Last 7 days
0
Features: 0
Changes: 0
Fixes: 0
Deprecations: 0
JavaScript runtime for servers and tools.
Latest Node.js changelog updates, official release notes, breaking changes, security patches, pricing changes, and developer reactions in one product feed.
Follow this Node.js release-notes page to spot useful features, risky migrations, noisy announcements, and source links before they hit your backlog.
Changes.Watch links back to official changelog and release-note sources so summaries stay easy to verify.
Use channels to follow groups of tools around a stack, workflow, or topic.
Rolling windows show how many product updates landed in the last 7, 30, 90, and 365 days, grouped by existing changelog semantics.
0
6
14
Introduced numerous new APIs and enhancements: caller‑supplied readFile buffers, synchronous dgram connect/bind, TCP KEEPINTVL/KEEPCNT in net.setKeepAlive, TLS certificateCompression option, HTTP idle‑socket cleanup, loader package maps,...
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
58
Updated crypto subsystem: new root certificates (NSS 3.123.1), added TurboSHAKE, KangarooTwelve, ML‑KEM and other algorithms, hardened WebCrypto checks and unified key import handling.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed unexpected behavior introduced by the prior security release (22.23.0).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple high‑severity security bugs in TLS, crypto, HTTP/2, DNS, and permission handling (e.g., hostname normalization, WebCrypto output length guard, SNI case‑sensitivity)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Strengthened TLS and DNS security: hostname normalization for server identity, case‑sensitive SNI fix, rejecting hostnames with embedded NUL bytes, and binding reusable sessions to authenticated hosts.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
TLS hardening: normalize hostnames for server identity, fix case‑sensitive SNI matching, and bind reusable sessions to authenticated hosts
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Increase Buffer.poolSize default to 64 KiB and add new Buffer‑related improvements; introduce httpValidation option for stricter header validation and permission.drop API; upgrade crypto root certificates to NSS 3.123.1, harden WebCrypto...
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Implemented crypto.randomUUIDv7() and added Ed25519 context support along with key usage deduplication;
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added new minor features: Temporal.Instant support in fs Stats/BigIntStats, writeInformation for arbitrary 1xx HTTP status codes, and marked stream.compose as stable
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple security issues including a crypto null‑pointer dereference, URL parsing crash for malformed UNC hostnames, a zlib use‑after‑free on reset, HTTP keep‑alive socket reuse race, and an HTTP/2 file‑handle leak
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Security release updates bundled dependencies and runtime patches.
Community ratings: 32 Useful, 1 Noise, 10 Risky, 1 Broke, 6 Try.
Add experimental node:ffi module for loading native libraries (requires --experimental-ffi flag and appropriate permission; API is unsafe).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Temporal API is now enabled by default, providing a modern date‑time API;
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added new CLI options (max-heap-size, require module handling) and stabilized require(esm) and module compile cache.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Test runner mock module API unified via MockModuleOptions.exports with automated migration support.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Wrapped SNICallback in try/catch and added timing‑safe HMAC/KMAC comparisons, null‑prototype header objects, and permission checks for pipe, realpath.native, and fs/promises to address several high‑severity CVEs
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix multiple high‑ and medium‑severity CVEs (e.g., null‑prototype headers, SNICallback try/catch, array index hash collision, timing‑safe crypto comparisons, NGHTTP2 flow‑control handling, URL format crash, permission checks for fs.promi...
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Wrap SNICallback invocation in a try/catch to mitigate crashes (CVE‑2026‑21637).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple CVE‑related vulnerabilities including array index hash collisions, timing‑side‑channel issues in Web Crypto HMAC/KMAC, and unsafe header prototypes
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed critical bugs such as use‑after‑free in http, extension‑less CJS handling in ES modules, importKey argument checks, and several stream and crypto issues.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated crypto root certificates to NSS 3.119/3.117 and corrected RSA‑PSS saltLength default, enhancing TLS security
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Build system now tests on Python 3.14 and adds sccache persistence improvements.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added a limits property to SQLite DatabaseSync, C++ support for diagnostics channels, and a permission audit API.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Add http1Options and strictSingleValueFields options to http2 for HTTP/1 fallback and relaxed header validation
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Add new options and APIs: async_hooks.trackPromises, fs.watch ignore, http.setGlobalProxyFromEnv, module subpath imports starting with '/', stream.bytes() consumer, and test runner env and fail‑expectation options.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Replaced the CJS module lexer with the new merve parser
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added Python 3.14 support and updated build scripts for the new interpreter
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added trackPromises option to async_hooks.createHook() for better promise tracking.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added LIEF dependency and tooling, introduced ignore option for fs.watch, enabled SQLite defensive mode by default, and added direct SEA build support with Node.js binary.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added new stable APIs and utilities (require module handling, http.setGlobalProxyFromEnv, convertProcessSignalToExitCode, subpath imports with leading slash, V8.queryObjects)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Implemented multiple CVE fixes: added TLSSocket default error handler, network checks on pipe/wrap connect, stricter symlink read/write permissions, disabled futimes under permission model, rethrown stack overflow exceptions in async hoo...
