chore(deps): update node.js to v22

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	Age	Adoption	Passing	Confidence
node	final	major	20-bookworm -> 22-bookworm
@types/node (source)	devDependencies	major	20.16.6 -> 22.10.10

---

Release Notes

nodejs/node (node)

v22.13.1: 2025-01-21, Version 22.13.1 'Jod' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

• CVE-2025-23083 - src,loader,permission: throw on InternalWorker use when permission model is enabled (High)
• CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
• CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)

Dependency update:

• CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

Commits

• [520da342e0] - (CVE-2025-22150) deps: update undici to v6.21.1 (Matteo Collina) nodejs-private/node-private#662
• [99f217369f] - (CVE-2025-23084) path: fix path traversal in normalize() on Windows (Tobias Nießen) nodejs-private/node-private#555
• [984f735e35] - (CVE-2025-23085) src: fix HTTP2 mem leak on premature close and ERR_PROTO (RafaelGSS) nodejs-private/node-private#650
• [2446870618] - (CVE-2025-23083) src,loader,permission: throw on InternalWorker use (RafaelGSS) nodejs-private/node-private#651

v22.13.0: 2025-01-07, Version 22.13.0 'Jod' (LTS), @​ruyadorno

Compare Source

Notable Changes

Stabilize Permission Model

Upgrades the Permission Model status from Active Development to Stable.

Contributed by Rafael Gonzaga #​56201

Graduate WebCryptoAPI Ed25519 and X25519 algorithms as stable

Following the merge of Curve25519 into the Web Cryptography API Editor's Draft the Ed25519 and X25519 algorithm identifiers are now stable and will no longer emit an ExperimentalWarning upon use.

Contributed by (Filip Skokan) #​56142

Other Notable Changes

• [05d6227a88] - (SEMVER-MINOR) assert: add partialDeepStrictEqual (Giovanni Bucci) #​54630
• [a933103499] - (SEMVER-MINOR) cli: implement --trace-env and --trace-env-[js|native]-stack (Joyee Cheung) #​55604
• [ba9d5397de] - (SEMVER-MINOR) dgram: support blocklist in udp (theanarkh) #​56087
• [f6d0c01303] - doc: stabilize util.styleText (Rafael Gonzaga) #​56265
• [34c68827af] - doc: move typescript support to active development (Marco Ippolito) #​55536
• [dd14b80350] - doc: add LJHarb to collaborators (Jordan Harband) #​56132
• [5263086169] - (SEMVER-MINOR) doc: add report version and history section (Chengzhong Wu) #​56130
• [8cb3c2018d] - (SEMVER-MINOR) doc: sort --report-exclude alphabetically (Rafael Gonzaga) #​55788
• [55239a48b6] - (SEMVER-MINOR) doc,lib,src,test: unflag sqlite module (Colin Ihrig) #​55890
• [7cbe3de1d8] - (SEMVER-MINOR) module: only emit require(esm) warning under --trace-require-module (Joyee Cheung) #​56194
• [6575b76042] - (SEMVER-MINOR) module: add module.stripTypeScriptTypes (Marco Ippolito) #​55282
• [bacfe6d5c9] - (SEMVER-MINOR) net: support blocklist in net.connect (theanarkh) #​56075
• [b47888d390] - (SEMVER-MINOR) net: support blocklist for net.Server (theanarkh) #​56079
• [566f0a1d25] - (SEMVER-MINOR) net: add SocketAddress.parse (James M Snell) #​56076
• [ed7eab1421] - (SEMVER-MINOR) net: add net.BlockList.isBlockList(value) (James M Snell) #​56078
• [ea4891856d] - (SEMVER-MINOR) process: deprecate features.{ipv6,uv} and features.tls_* (René) #​55545
• [01eb308f26] - (SEMVER-MINOR) report: fix typos in report keys and bump the version (Yuan-Ming Hsu) #​56068
• [97c38352d0] - (SEMVER-MINOR) sqlite: aggregate constants in a single property (Edigleysson Silva (Edy)) #​56213
• [b4041e554a] - (SEMVER-MINOR) sqlite: add StatementSync.prototype.iterate method (tpoisseau) #​54213
• [2e3ca1bbdd] - (SEMVER-MINOR) src: add cli option to preserve env vars on diagnostic reports (Rafael Gonzaga) #​55697
• [bcfe9c80fc] - (SEMVER-MINOR) util: add sourcemap support to getCallSites (Marco Ippolito) #​55589

