[pull] main from nodejs:main

.github/workflows/auto-start-ci.yml

@@ -45,10 +45,6 @@ jobs:
     if: needs.get-prs-for-ci.outputs.numbers != ''
     runs-on: ubuntu-slim
     steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
-        with:
-          persist-credentials: false
-
       - name: Install Node.js
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238  # v6.2.0
         with:
@@ -62,14 +58,17 @@ jobs:
           ncu-config set username "$USERNAME"
           ncu-config set token "$GH_TOKEN"
           ncu-config set jenkins_token "$JENKINS_TOKEN"
-          ncu-config set owner "${{ github.repository_owner }}"
-          ncu-config set repo "$(echo ${{ github.repository }} | cut -d/ -f2)"
+          ncu-config set owner "$GITHUB_REPOSITORY_OWNER"
+          ncu-config set repo "$(echo "$GITHUB_REPOSITORY" | cut -d/ -f2)"
         env:
           USERNAME: ${{ secrets.JENKINS_USER }}
           GH_TOKEN: ${{ secrets.GH_USER_TOKEN }}
           JENKINS_TOKEN: ${{ secrets.JENKINS_TOKEN }}
 
       - name: Start the CI
-        run: ./tools/actions/start-ci.sh ${{ needs.get-prs-for-ci.outputs.numbers }}
+        run: |
+          curl -fsSL "https://github.com/${GITHUB_REPOSITORY}/raw/${GITHUB_SHA}/tools/actions/start-ci.sh" \
+          | sh -s -- ${{ needs.get-prs-for-ci.outputs.numbers }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GH_REPO: ${{ github.repository }}

.github/workflows/build-tarball.yml

@@ -100,9 +100,9 @@ jobs:
     needs: build-tarball
     runs-on: ubuntu-24.04
     env:
-      CC: sccache clang-19
-      CXX: sccache clang++-19
-      SCCACHE_GHA_ENABLED: 'true'
+      CC: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang-19
+      CXX: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang++-19
+      SCCACHE_GHA_ENABLED: ${{ github.base_ref == 'main' || github.ref_name == 'main' }}
       SCCACHE_IDLE_TIMEOUT: '0'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -120,6 +120,7 @@ jobs:
           python-version: ${{ env.PYTHON_VERSION }}
           allow-prereleases: true
       - name: Set up sccache
+        if: github.base_ref == 'main' || github.ref_name == 'main'
         uses: Mozilla-Actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
         with:
           version: v0.12.0

.github/workflows/coverage-linux-without-intl.yml

@@ -37,9 +37,9 @@ env:
   PYTHON_VERSION: '3.14'
   FLAKY_TESTS: keep_retrying
   CLANG_VERSION: '19'
-  CC: sccache clang-19
-  CXX: sccache clang++-19
-  SCCACHE_GHA_ENABLED: 'true'
+  CC: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang-19
+  CXX: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang++-19
+  SCCACHE_GHA_ENABLED: ${{ github.base_ref == 'main' || github.ref_name == 'main' }}
   SCCACHE_IDLE_TIMEOUT: '0'
 
 permissions:
@@ -63,6 +63,7 @@ jobs:
           python-version: ${{ env.PYTHON_VERSION }}
           allow-prereleases: true
       - name: Set up sccache
+        if: github.base_ref == 'main' || github.ref_name == 'main'
         uses: Mozilla-Actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
         with:
           version: v0.12.0

.github/workflows/coverage-linux.yml

@@ -37,9 +37,9 @@ env:
   PYTHON_VERSION: '3.14'
   FLAKY_TESTS: keep_retrying
   CLANG_VERSION: '19'
-  CC: sccache clang-19
-  CXX: sccache clang++-19
-  SCCACHE_GHA_ENABLED: 'true'
+  CC: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang-19
+  CXX: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang++-19
+  SCCACHE_GHA_ENABLED: ${{ github.base_ref == 'main' || github.ref_name == 'main' }}
   SCCACHE_IDLE_TIMEOUT: '0'
 
 permissions:
@@ -63,6 +63,7 @@ jobs:
           python-version: ${{ env.PYTHON_VERSION }}
           allow-prereleases: true
       - name: Set up sccache
+        if: github.base_ref == 'main' || github.ref_name == 'main'
         uses: Mozilla-Actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
         with:
           version: v0.12.0

