Update urgency: SECURITY: There are security fixes in the release.

• (CVE-2025-21605) An unauthenticated client can cause an unlimited growth of output buffers

• #13661 FUNCTION FLUSH - memory leak when using jemalloc
• #13793 WAITAOF returns prematurely
• #13853 SLAVEOF - crash when clients are blocked on lazy free
• #13863 RANDOMKEY - infinite loop during client pause
• #13877 ShardID inconsistency when both primary and replica support it

Update urgency: SECURITY: There are security fixes in the release.

• (CVE-2025-21605) An unauthenticated client can cause an unlimited growth of output buffers

• #12817, #12905 Fix race condition issues between the main thread and module threads
• #13863 RANDOMKEY - infinite loop during client pause
• #13877 ShardID inconsistency when both primary and replica support it

Update urgency: SECURITY: There are security fixes in the release.

• (CVE-2025-21605) An unauthenticated client can cause an unlimited growth of output buffers

• [3c88f3938b] - (SEMVER-MINOR) assert: implement partial error comparison (Ruben Bridgewater) #57370
• [db19a3f9fc] - (SEMVER-MINOR) assert: improve partialDeepStrictEqual (Ruben Bridgewater) #57370
• [1ee5f840b4] - (SEMVER-MINOR) cli: allow --cpu-prof* in NODE_OPTIONS (Carlos Espa) #57018
• [872ee0f2ac] - crypto: update root certificates to NSS 3.108 (Node.js GitHub Bot) #57381
• [03a0f3a56b] - (SEMVER-MINOR) crypto: support --use-system-ca on Windows (Joyee Cheung) #56833
• [94647bbdb2] - (SEMVER-MINOR) crypto: added support for reading certificates from macOS system store (Tim Jacomb) #56599
• [8f7b86a6e7] - deps: update timezone to 2025a (Node.js GitHub Bot) #56876
• [f9f611fb58] - (SEMVER-MINOR) deps,tools: add zstd 1.5.6 (Jan Martin) #52100
• [07a6d5f8cf] - (SEMVER-MINOR) dns: add TLSA record query and parsing (Rithvik Vibhu) #52983
• [d8a83ef2f3] - doc: add @geeksilva97 to collaborators (Edy Silva) #57241
• [6b93ba723b] - (SEMVER-MINOR) module: use synchronous hooks for preparsing in import(cjs) (Joyee Cheung) #55698
• [b2e44a8079] - (SEMVER-MINOR) module: implement module.registerHooks() (Joyee Cheung) #55698
• [dc91ae7471] - (SEMVER-MINOR) process: add execve (Paolo Insogna) #56496
• [bc672fcfdd] - (SEMVER-MINOR) sqlite: allow returning ArrayBufferViews from user-defined functions (René) #56790
• [5edee197ab] - (SEMVER-MINOR) tls: implement tls.getCACertificates() (Joyee Cheung) #57107
• [f9fe0e09ee] - (SEMVER-MINOR) util: expose diff function used by the assertion errors (Giovanni Bucci) #57462
• [673a424180] - (SEMVER-MINOR) v8: add v8.getCppHeapStatistics() method (Aditi) #57146
• [4991e5d826] - (SEMVER-MINOR) zlib: add zstd support (Jan Martin) #52100

