Skip to content

Releases: nodejs/node

2026-06-23, Version 24.18.0 'Krypton' (LTS), @richardlau prepared by @sxa

23 Jun 23:11
@richardlau richardlau
v24.18.0
This tag was signed with the committer’s verified signature.
richardlau Richard Lau
GPG key ID: C43CEC45C17AB93C
Verified
Learn about vigilant mode.
20da4ae
This commit was signed with the committer’s verified signature.
sxa Stewart X Addison
SSH Key Fingerprint: fletyCoxoW8EOTI1CPAg78hvvnQCteY3dUShDvPqVUk
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2026-06-23, Version 24.18.0 'Krypton' (LTS), @richardlau prepared by @sxa

Notable Changes

  • [e07e7a31e1] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #63527
  • [44c8ebcbd6] - http: avoid stream listeners on idle agent sockets (Matteo Collina) #64004
  • [d3ef4122ee] - (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #63597
  • [bb2857b85a] - (SEMVER-MINOR) crypto: align key argument names in docs and error messages (Filip Skokan) #62527
  • [b9d5e87880] - (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #62527
  • [ccd756d61e] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183
  • [4c9251fc09] - (SEMVER-MINOR) http: add writeInformation to send arbitrary 1xx status codes (Tim Perry) #63155
  • [8c989ec4a3] - (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #63079
  • [3f54c8ba32] - Revert "stream: noop pause/resume on destroyed streams" (Stewart X Addison) #63834

Commits

  • [d3ef4122ee] - (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #63597
  • [9ff36e40f0] - build: add --enable-all-experimentals build flag (Paolo Insogna) #62755
  • [7c22ee23aa] - build: def NODE_USE_NODE_CODE_CACHE only used in node_mksnapshot (Chengzhong Wu) #63588
  • [2551abdb4a] - build,win: enable x64 PGO (Stefan Stojanovic) #62761
  • [e8a55ce9b1] - crypto: strengthen argument CHECKs in TurboSHAKE (Tobias Nießen) #62763
  • [ae61cd68f3] - crypto: harden WebCrypto against prototype pollution (Filip Skokan) #63363
  • [3d05a1d396] - crypto: pass CryptoKey handles to KDF jobs (Filip Skokan) #63363
  • [f9d10a3f6b] - crypto: remove async from WebCrypto methods (Filip Skokan) #63363
  • [e431d93e9e] - crypto: add WebCrypto CryptoJob mode (Filip Skokan) #63363
  • [56e2505e48] - crypto: wire ML-DSA and ML-KEM for use when using BoringSSL (Filip Skokan) #63255
  • [3bac77f2a8] - crypto: wire ChaCha20-Poly1305 in Web Cryptography when using BoringSSL (Filip Skokan) #63255
  • [1bff901b09] - crypto: wire AES-KW in Web Cryptography when using BoringSSL (Filip Skokan) #63255
  • [4433fca3df] - crypto: harden CryptoKey algorithm slots (Filip Skokan) #63111
  • [b5cf01217a] - crypto: harden KeyObject internal slots (Filip Skokan) #63111
  • [ce84aef37d] - crypto: add guards and adjust tests for BoringSSL (Filip Skokan) #62883
  • [26781689b0] - crypto: reject duplicate ML-KEM JWK key_ops (Filip Skokan) #62905
  • [aeea8f4970] - crypto: add JWK support for ML-KEM and SLH-DSA key types (Filip Skokan) #62706
  • [407cf91656] - crypto: guard against size_t overflow on experimental 32-bit arch (Filip Skokan) #62626
  • [bb2857b85a] - (SEMVER-MINOR) crypto: align key argument names in docs and error messages (Filip Skokan) #62527
  • [b9d5e87880] - (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #62527
  • [b46d52b283] - crypto: unify asymmetric key import through KeyObjectHandle::Init (Filip Skokan) #62499
  • [ccd756d61e] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183
  • [e07e7a31e1] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #63527
  • [61826df455] - crypto: coerce -0 keylen to +0 in pbkdf2 and scrypt (Jordan Harband) #63531
  • [16d2fd3c07] - crypto: align verifyOneShot accepted types (Anshika Jain) #63280
  • [3b8330deda] - crypto: improve system certificate enumeration logic on macOS (Robo) #62576
  • [141de35399] - debugger: add --help to node inspect and improve docs (Joyee Cheung) #63201
  • [b76bfcd4fa] - deps: upgrade npm to 11.16.0 (npm team) #63602
  • [4ec142314c] - deps: SQLite: cherry-pick b869ed6b067d623cb1383549f2a18aa35508385d (Junsu Han) #63525
  • [19e8ce1c36] - deps: upgrade npm to 11.15.0 (npm team) #63463
  • [8a264260e2] - deps: update sqlite to 3.53.1 (Node.js GitHub Bot) #63217
  • [50c8ff3f94] - deps: update simdjson to 4.6.4 (Node.js GitHub Bot) #62811
  • [6e56f01c4b] - deps: V8: cherry-pick 435a2cdf664c (Matthias Liedtke) #63136
  • [3ba813b242] - deps: cherry-pick libuv/libuv@a43e543 (Ali Hassan) #63222
  • [2390e3a5ac] - doc: remove duplicated sentences in large-pull-requests.md (Joyee Cheung) #63650
  • [52a1c18374] - doc: update git node land instructions for security releases (Antoine du Hamel) #63586
  • [3e6b4da037] - doc: drop --experimental from --permission (Rafael Gonzaga) #63583
  • [84d05163b9] - doc: explicitly ask for reproducible in JS (Rafael Gonzaga) #63479
  • [7da2a4450e] - doc: fix URL postMessage example in worker_threads (Kit Dallege) #62203
  • [3d79bd8b29] - doc: clarify filter option of sqlite.database.applyChangeset (Antoine du Hamel) #63515
  • [4f4174aace] - doc: fix double spaces in ERR_TLS_INVALID_PROT...
Read more
Loading

