Notable Changes

Upgrade to OpenSSL 3.5

This release is distributed with OpenSSL 3.5.1, following the announcement that
OpenSSL 3.5 will be supported until April 2030, while Node.js 24 will be
supported until April 2028. Read more about OpenSSL support in their blog post:
https://openssl-library.org/post/2025-02-20-openssl-3.5-lts/.

Contributed by Richard Lau in #58100.

Unflag --experimental-wasm-modules

Node.js supports both source phase imports and instance phase imports to WebAssembly
modules and for WASM imports to JavaScript, in line with the current Phase 3
WebAssembly ESM Integration proposal.
The implementation and the specification are still subject to change.

Contributed by Guy Bedford in #57038.

Built-in proxy support in request() and Agent

node:http and node:https now support proxies. When NODE_USE_ENV_PROXY
is set to 1, the default global agent would parse the http_proxy/HTTP_PROXY,
https_proxy/HTTPS_PROXY, no_proxy/NO_PROXY settings from the
environment variables, and proxy the requests sent through the built-in http/https
client accordingly.

To use global proxy support from the command line:

NODE_USE_ENV_PROXY=1 HTTP_PROXY=http://proxy.example.com:8080 HTTPS_PROXY=http://proxy.example.com:8080 NO_PROXY=localhost,127.0.0.1 node client.js

In addition, http.Agent and https.Agent now support the custom proxyEnv options.

const agent = new https.Agent({ proxyEnv: { HTTPS_PROXY: 'http://proxy.example.com:8080' } });

For reference, fetch() already supports NODE_USE_ENV_PROXY as of Node.js 24.0.0.

Contributed by Joyee Cheung in #58980.

Add setDefaultCACertificates() to node:tls

This API allows dynamically configuring CA certificates that will be used by the
Node.js TLS clients by default.

Once called, the provided certificates will become the default CA certificate list
returned by tls.getCACertificates('default') and used by TLS connections that
don't specify their own CA certificates.

To add system CA certificates to the default bundle (which includes the Mozilla
CA certificates):

tls.setDefaultCACertificates(tls.getCACertificates('default').concat(tls.getCACertificates('system')));

Contributed by Joyee Cheung in #58822.

Other notable changes

• [d5640ca58a] - (SEMVER-MINOR) cli: support ${pid} placeholder in --cpu-prof-name (Haram Jeong) #59072
• [c52aaacfc5] - (SEMVER-MINOR) dns: support max timeout (theanarkh) #58440
• [927742b342] - doc: update the instruction on how to verify releases (Antoine du Hamel) #59113
• [f753645cd8] - (SEMVER-MINOR) net: update net.blocklist to allow file save and file management (alphaleadership) #58087
• [9791ff3480] - (SEMVER-MINOR) worker: add web locks api (ishabi) #58666

Commits

• [5457c7a8a1] - benchmark: adjust configuration for string-decoder bench (Rafael Gonzaga) #59187
• [28538f2255] - benchmark: add --track to benchmark (Rafael Gonzaga) #59174
• [a28d804497] - benchmark: small lint fix on _cli.js (Rafael Gonzaga) #59172
• [09717eb68e] - benchmark: drop misc/punycode benchmark (Rafael Gonzaga) #59171
• [ad6757ef02] - benchmark: fix sqlite-is-transaction (Rafael Gonzaga) #59170
• [7fc3143f61] - benchmark: reduce N for diagnostics_channel subscribe benchmark (Arthur Angelo) #59116
• [f2812723a0] - buffer: cache Environment::GetCurrent to avoid repeated calls (Mert Can Altin) #59043
• [e3e729ca60] - build: remove suppressions.supp (Rafael Gonzaga) #59079
• [dc66422768] - build,deps,tools: prepare to update to OpenSSL 3.5 (Richard Lau) #58100
• [f5da4947d9] - cli: add --use-env-proxy (Joyee Cheung) #59151
• [d5640ca58a] - (SEMVER-MINOR) cli: support ${pid} placeholder in --cpu-prof-name (Haram Jeong) #59072
• [eeeb40e95b] - (SEMVER-MINOR) crypto: add tls.setDefaultCACertificates() (Joyee Cheung) #58822
• [135fca5b72] - crypto: avoid copying buffers to UTF-8 strings in crypto.hash() (Renegade334) #59067
• [998cef10e3] - deps: update archs files for openssl-3.5.1 (Node.js GitHub Bot) #59234
• [1f06ca956a] - deps: upgrade openssl sources to openssl-3.5.1 (Node.js GitHub Bot) #59234
• [55a90eed8d] - deps: upgrade npm to 11.5.1 (npm team) #59199
• [2b5d451ae0] - deps: update amaro to 1.1.1 (Node.js GitHub Bot) #59141
• [af789d9b5c] - deps: update undici to 7.12.0 (Node.js GitHub Bot) #59135
• [a34e44545e] - deps: update sqlite to 3.50.3 (Node.js GitHub Bot) #59132
• [bfe4781c7d] - deps: update googletest to 7e17b15 (Node.js GitHub Bot) #59131
• [72adf52e51] - deps: update ada to 3.2.6 (Node.js GitHub Bot) #58966
• [2a5f35b589] - deps: V8: cherry-pick 3d750c2aa9ef (Michaël Zasso) #58750
• [3f813eaba7] - deps: update archs files for openssl-3.0.17 (Node.js GitHub Bot) #59134
• [fb52d0d8df] - deps: upgrade openssl sources to openssl-3.0.17 (Node.js GitHub Bot) #59134
• [f122602f9d] - deps: update corepack to 0.34.0 (Node.js GitHub Bot) #59133
• [c52aaacfc5] - (SEMVER-MINOR) dns: support max timeout (theanarkh) #58440
• [927742b342] - doc: update the instruction on how to verify releases (Antoine du Hamel) #59113
• [9a8d2020ad] - doc: copyedit SECURITY.md (Rich Trott) #59190
• [3da5bc0668] - doc: fix broken sentence in URL.parse (Superchupu) #59164
• [06cd7461e0] - doc: improve onboarding instructions (Joyee Cheung) #59159
• [dfb72d158b] - doc: add constraints for mem leak to threat model (Rafael Gonzaga) #58917
• [51b8dfd5c6] - doc: add Aditi-1400 to collaborators (Aditi) #59157
• [4ffa756ce3] - doc: avoid suggesting testing fast api with intense loop (Chengzhong Wu) #59111
• [6f81b274f7] - doc: fix typo in writing-test.md (SeokHun) #59123
• [88e434e687] - ...