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Add TLSSocket default error handler (CVE‑2025‑59465) and route TLS callback exceptions through error handlers (CVE‑2026‑21637).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Imported from changelog source; review and generate a concise summary before publishing.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple CVE vulnerabilities (disabled futimes with permission model, added TLSSocket default error handler, required full read/write for symlink APIs, rethrown stack overflow in async hooks, removed zero‑fill toggle from unsafe bu...
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added new runtime options such as http.optimizeEmptyRequests, watch config namespace, portable compile‑cache flag, sqlite defensive flag, and inspector inspection ability
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated crypto root certificates to NSS 3.114/3.116 and added security escalation and incident response documentation.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Reverts previous change that threw errors on localStorage access, restoring prior behavior
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added configurable options to util.deprecate and marked type‑stripping as a stable module feature.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed Buffer.allocUnsafe to return uninitialized memory as documented, resolving a known issue.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Add http server option optimizeEmptyRequests, SQLite defensive flag, and watch config namespace; introduce optional disabling of source‑phase imports and experimental IsolateGroups support
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Add passive listener spec compliance and extend SPrintF functions to accept std::string_view, enhancing API flexibility.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Node.js 24.x transitions to LTS (codename Krypton) with support through April 2028.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added built‑in proxy support (CLI env proxy, HTTP/HTTPS request and Agent) and a new `shouldUpgradeCallback` for server‑controlled HTTP upgrades.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgrade to V8 14.1 adds faster JSON.stringify, built‑in Uint8Array base64/hex conversion, WebAssembly JSPI and other JIT optimizations.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added per‑stream `inspectOptions` to the console API.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Add `shouldUpgradeCallback` to HTTP server API, enabling servers to control protocol upgrades and fixing related HTTP/2 upgrade handling.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Update bundled OpenSSL to 3.5.2, extending Node.js 22.x security support through 2027 and updating root certificates to NSS 3.114
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added Chrome DevTools network inspection for HTTP/2 calls in Node.js
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed a SHAKE128/256 crypto bug introduced by OpenSSL 3.4, restoring correct hashing behavior.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Introduce new CLI options (NODE_USE_SYSTEM_CA, ${pid} placeholder) and a threadCpuUsage API.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added post‑quantum cryptography support (ML KEM, ML DSA) via new crypto.encapsulate/decapsulate methods and extended Web Crypto API with algorithms like AES‑OCB, ChaCha20‑Poly1305, SHA‑3, SHAKE, etc.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Add NODE_USE_SYSTEM_CA=1 flag to CLI for using system‑provided TLS root certificates.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgrade Node.js to ship OpenSSL 3.5.1, extending TLS support and security updates.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Enabled experimental type stripping by default, allowing Node.js to execute TypeScript files without extra configuration (can be disabled with --no-experimental-strip-types).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed CVE‑2025‑27210: prevented Windows reserved device names (CON, PRN, AUX) from bypassing path.normalize() protection.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
- Fixed CVE‑2025‑27210 by handling Windows reserved device names (CON, PRN, AUX) and tightening path.normalize() traversal protection.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Patched CVE-2025-27209: mitigated HashDoS in V8 by reverting recent rapidhash changes.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added crypto.hash outputLength option for XOF functions and fixed SHAKE128/256 compatibility with OpenSSL 3.4.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Deprecate instantiating node:http classes without new, passing an empty string to options.shell, and HTTP/2 priority signaling; future versions may error or remove them.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added async iterator handling for burst file system events and introduced the fileURLToPathBuffer API in the URL module.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Graduated WebCryptoAPI Ed25519 and X25519 algorithms to stable and added support for zero‑length HKDF/PBKDF2 and non‑byte‑aligned deriveBits in SubtleCrypto
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Remove HTTP/2 priority signaling (breaking change) and deprecate related APIs
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added explicit Dir resource management and URL support for fs.glob's cwd option (SEMVER minor feature).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Graduated multiple experimental APIs to stable, including import.meta properties, top‑level Wasm, SQLite StatementSync.columns(), and default node.config.json support;
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix error handling for async crypto operations to address CVE‑2025‑23166
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix CVE-2025-23166 by correcting error handling on async crypto operations
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed error handling in async crypto operations (CVE‑2025‑23166).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix error handling on async crypto operations (CVE‑2025‑23166) – introduces breaking changes.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Reverted the SlowBuffer move to End‑of‑Life.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgrade to V8 13.6 and npm 11, bringing new language features (Float16Array, explicit resource management, RegExp.escape, WebAssembly Memory64, Error.isError) and performance/security improvements.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Enhanced the assertion library with partial error comparison, faster partialDeepStrictEqual, and exposed diff utilities.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Imported from changelog source; review and generate a concise summary before publishing.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added partial error comparison and diff support to assert utilities, exposing a diff function for clearer assertion errors.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgrade OpenSSL to 3.0.16 and refresh root certificates to NSS 3.108, improving TLS security