2026-06-23, Version 22.23.1 'Jod' (LTS), @RafaelGSS

23 Jun 16:44
@RafaelGSS RafaelGSS
v22.23.1
This tag was signed with the committer’s verified signature.
RafaelGSS Rafael Gonzaga
GPG key ID: 8BEAB4DFCF555EF4
Verified
Learn about vigilant mode.
bd96dfb
This commit was signed with the committer’s verified signature.
RafaelGSS Rafael Gonzaga
GPG key ID: 8BEAB4DFCF555EF4
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2026-06-23, Version 22.23.1 'Jod' (LTS), @RafaelGSS

This release includes a fix for an unexpected behavior introduced
by the recent security release (22.23.0).

Commits

  • [41d2ee13be] - build: switch coverage-windows to windows-2022 (Richard Lau) #63940
  • [eaa292549e] - http: avoid stream listeners on idle agent sockets (Matteo Collina) #64004
Loading

2026-06-18, Version 26.3.1 (Current), @aduh95

18 Jun 04:37
@aduh95 aduh95
v26.3.1
This tag was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 20B1A390B168D356
Verified
Learn about vigilant mode.
c8d3916
This commit was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 20B1A390B168D356
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2026-06-18, Version 26.3.1 (Current), @aduh95 Latest
Latest

This is a security release.

Notable Changes

  • (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
  • (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
  • (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
  • (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
  • (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
  • (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
  • (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
  • (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
  • (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
  • (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low
  • (CVE-2026-48936) permission: guard pipe open and chmod with net scope (RafaelGSS) – Low

Commits

Assets 2
Loading

2026-06-18, Version 24.17.0 'Krypton' (LTS), @aduh95

18 Jun 04:37
@aduh95 aduh95
v24.17.0
This tag was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 20B1A390B168D356
Verified
Learn about vigilant mode.
413e874
This commit was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 20B1A390B168D356
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2026-06-18, Version 24.17.0 'Krypton' (LTS), @aduh95

This is a security release.