Notable Changes

Type stripping is enabled by default

Node.js will be able to execute TypeScript files without additional configuration:

$ echo 'const foo: string = 'World'; console.log(`Hello ${foo}!`);' > file.ts
$ node file.ts
Hello World!

There are some limitations in the supported syntax documented at
https://nodejs.org/api/typescript.html#type-stripping.

This feature is experimental and is subject to change. Disable it by passing
--no-experimental-strip-types CLI flag.

Contributed by Marco Ippolito in #56350.

Other notable changes

• [26f3711228] - (SEMVER-MINOR) deps: update amaro to 1.1.0 (Node.js GitHub Bot) #56350
• [d80ef2a71f] - (SEMVER-MINOR) doc: add all watch-mode related flags to node.1 (Dario Piotrowicz) #58719
• [8ab24d21c9] - doc: add islandryu to collaborators (Shima Ryuhei) #58714
• [430e66b9b8] - (SEMVER-MINOR) esm: implement import.meta.main (Joe) #57804
• [62f7926b6a] - (SEMVER-MINOR) fs: allow correct handling of burst in fs-events with AsyncIterator (Philipp Dunkel) #58490
• [65f19a00c3] - (SEMVER-MINOR) permission: propagate permission model flags on spawn (Rafael Gonzaga) #58853
• [ccca1517f9] - (SEMVER-MINOR) sqlite: add support for readBigInts option in db connection level (Miguel Marcondes Filho) #58697
• [48003e87e8] - (SEMVER-MINOR) src,permission: add support to permission.has(addon) (Rafael Gonzaga) #58951
• [fe4290a0e6] - (SEMVER-MINOR) url: add fileURLToPathBuffer API (James M Snell) #58700
• [4dc6b4c67a] - (SEMVER-MINOR) watch: add --watch-kill-signal flag (Dario Piotrowicz) #58719
• [8dbc6b210f] - (SEMVER-MINOR) worker: make Worker async disposable (James M Snell) #58385

Commits

• [b19ffebea7] - assert: remove dead code (Yoshiya Hinosawa) #58760
• [5bc828beae] - benchmark: add source map and source map cache (Miguel Marcondes Filho) #58125
• [f7c16985a7] - build: disable v8_enable_pointer_compression_shared_cage on non-64bit (Shelley Vohr) #58867
• [ba42c72f7f] - build: option to use custom inspector_protocol path (Shelley Vohr) #58839
• [4fd8911653] - build: fix typo 'Stoage' to 'Storage' in help text (ganglike) #58777
• [114cd95919] - crypto: fix inclusion of OPENSSL_IS_BORINGSSL define (Shelley Vohr) #58845
• [6699c75eac] - crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 (Filip Skokan) #58942
• [f99aa748c0] - deps: upgrade npm to 10.9.3 (npm team) #58847
• [02e971190b] - deps: update sqlite to 3.50.2 (Node.js GitHub Bot) #58882
• [de2b85b5ae] - deps: update googletest to 35b75a2 (Node.js GitHub Bot) #58710
• [e7591d7a19] - deps: update minimatch to 10.0.3 (Node.js GitHub Bot) #58712
• [8c61b96c43] - deps: update acorn to 8.15.0 (Node.js GitHub Bot) #58711
• [113f4e2d3c] - deps: update sqlite to 3.50.1 (Node.js GitHub Bot) #58630
• [7ccd848995] - deps: update simdjson to 3.13.0 (Node.js GitHub Bot) #58629
• [e9c51deb5c] - deps: update zlib to 1.3.1-470d3a2 (Node.js GitHub Bot) #58628
• [26f3711228] - (SEMVER-MINOR) deps: update amaro to 1.1.0 (Node.js GitHub Bot) #56350
• [752dde182f] - (SEMVER-MINOR) deps: update amaro to 1.0.0 (Node.js GitHub Bot) #56350
• [258534d0dc] - (SEMVER-MINOR) deps: update amaro to 0.5.3 (Node.js GitHub Bot) #56350
• [7fcf675503] - (SEMVER-MINOR) deps: update amaro to 0.5.2 (Node.js GitHub Bot) #56350
• [81a10a67d5] - (SEMVER-MINOR) deps: update amaro to 0.5.1 (Marco Ippolito) #56350
• [25f8682a62] - (SEMVER-MINOR) deps: update amaro to 0.5.0 (nodejs-github-bot) #56350
• [4baf2167e7] - dns: fix parse memory leaky (theanarkh) #58973
• [e8f4a7df22] - dns: set timeout to 1000ms when timeout < 0 (theanarkh) #58441
• [1e373a0a25] - doc: update release key for aduh95 (Antoine du Hamel) #58877
• [d5c104246f] - doc: remove broken link to permission model source code (Juan José) #58972
• [b8885a25ff] - doc: clarify details of TSC public and private meetings (James M Snell) #58925
• [aa05823b37] - doc: mark stability markers consistent in globals.md (Antoine du Hamel) #58932
• [3856aee9b2] - doc: move "Core Promise APIs" to "Completed initiatives" (Antoine du Hamel) #58934
• [c2f9735422] - doc: fix fetch subsections in globals.md (Antoine du Hamel) #58933
• [5f4c7a9d2d] - doc: add missing Class: mentions (Antoine du Hamel) #58931
• [88ee38b37c] - doc: remove myself from security steward rotation (Michael Dawson) #58927
• [02031a9b0d] - doc: add ovflowd back to core collaborators (Claudio W.) #58911
• [9551fa3c8f] - doc: update email address for Richard Lau (Richard Lau) #58910
• [cd6bc982c0] - doc: update vm doc links (Chengzhong Wu) #58885
• [ce49303cd0] - doc: add missing comma in child_process.md (ronijames008) #58862
• [d80ef2a71f] - (SEMVER-MINOR) doc: add all watch-mode related flags to node.1 (Dario Piotrowicz) #58719
• [f8fcb1c83a] - doc: fix jsdoc definition of assert.ifError() fn in lib/assert.js (jesh) #58573
• [[28fddc04ca](https:/...