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added experimental node.config.json support for default flag configuration in test runner and other features
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Enabled require(esm) and module syntax detection by default, removing experimental flags and warnings (can be disabled with no‑experimental options).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
- Added TLSA record query and parsing support in the dns module (new feature).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated crypto root certificates to NSS 3.107 and added OpenSSL 3.4 compatibility – security fix
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added support for using the system CA certificates store on macOS and Windows via a new flag in the crypto module
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Imported from changelog source; review and generate a concise summary before publishing.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
- ESM modules reach stability: import attributes and JSON module are now stable, plus fallback importer and import‑assertion fixes.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated crypto root certificates to NSS 3.107 and made prime generation/check interruptible, enhancing security
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed HTTP/2 memory leak on premature connection close and addressed ERR_PROTO issues (CVE‑2025‑23085).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix multiple CVEs: internal worker permission check (CVE‑2025‑23083), HTTP/2 memory leak and ERR_PROTO (CVE‑2025‑23085), and Windows path traversal in normalize() (CVE‑2025‑23084)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Throw on InternalWorker usage when permission model is enabled (CVE‑2025‑23083)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added permission check that throws on InternalWorker usage when the permission model is enabled (CVE‑2025‑23083).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Permission model status upgraded from Active Development to Stable.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Enabled experimental strip types flag by default, allowing Node.js to execute TypeScript files via STDIN eval and worker eval input (experimental).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
WebCrypto API Ed25519 and X25519 algorithms are now stable, eliminating ExperimentalWarning
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Adds experimental `assert.partialDeepStrictEqual` for partial deep equality checks in tests.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Enabled experimental require(esm) by default in v22.x, removing ERR_REQUIRE_ESM and adding warnings/ERR_REQUIRE_ASYNC_MODULE handling;
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added a CLI flag to preserve environment variables during dr and enhanced util.getCallSites with sourcemap support; both are new features.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added new benchmark suites (TypeScript, dotenv, ESM detection, ASCII file read) and improved existing benchmarks (deepEqual config, no‑warnings mode).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Imported from changelog source; review and generate a concise summary before publishing.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Imported from changelog source; review and generate a concise summary before publishing.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Node.js 22.x moves to Active LTS (codename 'Jod') with support through April 2027.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Buffer now correctly resizes when backed by a resizable ArrayBuffer
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Introduce a new "module sync" exports condition for packages to provide a synchronous ES module when require(esm) is enabled, easing the CJS/ESM transition.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Enable require(esm) by default, making ESM loading the standard behavior
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added experimental network inspection support for http/https modules via a flag
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added util.getCallSite() API for retrieving the current execution stack trace.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added `module.enableCompileCache()` API for on‑disk compile caching of modules, replacing the NODE_COMPILE_CACHE env var requirement.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added experimental `--experimental-transform-types` flag enabling TypeScript‑only syntax (enums, namespaces) transformation and default module‑syntax detection for ambiguous .js files.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Adds experimental `require()` support for synchronous ESM modules, loading them as namespace objects when criteria are met.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added experimental "strip types" flag for inline TypeScript type annotation removal, with import handling and file‑extension requirements;
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Introduce process.getBuiltinModule(id) to synchronously load Node.js built‑in modules, bypassing require cache modifications.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix regression from 22.5.0 that caused V8 Object creation context crashes
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added new APIs such as http websockets exposure, path.matchesGlob, worker.postMessageToThread, and the node:sqlite module with ES‑module support flag;
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Patched multiple security vulnerabilities (CVE‑2024‑36138, CVE‑2024‑27980, CVE‑2024‑22020, CVE‑2024‑22018, CVE‑2024‑36137, CVE‑2024‑37372) affecting network imports, permission model, and UNC path handling.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
- Fixed multiple security vulnerabilities (CVE‑2024‑36138,‑27980,‑22020,‑22018,‑36137,‑37372) affecting network imports, permission model, UNC paths, and fs operations
