chore(deps): update all dependencies (major)

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence	Type	Update
@types/node (source)	20.17.19 -> 22.14.1					devDependencies	major
actions/create-github-app-token	v1.11.5 -> v2.0.2					action	major
node (source)	20.18.3 -> 22.14.0						major
pnpm (source)	9.15.4 -> 10.8.1					packageManager	major
wrangler (source)	3.109.1 -> 4.12.0					devDependencies	major

---

Release Notes

actions/create-github-app-token (actions/create-github-app-token)

v2.0.2

Compare Source

Bug Fixes

• improve log messages for token creation (#​226) (eaef294)

v2.0.1

Compare Source

Bug Fixes

• deps: bump the production-dependencies group across 1 directory with 2 updates (#​228) (2411bfc)

v2.0.0

Compare Source

• feat!: remove deprecated inputs (#​213) (5cc811b)

BREAKING CHANGES

• Removed deprecated inputs (app_id, private_key, skip_token_revoke) and made app-id and private-key required in the action configuration.

v1.12.0

Compare Source

Features

• permissions (#​168) (0e0aa99)

v1.11.7

Compare Source

Bug Fixes

• deps: bump undici from 5.28.4 to 7.5.0 (#​214) (a24b46a)

v1.11.6

Compare Source

Bug Fixes

• deps: bump the production-dependencies group with 2 updates (#​210) (1ff1dea)

nodejs/node (node)

v22.14.0: 2025-02-11, Version 22.14.0 'Jod' (LTS), @​aduh95

Compare Source

Notable Changes

• [82a9000e9e] - crypto: update root certificates to NSS 3.107 (Node.js GitHub Bot) #​56566
• [b7fe54fc88] - (SEMVER-MINOR) fs: allow exclude option in globs to accept glob patterns (Daeyeon Jeong) #​56489
• [3ac92ef607] - (SEMVER-MINOR) lib: add typescript support to STDIN eval (Marco Ippolito) #​56359
• [1614e8e7bc] - (SEMVER-MINOR) module: add ERR_UNSUPPORTED_TYPESCRIPT_SYNTAX (Marco Ippolito) #​56610
• [6d6cffa9cc] - (SEMVER-MINOR) module: add findPackageJSON util (Jacob Smith) #​55412
• [d35333ae18] - (SEMVER-MINOR) process: add process.ref() and process.unref() methods (James M Snell) #​56400
• [07ff3ddcb5] - (SEMVER-MINOR) sqlite: support TypedArray and DataView in StatementSync (Alex Yang) #​56385
• [94d3fe1b62] - (SEMVER-MINOR) src: add --disable-sigusr1 to prevent signal i/o thread (Rafael Gonzaga) #​56441
• [5afffb4415] - (SEMVER-MINOR) src,worker: add isInternalWorker (Carlos Espa) #​56469
• [697a851fb3] - (SEMVER-MINOR) test_runner: add TestContext.prototype.waitFor() (Colin Ihrig) #​56595
• [047537b48c] - (SEMVER-MINOR) test_runner: add t.assert.fileSnapshot() (Colin Ihrig) #​56459
• [926cf84e95] - (SEMVER-MINOR) test_runner: add assert.register() API (Colin Ihrig) #​56434
• [c658a8afdf] - (SEMVER-MINOR) worker: add eval ts input (Marco Ippolito) #​56394

