2025-09-25, Version 24.9.0 (Current)

.github/workflows/build-tarball.yml

@@ -51,16 +51,14 @@ jobs:
       - name: Make tarball
         run: |
           export DISTTYPE=nightly
-          export DATESTRING=`date "+%Y-%m-%d"`
+          export DATESTRING=$(date "+%Y-%m-%d")
           export COMMIT=$(git rev-parse --short=10 "$GITHUB_SHA")
-          ./configure && make tar -j8 SKIP_XZ=1
-          mkdir tarballs
-          mv *.tar.gz tarballs
+          ./configure && make tar -j4 SKIP_XZ=1
       - name: Upload tarball artifact
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
         with:
           name: tarballs
-          path: tarballs
+          path: '*.tar.gz'
           compression-level: 0
   test-tarball-linux:
     needs: build-tarball
@@ -92,21 +90,9 @@ jobs:
           path: tarballs
       - name: Extract tarball
         run: |
-          tar xzf tarballs/*.tar.gz -C $RUNNER_TEMP
-          echo "TAR_DIR=$RUNNER_TEMP/`basename tarballs/*.tar.gz .tar.gz`" >> $GITHUB_ENV
+          tar xzf tarballs/*.tar.gz -C "$RUNNER_TEMP"
+          echo "TAR_DIR=$RUNNER_TEMP/$(basename tarballs/*.tar.gz .tar.gz)" >> "$GITHUB_ENV"
       - name: Build
-        run: |
-          make -C "$TAR_DIR" build-ci -j4 V=1
-      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
-        with:
-          persist-credentials: false
-          sparse-checkout: |
-            tools/eslint
-            tools/eslint-rules
-      - name: Move directories needed for testing
-        run: |
-          mv tools/eslint "$TAR_DIR/tools"
-          mv tools/eslint-rules "$TAR_DIR/tools"
+        run: make -C "$TAR_DIR" build-ci -j4 V=1
       - name: Test
-        run: |
-          make -C "$TAR_DIR" run-ci -j4 V=1 TEST_CI_ARGS="-p dots --measure-flakiness 9"
+        run: make -C "$TAR_DIR" run-ci -j4 V=1 TEST_CI_ARGS="-p dots --measure-flakiness 9"

.github/workflows/test-internet.yml

@@ -42,7 +42,7 @@ permissions:
 
 jobs:
   test-internet:
-    if: github.repository == 'nodejs/node' || github.event_name != 'schedule'
+    if: github.event_name == 'schedule' && github.repository == 'nodejs/node' || github.event.pull_request.draft == false
     runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0

.gitignore

@@ -21,6 +21,7 @@
 !.nycrc
 !.yamllint.yaml
 !.configurations/
+!/.npmrc
 
 # === Rules for root dir ===
 /core

.npmrc

@@ -0,0 +1 @@
+ignore-scripts=true

CHANGELOG.md

@@ -40,7 +40,8 @@ release.
 </tr>
 <tr>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V24.md#24.8.0">24.8.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V24.md#24.9.0">24.9.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V24.md#24.8.0">24.8.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V24.md#24.7.0">24.7.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V24.md#24.6.0">24.6.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V24.md#24.5.0">24.5.0</a><br/>

Makefile

@@ -1227,6 +1227,7 @@ $(TARBALL): release-only doc-only
 	$(RM) -r $(TARNAME)/tools/cpplint.py
 	$(RM) -r $(TARNAME)/tools/eslint
 	$(RM) -r $(TARNAME)/tools/eslint-rules
+	$(RM) -r $(TARNAME)/test/parallel/test-eslint-*
 	$(RM) -r $(TARNAME)/tools/license-builder.sh
 	$(RM) -r $(TARNAME)/tools/eslint/node_modules
 	$(RM) -r $(TARNAME)/tools/osx-*

SECURITY.md

@@ -15,6 +15,13 @@ you informed of the progress being made towards a fix and full announcement,
 and may ask for additional information or guidance surrounding the reported
 issue.
 
