V22.23.2 proposal#64567
Open
juanarbol wants to merge 331 commits into
Open
Conversation
Collaborator
|
Review requested:
|
Closed
juanarbol
force-pushed
the
v22.23.2-proposal
branch
from
July 17, 2026 22:18
aaebb74 to
1b5ffc1
Compare
juanarbol
force-pushed
the
v22.23.2-proposal
branch
from
July 19, 2026 21:01
1b5ffc1 to
c7ce3f2
Compare
Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.14.1 to 2.14.2. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](step-security/harden-runner@e3f713f...5ef0c07) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.14.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> PR-URL: #61909 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.32.0 to 4.32.4. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@b20883b...89a39a4) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.32.4 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> PR-URL: #61911 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day>
PR-URL: #61833 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Chemi Atlow <chemi@atlow.co.il> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Replace native methods with primordials. PR-URL: #61219 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Chemi Atlow <chemi@atlow.co.il> Reviewed-By: Jordan Harband <ljharb@gmail.com> Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Signed-off-by: marcopiraccini <marco.piraccini@gmail.com> PR-URL: #61836 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
The WHATWG Streams spec requires that pipeTo's chunk handling must queue a microtask before calling the write algorithm. This ensures that enqueue() does not synchronously trigger writes. Previously, PipeToReadableStreamReadRequest[kChunk] would synchronously call writableStreamDefaultWriterWrite(), which violated the spec and caused the WPT test "enqueue() must not synchronously call write algorithm" to fail. Fix by wrapping the write operation in queueMicrotask(), which defers it to the next microtask as required by the spec. Refs: whatwg/streams#1243 PR-URL: #61800 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Mattias Buelens <mattias@buelens.com>
Signed-off-by: Igor <igorshevelenkov4@gmail.com> PR-URL: #61525 Fixes: #61462 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Chemi Atlow <chemi@atlow.co.il> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com> Reviewed-By: Jacob Smith <jacob@frende.me>
Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.1.2 to 3.1.3. - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.3) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> PR-URL: #61976 Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
As specified in WebIDL (<https://webidl.spec.whatwg.org/#js-dictionary>), the fields of a dictionary need to be read in lexicographical order. PR-URL: #61980 Reviewed-By: Jason Zhang <xzha4350@gmail.com> Reviewed-By: Mattias Buelens <mattias@buelens.com> Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: #61721 Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
PR-URL: #61916 Reviewed-By: René <contact.9a5d6388@renegade334.me.uk>
PR-URL: #62020 Reviewed-By: Jacob Smith <jacob@frende.me> Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Bumps [minimatch](https://github.com/isaacs/minimatch) from 3.1.2 to 3.1.3. - [Changelog](http://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.1.2...v3.1.3) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> PR-URL: #61977 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
PR-URL: #62034 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
Add validateHeaderName/validateHeaderValue checks for non-link headers and checkInvalidHeaderChar for the Link value in HTTP/1.1 writeEarlyHints, closing a CRLF injection gap where header names and values were concatenated into the raw response without validation. Also tighten linkValueRegExp to reject CR/LF inside the <...> URL portion of Link header values. PR-URL: #61897 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Tim Perry <pimterry@gmail.com>
PR-URL: #61972 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Signed-off-by: James M Snell <jasnell@gmail.com> PR-URL: #63483 Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Signed-off-by: Daijiro Wachi <daijiro.wachi@gmail.com> PR-URL: #63511 Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: #63373 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Signed-off-by: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: #63516 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: Edy Silva <edigleyssonsilva@gmail.com>
`validateInt32(keylen, 'keylen', 0)` lets `-0` through: `typeof -0` is
`'number'`, `Number.isInteger(-0)` is `true`, and `-0 < 0` is `false`.
The value then reaches the PBKDF2Job binding, whose `IsInt32()` check
fails (V8 boxes `-0` as a HeapNumber rather than a tagged SMI) and
aborts the process with SIGABRT.
Coerce `keylen` to `+0`
after validation so the binding sees a true Int32.
Reachable from any caller that forwards a JSON-parsed value,
since `JSON.parse('{"keylen":-0}').keylen` preserves the sign.