• [ea70a379c3] - assert: improve partialDeepStrictEqual performance (Ruben Bridgewater) #57509
• [2b419d7e79] - (SEMVER-MINOR) assert: implement partial error comparison (Ruben Bridgewater) #57370
• [d817c17fd7] - (SEMVER-MINOR) assert: improve partialDeepStrictEqual (Ruben Bridgewater) #57370
• [7af0440073] - assert: improve myers diff performance (Giovanni Bucci) #57279
• [01cf5fb871] - (SEMVER-MINOR) assert,util: improve performance (Ruben Bridgewater) #57370
• [a58842cee4] - (SEMVER-MINOR) benchmark: adjust assert runtimes (Ruben Bridgewater) #57370
• [b20b3697aa] - (SEMVER-MINOR) benchmark: skip running some assert benchmarks by default (Ruben Bridgewater) #57370
• [ec5570fd1e] - (SEMVER-MINOR) benchmark: add assert partialDeepStrictEqual benchmark (Ruben Bridgewater) #57370
• [b991bf4ca6] - benchmark: add a warmup on bench-openSync (Elves Vieira) #57051
• [4a455bc806] - build: fix update-wpt workflow (Jonas) #57468
• [6ec397e61c] - build: fix compatibility with V8's depot_tools (Richard Lau) #57330
• [475aaca336] - build: print 'Formatting Markdown...' for long task markdown formatting (1ilsang) #57108
• [73fced7a97] - build: fix GN build failure (Cheng) #57013
• [af05f91425] - build: fix GN build of uv (Cheng) #56955
• [fd3053e947] - build: gyp exclude libm linking on macOS (deepak1556) #56901
• [5ec6b9a50f] - build: remove explicit linker call to libm on macOS (deepak1556) #56901
• [a893da9be7] - build: link with Security.framework in GN build (Cheng) #56895
• [02cd8e0a50] - build: do not put commands in sources variables (Cheng) #56885
• [73dc8c2140] - build: add double quotes around <(python) (Luigi Pinca) #56826
• [65a3b5f73c] - build: add build option suppress_all_error_on_warn (Michael Dawson) #56647
• [424aacc942] - build,win: disable node pch with ccache (Stefan Stojanovic) #57224
• [901685c723] - build,win: enable ccache (Stefan Stojanovic) #56847
• [79987676c1] - cli: clarify --cpu-prof-name allowed values (Eugenio Ceschia) #57433
• [503d4237aa] - (SEMVER-MINOR) cli: allow --cpu-prof* in NODE_OPTIONS (Carlos Espa) #57018
• [ada572b733] - crypto: ensure expected JWK alg in SubtleCrypto.importKey RSA imports (Filip Skokan) #57450
• [7e5aabde55] - crypto: update root certificates to NSS 3.108 (Node.js GitHub Bot) #57381
• [7ea6ac1e09] - crypto: add support for intermediate certs in --use-system-ca (Tim Jacomb) #57164
• [44b19ec534] - crypto: support --use-system-ca on non-Windows and non-macOS (Joyee Cheung) #57009
• [e21d126438] - crypto: fix missing OPENSSL_NO_ENGINE guard (Shelley Vohr) #57012
• [2fdf82b357] - crypto: cleanup root certificates and skip PEM deserialization (Joyee Cheung) #56999
• [03a0f3a56b] - (SEMVER-MINOR) crypto: support --use-system-ca on Windows (Joyee Cheung) #56833
• [bbdb10bc2c] - crypto: fix X509* leak in --use-system-ca (Joyee Cheung) #56832
• [5470cab6d3] - crypto: add api to get openssl security level (Michael Dawson) #56601
• [94647bbdb2] - (SEMVER-MINOR) crypto: added support for reading certificates from macOS system store (Tim Jacomb) #56599
• [caf81ca549] - debugger: fix behavior of plain object exec in debugger repl (Dario Piotrowicz) #57498
• [1d703fe220] - deps: update c-ares to v1.34.5 (Node.js GitHub Bot) #57792
• [98457dfea3] - deps: update undici to 6.21.2 (Matteo Collina) #57442
• [4a852ba11b] - deps: V8: cherry-pick c172ffc5bf54 (Choongwoo Han) #57437
• [54a12e0bcc] - deps: update googletest to 0bdccf4 (Node.js GitHub Bot) #57380
• [2e350963e5] - deps: update acorn to 8.14.1 (Node.js GitHub Bot) #57382
• [95e5d01c25] - deps: update amaro to 0.4.1 (marco-ippolito) #57121
• [ef216deb05] - deps: update amaro to 0.3.2 (marco-ippolito) #56916
• [4ef4d6ecf6] - deps: update amaro to 0.3.1 (Node.js GitHub Bot) #56785
• [a8bf5ef4a7] - deps: update simdjson to 3.12.2 (Node.js GitHub Bot) #57084
• [0bd612bb32] - deps: update archs files for openssl-3.0.16 (Node.js GitHub Bot) #57335
• [7d65f79306] - deps: upgrade openssl sources to quictls/openssl-3.0.16 (Node.js GitHub Bot) #57335
• [5c88c52491] - deps: update corepack to 0.32.0 (Node.js GitHub Bot) #57265
• [fa04bf4999] - deps: update gyp file for ngtcp2 1.11.0 (Richard Lau) #57225
• [ca6b07258d] - deps: update cjs-module-lexer to 2.1.0 (Node.js GitHub Bot) #57180
• [0a72b16fe1] - deps: update ngtcp2 to 1.11.0 (Node.js GitHub Bot) #57179
• [600fb41f54] - deps: update sqlite to 3.49.1 (Node.js GitHub Bot) #57178
• [7eb3b44010] - deps: update zlib to 1.3.0.1-motley-788cb3c (Node.js GitHub Bot) #56655
• [257d22e181] - deps: update sqlite to 3.49.0 (Node.js GitHub Bot) #56654
• [53a7bfce01] - deps: V8: cherry-pick 9ab40592f697 (Levi Zim) #56781
• [636f65cb1a] - deps: update cjs-module-lexer to 2.0.0 (Michael Dawson) #56855
• [8f7b86a6e7] - deps: update timezone to 2025a (Node.js GitHub Bot) #56876
• [db31276bfa] - deps: update simdjson to 3.12.0 (Node.js GitHub Bot) #56874
• [d1d58d6198] - deps: update googletest to e235eb3 (Node.js GitHub Bot) #56873
• [05b3dff275] - deps: update simdjson to 3.11.6 (Node.js GitHub Bot) #56250
• [f9f611fb58] - (SEMVER-MINOR) deps,tools: add zstd 1.5.6 (Jan Martin) #52100
• [ef212a41a7] - dns: restore dns query cache ttl (Ethan Arrowood) #57640
• [7a10b01e97] - dns: remove redundant code using common variable (Deokjin Kim) #57386
• [bc2603f086] - (SEMVER-MINOR) dns: add TLSA record query and parsing (Rithvik Vibhu) #52983
• [38a2e5d60b] - doc: add gurgunday as triager (Gürgün Dayıoğlu) #57594
• [b7ac0bd129] - doc: clarify behaviour of node-api adjust function (Michael Dawson) #57463
• [fa834896c8] - doc: remove Corepack documentation (Antoine du Hamel) #57635
• [8988173286] - doc: remove mention of --require not supporting ES modules (Huáng Jùnliàng) #57620
• [3a7d179dbd] - doc: mention reports should align with Node.js CoC (Rafael Gonzaga) #57607
• [983c5087f6] - doc: add section stating that very stale PRs should be closed (Dario Piotrowicz) #57541
• [f4e1f702d4] - doc: add bjohansebas as triager (Sebastian Beltran) #57564
• [9b7fd6b076] - doc: update support channels (Claudio W.) #57538
