Weekly GitHub Report for Node

Thank you for subscribing to our weekly newsletter! Each week, we deliver a comprehensive summary of your GitHub project's latest activity right to your inbox, including an overview of your project's issues, pull requests, contributors, and commit activity.

Table of Contents

• I. News
  • 1.1. Recent Version Releases
  • 1.2. Other Noteworthy Updates
• II. Issues
  • 2.1. Top 5 Active Issues
  • 2.2. Top 5 Stale Issues
  • 2.3. Open Issues
  • 2.4. Closed Issues
  • 2.5. Issue Discussion Insights

• III. Pull Requests
  • 3.1. Open Pull Requests
  • 3.2. Closed Pull Requests
  • 3.3. Pull Request Discussion Insights

• IV. Contributors
  • 4.1. Contributors

I. News

1.1 Recent Version Releases:

The current version of this repository is v23.10.0

1.2 Version Information:

Released on March 13, 2025, this version introduces the --experimental-config-file feature, allowing developers to use JSON configuration files to simplify flag management for the test runner and other experimental features, enhancing developer experience. Additionally, it includes updates to root certificates, new TLS and V8 methods, various error handling improvements, and multiple dependency and documentation enhancements.

II. Issues

2.1 Top 5 Active Issues:

We consider active issues to be issues that that have been commented on most frequently within the last week. Bot comments are omitted.

1. The punycode deprecation trace is not useful: This issue reports that the deprecation warning trace for the punycode module in Node.js version 24.13.1 is not helpful because it does not indicate which package or file is requiring the deprecated module, making it difficult to identify the source of the warning. The problem appears to be a regression introduced in this version, where the warning is incorrectly emitted for code inside node_modules and the trace lacks user code context, with fixes planned for future releases.

   • The comments confirm the issue is a regression in v24.13.1 and provide detailed reproduction steps and comparisons across Node.js versions, showing that later versions fix the trace output. They also clarify that the warning should not appear for node_modules usage in recent Node.js versions, discuss related documentation updates, and note that a fix is expected in upcoming releases.
   • Number of comments this week: 7

2. Using --test causes process.argv[] to lose user-specified CLI flags: This issue reports that when running a Node.js script with the --test flag, user-specified command-line interface (CLI) flags are omitted from process.argv, which does not happen when running the script without --test. This behavior causes problems for testing code that relies on process.argv to access user-provided CLI flags, as the flags are consistently missing during test runs.

   • The comments discuss whether this issue existed in earlier Node.js versions, with one user suspecting a similar problem in version 24.4, but it is clarified that the previous issue was related to V8-specific flags and likely unrelated. It is also noted that this behavior is not a regression but rather a longstanding limitation, confirmed to reproduce in Node.js versions 22 and 24 as well.
   • Number of comments this week: 3

3. [I18N-API] [ICU] Intl.DateTimeFormat('de-CH', {year, month}) outputs different separators between Node 24.13.0 and 24.13.1: This issue reports that the Intl.DateTimeFormat function for the 'de-CH' locale produces different date separators between Node.js versions 24.13.0 and 24.13.1, changing from a dot to a slash for year and month formatting. This inconsistency breaks server-side rendering and client hydration in frameworks like Next.js, as the expected locale-specific formatting is not maintained across versions.

   • The comments explain that this change is due to updates in ICU locale data that Node.js inherits, which also affects other formatting like number separators; users note that this discrepancy is unavoidable because browsers and Node.js update locale data independently, and similar changes have been observed in other locales and formatting options.
   • Number of comments this week: 3

4. [FEATURE REQUEST] [TEST_RUNNER] Allow beforeEach in test-global-setup: This issue proposes enhancing the test-global-setup feature to allow the use of beforeEach callbacks within the global setup module, addressing inconsistencies in callback execution order and behavior when using different test isolation modes. The suggested improvements include calling the before callback after globalSetup, loading the global setup module in each test subprocess, and ensuring lifecycle callbacks run in each subprocess without invoking globalSetup and globalTeardown multiple times.

