^8.0.0-rc.2", - "@babel/helper-globals": "^8.0.0-rc.2", - "@babel/parser": "^8.0.0-rc.2", - "@babel/template": "^8.0.0-rc.2", - "@babel/types": "^8.0.0-rc.2", + "@babel/code-frame": "^8.0.0-rc.3", + "@babel/generator": "^8.0.0-rc.3", + "@babel/helper-globals": "^8.0.0-rc.3", + "@babel/parser": "^8.0.0-rc.3", + "@babel/template": "^8.0.0-rc.3", + "@babel/types": "^8.0.0-rc.3", "obug": "^2.1.1" }, "engines": { @@ -258,13 +258,13 @@ } }, "node_modules/@babel/types": { - "version": "8.0.0-rc.2", - "resolved": "https://registry.npmjs.org/@babel/types/-/types-8.0.0-rc.2.tgz", - "integrity": "sha512-91gAaWRznDwSX4E2tZ1YjBuIfnQVOFDCQ2r0Toby0gu4XEbyF623kXLMA8d4ZbCu+fINcrudkmEcwSUHgDDkNw==", + "version": "8.0.0-rc.3", + "resolved": "https://registry.npmjs.org/@babel/types/-/types-8.0.0-rc.3.tgz", + "integrity": "sha512-mOm5ZrYmphGfqVWoH5YYMTITb3cDXsFgmvFlvkvWDMsR9X8RFnt7a0Wb6yNIdoFsiMO9WjYLq+U/FMtqIYAF8Q==", "license": "MIT", "dependencies": { - "@babel/helper-string-parser": "^8.0.0-rc.2", - "@babel/helper-validator-identifier": "^8.0.0-rc.2" + "@babel/helper-string-parser": "^8.0.0-rc.3", + "@babel/helper-validator-identifier": "^8.0.0-rc.3" }, "engines": { "node": "^20.19.0 || >=22.12.0" @@ -335,35 +335,35 @@ } }, "node_modules/@eslint/config-array": { - "version": "0.23.2", - "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.23.2.tgz", - "integrity": "sha512-YF+fE6LV4v5MGWRGj7G404/OZzGNepVF8fxk7jqmqo3lrza7a0uUcDnROGRBG1WFC1omYUS/Wp1f42i0M+3Q3A==", + "version": "0.23.3", + "resolved": "https://registry.npmjs.org/@eslint/config-array/-/config-array-0.23.3.tgz", + "integrity": "sha512-j+eEWmB6YYLwcNOdlwQ6L2OsptI/LO6lNBuLIqe5R7RetD658HLoF+Mn7LzYmAWWNNzdC6cqP+L6r8ujeYXWLw==", "license": "Apache-2.0", "dependencies": { - "@eslint/object-schema": "^3.0.2", + "@eslint/object-schema": "^3.0.3", "debug": "^4.3.1", - "minimatch": "^10.2.1" + "minimatch": "^10.2.4" }, "engines": { "node": "^20.19.0 || ^22.13.0 || >=24" } }, "node_modules/@eslint/config-helpers": { - "version": "0.5.2", - "resolved": "https://registry.npmjs.org/@eslint/config-helpers/-/config-helpers-0.5.2.tgz", - "integrity": "sha512-a5MxrdDXEvqnIq+LisyCX6tQMPF/dSJpCfBgBauY+pNZ28yCtSsTvyTYrMhaI+LK26bVyCJfJkT0u8KIj2i1dQ==", + "version": "0.5.3", + "resolved": "https://registry.npmjs.org/@eslint/config-helpers/-/config-helpers-0.5.3.tgz", + "integrity": "sha512-lzGN0onllOZCGroKJmRwY6QcEHxbjBw1gwB8SgRSqK8YbbtEXMvKynsXc3553ckIEBxsbMBU7oOZXKIPGZNeZw==", "license": "Apache-2.0", "dependencies": { - "@eslint/core": "^1.1.0" + "@eslint/core": "^1.1.1" }, "engines": { "node": "^20.19.0 || ^22.13.0 || >=24" } }, "node_modules/@eslint/config-helpers/node_modules/@eslint/core": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@eslint/core/-/core-1.1.0.tgz", - "integrity": "sha512-/nr9K9wkr3P1EzFTdFdMoLuo1PmIxjmwvPozwoSodjNBdefGujXQUF93u1DDZpEaTuDvMsIQddsd35BwtrW9Xw==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@eslint/core/-/core-1.1.1.tgz", + "integrity": "sha512-QUPblTtE51/7/Zhfv8BDwO0qkkzQL7P/aWWbqcf4xWLEYn1oKjdO0gglQBB4GAsu7u6wjijbCmzsUTy6mnk6oQ==", "license": "Apache-2.0", "dependencies": { "@types/json-schema": "^7.0.15" @@ -428,9 +428,9 @@ } }, "node_modules/@eslint/object-schema": { - "version": "3.0.2", - "resolved": "https://registry.npmjs.org/@eslint/object-schema/-/object-schema-3.0.2.tgz", - "integrity": "sha512-HOy56KJt48Bx8KmJ+XGQNSUMT/6dZee/M54XyUyuvTvPXJmsERRvBchsUVx1UMe1WwIH49XLAczNC7V2INsuUw==", + "version": "3.0.3", + "resolved": "https://registry.npmjs.org/@eslint/object-schema/-/object-schema-3.0.3.tgz", + "integrity": "sha512-iM869Pugn9Nsxbh/YHRqYiqd23AmIbxJOcpUMOuWCVNdoQJ5ZtwL6h3t0bcZzJUlC3Dq9jCFCESBZnX0GTv7iQ==", "license": "Apache-2.0", "engines": { "node": "^20.19.0 || ^22.13.0 || >=24" @@ -555,9 +555,9 @@ } }, "node_modules/@stylistic/eslint-plugin": { - "version": "5.9.0", - "resolved": "https://registry.npmjs.org/@stylistic/eslint-plugin/-/eslint-plugin-5.9.0.tgz", - "integrity": "sha512-FqqSkvDMYJReydrMhlugc71M76yLLQWNfmGq+SIlLa7N3kHp8Qq8i2PyWrVNAfjOyOIY+xv9XaaYwvVW7vroMA==", + "version": "5.10.0", + "resolved": "https://registry.npmjs.org/@stylistic/eslint-plugin/-/eslint-plugin-5.10.0.tgz", + "integrity": "sha512-nPK52ZHvot8Ju/0A4ucSX1dcPV2/1clx0kLcH5wDmrE4naKso7TUC/voUyU1O9OTKTrR6MYip6LP0ogEMQ9jPQ==", "license": "MIT", "dependencies": { "@eslint-community/eslint-utils": "^4.9.1", @@ -713,18 +713,18 @@ "license": "Python-2.0" }, "node_modules/balanced-match": { - "version": "4.0.3", - "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.3.tgz", - "integrity": "sha512-1pHv8LX9CpKut1Zp4EXey7Z8OfH11ONNH6Dhi2WDUt31VVZFXZzKwXcysBgqSumFCmR+0dqjMK5v5JiFHzi0+g==", + "version": "4.0.4", + "resolved": "https://registry.npmjs.org/balanced-match/-/balanced-match-4.0.4.tgz", + "integrity": "sha512-BLrgEcRTwX2o6gGxGOCNyMvGSp35YofuYzw9h1IMTRmKqttAZZVU67bdb9Pr2vUHA8+j3i2tJfjO6C6+4myGTA==", "license": "MIT", "engines": { - "node": "20 || >=22" + "node": "18 || 20 || >=22" } }, "node_modules/baseline-browser-mapping": { - "version": "2.10.0", - "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.0.tgz", - "integrity": "sha512-lIyg0szRfYbiy67j9KN8IyeD7q7hcmqnJ1ddWmNt19ItGpNN64mnllmxUNFIOdOm6by97jlL6wfpTTJrmnjWAA==", + "version": "2.10.8", + "resolved": "https://registry.npmjs.org/baseline-browser-mapping/-/baseline-browser-mapping-2.10.8.tgz", + "integrity": "sha512-PCLz/LXGBsNTErbtB6i5u4eLpHeMfi93aUv5duMmj6caNu6IphS4q6UevDnL36sZQv9lrP11dbPKGMaXPwMKfQ==", "license": "Apache-2.0", "bin": { "baseline-browser-mapping": "dist/cli.cjs" @@ -734,15 +734,15 @@ } }, "node_modules/brace-expansion": { - "version": "5.0.2", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.2.tgz", - "integrity": "sha512-Pdk8c9poy+YhOgVWw1JNN22/HcivgKWwpxKq04M/jTmHyCZn12WPJebZxdjSa5TmBqISrUSgNYU3eRORljfCCw==", + "version": "5.0.4", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.4.tgz", + "integrity": "sha512-h+DEnpVvxmfVefa4jFbCf5HdH5YMDXRsmKflpf1pILZWRFlTbJpxeU55nJl4Smt5HQaGzg1o6RHFPJaOqnmBDg==", "license": "MIT", "dependencies": { "balanced-match": "^4.0.2" }, "engines": { - "node": "20 || >=22" + "node": "18 || 20 || >=22" } }, "node_modules/browserslist": { @@ -780,9 +780,9 @@ } }, "node_modules/caniuse-lite": { - "version": "1.0.30001770", - "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001770.tgz", - "integrity": "sha512-x/2CLQ1jHENRbHg5PSId2sXq1CIO1CISvwWAj027ltMVG2UNgW+w9oH2+HzgEIRFembL8bUlXtfbBHR1fCg2xw==", + "version": "1.0.30001780", + "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001780.tgz", + "integrity": "sha512-llngX0E7nQci5BPJDqoZSbuZ5Bcs9F5db7EtgfwBerX9XGtkkiO4NwfDDIRzHTTwcYC8vC7bmeUEPGrKlR/TkQ==", "funding": [ { "type": "opencollective", @@ -907,9 +907,9 @@ } }, "node_modules/electron-to-chromium": { - "version": "1.5.302", - "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.302.tgz", - "integrity": "sha512-sM6HAN2LyK82IyPBpznDRqlTQAtuSaO+ShzFiWTvoMJLHyZ+Y39r8VMfHzwbU8MVBzQ4Wdn85+wlZl2TLGIlwg==", + "version": "1.5.321", + "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.321.tgz", + "integrity": "sha512-L2C7Q279W2D/J4PLZLk7sebOILDSWos7bMsMNN06rK482umHUrh/3lM8G7IlHFOYip2oAg5nha1rCMxr/rs6ZQ==", "license": "ISC" }, "node_modules/escalade": { @@ -934,18 +934,18 @@ } }, "node_modules/eslint": { - "version": "10.0.2", - "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.0.2.tgz", - "integrity": "sha512-uYixubwmqJZH+KLVYIVKY1JQt7tysXhtj21WSvjcSmU5SVNzMus1bgLe+pAt816yQ8opKfheVVoPLqvVMGejYw==", + "version": "10.1.0", + "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.1.0.tgz", + "integrity": "sha512-S9jlY/ELKEUwwQnqWDO+f+m6sercqOPSqXM5Go94l7DOmxHVDgmSFGWEzeE/gwgTAr0W103BWt0QLe/7mabIvA==", "license": "MIT", "peer": true, "dependencies": { "@eslint-community/eslint-utils": "^4.8.0", "@eslint-community/regexpp": "^4.12.2", - "@eslint/config-array": "^0.23.2", - "@eslint/config-helpers": "^0.5.2", - "@eslint/core": "^1.1.0", - "@eslint/plugin-kit": "^0.6.0", + "@eslint/config-array": "^0.23.3", + "@eslint/config-helpers": "^0.5.3", + "@eslint/core": "^1.1.1", + "@eslint/plugin-kit": "^0.6.1", "@humanfs/node": "^0.16.6", "@humanwhocodes/module-importer": "^1.0.1", "@humanwhocodes/retry": "^0.4.2", @@ -954,9 +954,9 @@ "cross-spawn": "^7.0.6", "debug": "^4.3.2", "escape-string-regexp": "^4.0.0", - "eslint-scope": "^9.1.1", + "eslint-scope": "^9.1.2", "eslint-visitor-keys": "^5.0.1", - "espree": "^11.1.1", + "espree": "^11.2.0", "esquery": "^1.7.0", "esutils": "^2.0.2", "fast-deep-equal": "^3.1.3", @@ -967,7 +967,7 @@ "imurmurhash": "^0.1.4", "is-glob": "^4.0.0", "json-stable-stringify-without-jsonify": "^1.0.1", - "minimatch": "^10.2.1", + "minimatch": "^10.2.4", "natural-compare": "^1.4.0", "optionator": "^0.9.3" }, @@ -1002,9 +1002,9 @@ } }, "node_modules/eslint-plugin-jsdoc": { - "version": "62.7.1", - "resolved": "https://registry.npmjs.org/eslint-plugin-jsdoc/-/eslint-plugin-jsdoc-62.7.1.tgz", - "integrity": "sha512-4Zvx99Q7d1uggYBUX/AIjvoyqXhluGbbKrRmG8SQTLprPFg6fa293tVJH1o1GQwNe3lUydd8ZHzn37OaSncgSQ==", + "version": "62.8.0", + "resolved": "https://registry.npmjs.org/eslint-plugin-jsdoc/-/eslint-plugin-jsdoc-62.8.0.tgz", + "integrity": "sha512-hu3r9/6JBmPG6wTcqtYzgZAnjEG2eqRUATfkFscokESg1VDxZM21ZaMire0KjeMwfj+SXvgB4Rvh5LBuesj92w==", "license": "BSD-3-Clause", "dependencies": { "@es-joy/jsdoccomment": "~0.84.0", @@ -1047,9 +1047,9 @@ } }, "node_modules/eslint-plugin-regexp": { - "version": "3.0.0", - "resolved": "https://registry.npmjs.org/eslint-plugin-regexp/-/eslint-plugin-regexp-3.0.0.tgz", - "integrity": "sha512-iW7hgAV8NOG6E2dz+VeKpq67YLQ9jaajOKYpoOSic2/q8y9BMdXBKkSR9gcMtbqEhNQzdW41E3wWzvhp8ExYwQ==", + "version": "3.1.0", + "resolved": "https://registry.npmjs.org/eslint-plugin-regexp/-/eslint-plugin-regexp-3.1.0.tgz", + "integrity": "sha512-qGXIC3DIKZHcK1H9A9+Byz9gmndY6TTSRkSMTZpNXdyCw2ObSehRgccJv35n9AdUakEjQp5VFNLas6BMXizCZg==", "license": "MIT", "dependencies": { "@eslint-community/eslint-utils": "^4.2.0", @@ -1068,9 +1068,9 @@ } }, "node_modules/eslint-scope": { - "version": "9.1.1", - "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-9.1.1.tgz", - "integrity": "sha512-GaUN0sWim5qc8KVErfPBWmc31LEsOkrUJbvJZV+xuL3u2phMUK4HIvXlWAakfC8W4nzlK+chPEAkYOYb5ZScIw==", + "version": "9.1.2", + "resolved": "https://registry.npmjs.org/eslint-scope/-/eslint-scope-9.1.2.tgz", + "integrity": "sha512-xS90H51cKw0jltxmvmHy2Iai1LIqrfbw57b79w/J7MfvDfkIkFZ+kj6zC3BjtUwh150HsSSdxXZcsuv72miDFQ==", "license": "BSD-2-Clause", "dependencies": { "@types/esrecurse": "^4.3.1", @@ -1098,9 +1098,9 @@ } }, "node_modules/eslint/node_modules/@eslint/core": { - "version": "1.1.0", - "resolved": "https://registry.npmjs.org/@eslint/core/-/core-1.1.0.tgz", - "integrity": "sha512-/nr9K9wkr3P1EzFTdFdMoLuo1PmIxjmwvPozwoSodjNBdefGujXQUF93u1DDZpEaTuDvMsIQddsd35BwtrW9Xw==", + "version": "1.1.1", + "resolved": "https://registry.npmjs.org/@eslint/core/-/core-1.1.1.tgz", + "integrity": "sha512-QUPblTtE51/7/Zhfv8BDwO0qkkzQL7P/aWWbqcf4xWLEYn1oKjdO0gglQBB4GAsu7u6wjijbCmzsUTy6mnk6oQ==", "license": "Apache-2.0", "dependencies": { "@types/json-schema": "^7.0.15" @@ -1110,12 +1110,12 @@ } }, "node_modules/eslint/node_modules/@eslint/plugin-kit": { - "version": "0.6.0", - "resolved": "https://registry.npmjs.org/@eslint/plugin-kit/-/plugin-kit-0.6.0.tgz", - "integrity": "sha512-bIZEUzOI1jkhviX2cp5vNyXQc6olzb2ohewQubuYlMXZ2Q/XjBO0x0XhGPvc9fjSIiUN0vw+0hq53BJ4eQSJKQ==", + "version": "0.6.1", + "resolved": "https://registry.npmjs.org/@eslint/plugin-kit/-/plugin-kit-0.6.1.tgz", + "integrity": "sha512-iH1B076HoAshH1mLpHMgwdGeTs0CYwL0SPMkGuSebZrwBp16v415e9NZXg2jtrqPVQjf6IANe2Vtlr5KswtcZQ==", "license": "Apache-2.0", "dependencies": { - "@eslint/core": "^1.1.0", + "@eslint/core": "^1.1.1", "levn": "^0.4.1" }, "engines": { @@ -1123,9 +1123,9 @@ } }, "node_modules/eslint/node_modules/espree": { - "version": "11.1.1", - "resolved": "https://registry.npmjs.org/espree/-/espree-11.1.1.tgz", - "integrity": "sha512-AVHPqQoZYc+RUM4/3Ly5udlZY/U4LS8pIG05jEjWM2lQMU/oaZ7qshzAl2YP1tfNmXfftH3ohurfwNAug+MnsQ==", + "version": "11.2.0", + "resolved": "https://registry.npmjs.org/espree/-/espree-11.2.0.tgz", + "integrity": "sha512-7p3DrVEIopW1B1avAGLuCSh1jubc01H2JHc8B4qqGblmg5gI9yumBgACjWo4JlIc04ufug4xJ3SQI8HkS/Rgzw==", "license": "BSD-2-Clause", "dependencies": { "acorn": "^8.16.0", @@ -1283,9 +1283,9 @@ } }, "node_modules/flatted": { - "version": "3.4.1", - "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.1.tgz", - "integrity": "sha512-IxfVbRFVlV8V/yRaGzk0UVIcsKKHMSfYw66T/u4nTwlWteQePsxe//LjudR1AMX4tZW3WFCh3Zqa/sjlqpbURQ==", + "version": "3.4.2", + "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz", + "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==", "license": "ISC" }, "node_modules/format": { @@ -1324,9 +1324,9 @@ } }, "node_modules/globals": { - "version": "17.3.0", - "resolved": "https://registry.npmjs.org/globals/-/globals-17.3.0.tgz", - "integrity": "sha512-yMqGUQVVCkD4tqjOJf3TnrvaaHDMYp4VlUSObbkIiuCPe/ofdMBFIAcBbCSRFWOnos6qRiTVStDwqPLUclaxIw==", + "version": "17.4.0", + "resolved": "https://registry.npmjs.org/globals/-/globals-17.4.0.tgz", + "integrity": "sha512-hjrNztw/VajQwOLsMNT1cbJiH2muO3OROCHnbehc8eY5JyD2gqz4AcMHPqgaOR59DjgUjYAYLeH699g/eWi2jw==", "license": "MIT", "engines": { "node": ">=18" @@ -2379,9 +2379,9 @@ "license": "MIT" }, "node_modules/node-releases": { - "version": "2.0.27", - "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.27.tgz", - "integrity": "sha512-nmh3lCkYZ3grZvqcCH+fjmQ7X+H0OeZgP40OierEaAptX4XofMh5kwNbWh7lBduUzCcV/8kZ+NDLCwm2iorIlA==", + "version": "2.0.36", + "resolved": "https://registry.npmjs.org/node-releases/-/node-releases-2.0.36.tgz", + "integrity": "sha512-TdC8FSgHz8Mwtw9g5L4gR/Sh9XhSP/0DEkQxfEFXOpiul5IiHgHan2VhYYb6agDSfp4KuvltmGApc8HMgUrIkA==", "license": "MIT" }, "node_modules/object-deep-merge": { diff --git a/tools/eslint/package.json b/tools/eslint/package.json index 1adf4a970c5fa4..75c6ae2346d4d8 100644 --- a/tools/eslint/package.json +++ b/tools/eslint/package.json @@ -3,16 +3,16 @@ "version": "0.0.0", "private": true, "dependencies": { - "@babel/core": "^8.0.0-rc.2", - "@babel/eslint-parser": "^8.0.0-rc.2", - "@babel/plugin-syntax-import-source": "^8.0.0-rc.2", + "@babel/core": "^8.0.0-rc.3", + "@babel/eslint-parser": "^8.0.0-rc.3", + "@babel/plugin-syntax-import-source": "^8.0.0-rc.3", "@eslint/js": "^10.0.1", "@eslint/markdown": "^7.5.1", - "@stylistic/eslint-plugin": "^5.9.0", - "eslint": "^10.0.2", + "@stylistic/eslint-plugin": "^5.10.0", + "eslint": "^10.1.0", "eslint-formatter-tap": "^9.0.1", - "eslint-plugin-jsdoc": "^62.7.1", - "eslint-plugin-regexp": "^3.0.0", - "globals": "^17.3.0" + "eslint-plugin-jsdoc": "^62.8.0", + "eslint-plugin-regexp": "^3.1.0", + "globals": "^17.4.0" } } From 8e8b98d3aafa018f7b30cf7878bef057acf2d235 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 24 Mar 2026 14:41:49 +0000 Subject: [PATCH 3/7] tools: bump flatted from 3.4.1 to 3.4.2 in /tools/eslint Bumps [flatted](https://github.com/WebReflection/flatted) from 3.4.1 to 3.4.2. - [Commits](https://github.com/WebReflection/flatted/compare/v3.4.1...v3.4.2) --- updated-dependencies: - dependency-name: flatted dependency-version: 3.4.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] PR-URL: https://github.com/nodejs/node/pull/62375 Reviewed-By: Colin Ihrig Reviewed-By: Chemi Atlow Reviewed-By: Luigi Pinca --- tools/eslint/package-lock.json | 4 ---- 1 file changed, 4 deletions(-) diff --git a/tools/eslint/package-lock.json b/tools/eslint/package-lock.json index 56d69e9aae56c5..acf0cbc2ee55b4 100644 --- a/tools/eslint/package-lock.json +++ b/tools/eslint/package-lock.json @@ -48,7 +48,6 @@ "resolved": "https://registry.npmjs.org/@babel/core/-/core-8.0.0-rc.3.tgz", "integrity": "sha512-ov5mBbHiosqX1eqt8nN0JM7VuhirO6V8lln5rUXNZpNB+a9NnPTVYeDqSTBkf9C6GmFq3fnFlGT8eg3QBI7jJQ==", "license": "MIT", - "peer": true, "dependencies": { "@babel/code-frame": "^8.0.0-rc.3", "@babel/generator": "^8.0.0-rc.3", @@ -664,7 +663,6 @@ "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.16.0.tgz", "integrity": "sha512-UVJyE9MttOsBQIDKw1skb9nAwQuR5wuGD3+82K6JgJlm/Y+KI92oNsMNGZCYdDsVtRHSak0pcV5Dno5+4jh9sw==", "license": "MIT", - "peer": true, "bin": { "acorn": "bin/acorn" }, @@ -764,7 +762,6 @@ } ], "license": "MIT", - "peer": true, "dependencies": { "baseline-browser-mapping": "^2.9.0", "caniuse-lite": "^1.0.30001759", @@ -938,7 +935,6 @@ "resolved": "https://registry.npmjs.org/eslint/-/eslint-10.1.0.tgz", "integrity": "sha512-S9jlY/ELKEUwwQnqWDO+f+m6sercqOPSqXM5Go94l7DOmxHVDgmSFGWEzeE/gwgTAr0W103BWt0QLe/7mabIvA==", "license": "MIT", - "peer": true, "dependencies": { "@eslint-community/eslint-utils": "^4.8.0", "@eslint-community/regexpp": "^4.12.2", From d2be89c08158a01eb220f657952fbeb6b86fde06 Mon Sep 17 00:00:00 2001 From: Antoine du Hamel Date: Sun, 22 Mar 2026 17:06:18 +0100 Subject: [PATCH 4/7] 2026-03-24, Version 22.22.2 'Jod' (LTS) This is a security release. Notable changes: build,test,deps: * (CVE-2026-21717) test array index hash collision crypto: * (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC http: * (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct permission: * (CVE-2026-21716) include permission check on lib/fs/promises * (CVE-2026-21715) add permission check to realpath.native src: * (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code tls: * (CVE-2026-21637) wrap SNICallback invocation in try/catch PR-URL: https://github.com/nodejs-private/node-private/pull/844 --- CHANGELOG.md | 39 ++------------------------------- doc/changelogs/CHANGELOG_V22.md | 36 ++++++++++++++++++++++++++++++ 2 files changed, 38 insertions(+), 37 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 50a03cedef4d72..fb90fe994e41c7 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -41,43 +41,8 @@ release. -25.8.1
-25.8.0
-25.7.0
-25.6.1
-25.6.0
-25.5.0
-25.4.0
-25.3.0
-25.2.1
-25.2.0
-25.1.0
-25.0.0
- - -24.14.0
-24.13.1
-24.13.0
-24.12.0
-24.11.1
-24.11.0
-24.10.0
-24.9.0
-24.8.0
-24.7.0
-24.6.0
-24.5.0
-24.4.1
-24.4.0
-24.3.0
-24.2.0
-24.1.0
-24.0.2
-24.0.1
-24.0.0
- - -22.22.1
+22.22.2
+22.22.1
22.22.0
22.21.1
22.21.0
diff --git a/doc/changelogs/CHANGELOG_V22.md b/doc/changelogs/CHANGELOG_V22.md index 26cdbb7b89535d..31d0fd9dcecf1a 100644 --- a/doc/changelogs/CHANGELOG_V22.md +++ b/doc/changelogs/CHANGELOG_V22.md @@ -9,6 +9,7 @@ +22.22.2
22.22.1
22.22.0
