[pull] main from nodejs:main #62

Open
wants to merge 256 commits into base: main
Conversation

pull[bot] commented Jan 16, 2025

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.1)

Can you help keep this open source service alive? 💖 Please sponsor : )

pull[bot] added the ⤵️ pull label Jan 16, 2025

codecov-commenter commented Jan 16, 2025

⚠️ Please install the Codecov app to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.20%. Comparing base (58ac655) to head (e96072a).

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files
@@            Coverage Diff             @@
##             main      #62      +/-   ##
==========================================
- Coverage   89.20%   89.20%   -0.01%     
==========================================
  Files         662      662              
  Lines      191819   191830      +11     
  Branches    36923    36923              
==========================================
+ Hits       171114   171118       +4     
+ Misses      13555    13553       -2     
- Partials     7150     7159       +9     
Files with missing lines | Coverage Δ
lib/internal/util/inspect.js | 99.87% <100.00%> (-0.09%) ⬇️

... and 25 files with indirect coverage changes

pmarchini and others added 28 commits January 17, 2025 10:34
PR-URL: #56607
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Jacob Smith <[email protected]>
PR-URL: #56610
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
Reviewed-By: Geoffrey Booth <[email protected]>
Reviewed-By: Ethan Arrowood <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
PR-URL: #56522
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
This simplifies the memory management of ContextifyContext,
making all references visible to V8.

The destructors don't need to do anything because when the wrapper is
going away, the context is already going away or otherwise it would've
been holding the wrapper alive, so there's no need to reset the
pointers in the context. Also, any global handles to the context
would've been empty at this point, and the per-Environment context
tracking code is capable of dealing with empty handles from contexts
purged elsewhere.

To this end, the context tracking code also purges empty handles
from the list now, to prevent keeping too many empty handles around.

PR-URL: #56522
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
PR-URL: #56614
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Ruy Adorno <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Add return value check for call to SSL_CTX_add_client_CA
to be consistent with other places it is called

Fixed unused warning in one of the static analysis tools we use
at Red Hat even though it is not being reported by coverity in
the configuration we run.

Signed-off-by: Michael Dawson <[email protected]>
PR-URL: #56615
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: James M Snell <[email protected]>
PR-URL: #56616
Reviewed-By: Rafael Gonzaga <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Juan José Arboleda <[email protected]>
Reviewed-By: Santiago Gimeno <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
PR-URL: #56617
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
DEP0040 is an extremely annoying warning. Most of the people
seeing it cannot do anything about it. This commit updates the
warning logic to only emit outside of node_modules. This is
similar to other warnings such as the Buffer() constructor
warning.

Ideally, this should be backported to Node 22.

Refs: #47202
PR-URL: #56632
Reviewed-By: Jordan Harband <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Joyee Cheung <[email protected]>
Fixes: #55834
PR-URL: #56106
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Juan José Arboleda <[email protected]>
Reviewed-By: James M Snell <[email protected]>
PR-URL: #56613
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Fixes: #56611
PR-URL: #56612
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>
PR-URL: #56619
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Jake Yuesong Li <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Fixes: #56189
PR-URL: #56530
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Yongsheng Zhang <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #56648
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: James M Snell <[email protected]>
This is a security release.

Notable changes:

* CVE-2025-23083: throw on InternalWorker use when permission model is enabled (High)
* CVE-2025-23084: fix path traversal in normalize() on Windows (Medium)
* CVE-2025-23085: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
* CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

PR-URL: nodejs-private/node-private#654
This is a security release.

Notable changes:

* CVE-2025-23083: throw on InternalWorker use when permission model is enabled (High)
* CVE-2025-23084: fix path traversal in normalize() on Windows (Medium)
* CVE-2025-23085: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
* CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

PR-URL: nodejs-private/node-private#655
Signed-off-by: RafaelGSS <[email protected]>
This is a security release.

Notable changes:

* CVE-2025-23083 - throw on InternalWorker use when permission model is enabled (High)
* CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
* CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)
* CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

PR-URL: nodejs-private/node-private#664
This is a security release.

Notable changes:

* CVE-2025-23084 - fix path traversal in normalize() on Windows (Medium)
* CVE-2025-23085 - fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
* CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

PR-URL: nodejs-private/node-private#659
The section comparing `queueMicrotask()` and `process.nextTick()`
doesn't address the different scheduling behavior that the two
functions have in cjs and esm modules, and the section's introductory
mjs example also provides an incorrect output. The changes here
address this by explaining the difference between the two module
types and updating the example accordingly.

PR-URL: #56659
Fixes: #45048
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
This commit fixes a memory leak when the socket is
suddenly closed by the peer (without GOAWAY notification)
and when invalid header (by nghttp2) is identified and the
connection is terminated by peer.

Refs: https://hackerone.com/reports/2841362
PR-URL: nodejs-private/node-private#650
Reviewed-By: James M Snell <[email protected]>
CVE-ID: CVE-2025-23085
Without this patch, on Windows, normalizing a relative path might result
in a path that Windows considers absolute. In rare cases, this might
lead to path traversal vulnerabilities in user code.

We attempt to detect those cases and return a relative path instead.

Co-Authored-By: Tobias Nießen <[email protected]>
PR-URL: nodejs-private/node-private#555
Backport-PR-URL: nodejs-private/node-private#665
CVE-ID: CVE-2025-23084
Prior to this PR, it was expected that InternalWorker
usage doesn't require the --allow-worker when the permission
model is enabled. This, however, exposes a vulnerability
whenever the instance gets accessed by the user, for example
through diagnostics_channel.subscribe('worker_threads').