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixes CVE-2024-36138 and CVE-2024-27980 vulnerabilities
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added experimental Web Storage API, diagnostics channel events to module loading, and extended util.parseArgs with a `no` flag (new features).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Imported from changelog source; review and generate a concise summary before publishing.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added new APIs such as Buffer.bytes(), process.getBuiltinModule(id), EventSource client, and enriched the test runner with snapshot testing, context.fullName, and module mocking support.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Async APIs now throw errors asynchronously, improving error handling.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix regression in http.server.close() that incorrectly closed idle connections
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
CLI now supports running WebAssembly with limited virtual memory and an option to disable the wasm trap handler
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Revert the change that added npm PowerShell script installation on Windows to fix a regression.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Boosted base64/base64url encoding performance and added stack traces to fs/promises errors.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Introduced NODE_COMPILE_CACHE environment variable enabling automatic on‑disk V8 code caching for faster module reloads
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added require() for synchronous ESM graphs, enabled WebSocket client by default, new CLI `node run <script>` and built‑in glob/globSync APIs;
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix CVE‑2024‑27980: command injection vulnerability in child_process.spawn on Windows
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix CVE‑2024‑27980: command injection via child_process.spawn args on Windows
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed CVE‑2024‑27980 command injection in child_process.spawn on Windows
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix high‑severity CVE‑2024‑27983 HTTP/2 server crash and medium‑severity CVE‑2024‑27982 request smuggling
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed high‑severity HTTP/2 server crash (CVE‑2024‑27983) by addressing an assertion failure in Http2Session
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix critical HTTP/2 server crash (CVE‑2024‑27983) and medium‑severity request smuggling (CVE‑2024‑27982)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
- Added crypto.hash() helper, new process.loadEnvFile/util.parseEnv helpers, and three new net connection attempt events.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added import attributes to replace import assertions and deprecated the `assert` keyword; introduced `dirent.parentPath` replacing `dirent.path`.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Reverted change 51389 to restore t.after() hook execution on empty tests, fixing cleanup behavior
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Add util.styleText for color and emphasis styling; new env utilities (process.loadEnvFile, util.parseEnv) with multiline .env support
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple high‑severity vulnerabilities (CVE‑2024‑21892, 2024‑22019, 2024‑21896, 2024‑22017) and several medium‑severity issues.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple high‑severity security vulnerabilities (CVE‑2024‑21892, 22019, 21896, 22017, etc.) including code injection, privilege escalation, DoS, and path‑traversal bugs
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Patched high and medium severity CVEs (CVE‑2024‑21892, 2024‑22019, 2023‑46809, 2024‑22025) by tightening crypto defaults and request size limits
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed a bug in undici when using WebStreams
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added three new net connection attempt events (connectionAttempt, connectionAttemptFailed, connectionAttemptTimeout) and fixed a bug that could trigger an assertion on failed attempts.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
- Added new ESM capabilities including import.meta.dirname/filename, shadow‑realm module loader bootstrapping, and removal of the obsolete useCustomLoadersIfPresent flag.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added simdjson support, moved the package resolver to C++ and introduced experimental feature flags for the Node API.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix regression in fs.writeFileSync when using 'utf8' encoding without a flag and the target file does not exist
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Introduce a new "--disable-warning" flag allowing users to silence specific warning codes or types (e.g., DEP0025, DeprecationWarning).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Bundled npm upgraded to v10.2.3, providing npm 10 support across all release lines.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added experimental flags --experimental-default-type and --experimental-detect-module to control default module behavior and auto‑detect ES module syntax for ambiguous files
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added import.meta.dirname and import.meta.filename to ESM; introduced new navigator properties (language, languages, platform) and a CLI flag to disable experimental global navigator
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Node.js 20.x enters Active LTS (codename "Iron") until October 2024, then moves to Maintenance until April 2026.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Introduces experimental `--detect-module` flag to auto-detect and run ESM syntax in ambiguous .js or extensionless files, with plans to make it default later.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Node.js 21 ships with V8 11.8, stabilizes fetch and WebStreams, and adds a new experimental flag to default modules to ES‑M (default‑type)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple high‑severity CVEs (nghttp2, undici, path traversal, integrity check bypass, code injection) in version 20.8.1
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Patched multiple CVEs (nghttp2, undici, integrity check bypass, Wasm export name injection) spanning high to low severity
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Reverted libuv 1.45.0/1.46.0 updates introduced in Node 18.18.0 to fix regressions affecting Windows file handling and webpack thread loader
