2 hours ago
node

2026-07-08, Version 26.5.0 (Current), @richardlau

Notable Changes

New release key

Welcome to our newest releaser, Stewart X Addison. Future Node.js releases may be signed with his release key, 655F3B5C1FB3FA8D1A0CA6BDE4A7D232B936D2FD.

Other notable changes

  • [55f48446c7] - (SEMVER-MINOR) buffer: implement blob.textStream() (Matthew Aitken) #64036
  • [b373202efc] - (SEMVER-MINOR) esm: add --experimental-import-text flag (Efe) #62300
  • [39e0c14455] - (SEMVER-MINOR) perf_hooks: sample delay per event loop iteration (Pablo Erhard) #62935
  • [999a83c937] - (SEMVER-MINOR) stream: expose ReadableStreamTee (Matteo Collina) #64195
  • [4e0236dc3d] - (SEMVER-MINOR) tls: report negotiated TLS groups (Filip Skokan) #64119

Commits

  • [87648c0a6c] - benchmark: trim down the argon2 sets (Filip Skokan) #64218
  • [a483bfd3f0] - buffer: remove unreachable overflow check in atob (haramjeong) #60161
  • [6d14279688] - buffer: add fast api for isUtf8 and isAscii (Gürgün Dayıoğlu) #64169
  • [55f48446c7] - (SEMVER-MINOR) buffer: implement blob.textStream() (Matthew Aitken) #64036
  • [a67d9a7a44] - build: allow linting node.1 (Aviv Keller) #64157
  • [06c1fbc25b] - build: enable Maglev for riscv64 (Jamie Magee) #62605
  • [518309c363] - build: suppress clang errors building libffi on Windows (René) #64222
  • [6a80ab485c] - build: add manually-dispatched stress-test workflow (Joyee Cheung) #64118
  • [f4e7bf1f1c] - build: pin envinfo versions in github actions (Joyee Cheung) #64117
  • [66f6ac0d86] - build: support setting an emulator from configure script (Ivan Trubach) #53899
  • [7f26c54aa6] - child_process: fix permission model propagation via NODE_OPTIONS (Matteo Collina) #63972
  • [32bb554f5b] - crypto: fix large DH generator validation (Tobias Nießen) #64092
  • [0908d76ef6] - crypto: reject small-order EdDSA points during verify (Filip Skokan) #64026
  • [7f7e5863c2] - deps: update undici to 8.7.0 (Node.js GitHub Bot) #64282
  • [af91029801] - deps: update nghttp3 to 1.17.0 (Node.js GitHub Bot) #64182
  • [2e500ba7b0] - deps: update googletest to 8b53336594cc52213c6c2c7a0b29194fa896d039 (Node.js GitHub Bot) #64181
  • [74e3aa24ba] - deps: update sqlite to 3.53.3 (Node.js GitHub Bot) #64180
  • [c7e57f55a7] - deps: c-ares: cherry-pick 8ba37af8e3fb (René) #64110
  • [879fdc4daf] - deps: V8: backport da20a197a7f9 (Kevin Gibbons) #64101
  • [a640543a7c] - deps: V8: cherry-pick 0cc9eb22c0b0 (Kevin Gibbons) #64101
  • [feefd179e5] - deps: V8: cherry-pick 1a391f98cc7a (Kevin Gibbons) #64101
  • [8ef643d4b0] - deps: update googletest to 0b1e895ba4226c2fda5ee0178c9b5b1195a741aa (Node.js GitHub Bot) #64039
  • [9e50bb0655] - dgram: skip dns.lookup() for literal IP addresses (Ruben Bridgewater) #64133
  • [dc052c095c] - diagnostics_channel: return original thenable (Stephen Belanger) #62407
  • [a22a840293] - doc: clarify QUIC stream state wording (EduardF1) #63660
  • [8d4bec2d71] - doc: update Http2SecureServer.on("timeout") default value (YuSheng Chen) #64187
  • [da88f70afa] - doc: add note on visibility of CI failures to new contributor guide (Stewart X Addison) #64256