Notable Changes

  • (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
  • (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
  • (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
  • (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
  • (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
  • (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
  • (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
  • (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
  • (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
  • (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
  • (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

Commits

Loading

2026-06-18, Version 22.23.0 'Jod' (LTS), @aduh95

18 Jun 04:37
@aduh95 aduh95
v22.23.0
This tag was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 20B1A390B168D356
Verified
Learn about vigilant mode.
eb77496
This commit was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 20B1A390B168D356
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2026-06-18, Version 22.23.0 'Jod' (LTS), @aduh95

This is a security release.

Notable Changes

  • (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
  • (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
  • (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
  • (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
  • (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
  • (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
  • (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
  • (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
  • (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
  • (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
  • (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

Commits

Loading

2026-06-01, Version 26.3.0 (Current), @aduh95

01 Jun 13:10
@aduh95 aduh95
v26.3.0
This tag was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 20B1A390B168D356
Verified
Learn about vigilant mode.
b7e6a5d
This commit was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 20B1A390B168D356
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2026-06-01, Version 26.3.0 (Current), @aduh95

Notable Changes

Potential changes to macOS Universal Binary availability

With Apple and its ecosystem progressively dropping support for Intel-based
architectures, it has become apparent that the Node.js project may not be able
to maintain the universal binaries we currently distribute for the full lifetime
of Node.js 26. This change serves to communicate that risk. At present, our
intention remains to continue shipping universal binaries supporting both Apple
Silicon and Intel-based Macs for as long as practical.

Contributed by Antoine du Hamel in #63055.

Other notable changes

  • [a2a4b33dd8] - (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #63597
  • [051a2152f7] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #63527
  • [49462eca37] - (SEMVER-MINOR) http: add httpValidation option to configure header value validation (RajeshKumar11) #61597
  • [97b7ab19bd] - (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #63079
  • [cfb80a2103] - (SEMVER-MINOR) lib,permission: add permission.drop (Rafael Gonzaga) #62672

Commits

  • [a2a4b33dd8] - (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #63597
  • [0eff3e23b9] - build: def NODE_USE_NODE_CODE_CACHE only used in node_mksnapshot (Chengzhong Wu) #63588
  • [447ab2d252] - build,win: fix VS2022 arm64 PGO build (Stefan Stojanovic) #63413