Commits

• [e9024779c0] - assert: make Maps be partially compared in partialDeepStrictEqual (Giovanni Bucci) #​56195
• [4c13d8e587] - assert: make partialDeepStrictEqual work with ArrayBuffers (Giovanni Bucci) #​56098
• [a4fa31a86e] - assert: optimize partial comparison of two Sets (Antoine du Hamel) #​55970
• [05d6227a88] - (SEMVER-MINOR) assert: add partialDeepStrictEqual (Giovanni Bucci) #​54630
• [5e1321abd7] - buffer: document concat zero-fill (Duncan) #​55562
• [be5ba7c648] - build: set DESTCPU correctly for 'make binary' on loongarch64 (吴小白) #​56271
• [38cf37ee2d] - build: fix missing fp16 dependency in d8 builds (Joyee Cheung) #​56266
• [dbb7557455] - build: add major release action (Rafael Gonzaga) #​56199
• [27cc90f3be] - build: fix C string encoding for PRODUCT_DIR_ABS (Anna Henningsen) #​56111
• [376561c2b4] - build: use variable for simdutf path (Shelley Vohr) #​56196
• [126ae15000] - build: allow overriding clang usage (Shelley Vohr) #​56016
• [97bb8f7c76] - build: remove defaults for create-release-proposal (Rafael Gonzaga) #​56042
• [a8fb1a06f3] - build: set node_arch to target_cpu in GN (Shelley Vohr) #​55967
• [9f48ca27f1] - build: use variable for crypto dep path (Shelley Vohr) #​55928
• [e47ccd2287] - build: fix GN build for sqlite (Cheng) #​55912
• [8d70b99a5a] - build: compile bundled simdutf conditionally (Jakub Jirutka) #​55886
• [826fd35242] - build: compile bundled simdjson conditionally (Jakub Jirutka) #​55886
• [1015b22085] - build: compile bundled ada conditionally (Jakub Jirutka) #​55886
• [77e2869ca6] - build: use glob for dependencies of out/Makefile (Richard Lau) #​55789
• [a933103499] - (SEMVER-MINOR) cli: implement --trace-env and --trace-env-[js|native]-stack (Joyee Cheung) #​55604
• [72e8e0684e] - crypto: graduate WebCryptoAPI Ed25519 and X25519 algorithms as stable (Filip Skokan) #​56142
• [fe2b344ddb] - crypto: ensure CryptoKey usages and algorithm are cached objects (Filip Skokan) #​56108
• [9ee9f524a7] - crypto: allow non-multiple of 8 in SubtleCrypto.deriveBits (Filip Skokan) #​55296
• [76f242d993] - deps: update nghttp3 to 1.6.0 (Node.js GitHub Bot) #​56258
• [c7ff2ea6b5] - deps: update simdutf to 5.6.4 (Node.js GitHub Bot) #​56255
• [04230be1ef] - deps: update libuv to 1.49.2 (Luigi Pinca) #​56224
• [88589b85b7] - deps: update c-ares to v1.34.4 (Node.js GitHub Bot) #​56256
• [5c2e0618f3] - deps: define V8_PRESERVE_MOST as no-op on Windows (Stefan Stojanovic) #​56238
• [9f8f3c9658] - deps: update sqlite to 3.47.2 (Node.js GitHub Bot) #​56178
• [17b6931d3b] - deps: update ngtcp2 to 1.9.1 (Node.js GitHub Bot) #​56095
• [22b453b619] - deps: upgrade npm to 10.9.2 (npm team) #​56135
• [d7eb41b382] - deps: update sqlite to 3.47.1 (Node.js GitHub Bot) #​56094
• [669c722aa9] - deps: update zlib to 1.3.0.1-motley-82a5fec (Node.js GitHub Bot) #​55980
• [f61a0454d2] - deps: update corepack to 0.30.0 (Node.js GitHub Bot) #​55977
