Notable Changes

• [47df4328d7] - build,deps: replace cjs-module-lexer with merve (Yagiz Nizipli) #61456

Commits

• [47df4328d7] - build,deps: replace cjs-module-lexer with merve (Yagiz Nizipli) #61456
• [a727054503] - deps: upgrade npm to 11.9.0 (npm team) #61685
• [c78c49ed6b] - deps: update amaro to 1.1.7 (Node.js GitHub Bot) #61730
• [4790816d9b] - deps: update minimatch to 10.1.2 (Node.js GitHub Bot) #61732
• [8c71740e8a] - deps: update undici to 7.21.0 (Node.js GitHub Bot) #61683
• [e559ef6ab1] - deps: update googletest to 56efe3983185e3f37e43415d1afa97e3860f187f (Node.js GitHub Bot) #61605
• [300de2bb5a] - deps: update amaro to 1.1.6 (Node.js GitHub Bot) #61603
• [e71e9505ef] - dns: fix Windows SRV ECONNREFUSED by adjusting c-ares fallback detection (notvivek12) #61453
• [439b816bc7] - doc: clarify EventEmitter error handling in threat model (Matteo Collina) #61701
• [c1c6641f23] - doc: mention default option for test runner env (Steven) #61659
• [41ec451f98] - doc: fix --inspect security warning section (Tim Perry) #61675
• [bb90ef2356] - doc: document url.format(urlString) as deprecated under DEP0169 (René) #61644
• [513df82e6f] - doc: update to Visual Studio 2026 manual install (Mike McCready) #61655
• [9409d30736] - doc: deprecation add more codemod (Augustin Mauroy) #61642
• [75a7a67151] - doc: fix grammatical error in README.md (ayj8201) #61653
• [821e59e884] - doc: correct tools README Boxstarter link (Mike McCready) #61638
• [4998f539a0] - doc: update server.dropMaxConnection link (YuSheng Chen) #61584
• [9383ac4ab7] - http: implement slab allocation for HTTP header parsing (Mert Can Altin) #61375
• [e90eb1d561] - meta: persist sccache daemon until end of build workflows (René) #61639
• [ade36ac367] - meta: bump github/codeql-action from 4.31.9 to 4.32.0 (dependabot[bot]) #61622
• [26638bd67f] - meta: bump step-security/harden-runner from 2.14.0 to 2.14.1 (dependabot[bot]) #61621
• [eaa9a96cb6] - meta: bump actions/setup-python from 6.1.0 to 6.2.0 (dependabot[bot]) #61627
• [fd98187828] - meta: bump cachix/cachix-action (dependabot[bot]) #61626
• [820c1d021c] - meta: bump actions/setup-node from 6.1.0 to 6.2.0 (dependabot[bot]) #61625
• [72a4136bd5] - meta: bump actions/cache from 5.0.1 to 5.0.3 (dependabot[bot]) #61624
• [e3ef6cb3bc] - meta: bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 (dependabot[bot]) #61623
• [020a836202] - meta: bump actions/stale from 10.1.0 to 10.1.1 (dependabot[bot]) #61620
• [0df72f07c8] - meta: bump actions/checkout from 6.0.1 to 6.0.2 (dependabot[bot]) #61619
• [d147c08b83] - module: do not invoke resolve hooks twice for imported cjs (Joyee Cheung) #61529
• [a2843f8556] - net: defer synchronous destroy calls in internalConnect (RajeshKumar11) #61658
• [7fb7030781] - repl: fix flaky test-repl-programmatic-history (Matteo Collina) #61614
• [d4c9b5cf5b] - sqlite: avoid extra copy for large text binds (Ali Hassan) #61580
• [aa1b3661d9] - sqlite: use DictionaryTemplate for run() result (Mert Can Altin) #61432
• [9c8ad7e881] - src: elide heap allocation in structured clone implementation (Anna Henningsen) #61703
• [c4ecfef93d] - src: use simdutf for one-byte string UTF-8 write in stringBytes (Mert Can Altin) #61696
• [28905b9734] - src: consolidate C++ ReadFileSync/WriteFileSync utilities (Joyee Cheung) #61662
• [e90cec2f69] - test: restraint version replacement pattern in snapshots (Chengzhong Wu) #61748
• [adce20c0a1] - test: print stack immediately avoiding GC interleaving (Chengzhong Wu) #61699
• [7643bc8999] - test: fix case-insensitive path matching on Windows (Matteo Collina) #61682
• [23d1ecf66f] - test: fix flaky test-performance-eventloopdelay (Matteo Collina) #61629
• [99012a88ed] - test: remove duplicate wpt tests (Filip Skokan) #61617
• [a8b32b8ce1] - test: fix race condition in watch mode tests (Matteo Collina) #61615
• [086a5a5a25] - test: update WPT for url to e3c46fdf55 (Node.js GitHub Bot) #61602
• [f0574fd419] - test: use the skipIfNoWatch() utility function (Luigi Pinca) #61531
• [b064ddc221] - test: unify assertSnapshot common patterns (Chengzhong Wu) #61590
• [17122e521b] - test_runner: fix test enqueue when test file has syntax error (Edy Silva) #61573
• [bad3f02dd9] - tools: enforce removal of lts-watch-* labels on release proposals (Antoine du Hamel) #61672
• [a8f33fd6bd] - tools: use ubuntu-slim runner in meta GitHub Actions (Tierney Cyren) #61663
• [c843e447ca] - tools: test --shared-merve in test-shared workflow (Antoine du Hamel) #61649
• [2fedc03f96] - tools: update OpenSSL to 3.5.5 in test-shared (Antoine du Hamel) #61551
• [1c1db94670]...