• [ef624aff55] - doc: remove cryptoStream API reference (Jonas) #57579
• [4a2afc255a] - doc: module resolution pseudocode corrections (Marcel Laverdet) #57080
• [ee5059426d] - doc: add history entry for DEP0190 in child_process.md (Antoine du Hamel) #57544
• [4deebb4fca] - doc: remove deprecated pattern in child_process.md (Antoine du Hamel) #57568
• [6cd7b37d9c] - doc: mark multiple experimental APIS as stable (James M Snell) #57510
• [c2f1fa0928] - doc: remove mertcanaltin from Triagers (Mert Can Altin) #57531
• [9b6047e520] - doc: recommend watching the collaborators repo in the onboarding doc (Darshan Sen) #57527
• [bf1e297079] - doc: remove mention of visa fees from onboarding doc (Darshan Sen) #57526
• [1041331094] - doc: deprecate passing args to spawn and execFile (Antoine du Hamel) #57389
• [06994d5a75] - doc: remove some inconsistencies in deprecations.md (Antoine du Hamel) #57512
• [707f851ba3] - doc: run license-builder (github-actions[bot]) #57511
• [a7793195d6] - doc: add new writing-docs contributing md (Dario Piotrowicz) #57502
• [30d4a43b3d] - doc: add node.js streams references to Web Streams doc (Dario Piotrowicz) #57393
• [e08365980b] - doc: prefer to sign commits under nodejs repository (Rafael Gonzaga) #57311
• [c35e1f9048] - doc: fixed the incorrect splitting of multiple words (letianpailove) #57454
• [3e1f3bc2bb] - doc: add review guidelines for collaborator nominations (Antoine du Hamel) #57449
• [fef3f82a41] - doc: add history info for --use-system-ca (Darshan Sen) #57432
• [96afdf949d] - doc: remove typo YAML snippet from tls.getCACertificates doc (Darshan Sen) #57459
• [800d61d47e] - doc: fix typo in sqlite.md (Tobias Nießen) #57473
• [4876aee775] - doc: explicit mention arbitrary code execution as a vuln (Rafael Gonzaga) #57426
• [2dd72c658f] - doc: update maintaining-openssl.md for openssl (Richard Lau) #57413
• [a49fd31f04] - doc: add missing deprecated badges in fs.md (Yukihiro Hasegawa) #57384
• [3a4ed77674] - doc: add note about sync nodejs-private branches (Rafael Gonzaga) #57404
• [1025e6dc7c] - doc: update Xcode version used for arm64 and pkg (Michaël Zasso) #57104
• [77b9e04a70] - doc: improve type stripping documentation (Marco Ippolito) #56916
• [3a75e8410d] - doc: specificy support for erasable ts syntax (Marco Ippolito) #56916
• [69f12f9686] - doc: make first parameter optional in util.getCallSites (Deokjin Kim) #57387
• [2b4e737ffb] - doc: fix usage of module.registerSync in comment (Timo Kössler) #57328
• [f320593958] - doc: add Darshan back as voting TSC member (Michael Dawson) #57402
• [2b7765469a] - doc: revise webcrypto.md types, interfaces, and added versions (Filip Skokan) #57376
• [649828c74a] - doc: add info on how project manages social media (Michael Dawson) #57318
• [2a2e1cfd71] - doc: revise tsconfig.json note (Steven) #57353
• [17883b1d46] - doc: use more clear name in getSystemErrorMessage's example (ikuma-t) #57310
• [7feed9989b] - doc: recommend setting noEmit: true in tsconfig.json (Steven) #57320
• [fe707ab162] - doc: ping nodejs/tsc for each security pull request (Rafael Gonzaga) #57309
• [f3c58ab693] - doc: fix Windows ccache section position (Stefan Stojanovic) #57326
• [e69170bacd] - doc: update node-api version matrix (Chengzhong Wu) #57287
• [0bc1fd2245] - doc: recommend erasableSyntaxOnly in ts docs (Rob Palmer) #57271
• [068013744e] - doc: clarify path.isAbsolute is not path traversal mitigation (Eric Fortis) #57073
• [238b0e856e] - doc: fix rendering of DEP0174 description (David Sanders) #56835
• [db0bcefd14] - doc: add 1ilsang to triage team (1ilsang) #57183
• [52a593feab] - doc: add @geeksilva97 to collaborators (Edy Silva) #57241
• [89f4475e32] - doc: add missing assert return types (Colin Ihrig) #57219
• [62b6d94c03] - doc: add streamResetBurst and streamResetRate (Sujal Raj) #57195
• [f150017e70] - doc: add esm examples to node:util (Alfredo González) #56793
• [99465ffa9c] - doc: update options to filehandle.appendFile() (Hasegawa-Yukihiro) #56972
• [6242520a90] - doc: add additional caveat for fs.watch (Michael Dawson) #57150
• [19cda4791a] - doc: fix typo in Windows building instructions (Tim Jacomb) #57158
• [ef206add59] - doc: fix web.libera.chat link in pull-requests.md (Samuel Bronson) #57076
• [7243c1713d] - doc: remove buffered flag from performance hooks examples (Pavel Romanov) #52607
• [617fe71f67] - doc: fix 'introduced_in' version in typescript module (1ilsang) #57109
• [6cc15b8dc9] - doc: fix link and history of SourceMap sections (Antoine du Hamel) #57098
• [6be8189041] - doc: add module namespace object links (Dario Piotrowicz) #57093
• [8611c4a3ea] - doc: disambiguate pseudo-code statement (Dario Piotrowicz) #57092
• [79da145a55] - doc: update clang-cl on Windows building guide (Joyee Cheung) #57087
• [845eaf91be] - doc: fix wrong articles used to address modules (Dario Piotrowicz) #57090
• [42c5e23eb1] - doc: modules.md: fix distance definition (Alexander “weej” Jones) #57046
• [bda851aaa3] - doc: fix wrong verb form (Dario Piotrowicz) #57091
• [64e13fd36e] - doc: fix transpiler loader hooks documentation (Joyee Cheung) #57037
• [51494d8b78] - doc: add a note about require('../common') in testing documentation (Aditi) #56953
• [053b128e9c] - doc: recommend writing tests in new files and including comments (Joyee Cheung) #57028
• [a20c62a00c] - doc: improve documentation on argument validation (Aditi) #56954
• [2921658813] - doc: buffer: fix typo on Buffer.copyBytesFrom( offset option (tpoisseau) #57015
• [6f4ab1c9b2] - doc: update cleanup to trust on vuln db automation (Rafael Gonzaga) #57004
• [5285facb3e] - doc: move stability index after history section for consistency (Antoine du Hamel) #56997
• [a7646e17ff] - doc: add signal to filehandle.writeFile() options (Yukihiro Hasegawa) #56804
• [ba031089e6] - doc: run license-builder (github-actions[bot]) #56985
• [afa6f93a32] - doc: update history of stream.Readable.toWeb() (Jimmy Leung) #56928