• [d98bf0b891] - deps: update ngtcp2 to 1.9.0 (Node.js GitHub Bot) #​55975
• [fc362624bf] - deps: update simdutf to 5.6.3 (Node.js GitHub Bot) #​55973
• [f61dcc4df4] - deps: upgrade npm to 10.9.1 (npm team) #​55951
• [bfe7982491] - deps: update zlib to 1.3.0.1-motley-7e2e4d7 (Node.js GitHub Bot) #​54432
• [d714367ef8] - deps: update simdjson to 3.10.1 (Node.js GitHub Bot) #​54678
• [ccc9b105ec] - deps: update simdutf to 5.6.2 (Node.js GitHub Bot) #​55889
• [ba9d5397de] - (SEMVER-MINOR) dgram: support blocklist in udp (theanarkh) #​56087
• [7ddbf94849] - dgram: check udp buffer size to avoid fd leak (theanarkh) #​56084
• [360d68de0f] - doc: fix color contrast issue in light mode (Rich Trott) #​56272
• [f6d0c01303] - doc: stabilize util.styleText (Rafael Gonzaga) #​56265
• [9436c3c949] - doc: clarify util.aborted resource usage (Kunal Kumar) #​55780
• [b1cec2cef9] - doc: add esm examples to node:repl (Alfredo González) #​55432
• [d6a84cf781] - doc: add esm examples to node:readline (Alfredo González) #​55335
• [a11ac1c0f2] - doc: fix 'which' to 'that' and add commas (Selveter Senitro) #​56216
• [5331df7911] - doc: fix winget config path (Alex Yang) #​56233
• [7a8071b43c] - doc: add esm examples to node:tls (Alfredo González) #​56229
• [7d8c1e72d5] - doc: add esm examples to node:perf_hooks (Alfredo González) #​55257
• [ea53c4b1ae] - doc: sea.getRawAsset(key) always returns an ArrayBuffer (沈鸿飞) #​56206
• [7a94100a3e] - doc: update announce documentation for releases (Rafael Gonzaga) #​56200
• [44c4e57e32] - doc: update blog link to /vulnerability (Rafael Gonzaga) #​56198
• [5e5b4b0cbd] - doc: call out import.meta is only supported in ES modules (Anton Kastritskii) #​56186
• [a83de32d35] - doc: add ambassador message - benefits of Node.js (Michael Dawson) #​56085
• [bb880dd21a] - doc: fix incorrect link to style guide (Yuan-Ming Hsu) #​56181
• [39ce902e58] - doc: fix c++ addon hello world sample (Edigleysson Silva (Edy)) #​56172
• [19c72c4acc] - doc: update blog release-post link (Ruy Adorno) #​56123
• [b667cc4669] - doc: fix module.md headings (Chengzhong Wu) #​56131
• [34c68827af] - doc: move typescript support to active development (Marco Ippolito) #​55536
• [c4a97d810b] - doc: mention -a flag for the release script (Ruy Adorno) #​56124
• [dd14b80350] - doc: add LJHarb to collaborators (Jordan Harband) #​56132
• [2feb0781ed] - doc: add create-release-action to process (Rafael Gonzaga) #​55993
• [71f6263942] - doc: rename file to advocacy-ambassador-program.md (Tobias Nießen) #​56046
• [8efa240500] - doc: remove unused import from sample code (Blended Bram) #​55570
• [e64cef8bf4] - doc: add FAQ to releases section (Rafael Gonzaga) #​55992
• [4bb0f30f92] - doc: move history entry to class description (Luigi Pinca) #​55991
• [6d02bd6873] - doc: add history entry for textEncoder.encodeInto() (Luigi Pinca) #​55990