PR-URL: nodejs-private/node-private#629
Refs: https://hackerone.com/reports/2575105
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: Robert Nagy <[email protected]>
CVE-ID: CVE-2025-23083
PR-URL: #56695
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Pietro Marchini <[email protected]>
PR-URL: #56685
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Pietro Marchini <[email protected]>
Reviewed-By: LiviaMedeiros <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
Fixes: #56376
PR-URL: #56402
Reviewed-By: Jacob Smith <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Joyee Cheung <[email protected]>
Reviewed-By: Matteo Collina <[email protected]>
Reviewed-By: James M Snell <[email protected]>
PR-URL: #56707
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>
PR-URL: #56706
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
anonrig and others added 30 commits February 11, 2025 15:24
Replace ToLocalChecked uses.

PR-URL: #56977
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
PR-URL: #56978
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
The trimming functionality that the dotenv parsing uses currently
only takes into consideration plain spaces (' '); other types of
space characters such as tabs and newlines are not trimmed, which
can cause subtle bugs. The changes here make sure that such
characters get trimmed as well.

Co-authored-by: Yagiz Nizipli <[email protected]>
PR-URL: #56983
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: James M Snell <[email protected]>
PR-URL: #56984
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Jason Zhang <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #56985
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
PR-URL: #56955
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Juan José Arboleda <[email protected]>
PR-URL: #56804
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Juan José Arboleda <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Harshitha K P <[email protected]>
Fixes: #56718
PR-URL: #56986
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
PR-URL: #56997
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>
PR-URL: #56992
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Since nodejs-private/security-release#56 this
process has been automated.

PR-URL: #57004
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>
- We do not actually need them in PEM format, so just pass them
  around as X509 directly.
- The cached global X509 structures were previously never cleaned
  up. Clean them up at process teardown.
- Use function-local static to ensure thread-safety in
  initialization.
- Add more comments about how the various options differ.

PR-URL: #56999
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Also adds current work email to mailmap.

PR-URL: #57006
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Jordan Harband <[email protected]>
Reviewed-By: Jason Zhang <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Gerhard Stöbich <[email protected]>
Notable changes:

crypto:
  * (SEMVER-MINOR) support --use-system-ca on Windows (Joyee Cheung) #56833
  * (SEMVER-MINOR) added support for reading certificates from macOS system store (Tim Jacomb) #56599
deps:
  * update timezone to 2025a (Node.js GitHub Bot) #56876
sqlite:
  * (SEMVER-MINOR) allow returning `ArrayBufferView`s from user-defined functions (René) #56790
src:
  * set signal inspector io thread name (RafaelGSS) #56416
  * set thread name for main thread and v8 worker (RafaelGSS) #56416
  * set worker thread name using worker.name (RafaelGSS) #56416
  * use a default thread name for inspector (RafaelGSS) #56416
url:
  * (SEMVER-MINOR) add URLPattern implementation (Yagiz Nizipli) #56452
zlib:
  * (SEMVER-MINOR) add zstd support (Jan Krems) #52100

PR-URL: #57005
PR-URL: #57012
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Joyee Cheung <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Previously this would compute the release tag to be something
like FIREFOX_134_0.2_RELEASE which would not lead to a valid
URL, failing to pull the latest NSS updates from the Firefox
release. It should replace all the dots with underscores to
compute something like FIREFOX_134_0_2_RELEASE instead.

PR-URL: #56843
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>
PR-URL: #57015
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: James M Snell <[email protected]>
PR-URL: #56954
Reviewed-By: Joyee Cheung <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>
PR-URL: #57008
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
Ref #56559

PR-URL: #57021
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
PR-URL: #57013
Reviewed-By: Colin Ihrig <[email protected]>
Reviewed-By: Joyee Cheung <[email protected]>
The previous phrasing encouraged or did not discourage appending
new test cases to existing files - a practice that can reduce
the debuggability of the tests over time as they get bigger and
bigger, sometimes thousands of lines long with hundreds of
test cases, and make the CI output increasingly difficult to
read when one of the test cases fails in a very long test.

This patch updates the guideline to explicitly discourage appending
test cases this way. Also recommend including an opening comment
to describe what the test does to optimize the test towards the
scenario when it fails.

PR-URL: #57028
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Ulises Gascón <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Jake Yuesong Li <[email protected]>
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Tierney Cyren <[email protected]>
PR-URL: #57064
Reviewed-By: Jordan Harband <[email protected]>
Reviewed-By: Michaël Zasso <[email protected]>
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: James M Snell <[email protected]>
The test is spawning the python test runner directly without
considering whether the current build is a debug build or not,
i.e. it does not propagate the mode parameter when the test is
run with --mode=debug, so it always ends up using the release
build to run the test even if the test is being run for debug
builds. This patch fixes that.

PR-URL: #57034
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
PR-URL: #57026
Reviewed-By: Antoine du Hamel <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Fixes: #56993
Signed-off-by: Juan José Arboleda <[email protected]>
PR-URL: #56996
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: James M Snell <[email protected]>
On other platforms, load from the OpenSSL default certificate
file and directory.
This is different from --use-openssl-ca in that it caches
the certificates on first load, instead of always reading
from disk every time a new root store is needed.

When used together with the statically-linked OpenSSL, the
default configuration usually leads to this behavior:

- If SSL_CERT_FILE is used, load from SSL_CERT_FILE. Otherwise
  load from /etc/ssl/cert.pem
- If SSL_CERT_DIR is used, load from all the files under
  SSL_CERT_DIR. Otherwise, load from all the files under
  /etc/ssl/certs

PR-URL: #57009
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Otherwise it may fail the DCHECK that uses the locked thread
as a fast path to get the current thread.

PR-URL: #57031
Reviewed-By: Chengzhong Wu <[email protected]>
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Rafael Gonzaga <[email protected]>