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Stream API performance improved: writable/readable stream creation/destruction ~15% faster, webstream readable async iterator ~140% and pipeTo ~60% faster
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added ESM import flag, abortSignal listener support, autoSelectFamily getter/setter, and initial Symbol.dispose/asyncDispose implementations across core modules (fs, stream, dgram, net, etc.)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added support for multiple .env file declarations and multiple allow‑fs flags for permissions.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix ESM loader to correctly load CommonJS modules
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Add native .env file support for loading environment variables and NODE_OPTIONS via a CLI flag
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Patched multiple high‑, medium‑ and low‑severity CVEs that bypass Node.js permission model (e.g., module load, process.binding, Buffer paths).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed policy bypass CVEs (CVE‑2023‑32002, 32006, 32559) by tightening Module loading and process.binding handling
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple policy bypass CVEs (2023‑32002, 2023‑32006, 2023‑32559)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added abort‑signal safety APIs and abortable support (addAbortListener, asyncDispose, Symbol.dispose) across core modules like events, dgram, http2, net, stream, and timers (SEMVER minor).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Integrated Ada 2.0 as the new URL parser, delivering significant performance gains and eliminating the ICU requirement; added URL.canParse API.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added MockTimers API to reliably mock setTimeout/setInterval across globals, node:timers, and node:timers/promises with time‑advancing controls
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple high‑ and medium‑severity CVEs (CVE‑2023‑30581, ‑30585, ‑30588, ‑30589, ‑30590) and several c‑ares security issues
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple high and medium severity CVEs affecting the experimental permission model, OpenSSL handling, and HTTP request processing
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple CVEs (CVE‑2023‑30581, 30585, 30588, 30589, 30590) and several c‑ares vulnerabilities
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgrade libuv to 1.45.0 with major Linux file‑system performance improvements and refresh many core dependencies (openssl, zlib, etc.).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
- HTTP module now blocks writing to the response body when the HTTP spec disallows it (SEMVER MINOR).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added several new FS, DNS, HTTP, and stream features (recursive readdir/opendir, cp mode flag, dns.getDefaultResultOrder, http.createServer highWaterMark, stream.compose object mode preservation).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
- Adds experimental Permission Model, runs custom ESM loader hooks on a dedicated thread, makes import.meta.resolve() synchronous, and promotes the test runner module to stable.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added initial support for compiling JavaScript into a single‑executable application.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added high‑performance TracingChannel to diagnostics and introduced URL.canParse API for URL validation.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated core dependencies: undici to 5.20.0, c‑ares to 1.19.0, npm to 8.19.4, and corepack to 0.17.0.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Reverted the vm.compileFunction leak fix introduced in v19.8.0 that caused application crashes
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added new APIs such as Buffer.copyBytesFrom, AsyncLocalStorage.bind/snapshot, fs.openAsBlob, automatic DHE TLS support, URLSearchParams.size getter, WASI version parameter, and worker name visibility in inspector/trace events.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added extensive test runner enhancements including built‑in reporters, initial code coverage support, describe.only/it.only shorthands, nested describes, improved diagnostics and async error handling.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added abort handling APIs (aborted() utility, abort signals for streams) and expanded embedder snapshot capabilities, including per‑Isolate build snapshots and code‑generation policy control.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgrade npm to version 9.5.0 (and 9.4.0)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed CVE‑2023‑23919, CVE‑2023‑23918, and CVE‑2023‑23920 addressing OpenSSL error handling, experimental policy bypass, and insecure ICU data loading
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple CVEs affecting permissions policies, OpenSSL error handling, fetch API CRLF injection, and ICU data loading
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple CVEs (permissions policy bypass, OpenSSL error handling, ICU data loading, fetch API CRLF injection, regex DoS)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed CVE‑2023‑23918 (policy bypass via process.mainModule) and CVE‑2023‑23920 (ICU data loading) along with several other CVEs
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated bundled npm to 9.3.1 with expanded Node engine support and removal of automatic file ownership handling.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added ESM loader chaining support and a new "install strategy=linked" option; upgraded bundled npm to 9.4.0.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added new crypto APIs (Symbol.toStringTag for CryptoKey/KeyObject, cipher validation, auth tag handling) and enhanced stream support with finished() for Readable/Writable streams and webstreams in Duplex.from()
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added new APIs: buffer.isUtf8 for UTF‑8 validation, os.availableParallelism(), and net.autoSelectFamily global getter/setter; improved HTTP timeout defaults handling and added a fast‑path for TextDecoder’s fatal flag.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added support for externalizing JavaScript built‑ins (including WASM) in custom Node.js builds
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated npm to 9.2.0, bringing many breaking changes originally introduced in npm 9.0.0 (engine support, filesystem permission handling, stricter auth config, separate login/adduser commands, defined tarball ignore order, and revamped ti...
