doc: expand SECURITY.md with non-vulnerability examples
PR-URL: #61972
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
RafaelGSS authored and richardlau committed Mar 2, 2026
commit bdc18940ad2a41d4e025fce1e37159492481726d
64 changes: 61 additions & 3 deletions SECURITY.md
Expand Up @@ -320,9 +320,17 @@ the community they pose.
* Avoid exposing low-level or dangerous APIs directly to untrusted users.

* Examples of scenarios that are **not** Node.js vulnerabilities:
* Allowing untrusted users to register SQLite user-defined functions that can
perform arbitrary operations (e.g., closing database connections during query
execution, causing crashes or use-after-free conditions).
* Allowing untrusted users to register SQLite user-defined functions via
`node:sqlite` (`DatabaseSync`) that can perform arbitrary operations
(e.g., closing database connections during query execution, causing crashes
or use-after-free conditions).
* Loading SQLite extensions using the `allowExtension` option in
`DatabaseSync` — this option must be explicitly set to `true` by the
application, and enabling it is the application operator's responsibility.
* Using `node:sqlite` built-in SQL functions or pragmas (e.g.,
`ATTACH DATABASE`) to read or write files — `DatabaseSync` operates with
the same file-system access as the process itself, and it is the
application's responsibility to restrict what SQL is executed.
* Exposing `child_process.exec()` or similar APIs to untrusted users without
proper input validation, allowing command injection.
* Allowing untrusted users to control file paths passed to file system APIs
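Review bot: In the third added bullet, `ATTACH DATABASE` is given as an example of "built-in SQL functions or pragmas", but it is a SQL statement, not a function or a pragma. Wording such as "built-in SQL statements, functions or pragmas (e.g., `ATTACH DATABASE`)" would keep the example accurate, so that a reporter cannot argue the statement form falls outside the listed cases. The `allowExtension` bullet states that the option must be set to `true` explicitly. A reader deciding whether a report is in scope would benefit from the bullet also saying that extensions are not loadable unless the application sets it.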
Expand Down Expand Up @@ -362,6 +370,56 @@ the community they pose.
responsibility to properly handle errors by attaching appropriate
`'error'` event listeners to EventEmitters that may emit errors.

#### Permission Model Boundaries (`--permission`)

The Node.js [Permission Model](https://nodejs.org/api/permissions.html)
(`--experimental-permission`) is an opt-in mechanism that limits which
resources a Node.js process may access. It is designed to reduce the blast
radius of mistakes in trusted application code, **not** to act as a security
boundary against intentional misuse or a compromised process.

The following are **not** vulnerabilities in Node.js:

* **Operator-controlled flags**: Behavior unlocked by flags the operator
explicitly passes (e.g., `--localstorage-file`) is the operator's
responsibility. The permission model does not restrict how Node.js behaves
when the operator intentionally configures it.

* **`node:sqlite` and the permission model**: `DatabaseSync` operates with the
same file-system privileges as the process. Using SQL pragmas or built-in
SQLite mechanisms (e.g., `ATTACH DATABASE`) to access files does not bypass
the permission model — the permission model does not intercept SQL-level
file operations.

* **Path resolution and symlinks**: `fs.realpathSync()`, `fs.realpath()`, and
similar functions resolve a path to its canonical form before the permission
check is applied. Accessing a file through a symlink that resolves to an
allowed path is the intended behavior, not a bypass. TOCTOU races on
symlinks that resolve within the allowed list are similarly not considered
permission model bypasses.

* **`worker_threads` with modified `execArgv`**: Workers inherit the permission
restrictions of their parent process. Passing an empty or modified `execArgv`
to a worker does not grant it additional permissions.

#### V8 Sandbox

The V8 sandbox is an in-process isolation mechanism internal to V8 that is not
a Node.js security boundary. Node.js does not guarantee or document the V8
sandbox as a security feature, and it is not enabled in a way that provides
security guarantees in production Node.js builds. Reports about escaping the V8
sandbox are not considered Node.js vulnerabilities; they should be reported
directly to the [V8 project](https://v8.dev/docs/security-bugs).

#### CRLF Injection in `writeEarlyHints()`

`ServerResponse.writeEarlyHints()` accepts a `link` header value that is set
by the application. Passing arbitrary strings, including CRLF sequences, as
the `link` value is an application-level misuse of the API, not a Node.js
vulnerability. Node.js validates the structure of Early Hints per the HTTP spec
but does not sanitize free-form application data passed to it; that is the
application's responsibility.

## Assessing experimental features reports

Experimental features are eligible for security reports just like any other
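Review bot: The new "Permission Model Boundaries" heading names the flag as `--permission`, while the first paragraph under it gives `--experimental-permission`. Use one spelling in both places, or state that both are accepted, so operators and reporters know which flag the section covers. In the `node:sqlite` bullet, "does not bypass the permission model" followed by "the permission model does not intercept SQL-level file operations" reads as contradictory on a first pass. Phrasing it as "is not considered a permission model bypass, because the permission model does not intercept SQL-level file operations" matches the wording used in the symlink bullet ("not considered permission model bypasses").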