.github/workflows/coverage-windows.yml

@@ -79,10 +79,14 @@ jobs:
           allow-prereleases: true
       - name: Install deps
         run: choco install nasm
+      - name: Install Rust ${{ env.RUSTC_VERSION }}
+        run: |
+          rustup override set "$RUSTC_VERSION"
+          rustup --version
       - name: Environment Information
         run: npx envinfo
       - name: Build
-        run: ./vcbuild.bat clang-cl
+        run: ./vcbuild.bat clang-cl v8temporal
       # TODO(bcoe): investigate tests that fail with coverage enabled
       # on Windows.
       - name: Test

.github/workflows/test-internet.yml

@@ -34,9 +34,9 @@ env:
   PYTHON_VERSION: '3.14'
   FLAKY_TESTS: keep_retrying
   CLANG_VERSION: '19'
-  CC: sccache clang-19
-  CXX: sccache clang++-19
-  SCCACHE_GHA_ENABLED: 'true'
+  CC: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang-19
+  CXX: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang++-19
+  SCCACHE_GHA_ENABLED: ${{ github.base_ref == 'main' || github.ref_name == 'main' }}
   SCCACHE_IDLE_TIMEOUT: '0'
 
 permissions:
@@ -60,6 +60,7 @@ jobs:
           python-version: ${{ env.PYTHON_VERSION }}
           allow-prereleases: true
       - name: Set up sccache
+        if: github.base_ref == 'main' || github.ref_name == 'main'
         uses: Mozilla-Actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
         with:
           version: v0.12.0

.github/workflows/test-linux.yml

@@ -34,9 +34,9 @@ env:
   PYTHON_VERSION: '3.14'
   FLAKY_TESTS: keep_retrying
   CLANG_VERSION: '19'
-  CC: sccache clang-19
-  CXX: sccache clang++-19
-  SCCACHE_GHA_ENABLED: 'true'
+  CC: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang-19
+  CXX: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} clang++-19
+  SCCACHE_GHA_ENABLED: ${{ github.base_ref == 'main' || github.ref_name == 'main' }}
   SCCACHE_IDLE_TIMEOUT: '0'
   RUSTC_VERSION: '1.82'
 
@@ -70,6 +70,7 @@ jobs:
           python-version: ${{ env.PYTHON_VERSION }}
           allow-prereleases: true
       - name: Set up sccache
+        if: github.base_ref == 'main' || github.ref_name == 'main'
         uses: Mozilla-Actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
         with:
           version: v0.12.0

.github/workflows/test-macos.yml

@@ -78,9 +78,9 @@ jobs:
       fail-fast: false
     runs-on: macos-15
     env:
-      CC: sccache gcc
-      CXX: sccache g++
-      SCCACHE_GHA_ENABLED: 'true'
+      CC: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} gcc
+      CXX: ${{ (github.base_ref == 'main' || github.ref_name == 'main') && 'sccache' || '' }} g++
+      SCCACHE_GHA_ENABLED: ${{ github.base_ref == 'main' || github.ref_name == 'main' }}
       SCCACHE_IDLE_TIMEOUT: '0'
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
@@ -99,6 +99,7 @@ jobs:
           rustup override set "$RUSTC_VERSION"
           rustup --version
       - name: Set up sccache
+        if: github.base_ref == 'main' || github.ref_name == 'main'
         uses: Mozilla-Actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
         with:
           version: v0.12.0

.github/workflows/test-shared.yml

@@ -175,32 +175,28 @@ jobs:
           authToken: ${{ secrets.CACHIX_AUTH_TOKEN }}
 