• [e239382ed8] - doc: improve GN build documentation a bit (Shelley Vohr) #​55968
• [78b6aef6bc] - doc: fix deprecation codes (Filip Skokan) #​56018
• [474bf80a44] - doc: remove confusing and outdated sentence (Luigi Pinca) #​55988
• [57381076c5] - doc: deprecate passing invalid types in fs.existsSync (Carlos Espa) #​55892
• [e529cf6b26] - doc: add doc for PerformanceObserver.takeRecords() (skyclouds2001) #​55786
• [a6ef0f6f6e] - doc: add vetted courses to the ambassador benefits (Matteo Collina) #​55934
• [63526049f2] - doc: order node:crypto APIs alphabetically (Julian Gassner) #​55831
• [36080b7b61] - doc: doc how to add message for promotion (Michael Dawson) #​55843
• [12b2ad4287] - doc: add esm example for zlib (Leonardo Peixoto) #​55946
• [352daac296] - doc: fix typo (Alex Yang) #​56125
• [6e7e9a126d] - doc: document approach for building wasm in deps (Michael Dawson) #​55940
• [0b3ac05422] - doc: remove RedYetiDev from triagers team (Aviv Keller) #​55947
• [20be5e2f80] - doc: add esm examples to node:timers (Alfredo González) #​55857
• [3ba9b57436] - doc: fix relative path mention in --allow-fs (Rafael Gonzaga) #​55791
• [3e6b3a9a8b] - doc: include git node release --promote to steps (Rafael Gonzaga) #​55835
• [5bdfde8dc6] - doc: add history entry for import assertion removal (Antoine du Hamel) #​55883
• [c842146c05] - doc: add a note on console stream behavior (Gireesh Punathil) #​55616
• [5263086169] - (SEMVER-MINOR) doc: add report version and history section (Chengzhong Wu) #​56130
• [8cb3c2018d] - (SEMVER-MINOR) doc: sort --report-exclude alphabetically (Rafael Gonzaga) #​55788
• [55239a48b6] - (SEMVER-MINOR) doc,lib,src,test: unflag sqlite module (Colin Ihrig) #​55890
• [04d7c7a349] - fs: make mutating options in Callback readdir() not affect results (LiviaMedeiros) #​56057
• [92bcd528e7] - fs: make mutating options in Promises readdir() not affect results (LiviaMedeiros) #​56057
• [3a55bd9448] - fs: lazily load ReadFileContext (Gürgün Dayıoğlu) #​55998
• [0331b3fdd3] - fs,win: fix readdir for named pipe (Hüseyin Açacak) #​56110
• [79152b54e9] - http: add setDefaultHeaders option to http.request (Tim Perry) #​56112
• [19782855a8] - http: don't emit error after destroy (Robert Nagy) #​55457
• [8494512c17] - http2: remove duplicate codeblock (Vitaly Aminev) #​55915
• [d2f82223d1] - http2: support ALPNCallback option (ZYSzys) #​56187
• [2616f1247a] - http2: fix memory leak caused by premature listener removing (ywave620) #​55966
• [598fe048f2] - lib: remove redundant global regexps (Gürgün Dayıoğlu) #​56182
• [a3c8739530] - lib: clean up persisted signals when they are settled (Edigleysson Silva (Edy)) #​56001
• [11144ab158] - lib: handle Float16Array in node:v8 serdes (Bartek Iwańczuk) #​55996
• [81c94a32e4] - lib: disable default memory leak warning for AbortSignal (Lenz Weber-Tronic) #​55816