22.21.1
@@ -72,6 +73,41 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) + + +## 2026-03-24, Version 22.22.2 'Jod' (LTS), @RafaelGSS prepared by @aduh95 + +This is a security release. + +### Notable Changes + +* (CVE-2026-21637) wrap `SNICallback` invocation in `try`/`catch` (Matteo Collina) - High +* (CVE-2026-21710) use null prototype for `headersDistinct`/`trailersDistinct` (Matteo Collina) - High +* (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) - Medium +* (CVE-2026-21714) handle `NGHTTP2_ERR_FLOW_CONTROL` error code (RafaelGSS) - Medium +* (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium +* (CVE-2026-21715) add permission check to `realpath.native` (RafaelGSS) - Low +* (CVE-2026-21716) include permission check on `lib/fs/promises` (RafaelGSS) - Low + +### Commits + +* \[[`6f14ee5101`](https://github.com/nodejs/node/commit/6f14ee5101)] - **(CVE-2026-21717)** **build,test**: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#809](https://github.com/nodejs-private/node-private/pull/809) +* \[[`52a52ef619`](https://github.com/nodejs/node/commit/52a52ef619)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/pull/822) +* \[[`30a3ab11e2`](https://github.com/nodejs/node/commit/30a3ab11e2)] - **(CVE-2026-21717)** **deps**: V8: cherry-pick aac14dd95e5b (Joyee Cheung) [nodejs-private/node-private#809](https://github.com/nodejs-private/node-private/pull/809) +* \[[`e3f4d6a42e`](https://github.com/nodejs/node/commit/e3f4d6a42e)] - **(CVE-2026-21717)** **deps**: V8: backport 1361b2a49d02 (Joyee Cheung) [nodejs-private/node-private#809](https://github.com/nodejs-private/node-private/pull/809) +* \[[`7dc00fa5f4`](https://github.com/nodejs/node/commit/7dc00fa5f4)] - **(CVE-2026-21717)** **deps**: V8: backport 185f0fe09b72 (Joyee Cheung) [nodejs-private/node-private#809](https://github.com/nodejs-private/node-private/pull/809) +* \[[`076acd052d`](https://github.com/nodejs/node/commit/076acd052d)] - **(CVE-2026-21717)** **deps**: V8: backport 0a8b1cdcc8b2 (snek) [nodejs-private/node-private#809](https://github.com/nodejs-private/node-private/pull/809) +* \[[`963c60a951`](https://github.com/nodejs/node/commit/963c60a951)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344) +* \[[`a688117d5d`](https://github.com/nodejs/node/commit/a688117d5d)] - **deps**: upgrade npm to 10.9.7 (npm team) [#62330](https://github.com/nodejs/node/pull/62330) +* \[[`859c8c761b`](https://github.com/nodejs/node/commit/859c8c761b)] - **deps**: update undici to v6.24.1 (Matteo Collina) [#62285](https://github.com/nodejs/node/pull/62285) +* \[[`d5ed384a2f`](https://github.com/nodejs/node/commit/d5ed384a2f)] - **deps**: upgrade npm to 10.9.6 (npm team) [#62215](https://github.com/nodejs/node/pull/62215) +* \[[`a2fe9fd81a`](https://github.com/nodejs/node/commit/a2fe9fd81a)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821) +* \[[`73deff77c1`](https://github.com/nodejs/node/commit/73deff77c1)] - **lib**: backport `_tls_common` and `_tls_wrap` refactors (Dario Piotrowicz) [#57643](https://github.com/nodejs/node/pull/57643) +* \[[`06fc3436f6`](https://github.com/nodejs/node/commit/06fc3436f6)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/pull/795) +* \[[`db48d9c675`](https://github.com/nodejs/node/commit/db48d9c675)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/pull/794) +* \[[`2a6105a63b`](https://github.com/nodejs/node/commit/2a6105a63b)] - **(CVE-2026-21714)** **src**: handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832) +* \[[`91b970886f`](https://github.com/nodejs/node/commit/91b970886f)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/pull/819) + ## 2026-03-05, Version 22.22.1 'Jod' (LTS), @marco-ippolito prepared by @aduh95 From 141d9f15b2ff2860ffb0b10e730a783f587dee7c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Juan=20Jos=C3=A9=20Arboleda?= Date: Mon, 16 Mar 2026 12:02:03 -0500 Subject: [PATCH 5/7] 2026-03-24, Version 24.14.1 'Krypton' (LTS) This is a security release. Notable changes: build,deps,test: * (CVE-2026-21717) test array index hash collision crypto: * (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC http: * (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct permission: * (CVE-2026-21716) include permission check on lib/fs/promises * (CVE-2026-21715) add permission check to realpath.native src: * (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code * (CVE-2026-21712) handle url crash on different url formats tls: * (CVE-2026-21637) wrap SNICallback invocation in try/catch PR-URL: https://github.com/nodejs-private/node-private/pull/837 --- CHANGELOG.md | 52 ++++++++++++++++++++++++--------- doc/changelogs/CHANGELOG_V24.md | 38 ++++++++++++++++++++++++ 2 files changed, 77 insertions(+), 13 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fb90fe994e41c7..1110a05deea60b 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -41,19 +41,45 @@ release. -22.22.2