   • The comments suggest using existing flags like --import as a workaround, but also express support for integrating the feature directly into the global setup file for better consistency and ease of use, highlighting benefits such as uniform behavior across isolation modes, simpler migration from other test runners, and improved usability when running tests through IDEs.
   • Number of comments this week: 2

5. [DOC] Clarification needed regarding the http/net Server keepAlive options: This issue requests clarification and improvement of the documentation regarding the keepAlive options in the http and net server modules of Node.js, specifically addressing confusion about the default behavior and timing of keep-alive functionality. It also suggests rephrasing the explanation of the server.keepAliveTimeout option to prevent misinterpretation and to provide more explicit details about its effects and implications.

   • The commenter expressed interest in contributing to the documentation improvements by clarifying the wording and providing more detailed explanations for the keepAlive options and timeout behavior.
   • Number of comments this week: 1

2.2 Top 5 Stale Issues:

We consider stale issues to be issues that has had no activity within the last 30 days. The team should work together to get these issues resolved and closed as soon as possible.

As of our latest update, there are no stale issues for the project this week.

2.3 Open Issues

This section lists, groups, and then summarizes issues that were created within the last week in the repository.

Issues Opened This Week: 12

Summarized Issues:

• Test lifecycle callback behavior: Multiple issues highlight problems with the handling of beforeEach callbacks and lifecycle hooks in Node.js testing environments. One issue proposes enhancing the global setup to support beforeEach in subprocesses for consistent setup and teardown, while another reports unexpected global hook behavior when test isolation is disabled, complicating migration from other test runners.
• issues/61853, issues/61854

• Locale and formatting inconsistencies: There is a reported inconsistency in the Intl.DateTimeFormat function for the 'de-CH' locale between Node.js versions 24.13.0 and 24.13.1, where different date separators cause issues in server-side rendering and client hydration in frameworks like Next.js.
• issues/61861

• Filesystem operations on Windows with special characters: The fs.cpSync function fails silently to copy files when the destination path contains accented characters on Windows, resulting in no files or directories being copied despite no error being thrown.
• issues/61878

• Memory leaks in HTTP requests with reused parsers: A memory leak occurs due to unreleased AsyncContextFrame instances and data in AsyncLocalStorage when using http.request with HTTP parser reuse enabled, causing persistent memory usage not seen when using fetch or disabling parser reuse.
• issues/61882

• OpenSSL version vulnerability: Node.js version 20.20.0 is built with OpenSSL 3.0.17 instead of the patched 3.0.19, leaving it vulnerable to CVE-2025-15467 as detected by AWS inspector in multiple OpenSSL header files.
• issues/61887

• Unhelpful deprecation warnings for punycode module: The deprecation warning trace for the deprecated punycode module in Node.js 24.13.1 does not show the user code path requiring it, making it difficult to identify the source of deprecated usage, especially when required from within node_modules.
• issues/61901

• Inefficient and exploitable regex backtracking: A regular expression in getDataProtocolModuleFormat uses interchangeable quantifiers causing non-linear polynomial backtracking, leading to inefficient evaluation and potential exploitation. An ESLint plugin is suggested to detect and fix such patterns across the codebase.
• issues/61904

• Unexpected process restarts with --env-file and --watch-path: Using the --env-file option together with --watch-path causes the Node.js process to restart when an unrelated directory is touched, whereas without --env-file no restart occurs, indicating unexpected behavior in the file watching mechanism.
• issues/61906

• Debugger crash due to octal escape sequences: The presence of octal escape sequences (e.g., \033) in code causes a segmentation violation and debugger crash on Linux with Node.js v25.6.1.
• issues/61917

• Request for Unix domain datagram socket support: There is a request to reintroduce support for Unix domain datagram sockets in Node.js to enable essential UNIX-like system tasks such as notifying SystemD and logging to Syslog without extra configuration or dependencies.
• issues/61933

• Atomics.waitAsync() promise does not keep event loop alive: The promise returned by Atomics.waitAsync() fails to keep the Node.js event loop alive, causing premature process exit when it is the only pending asynchronous operation, breaking multithreaded WebAssembly workflows relying on Atomics.notify.
• issues/61941

2.4 Closed Issues

This section lists, groups, and then summarizes issues that were closed within the last week in the repository. This section also links the associated pull requests if applicable.