This is a security release.

Notable Changes

• (CVE-2025-27209) HashDoS in V8 with new RapidHash algorithm
• (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()

Commits

• [c33223f1a5] - (CVE-2025-27209) deps: V8: revert rapidhash commits (Michaël Zasso) nodejs-private/node-private#713
• [56f9db2aaa] - (CVE-2025-27210) lib: handle all windows reserved driver name (RafaelGSS) nodejs-private/node-private#721

This is a security release.

Notable Changes

• (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()

Commits

• [8cf5d66ab7] - (CVE-2025-27210) lib: handle all windows reserved driver name (RafaelGSS) nodejs-private/node-private#721
• [9c0cb487ec] - win,build: fix MSVS v17.14 compilation issue (StefanStojanovic) #58902

This is a security release.

Notable Changes

• (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()

Commits

• [db7b93fcef] - (CVE-2025-27210) lib: handle all windows reserved driver name (RafaelGSS) nodejs-private/node-private#721

Notable Changes

• [22b60e8a57] - (SEMVER-MINOR) crypto: support outputLength option in crypto.hash for XOF functions (Aditi) #58121
• [80dec9849d] - (SEMVER-MINOR) doc: add all watch-mode related flags to node.1 (Dario Piotrowicz) #58719
• [87f4d078b3] - (SEMVER-MINOR) fs: add disposable mkdtempSync (Kevin Gibbons) #58516
• [9623c50b53] - (SEMVER-MINOR) permission: propagate permission model flags on spawn (Rafael Gonzaga) #58853
• [797ec4da04] - (SEMVER-MINOR) sqlite: add support for readBigInts option in db connection level (Miguel Marcondes Filho) #58697
• [ed966a0215] - (SEMVER-MINOR) src,permission: add support to permission.has(addon) (Rafael Gonzaga) #58951
• [fe17f5d285] - (SEMVER-MINOR) watch: add --watch-kill-signal flag (Dario Piotrowicz) #58719