• [cc644de126] - doc: make MDN links to global classes more consistent (Antoine du Hamel) #56924
• [93bba4eee1] - doc: make MDN links to global classes more consistent in assert.md (Antoine du Hamel) #56920
• [ad03c85f98] - doc: make MDN links to global classes more consistent (Antoine du Hamel) #56923
• [96c2a90dee] - doc: make MDN links to global classes more consistent in util.md (Antoine du Hamel) #56922
• [6bb73c0745] - doc: make MDN links to global classes more consistent in buffer.md (Antoine du Hamel) #56921
• [824cf35475] - doc: update post sec release process (Rafael Gonzaga) #56907
• [027749eb17] - doc: update websocket link to avoid linking to self (Chengzhong Wu) #56897
• [5dcb9d632b] - doc: mark --env-file-if-exists flag as experimental (Juan José) #56893
• [4f6d751bf5] - doc: fix typo in cjs example of util.styleText (Deokjin Kim) #56769
• [313d9db7a5] - doc: clarify sqlite user-defined function behaviour (René) #56786
• [eff42956c4] - doc: correct customization hook types & clarify descriptions (Jacob Smith) #56454
• [64180421c2] - events: getMaxListeners detects 0 listeners (Matthew Aitken) #56807
• [2de27787b4] - fs: apply exclude function to root path (Rich Trott) #57420
• [b6df9e350a] - fs: handle UV_ENOTDIR in fs.statSync with throwIfNoEntry provided (Juan José Arboleda) #56996
• [14b2d496a0] - fs: make FileHandle.readableWebStream always create byte streams (Ian Kerins) #55461
• [10d2f1d898] - http: coerce content-length to number (Marco Ippolito) #57458
• [9192b7fa25] - http: be more generational GC friendly (ywave620) #56767
• [1cf98a8788] - inspector: convert event params to protocol without json (Chengzhong Wu) #57027
• [6dcad868bb] - inspector: skip promise hook in the inspector async hook (Joyee Cheung) #57148
• [787e93f75a] - inspector: add Network.Initiator in inspector protocol (Chengzhong Wu) #56805
• [c7c04d0dc8] - inspector: fix GN build (Cheng) #56798
• [177da9c3c3] - inspector: fix StringUtil::CharacterCount for unicodes (Chengzhong Wu) #56788
• [1b5418eeea] - lib: add warning when binding inspector to public IP (Demian Parkhomenko) #55736
• [cc4d33842b] - lib: limit split function calls to prevent excessive array length (Gürgün Dayıoğlu) #57501
• [0546612d1d] - lib: make getCallSites sourceMap option truly optional (James M Snell) #57388
• [d7d54e6bf3] - lib: optimize priority queue (Gürgün Dayıoğlu) #57100
• [62761c73a1] - lib: fixup incorrect argument order in assertEncoding (James M Snell) #57177
• [5dce55c376] - meta: add some clarification to the nomination process (James M Snell) #57503
• [a2a4cf1d95] - meta: remove collaborator self-nomination (Rich Trott) #57537
• [244f74b844] - meta: edit collaborator nomination process (Antoine du Hamel) #57483
• [dec204bb3f] - meta: move ovflowd to emeritus (Claudio W.) #57443
• [c0b8b84384] - meta: bump codecov/codecov-action from 5.3.1 to 5.4.0 (dependabot[bot]) #57257
• [14cbe292da] - meta: bump github/codeql-action from 3.28.8 to 3.28.10 (dependabot[bot]) #57254
• [69d2dd69e2] - meta: bump ossf/scorecard-action from 2.4.0 to 2.4.1 (dependabot[bot]) #57253
• [5f3428ded6] - meta: move RaisinTen back to collaborators, triagers and SEA champion (Darshan Sen) #57292
• [3eea8c72fc] - meta: bump actions/download-artifact from 4.1.8 to 4.1.9 (dependabot[bot]) #57260
• [2508893edb] - meta: bump peter-evans/create-pull-request from 7.0.6 to 7.0.7 (dependabot[bot]) #57259
• [fc09523f44] - meta: bump step-security/harden-runner from 2.10.4 to 2.11.0 (dependabot[bot]) #57258
• [b162402440] - meta: bump actions/cache from 4.2.0 to 4.2.2 (dependabot[bot]) #57256
• [f781be1332] - meta: bump actions/upload-artifact from 4.6.0 to 4.6.1 (dependabot[bot]) #57255
• [7934ad9fc0] - meta: bump actions/setup-python from 5.3.0 to 5.4.0 (dependabot[bot]) #56867
• [eb4fb9ce90] - meta: bump peter-evans/create-pull-request from 7.0.5 to 7.0.6 (dependabot[bot]) #56866
• [a14e7f1cc4] - meta: bump mozilla-actions/sccache-action from 0.0.6 to 0.0.7 (dependabot[bot]) #56865
• [6c8a9e3d0d] - meta: bump codecov/codecov-action from 5.0.7 to 5.3.1 (dependabot[bot]) #56864
• [f438c27cbf] - meta: bump step-security/harden-runner from 2.10.2 to 2.10.4 (dependabot[bot]) #56863
• [24b7fcb153] - meta: bump actions/cache from 4.1.2 to 4.2.0 (dependabot[bot]) #56862
• [a0afc47988] - meta: bump actions/stale from 9.0.0 to 9.1.0 (dependabot[bot]) #56860
• [8abf4e5d7d] - meta: bump github/codeql-action from 3.27.5 to 3.28.8 (dependabot[bot]) #56859
• [c5bff736e9] - meta: add CODEOWNERS for SQLite (Colin Ihrig) #57147
• [fd2abaa088] - meta: update last name for jkrems (Jan Martin) #57006
• [2383f00aae] - meta: bump actions/upload-artifact from 4.4.3 to 4.6.0 (dependabot[bot]) #56861
• [35b3140d03] - meta: bump actions/setup-node from 4.1.0 to 4.2.0 (dependabot[bot]) #56868
• [815fcef73d] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #56889
• [08001127a2] - meta: add @nodejs/url as codeowner (Chengzhong Wu) #56783
• [3ceda2a035] - module: handle cached linked async jobs in require(esm) (Joyee Cheung) #57187
• [4c29cc7e6b] - module: add dynamic file-specific ESM warnings (Mert Can Altin) #56628
• [d1845edd21] - module: improve error message from asynchronicity in require(esm) (Joyee Cheung) #57126
• [41fa7d3c21] - module: allow omitting context in synchronous next hooks (Joyee Cheung) #57056
• [deddecce3a] - module: fix require.resolve() crash on non-string paths (Aditi) #56942
• [926b887534] - module: fixing url change in load sync hook chain (Vitalii Akimov) #56402
• [6b93ba723b] - (SEMVER-MINOR) module: use synchronous hooks for preparsing in import(cjs) (Joyee Cheung) #55698
• [b2e44a8079] - (SEMVER-MINOR) module: implement module.registerHooks() (Joyee Cheung) #55698
• [e79e67f6dc] - net: validate non-string host for socket.connect (Daeyeon Jeong) #57198
• [e23056212e] - net: replace brand checks with identity checks (Yagiz Nizipli) #57341
• [9c0d5e140b] - net: emit an error when custom lookup resolves to a non-string address (Edy Silva) #57192
• [2ce79787de] - (SEMVER-MINOR) process: add execve (Paolo Insogna) #56496