Notable Changes

• [1f64d6841e] - build: add support for Python 3.14 (Christian Clauss) #59983
• [30e500fc09] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #60956
• [bc0a55f086] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419
• [8a67c00bf5] - doc: mark --build-snapshot and --build-snapshot-config as stable (Joyee Cheung) #60954
• [3999c2a910] - meta: add avivkeller to collaborators (Aviv Keller) #61115
• [fa542fbae6] - meta: add gurgunday to collaborators (Gürgün Dayıoğlu) #61094
• [ff11eda2f2] - meta: add Renegade334 to collaborators (Renegade334) #60714
• [2e387fb969] - url: update ada to v3.4.2 and support unicode 17 (Yagiz Nizipli) #61593
• [bb206782d4] - v8: mark v8.queryObjects() as stable (Joyee Cheung) #60957

Commits

• [a73279c60d] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #61076
• [6a61bcd73c] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #61388
• [cf0eabcd42] - assert,util: improve deep comparison performance (Ruben Bridgewater) #61076
• [ff3b9ac183] - benchmark: add SQLite benchmarks (Guilherme Araújo) #61401
• [e1f7d68c94] - benchmark: use boolean options in benchmark tests (SeokhunEom) #60129
• [91127c91cd] - benchmark: allow boolean option values (SeokhunEom) #60129
• [170fda55f6] - benchmark: add microbench on isInsideNodeModules (Chengzhong Wu) #60991
• [3976381b41] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #60841
• [c702fccd76] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #60663
• [92c517c62d] - buffer: make methods work on Uint8Array instances (Neal Beeken) #56578
• [be95382edb] - buffer: let Buffer.of use heap (Сковорода Никита Андреевич) #60503
• [1f64d6841e] - build: test on Python 3.14 (Christian Clauss) #59983
• [ea4687981b] - build: update android-patches/trap-handler.h.patch (Mo Luo) #60369
• [b3a7a8c780] - build: update devcontainer.json to use paired nix env (Joyee Cheung) #61414
• [7168d0b5e3] - build: add embedtest into native suite (Joyee Cheung) #61357
• [e00755a977] - build: fix misplaced comma in ldflags (hqzing) #61294
• [72fcc3ee9d] - build: fix crate vendor file checksums on windows (Chengzhong Wu) #61329
• [76a73d68fd] - build: expose libplatform symbols in shared libnode (Joyee Cheung) #61144
• [ef8d26ce5c] - build: fix inconsistent quoting in Makefile (Antoine du Hamel) #60511
• [2d23968783] - build: remove temporal updater (Chengzhong Wu) #61151
• [4c2655f1c2] - build: update test-wpt-report to use NODE instead of OUT_NODE (Filip Skokan) #61024
• [eaea6821fc] - build: skip build-ci on actions with a separate test step (Chengzhong Wu) #61073
• [dfd4e12037] - build: run embedtest with node_g when BUILDTYPE=Debug (Chengzhong Wu) #60850
• [775c77234b] - build,tools: fix addon build deadlock on errors (Vladimir Morozov) #61321
• [5deafc10fa] - build,win: improve logs when ClangCL is missing (Mike McCready) #61438
• [e2481c5c6e] - build,win: update WinGet configurations to Python 3.14 (Mike McCready) #61431
• [d2586b7e4c] - child_process: treat ipc length header as unsigned uint32 (Ryuhei Shima) #61344
• [30e500fc09] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #60956
• [2c7da15612] - cluster: fix port reuse between cluster (Ryuhei Shima) #60141
• [bc0a55f086] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419
• [2d5f20e9c3] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741
• [fba95be188] - deps: update archs files for openssl-3.5.5 (Node.js GitHub Bot) #61547
• [08697289e0] - deps: upgrade openssl sources to openssl-3.5.5 (Node.js GitHub Bot) #61547
• [403c50c04d] - deps: update corepack to 0.34.6 (Node.js GitHub Bot) #61510
• [3b24691aeb] - deps: upgrade npm to 11.8.0 (npm team) #61466
• [2bba7efdc4] - deps: update googletest to 85087857ad10bd407cd6ed2f52f7ea9752db621f (Node.js GitHub Bot) #61417
• [8f8c6f6162] - deps: update sqlite to 3.51.2 (Node.js GitHub Bot) #61339
• [c46009053c] - deps: update icu to 78.2 (Node.js GitHub Bot) #60523
• [b46b8dd91b] - deps: update ada to v3.4.0 (Yagiz Nizipli) #61315
• [88c6b17e18] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #61135
• [0030c05ba9] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #61271
• [77437cff89] - deps: update nbytes to 0.1.2 (Node.js GitHub Bot) #61270
• [fb0f05a937] - deps: update timezone to 2025c (Node.js GitHub Bot) #61138
• [b426a47c05] - **de...