Commits

• [a118bfc536] - assert: remove dead code (Yoshiya Hinosawa) #58760
• [31252b9af1] - benchmark: add source map and source map cache (Miguel Marcondes Filho) #58125
• [4170359bcd] - bootstrap: initialize http proxy after user module loader setup (Joyee Cheung) #58938
• [c76585d10e] - build: disable v8_enable_pointer_compression_shared_cage on non-64bit (Shelley Vohr) #58867
• [049c838609] - build: option to use custom inspector_protocol path (Shelley Vohr) #58839
• [22b60e8a57] - (SEMVER-MINOR) crypto: support outputLength option in crypto.hash for XOF functions (Aditi) #58121
• [77712ae2a1] - crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 (Filip Skokan) #58942
• [93e1a33b81] - crypto: fix inclusion of OPENSSL_IS_BORINGSSL define (Shelley Vohr) #58845
• [573171deb0] - deps: V8: cherry-pick 0ce2edb7adfd (Levi Zim) #58773
• [bf66291382] - deps: V8: cherry-pick 1d7159580156 (Michaël Zasso) #58749
• [f735b8b8d0] - deps: update sqlite to 3.50.2 (Node.js GitHub Bot) #58882
• [8e9622e494] - deps: update undici to 7.11.0 (Node.js GitHub Bot) #58859
• [8741da81c7] - deps: update googletest to 35b75a2 (Node.js GitHub Bot) #58710
• [028ce40e25] - deps: update minimatch to 10.0.3 (Node.js GitHub Bot) #58712
• [3afb15b715] - dns: fix parse memory leaky (theanarkh) #58973
• [f40ac32f3e] - dns: set timeout to 1000ms when timeout < 0 (theanarkh) #58441
• [921b563999] - doc: remove broken link to permission model source code (Juan José) #58972
• [78628d6158] - doc: clarify details of TSC public and private meetings (James M Snell) #58925
• [ab834a8b94] - doc: mark stability markers consistent in globals.md (Antoine du Hamel) #58932
• [8d4f6a0016] - doc: move "Core Promise APIs" to "Completed initiatives" (Antoine du Hamel) #58934
• [94725fced5] - doc: fix fetch subsections in globals.md (Antoine du Hamel) #58933
• [a7a4870014] - doc: add missing Class: mentions (Antoine du Hamel) #58931
• [98f29fa2fd] - doc: remove myself from security steward rotation (Michael Dawson) #58927
• [710e13d436] - doc: add ovflowd back to core collaborators (Claudio W.) #58911
• [8b93008dc0] - doc: update email address for Richard Lau (Richard Lau) #58910
• [9ff81d21ed] - doc: update vm doc links (Chengzhong Wu) #58885
• [ff2efd266d] - doc: fix links in test.md (Vas Sudanagunta) #58876
• [5e854e1f61] - doc: add missing comma in child_process.md (ronijames008) #58862
• [48f5d6d686] - doc: add guidelines for introduction of ERM support (James M Snell) #58526
• [80dec9849d] - (SEMVER-MINOR) doc: add all watch-mode related flags to node.1 (Dario Piotrowicz) #58719
• [b36fa0fda1] - doc: fix jsdoc definition of assert.ifError() fn in lib/assert.js (jesh) #58573
• [cebb93ea12] - doc: add array type in http request headers (Michael Henrique) #58049
• [6e6b373da1] - doc: add missing colon to headers in globals.md (Aviv Keller) #58825
• [1519b75191] - doc: fix stream.md section order (Antoine du Hamel) #58811
• [87f4d078b3] - (SEMVER-MINOR) fs: add disposable mkdtempSync (Kevin Gibbons) #58516
• [b378fc3ac0] - fs: close dir before throwing if options.bufferSize is invalid (Livia Medeiros) #58856
• [23bd4d1867] - fs: special input -1 on chown, lchown and fchown (Alex Yang) #58836
• [d07ce8e90c] - fs: throw ERR_INVALID_THIS on illegal invocations (Livia Medeiros) #58848
• [0d969a66dc] - inspector: support undici traffic data inspection (Chengzhong Wu) #58953
• [839b25e371] - lib: expose setupInstance method on WASI class (toyobayashi) #57214
• [d8f3f649c2] - lib: fix getTypeScriptParsingMode jsdoc (沈鸿飞) #58681
• [d534706211] - meta: bump step-security/harden-runner from 2.12.0 to 2.12.2 (dependabot[bot]) #58923
• [3ec5fe04d0] - meta: bump github/codeql-action from 3.28.18 to 3.29.2 (dependabot[bot]) #58922
• [bd4a1a5b06] - meta: add IlyasShabi to collaborators (Ilyas Shabi) #58916
  ...

Notable Changes

• [841609ac1c] - doc: add islandryu to collaborators (Shima Ryuhei) #58714
• [839964ece8] - (SEMVER-MINOR) fs: allow correct handling of burst in fs-events with AsyncIterator (Philipp Dunkel) #58490
• [9b28f40834] - (SEMVER-MINOR) module: remove experimental warning from type stripping (Marco Ippolito) #58643
• [7cdda927fa] - test: fix test-timeout-flag after revert of auto subtest wait (Pietro Marchini) #58282
• [dce1995c55] - Revert "test_runner: remove promises returned by t.test()" (Romain Menke) #58282
• [8b0c5edbb6] - Revert "test_runner: remove promises returned by test()" (Romain Menke) #58282
• [713fbad7b6] - (SEMVER-MINOR) test_runner: support object property mocking (Idan Goshen) #58438
• [ef0230abaf] - (SEMVER-MINOR) url: add fileURLToPathBuffer API (James M Snell) #58700