  • [86032758e4] - build,win: replace LTCG with Thin LTO for releases (Stefan Stojanovic) #63114
  • [5f4d794052] - build,win: add Rust toolchain automated configuration Windows (Mike McCready) #63381
  • [051a2152f7] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #63527
  • [d0f65e3579] - crypto: coerce -0 keylen to +0 in pbkdf2 and scrypt (Jordan Harband) #63531
  • [e3ddb326c9] - crypto: harden WebCrypto against prototype pollution (Filip Skokan) #63363
  • [e04cd17dc0] - crypto: pass CryptoKey handles to KDF jobs (Filip Skokan) #63363
  • [64ba74d847] - crypto: remove async from WebCrypto methods (Filip Skokan) #63363
  • [bd230418b4] - crypto: add WebCrypto CryptoJob mode (Filip Skokan) #63363
  • [1a4090a83d] - debugger: surface inspector failures in probe mode (Joyee Cheung) #63437
  • [dbc78ff825] - debugger,test: deflake resume failure test and add debug logs (Joyee Cheung) #63524
  • [4da442f432] - deps: upgrade npm to 11.16.0 (npm team) #63602
  • [63372cfa87] - deps: SQLite: cherry-pick b869ed6b067d623cb1383549f2a18aa35508385d (Junsu Han) #63525
  • [e286fa170d] - deps: upgrade npm to 11.15.0 (npm team) #63463
  • [de996437a5] - doc: downgrade macOS x64 to Tier 2 (Antoine du Hamel) #63055
  • [22ac78750c] - doc: remove duplicated sentences in large-pull-requests.md (Joyee Cheung) #63650
  • [532f7f2085] - doc: update git node land instructions for security releases (Antoine du Hamel) #63586
  • [c61f90dfb9] - doc: drop --experimental from --permission (Rafael Gonzaga) #63583
  • [fd69d7b16a] - doc: improve fs.StatFs properties descriptions (aymanxdev) #62578
  • [693257782c] - doc: generate llms.txt (Guilherme Araújo) #62027
  • [55a57beb26] - doc: explicitly ask for reproducible in JS (Rafael Gonzaga) #63479
  • [4895c2babc] - doc: fix URL postMessage example in worker_threads (Kit Dallege) #62203
  • [0355c36e37] - doc: clarify filter option of sqlite.database.applyChangeset (Antoine du Hamel) #63515
  • [c85ee22df6] - doc: fix double spaces in ERR_TLS_INVALID_PROTOCOL_METHOD (Daijiro Wachi) #63511
  • [62947192f6] - doc: move hyperlinks outside of text blocks (Aviv Keller) #63493
  • [9849690a1d] - doc: edit Rust toolchain general install instructions (Antoine du Hamel) #63488
  • [885d2462e9] - doc: fix double space in modules.md (Daijiro Wachi) #63512
  • [42fbb48bc6] - doc: fix "options" to "option" in tls.createServer (Daijiro Wachi) #63453
  • [05a7b0a301] - doc: add Rust toolchain general install instructions (Mike McCready) #63426
  • [e13dfd7ed0] - doc: update toolchain for official releases (Richard Lau) #63441
  • [82306881cc] - doc: fix typo in deprecations (Daijiro Wachi) #63434
  • [eeb77d217c] - doc,lib: align WebCrypto names with spec (Filip Skokan) #63518
  • [679e13c57f] - errors: handle V8 warnings in DisallowJavascriptExecutionScope (Divyanshu Sharma) #63491
  • [7f41f5d803] - ffi: validate 'void' as parameter type in getFunction and getFunctions (Anshika Jain) #63504
  • [972cd227cb] - ffi: remove function signature property aliases (René) #63482
  • [5d7805e433] - ffi: move DynamicLibrary disposer to native layer (René) #63459
  • [5a0b32dc24] - gyp: update deps gypfiles (Nad Alaba) #63117
  • [49462eca37] - (SEMVER-MINOR) http: add httpValidation option to configure header value validation (RajeshKumar11) #61597
  • [e3c6629ee3] - http2: emit session close before stream close (Matteo Collina) #63414
  • [97b7ab19bd] - (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #63079
  • [6bef10e7b7] - lib: cleanup stateless diffiehellman key handling (...
Read more
Loading

