·
592 commits
to main
since this release
This is a security release.
Notable Changes
lib:
- (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#750
permission: - (CVE-2026-21636) add network check on pipe_wrap connect (RafaelGSS) nodejs-private/node-private#784
- (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760
- (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748
src: - (CVE-2025-59466) rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773
src,lib: - (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759
tls: - (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#790
Commits
- [
a6a74b89a7] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #60997 - [
5100614e26] - deps: update undici to 7.18.2 (Node.js GitHub Bot) #61283 - [
f0a8916887] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#750 - [
b4b887c5f7] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#748 - [
26be208039] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760 - [
bdf5873d44] - (CVE-2026-21636) permission: add network check on pipe_wrap connect (RafaelGSS) nodejs-private/node-private#784 - [
0578e3e921] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773 - [
4d6b55a6d1] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#759 - [
c357a39e14] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#790