• [68dda61420] - lib: add validation for options in compileFunction (Taejin Kim) #​56023
• [d2007aec28] - lib: fix fs.readdir recursive async (Rafael Gonzaga) #​56041
• [0571d5556f] - lib: avoid excluding symlinks in recursive fs.readdir with filetypes (Juan José) #​55714
• [843943d0ce] - meta: bump github/codeql-action from 3.27.0 to 3.27.5 (dependabot[bot]) #​56103
• [1529027f03] - meta: bump actions/checkout from 4.1.7 to 4.2.2 (dependabot[bot]) #​56102
• [8e265de9f5] - meta: bump step-security/harden-runner from 2.10.1 to 2.10.2 (dependabot[bot]) #​56101
• [0fba3a3b9b] - meta: bump actions/setup-node from 4.0.3 to 4.1.0 (dependabot[bot]) #​56100
• [2e3fdfdb19] - meta: add releasers as CODEOWNERS to proposal action (Rafael Gonzaga) #​56043
• [7cbe3de1d8] - (SEMVER-MINOR) module: only emit require(esm) warning under --trace-require-module (Joyee Cheung) #​56194
• [8a5429c9b3] - module: prevent main thread exiting before esm worker ends (Shima Ryuhei) #​56183
• [6575b76042] - (SEMVER-MINOR) module: add module.stripTypeScriptTypes (Marco Ippolito) #​55282
• [0794861bc3] - module: simplify ts under node_modules check (Marco Ippolito) #​55440
• [28a11adf14] - module: mark evaluation rejection in require(esm) as handled (Joyee Cheung) #​56122
• [bacfe6d5c9] - (SEMVER-MINOR) net: support blocklist in net.connect (theanarkh) #​56075
• [566f0a1d25] - (SEMVER-MINOR) net: add SocketAddress.parse (James M Snell) #​56076
• [ed7eab1421] - (SEMVER-MINOR) net: add net.BlockList.isBlockList(value) (James M Snell) #​56078
• [b47888d390] - (SEMVER-MINOR) net: support blocklist for net.Server (theanarkh) #​56079
• [481770a38f] - node-api: allow napi_delete_reference in finalizers (Chengzhong Wu) #​55620
• [2beb4f1f8c] - permission: ignore internalModuleStat on module loading (Rafael Gonzaga) #​55797
• [ea4891856d] - (SEMVER-MINOR) process: deprecate features.{ipv6,uv} and features.tls_* (René) #​55545
• [c907b2f358] - quic: update more QUIC implementation (James M Snell) #​55986
• [43c25e2e0d] - quic: multiple updates to quic impl (James M Snell) #​55971
• [01eb308f26] - (SEMVER-MINOR) report: fix typos in report keys and bump the version (Yuan-Ming Hsu) #​56068
• [1cfa31fb82] - sea: only assert snapshot main function for main threads (Joyee Cheung) #​56120
• [97c38352d0] - (SEMVER-MINOR) sqlite: aggregate constants in a single property (Edigleysson Silva (Edy)) #​56213
• [2268c1ea8b] - sqlite: add support for custom functions (Colin Ihrig) #​55985
• [f5c6955722] - sqlite: support db.loadExtension (Alex Yang) #​53900
• [9a60bea6b7] - sqlite: deps include sqlite3ext.h (Alex Yang) #​56010
• [b4041e554a] - (SEMVER-MINOR) sqlite: add StatementSync.prototype.iterate method (tpoisseau) #​54213
• [2889e8da04] - src: fix outdated js2c.cc references (Chengzhong Wu) #​56133
• [5ce020b0c9] - src: use spaceship operator in SocketAddress (James M Snell) #​56059
• [a32fa30847] - src: add missing qualifiers to env.cc (Yagiz Nizipli) #​56062