       - name: Configure sccache
+        if: github.base_ref == 'main' || github.ref_name == 'main'
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd  # v8.0.0
         with:
           script: |
             core.exportVariable('SCCACHE_GHA_ENABLED', 'on');
             core.exportVariable('ACTIONS_CACHE_SERVICE_V2', 'on');
             core.exportVariable('ACTIONS_RESULTS_URL', process.env.ACTIONS_RESULTS_URL || '');
             core.exportVariable('ACTIONS_RUNTIME_TOKEN', process.env.ACTIONS_RUNTIME_TOKEN || '');
-
-      - name: Load shell.nix
-        if: github.event_name != 'workflow_dispatch'
-        run: |
-          mv "$TAR_DIR"/*.nix .
-          mkdir tools
-          mv "$TAR_DIR"/tools/nix tools/.
+            core.exportVariable('NIX_SCCACHE', '(import <nixpkgs> {}).sccache');
 
       - name: Build Node.js and run tests
         run: |
           nix-shell \
-            -I nixpkgs=./tools/nix/pkgs.nix \
+            -I "nixpkgs=$TAR_DIR/tools/nix/pkgs.nix" \
             --pure --keep TAR_DIR --keep FLAKY_TESTS \
             --keep SCCACHE_GHA_ENABLED --keep ACTIONS_CACHE_SERVICE_V2 --keep ACTIONS_RESULTS_URL --keep ACTIONS_RUNTIME_TOKEN \
             --arg loadJSBuiltinsDynamically false \
-            --arg ccache '(import <nixpkgs> {}).sccache' \
+            --arg useSeparateDerivationForV8 true \
+            --arg ccache "${NIX_SCCACHE:-null}" \
             --arg devTools '[]' \
             --arg benchmarkTools '[]' \
             ${{ endsWith(matrix.system, '-darwin') && '--arg withAmaro false --arg withLief false --arg withSQLite false --arg extraConfigFlags ''["--without-inspector" "--without-node-options"]'' \' || '\' }}
             --run '
                 make -C "$TAR_DIR" run-ci -j4 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9 --skip-tests=$CI_SKIP_TESTS"
-            '
+            ' "$TAR_DIR/shell.nix"

SECURITY.md

@@ -335,6 +335,21 @@ the community they pose.
   proper security boundaries between trusted application logic and untrusted
   user input.
 
+#### Build System Attacks Requiring Control of the Build Environment (CWE-78, CWE-114, CWE-276)
+
+* The Node.js build system (e.g., `configure`, `configure.py`, `Makefile`,
+  `vcbuild.bat`) is designed to run in a trusted build environment.
+  The build environment, including environment variables, the file system,
+  and locally installed tools, is a trusted element in the Node.js threat model.
+* Reports about command injection via environment variables in build scripts
+  (e.g., `CC`, `CXX`, `PKG_CONFIG`, `RUSTC`), path hijacking in build output
+  directories, or file permissions of build artifacts are **not** considered
+  vulnerabilities. These scenarios require the attacker to already have control
+  over the build environment, which means the system is already compromised.
+* Build scripts are not a security boundary. They are expected to execute
+  tools and scripts specified by the environment, and to trust the
+  file system they operate on.
+
 #### Unhandled 'error' Events on EventEmitters (CWE-248)
 
 * EventEmitters that can emit `'error'` events require the application to

benchmark/fixtures/import-builtins.mjs

@@ -0,0 +1,34 @@
+import 'node:async_hooks';
+import 'node:assert';
+import 'node:buffer';
+import 'node:child_process';
+import 'node:console';
+import 'node:constants';
+import 'node:crypto';
+import 'node:cluster';
+import 'node:dgram';
+import 'node:dns';
+import 'node:domain';
+import 'node:events';
+import 'node:fs';
+import 'node:http';
+import 'node:http2';
+import 'node:https';
+import 'node:module';
+import 'node:net';
+import 'node:os';
+import 'node:path';
+import 'node:perf_hooks';
+import 'node:process';
+import 'node:querystring';
+import 'node:readline';
+import 'node:repl';
+import 'node:stream';
+import 'node:string_decoder';
+import 'node:timers';
+import 'node:tls';
+import 'node:tty';
+import 'node:url';
+import 'node:util';
+import 'node:vm';
+import 'node:zlib';