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgrade OpenSSL to 1.1.1s and refresh root certificates (add several new roots, remove old ones); update timezone data to 2022f with DST changes for Fiji and Mexico.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated OpenSSL to 1.1.1s and refreshed the root certificate store to NSS 3.85, adding new trusted CAs and removing obsolete ones
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated timezone data to 2022f, fixing DST changes for Fiji and Mexico.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added function mocking support to the built‑in node:test runner and introduced recursive file watching (fs.watch) on Linux via the recursive:true option.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Patched high‑severity CVE‑2022‑3602 and CVE‑2022‑3786 (X.509 email address buffer overflows) and medium‑severity CVE‑2022‑43548 (DNS rebinding).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed high severity X.509 email address buffer overflow CVEs 2022‑3602 and 2022‑3786
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Security release fixing CVE‑2022‑43548 (DNS rebinding via invalid octal IP address)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Patched CVE‑2022‑43548 (DNS rebinding via invalid octal IP address) in the inspector module.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Add OpenSSL shared configuration option across source, docs, and tests (SEMVER MAJOR)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Node.js 18.x enters Active LTS phase under the codename "Hydrogen"
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
HTTP/1.1 Keep‑Alive is enabled by default for client agents, improving throughput
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added experimental watch mode to the CLI, which restarts the process when imported files change.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Add new diagnostic and API features: callTracker getCalls/reset, ReadableByteStream.tee(), Set/Map maxArrayLength option, test runner hooks, and idle HTTP parser configurability.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Deprecate the weak MODP groups (modp1, modp2, modp5) in crypto APIs and documentation.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple security vulnerabilities (CVE-2022-32212, 32222, 32213, 32215, 35255, 35256) affecting DNS rebinding, OpenSSL config handling, and HTTP request smuggling
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed CVE-2022-32212 (DNS rebinding on macOS), CVE-2022-32213 (OBS fold bypass), CVE-2022-35255 (weak randomness in WebCrypto), and CVE-2022-35256 (HTTP request smuggling).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple CVEs: DNS rebinding on macOS (CVE‑2022‑32212), OBS fold bypass (CVE‑2022‑32213), and HTTP request smuggling (CVE‑2022‑35256).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added diagnostics channel for process and worker, new OS.machine() method, and exposed Report and environment RequestInterrupt native APIs
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added runtime user‑land snapshots via build‑snapshot and snapshot‑blob APIs
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added experimental util.parseArgs helper and ESM loader hooks API with chaining support, expanding command‑line and module loading capabilities.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added new CustomEvent API (global exposure via CLI flag) and drop request event for HTTP servers, plus token support in parseArgs
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added experimental ESM Loader Hooks API with support for chaining multiple custom loaders, enabling more flexible module loading.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgrade OpenSSL to 1.1.1q and add OpenSSL config appname, a major breaking change;
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added OpenSSL config appname and shared config option, introducing breaking changes (SEMVER MAJOR).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgrade OpenSSL to 1.1.1q and update related architecture files
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
- Crypto module: removed Node‑specific WebCrypto extensions and added support for CFRG curves and raw key imports.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Introduced new APIs: `util.parseArgs`, `http` uniqueHeaders option, optional parameters for fs write methods, and a TCP socket reset feature in `net`.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated bundled npm to version 8.11.0 (including incremental upgrades from 8.6.0 to 8.10.0).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated npm to 8.11.0 (with intermediate upgrades) and upgraded OpenSSL to 1.1.1o, including arch file updates
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated OpenSSL to version 1.1.1o (not classified as a security release for Node.js 14).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated OpenSSL to 3.0.3 (incl. QUIC) – treated as a security release
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated npm to v6.14.17 and added a new release key for Bryan English (docs).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Implemented the WebAssembly Web API and integrated it with lib/src, marking a new feature in the release.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added experimental fetch API globals (fetch, Request, Response, Headers, FormData) and FormData support when enabled
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Node.js 18 ships with V8 10.1, global fetch and Web Streams APIs enabled by default, and an experimental core test runner module.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Make authTagLength optional for AES‑GCM (CC20P1305) in the crypto API (SEMVER minor)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Final Node.js 12 LTS release; reaches End‑of‑Life on 30 Apr 2022, urging migration to Node 14/16.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Introduced HTTP client tracing via perf hooks (minor feature).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated OpenSSL to 3.0.2 (quic) addressing CVE‑2022‑0778 – a high severity infinite loop in BN mod sqrt when parsing certificates.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated OpenSSL to 1.1.1n, fixing high‑severity CVE‑2022‑0778 (infinite loop in BN mod sqrt when parsing certificates).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgrade OpenSSL to 1.1.1n, fixing CVE‑2022‑0778 (infinite loop in BN mod sqrt())
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated OpenSSL to 1.1.1n, addressing high‑severity CVE‑2022‑0778 (infinite loop in BN mod sqrt).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated build scripts for new platforms (removed Windows 2022 runner, added Z/OS support, fixed Android ARM64 libuv) and upgraded npm to 8.5.0.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed regression in url.resolve() affecting URLs containing '@' introduced in Node.js v17.7.0