Issues Closed This Week: 9

Summarized Issues:

• TLS Connection Issues: This issue reports a random and intermittent TLS 1.3 connection reset error on macOS when using OpenSSL 3.5.x with Node.js v25.4.0, which does not occur with OpenSSL 3.0.x or when limiting TLS to version 1.2. The problem affects secure connections and may impact users relying on the latest OpenSSL versions for TLS 1.3 support.
• issues/61867

• Memory Management and Garbage Collection Bugs: A bug in Node.js versions v24.13.1 and v25.6.1 causes WeakRef to prevent garbage collection of objects set to null, resulting in unexpected persistence of references. Additionally, a consistent out-of-memory error occurs when running Vitest test suites due to heap exhaustion from creating Promises in an infinite loop.
• issues/61868, issues/61880

• Stream and Data Handling Problems: Piping an HTTPS ServerResponse to a writable stream does not fully consume the response data, causing file size mismatches because the 'end' event on the response does not guarantee all data is flushed. The correct approach is to listen to the writable stream's 'finish' event to ensure complete data writing.
• issues/61881

• Backporting Feature Requests: There is a request to backport a pull request enabling subpath imports starting with #/ from Node.js version 25.4.0 to earlier versions 22 and 24. This would allow users on older versions to utilize this import feature without upgrading.
• issues/61886

• GitHub Actions Resource Management: The organization is facing exhaustion of free GitHub Actions minutes and needs to disable unnecessary workflows to reduce costs and manage build cache rate limits effectively. This issue highlights the importance of optimizing CI/CD resource usage.
• issues/61890

• Unspecified or Minimal Description Issues: Some issues, including "The TuckShop" and "Poly," were opened and closed without any additional description or comments, providing no further information on their content or purpose.
• issues/61857, issues/61859

• External Platform Mention: An issue references a Yemeni financial consulting platform called RTS, but no further details or context are provided.
• issues/61932

2.5 Issue Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed issues that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed issues from the past week.

III. Pull Requests

3.1 Open Pull Requests

This section provides a summary of pull requests that were opened in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Opened This Week: 38

Key Open Pull Requests

1. V22.22.1 proposal: This pull request is a proposal for the Node.js version 22.22.1 release, including updates such as testing on Python 3.14, marking the --heapsnapshot-near-heap-limit CLI option as stable, updating root certificates to NSS versions 3.117 and 3.119, and adding new collaborators to the project.

