Weekly GitHub Report for Node

Thank you for subscribing to our weekly newsletter! Each week, we deliver a comprehensive summary of your GitHub project's latest activity right to your inbox, including an overview of your project's issues, pull requests, contributors, and commit activity.

Table of Contents

• I. News
  • 1.1. Recent Version Releases
  • 1.2. Other Noteworthy Updates
• II. Issues
  • 2.1. Top 5 Active Issues
  • 2.2. Top 5 Stale Issues
  • 2.3. Open Issues
  • 2.4. Closed Issues
  • 2.5. Issue Discussion Insights

• III. Pull Requests
  • 3.1. Open Pull Requests
  • 3.2. Closed Pull Requests
  • 3.3. Pull Request Discussion Insights

• IV. Contributors
  • 4.1. Contributors

I. News

1.1 Recent Version Releases:

The current version of this repository is v23.10.0

1.2 Version Information:

Released on March 13, 2025, this version introduces the --experimental-config-file feature, allowing developers to use JSON configuration files to simplify flag management for test runners and other features, enhancing developer experience. Additionally, it includes updates to root certificates, new TLS and V8 methods, improved error handling, and various tooling and documentation enhancements.

II. Issues

2.1 Top 5 Active Issues:

We consider active issues to be issues that that have been commented on most frequently within the last week. Bot comments are omitted.

1. [TEST_RUNNER] mock.module.restore fails if module is already present in ESM cache: This issue describes a problem with the mock.module.restore function in the Node.js test runner, where it fails to properly restore modules if they are already present in the ESM cache, causing tests that rely on mocking to fail unpredictably. The user provides examples showing that when tests are run without isolation, the mocked modules are not invalidated correctly, making it difficult to mock modules effectively and leading to performance issues in large projects.

   • The comments discuss a potential fix via an upcoming pull request and suggest workarounds involving query parameters to bypass the ESM cache. Contributors also highlight limitations of these workarounds, especially with nested imports, and propose improvements to the mock loader to better handle cache invalidation and restoration.
   • Number of comments this week: 7

2. The punycode deprecation trace is not useful: This issue reports that the deprecation warning trace for the punycode module in Node.js v24.13.1 is not helpful because it does not indicate which package or file is requiring the deprecated module, making it difficult to identify the source of the warning. The user expects the trace to clearly show the origin of the deprecated usage, but instead, the trace points only to internal Node.js code, and there is also a related problem where the warning appears incorrectly in some scenarios.

   • The comments reveal that this problem is a regression introduced in v24.13.1 and has been fixed in later versions of Node.js and the psl package; the warning should not appear for code inside node_modules in recent Node.js versions. Additionally, the trace does not accurately show the deprecated code location, and there is a documentation mismatch regarding the deprecation type. The issue was confirmed with minimal repro steps, and a documentation update pull request was submitted.
   • Number of comments this week: 5

3. Event Loop poll with no io pending is slow on macos: This issue addresses a performance problem on macOS where the event loop poll experiences a delay of approximately 12 microseconds when no I/O is pending, significantly slowing down throughput for setImmediate calls. The author proposes modifying libuv or applying patches to eliminate this delay, potentially improving event loop efficiency by up to 25 times, and is seeking feedback on the feasibility and implementation details from libuv maintainers.

   • The comments suggest prioritizing targeting libuv first to maximize benefits across projects, acknowledge uncertainty about real-world impact but agree that performance improvements are generally positive, and note that an issue has been created in the libuv repository to track this work.
   • Number of comments this week: 4

4. Using --test causes process.argv[] to lose user-specified CLI flags: This issue reports that when running a Node.js script with the --test flag, user-specified command-line interface (CLI) flags are omitted from process.argv, which does not happen when running the script without --test. This behavior causes problems for testing code that relies on process.argv to access user-provided flags, as the expected flags are missing during test runs.

   • The comments discuss whether this issue existed in earlier Node.js versions, with one user suspecting a similar problem in version 24.4, but it is clarified that the previous issue was related to V8-specific flags and likely unrelated. It is also noted that this behavior is not a regression and appears to have never been supported, with confirmation that the issue reproduces in Node.js versions 22 and 24 as well.
   • Number of comments this week: 3

5. [I18N-API] [ICU] Intl.DateTimeFormat('de-CH', {year, month}) outputs different separators between Node 24.13.0 and 24.13.1: This issue reports that the Intl.DateTimeFormat function for the 'de-CH' locale produces different date separators between Node.js versions 24.13.0 and 24.13.1, changing from a dot to a slash for year and month formatting, which breaks server-side rendering and client hydration in frameworks like Next.js. The expected behavior is consistent locale-specific formatting across versions, but the update in ICU data caused this discrepancy, affecting not only date formatting but also number formatting in the same locale.

   • The comments explain that this change is due to an unavoidable update in ICU locale data synchronization between browsers and Node.js, with similar formatting changes observed in Firefox. Users report related issues with number formatting in 'de-CH', and it is clarified that these changes stem from a recent ICU update, which has been discussed previously in the Node.js project.
   • Number of comments this week: 3

2.2 Top 5 Stale Issues:

We consider stale issues to be issues that has had no activity within the last 30 days. The team should work together to get these issues resolved and closed as soon as possible.

As of our latest update, there are no stale issues for the project this week.

2.3 Open Issues

This section lists, groups, and then summarizes issues that were created within the last week in the repository.

Issues Opened This Week: 17

Summarized Issues:

• Test mocking and isolation issues: The mock.module.restore function fails to properly restore mocked modules if they are already cached in ESM, causing tests to fail due to modules not being invalidated or replaced correctly. Additionally, the --test flag causes process.argv to omit user-specified flags, complicating testing scenarios that rely on command-line arguments.
• [issues/61841, issues/61852]

• Test lifecycle callback behavior: There are problems with beforeEach callbacks running outside test suites when test isolation is disabled, causing them to act as global hooks and run before and after every test across files. Enhancements are also proposed to allow lifecycle callbacks like beforeEach in the test-global-setup module to run correctly in each test subprocess under process isolation.
• [issues/61853, issues/61854]

• HTTP and server module inconsistencies: Setting HTTP2ServerRequest headers directly throws an error as expected, but mutating the headers object via Object.assign does not, leading to inconsistent behavior. There is also a request for clearer documentation on the keepAlive options in http and net server modules due to ambiguities about when keep-alive is enabled and timeout interpretations.
• [issues/61850, issues/61851]

• Performance and event loop delays: On macOS, the event loop poll experiences a ~12µs delay when no I/O is pending, which impacts throughput for setImmediate calls. Proposed changes to libuv aim to significantly improve this performance, with feedback sought before submitting a pull request.
• [issues/61843]

• File system and path handling bugs: The fs.cpSync function on Windows fails to copy files when the destination path contains accented characters, completing without errors but copying nothing. Also, piping an HTTPS ServerResponse to a file stream does not fully consume the response data, resulting in smaller-than-expected files and assertion errors comparing file size to content-length.
• [issues/61878, issues/61881]

• Memory leak in HTTP requests: Using http.request with HTTP parsers reused causes a memory leak where AsyncContextFrame instances and data in AsyncLocalStorage are not released, leading to persistent memory usage. This leak does not occur when using fetch or disabling parser reuse.
• [issues/61882]

• Security vulnerability due to outdated OpenSSL: Node.js version 20.20.0 is built with OpenSSL 3.0.17 instead of the patched 3.0.19, leaving it vulnerable to CVE-2025-15467 as detected by AWS inspector in multiple OpenSSL header files.
• [issues/61887]

• Deprecation warning trace clarity: The deprecation warning trace for the punycode module in Node.js v24.13.1 lacks clarity, failing to indicate which package or file requires the deprecated module, making it difficult to identify the source despite using --trace-deprecation.
• [issues/61901]

• Regular expression performance issues: A regular expression in the getDataProtocolModuleFormat function suffers from non-linear (polynomial) backtracking due to interchangeable quantifiers, causing inefficient regex performance and potential super-linear backtracking. A thorough scan of all regex patterns using an ESLint plugin is suggested.
• [issues/61904]