Notable Changes

• [796ff46ae6] - (SEMVER-MINOR) async_hooks: add trackPromises option to createHook() (Joyee Cheung) #61415
• [4cf94fae17] - (SEMVER-MINOR) net: add setTOS and getTOS to Socket (Amol Yadav) #61503
• [dce657071e] - (SEMVER-MINOR) src: add initial support for ESM in embedder API (Joyee Cheung) #61548
• [e62608bbcf] - src: improve TextEncoder encode performance with simdutf (Mert Can Altin) #61496
• [93938a4738] - (SEMVER-MINOR) stream: add bytes() method to node:stream/consumers (wantaek) #60426
• [5fe2582329] - (SEMVER-MINOR) test_runner: add env option to run function (Ethan Arrowood) #61367
• [a181d0c43d] - url: update Ada to v3.4.2 and support Unicode 17 (Yagiz Nizipli) #61593

Commits

• [9c8d1b0278] - assert: fix loose deepEqual arrays with undefined and null failing (Ruben Bridgewater) #61587
• [796ff46ae6] - (SEMVER-MINOR) async_hooks: add trackPromises option to createHook() (Joyee Cheung) #61415
• [d23ee89693] - benchmark: add streaming TextDecoder benchmark (Сковорода Никита Андреевич) #61549
• [8759db9d21] - buffer: disallow ArrayBuffer transfer on pooled buffer (Chengzhong Wu) #61372
• [b2fb82946b] - build: add --shared-lief configure flag (Antoine du Hamel) #61536
• [0ef99de9da] - build: aix: deoptimize implementation-visitor.cc with --shared (Stewart X Addison) #61550
• [8f2083e73a] - build: enable -DV8_ENABLE_CHECKS flag (Ryuhei Shima) #61327
• [150910da70] - build,test: add tests for binary linked with shared libnode (Joyee Cheung) #61463
• [fb7868ba98] - build,win: fix vs2022 compilation (Stefan Stojanovic) #61530
• [2c39a9234c] - deps: update undici to 7.19.2 (Node.js GitHub Bot) #61566
• [2a74379367] - deps: update archs files for openssl-3.5.5 (Node.js GitHub Bot) #61547
• [9e26a15c29] - deps: upgrade openssl sources to openssl-3.5.5 (Node.js GitHub Bot) #61547
• [f16b532e97] - deps: update corepack to 0.34.6 (Node.js GitHub Bot) #61510
• [780e65c5c5] - deps: V8: cherry-pick c5ff7c4d6cde (Chengzhong Wu) #61372
• [2eb8e9d760] - deps: update nghttp3 to 1.15.0 (Node.js GitHub Bot) #61512
• [a999edd8fd] - deps: update ngtcp2 to 1.20.0 (Node.js GitHub Bot) #61511
• [eedd3bb6b6] - deps: update undici to 7.19.1 (Node.js GitHub Bot) #61514
• [7d2bd59984] - deps: update undici to 7.19.0 (Node.js GitHub Bot) #61470
• [3ad4d9b11b] - doc: align Buffer.concat documentation with behavior (Gürgün Dayıoğlu) #60405
• [7e3eab5963] - doc: fix node-config-schema (Сковорода Никита Андреевич) #61596
• [cbcfaf9a35] - doc: update IBM/Red Hat volunteers with dedicated project time (Beth Griggs) #61588
• [3d68811d1a] - doc: regenerate node.1 using doc-kit (Aviv Keller) #61535
• [71702c581a] - doc: restore @ChALkeR to collaborators (Сковорода Никита Андреевич) #61553
• [0ceb8cad59] - doc: added requestOCSP option to tls.connect (ikeyan) #61064
• [da93e2178c] - doc: move Security-Team from TSC to SECURITY (Rafael Gonzaga) #61495