• [712db2232c] - readline: add support for Symbol.dispose (Antoine du Hamel) #57276
• [55fb81c0f1] - readline: fix unresolved promise on abortion (Daniel Venable) #54030
• [dfcd9b1ac2] - sea: suppress builtin warning with disableExperimentalSEAWarning option (koooge) #57086
• [bd5c90654a] - sqlite: add support for unknown named parameters (Colin Ihrig) #57552
• [ec571382a4] - sqlite: add DatabaseSync.prototype.isOpen (Colin Ihrig) #57522
• [bb3bbed126] - sqlite: add DatabaseSync.prototype[Symbol.dispose]() (Colin Ihrig) #57506
• [6067bea027] - sqlite: restore changes from #55373 (Colin Ihrig) #56908
• [bc672fcfdd] - (SEMVER-MINOR) sqlite: allow returning ArrayBufferViews from user-defined functions (René) #56790
• [227603dc30] - sqlite,test,doc: allow Buffer and URL as database location (Edy Silva) #56991
• [9dd324467a] - src: cleanup aliased_buffer.h (Mohammed Keyvanzadeh) #57395
• [45a2b8532b] - src: do not pass nullptr to std::string ctor (Charles Kerr) #57354
• [854370a06c] - src: fix process exit listeners not receiving unsettled tla codes (Dario Piotrowicz) #56872
• [f7fb259193] - src: refactor SubtleCrypto algorithm and length validations (Filip Skokan) #57319
• [c7bcc2d6c8] - src: allow embedder customization of OOMErrorHandler (Shelley Vohr) #57325
• [fbd8862156] - src: use Maybe<void> in ProcessEmitWarningSync (Daeyeon Jeong) #57250
• [04de550289] - src: make even more improvements to error handling (James M Snell) #57264
• [f1c5e46f89] - src: use cached emit v8::String (Daeyeon Jeong) #57249
• [65b8e12689] - src: refactor SubtleCrypto algorithm and length validations (Filip Skokan) #57273
• [b6091a8b21] - src: make more error handling improvements (James M Snell) #57262
• [3bd8a6c76e] - src: fix typo in comment (Antoine du Hamel) #57291
• [f7e39385ae] - src: improve error handling in node_messaging.cc (James M Snell) #57211
• [1bb561bede] - src: improve error handling in tty_wrap.cc (James M Snell) #57211
• [567d321a40] - src: improve error handling in tcp_wrap.cc (James M Snell) #57211
• [f8bee871f7] - src: fix ThrowInvalidURL call in PathToFileURL (Daniel M Brasil) #57141
• [817f7d0e2e] - src: improve error handling in buffer and dotenv (James M Snell) #57189
• [11ef7f9d9c] - src: improve error handling in module_wrap (James M Snell) #57188
• [3b08d718b1] - src: improve error handling in spawn_sync (James M Snell) #57185
• [9221c2ad87] - src: detect whether the string is one byte representation or not (theweipeng) #56147
• [e323694772] - src: fix crash when lazy getter is invoked in a vm context (Chengzhong Wu) #57168
• [9363b05a91] - src: do not format single string argument for THROW_ERR_* (Joyee Cheung) #57126
• [5d6a1bc35b] - src: move instead of copy shared pointer in node_blob (Michaël Zasso) #57120
• [5dab48fd9f] - src: replace NewFromUtf8 with OneByteString where appropriate (James M Snell) #57096
• [0fe60b478d] - src: port defineLazyProperties to native code (Antoine du Hamel) #57081
• [792959db1d] - src: improve error handling in node_blob (James M Snell) #57078
• [e05e2cfb1e] - src: fix accessing empty string (Cheng) #57014
• [619e52ce8d] - src: lock the isolate properly in IsolateData destructor (Joyee Cheung) #57031
• [844a4a884d] - src: add self-assigment memcpy checks (Burkov Egor) #56986
• [0d1e79740f] - src: improve node::Dotenv trimming (Dario Piotrowicz) #56983
• [50f164e23b] - src: improve error handling in string_bytes/decoder (James M Snell) #56978
• [93aa4393a4] - src: improve error handling in process_wrap (James M Snell) #56977
• [c1c824e38d] - src: use args.This() in zlib (Michaël Zasso) #56988
• [0a8e474bdc] - src: add nullptr handling for NativeKeyObject (Burkov Egor) #56900
• [1ea6198a5a] - src: disallow copy/move fns/constructors (Yagiz Nizipli) #56811
• [e4100853cb] - src: add a hard dependency v8_inspector_headers (Chengzhong Wu) #56805
• [a1f92898c0] - src: improve error handling in encoding_binding.cc (James M Snell) #56915
• [dee8793d94] - src: improve error handling in permission.cc (James M Snell) #56904
• [f41bc4cfd7] - src: improve error handling in node_sqlite (James M Snell) #56891
• [e4df6181bf] - src: improve error handling in node_os by removing ToLocalChecked (James M Snell) #56888
• [2c96e7a32c] - src: improve error handling in node_url (James M Snell) #56886
• [36926ae8d8] - src: add check for Bignum in GroupOrderSize (Burkov Egor) #56702
• [a68f127a30] - src: reduce string allocations on sqlite (Yagiz Nizipli) #57227
• [e41b1735f1] - stream: fix sizeAlgorithm validation in WritableStream (Daeyeon Jeong) #57280
• [3bc877dc5c] - test: add more number cases for buffer.indexOf (Meghan Denny) #57200
• [cac9a4e832] - test: update parallel/test-tls-dhe for OpenSSL 3.5 (Richard Lau) #57477
• [3082ab3a64] - test: module syntax should throw (Marco Ippolito) #57121
• [9b0dfc9a44] - test: update snapshots for amaro v0.3.2 (Marco Ippolito) #56916
• [2defc35ea8] - test: test runner run plan (Pietro Marchini) #57304
• [ccb3df70be] - test: update WPT for WebCryptoAPI to edd42c005c (Node.js GitHub Bot) #57365
• [528103c5d0] - test: simplify test-tls-connect-abort-controller.js (Yagiz Nizipli) #57338
• [17e21e6eb5] - test: use assert.match in test-esm-import-meta (Antoine du Hamel) #57290
• [77bbee5184] - test: update compression wpt (Yagiz Nizipli) #56960
• [4fe88f8f53] - Revert "test: temporary remove resource check from fs read-write" (Rafael Gonzaga) #56906
• [766efc7758] - test: more common.mustNotCall in net, tls (Meghan Denny) #57246
• [562e635e11] - test: swap assert.strictEqual() parameters (Luigi Pinca) #57217
• [64fdfd5622] - test: assert write return values in buffer-bigint64 (Meghan Denny) #57212
• [dd538e7cf1] - test: allow embedder running async context frame test (Shelley Vohr) #57193
• [937bbeb2b6] - test: resolve race condition in test-net-write-fully-async-* (Matteo Collina) #57022
• [32df9f27d8] - test: add doAppendAndCancel test (Hasegawa-Yukihiro) #56972