Commits

• [bad1ad8650] - assert: make myers_diff function more performant (Giovanni Bucci) #​56303
• [e222e36f3b] - assert: make partialDeepStrictEqual work with urls and File prototypes (Giovanni Bucci) #​56231
• [e232789fe2] - assert: show diff when doing partial comparisons (Giovanni Bucci) #​56211
• [c99de1fdcf] - assert: make partialDeepStrictEqual throw when comparing [0] with [-0] (Giovanni) #​56237
• [2386fd5840] - benchmark: add validateStream to styleText bench (Rafael Gonzaga) #​56556
• [b197dfa7ec] - build: fix GN build for ngtcp2 (Cheng) #​56300
• [2a3cdd34ff] - build: test macos-13 on GitHub actions (Michaël Zasso) #​56307
• [12f716be0a] - build: build v8 with -fvisibility=hidden on macOS (Joyee Cheung) #​56275
• [c5ca15bd34] - child_process: fix parsing messages with splitted length field (Maksim Gorkov) #​56106
• [8346b8fc2c] - crypto: add missing return value check (Michael Dawson) #​56615
• [82a9000e9e] - crypto: update root certificates to NSS 3.107 (Node.js GitHub Bot) #​56566
• [890eef20a1] - crypto: fix checkPrime crash with large buffers (Santiago Gimeno) #​56559
• [5edb7b5e87] - crypto: fix warning of ignoring return value (Cheng) #​56527
• [b89f123a0b] - crypto: make generatePrime/checkPrime interruptible (James M Snell) #​56460
• [63c1859e01] - deps: update corepack to 0.31.0 (Node.js GitHub Bot) #​56795
• [a48430d4d3] - deps: move inspector_protocol to deps (Chengzhong Wu) #​56649
• [74cccc824f] - deps: macro ENODATA is deprecated in libc++ (Cheng) #​56698
• [fa869ea0f2] - deps: fixup some minor coverity warnings (James M Snell) #​56612
• [1a4fa2b015] - deps: update amaro to 0.3.0 (Node.js GitHub Bot) #​56568
• [b47076fd82] - deps: update amaro to 0.2.2 (Node.js GitHub Bot) #​56568
• [46bd4b8731] - deps: update simdutf to 6.0.3 (Node.js GitHub Bot) #​56567
• [8ead9c693b] - deps: update simdutf to 5.7.2 (Node.js GitHub Bot) #​56388
• [18d4b502af] - deps: update amaro to 0.2.1 (Node.js GitHub Bot) #​56390
• [d938d7cc86] - deps: update googletest to 7d76a23 (Node.js GitHub Bot) #​56387
• [9761e7dccb] - deps: update googletest to e54519b (Node.js GitHub Bot) #​56370
• [8319dc6bc5] - deps: update ngtcp2 to 1.10.0 (Node.js GitHub Bot) #​56334
• [6eacd19d6a] - deps: update simdutf to 5.7.0 (Node.js GitHub Bot) #​56332
• [28bec2dda3] - diagnostics_channel: capture console messages (Stephen Belanger) #​56292
• [d519d33502] - doc: update macOS and Xcode versions for releases (Michaël Zasso) #​56337
• [fcfe650507] - doc: add note for features using InternalWorker with permission model (Antoine du Hamel) #​56706
• [efbba182b5] - doc: add entry to changelog about SQLite Session Extension (Bart Louwers) #​56318
• [31bf9c7dd9] - doc: move anatoli to emeritus (Michael Dawson) #​56592
• [6096e38c7c] - doc: fix styles of the expandable TOC (Antoine du Hamel) #​56755
• [d423638281] - doc: add "Skip to content" button (Antoine du Hamel) #​56750
• [edeb157d75] - doc: improve accessibility of expandable lists (Antoine du Hamel) #​56749
• [1a79e87687] - doc: add note regarding commit message trailers (Dario Piotrowicz) #​56736
• [927c7e47e4] - doc: fix typo in example code for util.styleText (Robin Mehner) #​56720
• [fade522538] - doc: fix inconsistencies in WeakSet and WeakMap comparison details (Shreyans Pathak) #​56683
• [55533bf147] - doc: add RafaelGSS as latest sec release stewards (Rafael Gonzaga) #​56682
• [8e978bdee1] - doc: clarify cjs/esm diff in queueMicrotask() vs process.nextTick() (Dario Piotrowicz) #​56659
• [ae360c30dc] - doc: WeakSet and WeakMap comparison details (Shreyans Pathak) #​56648
• [acd2a2fda5] - doc: mention prepare --security (Rafael Gonzaga) #​56617