• [4bea821b4c] - lib: use utf8 fast path for streaming TextDecoder (Сковорода Никита Андреевич) #61549
• [f05bad91d8] - lib: recycle queues (Robert Nagy) #61461
• [44b1927938] - lib: use StringPrototypeStartsWith from primordials in locks (Taejin Kim) #61492
• [a78259828a] - lib: unify ICU and no-ICU TextDecoder (Сковорода Никита Андреевич) #61409
• [a28ddd4594] - module: do not wrap module._load when tracing is not enabled (Joyee Cheung) #61479
• [4cf94fae17] - (SEMVER-MINOR) net: add setTOS and getTOS to Socket (Amol Yadav) #61503
• [b861451d57] - process: do not truncate long strings in --print (Mohamed Akram) #61497
• [4a2e184753] - sea: print error information when fs operations fail (Joyee Cheung) #61581
• [45d25c47da] - sqlite: change approach to fix segfault SQLTagStore (Bart Louwers) #60462
• [6993386320] - sqlite: reserve vectors space (Guilherme Araújo) #61540
• [dce657071e] - (SEMVER-MINOR) src: add initial support for ESM in embedder API (Joyee Cheung) #61548
• [e62608bbcf] - src: improve textEncoder encode performance with simdutf (Mert Can Altin) #61496
• [0fce52d22c] - src: expose help texts into node-config-schema.json (Pietro Marchini) #58680
• [be644e2569] - src: throw RangeError on failed ArrayBuffer BackingStore allocation (Chengzhong Wu) #61480
• [93938a4738] - (SEMVER-MINOR) stream: add bytes() method to stream/consumers (wantaek) #60426
• [83b2bf8ea2] - test: split test-fs-watch-ignore-* (Luigi Pinca) #61494
• [4726627443] - test: aix: unflake test_threadsafe_function/test flaky on AIX (Stewart X Addison) #61560
• [6fbb0b7572] - test: delay writing the files only on macOS (Luigi Pinca) #61532
• [0a952b88bb] - test: ensure removeListener event fires for once() listeners (sangwook) [#60137](https://git...

Notable Changes

• [99a4e51f93] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419
• [fbe4da5725] - (SEMVER-MINOR) deps: add LIEF as a dependency (Joyee Cheung) #61167
• [0feab0f083] - (SEMVER-MINOR) deps: add tools and scripts to pull LIEF as a dependency (Joyee Cheung) #61167
• [e91b296001] - (SEMVER-MINOR) fs: add ignore option to fs.watch (Matteo Collina) #61433
• [b351910af1] - (SEMVER-MINOR) sea: add --build-sea to generate SEA directly with Node.js binary (Joyee Cheung) #61167
• [957292e233] - (SEMVER-MINOR) sea: split sea binary manipulation code (Joyee Cheung) #61167
• [f289817ff8] - (SEMVER-MINOR) sqlite: enable defensive mode by default (Bart Louwers) #61266
• [069f3603e2] - (SEMVER-MINOR) sqlite: add sqlite prepare options args (Guilherme Araújo) #61311
• [5a984b9a09] - src: use node- prefix on thread names (Stewart X Addison) #61307
• [75c06bc2a8] - (SEMVER-MINOR) test: migrate to --build-sea in existing SEA tests (Joyee Cheung) #61167
• [cabd58f1cb] - (SEMVER-MINOR) test: use fixture directories for sea tests (Joyee Cheung) #61167
• [ff1fcabfc9] - (SEMVER-MINOR) test_runner: support expecting a test-case to fail (Jacob Smith) #60669