  • [20ce359ccb] - doc: clarify HTTP/1.1 response ordering (Matteo Collina) #64213
  • [05eae2835c] - doc: recommend node-stress-single-test for flaky tests (Trivikram Kamat) #64223
  • [3966eb67e7] - doc: fix typo in examples (Vas Sudanagunta) #64184
  • [12a2b9daa3] - doc: fix typo in node-config-schema.json (Hamid Reza Ghavami) #64188
  • [0854482671] - doc: clarify defense-in-depth issues (Matteo Collina) #64215
  • [ef4915fc3a] - doc: fix Fast FFI argument count in ffi.md (Daijiro Wachi) #63960
  • [bb2eed863c] - doc: add sxa GPG key (ed25519) (Stewart X Addison) #64193
  • [b7bf6e3a06] - doc: add guide and answers to FAQs for first-time contributors (Joyee Cheung) #63685
  • [ff537ba858] - doc: update Http2Server.close & Http2SecureServer.close (YuSheng Chen) #63298
  • [f3db304588] - doc: update list of people in SECURITY.md (Richard Lau) #64152
  • [2a126647b0] - doc: clarify vfs is not a sandbox (Matteo Collina) #64143
  • [85fc79dd9b] - doc: fix broken links and duplicate stability label (Antoine du Hamel) #64130
  • [189e830eb3] - doc: add missing option to man page (Richard Lau) #64156
  • [7a16ccccd0] - doc: announce upcoming end of tier 2 support for macOS x64 (Antoine du Hamel) #63931
  • [d5f826045f] - doc: update toolchain for official AIX releases (Richard Lau) #64068
  • [60abc4400f] - doc: fix callback example import in fs docs (Kamal Rawal) #63912
  • [e470c74a6c] - doc: fix keepAliveTimeout default in http.createServer options (Jahanzaib iqbal) #63974
  • [851b460583] - esm: improve ERR_REQUIRE_ASYNC_MODULE (Joyee Cheung) #64260
  • [0cd443df39] - esm: print required top-level await locations without evaluating (Joyee Cheung) #64154
  • [b373202efc] - (SEMVER-MINOR) esm: add --experimental-import-text flag (Efe) #62300
  • [eacfbd0ca5] - http: add CONNECT method handling for default Host header with proxy (Archkon) #64114
  • [aeb539a383] - http: fix drain event with cork/uncork (David Evans) #64038
  • [8e8874b216] - http: document and validate options.path when it's in absolute-form (Joyee Cheung) #64108
  • [eb2e96bc28] - inspector: fix crash when writing to closed inspector socket (ympark2011) #64209
  • [243b0e4e57] - lib: reject string "0" in validatePort when allowZero is false (Daijiro Wachi) #64174
  • [34a537c0ed] - lib: use __proto__: null when calling ObjectDefineProperty (Antoine du Hamel) #64239
  • [1f72393f19] - lib: lazily initialize kEvents and kHandlers maps (Guilherme Araújo) #63702
  • [92a3dc3191] - lib,permission: fix addon permission drop (Martin Wagner) #64007
  • [87b8f2a296] - meta: fix linter warning in stale.yml (Antoine du Hamel) #64281
  • [829c4a5913] - meta: bump actions/cache from 5.0.5 to 6.1.0 (dependabot[bot]) #64248
  • [0808dcd31c] - meta: bump github/codeql-action/autobuild from 4.36.1 to 4.36.2 (dependabot[bot]) #64247
  • [64aa17058f] - meta: bump github/codeql-action/analyze from 4.36.1 to 4.36.2 (dependabot[bot]) #64246
  • [873d1e0412] - meta: bump actions/checkout from 6.0.2 to 7.0.0 (dependabot[bot]) #64245
  • [fe460ccf0b] - meta: bump codecov/codecov-action from 6.0.1 to 7.0.0 (dependabot[bot]) #64244