• [d3c0a2831d] - doc: tweak info on reposts in ambassador program (Michael Dawson) #​56589
• [3299505b49] - doc: add type stripping to ambassadors program (Marco Ippolito) #​56598
• [b1a6ffa4e4] - doc: improve internal documentation on built-in snapshot (Joyee Cheung) #​56505
• [1641a28930] - doc: document CLI way to open the nodejs/bluesky PR (Antoine du Hamel) #​56506
• [2042628fda] - doc: add section about using npx with permission model (Rafael Gonzaga) #​56539
• [ace19a0263] - doc: update gcc-version for ubuntu-lts (Kunal Kumar) #​56553
• [4aa57b50f8] - doc: fix parentheses in options (Tobias Nießen) #​56563
• [b40b01b4d3] - doc: include CVE to EOL lines as sec release process (Rafael Gonzaga) #​56520
• [6701360113] - doc: add esm examples to node:trace_events (Alfredo González) #​56514
• [d3207cca3e] - doc: add message for Ambassadors to promote (Michael Dawson) #​56235
• [97ece4ae06] - doc: allow request for TSC reviews via the GitHub UI (Antoine du Hamel) #​56493
• [03f25055ab] - doc: add example for piping ReadableStream (Gabriel Schulhof) #​56415
• [516d07482c] - doc: expand description of parseArg's default (Kevin Gibbons) #​54431
• [a6491effcb] - doc: use <ul> instead of <ol> in SECURITY.md (Antoine du Hamel) #​56346
• [e4ec134b21] - doc: clarify that WASM is trusted (Matteo Collina) #​56345
• [0f7aed8a59] - doc: fix the crc32 documentation (Kevin Toshihiro Uehara) #​55898
• [721104a296] - doc: fix links in module.md (Antoine du Hamel) #​56283
• [928540d792] - doc: fix typos (Nathan Baulch) #​55066
• [e69d35f03b] - doc: add history info for Permission Model (Antoine du Hamel) #​56707
• [c6fd867ab5] - esm: fix jsdoc type refs to ModuleJobBase in esm/loader (Jacob Smith) #​56499
• [9cf9046bd7] - Revert "events: add hasEventListener util for validate" (origranot) #​56282
• [b7fe54fc88] - (SEMVER-MINOR) fs: allow exclude option in globs to accept glob patterns (Daeyeon Jeong) #​56489
• [6ca27c2a59] - http2: omit server name when HTTP2 host is IP address (islandryu) #​56530
• [9f1fa199bf] - inspector: roll inspector_protocol (Chengzhong Wu) #​56649
• [0dae4bb3ab] - inspector: add undici http tracking support (Chengzhong Wu) #​56488
• [2c6124cec4] - inspector: report loadingFinished until the response data is consumed (Chengzhong Wu) #​56372
• [96ec862ce2] - lib: refactor execution.js (Marco Ippolito) #​56358
• [3ac92ef607] - (SEMVER-MINOR) lib: add typescript support to STDIN eval (Marco Ippolito) #​56359
• [d5bf3db0cf] - lib: allow skipping source maps in node_modules (Chengzhong Wu) #​56639
• [d33eaf2bcb] - lib: ensure FORCE_COLOR forces color output in non-TTY environments (Pietro Marchini) #​55404
• [dc003218a8] - lib: optimize prepareStackTrace on builtin frames (Chengzhong Wu) #​56299
• [df06524863] - lib: suppress source map lookup exceptions (Chengzhong Wu) #​56299
• [35335a5a66] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​56580
• [1faabdb150] - meta: add codeowners of security release document (Rafael Gonzaga) #​56521
• [b4ece22ef5] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​56342
• [9ec67e7ce0] - meta: move MoLow to TSC regular member (Moshe Atlow) #​56276
• [bae4b2e20a] - module: use more defensive code when handling SWC errors (Antoine du Hamel) #​56646
• [1614e8e7bc] - (SEMVER-MINOR) module: add ERR_UNSUPPORTED_TYPESCRIPT_SYNTAX (Marco Ippolito) #​56610
• [174d88eab1] - module: support eval with ts syntax detection (Marco Ippolito) #​56285
• [299d6fa829] - module: fix jsdoc for format parameter in cjs/loader (pacexy) #​56501
• [0307e4dd59] - module: unify TypeScript and .mjs handling in CommonJS (Joyee Cheung) #​55590