• [974b7b61ef] - src: use std::string_view for process emit fns (Yagiz Nizipli) #​56086
• [4559fac862] - src: remove dead code in async_wrap (Gerhard Stöbich) #​56065
• [e42e4b20be] - src: avoid copy on getV8FastApiCallCount (Yagiz Nizipli) #​56081
• [c188660e8b] - src: fix check fd (theanarkh) #​56000
• [d894cb76ff] - src: safely remove the last line from dotenv (Shima Ryuhei) #​55982
• [2ca9f4b65a] - src: fix kill signal on Windows (Hüseyin Açacak) #​55514
• [2e3ca1bbdd] - (SEMVER-MINOR) src: add cli option to preserve env vars on dr (Rafael Gonzaga) #​55697
• [359fff1c4e] - src,build: add no user defined deduction guides of CTAD check (Chengzhong Wu) #​56071
• [57bb983215] - (SEMVER-MINOR) src,lib: stabilize permission model (Rafael Gonzaga) #​56201
• [d352b0465a] - stream: commit pull-into descriptors after filling from queue (Mattias Buelens) #​56072
• [eef9bd1bf6] - test: remove test-sqlite-statement-sync flaky designation (Luigi Pinca) #​56051
• [8718135a5d] - test: use --permission over --experimental-permission (Rafael Gonzaga) #​56239
• [9c68d4f180] - test: remove exludes for sea tests on PPC (Michael Dawson) #​56217
• [c5d0472968] - test: fix test-abortsignal-drop-settled-signals flakiness (Edigleysson Silva (Edy)) #​56197
• [4adf518689] - test: move localizationd data from test-icu-env to external file (Livia Medeiros) #​55618
• [02383b4267] - test: update WPT for url to 6fa3fe8 (Node.js GitHub Bot) #​56136
• [0e24eebf24] - test: remove hasOpenSSL3x utils (Antoine du Hamel) #​56164
• [381e705385] - test: update streams wpt (Mattias Buelens) #​56072
• [ad107ca0d9] - test: remove test-fs-utimes flaky designation (Luigi Pinca) #​56052
• [e15c5dab79] - test: ensure cli.md is in alphabetical order (Antoine du Hamel) #​56025
• [d0302e7d2d] - test: update WPT for WebCryptoAPI to 3e3374e (Node.js GitHub Bot) #​56093
• [a0b1e8f400] - test: update WPT for WebCryptoAPI to 76dfa54 (Node.js GitHub Bot) #​56093
• [211f058a12] - test: move test-worker-arraybuffer-zerofill to parallel (Luigi Pinca) #​56053
• [c52bc5d71c] - test: update WPT for url to 67880a4 (Node.js GitHub Bot) #​55999
• [1a78bde8d4] - test: make HTTP/1.0 connection test more robust (Arne Keller) #​55959
• [ff7b1445a0] - test: convert readdir test to use test runner (Thomas Chetwin) #​55750
• [b296b5a4e4] - test: make x509 crypto tests work with BoringSSL (Shelley Vohr) #​55927
• [97458ad74b] - test: fix determining lower priority (Livia Medeiros) #​55908
• [bb4aa7a296] - test,crypto: update WebCryptoAPI WPT (Filip Skokan) #​55997
• [fb98fa4967] - test_runner: refactor Promise chain in run() (Colin Ihrig) #​55958
• [18c94961f8] - test_runner: refactor build Promise in Suite() (Colin Ihrig) #​55958
• [bf3967fd3a] - test_runner: simplify hook running logic (Colin Ihrig) #​55963
• [8c065dc61e] - test_runner: mark context.plan() as stable (Colin Ihrig) #​55895