Commits

• [2ba2c93dee] - build: fix typo 'Stoage' to 'Storage' in help text (ganglike) #58777
• [11811c15da] - deps: update nghttp2 to 1.66.0 (Node.js GitHub Bot) #58786
• [7643ce9322] - deps: update acorn to 8.15.0 (Node.js GitHub Bot) #58711
• [4b61f10eb6] - deps: V8: cherry-pick e3df60f3f5ab (Chengzhong Wu) #58691
• [fa6854f083] - deps: update amaro to 1.1.0 (Node.js GitHub Bot) #58754
• [68671f4314] - deps: upgrade npm to 11.4.2 (npm team) #58696
• [450f4815b3] - deps: update amaro to 1.0.0 (Node.js GitHub Bot) #58639
• [3aa2762e96] - deps: update sqlite to 3.50.1 (Node.js GitHub Bot) #58630
• [80eac147e6] - deps: update simdjson to 3.13.0 (Node.js GitHub Bot) #58629
• [dc1023878c] - deps: update zlib to 1.3.1-470d3a2 (Node.js GitHub Bot) #58628
• [97fbfd82af] - doc: fix stability 1.x links excluding the decimal digit (Dario Piotrowicz) #58783
• [e2e88d4971] - doc: fix wrong RFC number in http2 (Deokjin Kim) #58753
• [7bb1246c8f] - doc: add history entry for TS support in hooks (Antoine du Hamel) #58732
• [f125310d3a] - doc: run license-builder (github-actions[bot]) #58722
• [841609ac1c] - doc: add islandryu to collaborators (Shima Ryuhei) #58714
• [1cc77c7ee6] - doc: punctuation fix for Node-API versioning clarification (Jiacai Liu) #58599
• [d59680348e] - doc: add path rules and validation for export targets in package.json (0hm☘️) #58604
• [b6760b3379] - esm: syncify default path of ModuleLoader.load (Jacob Smith) #57419
• [96c78d726c] - fs: make Dir disposers idempotent (René) #58692
• [62b5879d88] - fs: avoid computing time coefficient constants in runtime (Livia Medeiros) #58728
• [af18c0e81a] - fs: remove IIFE in glob (LiviaMedeiros) #58418
• [fb4378b72e] - fs: add UV_ENOSPC to list of things to pass to err directly (Jacky Zhao) #56918
• [839964ece8] - (SEMVER-MINOR) fs: allow correct handling of burst in fs-events with AsyncIterator (Philipp Dunkel) #58490
• [c9dc0a8903] - http: fix keep-alive not timing out after post-request empty line (Shima Ryuhei) #58178
• [b11da1115e] - http2: fix DEP0194 message (KaKa) #58669
• [b1f60d2f18] - http2: add diagnostics channel 'http2.server.stream.close' (Darshan Sen) #58602
• [be93091694] - inspector: add protocol methods retrieving sent/received data (Chengzhong Wu) #58645
• [20089e2a2e] - lib: rename validateInternalField into validateThisInternalField (LiviaMedeiros) #58765
• [74983832f9] - lib: make validateInternalField() throw ERR_INVALID_THIS (LiviaMedeiros) #58765
• [081c70878f] - lib: make domexception a native error (Chengzhong Wu) #58691
• [6390f70da2] - lib,src: support DOMException ser-des (Chengzhong Wu) #58649
• [4c2c100f63] - meta: add @nodejs/inspector as codeowner (Chengzhong Wu) #58790
• [ff8a3691c4] - module: fix typescript import.meta.main (Marco Ippolito) #58661
• [45f7d160ed] - module: refactor commonjs typescript loader (Marco Ippolito) #58657
• [9b28f40834] - (SEMVER-MINOR) module: remove experimental warning from type stripping (Marco Ippolito) #58643
• [a3c7a63c73] - module: allow cycles in require() in the CJS handling in ESM loader (Joyee Cheung) #58598
• [d0e42ffa58] - repl: avoid deprecated require.extensions in tab completion (baki gul) #58653
• [82b18ba890] - repl: fix tab completion not working with computer string properties (Dario Piotrowicz) #58709
• [8c2089683e] - src: add FromV8Value<T>() for integral and enum types (Aditi) #57931
• [a0b1378a20] - src: pass resource on permission checks for spawn (Rafael Gonzaga) #58758
• [dfb0144490] - src: enhance error messages for unknown options (Pietro Marchini) #58677
• [e9c6fa514c] - src: replace std::array with static arrays in contextify (Mert Can Altin) #58580
• [4347ce3dba] - src: add new CopyUtimes function to reduce code duplication (Dario Piotrowicz) #58625...

Notable Changes

⚠️ Deprecations

Instantiating node:http classes without new

Constructing classes like IncomingMessage or ServerResponse without the new
keyword is now discouraged. This clarifies API expectations and aligns with standard
JavaScript behavior. It may warn or error in future versions.

Contributed by Yagiz Nizipli in #58518.

options.shell = "" in node:child_process

Using an empty string for shell previously had undefined behavior. This change
encourages explicit choices (e.g., shell: true or a shell path) and avoids
relying on implementation quirks.

Contributed by Antoine du Hamel and Renegade334 #58564.

HTTP/2 priority signaling

The HTTP/2 prioritization API (e.g., stream.priority) is now deprecated due to
poor real-world support. Applications should avoid using priority hints and expect future removal.

Contributed by Matteo Collina and Antoine du Hamel #58313.

✅ Features graduated to stable

assert.partialDeepStrictEqual()

This method compares only a subset of properties in deep object comparisons,
useful for flexible test assertions. Its stabilization means it's now safe for
general use and won't change unexpectedly in future releases.

Contributed by Ruben Bridgewater in #57370.

Miscellaneous

• dirent.parentPath
• filehandle.readableWebStream()
• fs.glob()
• fs.openAsBlob()
• node:readline/promises
• port.hasRef()
• readable.compose()
• readable.iterator()
• readable.readableAborted
• readable.readableDidRead
• Duplex.fromWeb()
• Duplex.toWeb()
• Readable.fromWeb()
• Readable.isDisturbed()
• Readable.toWeb()
• stream.isErrored()
• stream.isReadable()
• URL.createObjectURL()
• URL.revokeObjectURL()
• v8.setHeapSnapshotNearHeapLimit()
• Writable.fromWeb()
• Writable.toWeb()
• writable.writableAborted
• Startup Snapshot API
• ERR_INPUT_TYPE_NOT_ALLOWED
• ERR_UNKNOWN_FILE_EXTENSION
• ERR_UNKNOWN_MODULE_FORMAT
• ERR_USE_AFTER_CLOSE

Contributed by James M Snell in
#57513 and
#58541.

