From 1dfd45e5c406bc8918a1c6e548bf9b8f5fcf278d Mon Sep 17 00:00:00 2001
From: Luna <279187109+lunadogbot@users.noreply.github.com>
Date: Wed, 29 Apr 2026 11:46:01 +0000
Subject: [PATCH 1/2] docs: document NODE_EXTRA_CA_CERTS env var (2.8)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Adds NODE_EXTRA_CA_CERTS to the special-environment-variables table.
Notes that the certs are honored at the root store level by fetch(),
Deno.connectTls(), and Node compat APIs (node:https, node:tls), and
that missing/invalid files only warn — matching Node.js behavior.
Refs denoland/deno#33148
---
runtime/reference/env_variables.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/runtime/reference/env_variables.md b/runtime/reference/env_variables.md
index 8769046bc..fcf1f377a 100644
--- a/runtime/reference/env_variables.md
+++ b/runtime/reference/env_variables.md
@@ -143,6 +143,7 @@ The Deno runtime has these special environment variables.
| DENO_AUTH_TOKENS | A semi-colon separated list of bearer tokens and hostnames to use when fetching remote modules from private repositories
(e.g. `abcde12345@deno.land;54321edcba@github.com`) |
| DENO_TLS_CA_STORE | Comma-separated list of order dependent certificate stores.
Possible values: `system`, `mozilla`. Defaults to `mozilla`. |
| DENO_CERT | Load certificate authority from PEM encoded file |
+| NODE_EXTRA_CA_CERTS | Path to a PEM file with extra certificate authorities. Loaded at the root certificate store level, so the certs are honored by `fetch()`, `Deno.connectTls()`, and Node compat APIs (`node:https`, `node:tls`). Available in Deno 2.8+. Missing or invalid files emit a warning rather than failing — matching Node.js. |
| DENO_COVERAGE_DIR | Set the directory for collecting coverage profile data. This option only works for [`deno test` subcommand](/runtime/reference/cli/test/). |
| DENO_DIR | Set the cache directory |
| DENO_INSTALL_ROOT | Set deno install's output directory (defaults to `$HOME/.deno/bin`) |
From bd12012bc31b413f145f1ed97fd7b8cf6ae6242c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bartek=20Iwa=C5=84czuk?=
Date: Wed, 20 May 2026 15:54:43 +0200
Subject: [PATCH 2/2] docs: add DENO_AUDIT_PERMISSIONS and NODE_EXTRA_CA_CERTS
to cli/env_variables.md
This page lists env vars as prose sections in addition to the table on
runtime/reference/env_variables.md; keep the two in sync.
---
runtime/reference/cli/env_variables.md | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/runtime/reference/cli/env_variables.md b/runtime/reference/cli/env_variables.md
index e76cbbf4b..9b9d1ba64 100644
--- a/runtime/reference/cli/env_variables.md
+++ b/runtime/reference/cli/env_variables.md
@@ -1,10 +1,18 @@
---
-last_modified: 2024-10-07
+last_modified: 2026-05-20
title: "Configuring Deno behavior"
---
There are several environment variables which can impact the behavior of Deno:
+### DENO_AUDIT_PERMISSIONS
+
+Audit every permission access (allowed or denied). Set to a file path to write a
+JSONL audit log, or to the literal value `otel` to emit each access as an
+OpenTelemetry log record via the configured exporter. See
+[permissions](/runtime/fundamentals/security/#permission-flags) for the field
+set and the OTel attribute names.
+
### DENO_AUTH_TOKENS
A list of authorization tokens which can be used to allow Deno to access remote
@@ -86,6 +94,14 @@ permission to read the environment variables by checking the value of
Indicates hosts which should bypass the proxy set in the other environment
variables. See the [Proxies](#proxies) section for more information.
+### NODE_EXTRA_CA_CERTS
+
+Path to a PEM file with extra certificate authorities. Loaded at the root
+certificate store level, so the certs are honored by `fetch()`,
+`Deno.connectTls()`, and the Node compat APIs (`node:https`, `node:tls`).
+Available in Deno 2.8+. Missing or invalid files emit a warning rather than
+failing, matching Node.js semantics.
+
### NPM_CONFIG_REGISTRY
The npm registry to use when loading modules via