• [8ff082cf48] - test_runner: mark snapshot testing as stable (Colin Ihrig) #​55897
• [7ae125cef4] - tools: fix node: enforcement for docs (Antoine du Hamel) #​56284
• [0b489116a3] - tools: update github_reporter to 1.7.2 (Node.js GitHub Bot) #​56205
• [5306819fac] - tools: add REPLACEME check to workflow (Mert Can Altin) #​56251
• [4e3cab44cb] - tools: use github.actor instead of bot username for release proposals (Antoine du Hamel) #​56232
• [3e8938463a] - Revert "tools: disable automated libuv updates" (Luigi Pinca) #​56223
• [98ea499e36] - tools: update gyp-next to 0.19.1 (Anna Henningsen) #​56111
• [2e76cd2a8b] - tools: fix release proposal linter to support more than 1 folk preparing (Antoine du Hamel) #​56203
• [9fa0e41665] - tools: enable linter for tools/icu/** (Livia Medeiros) #​56176
• [d6e1efcc59] - tools: use commit title as PR title when creating release proposal (Antoine du Hamel) #​56165
• [a88e4ce55e] - tools: update gyp-next to 0.19.0 (Node.js GitHub Bot) #​56158
• [bd0760efbc] - tools: bump the eslint group in /tools/eslint with 4 updates (dependabot[bot]) #​56099
• [c5b1cf4b12] - tools: improve release proposal PR opening (Antoine du Hamel) #​56161
• [12baefb13d] - tools: update create-release-proposal workflow (Antoine du Hamel) #​56054
• [e6e1495f1a] - tools: fix update-undici script (Michaël Zasso) #​56069
• [ed635c90da] - tools: allow dispatch of tools.yml from forks (Antoine du Hamel) #​56008
• [1e628d1f37] - tools: fix nghttp3 updater script (Antoine du Hamel) #​56007
• [1af3599b7e] - tools: filter release keys to reduce interactivity (Antoine du Hamel) #​55950
• [1893be4a9c] - tools: update WPT updater (Antoine du Hamel) #​56003
• [f89bd2ba8a] - tools: add WPT updater for specific subsystems (Mert Can Altin) #​54460
• [61901372d5] - tools: use tokenless Codecov uploads (Michaël Zasso) #​55943
• [312bb4dff8] - tools: lint js in doc/**/*.md (Livia Medeiros) #​55904
• [7b476f637c] - tools: add linter for release commit proposals (Antoine du Hamel) #​55923
• [22d7017191] - tools: fix riscv64 build failed (Lu Yahan) #​52888
• [f4f777f4d2] - tools: bump cross-spawn from 7.0.3 to 7.0.5 in /tools/eslint (dependabot[bot]) #​55894
• [a648e4c44a] - util: harden more built-in classes against prototype pollution (Antoine du Hamel) #​56225
• [4a1b51b5a9] - util: fix Latin1 decoding to return string output (Mert Can Altin) #​56222
• [9e98e86604] - util: do not rely on mutable Object and Function' constructor prop (Antoine du Hamel) #​56188
• [374eb415fd] - util: add fast path for Latin1 decoding (Mert Can Altin) #​55275
• [bcfe9c80fc] - (SEMVER-MINOR) util: add sourcemap support to getCallSites (Marco Ippolito) #​55589
• [2aa77c8a8f] - v8,tools: expose experimental wasm revectorize feature (Yolanda-Chen) #​54896
• [bfd11d7661] - worker: fix crash when a worker joins after exit (Stephen Belanger) #​56191