2026-05-21, Version 24.16.0 'Krypton' (LTS), @aduh95

21 May 13:24
@aduh95 aduh95
v24.16.0
This tag was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 20B1A390B168D356
Verified
Learn about vigilant mode.
c7d1015
This commit was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 20B1A390B168D356
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2026-05-21, Version 24.16.0 'Krypton' (LTS), @aduh95

Notable Changes

  • [b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #62553
  • [ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #62713
  • [9705f628d9] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #57775
  • [40ccfdecf9] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #62277
  • [d7188af5c9] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #63082
  • [aa1d8a9afc] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #62541
  • [6f37f7e240] - (SEMVER-MINOR) stream: propagate destruction in duplexPair (Ahmed Elhor) #61098
  • [d14029be7f] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #61747
  • [d142c584cd] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #62820
  • [01a9552585] - (SEMVER-MINOR) test_runner: add mock-timers support for AbortSignal.timeout (DeveloperViraj) #60751
  • [00705a459a] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #61556

Commits

  • [dd72df060d] - assert,util: fix stale nested cycle memo entries (Ruben Bridgewater) #62509
  • [add94f4bc3] - build: track PDL files as inputs in inspector GN build (Robo) #62888
  • [1b1eb9e334] - build: remove redundant -fuse-linker-plugin from GCC LTO flags (Daniel Lando) #62667
  • [8752b604ec] - crypto: deduplicate and canonicalize CryptoKey usages (Filip Skokan) #62902
  • [341947e7fd] - crypto: reject unintended raw key format string input (Filip Skokan) #62974
  • [28a78747fc] - crypto: remove Argon2 KDF derivation from its job setup (Filip Skokan) #62863
  • [16e8c2b54d] - crypto: fix unsigned conversion of 4-byte RSA publicExponent (DeepView Autofix) #62839
  • [eeae754a87] - crypto: reject inherited key type names (Jonathan Lopes) #62875
  • [9dd5540325] - crypto: add memory tracking for secureContext openssl objects (Mert Can Altin) #59051
  • [b267f6bca3] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #62553
  • [7597d204c1] - crypto: add support for Ed25519 context parameter (Filip Skokan) #62474
  • [4bf85845da] - debugger: move ProbeInspectorSession and helpers to separate files (Joyee Cheung) #63013
  • [ec2451b9cd] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #62713
  • [83e98f77b7] - deps: update corepack to 0.35.0 (Node.js GitHub Bot) #63375
  • [ec8c6b939a] - deps: V8: cherry-pick 657d8de27427 (Guy Bedford) #62784
  • [722c0c3274] - deps: update nghttp3 to 1.14.0 (Node.js GitHub Bot) #61187
  • [5304db93d3] - deps: update nghttp3 to 1.13.1 (Node.js GitHub Bot) #60046
  • [e073b3811d] - deps: update nghttp3 to 1.11.0 (James M Snell) #59249
  • [1d00313fb2] - deps: update ngtcp2 to 1.14.0 (James M Snell) #59249
  • [8b3a4fc18f] - deps: update amaro to 1.1.9 (Node.js GitHub Bot) #63090
  • [62fe0cfcd1] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #63045
  • [137e09c8e9] - deps: update corepack to 0.34.7 (Node.js GitHub Bot) #62810
  • [14a4cb8fbc] - deps: update timezone to 2026b (Node.js GitHub Bot) #62962
  • [3e1036583a] - deps: upgrade npm to 11.13.0 (npm team) #62898
  • [01dfe5961c] - deps: cherry-pick libuv/libuv@439a54b (skooch) #62881
  • [6cd368b10c] - deps: update sqlite to 3.53.0 (Node.js GitHub Bot) #62699
  • [f218a4f553] - deps: update nbytes to 0.1.4 (Node.js GitHub Bot) #62698
  • [b47688524a] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #62629
  • [d202e2d343] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #62629
  • [2faba66341] - deps: update minimatch to 10.2.5 (Node.js GitHub Bot) #62594
  • [fa46c90c5d] - deps: update googletest to d72f9c8aea6817cdf1ca0ac10887f328de7f3da2 (Node.js GitHub Bot) #62593
  • [099ded5713] - deps: update simdjson to 4.6.1 (Node.js GitHub Bot) #62592
  • [7ce95afe96] - deps: libuv: cherry-pick aabb7651de (Santiago Gimeno) #62561
  • [57ef845623] - deps: update icu to 78.3 (Node.js GitHub Bot) #62324
  • [493ac40e12] - deps: update libuv to 1.52.1 (Node.js GitHub Bot) #61829
  • [b39508b368] - deps: update undici to 7.25.0 (Node.js GitHub Bot) #63011
  • [cb67a925e9] - deps: use npm undici@seven tag in update-undici.sh (Matteo Collina) #62739
  • [aa1e0bc28b] - doc: fix typos and inconsistencies in crypto.md and webcrypto.md (Filip Skokan) #62828
  • [f2a1735ed9] - doc: fix duplicate word "to to" in util.styleText (Daijiro Wachi) #62917
  • [b6378e215c] - doc: fix node-config-schema (Сковорода Никита Андреевич) #61596
  • [233894a9ce] - doc: fix the TypeScript Execute (tsx) project li...
Read more
Loading

2026-05-20, Version 26.2.0 (Current), @aduh95

20 May 13:02
@aduh95 aduh95
v26.2.0
This tag was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 20B1A390B168D356
Verified
Learn about vigilant mode.
cfd7920
This commit was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 20B1A390B168D356
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2026-05-20, Version 26.2.0 (Current), @aduh95

Notable Changes

  • [189d43a193] - doc: mark stream.compose stable (Matteo Collina) #62562
  • [f858c6140e] - (SEMVER-MINOR) fs: add Temporal.Instant support to Stats and BigIntStats (Livia Medeiros) #60789
  • [0cbb3895df] - (SEMVER-MINOR) http: add writeInformation to send arbitrary 1xx status codes (Tim Perry) #63155