  • [845c63ed50] - meta: bump rtCamp/action-slack-notify from 2.3.3 to 2.4.0 (dependabot[bot]) #64243
  • [2cad2d6de5] - meta: bump github/codeql-action/init from 4.36.1 to 4.36.2 (dependabot[bot]) #64242
  • [0ddde950c7] - meta: bump actions/setup-python from 6.2.0 to 6.3.0 (dependabot[bot]) #64241
  • [c0a8760d2f] - meta: bump github/codeql-action/upload-sarif from 4.36.1 to 4.36.2 (dependabot[bot]) #64240
  • [f49704b9d0] - meta: clarify V8 flags are outside threat model (Matteo Collina) #64224
  • [6b8dc58e6e] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #64057
  • [fe5260cca7] - meta: update status of past strategic initiatives (Joyee Cheung) #63480
  • [7b01040008] - meta: speed up stale bot (Aviv Keller) #64075
  • [874c46c24f] - meta: update sccache version in test-linux-quic (René) #64043
  • [48c5c86363] - module: enable import support for addons by default (Chengzhong Wu) #64221
  • [39e0c14455] - (SEMVER-MINOR) perf_hooks: sample delay per event loop iteration (Pablo Erhard) #62935
  • [f90f1bd032] - perf_hooks: add NODE_PERFORMANCE_GC_MINOR_MARK_SWEEP constant (Attila Szegedi) #63877
  • [bdf32628c7] - process: fix finalization cleanup ref tracking (Trivikram Kamat) #64087
  • [9a65b7fff4] - quic: drop version negotiation packets with oversized CIDs (Mohamed Sayed) #64228
  • [2699fe4706] - quic: fixes undefined handle in QuicStream kInspect (Marten Richter) #64170
  • [00dea28bb3] - repl: lazy-load acorn and defer vm context creation (Daijiro Wachi) #63879
  • [ce659a1cf9] - src: fix escaping of single quotes in task runner (Antoine du Hamel) #64089
  • [dbb3126e5c] - src: abstract tracing agent for both legacy and perfetto (Chengzhong Wu) #64053
  • [12edf1d68d] - src: avoid redundant call to std::get_if<>() (Tobias Nießen) #64094
  • [eda91b6d01] - src: avoid copying source string in TextEncoder.encode (Yagiz Nizipli) #63897
  • [efbbb9a03c] - stream: preserve half-open duplexes in async iteration (Efe) #64275
  • [999a83c937] - (SEMVER-MINOR) stream: expose ReadableStreamTee (Matteo Collina) #64195
  • [ab5ed72903] - stream: reject iter consumers on abort (Trivikram Kamat) #64066
  • [d3fa77c5e2] - stream: fix merge abort for pending sources (Trivikram Kamat) #64013
  • [38b99140ed] - stream: refactor unnecessary optional chaining away (Antoine du Hamel) #64253
  • [c81f894ebe] - stream: cut per-chunk overhead in WHATWG streams (Matteo Collina) #64252
  • [f162234f24] - stream: normalize Broadcast.from() byte inputs (Trivikram Kamat) #64082
  • [1182ad8f3b] - stream: proxy first own method in Readable.wrap() (Daijiro Wachi) #64048
  • [d0b830b382] - stream: observe abort while awaiting pipeTo source (Trivikram Kamat) #64015
  • [f7adcd8359] - stream: respect iter consumer abort signals (Trivikram Kamat) #63997
  • [b09e624c6f] - test: make blob desiredSize assertion robust (Trivikram Kamat) #64106
  • [d0d8f0c774] - test: update WPT for urlpattern to 11a459a2b1 (Node.js GitHub Bot) #64037
  • [ff9122c20c] - test: improve lcov reporter snapshot diagnostics (Trivikram Kamat) #64049
  • [570952d4f3] - test: keep finalization close fixture ref alive (Trivikram Kamat) #64085