• [1f4f9be93d] - module: fix async resolution error within the sync findPackageJSON (Jacob Smith) #​56382
• [bbedffa0f0] - module: simplify findPackageJSON implementation (Antoine du Hamel) #​55543
• [6d6cffa9cc] - (SEMVER-MINOR) module: add findPackageJSON util (Jacob Smith) #​55412
• [cd7ce18233] - module: fix bad require.resolve with option paths for . and .. (Dario Piotrowicz) #​56735
• [152df4da21] - module: rethrow amaro error message (Marco Ippolito) #​56568
• [acba5dc87e] - module: use buffer.toString base64 (Chengzhong Wu) #​56315
• [01e69be8ff] - node-api: define version 10 (Gabriel Schulhof) #​55676
• [724524528e] - node-api: remove deprecated attribute from napi_module_register (Vladimir Morozov) #​56162
• [c78e11064f] - process: remove support for undocumented symbol (Antoine du Hamel) #​56552
• [3f69b18a23] - process: fix symbol key and mark experimental new node:process methods (Antoine du Hamel) #​56517
• [d35333ae18] - (SEMVER-MINOR) process: add process.ref() and process.unref() methods (James M Snell) #​56400
• [fa49f0f7d5] - punycode: limit deprecation warning (Colin Ihrig) #​56632
• [d77c7073b7] - sqlite: disable memstatus APIs at build time (Colin Ihrig) #​56541
• [07ff3ddcb5] - (SEMVER-MINOR) sqlite: support TypedArray and DataView in StatementSync (Alex Yang) #​56385
• [b6c2e91365] - sqlite: enable SQL math functions (Colin Ihrig) #​56447
• [3462263e8b] - sqlite: pass conflict type to conflict resolution handler (Bart Louwers) #​56352
• [89ba3af743] - src: add nullptr handling from X509_STORE_new() (Burkov Egor) #​56700
• [89a7c82e0c] - src: add default value for RSACipherConfig mode field (Burkov Egor) #​56701
• [7bae51e62e] - src: fix build with GCC 15 (tjuhaszrh) #​56740
• [432a4b8bd6] - src: fix to generate path from wchar_t via wstring (yamachu) #​56696
• [8c9eaf82f0] - src: initialize FSReqWrapSync in path that uses it (Michaël Zasso) #​56613
• [bcdb42d40b] - src: handle duplicate paths granted (Rafael Gonzaga) #​56591
• [d6a7acc207] - src: update ECKeyPointer in ncrypto (James M Snell) #​56526
• [01922f8b1f] - src: update ECPointPointer in ncrypto (James M Snell) #​56526
• [2a3a36eceb] - src: update ECGroupPointer in ncrypto (James M Snell) #​56526
• [67c10cdacb] - src: update ECDASSigPointer implementation in ncrypto (James M Snell) #​56526
• [17f931c68b] - src: cleaning up more crypto internals for ncrypto (James M Snell) #​56526
• [94d3fe1b62] - (SEMVER-MINOR) src: add --disable-sigusr1 to prevent signal i/o thread (Rafael Gonzaga) #​56441
• [6594ee8dff] - src: fix undefined script name in error source (Chengzhong Wu) #​56502
• [b46bad3e91] - src: refactor --trace-env to reuse option selection and handling (Joyee Cheung) #​56293
• [76921b822b] - src: minor cleanups on OneByteString usage (James M Snell) #​56482
• [3f0d1dd4fe] - src: move more crypto impl detail to ncrypto dep (James M Snell) #​56421
• [04f623b283] - src: fixup more ToLocalChecked uses in node_file (James M Snell) #​56484
• [5aa436f5a1] - src: make some minor ToLocalChecked cleanups (James M Snell) #​56483
• [6eec5e7ec2] - src: lock the thread properly in snapshot builder (Joyee Cheung) #​56327
• [5614993968] - src: drain platform tasks before creating startup snapshot (Chengzhong Wu) #​56403
• [48493e9fd5] - src: use LocalVector in more places (James M Snell) #​56457
• [7e5ea0681e] - src: use v8::LocalVector consistently with other minor cleanups (James M Snell) #​56417
• [ad3d857f2b] - src: use starts_with in fs_permission.cc (ishabi) #​55811
• [5afffb4415] - (SEMVER-MINOR) src,worker: add isInternalWorker (Carlos Espa) #​56469