Semver-minor features

🔧 fs.FileHandle.readableWebStream gets autoClose option

This gives developers explicit control over whether the file descriptor should
be closed when the stream ends. Helps avoid subtle resource leaks.

Contributed by James M Snell in #58548.

🔧 fs.Dir now supports explicit resource management

This improves ergonomics around async iteration of directories. Developers can
now manually control when a directory is closed using .close() or with Symbol.asyncDispose.

Contributed by Antoine du Hamel in #58206.

📊 http2 gains diagnostics channel: http2.server.stream.finish

Adds observability support for when a stream finishes. Useful for logging,
monitoring, and debugging HTTP/2 behavior without patching internals.

Contributed by Darshan Sen in #58560.

🔐 Permissions: implicit allow-fs-read to entrypoint

Node.js permissions model now allows read access to the entry file by default.
It makes running permission-restricted apps smoother while preserving security.

Contributed by Rafael Gonzaga in #58579.

🎨 util.styleText() adds 'none' style

This lets developers remove styling cleanly without hacks. Useful for overriding
inherited terminal styles when composing styled strings.

Contributed by James M Snell in #58437.

🧑‍💻 Community updates

• [0105c13556] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #58499
• [3b857735ef] - doc: add JonasBa to collaborators (Jonas Badalic) #58355
• [fdf7612735] - doc: add puskin to collaborators (Giovanni Bucci) #58308

Commits

• [ffe7e1ace0] - (SEMVER-MINOR) assert: mark partialDeepStrictEqual() as stable (Ruben Bridgewater) #57370
• [269931f289] - async_hooks: ensure AsyncLocalStore instances work isolated (Gerhard Stöbich) #58149
• [9e0746a4ff] - benchmark: fix broken fs.cpSync benchmark (Dario Piotrowicz) #58472
• [dee8cb5bcb] - benchmark: add more options to cp-sync (Sonny) #58278
• [e840fd5b85] - benchmark: fix typo in method name for error-stack (Miguel Marcondes Filho) #58128
• [b9a16e97e0] - buffer: give names to Buffer.prototype.*Write() functions (Livia Medeiros) #58258
• [d56a5e40af] - buffer: use constexpr where possible (Yagiz Nizipli) #58141
• [215587feca] - build: add support for OpenHarmony operating system (hqzing) #58350
• [9bcef6821c] - build: fix uvwasi pkgname (Antoine du Hamel) #58270
• [7c3883c2ae] - build: search for libnode.so in multiple places (Jan Staněk) #58213
• [3f954accb3] - build: fix pointer compression builds (Joyee Cheung) #58171
• [04c8f59f84] - build: use FILE_OFFSET_BITS=64 esp. on 32-bit arch (RafaelGSS) #58090
• [8c2cf3a372] - build: use //third_party/simdutf by default in GN (Shelley Vohr) #58115
• [cff8006792] - child_process: give names to ChildProcess functions (Livia Medeiros) #58370
• [6816d779b6] - child_process: give names to promisified exec() and execFile() (LiviaMedeiros) #57916
• [5572cecca4] - crypto: expose crypto.constants.OPENSSL_IS_BORINGSSL (Shelley Vohr) #58387
• [d6aa02889c] - deps: use proper C standard when building libuv (Yaksh Bariya) #58587
• [375a6413d5] - deps: update simdjson to 3.12.3 (Node.js GitHub Bot) #57682
• [e0cd138e52] - deps: update googletest to e9092b1 (Node.js GitHub Bot) #58565
• [31e592631f] - deps: update corepack to 0.33.0 (Node.js GitHub Bot) #58566
• [386c24260b] - deps: update sqlite to 3.50.0 (Node.js GitHub Bot) #58272
• [f84998d40b] - deps: update OpenSSL gen container to Ubuntu 22.04 (Michaël Zasso) #58432
• [d49fd29859] - deps: update llhttp to 9.3.0 (Fedor Indutny) #58144
• [e397980a1a] - deps: update libuv to 1.51.0 (Node.js GitHub Bot) #58124
• [a28c33645c] - dns: fix dns query cache implementation (Ethan Arrowood) #58404
• [6939b0c624] - doc: fix the order of process.md sections (Allon Murienik) #58403
• [1ca253c363] - doc: add support link for panva (Filip Skokan) #58591
• [8319edbcf6] - doc: update metadata for _transformState deprecation (James M Snell) #58530
• [697d258136] - doc: deprecate passing an empty string to options.shell (Antoine du Hamel) #58564
• [[132fc804e8](https://gi...

Notable Changes

• [c535a3c483] - crypto: graduate WebCryptoAPI Ed25519 and X25519 algorithms as stable (Filip Skokan) #56142
• [af1dc63815] - crypto: update root certificates to NSS 3.108 (Node.js GitHub Bot) #57381
• [01d63a4ddf] - deps: update timezone to 2025b (Node.js GitHub Bot) #57857
• [b6daa344eb] - doc: add dario-piotrowicz to collaborators (Dario Piotrowicz) #58102