+If you do not receive an acknowledgement of your report within 6 business
+days, or if you cannot find a private security contact for the project, you
+may escalate to the OpenJS Foundation CNA at `security@lists.openjsf.org`.
+
+If the project acknowledges your report but does not provide any further
+response or engagement within 14 days, escalation is also appropriate.
+
 ### Node.js bug bounty program
 
 The Node.js project engages in an official bug bounty program for security

benchmark/cluster/echo.js

@@ -8,7 +8,7 @@ if (cluster.isPrimary) {
     payload: ['string', 'object'],
     sendsPerBroadcast: [1, 10],
     serialization: ['json', 'advanced'],
-    n: [1e5],
+    n: [1e3],
   });
 
   function main({

benchmark/dgram/multi-buffer.js

@@ -5,18 +5,18 @@ const common = require('../common.js');
 const dgram = require('dgram');
 const PORT = common.PORT;
 
-// `num` is the number of send requests to queue up each time.
+// `n` is the number of send requests to queue up each time.
 // Keep it reasonably high (>10) otherwise you're benchmarking the speed of
 // event loop cycles more than anything else.
 const bench = common.createBenchmark(main, {
-  len: [64, 256, 1024],
-  num: [100],
-  chunks: [1, 2, 4, 8],
+  len: [64, 512, 1024],
+  n: [100],
+  chunks: [1, 8],
   type: ['send', 'recv'],
   dur: [5],
 });
 
-function main({ dur, len, num, type, chunks }) {
+function main({ dur, len, n, type, chunks }) {
   const chunk = [];
   for (let i = 0; i < chunks; i++) {
     chunk.push(Buffer.allocUnsafe(Math.round(len / chunks)));
@@ -26,11 +26,11 @@ function main({ dur, len, num, type, chunks }) {
   const socket = dgram.createSocket('udp4');
 
   function onsend() {
-    if (sent++ % num === 0) {
+    if (sent++ % n === 0) {
       // The setImmediate() is necessary to have event loop progress on OSes
       // that only perform synchronous I/O on nonblocking UDP sockets.
       setImmediate(() => {
-        for (let i = 0; i < num; i++) {
+        for (let i = 0; i < n; i++) {
           socket.send(chunk, PORT, '127.0.0.1', onsend);
         }
       });

benchmark/dgram/send-types.js

@@ -0,0 +1,52 @@
+'use strict';
+
+const common = require('../common.js');
+const dgram = require('dgram');
+const { Buffer } = require('buffer');
+
+const bench = common.createBenchmark(main, {
+  type: ['string', 'buffer', 'mixed', 'typedarray'],
+  chunks: [1, 4, 8, 16],
+  len: [64, 512, 1024],
+  n: [1000],
+});
+
+function main({ type, chunks, len, n }) {
+  const socket = dgram.createSocket('udp4');
+
+  let testData;
+  switch (type) {
+    case 'string':
+      testData = Array(chunks).fill('a'.repeat(len));
+      break;
+    case 'buffer':
+      testData = Array(chunks).fill(Buffer.alloc(len, 'a'));
+      break;
+    case 'mixed':
+      testData = [];
+      for (let i = 0; i < chunks; i++) {
+        if (i % 2 === 0) {
+          testData.push(Buffer.alloc(len, 'a'));
+        } else {
+          testData.push('a'.repeat(len));
+        }
+      }
+      break;
+    case 'typedarray':
+      testData = Array(chunks).fill(new Uint8Array(len).fill(97));
+      break;
+  }
+
+  bench.start();
+
+  for (let i = 0; i < n; i++) {
+    socket.send(testData, 12345, 'localhost', (err) => {
+      if (err && err.code !== 'ENOTCONN' && err.code !== 'ECONNREFUSED') {
+        throw err;
+      }
+    });
+  }
+
+  bench.end(n);
+  socket.close();
+}