• URL: pull/61947

• Associated Commits: f8a61, 3809b, 4ef2b, 85bf8, ef1b4, 94951, 6ede5, 90869, eb0d2, 9e19c, d7667, cd496, e3a90, f86c8, d7d90, 0a8ef, c026a, 8b2c2, 56b03, 210bf, 55cac, 1300a, 2b85a, f5379, df46f, 9f835, 45eab, fba74, 6e26c, 17156, f6c62, 300b8, 64aec, 99d98, 1aebd, 8762a, b2024, f5b88, 0afd9, b45e4, d782a, 5d03d, ad510, 461be, c4a64, a658e, f237e, 14112, 9fee8, 5d1ab, a033c, 09b55, d527a, cde1d, bc415, a7770, 01a5e, 522c4, 66102, e8f9e, ce660, b0929, f447d, d2670, 8149d, 6d373, ae651, 2f265, 09448, fdd30, 160e0, 9b2b3, d7ad3, d1092, 53bb6, c755e, 6944e, a64f6, 5efc4, 5eec1, 3a313, ddf75, 5b3c4, 9b824, fe964, 268fd, 91ff1, 65166, 94c74, 895e3, 7a278, d6573, 2c0e6, 85958, 5c536, 073ea, 0660d, 24968, cad31, 3743b, 615c8, 61ec8, 05417, c2088, 4e321, 05ec8, 1e4a9, b0c63, 02a9c, d7eab, 3932c, 8c050, 86b97, 6baa7, fe4db, 580ce, 15eb8, 8df3a, 64fc2, 9abdd, cadf0, d635f, 9129a, 7ca3e, b6c8c, 772cd, 9b23f, 78bd0, e23f4, 9dc1e, 60164, de2bd, c9830, 1545b, 509d4, c4dba, 519b8, 631a5, 1754d, 60e7d, 2c16f, 4742b, 3cca6, 7bdcc, a8801, 1dc62, 4cf4c, ed53b, 0be72, 0451c, 71a6c, 9c503, 53c0f, 2b985, d8f64, 9c290, 622c5, 61242, 40607, e0f75, 6946f, 86731, 46dd4, 58676, 950d1, ab445, c0ef2, ddad6, 3ab41, 3433b, ec9b2, ab39b, ed8da, 0d8c4, 0fba4, 5478a, e8d35, c4941, 5c2af, 18e71, cc1ff, 4646a, dc63c, b748a, e3dc2, 253e9, 96867, a5d38, 6267e, b0078, a61bb, f9cd1, d8fef, 3595d, a4693, af330, a3597, d5e4b, 9951c, 517f2, d898a, 4ee53, 0d73d, 14f39, 5ae70, 8167d, b21d0, 10c44, 18488, 1daff, 3e96f, ac28e, 52ca6, 0f6af, 5da45, 6a0c9, 1865f, 18be8, f68d1, 73101, 5ca93, 29324, c4486, dda05, 540c6, 68770, 0d794, 059b2, 6ef66, 1cc10, 52d1b, fc6c4, 98f9b, 58456, 25c6c, bdc55, 737d3, 24192, 70cfb, a7675, 234f8, 2bc43, ab53c, 80ee8, 6ef0d, 96ca6, 4ef42, 1ceee, 95451, 2cc28

2. deps: update V8 to 14.6: This pull request updates the V8 JavaScript engine to version 14.6 in the Node.js project, including necessary patches, build configuration changes, API deprecations handling, and support for platform-specific adjustments to ensure compatibility and improved functionality.

• URL: pull/61898

• Associated Commits: fd1ab, c6d60, d014e, 4645c, f2f73, 9e1f1, 0edba, 75442, 68afd, 2373a, 9c80b, 9bea9, 57e57, 1c76f, b9801, 8048a, abb46, db927, ffd71, 25c85

3. tools: update eslint to v10: This pull request updates the project's ESLint tool to version 10 along with Babel to version 8.0.0-rc.2, revises ESLint rules to accommodate breaking changes in ESLint v10, and temporarily disables the new no-useless-assignment rule due to widespread errors across the codebase.

• URL: pull/61905

• Associated Commits: 580a2, dd585, 68d04, e199c, 1f482, 9626d, de72b, afff6, 8c849

Other Open Pull Requests

• Crash Fix for Missing .env File with --watch: This pull request fixes a crash on Linux that occurs when using the --env-file-if-exists option combined with --watch if the specified .env file is missing by implementing error handling to prevent the crash. It also adds related tests and documentation to ensure stability and clarity.
  • pull/61870

• CompressionStream and DecompressionStream ArrayBuffer Support: This update modifies the CompressionStream and DecompressionStream implementations to accept plain ArrayBuffer inputs by normalizing them to Uint8Array views before passing to the underlying stream. This aligns with the WHATWG Compression Streams specification and fixes the ERR_INVALID_ARG_TYPE error when writing ArrayBuffer chunks.
  • pull/61913

