fix(deps): update node.js to v25.9.0#409
Merged
renovate[bot] merged 1 commit intomainfrom Apr 2, 2026
Merged
Conversation
renovate
bot
added
dependencies
![renovate-approve[bot]](https://avatars.githubusercontent.com/in/7394?s=60&v=4){kind=small}
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
25.8.0→25.9.0Release Notes
nodejs/node (node)
v25.9.0: 2026-04-01, Version 25.9.0 (Current), @aduh95Compare Source
Notable Changes
Test runner module mocking improvements
MockModuleOptions.defaultExportandMockModuleOptions.namedExportshave beenconsolidated into a single option
MockModuleOptions.exportsto align with userexpectations and other test runners.
A
defaultproperty onMockModuleOptions.exportsrepresents the defaultexport, and own enumerable properties are treated as named exports.
An automated migration is available to update user code:
https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports
Contributed by sangwook in #61727.
Other notable changes
312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes toAsyncLocalStorage(Stephen Belanger) #6167462d2cd473b] - (SEMVER-MINOR) cli: add--max-heap-sizeoption (tannal) #58708d0ebf0e44b] - (SEMVER-MINOR) crypto: addTurboSHAKEandKangarooTwelveWeb Cryptography algorithms (Filip Skokan) #62183f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #6218867b854d407] - (SEMVER-MINOR) repl: remove dependency onnode:domain(Matteo Collina) #61227966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #62066Commits
312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #61674bfff8cb2ab] - (SEMVER-MINOR) benchmark: add benchmarks for experimental stream/iter (James M Snell) #62066c721d68502] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #62084e2f03c8e92] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #618712fcd07f1ba] - build: support empty libname flags inconfigure.py(Antoine du Hamel) #62477b800c57fce] - build: fix timezone-update path references (Chengzhong Wu) #622807dc5a1e9b4] - build: skip dockit on IBMi (SRAVANI GUNDEPALLI) #62189f0eea0f905] - build: fix --node-builtin-modules-path (Filip Skokan) #6211562d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708ac4b485698] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #621833009980d9d] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #62254f5725ca81d] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #62218f69ed4bc3f] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #618754d96e53570] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #6216993d77719e8] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #621703d2e23a981] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #62414176d6d2205] - deps: update timezone to 2026a (Node.js GitHub Bot) #6216495c7fc67ba] - deps: update googletest to2461743(Node.js GitHub Bot) #62484e5e9f2044a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #62382905b94266a] - deps: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) #62051180c150122] - deps: V8: cherry-pickcf1bce4(Richard Lau) #62449bc265aa003] - deps: upgrade npm to 11.12.1 (npm team) #62448f1b28612c4] - deps: V8: cherry-pickb25cd62(Yagiz Nizipli) #62354757719d2af] - deps: disable rust icu compiled_data features (Chengzhong Wu) #622843bdc955b63] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #62256a9703d194a] - deps: update googletest to73a63ea(Node.js GitHub Bot) #6192785138935cb] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #62213231521e75e] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #621230093863664] - doc: deprecatemodule.register()(DEP0205) (Geoffrey Booth) #623950b96ece6be] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #624568d3ea975f5] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #6249208ff16e0ba] - doc: move sqlite type conversion section to correct level (René) #6248261cc747dd8] - doc: add Rafael to last security release