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Imported from changelog source; review and generate a concise summary before publishing.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Introduced several minor features: ESM flag for remote https/http fetch, fs.cp/cpSync now copy relative symlinks, FormData global when fetch is enabled, and readline Ctrl+6 redo binding.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added experimental Fetch API globals (fetch, Request, Response, Headers) via a new flag.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Experimental import assertions are now required to import JSON modules (behind the experimental flag) and add stage‑3 proposal support.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgrade npm to 6.14.16.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Corepack is now bundled with Node.js, allowing Yarn and pnpm to be used without separate installation
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added new developer-facing APIs: child_process fork now accepts URLs, crypto now aliases webcrypto.subtle and getRandomValues, events now support captureRejections and include EventEmitterAsyncResource, loader can return package format, ...
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed improper handling of URI Subject Alternative Names to prevent certificate verification bypass (CVE‑2021‑44531).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix improper handling of URI Subject Alternative Names, disabling URI SAN checks to prevent certificate verification bypass (CVE‑2021‑44531).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix improper handling of URI Subject Alternative Names, preventing certificate verification bypass (CVE‑2021‑44531).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed improper handling of URI SAN types, preventing certificate verification bypass (CVE‑2021‑44531).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated OpenSSL to 3.0.1 (quic) fixing CVE‑2021‑4044, improving security posture.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated c‑ares to 1.18.1 to resolve a regression with CNAME records containing underscores.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgraded npm to 8.1.2 and c‑ares to 1.18.1, fixing a regression with CNAME records containing underscores.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Expose async_wrap providers in async hooks and add reason property to AbortSignal
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated c‑ares to 1.18.1, fixing a regression with CNAME records containing underscores.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added JSON import assertion support to ES modules
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Node.js 16.x transitions to Long Term Support (LTS) with codename “Gallium”.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Include missing V8 headers in the distribution to enable native addon builds.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Imported from changelog source; review and generate a concise summary before publishing.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Node 17 upgrades to OpenSSL 3.0 (with FIPS) and V8 9.5, tightening algorithm restrictions and introducing possible ERR_OSSL_EVP_UNSUPPORTED errors, a breaking security change.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix CVE-2021-22959: Reject HTTP headers with a space before the colon to prevent request smuggling.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Imported from changelog source; review and generate a concise summary before publishing.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed HTTP request smuggling via spaced headers (CVE‑2021‑22959)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated root certificate bundle and fixed crypto edge cases (e.g., randomBytes callback handling, initEDRaw pkey failure).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added new Buffer Blob support and base64url encoding; enhanced child_process APIs (URL cwd, spawn/exec timeout, cancellable exec, overlapped stdio flag) and added process worker event and source‑map enable APIs.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added RSA‑PSS key generation parameters and multiple crypto fixes (default saltLength, MGF1 hash handling, key‑type validation) enhancing security;
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix regression introduced by the V8 9.3 update in Node.js 16.9.0
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Integrated Corepack into Node.js, enabling use of Yarn and pnpm without separate installation.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Security patch addressing multiple CVEs (2021‑32803, 2021‑32804, 2021‑37701, 2021‑37712, 2021‑37713, 2021‑39134, 2021‑39135) in node‑tar, arborist, and npm CLI.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple CVEs (2021‑32803, 2021‑32804, 2021‑37701, 2021‑37712, 2021‑37713, 2021‑39134, 2021‑39135) in node‑tar, npm‑arborist, and npm CLI
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added new stream utilities: Duplex.from constructor, isDisturbed helper, and duplexify support;
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added experimental recursive `fs.cp` method, new `dns` "tries" option, `crypto.randomUUID`, and `URL.createObjectURL` APIs.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix CVE-2021-22931: add proper handling of atypical characters in DNS hostnames to prevent remote code execution, XSS, and domain hijacking.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed high‑severity CVE‑2021‑22931: added proper validation of atypical characters in DNS hostnames to prevent RCE, XSS and domain hijacking.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed CVE‑2021‑22931: added strict hostname validation in DNS library to prevent RCE, XSS and domain‑hijacking risks.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
- Updated npm to 7.20.3 and reverted a V8 9.2 ABI breaking change that could affect native modules
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgrade V8 to 9.2 adding Array.prototype.at (including TypedArrays and strings)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Security release addressing CVE‑2021‑22930 (use‑after‑free in http2 stream canceling).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Patched high‑severity CVE‑2021‑22930 (use‑after‑free in http2 stream cancel handling).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added an experimental Web Streams API implementation accessed via the new `stream/web` module (emits a process‑wide experimental warning).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix regression in Windows installer on non‑English locales
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix regression in Windows MSI installer on non‑English locales introduced in 12.22.2
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed regression in Windows installer for non‑English locales introduced in Node.js 16.4.1
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix out-of-bounds read vulnerability in libuv (CVE‑2021‑22918)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Patched libuv to fix an out-of-bounds read vulnerability (CVE‑2021‑22918) affecting Node's dns.lookup().