benchmark/zlib/crc32.js

@@ -0,0 +1,47 @@
+'use strict';
+
+const common = require('../common.js');
+const { crc32 } = require('zlib');
+
+// Benchmark crc32 on Buffer and String inputs across sizes.
+// Iteration count is scaled inversely with input length to keep runtime sane.
+// Example:
+//   node benchmark/zlib/crc32.js type=buffer len=4096 n=4000000
+//   ./out/Release/node benchmark/zlib/crc32.js --test
+
+const bench = common.createBenchmark(main, {
+  type: ['buffer', 'string'],
+  len: [32, 256, 4096, 65536],
+  n: [4e6],
+});
+
+function makeBuffer(size) {
+  const buf = Buffer.allocUnsafe(size);
+  for (let i = 0; i < size; i++) buf[i] = (i * 1103515245 + 12345) & 0xff;
+  return buf;
+}
+
+function makeAsciiString(size) {
+  const chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
+  let out = '';
+  for (let i = 0, j = 0; i < size; i++, j = (j + 7) % chars.length) out += chars[j];
+  return out;
+}
+
+function main({ type, len, n }) {
+  // Scale iterations so that total processed bytes roughly constant around n*4096 bytes.
+  const scale = 4096 / len;
+  const iters = Math.max(1, Math.floor(n * scale));
+
+  const data = type === 'buffer' ? makeBuffer(len) : makeAsciiString(len);
+
+  let acc = 0;
+  for (let i = 0; i < Math.min(iters, 10000); i++) acc ^= crc32(data, 0);
+
+  bench.start();
+  let sum = 0;
+  for (let i = 0; i < iters; i++) sum ^= crc32(data, 0);
+  bench.end(iters);
+
+  if (sum === acc - 1) process.stderr.write('');
+}

deps/googletest/include/gtest/internal/gtest-port.h

@@ -1385,9 +1385,9 @@ class GTEST_API_ Mutex {
   Mutex();
   ~Mutex();
 
-  void Lock();
+  void lock();
 
-  void Unlock();
+  void unlock();
 
   // Does nothing if the current thread holds the mutex. Otherwise, crashes
   // with high probability.
@@ -1424,9 +1424,9 @@ class GTEST_API_ Mutex {
 // "MutexLock l(&mu)".  Hence the typedef trick below.
 class GTestMutexLock {
  public:
-  explicit GTestMutexLock(Mutex* mutex) : mutex_(mutex) { mutex_->Lock(); }
+  explicit GTestMutexLock(Mutex* mutex) : mutex_(mutex) { mutex_->lock(); }
 
-  ~GTestMutexLock() { mutex_->Unlock(); }
+  ~GTestMutexLock() { mutex_->unlock(); }
 
  private:
   Mutex* const mutex_;
@@ -1641,14 +1641,14 @@ class ThreadLocal : public ThreadLocalBase {
 class MutexBase {
  public:
   // Acquires this mutex.
-  void Lock() {
+  void lock() {
     GTEST_CHECK_POSIX_SUCCESS_(pthread_mutex_lock(&mutex_));
     owner_ = pthread_self();
     has_owner_ = true;
   }
 
   // Releases this mutex.
-  void Unlock() {
+  void unlock() {
     // Since the lock is being released the owner_ field should no longer be
     // considered valid. We don't protect writing to has_owner_ here, as it's
     // the caller's responsibility to ensure that the current thread holds the
@@ -1716,9 +1716,9 @@ class Mutex : public MutexBase {
 // "MutexLock l(&mu)".  Hence the typedef trick below.
 class GTestMutexLock {
  public:
-  explicit GTestMutexLock(MutexBase* mutex) : mutex_(mutex) { mutex_->Lock(); }
+  explicit GTestMutexLock(MutexBase* mutex) : mutex_(mutex) { mutex_->lock(); }
 
-  ~GTestMutexLock() { mutex_->Unlock(); }
+  ~GTestMutexLock() { mutex_->unlock(); }
 
  private:
   MutexBase* const mutex_;
@@ -1864,8 +1864,8 @@ class GTEST_API_ ThreadLocal {
 class Mutex {
  public:
   Mutex() {}
-  void Lock() {}
-  void Unlock() {}
+  void lock() {}
+  void unlock() {}
   void AssertHeld() const {}
 };
 