steward (Rafael Gonzaga) #6242364cfa5a6fa] - doc: use npm-published version of doc-kit (Aviv Keller) #621391020321fb0] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #622069caa7855b2] - doc: fix guaranteed typo (lilianakatrina684-a11y) #62374e254f65306] - doc: enhance clarification about the main field (Mowafak Almahaini) #623029e724b53f8] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #622437f37c17516] - doc: minor typo fix (Jeff Matson) #62358eb0ca98f01] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #62355198b6e0932] - doc: deprecate CryptoKey use in node:crypto (Filip Skokan) #6232117e5aee6c5] - doc: fix small environment_variables typo (chris) #62279193d629895] - doc: test and test-only targets do not run linter (Xavier Stouder) #621204a1f20ec4a] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #62208f976c9214d] - doc: clarify that any truthy value ofshellis part of DEP0190 (Antoine du Hamel) #622494d83972681] - doc: remove outdated Chrome 66 and ndb references from debugger (Kit Dallege) #6220271f2eada5b] - doc: add throwIfNoEntry version history to fs.stat (kovan) #62204670c80893b] - doc: add note (and caveat) formock.moduleabout customization hooks (Jacob Smith) #620752ff5cb13f5] - doc,test: clarify --eval syntax for leading '-' scripts (kovan) #622446c6c9004c4] - esm: fix typo in worker loader hook comment (jakecastelli) #624751cdd23c9f3] - esm: fix source phase identity bug in loadCache eviction (Guy Bedford) #624154f4ff15794] - esm: fix path normalization infinalizeResolution(Antoine du Hamel) #62080088167d102] - events: avoid cloning listeners array on every emit (Gürgün Dayıoğlu) #622610250b436ee] - fs: fix cpSync to handle non-ASCII characters (Stefan Stojanovic) #61950b67a8fb171] - inspector: add Target.getTargets and extract TargetManager (Kohei) #62487ffcc5a5722] - lib: make SubtleCrypto.supports enumerable (Filip Skokan) #6230792ef2ad8fa] - lib: prefer primordials in SubtleCrypto (Filip Skokan) #6222640a43ac4d0] - module: fix coverage of mocked CJS modules imported from ESM (Marco) #621333ef0a5b90e] - quic: remove CryptoKey support from session keys option (Filip Skokan) #623353c8dd8eb8e] - repl: use vm DONT_CONTEXTIFY context (Chengzhong Wu) #62371f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #62188e4c164e045] - repl: handle exceptions from async context after close (Anna Henningsen) #6216567b854d407] - (SEMVER-MINOR) repl: remove dependency on domain module (Matteo Collina) #61227966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158fe82baf970] - src: improve EC JWK import performance (Filip Skokan) #62396d490b171e0] - src: handle null backing store in ArrayBufferViewContents::Read (Mert Can Altin) #623430e4af848bc] - src: convert context_frame field in AsyncWrap to internal field (Anna Henningsen) #6210302980b8c8f] - src: enable compilation/linking with OpenSSL 4.0 (Filip Skokan) #62410064f7c2fa6] - src: use stack allocation in indexOf latin1 path (Mert Can Altin) #62268ede52bc2dc] - src,sqlite: fix filterFunc dangling reference (Edy Silva) #62281e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #6206603839fb087] - stream: preserve error over AbortError in pipeline (Marco) #621130000d2f011] - stream: replace bind with arrow function for onwrite callback (Ali Hassan) #620873796a73719] - test: update WPT for WebCryptoAPI to2cb332d(Node.js GitHub Bot) #62483ad8309415b] - test: update WPT for url tofc3e651(Node.js GitHub Bot) #62379bed89b037e] - test: wait for reattach before initial break on restart (Yuya Inoue) #62471c9ffffcc55] - test: disable flaky WPT Blob test on AIX (James M Snell) #62470fd41ef31f6] - (SEMVER-MINOR) test: add tests for experimental stream/iter implementation (James M Snell) #620661b9d8d3eec] - test: avoid flaky run wait in debugger restart test (Yuya Inoue) #62112cb08a29d51] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #62238abea0af8a9] - test: add WebCrypto Promise.prototype.then pollution regression tests (Filip Skokan) #6222647a2132269] - test: update WPT for WebCryptoAPI to6a1c545(Node.js GitHub Bot) #621872c63d3006c] - test_runner: add exports option for module mocks (sangwook) #6172744ac0e1302] - test_runner: make it compatible with fake timers (Matteo Collina) #592721865691275] - test_runner: set non-zero exit code when suite errors occur (Edy Silva) #622820252b2bab8] - tools: bump picomatch from 4.0.3 to 4.0.4 in /tools/eslint (dependabot[bot]) #624393368155267] - tools: bump yaml from 2.8.2 to 2.8.3 in /tools/doc (dependabot[bot]) #624375e47c359f5] - tools: adopt the--check-for-duplicatesNCU flag (Antoine du Hamel) #624784a604e82d0] - tools: bump picomatch in /tools/doc (dependabot[bot]) #62438d1a98b4ddb] - tools: bump flatted from 3.4.1 to 3.4.2 in /tools/eslint (dependabot[bot]) #62375c32daa1ab4] - tools: bump eslint deps (Huáng Jùnliàng) #623567a2fcc6d41] - tools: do not swallow error inlint-nixworkflow (Antoine du Hamel) #62292c41a2871b5] - tools: add eslint-plugin-regexp (Huáng Jùnliàng) #6209356dfeb06df] - tools: fix timeout errors inlint-nixjob (Antoine du Hamel) #6226522fc8078e8] - tools: bump flatted from 3.3.3 to 3.4.1 in /tools/eslint (dependabot[bot]) #62255409b0663bd] - tools: bump undici from 6.23.0 to 6.24.1 in /tools/doc (dependabot[bot]) #6225067c69750f4] - tools: validate all commits that are pushed tomain(Antoine du Hamel) #622467d9db8cd21] - tools: keep GN files when updating Merve (Antoine du Hamel) #621676c8fa42ba2] - typings: rationalise TypedArray types (René) #62174531c64d04e] - url: enable simdutf for ada (Yagiz Nizipli) #614772000caccde] - util: allow color aliases in styleText (sangwook) #621800aed332ab4] - wasm: support js string constant esm import (Guy Bedford) #62198d3fd4a978b] - worker: heap profile optimizations (Ilyas Shabi) #62201e992a34a18] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #62325v25.8.2: 2026-03-24, Version 25.8.2 (Current), @RafaelGSSCompare Source
This is a security release.
Notable Changes
SNICallbackinvocation intry/catch(Matteo Collina) - HighheadersDistinct/trailersDistinct(Matteo Collina) - Highpipe_wrap.cc(RafaelGSS) - MediumNGHTTP2_ERR_FLOW_CONTROLerror code (RafaelGSS) - Mediumrealpath.native(RafaelGSS) - Lowlib/fs/promises(RafaelGSS) - LowCommits
2086b7477b] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#8340f9332a40a] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#8222b6937ddb2] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271bfb8ad5787] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233be6384727f] - deps: upgrade npm to 11.11.1 (npm team) #622162feea5bb97] - deps: V8: overridedepot_toolsversion (Richard Lau) #6234486c04784dd] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#8215197a56a34] - (CVE-2026-21711) permission: include permission check to pipe_wrap.cc (RafaelGSS) nodejs-private/node-private#82004a886c735] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#7959a7f80f2b0] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794d9c9b628cf] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#83245b55dc786] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#8164bfda307c0] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819v25.8.1: 2026-03-11, Version 25.8.1 (Current), @aduh95Compare Source
Notable Changes
ea87eea71a] - module: fix extensionless CJS files in"type": "module"packages (Matteo Collina) #62083Commits