Commits

• [fc1fa7a357] - build: use FILE_OFFSET_BITS=64 esp. on 32-bit arch (RafaelGSS) #58090
• [79e0812181] - build: use glob for dependencies of out/Makefile (Richard Lau) #55789
• [f56e62851a] - crypto: allow length=0 for HKDF and PBKDF2 in SubtleCrypto.deriveBits (Filip Skokan) #55866
• [c535a3c483] - crypto: graduate WebCryptoAPI Ed25519 and X25519 algorithms as stable (Filip Skokan) #56142
• [39925de8b1] - crypto: allow non-multiple of 8 in SubtleCrypto.deriveBits (Filip Skokan) #55296
• [af1dc63815] - crypto: update root certificates to NSS 3.108 (Node.js GitHub Bot) #57381
• [d09008add3] - deps: V8: cherry-pick 1a3ecc2483b2 (Michaël Zasso) #58342
• [fd56652425] - deps: V8: cherry-pick 182d9c05e78b (Andrey Kosyakov) #58342
• [447481e829] - deps: V8: cherry-pick third_party/zlib@646b7f569718 (Hans Wennborg) #58342
• [eb447168df] - deps: update simdutf to 6.4.2 (Node.js GitHub Bot) #57855
• [01d63a4ddf] - deps: update timezone to 2025b (Node.js GitHub Bot) #57857
• [10fb49f2a9] - deps: update icu to 77.1 (Node.js GitHub Bot) #57455
• [f1dc7d0205] - deps: update corepack to 0.32.0 (Node.js GitHub Bot) #57265
• [7a2e64bb8a] - deps: update simdutf to 6.4.0 (Node.js GitHub Bot) #56764
• [e80669be0d] - doc: mention reports should align with Node.js CoC (Rafael Gonzaga) #57607
• [7b2c0bc92e] - doc: add gurgunday as triager (Gürgün Dayıoğlu) #57594
• [791e4879de] - doc: document REPL custom eval arguments (Dario Piotrowicz) #57690
• [2917f09876] - doc: improved fetch docs (Alessandro Miliucci) #57296
• [d940b15843] - doc: clarify unhandledRejection events behaviors in process doc (Dario Piotrowicz) #57654
• [71c664fab7] - doc: update position type to integer | null in fs (Yukihiro Hasegawa) #57745
• [0c0fbfa9c6] - doc: add missing v0.x changelog entries (Antoine du Hamel) #57779
• [e99462c9fc] - doc: correct deprecation type of assert.CallTracker (René) #57997
• [c7e92696ef] - doc: add returns for https.get (Eng Zer Jun) #58025
• [ccc42b69ce] - doc: fix env variable name in util.styleText (Antoine du Hamel) #58072
• [b6daa344eb] - doc: add dario-piotrowicz to collaborators (Dario Piotrowicz) #58102
• [e5d6a3df16] - doc: fix AsyncLocalStorage example response changes after node v18 (Naor Tedgi (Abu Emma)) #57969
• [f006411998] - doc: fix typo of file zlib.md (yusheng chen) #58093
• [5193735df4] - doc: add missing options.signal to readlinePromises.createInterface() (Jimmy Leung) #55456
• [fd44af730f] - doc: fix misaligned options in vm.compileFunction() (Jimmy Leung) #58145
• [0fdcc0ddcd] - doc: add ambassaor message (Brian Muenzenmeyer) #57600
• [5ca9616bd3] - doc: increase z-index of header element (Dario Piotrowicz) #57851
• [81342d10f0] - doc: fix deprecation type for DEP0148 (Livia Medeiros) #57785
• [776becfe01] - doc: remove mention of --require not supporting ES modules (Huáng Jùnliàng) #57620
• [3140a8f133] - doc: add missing deprecated badges in fs.md (Yukihiro Hasegawa) #57384
• [441ce24ae3] - doc: deprecate passing invalid types in fs.existsSync (Carlos Espa) #55892
• [0556f54544] - http: correctly translate HTTP method (Paolo Insogna) #52701
• [c2c6d2b035] - http: be more generational GC friendly (ywave620) #56767
• [cdf3fa241c] - http2: skip writeHead if stream is closed (Shima Ryuhei) #57686
• [bbd5aec785] - http2: fix graceful session close (Kushagra Pandey) #57808
• [b427ae4f34] - meta: remove build-windows.yml (Aviv Keller) #54662
• [49e624f554] - os: fix netmask format check condition in getCIDR function (Wiyeong Seo) #57324
• [d582954434] - src: remove unused variable in crypto_x509.cc (Michaël Zasso) #57754
• [234a505e96] - src: allow embedder customization of OOMErrorHandler (Shelley Vohr) #57325
• [c0252cd380] - src: fix -Wunreachable-code-return in node_sea (Shelley Vohr) #57664
• [fcd1622fc1] - src: fix kill signal 0 on Windows (Stefan Stojanovic) #57695
• [850192b06b] - test: skip broken sea on rhel8 (Marco Ippolito) #58761
• [3cf7cfb695] - test: update WPT for WebCryptoAPI to edd42c005c (Node.js GitHub Bot) #57365
• [f57765bdcf] - test: mark test-without-async-context-frame flaky on windows (James M Snell) #56753
  *...

Notable Changes

Remove support for HTTP/2 priority signaling

The support for priority signaling has been removed in nghttp2, following its
deprecation in the RFC 9113.
As a consequence of this, priority signaling is deprecated on all release lines of Node.js,
and removed from Node.js 24 so we can include latest updates from nghttp2.