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgraded libuv to fix CVE‑2021‑22918 out‑of‑bounds read in DNS lookup.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Stabilized AsyncLocalStorage and added support for URL‑based cwd in child_process; introduced CLI flag negation and new debugger error codes
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Updated ICU to 69.1 and incorporated several V8 cherry‑picks, refreshing core dependencies.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
CLI adds the -C alias for the --conditions flag.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added async hooks support for new V8 PromiseHook API and introduced 'worker' event in process module.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
- Added a new API allowing fsPromises.fileHandle.read() to be called with no parameters (feature, minor).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Removed many legacy APIs: permissive fs.rmdir recursive option, module.createRequireFromPath, Python 2 support, and several process.binding internals, causing breaking changes;
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
- Fixed high‑severity OpenSSL vulnerabilities (CVE‑2021‑3450, CVE‑2021‑3449) and npm y18n prototype‑pollution issue (CVE‑2020‑7774) across all 15.x, 14.x, 12.x, and 10.x releases.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix high‑severity OpenSSL CVE‑2021‑3450 and CVE‑2021‑3449 by upgrading OpenSSL to 1.1.1k
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Patched OpenSSL CVE-2021-3450 (CA certificate check bypass) and CVE-2021-3449 (NULL pointer deref).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Patched high‑severity OpenSSL vulnerabilities (CVE‑2021‑3450, CVE‑2021‑3449) and npm y18n prototype‑pollution issue (CVE‑2020‑7774).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added Buffer btoa/atob functions, http.ClientRequest.getRawHeaderNames(), child_process spawn/fork timeout options, and stream.pipeline Buffer support; performance and AbortController improvements were also introduced.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Imported from changelog source; review and generate a concise summary before publishing.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Imported from changelog source; review and generate a concise summary before publishing.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Enabled FIPS-related crypto options by default and refactored crypto internals to avoid unsafe array iteration.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed multiple high‑severity vulnerabilities (CVE‑2021‑22883, CVE‑2021‑22884, CVE‑2021‑23840) in HTTP/2, inspector DNS rebinding, and OpenSSL integer overflow.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix CVE‑2021‑22883: HTTP/2 unknownProtocol DoS via resource exhaustion
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Patched CVE‑2021‑22883 (HTTP/2 unknownProtocol DoS), CVE‑2021‑22884 (inspector DNS rebinding), and CVE‑2021‑23840 (OpenSSL integer overflow).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Patched CVE-2021-22883, CVE-2021-22884, and CVE-2021-23840 to prevent denial‑of‑service and OpenSSL overflow issues.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added JWK export support to Crypto KeyObject and new TLS X509Certificate getters, plus async iteration for timers and fsPromises.watch() with AbortSignal support.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgrade npm to version 6.14.11
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed crash in crypto module when calling digest after piping.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Upgrade npm to 6.14.11 and backport V8 changes.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added crypto APIs: generatePrime/checkPrime and experimental Ed25519/Ed448 key support.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Synchronize release keys with the main branch
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Added Blob support to Buffer and a new base64url encoding option
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Add overlapped stdio flag for child processes and support AbortSignal in fork and server.listen
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Imported from changelog source; review and generate a concise summary before publishing.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fix use‑after‑free in TLSWrap (CVE‑2020‑8265)
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed high‑severity OpenSSL and TLS vulnerabilities (CVE‑2020‑1971, CVE‑2020‑8265).
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.
Fixed high‑severity use‑after‑free bug in TLSWrap (CVE‑2020‑8265) preventing potential DoS or memory corruption.
Community ratings: 0 Useful, 0 Noise, 0 Risky, 0 Broke, 0 Try.