Skip to content

2026-03-03, Version 25.8.0 (Current) #62073

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
richardlau merged 55 commits into from
Mar 3, 2026
Merged

2026-03-03, Version 25.8.0 (Current) #62073

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
55 commits
Select commit Hold shift + click to select a range
f3d3968
Revert "build: add temporal test on GHA windows"
aduh95 Feb 24, 2026
999bf22
repl: keep reference count for `process.on('newListener')`
addaleax Feb 22, 2026
0072b7f
meta: bump actions/stale from 10.1.1 to 10.2.0
dependabot[bot] Feb 22, 2026
59a726a
meta: bump step-security/harden-runner from 2.14.1 to 2.14.2
dependabot[bot] Feb 22, 2026
21d4baf
meta: bump github/codeql-action from 4.32.0 to 4.32.4
dependabot[bot] Feb 22, 2026
f279233
tools: roll back to x86 runner on `scorecard.yml`
aduh95 Feb 24, 2026
dc12a25
doc: rename invalid `function` parameter
Renegade334 Feb 24, 2026
9b483fb
deps: update minimatch to 10.2.2
nodejs-github-bot Feb 24, 2026
192c038
util: add fast path to stripVTControlCharacters
privatenumber Feb 24, 2026
46a6192
doc: support toolchain Visual Studio 2022 & 2026 + Windows 11 SDK
MikeMcC399 Feb 24, 2026
3337b09
crypto: fix potential null pointer dereference when BIO_meth_new() fails
ndossche Feb 24, 2026
243e6b2
test_runner: replace native methods with primordials
Ayoub-Mabrouk Feb 24, 2026
0d97ec4
test_runner: expose worker ID for concurrent test execution
thisalihassan Feb 24, 2026
b771529
child_process: add tracing channel for spawn
marcopiraccini Feb 25, 2026
f53a32a
deps: update acorn to 8.16.0
nodejs-github-bot Feb 25, 2026
4d411d7
deps: update acorn-walk to 8.3.5
nodejs-github-bot Feb 25, 2026
705bbd6
deps: update simdjson to 4.3.1
nodejs-github-bot Feb 25, 2026
dc384f9
crypto: fix handling of null BUF_MEM* in ToV8Value()
ndossche Feb 25, 2026
33a364c
doc: explicitly mention Slack handle
RafaelGSS Feb 25, 2026
46ee1ed
src: add C++ support for diagnostics channels
RafaelGSS Feb 13, 2026
9ddd1a9
src,permission: add --permission-audit
RafaelGSS Feb 17, 2026
ea2df2a
stream: fix pipeTo to defer writes per WHATWG spec
mcollina Feb 26, 2026
fce2930
test_runner: expose expectFailure message
Han5991 Feb 26, 2026
a32a598
crypto: fix missing nullptr check on RSA_new()
ndossche Feb 19, 2026
4890d6b
test_runner: run afterEach on runtime skip
igor-shevelenkov Feb 26, 2026
3c94b56
inspector: unwrap internal/debugger/inspect imports
Renegade334 Feb 26, 2026
0a96a16
tools: bump minimatch from 3.1.2 to 3.1.3 in /tools/eslint
dependabot[bot] Feb 26, 2026
604456c
test: avoid flaky debugger restart waits
inoway46 Feb 27, 2026
8a24c17
lib: improve argument handling in Blob constructor
Ms2ger Feb 27, 2026
7c72a31
test: skip strace test with shared openssl
richardlau Feb 27, 2026
940b58c
buffer: optimize buffer.concat performance
mertcanaltin Feb 27, 2026
4c181e2
sqlite: add limits property to DatabaseSync
mertcanaltin Feb 27, 2026
57dc092
deps: upgrade npm to 11.11.0
npm-cli-bot Feb 27, 2026
31e7936
tools: revert tools GHA workflow to ubuntu-latest
richardlau Feb 28, 2026
e55edde
build, doc: use new api doc tooling
flakey5 Feb 27, 2026
bf1ed7e