• [7d1676e72e] - stream: fix typo in ReadableStreamBYOBReader.readIntoRequests (Mattias Buelens) #​56560
• [e658ea6b26] - stream: validate undefined sizeAlgorithm in WritableStream (Jason Zhang) #​56067
• [e4f133c20c] - test: add ts eval snapshots (Marco Ippolito) #​56358
• [f041742400] - test: remove empty lines from snapshots (Marco Ippolito) #​56358
• [801cde91f6] - test: reduce number of written chunks (Luigi Pinca) #​56757
• [6fdf1879ab] - test: fix invalid common.mustSucceed() usage (Luigi Pinca) #​56756
• [d2bfbfa364] - test: use strict mode in global setters test (Rich Trott) #​56742
• [5c030da42f] - test: cleanup and simplify test-crypto-aes-wrap (James M Snell) #​56748
• [f1442d6eaf] - test: do not use common.isMainThread (Luigi Pinca) #​56768
• [49405bd9e7] - test: make some requires lazy in common/index (James M Snell) #​56715
• [52ef376788] - test: add test that uses multibyte for path and resolves modules (yamachu) #​56696
• [b811dea85a] - test: replace more uses of global with globalThis (James M Snell) #​56712
• [eb97076199] - test: make common/index slightly less node.js specific (James M Snell) #​56712
• [1795202d19] - test: rely less on duplicative common test harness utilities (James M Snell) #​56712
• [5be29a274e] - test: simplify common/index.js (James M Snell) #​56712
• [92e99780f0] - test: move hasMultiLocalhost to common/net (James M Snell) #​56716
• [1c3204a4cc] - test: move crypto related common utilities in common/crypto (James M Snell) #​56714
• [fe79d63be0] - test: add missing test for env file (Jonas) #​56642
• [e08af61537] - test: enforce strict mode in test-zlib-const (Rich Trott) #​56689
• [c96792d7f8] - test: fix localization data for ICU 74.2 (Antoine du Hamel) #​56661
• [48b72f1195] - test: use --permission instead of --experimental-permission (Rafael Gonzaga) #​56685
• [de81d90fce] - test: test-stream-compose.js doesn't need internals (Meghan Denny) #​56619
• [f5b8499ad0] - test: add maxCount and gcOptions to gcUntil() (Joyee Cheung) #​56522
• [d9e5a81041] - test: add line break at end of file (Rafael Gonzaga) #​56588
• [59be346fbf] - test: mark test-worker-prof as flaky on smartos (Joyee Cheung) #​56583
• [12a2cae9e5] - test: update test-child-process-bad-stdio to use node:test (Colin Ihrig) #​56562
• [2dc4a30e19] - test: disable openssl 3.4.0 incompatible tests (Jelle van der Waa) #​56160
• [1950fbf51d] - test: make test-crypto-hash compatible with OpenSSL > 3.4.0 (Jelle van der Waa) #​56160
• [a533420a91] - test: clarify fork inherit permission flags (Rafael Gonzaga) #​56523
• [697e799dc1] - test: add error only reporter for node:test (Carlos Espa) #​56438
• [4844fa212d] - test: mark test-http-server-request-timeouts-mixed as flaky (Joyee Cheung) #​56503
• [843c2389b9] - test: update error code in tls-psk-circuit for for OpenSSL 3.4 (sebastianas) #​56420
• [ccb2ddbd83] - test: update compiled sqlite tests to match other tests (Colin Ihrig) #​56446
• [b40f50324d] - test: add initial test426 coverage (Chengzhong Wu) #​56436
• [059f81e4fd] - test: update test-set-http-max-http-headers to use node:test (Colin Ihrig) #​56439
• [ec2940b418] - test: update test-child-process-windows-hide to use node:test (Colin Ihrig) #​56437
• [0362924880] - test: use unusual chars in the path to ensure our tests are robust (Antoine du Hamel) #​48409
• [b6c3869910] - test: improve abort signal dropping test (Edy Silva) #​56339
• [cc648ef923] - test: enable ts test on win arm64 (Marco Ippolito) #​56349
• [68819b4997] - test: deflake test-watch-file-shared-dependency (Luigi Pinca) #​56344
• [ca6ed2190c] - test: skip test-sqlite-extensions when SQLite is not built by us (Antoine du Hamel) #​56341