benchmark/misc/startup-core.js

@@ -7,9 +7,11 @@ let Worker;  // Lazy loaded in main
 
 const bench = common.createBenchmark(main, {
   script: [
-    'benchmark/fixtures/require-builtins',
-    'test/fixtures/semicolon',
-    'test/fixtures/snapshot/typescript',
+    'benchmark/fixtures/empty.mjs',
+    'benchmark/fixtures/import-builtins.mjs',
+    'benchmark/fixtures/require-builtins.js',
+    'test/fixtures/semicolon.js',
+    'test/fixtures/snapshot/typescript.js',
   ],
   mode: ['process', 'worker'],
   n: [30],
@@ -58,7 +60,7 @@ function spawnWorker(script, bench, state) {
 }
 
 function main({ n, script, mode }) {
-  script = path.resolve(__dirname, '../../', `${script}.js`);
+  script = path.resolve(__dirname, '../../', `${script}`);
   const warmup = 3;
   const state = { n, finished: -warmup };
   if (mode === 'worker') {

benchmark/webstreams/readable-read-buffered.js

@@ -0,0 +1,54 @@
+'use strict';
+const common = require('../common.js');
+const { ReadableStream } = require('node:stream/web');
+
+// Benchmark for reading from a pre-buffered ReadableStream.
+// This measures the fast path optimization where data is already
+// queued in the controller, avoiding DefaultReadRequest allocation.
+
+const bench = common.createBenchmark(main, {
+  n: [1e5],
+  bufferSize: [1, 10, 100, 1000],
+});
+
+async function main({ n, bufferSize }) {
+  let enqueued = 0;
+
+  const rs = new ReadableStream({
+    start(controller) {
+      // Pre-fill the buffer
+      for (let i = 0; i < bufferSize; i++) {
+        controller.enqueue('a');
+        enqueued++;
+      }
+    },
+    pull(controller) {
+      // Refill buffer when pulled
+      const toEnqueue = Math.min(bufferSize, n - enqueued);
+      for (let i = 0; i < toEnqueue; i++) {
+        controller.enqueue('a');
+        enqueued++;
+      }
+      if (enqueued >= n) {
+        controller.close();
+      }
+    },
+  }, {
+    // Use buffer size as high water mark to allow pre-buffering
+    highWaterMark: bufferSize,
+  });
+
+  const reader = rs.getReader();
+  let x = null;
+  let reads = 0;
+
+  bench.start();
+  while (reads < n) {
+    const { value, done } = await reader.read();
+    if (done) break;
+    x = value;
+    reads++;
+  }
+  bench.end(reads);
+  console.assert(x);
+}

configure.py

@@ -2064,10 +2064,16 @@ def configure_v8(o, configs):
   o['variables']['node_enable_v8windbg'] = b(options.enable_v8windbg)
   if options.enable_d8:
     o['variables']['test_isolation_mode'] = 'noop'  # Needed by d8.gyp.
-  if options.without_bundled_v8 and options.enable_d8:
-    raise Exception('--enable-d8 is incompatible with --without-bundled-v8.')
-  if options.without_bundled_v8 and options.enable_v8windbg:
-    raise Exception('--enable-v8windbg is incompatible with --without-bundled-v8.')
+  if options.without_bundled_v8:
+    if options.enable_d8:
+      raise Exception('--enable-d8 is incompatible with --without-bundled-v8.')
+    if options.enable_v8windbg:
+      raise Exception('--enable-v8windbg is incompatible with --without-bundled-v8.')
+    (pkg_libs, pkg_cflags, pkg_libpath, _) = pkg_config("v8")
+    if pkg_libs and pkg_libpath:
+      output['libraries'] += [pkg_libpath] + pkg_libs.split()
+    if pkg_cflags:
+      output['include_dirs'] += [flag for flag in [flag.strip() for flag in pkg_cflags.split('-I')] if flag]
   if options.static_zoslib_gyp:
     o['variables']['static_zoslib_gyp'] = options.static_zoslib_gyp
   if flavor != 'linux' and options.v8_enable_hugepage: