Update node Docker tag to v25

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
node	stage	major	23.6.1-alpine → 25.9.0-alpine
node	final	major	23.6.1-alpine → 25.9.0-alpine

---

Release Notes

nodejs/node (node)

v25.9.0: 2026-04-01, Version 25.9.0 (Current), @​aduh95

Compare Source

Notable Changes

Test runner module mocking improvements

MockModuleOptions.defaultExport and MockModuleOptions.namedExports have been
consolidated into a single option MockModuleOptions.exports to align with user
expectations and other test runners.

A default property on MockModuleOptions.exports represents the default
export, and own enumerable properties are treated as named exports.

An automated migration is available to update user code:
https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports

npx codemod @​nodejs/mock-module-exports

Contributed by sangwook in #​61727.

Other notable changes

• [312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #​61674
• [62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #​58708
• [d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #​62183
• [f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #​62188
• [67b854d407] - (SEMVER-MINOR) repl: remove dependency on node:domain (Matteo Collina) #​61227
• [966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #​62158
• [e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #​62066

Commits

• [312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #​61674
• [bfff8cb2ab] - (SEMVER-MINOR) benchmark: add benchmarks for experimental stream/iter (James M Snell) #​62066
• [c721d68502] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #​62084
• [e2f03c8e92] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #​61871
• [2fcd07f1ba] - build: support empty libname flags in configure.py (Antoine du Hamel) #​62477
• [b800c57fce] - build: fix timezone-update path references (Chengzhong Wu) #​62280
• [7dc5a1e9b4] - build: skip dockit on IBMi (SRAVANI GUNDEPALLI) #​62189
• [f0eea0f905] - build: fix --node-builtin-modules-path (Filip Skokan) #​62115
• [62d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #​58708
• [ac4b485698] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #​62485
• [d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #​62183
• [3009980d9d] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #​62254
• [f5725ca81d] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #​62218
• [f69ed4bc3f] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #​61875
• [4d96e53570] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #​62169
• [93d77719e8] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #​62170
• [3d2e23a981] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #​62414
• [176d6d2205] - deps: update timezone to 2026a (Node.js GitHub Bot) #​62164
• [95c7fc67ba] - deps: update googletest to 2461743 (Node.js GitHub Bot) #​62484
• [e5e9f2044a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #​62382
• [905b94266a] - deps: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) #​62051
• [180c150122] - deps: V8: cherry-pick cf1bce4 (Richard Lau) #​62449
• [bc265aa003] - deps: upgrade npm to 11.12.1 (npm team) #​62448
• [f1b28612c4] - deps: V8: cherry-pick b25cd62 (Yagiz Nizipli) #​62354
• [757719d2af] - deps: disable rust icu compiled_data features (Chengzhong Wu) #​62284
• [3bdc955b63] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #​62256
• [a9703d194a] - deps: update googletest to 73a63ea (Node.js GitHub Bot) #​61927
• [85138935cb] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #​62213
• [231521e75e] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #​62123
• [0093863664] - doc: deprecate module.register() (DEP0205) (Geoffrey Booth) #​62395
• [0b96ece6be] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #​62456
• [8d3ea975f5] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #​62492
• [08ff16e0ba] - doc: move sqlite type conversion section to correct level (René) #​62482
• [61cc747dd8] - doc: add Rafael to last security release steward (Rafael Gonzaga) #​62423
• [64cfa5a6fa] - doc: use npm-published version of doc-kit (Aviv Keller) #​62139
• [1020321fb0] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #​62206
• [9caa7855b2] - doc: fix guaranteed typo (lilianakatrina684-a11y) #​62374
• [e254f65306] - doc: enhance clarification about the main field (Mowafak Almahaini) #​62302
• [9e724b53f8] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #​62243
• [7f37c17516] - doc: minor typo fix (Jeff Matson) #​62358
• [eb0ca98f01] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #​62355
• [198b6e0932] - doc: deprecate CryptoKey use in node:crypto (Filip Skokan) #​62321
• [17e5aee6c5] - doc: fix small environment_variables typo (chris) #​62279
• [193d629895] - doc: test and test-only targets do not run linter (Xavier Stouder) #​62120
• [4a1f20ec4a] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #​62208
• [f976c9214d] - doc: clarify that any truthy value of shell is part of DEP0190 (Antoine du Hamel) #​62249
• [4d83972681] - doc: remove outdated Chrome 66 and ndb references from debugger (Kit Dallege) #​62202
• [71f2eada5b] - doc: add throwIfNoEntry version history to fs.stat (kovan) #​62204
• [670c80893b] - doc: add note (and caveat) for mock.module about customization hooks (Jacob Smith) #​62075
• [2ff5cb13f5] - doc,test: clarify --eval syntax for leading '-' scripts (kovan) #​62244
• [6c6c9004c4] - esm: fix typo in worker loader hook comment (jakecastelli) #​62475
• [1cdd23c9f3] - esm: fix source phase identity bug in loadCache eviction (Guy Bedford) #​62415
• [4f4ff15794] - esm: fix path normalization in finalizeResolution (Antoine du Hamel) #​62080
• [088167d102] - events: avoid cloning listeners array on every emit (Gürgün Dayıoğlu) #​62261
• [0250b436ee] - fs: fix cpSync to handle non-ASCII characters (Stefan Stojanovic) #​61950
• [b67a8fb171] - inspector: add Target.getTargets and extract TargetManager (Kohei) #​62487
• [ffcc5a5722] - lib: make SubtleCrypto.supports enumerable (Filip Skokan) #​62307
• [92ef2ad8fa] - lib: prefer primordials in SubtleCrypto (Filip Skokan) #​62226
• [40a43ac4d0] - module: fix coverage of mocked CJS modules imported from ESM (Marco) #​62133
• [3ef0a5b90e] - quic: remove CryptoKey support from session keys option (Filip Skokan) #​62335
• [3c8dd8eb8e] - repl: use vm DONT_CONTEXTIFY context (Chengzhong Wu) #​62371
• [f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #​62188
• [e4c164e045] - repl: handle exceptions from async context after close (Anna Henningsen) #​62165
• [67b854d407] - (SEMVER-MINOR) repl: remove dependency on domain module (Matteo Collina) #​61227
• [966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #​62158
• [fe82baf970] - src: improve EC JWK import performance (Filip Skokan) #​62396
• [d490b171e0] - src: handle null backing store in ArrayBufferViewContents::Read (Mert Can Altin) #​62343
• [0e4af848bc] - src: convert context_frame field in AsyncWrap to internal field (Anna Henningsen) #​62103
• [02980b8c8f] - src: enable compilation/linking with OpenSSL 4.0 (Filip Skokan) #​62410
• [064f7c2fa6] - src: use stack allocation in indexOf latin1 path (Mert Can Altin) #​62268
• [ede52bc2dc] - src,sqlite: fix filterFunc dangling reference (Edy Silva) #​62281
• [e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #​62066
• [03839fb087] - stream: preserve error over AbortError in pipeline (Marco) #​62113
• [0000d2f011] - stream: replace bind with arrow function for onwrite callback (Ali Hassan) #​62087
• [3796a73719] - test: update WPT for WebCryptoAPI to 2cb332d (Node.js GitHub Bot) #​62483
• [ad8309415b] - test: update WPT for url to fc3e651 (Node.js GitHub Bot) #​62379
• [bed89b037e] - test: wait for reattach before initial break on restart (Yuya Inoue) #​62471
• [c9ffffcc55] - test: disable flaky WPT Blob test on AIX (James M Snell) #​62470
• [fd41ef31f6] - (SEMVER-MINOR) test: add tests for experimental stream/iter implementation (James M Snell) #​62066
• [1b9d8d3eec] - test: avoid flaky run wait in debugger restart test (Yuya Inoue) #​62112
• [cb08a29d51] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #​62238
• [abea0af8a9] - test: add WebCrypto Promise.prototype.then pollution regression tests (Filip Skokan) #​62226
• [47a2132269] - test: update WPT for WebCryptoAPI to 6a1c545 (Node.js GitHub Bot) #​62187
• [2c63d3006c] - test_runner: add exports option for module mocks (sangwook) #​61727
• [44ac0e1302] - test_runner: make it compatible with fake timers (Matteo Collina) #​59272
• [1865691275] - test_runner: set non-zero exit code when suite errors occur (Edy Silva) #​62282
• [0252b2bab8] - tools: bump picomatch from 4.0.3 to 4.0.4 in /tools/eslint (dependabot[bot]) #​62439
• [3368155267] - tools: bump yaml from 2.8.2 to 2.8.3 in /tools/doc (dependabot[bot]) #​62437
• [5e47c359f5] - tools: adopt the --check-for-duplicates NCU flag (Antoine du Hamel) #​62478
• [4a604e82d0] - tools: bump picomatch in /tools/doc (dependabot[bot]) #​62438
• [d1a98b4ddb] - tools: bump flatted from 3.4.1 to 3.4.2 in /tools/eslint (dependabot[bot]) #​62375
• [c32daa1ab4] - tools: bump eslint deps (Huáng Jùnliàng) #​62356
• [7a2fcc6d41] - tools: do not swallow error in lint-nix workflow (Antoine du Hamel) #​62292
• [c41a2871b5] - tools: add eslint-plugin-regexp (Huáng Jùnliàng) #​62093
• [56dfeb06df] - tools: fix timeout errors in lint-nix job (Antoine du Hamel) #​62265
• [22fc8078e8] - tools: bump flatted from 3.3.3 to 3.4.1 in /tools/eslint (dependabot[bot]) #​62255
• [409b0663bd] - tools: bump undici from 6.23.0 to 6.24.1 in /tools/doc (dependabot[bot]) #​62250
• [67c69750f4] - tools: validate all commits that are pushed to main (Antoine du Hamel) #​62246
• [7d9db8cd21] - tools: keep GN files when updating Merve (Antoine du Hamel) #​62167
• [6c8fa42ba2] - typings: rationalise TypedArray types (René) #​62174
• [531c64d04e] - url: enable simdutf for ada (Yagiz Nizipli) #​61477
• [2000caccde] - util: allow color aliases in styleText (sangwook) #​62180
• [0aed332ab4] - wasm: support js string constant esm import (Guy Bedford) #​62198
• [d3fd4a978b] - worker: heap profile optimizations (Ilyas Shabi) #​62201
• [e992a34a18] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #​62325

v25.8.2: 2026-03-24, Version 25.8.2 (Current), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21711) include permission check to pipe_wrap.cc (RafaelGSS) - Medium
• (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low

Commits

• [2086b7477b] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#834
• [0f9332a40a] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822
• [2b6937ddb2] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #​62271
• [bfb8ad5787] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #​62233
• [be6384727f] - deps: upgrade npm to 11.11.1 (npm team) #​62216
• [2feea5bb97] - deps: V8: override depot_tools version (Richard Lau) #​62344
• [86c04784dd] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [5197a56a34] - (CVE-2026-21711) permission: include permission check to pipe_wrap.cc (RafaelGSS) nodejs-private/node-private#820
• [04a886c735] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
• [9a7f80f2b0] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
• [d9c9b628cf] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [45b55dc786] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816
• [4bfda307c0] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

v25.8.1: 2026-03-11, Version 25.8.1 (Current), @​aduh95

Compare Source

Notable Changes

• [ea87eea71a] - module: fix extensionless CJS files in "type": "module" packages (Matteo Collina) #​62083

Commits

• [bab750d1b3] - build: do not depend on V8 deps on --without-bundled-v8 builds (Antoine du Hamel) #​62033
• [b26d1c7fcb] - crypto: make --use-system-ca per-env rather than per-process (Aditi) #​60678
• [e362635abf] - crypto: add missing AES dictionaries (Filip Skokan) #​62099
• [6f975db8af] - crypto: fix importKey required argument count check (Filip Skokan) #​62099
• [3beaf9c5fc] - deps: update amaro to 1.1.8 (Node.js GitHub Bot) #​62151
• [53afb0edd8] - deps: update sqlite to 3.52.0 (Node.js GitHub Bot) #​62150
• [a13ed052a1] - deps: update merve to 1.2.0 (Node.js GitHub Bot) #​62149
• [2c850577b7] - deps: patch resb crate (Richard Lau) #​62138
• [37862a6728] - deps: V8: cherry-pick aa0b288 (Richard Lau) #​62136
• [09191ad8b4] - deps: update ada to 3.4.3 (Node.js GitHub Bot) #​62049
• [8d63a178fd] - doc: copyedit addons.md (Antoine du Hamel) #​62071
• [83719ffb64] - doc: correct util.convertProcessSignalToExitCode validation behavior (René) #​62134
• [eeee7c7fb1] - doc: add efekrskl as triager (Efe) #​61876
• [db150b2e69] - doc: fix markdown for expectFailure values (Jacob Smith) #​62100
• [d55a441e60] - doc: add title to index (Aviv Keller) #​62046
• [cc46204b48] - doc: include url.resolve() in DEP0169 application deprecation (Mike McCready) #​62002
• [1d91a7261e] - doc,module: add missing doc for syncHooks.deregister() (Joyee Cheung) #​61959
• [5198573bee] - http: fix use-after-free when freeParser is called during llhttp_execute (Gerhard Stöbich) #​62095
• [f8793f80df] - lib: fix source map url parse in dynamic imports (Chengzhong Wu) #​61990
• [5439d0e0cf] - meta: bump actions/download-artifact from 7.0.0 to 8.0.0 (dependabot[bot]) #​62063
• [27fd21943a] - meta: bump actions/upload-artifact from 6.0.0 to 7.0.0 (dependabot[bot]) #​62062
• [5b266f3295] - meta: bump step-security/harden-runner from 2.14.2 to 2.15.0 (dependabot[bot]) #​62064
• [ea87eea71a] - module: fix extensionless CJS files in "type": "module" packages (Matteo Collina) #​62083
• [851228cd60] - sqlite: handle stmt invalidation (Guilherme Araújo) #​61877
• [19efe60548] - src: expose async context frame debugging helper to JS (Anna Henningsen) #​62103
• [0257e8072f] - src: make AsyncWrap subclass internal field counts explicit (Anna Henningsen) #​62103
• [975dafbe3b] - src: release context frame in AsyncWrap::EmitDestroy (Gerhard Stöbich) #​61995
• [f2c08c7888] - src: use validate_ascii_with_errors instead of validate_ascii (Сковорода Никита Андреевич) #​61122
• [0278461d83] - stream: optimize webstreams pipeTo (Mattias Buelens) #​62079
• [4d62e95bfa] - stream: fix brotli error handling in web compression streams (Filip Skokan) #​62107
• [4bdcaf2865] - stream: improve Web Compression spec compliance (Filip Skokan) #​62107
• [a5b1be2045] - stream: fix UTF-8 character corruption in fast-utf8-stream (Matteo Collina) #​61745
• [5632446c4e] - stream: fix TransformStream race on cancel with pending write (Marco) #​62040
• [f90fa9cd1a] - stream: accept ArrayBuffer in CompressionStream and DecompressionStream (조수민) #​61913
• [00319eaa3a] - test: update WPT for url to c928b19 (Node.js GitHub Bot) #​62148
• [456abc7d20] - test: update WPT for WebCryptoAPI to c9e9558 (Node.js GitHub Bot) #​62147
• [82770cb7d3] - test: improve WPT report runner (Filip Skokan) #​62107
• [cfc847d233] - test: update WPT compression to ae05f5c (Filip Skokan) #​62107
• [80f78f2737] - test: update WPT for WebCryptoAPI to 42e4732 (Node.js GitHub Bot) #​62048
• [8048e0508c] - test: fix skipping behavior for test-runner-run-files-undefined (Antoine du Hamel) #​62026
• [699a6214c6] - tools: revert timezone update GHA workflow to ubuntu-latest (Richard Lau) #​62140
• [1a453b550c] - tools: improve error handling in test426 update script (Rich Trott) #​62121
• [710dde5ee2] - tools: fix --node-builtin-modules-path value in shell.nix (Antoine du Hamel) #​62102
• [dcb1cbb21f] - tools: bump the eslint group across 1 directory with 2 updates (dependabot[bot]) #​62092
• [7d0b758583] - tools: fix daily wpt workflow nighly release version lookup (Filip Skokan) #​62076
• [3e8c816f2e] - tools: fix example in release proposal linter (Richard Lau) #​62074
• [772d3d270d] - tools: bump minimatch from 3.1.3 to 3.1.5 in /tools/clang-format (dependabot[bot]) #​62013
• [92f3b42672] - tools: bump eslint to v10, babel to v8.0.0-rc.2 (Huáng Jùnliàng) #​61905
• [deead95ec5] - url: suppress warnings from url.format/url.resolve inside node_modules (René) #​62005

v25.8.0: 2026-03-03, Version 25.8.0 (Current), @​richardlau

Compare Source

Notable Changes

• [e55eddea2a] - build, doc: use new api doc tooling (flakey5) #​57343
• [4c181e2277] - (SEMVER-MINOR) sqlite: add limits property to DatabaseSync (Mert Can Altin) #​61298
• [46ee1eddd7] - (SEMVER-MINOR) src: add C++ support for diagnostics channels (RafaelGSS) #​61869
• [9ddd1a9c27] - (SEMVER-MINOR) src,permission: add --permission-audit (RafaelGSS) #​61869
• [0d97ec4044] - (SEMVER-MINOR) test_runner: expose worker ID for concurrent test execution (Ali Hassan) #​61394

Commits

• [940b58c8c1] - buffer: optimize buffer.concat performance (Mert Can Altin) #​61721
• [0589b0e5a1] - build: fix GN for new merve dep (Shelley Vohr) #​61984
• [f3d3968dcd] - Revert "build: add temporal test on GHA windows" (Antoine du Hamel) #​61810
• [e55eddea2a] - build, doc: use new api doc tooling (flakey5) #​57343
• [b7715292f8] - child_process: add tracing channel for spawn (Marco) #​61836
• [a32a598748] - crypto: fix missing nullptr check on RSA_new() (ndossche) #​61888
• [dc384f95b3] - crypto: fix handling of null BUF_MEM* in ToV8Value() (Nora Dossche) #​61885
• [3337b095db] - crypto: fix potential null pointer dereference when BIO_meth_new() fails (Nora Dossche) #​61788
• [51ded81139] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #​62035
• [8aa2fde931] - deps: update minimatch to 10.2.4 (Node.js GitHub Bot) #​62016
• [57dc092eaf] - deps: upgrade npm to 11.11.0 (npm team) #​61994
• [705bbd60a9] - deps: update simdjson to 4.3.1 (Node.js GitHub Bot) #​61930
• [4d411d72e5] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #​61928
• [f53a32ab84] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #​61925
• [9b483fbb27] - deps: update minimatch to 10.2.2 (Node.js GitHub Bot) #​61830
• [4e54c103cb] - doc: separate in-types and out-types in SQLite conversion docs (René) #​62034
• [ca78ebbeaa] - doc: fix small logic error in DETECT_MODULE_SYNTAX (René) #​62025
• [e6b131f3fe] - doc: fix module.stripTypeScriptTypes indentation (René) #​61992
• [7508540e19] - doc: update DEP0040 (punycode) to application type deprecation (Mike McCready) #​61916
• [33a364cb62] - doc: explicitly mention Slack handle (Rafael Gonzaga) #​61986
• [46a61922bd] - doc: support toolchain Visual Studio 2022 & 2026 + Windows 11 SDK (Mike McCready) #​61864
• [dc12a257aa] - doc: rename invalid function parameter (René) #​61942
• [dafdc0a5b8] - http: validate headers in writeEarlyHints (Richard Clarke) #​61897
• [3c94b56fa6] - inspector: unwrap internal/debugger/inspect imports (René) #​61974
• [8a24c17648] - lib: improve argument handling in Blob constructor (Ms2ger) #​61980
• [21d4baf256] - meta: bump github/codeql-action from 4.32.0 to 4.32.4 (dependabot[bot]) #​61911
• [59a726a8e3] - meta: bump step-security/harden-runner from 2.14.1 to 2.14.2 (dependabot[bot]) #​61909
• [0072b7f991] - meta: bump actions/stale from 10.1.1 to 10.2.0 (dependabot[bot]) #​61908
• [999bf22f47] - repl: keep reference count for process.on('newListener') (Anna Henningsen) #​61895