-22.22.1
-22.22.0
-22.21.1
-22.21.0
-22.20.0
-22.19.0
-22.18.0
-22.17.1
-22.17.0
-22.16.0
-22.15.1
-22.15.0
+24.14.1
+24.14.0
+24.13.1
+24.13.0
+24.12.0
+24.11.1
+24.11.0
+24.10.0
+24.9.0
+24.8.0
+24.7.0
+24.6.0
+24.5.0
+24.4.1
+24.4.0
+24.3.0
+24.2.0
+24.1.0
+24.0.2
+24.0.1
+24.0.0
+ + +23.11.0
+23.10.0
+23.9.0
+23.8.0
+23.7.0
+23.6.1
+23.6.0
+23.5.0
+23.4.0
+23.3.0
+23.2.0
+23.1.0
+23.0.0
+ + +22.15.0
22.14.0
22.13.1
22.13.0
diff --git a/doc/changelogs/CHANGELOG_V24.md b/doc/changelogs/CHANGELOG_V24.md index 20030588bc28d2..3d20e759b4d8a4 100644 --- a/doc/changelogs/CHANGELOG_V24.md +++ b/doc/changelogs/CHANGELOG_V24.md @@ -9,6 +9,7 @@ +24.14.1
24.14.0
24.13.1
24.13.0
@@ -62,6 +63,43 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) + + +## 2026-03-24, Version 24.14.1 'Krypton' (LTS), @RafaelGSS prepared by @juanarbol + +This is a security release. + +### Notable Changes + +* (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High +* (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High +* (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium +* (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium +* (CVE-2026-21714) handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) - Medium +* (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium +* (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low +* (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low + +### Commits + +* \[[`6fae244080`](https://github.com/nodejs/node/commit/6fae244080)] - **(CVE-2026-21717)** **build,test**: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) +* \[[`cc0910c62e`](https://github.com/nodejs/node/commit/cc0910c62e)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/pull/822) +* \[[`80cb042cf3`](https://github.com/nodejs/node/commit/80cb042cf3)] - **deps**: update undici to 7.24.4 (Node.js GitHub Bot) [#62271](https://github.com/nodejs/node/pull/62271) +* \[[`f5b8667dc2`](https://github.com/nodejs/node/commit/f5b8667dc2)] - **deps**: update undici to 7.24.3 (Node.js GitHub Bot) [#62233](https://github.com/nodejs/node/pull/62233) +* \[[`08852637d9`](https://github.com/nodejs/node/commit/08852637d9)] - **deps**: update undici to 7.22.0 (Node.js GitHub Bot) [#62035](https://github.com/nodejs/node/pull/62035) +* \[[`61097db9fb`](https://github.com/nodejs/node/commit/61097db9fb)] - **deps**: upgrade npm to 11.11.0 (npm team) [#61994](https://github.com/nodejs/node/pull/61994) +* \[[`9ac0f9f81e`](https://github.com/nodejs/node/commit/9ac0f9f81e)] - **deps**: upgrade npm to 11.10.1 (npm team) [#61892](https://github.com/nodejs/node/pull/61892) +* \[[`3dab3c4698`](https://github.com/nodejs/node/commit/3dab3c4698)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344) +* \[[`87521e99d1`](https://github.com/nodejs/node/commit/87521e99d1)] - **deps**: V8: backport 1361b2a49d02 (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) +* \[[`045013366f`](https://github.com/nodejs/node/commit/045013366f)] - **deps**: V8: backport 185f0fe09b72 (Joyee Cheung) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) +* \[[`af22629ea8`](https://github.com/nodejs/node/commit/af22629ea8)] - **deps**: V8: backport 0a8b1cdcc8b2 (snek) [nodejs-private/node-private#828](https://github.com/nodejs-private/node-private/pull/828) +* \[[`380ea72eef`](https://github.com/nodejs/node/commit/380ea72eef)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821) +* \[[`d6b6051e08`](https://github.com/nodejs/node/commit/d6b6051e08)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/pull/795) +* \[[`bfdecef9da`](https://github.com/nodejs/node/commit/bfdecef9da)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/pull/794) +* \[[`c015edf313`](https://github.com/nodejs/node/commit/c015edf313)] - **(CVE-2026-21714)** **src**: handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832) +* \[[`cba66c48a5`](https://github.com/nodejs/node/commit/cba66c48a5)] - **(CVE-2026-21712)** **src**: handle url crash on different url formats (RafaelGSS) [nodejs-private/node-private#816](https://github.com/nodejs-private/node-private/pull/816) +* \[[`df8fbfb93d`](https://github.com/nodejs/node/commit/df8fbfb93d)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/pull/819) + ## 2026-02-24, Version 