Mirror of the prior pbkdf2 fix. `validateInt32(keylen, 'keylen', 0)`
lets `-0` through (since `-0 < 0` is `false`), and the ScryptJob
binding's `IsInt32()` check at `crypto_scrypt.cc` aborts the process
with SIGABRT because V8 boxes `-0` as a HeapNumber rather than a
tagged SMI. Coerce `keylen` to `+0` after validation.
Signed-off-by: Jordan Harband <ljharb@gmail.com>
PR-URL: #63531
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This is the [`certdata.txt`][0] from NSS 3.123.1. This is the version of NSS that shipped in Firefox 151.0.1 on 2026-05-21 Certificates removed: - QuoVadis Root CA 2 - QuoVadis Root CA 3 - DigiCert Assured ID Root CA - DigiCert Global Root CA - DigiCert High Assurance EV Root CA - SwissSign Gold CA - G2 - SecureTrust CA - Secure Global CA - COMODO Certification Authority - Certigna - certSIGN ROOT CA - Izenpe.com - AffirmTrust Commercial - AffirmTrust Networking - AffirmTrust Premium - AffirmTrust Premium ECC - TeliaSonera Root CA v1 - Entrust Root Certification Authority - G2 - Entrust Root Certification Authority - EC1 - Trustwave Global Certification Authority - Trustwave Global ECC P256 Certification Authority - Trustwave Global ECC P384 Certification Authority - GLOBALTRUST 2020 - GTS Root R2 - FIRMAPROFESIONAL CA ROOT-A WEB [0]: https://raw.githubusercontent.com/nss-dev/nss/refs/tags/NSS_3_123_1_RTM/lib/ckfw/builtins/certdata.txt PR-URL: #63527 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day>
Signed-off-by: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: #63515 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Edy Silva <edigleyssonsilva@gmail.com>
The example claimed that posting a URL object via MessageChannel would print an empty object, but since v21.0.0 (commit d920b7c) it throws a DataCloneError. Update the example and surrounding text to reflect the current behavior. Fixes: #60504 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Kit Dallege <xaum.io@gmail.com> PR-URL: #62203 Fixes: #60504 Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #63479 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Signed-off-by: RonGamzu <37371774+RonGamzu@users.noreply.github.com> PR-URL: #63465 Reviewed-By: Stephen Belanger <admin@stephenbelanger.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Original commit message:
Fix a bug causing the session module to dereference a NULL pointer when applying a corrupt changeset.
FossilOrigin-Name: e807d4e3798efd532b3d78d1dfe513ed4fbd3cb793dd0ae5c30cae6031422b10
Refs: https://sqlite.org/src/info/e807d4e3798efd53
Signed-off-by: junius-sec <sksch323@naver.com>
PR-URL: #63525
Refs: https://hackerone.com/reports/3736889
Refs: sqlite/sqlite@b869ed6
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
Guards scheduled jobs in daily.yml, codeql.yml, and scorecard.yml so they only run on nodejs/node, matching the pattern already used in tools.yml, stale.yml, and others. This prevents wasted Actions minutes and failed-run email notifications on forks. Signed-off-by: Jamie Magee <jamie.magee@gmail.com> PR-URL: #63565 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: #63405 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #63583 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Signed-off-by: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: #63586 Refs: nodejs/node-core-utils#1043 Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Signed-off-by: Chengzhong Wu <cwu631@bloomberg.net> PR-URL: #63588 Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Signed-off-by: Chengzhong Wu <legendecas@gmail.com> PR-URL: #63591 Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Forward Node.js tail stream data through a pipe-style data listener instead of manually draining readable events. This keeps compose closer to the stream pipe hot path while preserving backpressure with pause and resume. Signed-off-by: Kamat, Trivikram <16024985+trivikr@users.noreply.github.com> Assisted-by: openai:gpt-5.5 PR-URL: #63593 Reviewed-By: Robert Nagy <ronagy@icloud.com> Reviewed-By: Ethan Arrowood <ethan@arrowood.dev> Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com> Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
Defer non-critical warnings to the next event loop iteration when can_call_into_js() returns false. This prevents crashes when V8 emits warnings during REPL preview evaluation or other contexts where JavaScript execution is temporarily forbidden. When a warning is emitted inside DisallowJavascriptExecutionScope, ProcessEmitWarningGeneric cannot be called immediately. Instead, use env->SetImmediate() to queue the warning emission for after the scope exits. This preserves full warning formatting, deprecation codes, and --redirect-warnings routing. Signed-off-by: Divyanshu Sharma <Divyanshu88999@gmail.com> PR-URL: #63491 Fixes: #63473 Reviewed-By: René <contact.9a5d6388@renegade334.me.uk> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Signed-off-by: Antoine du Hamel <duhamelantoine1995@gmail.com> PR-URL: #63609 Reviewed-By: Michaël Zasso <targos@protonmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Chengzhong Wu <legendecas@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: #63621 Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Moshe Atlow <moshe@atlow.co.il> Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Signed-off-by: Joyee Cheung <joyeec9h3@gmail.com> PR-URL: #63650 Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Trivikram Kamat <trivikr.dev@gmail.com>
PR-URL: #62962 Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Original commit message:
Fixes #1056
The commit
c-ares/c-ares@1d1b3d4
refactored the function to use wide strings, but didn't touch this
check. Because an empty wide string would now be size 2 and not 1, the
empty string would go on and cause the DNS domain list to be replaced
with nothing.
