- Security patches address multiple Lua RCE vulnerabilities (CVE‑2025‑49844, 46817‑46819) and other critical issues.
- Adds new VSIM EPSILON argument for max distance and enables Intel‑optimised SVS build flag.
- Fixes numerous stability bugs (Lua defrag crashes, memory usage reporting, XGROUP entry limits, JSON.DEL, TDigest OOM, shard restart, ACL crashes) and improves RESP3 serialization performance.
Node.js changelog digest
Sep 29 - Oct 5, 2025. Useful releases, risky migrations, and noisy updates from the Node.js channel.
No matching updates in this bucket.
Node.js updates in 2025-w40
- Critical security updates addressing multiple CVEs in Lua scripting (remote code execution, integer overflow, context execution, out‑of‑bounds read)
- Added VSIM EPSILON argument to specify maximum distance
- Fixed numerous stability issues including use‑after‑free, pub/sub crashes, client unblock behavior, vector set endian compatibility, and replication/TTL handling
- Fix multiple critical Lua‑related security vulnerabilities (CVE‑2025‑49844, CVE‑2025‑46817/46818/46819).
- Resolve use‑after‑free and crash bugs in pubsub, Lua defragmentation, and EVAL error handling.
- Correct HINCRBYFLOAT replication issue that stripped field expiration on replicas.
- Patched several critical Lua script vulnerabilities (CVE-2025-49844, CVE-2025-46817, CVE-2025-46818, CVE-2025-46819).
- Fixed an out-of-bounds read issue in the Lua engine.
- Fix multiple Lua script vulnerabilities (CVE‑2025‑49844, CVE‑2025‑46817‑46819)
- Patch integer overflow and remote code execution paths in Lua engine
- Resolve out‑of‑bounds read issue affecting Lua script execution
- Recreated the tag to point to the correct commit; the npm package already had the correct content.
- Fixed the issues query for TypeScript 5.9.0 (Beta) and 5.9.1 (RC); 5.9.2 stable introduces no further changes.
- Downloads are provided through npm.
- Recreated tag to point to the correct commit; npm package contains the proper content.
- Release notes available via the announcement; includes fixes for issues introduced in TypeScript 5.9.0 (Beta) and 5.9.1 (RC).
- Download the RC build directly from npm.
- Recreated the tag to point to the correct commit, while the npm package already contains the proper content.
- Published the TypeScript 5.9.0 beta on npm and linked release notes in the announcement.
- Fixed the issue‑query functionality for the new 5.9.0 beta.
- Tag recreated to point at the correct commit, npm package already contains correct content
- Release notes are available in the official announcement
- Fixed issues query across Typescript 5.8.0‑5.8.3 releases
- Tag was recreated to point to the correct commit; the npm package already contained the proper content.
- No new features; includes bugfixes and issue‑query fixes for the 5.9.0‑5.9.3 series.
- Release is available via npm.
- Fixed missing JSON null type definitions in Prisma Client’s browser entrypoint.
- Restored pre‑6.13.0 migration behavior by not adding a default schema namespace unless explicitly defined.
- Re‑enabled negative `take` in `findFirst`, aligned self‑signed certificate handling in Accelerate, and fixed event listener leak in @prisma/adapter‑mariadb.