Commits

• [778a56f3c9] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #61388
• [32cd18e37f] - async_hooks: enabledHooksExist shall return if hooks are enabled (Gerhard Stöbich) #61054
• [482b2568bc] - benchmark: add SQLite benchmarks (Guilherme Araújo) #61401
• [e9a34263bb] - buffer: make methods work on Uint8Array instances (Neal Beeken) #56578
• [8255cdefcf] - build: add --shared-nbytes configure flag (Antoine du Hamel) #61341
• [8dd379d110] - build: update android-patches/trap-handler.h.patch (Mo Luo) #60369
• [1b4b5eb0e4] - build: update devcontainer.json to use paired nix env (Joyee Cheung) #61414
• [86e2a763ad] - build: infer cargo mode with gyp var build_type directly (Chengzhong Wu) #61354
• [7e211e6942] - build: add embedtest into native suite (Joyee Cheung) #61357
• [637470e79f] - build: fix misplaced comma in ldflags (hqzing) #61294
• [a1a0f77a45] - build: fix crate vendor file checksums on windows (Chengzhong Wu) #61329
• [d597b8e342] - build,tools: fix addon build deadlock on errors (Vladimir Morozov) #61321
• [b5cdc27ba4] - build,win: improve logs when ClangCL is missing (Mike McCready) #61438
• [ef01f0c033] - build,win: update WinGet configurations to Python 3.14 (Mike McCready) #61431
• [d8a1cdeefe] - child_process: treat ipc length header as unsigned uint32 (Ryuhei Shima) #61344
• [588b00fafa] - cluster: fix port reuse between cluster (Ryuhei Shima) #60141
• [99a4e51f93] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #61419
• [048f7a5c9c] - deps: upgrade npm to 11.8.0 (npm team) #61466
• [fbe4da5725] - (SEMVER-MINOR) deps: add LIEF as a dependency (Joyee Cheung) #61167
• [0feab0f083] - (SEMVER-MINOR) deps: add tools and scripts to pull LIEF as a dependency (Joyee Cheung) #61167
• [4bb00d7e3c] - deps: update googletest to 85087857ad10bd407cd6ed2f52f7ea9752db621f (Node.js GitHub Bot) #61417
• [6a3c614f27] - deps: update sqlite to 3.51.2 (Node.js GitHub Bot) #61339
• [13c0397d6d] - deps: update icu to 78.2 (Node.js GitHub Bot) #60523
• [098ec6f196] - deps: update ada to v3.4.0 (Yagiz Nizipli) #61315
• [320b576125] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #61135
• [98f5e7cf51] - deps: V8: cherry-pick highway@dcc0ca1cd42 (Richard Lau) #61008
• [e326df79c9] - deps: V8: backport 209d2db9e24a (Zhijin Zeng) #61322
• [ccfd9d9b30] - doc: remove v prefix for version references (Mike McCready) #61488
• [b6cc5d77a1] - doc: mention constructor comparison in assert.deepStrictEqual (Hamza Kargin) #60253
• [236d7ee635] - doc: add CVE delay mention (Rafael Gonzaga) #61465
• [0729fb6ee7] - doc: update previous version links in BUILDING (Mike McCready) #61457
• [0fb464252f] - doc: include OpenJSF handle for security stewards (Rafael Gonzaga) #61454
• [3331bdca7c] - doc: clarify process.argv[1] behavior for -e/--eval (Jeevankumar S) #61366
• [94b34c38e2] - doc: remove Windows Dev Home instructions from BUILDING (Mike McCready) #61434
• [a17016ee81] - doc: clarify TypedArray properties on Buffer (Roman Reiss) #61355
• [214fac9d7e] - doc: update Python 3.14 manual install instructions (Windows) (Mike McCready) #61428
• [6a32a685a6] - doc: note resume build should not be done on node-test-commit (Stewart X Addison) #61373
• [2a8e8dfaf3] - doc: refine WebAssembly error documentation (sangwook) #61382
• [f3caf27f8b] - doc: add deprecation history for url.parse (Eng Zer Jun) #61389
• [[`5ab80578...