• Unexpected process restart with watch and env-file: Using the --env-file option with --watch-path causes the Node.js process to restart when an unrelated directory is touched, whereas without --env-file no restart occurs, indicating unexpected behavior in the watch mechanism.
• [issues/61906]

• Debugger crash due to octal escape sequences: The presence of octal escape sequences (e.g., \033) in code causes the debugger to crash with a segmentation violation on Linux using Node.js v25.6.1.
• [issues/61917]

• Request for Unix domain datagram socket support: There is a request to reintroduce support for Unix domain datagram sockets in Node.js to enable essential UNIX-like system tasks such as notifying SystemD of service status and logging to Syslog without extra configuration or dependencies.
• [issues/61933]

2.4 Closed Issues

This section lists, groups, and then summarizes issues that were closed within the last week in the repository. This section also links the associated pull requests if applicable.

Issues Closed This Week: 9

Summarized Issues:

• Fetch API file upload changes: Node.js 24 introduced a stricter type check for the fetch() API requiring file uploads to be instances of Blob, which breaks previous functionality that allowed streaming files without buffering them in memory. This change raises concerns about whether it is still possible to send files using fetch() without first buffering them in memory.
• issues/61812

• TLS 1.3 connection reset on macOS: Users experience random and intermittent TLS 1.3 connection reset errors on macOS when using OpenSSL 3.5.x with Node.js v25.4.0, while the issue does not occur with OpenSSL 3.0.x or when limiting TLS to version 1.2. This indicates a compatibility or regression problem specific to the newer OpenSSL version and TLS 1.3.
• issues/61867

• WeakRef garbage collection bug: In Node.js versions v24.13.1 and v25.6.1, WeakRef fails to allow garbage collection of objects set to null, causing references to be retained incorrectly. This bug prevents WeakRef from functioning as a true weak reference, impacting memory management.
• issues/61868

• Out-of-memory error in Vitest tests: Multiple Node.js versions encounter consistent out-of-memory errors when running Vitest test suites, caused by heap exhaustion likely due to creating Promises in an infinite loop within the test code. This issue highlights a critical memory leak scenario during testing.
• issues/61880

• Backport request for subpath imports: There is a request to backport a pull request enabling subpath imports starting with #/ from Node.js version 25.4.0 to earlier versions 22 and 24. This reflects a desire to maintain feature parity across supported Node.js versions.
• issues/61886

• GitHub Actions minutes exhaustion: The organization has exhausted its free GitHub Actions minutes, prompting discussions about disabling unnecessary workflows to reduce costs and manage build cache rate limits effectively. This issue addresses resource management and cost control for CI/CD pipelines.
• issues/61890

• Unspecified closed issues: Several issues titled "The TuckShop" and "Poly" are closed with no additional description or comments provided, indicating no further action or discussion.
• issues/61857, issues/61859

• Yemeni financial consulting platform "RTS": An issue references a Yemeni financial consulting platform called "RTS" without further details or context.
• issues/61932

2.5 Issue Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed issues that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed issues from the past week.

III. Pull Requests

3.1 Open Pull Requests

This section provides a summary of pull requests that were opened in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Opened This Week: 34

Key Open Pull Requests

1. deps: update V8 to 14.6: This pull request updates the V8 JavaScript engine to version 14.6 in the Node.js project, including necessary patches, build configuration changes, API deprecations handling, and support for platform-specific adjustments to ensure compatibility and improved functionality.

• URL: pull/61898

• Associated Commits: fd1ab, c6d60, d014e, 4645c, f2f73, 9e1f1, 0edba, 75442, 68afd, 2373a, 9c80b, 9bea9, 57e57, 1c76f, b9801, 8048a, abb46, db927, ffd71, 25c85

2. tools: update eslint to v10: This pull request updates the project's ESLint tool to version 10 along with the associated Babel packages to 8.0.0-rc.2, revises ESLint rules to accommodate breaking changes in version 10, and temporarily disables the new no-useless-assignment rule due to widespread errors it introduced across the codebase.

• URL: pull/61905

• Associated Commits: 580a2, dd585, 68d04, e199c, 1f482, 9626d, de72b, afff6

3. watch: fix --env-file-if-exists crashing on linux if the file is missing: This pull request fixes a crash on Linux caused by the --env-file-if-exists option combined with --watch when the specified .env file is missing, by implementing error handling to prevent the process from throwing an exception in such cases.

• URL: pull/61870

• Associated Commits: 6e0a5, 635ff, abb5f, 82654, e4851, 3f567, 232e0

Other Open Pull Requests

• CompressionStream and DecompressionStream ArrayBuffer support: This update modifies the CompressionStream and DecompressionStream implementations to accept plain ArrayBuffer inputs by normalizing them to Uint8Array views before passing to the underlying stream. This change aligns with the WHATWG Compression Streams specification and fixes the ERR_INVALID_ARG_TYPE error when writing ArrayBuffer chunks.
  • pull/61913

• Permission audit and diagnostics channel: A new --permission-audit flag was introduced to enable a warning-only permission model by emitting diagnostic messages instead of throwing errors. Additionally, C++ support for diagnostics channels was added to efficiently publish permission check results and other messages from native code without crossing JavaScript boundaries.
  • pull/61869

• Buffer operation performance improvements: Multiple Buffer operations were optimized, including copyBytesFrom, fill with ASCII input, indexOf for ASCII encoding, and swap16/32/64. These optimizations use direct byte offset calculations, V8 Fast API C++ functions, and eliminate unnecessary intermediate allocations, resulting in significant benchmarked speedups without regressions.
  • pull/61871

• Watch mode infinite loop fix: The infinite loop issue in watch mode was resolved by removing the NODE_OPTIONS environment variable from the child process spawn call. This prevents the loop while ensuring other flags in NODE_OPTIONS continue to function correctly.
  • pull/61838

• V8 serialization of DOMException objects: Enhancements were made to preserve DOMException objects during V8 serialization and deserialization by treating them as host objects. A custom serialization escape hatch was implemented similar to the behavior of structuredClone().
  • pull/61856

• Visual Studio 2022 and 2026 support and documentation: Support for Visual Studio 2026 was backported to the v24.x branch, including fixes for proper selection and compilation with Visual Studio 2022 and 2026. The BUILDING.md documentation was updated to explicitly support these toolchains along with Windows 10 and Windows 11 SDKs on 64-bit Windows hosts.
  • pull/61840, pull/61864

• SQLite statement invalidation handling: Issue #61819 was addressed by implementing handling for statement invalidation in the SQLite integration within Node.js.
  • pull/61877

• Null pointer checks in crypto BIO functions: The handling of null BUF_MEM* pointers in the ToV8Value() function was fixed by adding checks for null pointers returned from BIO_get_mem_ptr. This prevents null pointer dereferences and aligns behavior with similar functions like BIO_get_mem_data.
  • pull/61885

• Test runner dot reporter coverage enhancements: The test runner's dot reporter was improved to support displaying coverage failure messages, diagnostic messages, and the coverage report table when coverage thresholds are not met. This addresses previously unhandled test:diagnostic and test:coverage events.
  • pull/61891

• URLSearchParams and querystring encoding optimizations: Serialization and encoding performance of URLSearchParams.prototype.toString() and the internal encodeStr utility were optimized by using pre-allocated arrays and introducing a fast-path for short strings under 10 characters. These changes reduce complexity from quadratic to linear and improve throughput while ensuring full compliance with WHATWG URL standards.
  • pull/61896

• GitHub workflow optimizations: The GitHub workflow was optimized to prevent the Node.js project from being built twice during coverage jobs, reducing build time and improving efficiency. Additionally, workflows were updated to use ARM runners instead of other architectures to improve job completion speed and reduce costs, especially for private repository security release preparations.
  • pull/61899, pull/61903

• OpenSSL dependency update: The OpenSSL dependency was updated to version 3.0.19, including necessary source and architecture file changes to ensure compatibility with the Node.js project.
  • pull/61912