v22.12.0

Compare Source

v22.11.0: 2024-10-29, Version 22.11.0 'Jod' (LTS), @​richardlau

Compare Source

Notable Changes

This release marks the transition of Node.js 22.x into Long Term Support (LTS)
with the codename 'Jod'. The 22.x release line now moves into "Active LTS"
and will remain so until October 2025. After that time, it will move into
"Maintenance" until end of life in April 2027.

Other than updating metadata, such as the process.release object, to reflect
that the release is LTS, no further changes from Node.js 22.10.0 are included.

OpenSSL 3.x

Official binaries for Node.js 22.x currently include OpenSSL 3.0.x (more
specifically, the quictls OpenSSL fork).
OpenSSL 3.0.x is the currently designated long term support version that is
scheduled to be supported until 7th September 2026, which is within the expected
lifetime of Node.js 22.x. We are expecting upstream OpenSSL to announce a
successor long term support version prior to that date and since OpenSSL now
follows a semantic versioning-like versioning scheme we expect to be able to
update to the next long term supported version of OpenSSL during the lifetime of
Node.js 22.x.

v22.10.0: 2024-10-16, Version 22.10.0 (Current), @​aduh95

Compare Source

Notable Changes

New "module-sync" exports condition

This release introduces a "module-sync" exports condition that's enabled when
require(esm) is enabled, so packages can supply a synchronous ES module to the
Node.js module loader, no matter if it's being required or imported. This is
similar to the "module" condition that bundlers have been using to support
require(esm) in Node.js, and allows dual-package authors to opt into ESM-first
only on newer versions of Node.js that supports require(esm) to avoid the
dual-package hazard.

{
  "type": "module",
  "exports": {
    "node": {
      // On new version of Node.js, both require() and import get
      // the ESM version
      "module-sync": "./index.js",
      // On older version of Node.js, where "module-sync" and require(esm) are
      // not supported, use the CJS version to avoid dual-package hazard.
      // When package authors think it's time to drop support for older versions of
      // Node.js, they can remove the exports conditions and just use "main": "index.js".
      "default": "./dist/index.cjs"
    },
    // On any other environment, use the ESM version.
    "default": "./index.js"
  }
}

Or if the package is only meant to be run on Node.js and wants to fallback to
CJS on older versions that don't have require(esm):

{
  "type": "module",
  "exports": {
    // On new version of Node.js, both require() and import get the ESM version
    "module-sync": "./index.js",
    // On older version of Node.js, where "module-sync" and require(esm) are
    // not supported, use the CJS version to avoid dual-package hazard.
    // When package authors think it's time to drop support for older versions of
    // Node.js, they can remove the exports conditions and just use "main": "index.js".
    "default": "./dist/index.cjs"
  }
}

For package authors: this only serves as a feature-detection mechanism for
packages that wish to support both CJS and ESM users during the period when some
active Node.js LTS versions support require(esm) while some older ones don't.
When all active Node.js LTS lines support require(esm), packages can simplify
their distributions by bumping the major version, dropping their CJS exports,
and removing the module-sync exports condition (with only main or default
targetting the ESM exports). If the package needs to support both bundlers and
being run unbundled on Node.js during the transition period, use both
module-sync and module and point them to the same ESM file. If the package
already doesn't want to support older versions of Node.js that doesn't support
require(esm), don't use this export condition.

For bundlers/tools: they should avoid implementing this stop-gap condition.
Most existing bundlers implement the de-facto bundler standard
module
exports condition, and that should be enough to support users who want to bundle
ESM from CJS consumers. Users who want both bundlers and Node.js to recognize
the ESM exports can use both module/module-sync conditions during the
transition period, and can drop module-sync+module when they no longer need
to support older versions of Node.js. If tools do want to support this
condition, it's recommended to make the resolution rules in the graph pointed by
this condition match the Node.js native ESM rules to avoid divergence.

We ended up implementing a condition with a different name instead of reusing
"module", because existing code in the ecosystem using the "module"
condition sometimes also expect the module resolution for these ESM files to
work in CJS style, which is supported by bundlers, but the native Node.js loader
has intentionally made ESM resolution different from CJS resolution (e.g.
forbidding import './noext' or import './directory'), so it would be
breaking to implement a "module" condition without implementing the forbidden
ESM resolution rules. For now, this just implements a new condition as
semver-minor so it can be backported to older LTS.

Contributed by Joyee Cheung in #​54648.

node --run is now stable

This CLI flag runs a

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
shortvid	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jan 23, 2025 9:37pm