@@ -2322,6 +2322,13 @@ const char* StringFromGTestEnv(const char* flag, const char* default_val);
 }  // namespace internal
 }  // namespace testing
 
+#if GTEST_INTERNAL_HAVE_CPP_ATTRIBUTE(clang::annotate)
+#define GTEST_INTERNAL_DEPRECATE_AND_INLINE(msg) \
+  [[deprecated(msg), clang::annotate("inline-me")]]
+#else
+#define GTEST_INTERNAL_DEPRECATE_AND_INLINE(msg) [[deprecated(msg)]]
+#endif
+
 #if defined(__cpp_lib_span) || (GTEST_INTERNAL_HAS_INCLUDE(<span>) && \
                                 GTEST_INTERNAL_CPLUSPLUS_LANG >= 202002L)
 #define GTEST_INTERNAL_HAS_STD_SPAN 1

deps/googletest/src/gtest-port.cc

@@ -320,13 +320,13 @@ Mutex::~Mutex() {
   }
 }
 
-void Mutex::Lock() {
+void Mutex::lock() {
   ThreadSafeLazyInit();
   ::EnterCriticalSection(critical_section_);
   owner_thread_id_ = ::GetCurrentThreadId();
 }
 
-void Mutex::Unlock() {
+void Mutex::unlock() {
   ThreadSafeLazyInit();
   // We don't protect writing to owner_thread_id_ here, as it's the
   // caller's responsibility to ensure that the current thread holds the

deps/ncrypto/ncrypto.cc

@@ -8,7 +8,9 @@
 #include <openssl/rand.h>
 #include <openssl/x509v3.h>
 #include <algorithm>
+#include <array>
 #include <cstring>
+#include <string_view>
 #if OPENSSL_VERSION_MAJOR >= 3
 #include <openssl/core_names.h>
 #include <openssl/params.h>
@@ -1094,6 +1096,29 @@ BIOPointer X509View::getValidTo() const {
   return bio;
 }
 
+std::optional<std::string_view> X509View::getSignatureAlgorithm() const {
+  if (cert_ == nullptr) return std::nullopt;
+  int nid = X509_get_signature_nid(cert_);
+  if (nid == NID_undef) return std::nullopt;
+  const char* ln = OBJ_nid2ln(nid);
+  if (ln == nullptr) return std::nullopt;
+  return std::string_view(ln);
+}
+
+std::optional<std::string> X509View::getSignatureAlgorithmOID() const {
+  if (cert_ == nullptr) return std::nullopt;
+  const X509_ALGOR* alg = nullptr;
+  X509_get0_signature(nullptr, &alg, cert_);
+  if (alg == nullptr) return std::nullopt;
+  const ASN1_OBJECT* obj = nullptr;
+  X509_ALGOR_get0(&obj, nullptr, nullptr, alg);
+  if (obj == nullptr) return std::nullopt;
+  std::array<char, 128> buf{};
+  int len = OBJ_obj2txt(buf.data(), buf.size(), obj, 1);
+  if (len < 0 || static_cast<size_t>(len) >= buf.size()) return std::nullopt;
+  return std::string(buf.data(), static_cast<size_t>(len));
+}
+
 int64_t X509View::getValidToTime() const {
 #ifdef OPENSSL_IS_BORINGSSL
   // Boringssl does not implement ASN1_TIME_to_tm in a public way,

deps/ncrypto/ncrypto.h

@@ -1191,6 +1191,8 @@ class X509View final {
   BIOPointer getInfoAccess() const;
   BIOPointer getValidFrom() const;
   BIOPointer getValidTo() const;
+  std::optional<std::string_view> getSignatureAlgorithm() const;
+  std::optional<std::string> getSignatureAlgorithmOID() const;
   int64_t getValidFromTime() const;
   int64_t getValidToTime() const;
   DataPointer getSerialNumber() const;