• [8ffeb8b58c] - test: increase spin for eventloop test on s390 (Michael Dawson) #​56228
• [6ae9950f08] - test: migrate message eval tests from Python to JS (Yiyun Lei) #​50482
• [4352bf69e9] - test: check typescript loader (Marco Ippolito) #​54657
• [406e7db9c3] - test: remove async-hooks/test-writewrap flaky designation (Luigi Pinca) #​56048
• [fa56ab2bba] - test: deflake test-esm-loader-hooks-inspect-brk (Luigi Pinca) #​56050
• [8e149aac99] - test: add test case for listeners (origranot) #​56282
• [a3f5ef22cd] - test: make test-permission-sqlite-load-extension more robust (Antoine du Hamel) #​56295
• [8cbb7cc838] - test_runner: print failing assertion only once with spec reporter (Pietro Marchini) #​56662
• [1f426bad9a] - test_runner: remove unused errors (Pietro Marchini) #​56607
• [697a851fb3] - (SEMVER-MINOR) test_runner: add TestContext.prototype.waitFor() (Colin Ihrig) #​56595
• [047537b48c] - (SEMVER-MINOR) test_runner: add t.assert.fileSnapshot() (Colin Ihrig) #​56459
• [19b4aa4b14] - test_runner: run single test file benchmark (Pietro Marchini) #​56479
• [926cf84e95] - (SEMVER-MINOR) test_runner: add assert.register() API (Colin Ihrig) #​56434
• [fb4661a4cf] - test_runner: finish marking snapshot testing as stable (Colin Ihrig) #​56425
• [900c6c3940] - tls: fix error stack conversion in cryptoErrorListToException() (Joyee Cheung) #​56554
• [e9f185b658] - tools: update doc to new version (Node.js GitHub Bot) #​56259
• [7644c7e619] - tools: update inspector_protocol roller (Chengzhong Wu) #​56649
• [362272b0a4] - tools: do not throw on missing create-release-proposal.sh (Antoine du Hamel) #​56704
• [df8b835953] - tools: fix tools-deps-update (Daniel Lemire) #​56684
• [feba5d3274] - tools: do not throw on missing create-release-proposal.sh (Antoine du Hamel) #​56695
• [9827f7d395] - tools: fix permissions in lint-release-proposal workflow (Antoine du Hamel) #​56614
• [14c562c0dc] - tools: remove github reporter (Carlos Espa) #​56468
• [ed1785d0ae] - tools: edit create-release-proposal workflow (Antoine du Hamel) #​56540
• [294e4c42f5] - tools: validate commit list as part of lint-release-commit (Antoine du Hamel) #​56291
• [98d3474267] - tools: fix loong64 build failed (Xiao-Tao) #​56466
• [3e729ceec8] - tools: disable unneeded rule ignoring in Python linting (Rich Trott) #​56429
• [d5c05328e2] - tools: use a configurable value for number of open dependabot PRs (Antoine du Hamel) #​56427
• [1705cbe002] - tools: bump the eslint group in /tools/eslint with 4 updates (dependabot[bot]) #​56426
• [53b29b0469] - tools: fix require-common-first lint rule from subfolder (Antoine du Hamel) #​56325
• [105c4ed4fb] - tools: add release line label when opening release proposal (Antoine du Hamel) #​56317
• [30f61f4aa5] - url: use resolved path to convert UNC paths to URL (Antoine du Hamel) #​56302
• [a0aef4dfb6] - util: inspect: do not crash on an Error stack that contains a Symbol (Jordan Harband) #​56573
• [a8a060341f] - util: inspect: do not crash on an Error with a regex name (Jordan Harband) #​56574
• [ea66bf3553] - util: rename CallSite.column to columnNumber (Chengzhong Wu) #​56584
• [9cdc3b373c] - util: do not crash on inspecting function with Symbol name (Jordan Harband) #​56572
• [0bfbb68569] - util: expose CallSite.scriptId (Chengzhong Wu) #​56551
• [5dd7116e09] - watch: reload env file for --env-file-if-exists (Jonas) #​56643
• [c658a8afdf] - (SEMVER-MINOR) worker: add eval ts input (Marco Ippolito) #​56394
• [2e5d038f48] - worker: refactor stdio to improve performance (Matteo Collina) #​56630
• [f959805d01] - worker: flush stdout and stderr on exit (Matteo Collina) #​56428