Commits

  • [9a394bab84] - benchmark: respect stream/iter broadcast backpressure (Trivikram Kamat) #63314
  • [ad98b4620b] - crypto: align verifyOneShot accepted types (Anshika Jain) #63280
  • [ba0736a847] - crypto: wire ML-DSA and ML-KEM for use when using BoringSSL (Filip Skokan) #63255
  • [5573a6a4a8] - crypto: wire ChaCha20-Poly1305 in Web Cryptography when using BoringSSL (Filip Skokan) #63255
  • [7dc563b8d6] - crypto: wire AES-KW in Web Cryptography when using BoringSSL (Filip Skokan) #63255
  • [b55e2b1f4d] - crypto: improve system certificate enumeration logic on macOS (Robo) #62576
  • [fd509a755a] - crypto: harden CryptoKey algorithm slots (Filip Skokan) #63111
  • [8657df39e7] - crypto: harden KeyObject internal slots (Filip Skokan) #63111
  • [729274e046] - crypto: reject invalid raw key imports (Filip Skokan) #63134
  • [8fc9cb9c01] - crypto: improve accuracy of SubtleCrypto.supports (Filip Skokan) #63104
  • [288065cb3f] - crypto: optimize normalizeAlgorithm dispatch hot path (Filip Skokan) #62756
  • [ecf3797d09] - debugger: disambiguate probe location binding (Joyee Cheung) #63286
  • [bdc57135fd] - debugger: add --help to node inspect and improve docs (Joyee Cheung) #63201
  • [2a6e6058e9] - deps: update undici to 8.3.0 (Node.js GitHub Bot) #63377
  • [327b927271] - deps: update corepack to 0.35.0 (Node.js GitHub Bot) #63375
  • [5828fadf52] - deps: update sqlite to 3.53.1 (Node.js GitHub Bot) #63217
  • [fe127a999b] - deps: update simdjson to 4.6.4 (Node.js GitHub Bot) #62811
  • [a34c4ea159] - deps: V8: cherry-pick 435a2cdf664c (Matthias Liedtke) #63136
  • [ad91efcc43] - deps: cherry-pick libuv/libuv@a43e543 (Ali Hassan) #63222
  • [5ea6c3ee7e] - deps: add missing static linking targets for libffi (Paolo Insogna) #63168
  • [c1f6ba22b4] - deps: update ngtcp2 to 1.22.1 (Node.js GitHub Bot) #62812
  • [7b8767ef76] - doc: remove unsupported template type from v8.md (René) #63410
  • [b2ec1880b1] - doc: fix promise nomenclature in stream_iter.md (Antoine du Hamel) #63406
  • [cf6cbbd39d] - doc: fix article usage before vowel-sound acronyms (joao-oliveira-softtor) #62696
  • [da05065d98] - doc: remove the bi-monthly contributor spotlight section (Claudio Wunder) #62734
  • [c31f320fba] - doc: update http2's push and trailers events with rawHeaders param (YuSheng Chen) #63259
  • [f0d008439b] - doc: add Rust toolchain manual installation instructions Windows (Mike McCready) #63367
  • [68b1220fbd] - doc: remove inactive members from Triagers list (Antoine du Hamel) #63329
  • [189d43a193] - doc: mark stream.compose stable (Matteo Collina) #62562
  • [c4fb894039] - doc: fix CHANGELOG (Richard Lau) #63292
  • [9f319a77e4] - doc: reference correct function in Module docs (Robin Malfait) #63247
  • [2c13acc88e] - doc: replace Visual Studio 2022 Evergreen version reference with 17.14 (Mike McCready) #63211
  • [7e42c336c9] - doc: recommend explicitly Tier 1 or 2 for production applications (Mike McCready) #63187
  • [d99e0bb6d5] - doc: document Temporal configure flags in BUILDING.md (ChrisJr404) #63248
  • [c0ea77b305] - doc: run license-builder (github-actions[bot]) #63232
  • [8265aba0f4] - doc: add large pull requests contributing guide (Matteo Collina) #62829
  • [be241bacc8] - doc: remove unnecessary <!-- eslint- magic comments (Antoine du Hamel) #63200
  • [e0b1f092c3] - doc: fix inconsistencies in CJS code snippets (Antoine du Hamel) #63199
  • [a3feb15871] - doc: clarify SEA platform support excludes darwin-x64 (MJSHANG) #63181
  • [cafd7667fc] - doc: improve quic documentation (James M Snell) #63157
  • [3c784edb6f] - doc: update release steps when post-release fails (Rafael Gonzaga) #63131
  • [9de954e9be] - doc: fix deprecation list in 26.0.0 changelog (Antoine du Hamel) #63147
  • [20c553e456] - doc: add Hmac.digest() documentation-only deprecation (DEP0206) (Anshika Jain) #63121
  • [3494eae2c8] - doc: document the latest-vX.x schema (Marco Ippolito) #63033
  • [c02413d29d] - doc: remove list of versions in BUILDING.md (Antoine du Hamel) #63113
  • [53f9a902a1] - doc,sqlite: document entryPoint argument for loadExtension (Edy Silva) #63152
  • [f858c6140e] - (SEMVER-MINOR) fs: add Temporal.Instant support to Stats and BigIntStats (Livia Medeiros) #60789
  • [b2ba62ca0e] - fs: make Date properties on Stats enumerable (LiviaMedeiros) #63328
  • [[0cbb3895df](0cbb3895d...
Read more
Loading