  • [1b4f213380] - test: fix typo from overriden to overridden (parkhojeong) #63403
  • [4c91090b8b] - test: fix typo from funciton to function (parkhojeong) #63403
  • [bf080c7917] - test: mark hr-time WPT flaky on macos15-x64 (Trivikram Kamat) #64054
  • [24e32098c5] - test: use one-off agent in http consumed timeout test (Trivikram Kamat) #64052
  • [3229886de2] - test: fix flaky test-runner coverage threshold test (Trivikram Kamat) #64051
  • [83b91ea6ec] - test_runner: filter execArgv fallback for child tests (Trivikram Kamat) #64056
  • [269b609a3d] - test_runner: improve coverage failure diagnostics (Trivikram Kamat) #64050
  • [0342744c34] - test_runner: add timestamp to JUnit reporter testsuites (sangwook) #64029
  • [086741d121] - timers: reuse Timeout objects in setStreamTimeout (Matteo Collina) #64254
  • [4e0236dc3d] - (SEMVER-MINOR) tls: report negotiated TLS groups (Filip Skokan) #64119
  • [3bdd7e20be] - tls: handle large RSA exponents in X.509 cert (Tobias Nießen) #64093
  • [c96c838977] - tools: update RUSTC_VERSION for remaining GHA workflows (René) #64325
  • [ee873b7aaf] - tools: bump temporal_rs version (Antoine du Hamel) #63281
  • [ea3b870155] - tools: remove envinfo from our workflows (Antoine du Hamel) #64259
  • [d940f02e8b] - tools: bump the eslint group in /tools/eslint with 8 updates (dependabot[bot]) #64249
  • [fe0ea2bb5d] - tools: bump @node-core/doc-kit (dependabot[bot]) #64010
  • [4dceefde1e] - tools: bump undici from 6.24.1 to 6.27.0 in /tools/doc (dependabot[bot]) #64031
  • [6e187db7d7] - tools: update c-ares updater script (Antoine du Hamel) #64194
  • [657a35f5a2] - tools: validate version number in release proposal commit message lint (Antoine du Hamel) #64070
  • [17228a861c] - tools: add GHA benchmark runner (Antoine du Hamel) #60293
  • [6d11a71d91] - tools: update build-shared/action.yml to a reusable workflow (Antoine du Hamel) #64059
  • [7a17c50b7f] - tools: update libffi updater script (Antoine du Hamel) #64046
  • [28047a3e71] - tools: exclude libffi changes from test-shared GHA CI (Antoine du Hamel) #64047
  • [58d9685acc] - typings: add typing for crypto (Filip Skokan) #64122
  • [7a9dcad44d] - util: fix OOM in inspect color stack formatting (Ijtihed Kilani) #64022
  • [d5f01bbbde] - vfs: reject rename into descendant directory (Trivikram Kamat) #64285
  • [0b6af91081] - vfs: handle current-position sentinel in memory files (Trivikram Kamat) #64163
  • [322230d641] - vfs: support writeFileSync with virtual fds (Trivikram Kamat) #64165
  • [9395d209c7] - vfs: avoid recursive readdir symlink cycles (Matteo Collina) #64168
  • [bbdd7643b6] - vfs: read RealFSProvider files from open fd (Trivikram Kamat) #64104
  • [92859b8097] - vm: fix copying PropertyDescriptor (Chengzhong Wu) #64073
  • [9046035475] - zlib: validate flush king for all streams (Ic3b3rg) #63746
  • [98be4304a3] - zlib: validate flush kind for brotli streams (Ic3b3rg) #63746
  • [90007a59a9] - zlib: expose rejectGarbageAfterEnd option (Filip Skokan) #64023
  • [5933516066] - zlib: reject trailing gzip members in web streams (Filip Skokan) #64023
12 hours ago
incubator-shenyu