v22.13.1: 2025-01-21, Version 22.13.1 'Jod' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

• CVE-2025-23083 - src,loader,permission: throw on InternalWorker use when permission model is enabled (High)
• CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
• CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)

Dependency update:

• CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

Commits

• [520da342e0] - (CVE-2025-22150) deps: update undici to v6.21.1 (Matteo Collina) nodejs-private/node-private#662
• [99f217369f] - (CVE-2025-23084) path: fix path traversal in normalize() on Windows (Tobias Nießen) nodejs-private/node-private#555
• [984f735e35] - (CVE-2025-23085) src: fix HTTP2 mem leak on premature close and ERR_PROTO (RafaelGSS) nodejs-private/node-private#650
• [2446870618] - (CVE-2025-23083) src,loader,permission: throw on InternalWorker use (RafaelGSS) nodejs-private/node-private#651

v22.13.0: 2025-01-07, Version 22.13.0 'Jod' (LTS), @​ruyadorno

Compare Source

Notable Changes

Stabilize Permission Model

Upgrades the Permission Model status from Active Development to Stable.

Contributed by Rafael Gonzaga #​56201

Graduate WebCryptoAPI Ed25519 and X25519 algorithms as stable

Following the merge of Curve25519 into the Web Cryptography API Editor's Draft the Ed25519 and X25519 algorithm identifiers are now stable and will no longer emit an ExperimentalWarning upon use.

Contributed by (Filip Skokan) #​56142

Other Notable Changes

• [05d6227a88] - (SEMVER-MINOR) assert: add partialDeepStrictEqual (Giovanni Bucci) #​54630
• [a933103499] - (SEMVER-MINOR) cli: implement --trace-env and --trace-env-[js|native]-stack (Joyee Cheung) #​55604
• [[ba9d5397de](https://redirect.github.com/nodejs/node/commit/b

---

Configuration

📅 Schedule: Branch creation - "before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[cloudflare-workers-and-pages]

Deploying astro-tips with    Cloudflare Pages

Latest commit:	3039935
Status:	🚫  Build failed.

View logs