• [90c98df258] - test: fix test-without-async-context-frame.mjs in debug mode (Joyee Cheung) #57034
• [974817c9fc] - test: make eval snapshot comparison more flexible (Shelley Vohr) #57020
• [09741cd129] - test: simplify test-http2-client-promisify-connect-error (Luigi Pinca) #57144
• [89f3feb364] - test: improve error output of test-http2-client-promisify-connect-error (Antoine du Hamel) #57135
• [25751eba4d] - test: add case for unrecognised fields within pjson "exports" (Jacob Smith) #57026
• [bf0b9fa7c0] - test: remove unnecessary assert requiring from tests (Dario Piotrowicz) #57008
• [8cfb2df466] - test: reduce flakiness on test-net-write-fully-async-buffer (Yagiz Nizipli) #56971
• [43c8c101da] - test: remove flakiness on macOS test (Yagiz Nizipli) #56971
• [bd47178f7f] - test: improve timeout duration for debugger events (Yagiz Nizipli) #56970
• [65694aa2fd] - test: remove unnecessary syscall to cpuinfo (Yagiz Nizipli) #56968
• [5633c4b2df] - test: update webstorage wpt (Yagiz Nizipli) #56963
• [2244a2776a] - test: execute shell directly for refresh() (Yagiz Nizipli) #55051
• [afae4b1216] - test: change jenkins reporter (Carlos Espa) #56808
• [b26592a7c4] - test: fix race condition in test-child-process-bad-stdio (Colin Ihrig) #56845
• [72c2279649] - test: adjust check to use OpenSSL sec level (Michael Dawson) #56819
• [9551b27651] - test: test-crypto-scrypt.js doesn't need internals (Meghan Denny) #56673
• [3095db84be] - test: set test-fs-cp as flaky (Stefan Stojanovic) #56799
• [31f98d7ccd] - test: search cctest files (Chengzhong Wu) #56791
• [267f17d5f6] - test: convert test_encoding_binding.cc to a JS test (Chengzhong Wu) #56791
• [a875d7bdd1] - test: test-crypto-prime.js doesn't need internals (Meghan Denny) #56675
• [85482d69c6] - test: temporary remove resource check from fs read-write (Rafael Gonzaga) #56789
• [ec63d72f16] - test: mark test-without-async-context-frame flaky on windows (James M Snell) #56753
• [f16acc8521] - test: remove unnecessary code (Luigi Pinca) #56784
• [0573c19a97] - test: mark test-esm-loader-hooks-inspect-wait flaky (Richard Lau) #56803
• [48e0fd3f13] - test: update WPT for url to a23788b77a (Node.js GitHub Bot) #56779
• [642959b87f] - test: remove duplicate error reporter from ci (Carlos Espa) #56739
• [2023237b4e] - test,crypto: make tests work for BoringSSL (Shelley Vohr) #57021
• [1b33b976ec] - test_runner: refactor testPlan counter increse (Pietro Marchini) #56765
• [d860f2bf42] - test_runner: differentiate test types in enqueue dequeue events (Eddie Abbondanzio) #54049
• [993bab646c] - test_runner: print formatted errors on summary (Pietro Marchini) #56911
• [3ed3ba438f] - test_runner: allow special characters in snapshot keys (Carlos Espa) #57017
• [d1da9a3a2f] - timers: optimize timer functions with improved argument handling (Gürgün Dayıoğlu) #57072
• [44aa13990a] - timers: remove unnecessary allocation of _onTimeout (Gürgün Dayıoğlu) #57497
• [401b965977] - timers: remove unused parameter from insertGuarded (Gürgün Dayıoğlu) #57251
• [9eac9c02c9] - timers: simplify the compareTimersLists function (Gürgün Dayıoğlu) #57110
• [01215af350] - tls: remove unnecessary type check on normalize (Yagiz Nizipli) #57336
• [f5e2b12a60] - (SEMVER-MINOR) tls: implement tls.getCACertificates() (Joyee Cheung) #57107
• [7a777cdb58] - tools: fix WPT update cron string (Antoine du Hamel) #57665
• [c6d90dbf9b] - tools: remove stalled label on unstalled issues and PRs (Rich Trott) #57630
• [96f7f64602] - tools: update sccache to support GH cache changes (Michaël Zasso) #57573
• [0b87027520] - tools: bump @babel/helpers from 7.26.9 to 7.26.10 in /tools/eslint (dependabot[bot]) #57444
• [7d561eb90c] - tools: add config subspace (Marco Ippolito) #57239
• [46efdbf59f] - tools: import rather than require ESLint plugins (Michaël Zasso) #57315
• [502bfaf876] - tools: switch back to official OpenSSL (Richard Lau) #57301
• [ea821f419d] - tools: revert to use @stylistic/eslint-plugin-js v3 (Joyee Cheung) #57314
• [bb857615d3] - tools: add more details about rolling inspector_protocol (Chengzhong Wu) #57167
• [3f29d39c1b] - tools: bump the eslint group in /tools/eslint with 5 updates (dependabot[bot]) #57261
• [b3caac83d4] - tools: remove deps/zlib/GN-scraper.py (Chengzhong Wu) #57238
• [ace99ffe79] - tools: run Linux tests on GitHub arm64 runners as well (Dennis Ameling) #57162
• [e65e6269b7] - tools: consolidate 'introduced_in' check for docs (1ilsang) #57109
• [890841e64b] - tools: do not run major-release workflow on forks (Rich Trott) #57064
• [e3f86c5a0c] - tools: fix release URL computation in update-root-certs.mjs (Joyee Cheung) #56843
• [280316f773] - tools: add support for import source syntax in linter (Antoine du Hamel) #56992
• [998b2ae3cd] - tools: bump eslint version (dependabot[bot]) #56869
• [ca4121b95a] - tools: remove test-asan/ubsan workflows (Michaël Zasso) #56823
• [866ac37255] - tools: run macOS test workflow with Xcode 16.1 (Michaël Zasso) #56831
• [55ca46ad8e] - tools: update sccache and sccache-action (Michaël Zasso) #56815
• [be9c1c93a8] - tools: fix license-builder for inspector_protocol (Michaël Zasso) #56814
• [6dab980fab] - typings: fix ImportModuleDynamicallyCallback return type (Chengzhong Wu) #57160
• [e301098854] - util: avoid run debug when enabled is false (fengmk2) #57494
• [17016d7722] - (SEMVER-MINOR) util: expose diff function used by the assertion errors (Giovanni Bucci) #57462
• [42b9e19f6b] - util: enforce shouldColorize in styleText array arg (Marco Ippolito) #56722
• [5ed6d8be40] - (SEMVER-MINOR) v8: add v8.getCppHeapStatistics() method (Aditi) #57146
• [c06d218b23] - win,build: add option to enable Control Flow Guard (Hüseyin Açacak) #56605
• [8202211140] - win,test: disable test case failing with ClangCL (Stefan Stojanovic) #57397
• [1a12b4c119] - zlib: use modern class syntax for zstd classes (Yagiz Nizipli) #56965
• [f9b3680268] - zlib: make all zstd functions experimental (Yagiz Nizipli) #56964
• [4991e5d826] - (SEMVER-MINOR) zlib: add zstd support (Jan Martin) #52100