bab750d1b3] - build: do not depend on V8 deps on--without-bundled-v8builds (Antoine du Hamel) #62033b26d1c7fcb] - crypto: make --use-system-ca per-env rather than per-process (Aditi) #60678e362635abf] - crypto: add missing AES dictionaries (Filip Skokan) #620996f975db8af] - crypto: fix importKey required argument count check (Filip Skokan) #620993beaf9c5fc] - deps: update amaro to 1.1.8 (Node.js GitHub Bot) #6215153afb0edd8] - deps: update sqlite to 3.52.0 (Node.js GitHub Bot) #62150a13ed052a1] - deps: update merve to 1.2.0 (Node.js GitHub Bot) #621492c850577b7] - deps: patch resb crate (Richard Lau) #6213837862a6728] - deps: V8: cherry-pickaa0b288(Richard Lau) #6213609191ad8b4] - deps: update ada to 3.4.3 (Node.js GitHub Bot) #620498d63a178fd] - doc: copyeditaddons.md(Antoine du Hamel) #6207183719ffb64] - doc: correctutil.convertProcessSignalToExitCodevalidation behavior (René) #62134eeee7c7fb1] - doc: add efekrskl as triager (Efe) #61876db150b2e69] - doc: fix markdown forexpectFailurevalues (Jacob Smith) #62100d55a441e60] - doc: add title to index (Aviv Keller) #62046cc46204b48] - doc: include url.resolve() in DEP0169 application deprecation (Mike McCready) #620021d91a7261e] - doc,module: add missing doc for syncHooks.deregister() (Joyee Cheung) #619595198573bee] - http: fix use-after-free when freeParser is called during llhttp_execute (Gerhard Stöbich) #62095f8793f80df] - lib: fix source map url parse in dynamic imports (Chengzhong Wu) #619905439d0e0cf] - meta: bump actions/download-artifact from 7.0.0 to 8.0.0 (dependabot[bot]) #6206327fd21943a] - meta: bump actions/upload-artifact from 6.0.0 to 7.0.0 (dependabot[bot]) #620625b266f3295] - meta: bump step-security/harden-runner from 2.14.2 to 2.15.0 (dependabot[bot]) #62064ea87eea71a] - module: fix extensionless CJS files in"type": "module"packages (Matteo Collina) #62083851228cd60] - sqlite: handle stmt invalidation (Guilherme Araújo) #6187719efe60548] - src: expose async context frame debugging helper to JS (Anna Henningsen) #621030257e8072f] - src: make AsyncWrap subclass internal field counts explicit (Anna Henningsen) #62103975dafbe3b] - src: release context frame in AsyncWrap::EmitDestroy (Gerhard Stöbich) #61995f2c08c7888] - src: use validate_ascii_with_errors instead of validate_ascii (Сковорода Никита Андреевич) #611220278461d83] - stream: optimize webstreams pipeTo (Mattias Buelens) #620794d62e95bfa] - stream: fix brotli error handling in web compression streams (Filip Skokan) #621074bdcaf2865] - stream: improve Web Compression spec compliance (Filip Skokan) #62107a5b1be2045] - stream: fix UTF-8 character corruption in fast-utf8-stream (Matteo Collina) #617455632446c4e] - stream: fix TransformStream race on cancel with pending write (Marco) #62040f90fa9cd1a] - stream: accept ArrayBuffer in CompressionStream and DecompressionStream (조수민) #6191300319eaa3a] - test: update WPT for url toc928b19(Node.js GitHub Bot) #62148456abc7d20] - test: update WPT for WebCryptoAPI toc9e9558(Node.js GitHub Bot) #6214782770cb7d3] - test: improve WPT report runner (Filip Skokan) #62107cfc847d233] - test: update WPT compression toae05f5c(Filip Skokan) #6210780f78f2737] - test: update WPT for WebCryptoAPI to42e4732(Node.js GitHub Bot) #620488048e0508c] - test: fix skipping behavior fortest-runner-run-files-undefined(Antoine du Hamel) #62026699a6214c6] - tools: revert timezone update GHA workflow to ubuntu-latest (Richard Lau) #621401a453b550c] - tools: improve error handling in test426 update script (Rich Trott) #62121710dde5ee2] - tools: fix--node-builtin-modules-pathvalue inshell.nix(Antoine du Hamel) #62102dcb1cbb21f] - tools: bump the eslint group across 1 directory with 2 updates (dependabot[bot]) #620927d0b758583] - tools: fix daily wpt workflow nighly release version lookup (Filip Skokan) #620763e8c816f2e] - tools: fix example in release proposal linter (Richard Lau) #62074772d3d270d] - tools: bump minimatch from 3.1.3 to 3.1.5 in /tools/clang-format (dependabot[bot]) #6201392f3b42672] - tools: bump eslint to v10, babel to v8.0.0-rc.2 (Huáng Jùnliàng) #61905deead95ec5] - url: suppress warnings from url.format/url.resolve inside node_modules (René) #62005Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.