Previously this PR it was expected that InternalWorker
usage doesn't require the --allow-worker when the permission
model is enabled. This, however, exposes a vulnerability
whenever the instance gets accessed by the user. For example
through diagnostics_channel.subscribe('worker_threads')
PR-URL: https://github.com/nodejs-private/node-private/pull/629
Refs: https://hackerone.com/reports/2575105
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
CVE-ID: CVE-2025-23083
the section comparing `queueMicrotask()` and `process.nextTick()`
doesn't address the different scheduling behavior that the two
functions have in cjs and esm modules, the section's introductory mjs
example also provides an incorrect output, the changes here address
such by explaining the difference between the two module types and
updating the example accordingly
PR-URL: https://github.com/nodejs/node/pull/56659
Fixes: https://github.com/nodejs/node/issues/45048
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This is a security release.
Notable changes:
* CVE-2025-23084 - fix path traversal in normalize() on Windows (Medium)
* CVE-2025-23085 - fix HTTP2 mem leak on premature close and ERR_PROTO
* CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)
(Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/659
This is a security release.
Notable changes:
* CVE-2025-23083 - throw on InternalWorker use when permission model is enabled (High)
* CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
* CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)
* CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/664
This is a security release.
Notable changes:
* CVE-2025-23083: throw on InternalWorker use when permission model is enabled (High)
* CVE-2025-23084: fix path traversal in normalize() on Windows (Medium)
* CVE-2025-23085: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
* CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/655
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
This is a security release.
Notable changes:
* CVE-2025-23083: throw on InternalWorker use when permission model is enabled (High)
* CVE-2025-23084: fix path traversal in normalize() on Windows (Medium)
* CVE-2025-23085: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
* CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)
PR-URL: https://github.com/nodejs-private/node-private/pull/654
Signed-off-by: Michael Dawson <midawson@redhat.com>
PR-URL: https://github.com/nodejs/node/pull/56589
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
This commit adds a waitFor() method to the TestContext class in
the test runner. As the name implies, this method allows tests to
more easily wait for things to happen.
PR-URL: https://github.com/nodejs/node/pull/56595
Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Align the property names `lineNumber` and `columnNumber`.
PR-URL: https://github.com/nodejs/node/pull/56584
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
PR-URL: https://github.com/nodejs/node/pull/56469
Reviewed-By: Jacob Smith <jacob@frende.me>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Bryan English <bryan@bryanenglish.com>
PR-URL: https://github.com/nodejs/node/pull/56506
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
Reviewed-By: Ruy Adorno <ruy@vlt.sh>
This commit adds a new flag `--disable-sigusr1` to prevent
the SignalIOThread to be up listening the SIGUSR1 events and
then starting the debugging session.
PR-URL: https://github.com/nodejs/node/pull/56441
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The `scriptId` is essential to construct chrome devtools protocol
structs like `Network.Initiator`, allowing inspectors to associate
a `CallSite` with a unique script.
PR-URL: https://github.com/nodejs/node/pull/56551
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This commit updates the documentation and includes
a test to ensure that permission model flags
will be passed to the child process if `fork`
is called
PR-URL: https://github.com/nodejs/node/pull/56523
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The 'coverage output' and 'source map cache' sections were
appearing under the NO_COLOR environment variable instead of
the NODE_V8_COVERAGE enviroment variable where they were intended
to be. This commit fixes that issue.
PR-URL: https://github.com/nodejs/node/pull/56525
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/56517
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/56513
Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Signed-off-by: Michael Dawson <midawson@redhat.com>
PR-URL: https://github.com/nodejs/node/pull/56235
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit adds a t.assert.fileSnapshot() API to the test runner.
This is similar to how snapshot tests work in core, as well as
userland options such as toMatchFileSnapshot().
PR-URL: https://github.com/nodejs/node/pull/56459
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
The `generatePrime` and `checkPrime` functions in the `crypto`
module are only somewhat interruptible. This change makes it
possible to interrupt these more reliably. Note that generating
overly large primes can still take a long time and may not be
interruptible as this mechanism relies on a callback to check
for stopping conditions but OpenSSL may perform a long running
operation without calling the callback right away.
Fixes: https://github.com/nodejs/node/issues/56449
PR-URL: https://github.com/nodejs/node/pull/56460
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Co-authored-by: Antoine du Hamel <duhamelantoine1995@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/56385
Fixes: https://github.com/nodejs/node/issues/56384
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
This commit adds a top level assert.register() API to the test
runner. This function allows users to define their own custom
assertion functions on the TestContext.
Fixes: https://github.com/nodejs/node/issues/52033
PR-URL: https://github.com/nodejs/node/pull/56434
Reviewed-By: Jacob Smith <jacob@frende.me>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com>
Snapshot testing was marked stable in #55897. These were
overlooked at the time.
Refs: https://github.com/nodejs/node/pull/55897
PR-URL: https://github.com/nodejs/node/pull/56425
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
Reviewed-By: Jacob Smith <jacob@frende.me>
Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
When piping a `ReadableStream` created from an `Iterable` into a
`WritableStream`, the sequence of objects in the `Iterable` must
consist of either `Buffer`s, `TypedArray`s, or `DataView`s.
Re: https://github.com/nodejs/node/issues/56297
PR-URL: https://github.com/nodejs/node/pull/56415
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
The `process.ref(...)` and `process.unref(...)` methods are intended
to replace the use of `ref()` and `unref()` methods defined directly
on individual API objects. The existing `ref()` and `unref()` methods
will be marked as legacy and won't be removed but new APIs should use
`process.ref()` and `process.unref()` instead.
Refs: https://github.com/nodejs/node/issues/53266
PR-URL: https://github.com/nodejs/node/pull/56400
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
PR-URL: https://github.com/nodejs/node/pull/56359
Reviewed-By: Jordan Harband <ljharb@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/54431
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Jordan Harband <ljharb@gmail.com>
RafaelGSS
Dario Piotrowicz
Shreyans Pathak
Marco Ippolito
Pietro Marchini
Michael Dawson
Colin Ihrig
Chengzhong Wu
Carlos Espa
Jacob Smith
Antoine du Hamel
Stephen Belanger
Tobias Nießen
Alfredo González
Keeley Hammond
Daeyeon Jeong
James M Snell
Ruy Adorno
Node.js GitHub Bot
Alex Yang
Eddie Abbondanzio
Gabriel Schulhof
Bart Louwers
Kevin Gibbons