v2.7.1

What's Changed

New Contributors

Full Changelog: https://github.com/apache/shenyu/compare/v2.7.0.3...v2.7.1

12 hours ago
shenyu

v2.7.1

What's Changed

New Contributors

Full Changelog: https://github.com/apache/shenyu/compare/v2.7.0.3...v2.7.1

13 hours ago
zuul

v4.0.0

Zuul 4.0.0 replaces the RxJava Observable based async filter execution with CompletableFuture. RxJava 1.x is long past end-of-life, and moving to CompletableFuture lets the filter runner drop its custom RxJava Scheduler and Observer for plain JDK primitives.

Breaking changes

  • ZuulFilter.applyAsync now returns CompletableFuture<O> instead of Observable<O>. The Observable-based method is renamed to applyAsyncObservable and deprecated. Both have default bridge implementations on the interface, so a filter can override either one (#2075)
  • The debugRouting / debugRequest infrastructure is removed (#2078)
  • Connection draining is now event-based rather than channel-attribute based (#2161). Zuul-core fires a ConnectionCloseEvent down the pipeline instead of setting a channel attribute that every write has to check, so a graceful shutdown starts immediately on the event instead of waiting for the next response (an idle HTTP/1.1 connection can be closed right away), and OOS closes get random jitter to spread them out. The close handlers were reworked and CLOSE_AFTER_RESPONSE was removed - see Connection draining below
  • SessionContext no longer extends HashMap<String, Object>; it now wraps one via composition (#2171) and is @NullMarked (#2174). The common Map methods are re-exposed directly, but code that relied on it being a Map needs updating, and nullmarking turns the accessors @Nullable which can surface new NullAway warnings in consumers. The getRouteHost / setRouteHost / removeRouteHost accessors are removed - use the generic get/set with your own Key<T>.

Migrating a filter

A filter overriding applyAsync to return an Observable will not compile against 4.0.0. The minimal fix is a one-line rename:

Before:

@Override
public Observable<HttpResponseMessage> applyAsync(HttpRequestMessage request) {
    return service.call(request).map(this::toResponse);
}

After:

@Override
public Observable<HttpResponseMessage> applyAsyncObservable(HttpRequestMessage request) {
    return service.call(request).map(this::toResponse);
}

The default applyAsync bridges applyAsyncObservable back to a CompletableFuture, so the rest of the filter keeps working unchanged. The filter should be rewritten to return a CompletableFuture directly and delete applyAsyncObservable. applyAsyncObservable will be removed entirely in a later 4.x release.

Connection draining

Consumers that build their own channel pipelines need small updates:

  • The close and expiry handlers moved to the com.netflix.netty.common.close package
  • HTTP/2 connection close now lives on the connection pipeline, not the stream - drop any stream-level close-handler wiring
  • CLOSE_AFTER_RESPONSE / the allow_then_close rejection type is gone; throttled connections just close

Additional Changes

Also in this release: lazy hashCode caching (#2085), Objects.requireNonNull / @NonNull over preconditions (#2090), removal of unused classes (#2153), and a switch to typed SessionContext.Key<T> keys instead of stringly-typed context keys, both in the filter runner (#2167) and across SessionContext's own internal state (#2174).

Full Changelog: https://github.com/Netflix/zuul/compare/v3.6.21...v4.0.0

15 hours ago
zuul

v3.6.21

What's Changed

Full Changelog: https://github.com/Netflix/zuul/compare/v3.6.20...v3.6.21

2 days ago
seaweedfs

4.38

What's Changed

Erasure Coding & Scrub

The largest theme — Rust volume-server scrub parity plus EC correctness.

EC scrub

  • #10130 Fix scrubbing of deleted needles on EC volumes
  • #10144 EC LOCAL needle walk (split from FULL)
  • #10147 suppress deleted-needle size mismatch in EC LOCAL scrub
  • #10149 EC FULL scrub — distributed local+remote needle walk
  • #10152 correct EC FULL scrub for deleted needles, shard-location cache, parity coverage
  • #10154 EC bitrot CHECKSUM scrub on the Rust volume server
  • #10172 reject oversized bitrot payload before narrowing to u32
  • #10176 expose force_deleted_needles_check in ScrubEcVolume RPC and shell

Volume scrub (Rust parity)

  • #10141 correct backwards FULL/LOCAL mode comments in Rust
  • #10142 align Rust INDEX scrub to Go's idx.CheckIndexFile
  • #10143 walk the on-disk .idx in Volume::scrub
  • #10148 don't flag offset-0 logical tombstones

EC storage / read paths

  • #10140 honor wide EC ratios in Rust read_ec_shard_config
  • #10145 search sibling disk locations when rebuilding missing EC shards + .ecx
  • #10187 read chunk-manifest chunks stored on EC volumes (Rust)
  • #10217 detect truncated .ecx instead of treating it as clean EOF

Rust volume server (non-scrub)

  • #10128 parse master lookup when publicUrl is omitted
  • #10139 test coverage for type=replicate fan-out writes
  • #10189 compare live compaction_revision instead of stale last_compact_revision
  • #10233 pin rustls to aws-lc-rs so TLS gRPC startup doesn't panic