2026-05-13, Version 22.22.3 'Jod' (LTS), @marco-ippolito

13 May 18:44
@marco-ippolito marco-ippolito
v22.22.3
This tag was signed with the committer’s verified signature.
marco-ippolito Marco Ippolito
GPG key ID: 27F5E38D5B0A215F
Verified
Learn about vigilant mode.
fdfa0ff
This commit was signed with the committer’s verified signature.
marco-ippolito Marco Ippolito
GPG key ID: 27F5E38D5B0A215F
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2026-05-13, Version 22.22.3 'Jod' (LTS), @marco-ippolito

Commits

Read more
Loading

2026-05-07, Version 26.1.0 (Current), @aduh95

07 May 10:08
@aduh95 aduh95
v26.1.0
This tag was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 20B1A390B168D356
Verified
Learn about vigilant mode.
e7da6f0
This commit was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 20B1A390B168D356
Verified
Learn about vigilant mode.

Choose a tag to compare

View all tags
2026-05-07, Version 26.1.0 (Current), @aduh95

Notable Changes

Experimental node:ffi module

Node.js now includes an experimental node:ffi module for loading dynamic
libraries and calling native symbols from JavaScript.

The API is gated behind the --experimental-ffi flag and, when the Permission
Model is enabled, requires --allow-ffi.

This API is inherently unsafe. Invalid pointers, incorrect signatures, or accessing memory
after it has been freed can crash the process or corrupt memory.

Contributed by Paolo Insogna in #62072.

Other Notable Changes

  • [34a6454fe3] - (SEMVER-MINOR) buffer: add end parameter (Robert Nagy) #62390
  • [073e84d7fe] - (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #62527
  • [5b9cb10a5f] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #62553
  • [98f9becd16] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #62713
  • [06defaa2ea] - (SEMVER-MINOR) fs: add signal option to fs.stat() (Mert Can Altin) #57775
  • [db66a963bf] - (SEMVER-MINOR) fs: expose frsize field in statfs (Jinho Jang) #62277
  • [87adb3472b] - (SEMVER-MINOR) http: harden ClientRequest options merge (Matteo Collina) #63082
  • [9047ec12ce] - (SEMVER-MINOR) http: add req.signal to IncomingMessage (Akshat) #62541
  • [ab66de8eaa] - (SEMVER-MINOR) process: throw on execve(2) failure instead of aborting (Bryan English) #62878
  • [8273682c87] - (SEMVER-MINOR) src: allow empty --experimental-config-file (Marco Ippolito) #61610
  • [fbff28f7e6] - (SEMVER-MINOR) stream: propagate destruction in duplexPair (Ahmed Elhor) #61098
  • [a8c773a0c7] - (SEMVER-MINOR) test_runner: align mock timeout api (sangwook) #62820
  • [b883a5eaea] - (SEMVER-MINOR) test_runner: add mock-timers support for AbortSignal.timeout (DeveloperViraj) #60751
  • [a21ae1771e] - (SEMVER-MINOR) test_runner: support test order randomization (Pietro Marchini) #61747
  • [b85c73ff10] - (SEMVER-MINOR) util: colorize text with hex colors (Guilherme Araújo) #61556