• Buffer.concat and Buffer.copy fix for large indices: Issue #55422 was fixed by correcting Buffer.concat and Buffer.copy to prevent silently producing invalid results when handling indices equal to or greater than 2^32. Changes include using uint64_t for consistency and adding new tests to verify the fix.
  • pull/61914

• Deprecation documentation update for punycode module: The documentation for deprecation DEP0040 (the punycode module) was updated to reflect its change from a runtime deprecation to an application-level deprecation affecting only non-node_modules code. This aligns with changes introduced in Node.js versions 22.14.0 and 23.7.0.
  • pull/61916

• Test runner branch coverage logic improvement: The branch coverage logic was modified to completely exclude branches that are entirely on ignored lines (marked by c8 ignore comments) from the BRDA output and coverage counts. This prevents ignored branches from appearing with zero coverage and polluting coverage reports.
  • pull/61845

• Snapshot path transformation regex fix: An issue in the Node.js test suite was fixed where snapshot path transformations incorrectly matched partial paths within directory names and URLs. A negative lookahead was added to regex patterns to ensure only complete path segments are matched, preventing false replacements.
  • pull/61846

• Race condition fix in fs.promises.writeFile: A race condition causing process crashes when the input stream emitted an error before the file was opened was fixed. A temporary error listener was attached to reject the promise immediately and safely close the file handle to prevent resource leaks.
  • pull/61849

• Introduction of lazy JSON parser: A new lazy JSON parser was introduced in the Node.js source code to improve JSON parsing behavior.
  • pull/61855

• Preservation of user-specified flags in test runner: The test runner was fixed to preserve user-specified flags in process.argv when running tests with the --test flag. Arguments following -- and unrecognized flags starting with - are now correctly passed to the test process.
  • pull/61858

• Webcrypto-modern-algos dictionary property rename: The length property was renamed to outputLength in the CShakeParams and KmacParams dictionaries to align with a recent change in the webcrypto-modern-algos specification. This ensures consistency while maintaining dictionary attribute order.
  • pull/61875

• Addition of triager efekrskl: The user efekrskl was added as a triager to the Node.js project, reflecting their active contributions and commitment to supporting the community.
  • pull/61876

• TCP keepAlive option documentation clarification: Documentation was clarified to specify that the keepAlive option enables TCP keepalive rather than controlling HTTP persistent connections. It was also clarified that setting keepAliveTimeout to 0 disables the timeout without disabling HTTP keep-alive itself.
  • pull/61883

• Null pointer check fix in RSA_new(): A missing nullptr check in the RSA_new() function within the crypto module was fixed to prevent potential null pointer dereferences. This addresses an issue identified by a static-dynamic analyzer.
  • pull/61888

3.2 Closed Pull Requests

This section provides a summary of pull requests that were closed in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Closed This Week: 31

Key Closed Pull Requests

1. module: fix extensionless entry with explicit type=commonjs: This pull request fixes an issue in the Node.js CommonJS loader where extensionless entry points with ESM syntax in packages explicitly marked as "type": "commonjs" would silently exit without error by ensuring such files are treated as CommonJS and cause a SyntaxError if ESM syntax is present.

• URL: pull/61600

• Associated Commits: 27ba1, 682ec, 06a7a, 98a51, 79cdb

• Associated Commits: 27ba1, 682ec, 06a7a, 98a51, 79cdb

2. lib: include ESM loader in the built-in snapshot: This pull request includes the ESM loader in the built-in snapshot to improve startup performance by enabling real-world applications to deserialize the ESM loader instead of initializing it from scratch, resulting in measurable benchmark improvements especially for non-empty scripts.

• URL: pull/61769

• Associated Commits: fa816, 92d6e, d00ee, 9cd87, f3311

• Associated Commits: fa816, 92d6e, d00ee, 9cd87, f3311

3. Audit of Node.js Technical Improvements and Bug Fixes: This pull request presents a detailed audit of the Node.js repository identifying and addressing technical improvements and bug fixes related to Web API parity, test modernization, performance optimizations at the C++/JavaScript boundary, and documentation accuracy, including spec compliance corrections in WritableStream, performance enhancements in async_hooks and fs, and reduced test flakiness.