Topology, balancing & placement

  • #10161 keep physical disk 0 distinct in SplitByPhysicalDisk
  • #10166 report empty disks (per-disk type + capacity in heartbeat)
  • #10162 volume.balance: gate on real physical disk usage
  • #10167 skip physically near-full disks when placing EC shards
  • #10169 share replica-placement logic between shell and worker
  • #10171 worker: project the moved volume when gating on disk fullness
  • #10174 extract the bytes-aware density metric to a shared package

Master

  • #10202 let the growth initiator wait instead of shedding itself
  • #10226 repair the lookup index after a vacuum that raced a disconnect

Volume server (Go)

  • #10185 drop stale volume-location cache on under-replication
  • #10229 bound intra-cluster HTTP so an unresponsive peer can't hang reads/writes

S3 API

  • #10156 invalidate stale reader-cache locations on chunk read failure
  • #10186 return IncompleteBody instead of 500 for truncated PUT bodies
  • #10192 embedded IAM inline policy honors prefix-scoped resources
  • #10207 surface transient store errors during multipart resume/copy
  • #10213 lazy, bounded, entry-free per-bucket caches
  • #10214 paginate ListBuckets and serve from a bucket owner index
  • #10224 enforce bucket quota on logical size + read-only state in Admin UI
  • #10225 answer directory-path probes like AWS (Flink savepoint restore)
  • #10236 FULL_OBJECT checksumming for CRC

Filer

  • #10158 use DROP TABLE IF EXISTS in SQL stores
  • #10190 avoid ReaderCache WaitGroup reuse race between reads and destroy
  • #10196 applyStorageDefaultsToEntry before CreateEntry
  • #10203 stream offloaded metadata-log entries to fix concurrent-write OOM
  • #10232 default filemeta CREATE TABLE for postgres2/mysql2 when unset
  • #10234 default cassandra2 timeout and ydb prefix for env-var configs

Admin UI

  • #10150 remove non-functional EC repair button
  • #10155 restore cluster volume page CSV export
  • #10170 respect filerGroup for cluster discovery
  • #10175 fix 'send on closed channel' panic in worker gRPC server
  • #10227 browse Iceberg table data

Shell commands

  • #10126 avoid duplicate volume.list parent headers
  • #10129 collection pattern to delete empty volumes
  • #10159 honor explicit fs.mergeVolumes from/to direction
  • #10204 add ec.shard.unmount command
  • #10219 pass collection in ec.shard.unmount --delete request

Remote storage & sync

  • #10151 remote/gcs: tolerate already-deleted object in DeleteFile
  • #10184 remote.meta.sync: sync directories and remove remote-deleted files
  • #10228 add -delete option to remote.copy.local
  • #10177 filer.sync.verify: reclassify chunk-slice-order ETag diffs as CHUNK_REORDER

Kubernetes / Helm

  • #10198 add certificates.dnsNames for custom SANs in cert-manager certs
  • #10205 filer HTTP + gRPC ingress for the Helm chart
  • #10223 Traefik IngressRouteTCP for gRPC with TLS passthrough

KMS

  • #10173 cache decrypted data keys so cache_enabled/cache_ttl take effect

Core / networking / util

  • #10164 centralize genUploadUrl in UploadOption
  • #10212 don't let the activity timeout clobber externally-set conn deadlines

Tests & CI

  • #10208 fuse-tests: don't declare mount ready before it is mounted
  • #10215 fuse-tests: pass glog flags before the mount subcommand
  • #10209 keep mini-allocated ports below the ephemeral floor

New Contributors

Full Changelog: https://github.com/seaweedfs/seaweedfs/compare/4.37...4.38

2 days ago
orientdb

3.2.54

Small patch release with fixes in query engine and hardening in the binary protocol

Changes

Core

  • fix: correctly handled null position when execute order by using indexes, issue #10807

Remote

  • Hardening of binary protocol, directly close connection in case of first request miss authentication

Artifacts

orientdb-community-3.2.54.tar.gz orientdb-community-3.2.54.zip

orientdb-tp3-3.2.54.tar.gz orientdb-tp3-3.2.54.zip

agent-3.2.54.jar