Commits

  • [1b959d02c2] - assert,util: fix stale nested cycle memo entries (Ruben Bridgewater) #62509
  • [bbeb38d210] - buffer: fix end parameter bugs in indexOf/lastIndexOf (Robert Nagy) #62711
  • [34a6454fe3] - (SEMVER-MINOR) buffer: add end parameter (Robert Nagy) #62390
  • [8b91526cd5] - build: track PDL files as inputs in inspector GN build (Robo) #62888
  • [da40ed7842] - build: remove armv6 from experimental platforms (René) #63063
  • [b36e55a23e] - build: make test-addons dependency-free (Joyee Cheung) #62388
  • [c27f3cf8f2] - build: add --enable-all-experimentals build flag (Paolo Insogna) #62755
  • [0d73b63a76] - build: fix cargo check when Temporal is disabled (Antoine du Hamel) #62730
  • [d8f97e6f7b] - build: fix ffi dependency compilation (Paolo Insogna) #62731
  • [d1eb7b340f] - build: fix stray debug string in LIEF defines (Om Ghante) #62683
  • [845283009d] - build: remove redundant -fuse-linker-plugin from GCC LTO flags (Daniel Lando) #62667
  • [a6e99879f4] - build,win: enable x64 PGO (Stefan Stojanovic) #62761
  • [38befee0fb] - crypto: add JWK support for ML-KEM and SLH-DSA key types (Filip Skokan) #62706
  • [b10653ad87] - crypto: add guards and adjust tests for BoringSSL (Filip Skokan) #62883
  • [2a7a69c6b0] - crypto: reject unintended raw key format string input (Filip Skokan) #62974
  • [bad1e2fe6a] - crypto: fix unsigned conversion of 4-byte RSA publicExponent (DeepView Autofix) #62839
  • [c9d5bae598] - crypto: remove Argon2 KDF derivation from its job setup (Filip Skokan) #62863
  • [6eea52426f] - crypto: reject duplicate ML-KEM JWK key_ops (Filip Skokan) #62905
  • [80d4836616] - crypto: deduplicate and canonicalize CryptoKey usages (Filip Skokan) #62902
  • [8950247027] - crypto: reject inherited key type names (Jonathan Lopes) #62875
  • [3f42f9615a] - crypto: strengthen argument CHECKs in TurboSHAKE (Tobias Nießen) #62763
  • [28346d999b] - crypto: guard against size_t overflow on experimental 32-bit arch (Filip Skokan) #62626
  • [d4cec263c4] - (SEMVER-MINOR) crypto: align key argument names in docs and error messages (Filip Skokan) #62527
  • [073e84d7fe] - (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #62527
  • [518b578fe7] - crypto: add memory tracking for secureContext openssl objects (Mert Can Altin) #59051
  • [5b9cb10a5f] - (SEMVER-MINOR) crypto: implement randomUUIDv7() (nabeel378) #62553
  • [7133826053] - debugger: move ProbeInspectorSession and helpers to separate files (Joyee Cheung) #63013
  • [98f9becd16] - (SEMVER-MINOR) debugger: add edit-free runtime expression probes to node inspect (Joyee Cheung) #62713
  • [94ac62a2d1] - deps: update undici to 8.2.0 (Node.js GitHub Bot) #63092
  • [ef71de87e6] - deps: update amaro to 1.1.9 (Node.js GitHub Bot) #63090
  • [c4f0ef881a] - deps: update llhttp to 9.4.1 (Node.js GitHub Bot) #63045
  • [d29fbc0029] - deps: fix integration issues with the latest nghttp2 (Tim Perry) #62891
  • [[`5...
Read more
Loading