Notable Changes

• [8f6fada8f1] - cli: add --require-module/--no-require-module (Joyee Cheung) #60959
• [bf8e738df4] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #60956
• [7930d7a19b] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741
• [44f61dfb92] - doc: add @avivkeller to collaborators (Aviv Keller) #61115
• [45903ee884] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #61094
• [77faa14d99] - doc: mark --build-snapshot and --build-snapshot-config as stable (Joyee Cheung) #60954
• [aefbe4ba47] - (SEMVER-MINOR) events: repurpose events.listenerCount() to accept EventTargets (René) #60214
• [8470e2993b] - (SEMVER-MINOR) http: add http.setGlobalProxyFromEnv() (Joyee Cheung) #60953
• [24384d7438] - meta: add Renegade334 to collaborators (Renegade334) #60714
• [c1acef6d0f] - module: mark require(esm) as stable (Joyee Cheung) #60959
• [2e39f3ed6b] - module: mark module compile cache as stable (Joyee Cheung) #60971
• [e6a05cfb4f] - (SEMVER-MINOR) module: allow subpath imports that start with #/ (Jan Martin) #60864
• [fa927c31da] - (SEMVER-MINOR) process: preserve AsyncLocalStorage in queueMicrotask only when needed (Gürgün Dayıoğlu) #60913
• [bd0942f4f5] - (SEMVER-MINOR) stream: do not pass readable.compose() output via Readable.from() (René) #60907
• [5051d90100] - (SEMVER-MINOR) util: add convertProcessSignalToExitCode utility (Erick Wendel) #60963
• [408f024906] - v8: mark v8.queryObjects() as stable (Joyee Cheung) #60957

Commits

• [e61cfdbf50] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #61076
• [11861084fd] - assert,util: improve comparison performance (Ruben Bridgewater) #61176
• [4ef4f759cb] - assert,util: fix deep comparing invalid dates skipping properties (Ruben Bridgewater) #61076
• [c8fccd585f] - assert,util: improve deep comparison performance (Ruben Bridgewater) #61076
• [13661a0123] - benchmark: use boolean options in benchmark tests (SeokhunEom) #60129
• [36dead3433] - benchmark: allow boolean option values (SeokhunEom) #60129
• [376056eaef] - benchmark: add microbench on isInsideNodeModules (Chengzhong Wu) #60991
• [22d3e85b7a] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #60841
• [5016f75522] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #60663
• [012a08f6eb] - buffer: let Buffer.of use heap (Сковорода Никита Андреевич) #60503
• [65696e42ba] - build: add --shared-hdr-histogram configure flag (Antoine du Hamel) #61280
• [6155b8836e] - build: add --shared-gtest configure flag (Antoine du Hamel) #61279
• [e80127f49c] - build: expose libplatform symbols in shared libnode (Joyee Cheung) #61144
• [d99805049e] - build: fix inconsistent quoting in Makefile (Antoine du Hamel) #60511
• [3213de08e8] - build: support building crates (temporal) on windows (沈鸿飞) #61163
• [1ad8788391] - build: remove temporal updater (Chengzhong Wu) #61151
• [e6e25d65be] - build: add --debug-symbols to build with -g without enabling DCHECKs (Joyee Cheung) #61100
• [7040ec94c8] - build: update test-wpt-report to use NODE instead of OUT_NODE (Filip Skokan) #61024
• [990da3518d] - build: skip build-ci on actions with a separate test step (Chengzhong Wu) #61073
• [3259e395c9] - build: run embedtest with node_g when BUILDTYPE=Debug (Chengzhong Wu) #60850
• [af42ca569f] - build: ignore built-in temporal when building with shared lib (Chengzhong Wu) #60703
• [bec7fce07a] - build: add temporal_capi gyp (Chengzhong Wu) #60703
• [d2f50047f7] - build: fix OpenSSL version parsing for OpenSSL < 3 (Richard Lau) #60775
• [91b20c52df] - build: add flag to compile V8 with Temporal support (Antoine du Hamel) #60701
• [0aaed248f0] - build: add support for Visual Studio 2026 (Michaël Zasso) #60727
• [8f6fada8f1] - cli: add --require-module/--no-require-module (Joyee Cheung) #60959
• [bf8e738df4] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #60956
• [7930d7a19b] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741
• [1b15453602] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #61271
• [118fa97c95] - deps: update nbytes to 0.1.2 (Node.js GitHub Bot) #61270
• [9b136db814] - deps: update ngtcp2 to 1.19.0 (Node.js GitHub Bot) #61156
• [5635f23a50] - deps: update nghttp3 to 1.14.0 (Node.js GitHub Bot) #61187
• [9ec35c0977] - deps: update nghttp3 to 1.13.1 (Node.js GitHub Bot) #60046
• [4d7d37f701] - deps: update timezone to 2025c (Node.js GitHub Bot) #61138
• [2c1e3ab19d] - deps: nghttp2: revert 7784fa979d0b (Antoine du Hamel) #61136
• [[56a6513648](56a651364...