• [4c181e2277] - (SEMVER-MINOR) sqlite: add limits property to DatabaseSync (Mert Can Altin) #​61298
• [aee2a18257] - src: fix flags argument offset in JSUdpWrap (Weixie Cui) #​61948
• [46ee1eddd7] - (SEMVER-MINOR) src: add C++ support for diagnostics channels (RafaelGSS) #​61869
• [9ddd1a9c27] - (SEMVER-MINOR) src,permission: add --permission-audit (RafaelGSS) #​61869
• [ea2df2a16f] - stream: fix pipeTo to defer writes per WHATWG spec (Matteo Collina) #​61800
• [aa0c7b09e0] - test: remove unnecessary process.exit calls from test files (Antoine du Hamel) #​62020
• [ad96a6578f] - test: skip test-url on --shared-ada builds (Antoine du Hamel) #​62019
• [7c72a31e4b] - test: skip strace test with shared openssl (Richard Lau) #​61987
• [604456c163] - test: avoid flaky debugger restart waits (Yuya Inoue) #​61773
• [4890d6bd43] - test_runner: run afterEach on runtime skip (Igor Shevelenkov) #​61525
• [fce2930110] - test_runner: expose expectFailure message (sangwook) #​61563
• [0d97ec4044] - (SEMVER-MINOR) test_runner: expose worker ID for concurrent test execution (Ali Hassan) #​61394
• [243e6b2009] - test_runner: replace native methods with primordials (Ayoub Mabrouk) #​61219
• [bf1ed7e647] - tls: forward keepAlive, keepAliveInitialDelay, noDelay to socket (Sergey Zelenov) #​62004
• [0f15079d94] - tools: remove custom logic for skipping test-strace-openat-openssl (Antoine du Hamel) #​62038
• [54a055a59d] - tools: bump minimatch from 3.1.2 to 3.1.3 in /tools/clang-format (dependabot[bot]) #​61977
• [a28744cb62] - tools: fix permissions for merve update script (Richard Lau) #​62023
• [31e7936354] - tools: revert tools GHA workflow to ubuntu-latest (Richard Lau) #​62024
• [0a96a16e1f] - tools: bump minimatch from 3.1.2 to 3.1.3 in /tools/eslint (dependabot[bot]) #​61976
• [f279233412] - tools: roll back to x86 runner on scorecard.yml (Antoine du Hamel) #​61944
• [192c0382f4] - util: add fast path to stripVTControlCharacters (Hiroki Osame) #​61833

v25.7.0: 2026-02-24, Version 25.7.0 (Current), @​ruyadorno prepared by @​aduh95

Compare Source

Notable Changes

• [b0a79b10f0] - (SEMVER-MINOR) http2: add http1Options for HTTP/1 fallback configuration (Amol Yadav) #​61713
• [2d874dfb8e] - (SEMVER-MINOR) sea: support ESM entry point in SEA (Joyee Cheung) #​61813
• [ee59127664] - sqlite: mark as release candidate (Matteo Collina) #​61262
• [608736e19e] - (SEMVER-MINOR) stream: rename Duplex.toWeb() type option to readableType (René) #​61632
• [a43375999f] - (SEMVER-MINOR) test_runner: show interrupted test on SIGINT (Matteo Collina) #​61676

Commits

• [ab4375e141] - benchmark: add startup benchmark for ESM entrypoint (Joyee Cheung) #​61769
• [8d83d8026b] - build: add temporal test on GHA windows (Chengzhong Wu) #​61810
• [aab153eec3] - build: skip sscache action on non-main branches (Joyee Cheung) #​61790
• [9e40fb93bc] - build: use path-ignore in GHA coverage-windows.yml (Chengzhong Wu) #​61811
• [4896653361

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}