• URL: pull/61935

• Associated Commits: 32a62, 7a73c, 56863

• Associated Commits: 32a62, 7a73c, 56863

Other Closed Pull Requests

• Socket error handling improvements: This pull request fixes an issue where socket errors could be unhandled during a brief window between synchronous socket creation and asynchronous error handler attachment by synchronously attaching the socketErrorListener in the onSocket method. This ensures that early emitted errors, such as those from blocklist checks or custom lookups, are properly caught and forwarded to the request's error handler.
  • pull/61770

• Deprecation and documentation updates: Multiple pull requests propose deprecating the url.resolve method due to its reliance on insecure APIs and simplify documentation examples by updating them to use newer language features like the using keyword. Additionally, documentation reorganizations improve clarity, such as moving the Temporal support section in BUILDING.md and cleaning up globals.md with reordered entries and fixed links.
  • pull/61780, pull/61842, pull/61805, pull/61822

• Build and CI workflow optimizations: Several pull requests update the build and continuous integration workflows by switching caching strategies from sccache to Nix/Cachix, skipping sscache on non-main branches to reduce cache thrashing, adding temporal tests and path-ignore rules for Windows workflows, and optimizing the auto-start CI workflow by downloading only required files to reduce runtime. These changes aim to improve build speed, reduce unnecessary triggers, and optimize caching efficiency.
  • pull/61860, pull/61790, pull/61810, pull/61811, pull/61874, pull/61900

• Bug fixes and code correctness: Fixes include correcting the fromList() function to prevent over-consumption of chunks causing stream corruption and a TypeError crash, removing redundant HTTP server option assignments to maintain a single source of truth, and fixing the generate_config_gypi.py script to produce valid JSON output. These changes improve stability and maintainability of the codebase.
  • pull/61884, pull/61743, pull/61791

• Performance improvements: Internal fast paths were introduced for ReadableStreamDefaultReader.read() and pipeTo() methods to significantly boost webstreams performance, achieving benchmarked speed increases of approximately 11% for pipeTo and 17-20% for buffered reads. Additionally, the util.styleText function was optimized for cases when validateStream is false, enhancing performance without changing the API.
  • pull/61807, pull/61792

• Module and environment enhancements: Support for ECMAScript Module (ESM) entry points was added to the SEA environment using a new embedder API and a "mainFormat" configuration field, aligning with CommonJS behavior while deferring caching and snapshot support. The SQLite module was marked as a release candidate by removing its experimental warning, signaling readiness for broader use.
  • pull/61813, pull/61262

• Documentation corrections and additions: Typographical errors in the --disable-wasm-trap-handler option documentation were fixed for consistency, and documentation was added for five previously undocumented PerformanceResourceTiming properties. Also, an incorrect mention of module-keyword namespaces was removed to clarify that Node/Amaro never supported them.
  • pull/61820, pull/61844, pull/61839

• Security and threat model clarifications: The project's threat model was updated to clarify that the build environment is trusted and explicitly categorize certain build system attack vectors, such as command injection via environment variables and path hijacking, as non-vulnerabilities. This addresses recurring HackerOne reports that incorrectly assume these scenarios are exploitable.
  • pull/61865

• Memory leak fix in REPL module: A memory leak was addressed by refactoring the process.on('newListener') event listener in the REPL module to keep a reference count, allowing the listener to be declared outside the REPLServer class and properly cleaned up when no longer needed.
  • pull/61895

• Removal of outdated configurations: Outdated OpenSSL architecture configurations that had been previously eliminated but remained in the dependency tree were fully removed to clean up the project.
  • pull/61834

3.3 Pull Request Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed pull requests that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed pull requests from the past week.

IV. Contributors

4.1 Contributors

Active Contributors:

We consider an active contributor in this project to be any contributor who has made at least 1 commit, opened at least 1 issue, created at least 1 pull request, or made more than 2 comments in the last month.

If there are more than 10 active contributors, the list is truncated to the top 10 based on contribution metrics for better clarity.

Access Last Week's Newsletter:

• Link