• Permission Model Audit Mode and Diagnostics Channel: A new --permission-audit flag is introduced to enable a warning-only mode for the permission model by emitting diagnostic messages instead of throwing errors. Additionally, C++ support for diagnostics channels is added to efficiently publish permission check results and other messages from native code without crossing JavaScript boundaries.
  • pull/61869

• Buffer Operations Performance Improvements: This pull request optimizes multiple Buffer operations such as copyBytesFrom, fill with ASCII input, indexOf for ASCII encoding, and swap16/32/64 by using direct byte offset calculations and V8 Fast API C++ functions. These changes eliminate unnecessary intermediate allocations and result in significant benchmarked speedups without regressions.
  • pull/61871

• V8 Serialization of DOMException Objects: Enhancements to the V8 serialization and deserialization process preserve DOMException objects by treating them as host objects and implementing a custom serialization escape hatch similar to structuredClone(). This ensures proper handling of these exceptions during serialization.
  • pull/61856

• Windows Build Documentation Update: The BUILDING.md documentation is updated to explicitly support only Visual Studio 2022 and 2026 toolchains on Windows with either the Windows 10 or Windows 11 SDK. This reflects the actual compatibility of the build scripts and Microsoft's current SDK support.
  • pull/61864

• SQLite Statement Invalidation Handling: This pull request addresses issue #61819 by implementing handling for statement invalidation in the SQLite integration within the Node.js project.
  • pull/61877

• Crypto Module Null Pointer Dereference Fixes: Fixes are made to prevent null pointer dereferences in the crypto module by adding proper checks for null BUF_MEM* pointers in ToV8Value() and a missing nullptr check in RSA_new(). These changes improve the robustness and stability of the crypto code.
  • pull/61885, pull/61888

• Test Runner Enhancements for Coverage and Diagnostics: The test runner's dot reporter is enhanced to support displaying coverage failure messages, diagnostic messages, and the coverage report table when coverage thresholds are not met. This addresses previously unhandled test:diagnostic and test:coverage events.
  • pull/61891

• URLSearchParams and querystring Encoding Performance: Serialization and encoding performance of URLSearchParams.prototype.toString() and the internal encodeStr utility in the querystring module are optimized by refactoring to an O(N) pre-allocated array approach and adding a fast-path for short strings under 10 characters. This results in significant throughput improvements and resolves a quadratic complexity issue.
  • pull/61896

• OpenSSL Dependency Update: The OpenSSL dependency in the Node.js project is updated to version 3.0.19, including necessary source upgrades and architecture file modifications.
  • pull/61912

• Buffer.concat and Buffer.copy Fix for Large Indices: This pull request fixes issue #55422 by correcting Buffer.concat and Buffer.copy to prevent silently producing invalid results when handling indices equal to or greater than 2^32. It includes changes to use uint64_t for consistency and adds new tests to verify the fix.
  • pull/61914

• DEP0040 Punycode Module Documentation Update: Documentation for DEP0040 is updated to reflect its change from a runtime deprecation to an application-level deprecation affecting only non-node_modules code. This aligns with changes introduced in Node.js versions 22.14.0 and 23.7.0.
  • pull/61916

• GitHub Actions Runner Architecture Reversion: The GitHub Actions runner configuration in the scorecard.yml file is reverted from ARM back to the x86 architecture due to failures encountered on the ARM runner.
  • pull/61944

• Automated Removal of lts-watch-* Labels: An automated tool is introduced to remove lts-watch-* labels from release proposals, eliminating the manual and error-prone process of label triaging. This addresses issues where commits in release proposals may not ultimately be included in the release.
  • pull/61953

• Lazy JSON Parser Introduction: A new lazy JSON parser is introduced in the Node.js source code to improve JSON parsing efficiency.
  • pull/61855

• Test Runner Argument Preservation Fix: This pull request fixes an issue where user-specified flags were stripped from process.argv when running tests with the --test flag. It ensures that arguments following -- and unrecognized flags starting with - are preserved and correctly passed to the test process.
  • pull/61858