This is a security release.

Notable Changes

lib:

• (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#750
  permission:
• (CVE-2026-21636) add network check on pipe_wrap connect (RafaelGSS) nodejs-private/node-private#784
• (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
  src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
  src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
  tls:
• (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#790

Commits

• [a6a74b89a7] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #60997
• [5100614e26] - deps: update undici to 7.18.2 (Node.js GitHub Bot) #61283
• [f0a8916887] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#750
• [b4b887c5f7] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
• [26be208039] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [bdf5873d44] - (CVE-2026-21636) permission: add network check on pipe_wrap connect (RafaelGSS) nodejs-private/node-private#784
• [0578e3e921] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [4d6b55a6d1] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [c357a39e14] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#790

This is a security release.

Notable Changes

lib:

• (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
  lib,permission:
• (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
  src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
  src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
  tls:
• (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

Commits

• [2092785d01] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #60997
• [3e58b7f2af] - deps: update undici to 7.18.2 (Node.js GitHub Bot) #61283
• [4ba536a5a6] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• [89adaa21fd] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
• [7302b4dae1] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [ac030753c4] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [20075692fe] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [20591b0618] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

This is a security release.

Notable Changes

lib:

• (CVE-2025-59465) add TLSSocket default error handler
• (CVE-2025-55132) disable futimes when permission model is enabled
  lib,permission:
• (CVE-2025-55130) require full read and write to symlink APIs
  src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks
  src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle
  tls:
• (CVE-2026-21637) route callback exceptions through error handlers

Commits

• [6badf4e6f4] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #60997
• [37509c3ff0] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#791
• [eb8e41f8db] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• [ebbf942a83] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
• [6b4849583a] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [ddadc31f09] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [d4d9f3915f] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [25d6799df6] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

This is a security release.

Notable Changes

lib:

• (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#802
• (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
  lib,permission:
• (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
  src:
• (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
  src,lib:
• (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
  tls:
• (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

Commits

• [8f9ba3f623] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #60997
• [97fc9b0eb7] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#792
• [14fbbb510c] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#802
• [1febc48d5b] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797
• [494f62dc23] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
• [d7a5c587c0] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
• [51f4de4b4a] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
• [85f73e7057] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796

Notable Changes

• [1a00b5f68a] - (SEMVER-MINOR) http: add optimizeEmptyRequests server option (Rafael Gonzaga) #59778
• [ff5754077d] - (SEMVER-MINOR) lib: add options to util.deprecate (Rafael Gonzaga) #59982
• [8987159234] - (SEMVER-MINOR) module: mark type stripping as stable (Marco Ippolito) #60600
• [92c484ebf4] - (SEMVER-MINOR) node-api: add napi_create_object_with_properties (Miguel Marcondes Filho) #59953
• [b11bc5984e] - (SEMVER-MINOR) sqlite: allow setting defensive flag (Bart Louwers) #60217
• [e7da5b4b7d] - (SEMVER-MINOR) src: add watch config namespace (Marco Ippolito) #60178
• [a7f7d10c06] - (SEMVER-MINOR) src: add an option to make compile cache portable (Aditi) #58797
• [92ea669240] - (SEMVER-MINOR) src,permission: add --allow-inspector ability (Rafael Gonzaga) #59711
• [05d7509bd2] - (SEMVER-MINOR) v8: add cpu profile (theanarkh) #59807