24.14.0 'Krypton' (LTS), @ruyadorno prepared by @aduh95 From d88a46aa280c72a00dbee6171abf9469c3694e13 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Fri, 20 Mar 2026 14:29:07 -0300 Subject: [PATCH 6/7] 2026-03-24, Version 25.8.2 (Current) This is a security release. Notable changes: build,deps,test: * (CVE-2026-21717) test array index hash collision crypto: * (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC http: * (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct permission: * (CVE-2026-21711) include permission check to pipe_wrap.cc * (CVE-2026-21716) include permission check on lib/fs/promises * (CVE-2026-21715) add permission check to realpath.native src: * (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code * (CVE-2026-21712) handle url crash on different url formats tls: * (CVE-2026-21637) wrap SNICallback invocation in try/catch PR-URL: https://github.com/nodejs-private/node-private/pull/843 --- CHANGELOG.md | 15 ++++++++++++++ doc/changelogs/CHANGELOG_V25.md | 35 +++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1110a05deea60b..7c51f7ebf6cfac 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -41,6 +41,21 @@ release. +25.8.2
+25.8.1
+25.8.0
+25.7.0
+25.6.1
+25.6.0
+25.5.0
+25.4.0
+25.3.0
+25.2.1
+25.2.0
+25.1.0
+25.0.0
+ + 24.14.1
24.14.0
24.13.1
diff --git a/doc/changelogs/CHANGELOG_V25.md b/doc/changelogs/CHANGELOG_V25.md index 57e64d0202a542..fbd24d6c72f2f8 100644 --- a/doc/changelogs/CHANGELOG_V25.md +++ b/doc/changelogs/CHANGELOG_V25.md @@ -8,6 +8,7 @@ +25.8.2
25.8.1
25.8.0
25.7.0
@@ -51,6 +52,40 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) + + +## 2026-03-24, Version 25.8.2 (Current), @RafaelGSS + +This is a security release. + +### Notable Changes + +* (CVE-2026-21637) wrap `SNICallback` invocation in `try`/`catch` (Matteo Collina) - High +* (CVE-2026-21710) use null prototype for `headersDistinct`/`trailersDistinct` (Matteo Collina) - High +* (CVE-2026-21711) include permission check to `pipe_wrap.cc` (RafaelGSS) - Medium +* (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium +* (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium +* (CVE-2026-21714) handle `NGHTTP2_ERR_FLOW_CONTROL` error code (RafaelGSS) - Medium +* (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium +* (CVE-2026-21715) add permission check to `realpath.native` (RafaelGSS) - Low +* (CVE-2026-21716) include permission check on `lib/fs/promises` (RafaelGSS) - Low + +### Commits + +* \[[`2086b7477b`](https://github.com/nodejs/node/commit/2086b7477b)] - **(CVE-2026-21717)** **build,test**: test array index hash collision (Joyee Cheung) [nodejs-private/node-private#834](https://github.com/nodejs-private/node-private/pull/834) +* \[[`0f9332a40a`](https://github.com/nodejs/node/commit/0f9332a40a)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) [nodejs-private/node-private#822](https://github.com/nodejs-private/node-private/pull/822) +* \[[`2b6937ddb2`](https://github.com/nodejs/node/commit/2b6937ddb2)] - **deps**: update undici to 7.24.4 (Node.js GitHub Bot) [#62271](https://github.com/nodejs/node/pull/62271) +* \[[`bfb8ad5787`](https://github.com/nodejs/node/commit/bfb8ad5787)] - **deps**: update undici to 7.24.3 (Node.js GitHub Bot) [#62233](https://github.com/nodejs/node/pull/62233) +* \[[`be6384727f`](https://github.com/nodejs/node/commit/be6384727f)] - **deps**: upgrade npm to 11.11.1 (npm team) [#62216](https://github.com/nodejs/node/pull/62216) +* \[[`2feea5bb97`](https://github.com/nodejs/node/commit/2feea5bb97)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344) +* \[[`86c04784dd`](https://github.com/nodejs/node/commit/86c04784dd)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821) +* \[[`5197a56a34`](https://github.com/nodejs/node/commit/5197a56a34)] - **(CVE-2026-21711)** **permission**: include permission check to pipe\_wrap.cc (RafaelGSS) [nodejs-private/node-private#820](https://github.com/nodejs-private/node-private/pull/820) +* \[[`04a886c735`](https://github.com/nodejs/node/commit/04a886c735)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#795](https://github.com/nodejs-private/node-private/pull/795) +* \[[`9a7f80f2b0`](https://github.com/nodejs/node/commit/9a7f80f2b0)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#794](https://github.com/nodejs-private/node-private/pull/794) +* \[[`d9c9b628cf`](https://github.com/nodejs/node/commit/d9c9b628cf)] - **(CVE-2026-21714)** **src**: handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832) +* \[[`45b55dc786`](https://github.com/nodejs/node/commit/45b55dc786)] - **(CVE-2026-21712)** **src**: handle url crash on different url formats (RafaelGSS) [nodejs-private/node-private#816](https://github.com/nodejs-private/node-private/pull/816) +* \[[`4bfda307c0`](https://github.com/nodejs/node/commit/4bfda307c0)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#819](https://github.com/nodejs-private/node-private/pull/819) + ## 2026-03-11, Version 25.8.1 (Current), @aduh95 From 7be0e28b6800ee0d06a9194e5a81123fdf589375 Mon Sep 17 00:00:00 2001 From: Marco Ippolito Date: Thu, 19 Mar 2026 13:29:55 +0100 Subject: [PATCH 7/7] 2026-03-24, Version 20.20.2 'Iron' (LTS) This is a security release. Notable changes: crypto: * (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC deps: * update undici to v6.24.1 * (CVE-2026-21717) fix array index hash collision http: * (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct permission: * (CVE-2026-21716) include permission check on lib/fs/promises * (CVE-2026-21715) add permission check to realpath.native src: * (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code tls: * (CVE-2026-21637) wrap SNICallback invocation in try/catch PR-URL: https://github.com/nodejs-private/node-private/pull/842 --- CHANGELOG.md | 3 ++- doc/changelogs/CHANGELOG_V20.md | 29 +++++++++++++++++++++++++++++ 2 files changed, 31 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 7c51f7ebf6cfac..9f93f5dc6e1142 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -115,7 +115,8 @@ release. 22.0.0
-20.20.1
+20.20.2
+20.20.1
20.20.0
20.19.6
20.19.5
diff --git a/doc/changelogs/CHANGELOG_V20.md b/doc/changelogs/CHANGELOG_V20.md index 5aad80bc24779c..a091c0a06d5c89 100644 --- a/doc/changelogs/CHANGELOG_V20.md +++ b/doc/changelogs/CHANGELOG_V20.md @@ -9,6 +9,7 @@ +20.20.2
20.20.1
20.20.0
20.19.6
@@ -82,6 +83,34 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) + + +## 2026-03-24, Version 20.20.2 'Iron' (LTS), @marco-ippolito + +This is a security release. + +### Notable Changes + +* (CVE-2026-21717) fix array index hash collision (Joyee Cheung) +* (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) +* (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) +* (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) +* (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) +* (CVE-2026-21714) handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) +* (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) + +### Commits + +* \[[`cfb51fa9ce`](https://github.com/nodejs/node/commit/cfb51fa9ce)] - **(CVE-2026-21713)** **crypto**: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) [nodejs-private/node-private#831](https://github.com/nodejs-private/node-private/pull/831) +* \[[`f333d0be5f`](https://github.com/nodejs/node/commit/f333d0be5f)] - **deps**: V8: override `depot_tools` version (Richard Lau) [#62344](https://github.com/nodejs/node/pull/62344) +* \[[`2acd5d1226`](https://github.com/nodejs/node/commit/2acd5d1226)] - **deps**: update undici to v6.24.1 (Matteo Collina) [#62285](https://github.com/nodejs/node/pull/62285) +* \[[`af5c144ebc`](https://github.com/nodejs/node/commit/af5c144ebc)] - **(CVE-2026-21717)** **deps,build,test**: fix array index hash collision (Joyee Cheung) [nodejs-private/node-private#834](https://github.com/nodejs-private/node-private/pull/834) +* \[[`00ad47a28e`](https://github.com/nodejs/node/commit/00ad47a28e)] - **(CVE-2026-21710)** **http**: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://github.com/nodejs-private/node-private/pull/821) +* \[[`0123309566`](https://github.com/nodejs/node/commit/0123309566)] - **(CVE-2026-21716)** **permission**: include permission check on lib/fs/promises (RafaelGSS) [nodejs-private/node-private#840](https://github.com/nodejs-private/node-private/pull/840) +* \[[`00830712bc`](https://github.com/nodejs/node/commit/00830712bc)] - **(CVE-2026-21715)** **permission**: add permission check to realpath.native (RafaelGSS) [nodejs-private/node-private#838](https://github.com/nodejs-private/node-private/pull/838) +* \[[`a0c73425da`](https://github.com/nodejs/node/commit/a0c73425da)] - **(CVE-2026-21714)** **src**: handle NGHTTP2\_ERR\_FLOW\_CONTROL error code (RafaelGSS) [nodejs-private/node-private#832](https://github.com/nodejs-private/node-private/pull/832) +* \[[`cc3f294507`](https://github.com/nodejs/node/commit/cc3f294507)] - **(CVE-2026-21637)** **tls**: wrap SNICallback invocation in try/catch (Matteo Collina) [nodejs-private/node-private#839](https://github.com/nodejs-private/node-private/pull/839) + ## 2026-03-05, Version 20.20.1 'Iron' (LTS), @marco-ippolito