• Bump @springio/antora-extensions from 1.14.2 to 1.14.4 in /docs #1916
• Bump @springio/asciidoctor-extensions from 1.0.0-alpha.16 to 1.0.0-alpha.17 in /docs #1943
• Bump com.fasterxml.jackson:jackson-bom from 2.18.2 to 2.18.3 #1922
• Bump io.spring.security.release from 1.0.3 to 1.0.4 #1966
• Bump io.spring.security.release from 1.0.4 to 1.0.5 #1988
• Bump org.springframework.security:spring-security-bom from 6.4.3 to 6.4.4 #1936
• Bump org.springframework.security:spring-security-bom from 6.4.4 to 6.4.5 #1989
• Bump org.springframework:spring-framework-bom from 6.2.3 to 6.2.4 #1933
• Bump org.springframework:spring-framework-bom from 6.2.4 to 6.2.5 #1939
• Bump org.springframework:spring-framework-bom from 6.2.5 to 6.2.6 #1980
• Bump spring-io/spring-doc-actions from 0.0.18 to 0.0.19 #1947

• Bump @springio/antora-extensions from 1.14.2 to 1.14.4 in /docs #1919
• Bump @springio/asciidoctor-extensions from 1.0.0-alpha.16 to 1.0.0-alpha.17 in /docs #1945
• Bump io.spring.security.release from 1.0.3 to 1.0.4 #1967
• Bump io.spring.security.release from 1.0.4 to 1.0.5 #1985
• Bump org.springframework.security:spring-security-bom from 6.3.7 to 6.3.8 #1934
• Bump org.springframework.security:spring-security-bom from 6.3.8 to 6.3.9 #1986
• Bump org.springframework:spring-framework-bom from 6.1.17 to 6.1.18 #1932
• Bump org.springframework:spring-framework-bom from 6.1.18 to 6.1.19 #1978