Commits

• [e4a23a35ac] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #60603
• [b6114ae5c9] - benchmark: add per-suite setup option (Joyee Cheung) #60574
• [ac8e90af7c] - buffer: speed up concat via TypedArray#set (Gürgün Dayıoğlu) #60399
• [acbc8ca13e] - build: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) #59984
• [f97a609a07] - console: optimize single-string logging (Gürgün Dayıoğlu) #60422
• [6cd9bdc580] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #60662
• [0fafe24d9b] - crypto: fix argument validation in crypto.timingSafeEqual fast path (Joyee Cheung) #60538
• [54421e0419] - debugger: fix event listener leak in the run command (Joyee Cheung) #60464
• [c361a628b4] - deps: V8: cherry-pick 72b0e27bd936 (pthier) #60732
• [c70f4588dd] - deps: V8: cherry-pick 6bb32bd2c194 (Erik Corry) #60732
• [881fe784c5] - deps: V8: cherry-pick 0dd2318b5237 (Erik Corry) #60732
• [457c33efcc] - deps: V8: cherry-pick df20105ccf36 (Erik Corry) #60732
• [0bf45a829c] - deps: V8: backport e5dbbbadcbff (Darshan Sen) #60524
• [4993bdc476] - deps: V8: cherry-pick 5ba9200cd046 (Juan José Arboleda) #60620
• [1e9abe0078] - deps: update corepack to 0.34.5 (Node.js GitHub Bot) #60842
• [3f704ed08f] - deps: update corepack to 0.34.4 (Node.js GitHub Bot) #60643
• [04e360fdb1] - deps: V8: cherry-pick 06bf293610ef, 146962dda8d2 and e0fb10b5148c (Michaël Zasso) #60713
• [fcbd8dbbde] - deps: patch V8 to 13.6.233.17 (Michaël Zasso) #60712
• [28e9433f39] - deps: V8: cherry-pick 87356585659b (Joyee Cheung) #60069
• [3cac85b243] - deps: V8: backport 2e4c5cf9b112 (Michaël Zasso) #60654
• [1daece1970] - deps: call OPENSSL_free after ANS1_STRING_to_UTF8 (Rafael Gonzaga) #60609
• [5f55a9c9ea] - deps: nghttp2: revert 7784fa979d0b (Antoine du Hamel) #59790
• [1d9e7c1f4d] - deps: update nghttp2 to 1.67.1 (nodejs-github-bot) #59790
• [3140415068] - deps: update simdjson to 4.1.0 (Node.js GitHub Bot) #60542
• [d911f9f1b8] - deps: update amaro to 1.1.5 (Node.js GitHub Bot) #60541
• [daaaf04a32] - deps: V8: cherry-pick 2abc61361dd4 (Richard Lau) #60177
• [b4f63ee5f8] - doc: update Collaborators list to reflect hybrist handle change (Antoine du Hamel) #60650
• [effcf7a8ab] - doc: fix link in --env-file=file section (N. Bighetti) #60563
• [7011736703] - doc: fix linter issues (Antoine du Hamel) #60636
• [5cc79d8945] - doc: add missing history entry for sqlite.md (Antoine du Hamel) #60607
• [bbc649057c] - doc: correct values/references for buffer.kMaxLength (René) #60305
• [ea7ecb517b] - doc: recommend events.once to manage 'close' event (Dan Fabulich) #60017
• [58bff04cc2] - doc: highlight module loading difference between import and require (Ajay A) #59815
• [bbcbff9b4d] - doc: add CJS code snippets in sqlite.md (Allon Murienik) #60395
• [f8af33d5a7] - doc: fix typo in process.unref documentation (우혁) #59698
• [df105dc351] - doc: add some entries to glossary.md (Mohataseem Khan) #59277
• [4955cb2b5b] - doc: improve agent.createConnection docs for http and https agents (JaeHo Jang) #58205
• [6283bb5cc9] - doc: fix pseudo code in modules.md (chirsz) #57677
• [d5059ea537] - doc: add missing variable in code snippet (Koushil Mankali) #55478
• [900de373ae] - doc: add missing word in single-executable-applications.md (Konstantin Tsabolov) #53864
• [5735044c8b] - doc: fix typo in http.md (Michael Solomon) #59354
• [2dee6df831] - doc: update devcontainer.json and add documentation (Joyee Cheung) #60472
• [8f2d98d7d2] - doc: add haramj as triager (Haram Jeong) #60348
• [[bbd7fdfff4](https://gith...