tls: forward keepAlive, keepAliveInitialDelay, noDelay to socket
tadjik1 Feb 28, 2026
7508540
doc: update DEP0040 (punycode) to application type deprecation
MikeMcC399 Feb 28, 2026
e6b131f
doc: fix module.stripTypeScriptTypes indentation
Renegade334 Feb 25, 2026
ad96a65
test: skip `test-url` on `--shared-ada` builds
aduh95 Mar 1, 2026
aa0c7b0
test: remove unnecessary `process.exit` calls from test files
aduh95 Mar 1, 2026
a28744c
tools: fix permissions for merve update script
richardlau Mar 1, 2026
ca78ebb
doc: fix small logic error in DETECT_MODULE_SYNTAX
Renegade334 Mar 1, 2026
54a055a
tools: bump minimatch from 3.1.2 to 3.1.3 in `/tools/clang-format`
dependabot[bot] Mar 1, 2026
8aa2fde
deps: update minimatch to 10.2.4
nodejs-github-bot Mar 1, 2026
4e54c10
doc: separate in-types and out-types in SQLite conversion docs
Renegade334 Mar 2, 2026
51ded81
deps: update undici to 7.22.0
nodejs-github-bot Mar 2, 2026
0f15079
tools: remove custom logic for skipping `test-strace-openat-openssl`
aduh95 Mar 2, 2026
0589b0e
build: fix GN for new merve dep
codebytere Mar 2, 2026
aee2a18
src: fix flags argument offset in JSUdpWrap
cuiweixie Feb 23, 2026
dafdc0a
http: validate headers in writeEarlyHints
rsclarke Mar 2, 2026
bdc1894
doc: expand SECURITY.md with non-vulnerability examples
RafaelGSS Mar 2, 2026
3d160cd
module: run require.resolve through module.registerHooks()
joyeecheung Mar 2, 2026
6259abc
http: validate ClientRequest path on set
mcollina Mar 2, 2026
746d0ce
tools: fix parsing of commit trailers in `lint-release-proposal` GHA
aduh95 Mar 2, 2026
ae94abf
2026-03-03, Version 25.8.0 (Current)
nodejs-github-bot Mar 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
crypto: fix potential null pointer dereference when BIO_meth_new() fails 
This function can return null, which will make the calls to
BIO_meth_set_* trigger a null deref.
Even after fixing this, there is an issue with the
`BIOPointer::New(GetMethod())` call in `NodeBIO::New` because the
`New` method cannot handle a null pointer despite other code already
guarding for this
(e.g. the `NodeBIO::New` function already checks `bio`).
This patch solves the issues by adding more null checks.

PR-URL: #61788
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
  • Loading branch information
@ndossche @aduh95
ndossche authored and aduh95 committed Feb 28, 2026
commit 3337b095dba03e37f0915534dbdb393bb0bcc5f9
1 change: 1 addition & 0 deletions deps/ncrypto/ncrypto.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1470,6 +1470,7 @@ BIOPointer BIOPointer::NewSecMem() {
}

BIOPointer BIOPointer::New(const BIO_METHOD* method) {
if (method == nullptr) return {};
return BIOPointer(BIO_new(method));
}

Expand Down
1 change: 1 addition & 0 deletions src/crypto/crypto_bio.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -226,6 +226,7 @@ const BIO_METHOD* NodeBIO::GetMethod() {
// Static initialization ensures that this is safe to use concurrently.
static const BIO_METHOD* method = [&]() {
BIO_METHOD* method = BIO_meth_new(BIO_TYPE_MEM, "node.js SSL buffer");
CHECK_NOT_NULL(method);
BIO_meth_set_write(method, Write);
BIO_meth_set_read(method, Read);
BIO_meth_set_puts(method, Puts);
Expand Down