Contributed by Matteo Collina and Antoine du Hamel in
#58293.

import.meta.main is now available

Boolean value available in ECMAScript modules, which can be used to detect
whether the current module was the entry point of the current process.

export function foo() {
  return 'Hello, world';
}

function main() {
  const message = foo();
  console.log(message);
}

if (import.meta.main) main();
// `foo` can be imported from another module without possible side-effects from `main`

Contributed by Joe and Antoine du Hamel in
#57804.

Other Notable Changes

• [e13930bbe0] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #58499
• [984894b38c] - doc: deprecate util.isNativeError in favor of Error.isError (Miguel Marcondes Filho) #58262
• [d261274b0f] - doc: deprecate passing an empty string to options.shell (Antoine du Hamel) #58564
• [510872a522] - (SEMVER-MINOR) doc: graduate Symbol.dispose/asyncDispose from experimental (James M Snell) #58467
• [6f4c9dd423] - (SEMVER-MINOR) fs: add autoClose option to FileHandle readableWebStream (James M Snell) #58548
• [32efb63242] - http: deprecate instantiating classes without new (Yagiz Nizipli) #58518
• [0234a8ef53] - (SEMVER-MINOR) http2: add diagnostics channel http2.server.stream.finish (Darshan Sen) #58560
• [0f1e94f731] - (SEMVER-MINOR) lib: graduate error codes that have been around for years (James M Snell) #58541
• [13abca3c26] - (SEMVER-MINOR) perf_hooks: make event loop delay histogram disposable (James M Snell) #58384
• [8ea1fc5f3b] - (SEMVER-MINOR) src: support namespace options in configuration file (Pietro Marchini) #58073
• [d6ea36ad6c] - src,permission: implicit allow-fs-read to app entrypoint (Rafael Gonzaga) #58579
• [5936cef60a] - (SEMVER-MINOR) test: add disposable histogram test (James M Snell) #58384
• [7a91f4aaa1] - (SEMVER-MINOR) test: add test for async disposable worker thread (James M Snell) #58385
• [532c173cf2] - (SEMVER-MINOR) util: add none style to styleText (James M Snell) #58437
• [aeb9ab4c4c] - (SEMVER-MINOR) worker: make Worker async disposable (James M Snell) #58385

Commits

• [6c92329b1b] - Revert "benchmark: fix broken fs.cpSync benchmark" (Yuesong Jake Li) #58476
• [8bc045264e] - benchmark: fix broken fs.cpSync benchmark (Dario Piotrowicz) #58472
• [46aa079cce] - benchmark: add callback-based fs.glob to glob benchmark (Livia Medeiros) #58417
• [a57b05e105] - benchmark: add more options to cp-sync (Sonny) #58278
• [8b5ada4b31] - buffer: use Utf8LengthV2() instead of Utf8Length() (Tobias Nießen) #58156
• [22e97362f3] - build: search for libnode.so in multiple places (Jan Staněk) #58213
• [0b4056c573] - build: add support for OpenHarmony operating system (hqzing) #58350
• [db7f413dd3] - build: fix pointer compression builds (Joyee Cheung) #58171
• [7ff37183e5] - build: fix defaults for shared llhttp (Antoine du Hamel) #58269
• [b8c33190fe] - build,win: fix dll build (Stefan Stojanovic) #58357
• [ef9ecbe8a6] - child_process: give names to ChildProcess functions (Livia Medeiros) #58370
• [cec9d9d016] - crypto: forward auth tag to OpenSSL immediately (Tobias Nießen) #58547
• [9fccb0609f] - crypto: expose crypto.constants.OPENSSL_IS_BORINGSSL (Shelley Vohr) #58387
• [e7c69b9345] - deps: update nghttp2 to 1.65.0 (Node.js GitHub Bot) #57269
• [d0b89598a3] - deps: use proper C standard when building libuv (Yaksh Bariya) #58587
• [8a1fe7bc6a] - deps: update simdjson to 3.12.3 (Node.js GitHub Bot) #57682
• [36b639b1eb] - deps: update googletest to e9092b1 (Node.js GitHub Bot) #58565
• [f8a2a1ef52] - deps: update corepack to 0.33.0 (Node.js GitHub Bot) #58566
• [efb28f7895] - deps: V8: cherry-pick 249de887a8d3 (Michaël Zasso) #58561
• [88e621ea97] - deps: update sqlite to 3.50.0 (Node.js GitHub Bot) #58272
• [8d2ba386f1] - deps: update OpenSSL gen container to Ubuntu 22.04 (Michaël Zasso) #58432
• [7e62a77a7f] - deps: update undici to 7.10.0 (Node.js GitHub Bot) #58445
• [87eebd7bad] - deps: keep required OpenSSL doc files (Michaël Zasso) #58431
• [10910660f6] - deps: update undici to 7.9.0 (Node.js GitHub Bot) #58268
• [5e27078ca2] - deps: update ada to 3.2.4 (Node.js GitHub Bot) #58152
• [3b1e4bdbbb] - deps: update libuv to 1.51.0 (Node.js GitHub Bot) #58124
• [6bddf587ae] - dns: fix dns query cache implementation (Ethan Arrowood) #58404
• [984894b38c] - doc: deprecate utilisNativeError in favor of ErrorisError (Miguel Marcondes Filho) #58262
• [377ef3ce3a] - doc: add support link for panva (Filip Skokan) #58591
• [33a69ff9e4] - doc: update metadata for _transformState deprecation (James M Snell) #58530
• [d261274b0f] - doc: deprecate passing an empty string to options.shell (Antoine du Hamel) [#58564]...