- Fixed multiple security issues including a crypto null‑pointer dereference, URL parsing crash for malformed UNC hostnames, a zlib use‑after‑free on reset, HTTP keep‑alive socket reuse race, and an HTTP/2 file‑handle leak
- Resolved numerous core bugs such as module resolution double‑invocation, source‑map URL parsing, stream chunk boundary checks, and sync resolve hook handling
- Introduced a new ESM feature: separate cache for require('esm') when importing CJS modules, plus upgrades to npm (10.9.8) and OpenSSL (3.5.6)
Open Source changelog digest
May 11 - May 17, 2026. Useful releases, risky migrations, and noisy updates from the Open Source channel.
Open Source updates in 2026-w20
- Cache access is tightened for workflows triggered by forked pull requests.
- Security posture improves, but CI time may increase for some OSS repos.
- Multi-platform builds can reuse cache layers more predictably.
- CI pipelines with ARM and x86 targets may see shorter build times.