• Webcrypto Dictionary Property Rename: The length property is renamed to outputLength in the CShakeParams and KmacParams dictionaries to align with a recent change in the webcrypto-modern-algos specification. This maintains consistency while preserving dictionary attribute order.
  • pull/61875

• New Triager Addition: The user efekrskl is added as a triager to the Node.js project, reflecting their motivation to contribute and agreement to the project's Code of Conduct and Triage Guide.
  • pull/61876

• TCP KeepAlive Documentation Clarification: Documentation is clarified to specify that the keepAlive option enables TCP keepalive rather than controlling HTTP persistent connections. It also clarifies that setting keepAliveTimeout to 0 disables the timeout without disabling HTTP keep-alive itself.
  • pull/61883

• Security Fix for writeEarlyHints(): This pull request addresses a security vulnerability in the writeEarlyHints() function by adding validation for header names and values to prevent CRLF injection. It tightens the regular expression for Link header URLs and ensures user-supplied headers are properly checked before inclusion in the raw HTTP 103 Early Hints response.
  • pull/61897

• Debugger Test Timeout Increase: The debugger test timeout is increased from 15 seconds to 30 seconds on macOS and Windows to address flakiness in the test-debugger-restart-message test caused by slow asynchronous operations during debug session initialization on CI machines.
  • pull/61902

• OpenTelemetry Tracing Module Introduction: A new module, node:otel, is introduced to add foundational support for OpenTelemetry tracing with a programmatic API to enable and disable tracing. This lays the groundwork for future enhancements including custom instrumentation while avoiding the OpenTelemetry SDK to minimize bloat.
  • pull/61907

• HTTP HEAD Response Content-Length Fix: This pull request ensures that HTTP HEAD responses from http.createServer include a Content-Length header by default when the response has no body. This fixes broken keep-alive connections caused by missing Content-Length headers in such responses.
  • pull/61919

3.2 Closed Pull Requests

This section provides a summary of pull requests that were closed in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Closed This Week: 34

Key Closed Pull Requests

1. module: fix extensionless entry with explicit type=commonjs: This pull request fixes an issue in the Node.js CommonJS loader where extensionless entry points in packages explicitly marked with "type": "commonjs" would silently exit without error when containing ESM syntax, by ensuring such files are treated as CommonJS and that ESM syntax triggers a SyntaxError instead of failing silently.

• URL: pull/61600

• Associated Commits: 27ba1, 682ec, 06a7a, 98a51, 79cdb

• Associated Commits: 27ba1, 682ec, 06a7a, 98a51, 79cdb

2. lib: include ESM loader in the built-in snapshot: This pull request includes the ESM loader in the built-in snapshot to improve startup performance by enabling real-world applications to deserialize the ESM loader instead of initializing it from scratch, resulting in measurable benchmark improvements especially for non-empty scripts.

• URL: pull/61769

• Associated Commits: fa816, 92d6e, d00ee, 9cd87, f3311

• Associated Commits: fa816, 92d6e, d00ee, 9cd87, f3311

3. tools: switch to ARM runners on GHA jobs: This pull request updates the GitHub Actions workflows to use ARM runners instead of other architectures, aiming to improve job completion speed and reduce costs, particularly benefiting private repository security release preparations.

• URL: pull/61903

• Associated Commits: 09076, 124bd, e7821

• Associated Commits: 09076, 124bd, e7821

Other Closed Pull Requests

3.3 Pull Request Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed pull requests that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed pull requests from the past week.

IV. Contributors

4.1 Contributors

Active Contributors:

We consider an active contributor in this project to be any contributor who has made at least 1 commit, opened at least 1 issue, created at least 1 pull request, or made more than 2 comments in the last month.

If there are more than 10 active contributors, the list is truncated to the top 10 based on contribution metrics for better clarity.