• Add authorization server metadata for DPoP support #1951
• Add authorization server metadata for OAuth 2.0 Pushed Authorization Requests (PAR) #1975
• Enforce one-time use for request_uri used in PAR #1974
• request_uri used in PAR must be bound to the client #1971
• Use OAuth2ParameterNames.REQUEST_URI #1991
• Validate expiry for request_uri used in PAR #1973
• Verify DPoP Proof public key during refresh_token grant for public clients #1949

• Bump @springio/asciidoctor-extensions from 1.0.0-alpha.16 to 1.0.0-alpha.17 in /docs #1944
• Bump io.spring.security.release from 1.0.3 to 1.0.4 #1968
• Bump io.spring.security.release from 1.0.4 to 1.0.5 #1987
• Bump org.springframework.security:spring-security-bom from 6.5.0-M3 to 6.5.0-RC1 #1990
• Bump org.springframework:spring-framework-bom from 6.2.4 to 6.2.5 #1940
• Bump org.springframework:spring-framework-bom from 6.2.5 to 6.2.6 #1979
• Bump spring-io/spring-doc-actions from 0.0.18 to 0.0.19 #1942

Download page What's new highlights

• Azure Monitor: Filter namespaces by resource group #103654, @alyssabull
• Azure: Add support for custom namespace and custom metrics variable queries #103650, @aangelisc
• Azure: Resource picker improvements #103638, @aangelisc
• Azure: Support more complex variable interpolation #103651, @aangelisc
• Azure: Variable editor and resource picker improvements #103657, @aangelisc
• Chore: Update CVE-affected dependencies #102709, @grambbledook
• DashboardScenePage: Correct slug in self referencing data links #103853, @Sergej-Vlasov
• Dependencies: Bump github.com/redis/go-redis/v9 to 9.6.3 to address CVE-2025-29923 #102865, @macabu
• Go: Bump to 1.24.2 #103525, @Proximyst
• Go: Bump to 1.24.2 (Enterprise)
• Prometheus: Add support for cloud partners Prometheus data sources #103942, @kevinwcyu

• InfluxDB: Fix nested variable interpolation #104095, @aangelisc
• LDAP test: Fix page crash #102683, @ashharrison90
• Security: Fix CVE-2025-3454
• Security: Fix CVE-2025-2703