Signed-off-by: @dankmeme01
Refs: c-ares/c-ares@8ba37af
PR-URL: #64110
Fixes: #62347
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Tim Perry <pimterry@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
PR-URL: #64330 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Richard Lau <richard.lau@ibm.com>
Signed-off-by: Matteo Collina <hello@matteocollina.com> PR-URL: #63752 Reviewed-By: Tim Perry <pimterry@gmail.com> Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> Reviewed-By: Gürgün Dayıoğlu <hey@gurgun.day>
juanarbol
force-pushed
the
v22.23.2-proposal
branch
from
July 19, 2026 22:53
c7ce3f2 to
743915d
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
2026-07-22, Version 22.23.2 'Jod' (LTS), @juanarbol
Notable Changes
f0a40d436d] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #63527Commits
90f90ae20e] - assert,util: fix stale nested cycle memo entries (Ruben Bridgewater) #6250938984dfc94] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #62084c19212397c] - benchmark: add startup benchmark for ESM entrypoint (Joyee Cheung) #617699310acbaa6] - benchmark: add streaming TextDecoder benchmark (Сковорода Никита Андреевич) #615498ec00f4711] - buffer: optimize buffer.concat performance (Mert Can Altin) #61721f957397cd2] - build: defNODE_USE_NODE_CODE_CACHEonly used in node_mksnapshot (Chengzhong Wu) #63588830dd0d6ff] - build: track PDL files as inputs in inspector GN build (Robo) #628883bc2bac693] - build: remove redundant -fuse-linker-plugin from GCC LTO flags (Daniel Lando) #626673e8ad4c05f] - build: support empty libname flags inconfigure.py(Antoine du Hamel) #62477d27545601d] - build: fix timezone-update path references (Chengzhong Wu) #62280aa9c749048] - build: use path-ignore in GHA coverage-windows.yml (Chengzhong Wu) #61811bf1769ea0c] - build: generate_config_gypi.py generates valid JSON (Shelley Vohr) #617913df472c6db] - build: build with v8 gdbjit support on supported platform (Joyee Cheung) #610104fe705f33b] - build: add --debug-symbols to build with -g without enabling DCHECKs (Joyee Cheung) #611006923e097f6] - build: aix: deoptimize implementation-visitor.cc with --shared (Stewart X Addison) #6155056b1198459] - build: expose libplatform symbols in shared libnode (Joyee Cheung) #6114416535de5a7] - build: ibmi follow aix visibility (SRAVANI GUNDEPALLI) #6036086c44d5109] - build: build v8 with -fvisibility=hidden -fvisibility-inlines-hidden (Joyee Cheung) #56290afb7270785] - child_process: add tracing channel for spawn (Marco) #61836f0a40d436d] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #635270249248863] - crypto: coerce -0 keylen to +0 in pbkdf2 and scrypt (Jordan Harband) #63531ac2f8f340c] - crypto: improve system certificate enumeration logic on macOS (Robo) #625767ea06c192b] - crypto: fix unsigned conversion of 4-byte RSA publicExponent (DeepView Autofix) #62839f417abd4e4] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #62254...truncated, see the whole changelog here