Weekly GitHub Report for Node

Thank you for subscribing to our weekly newsletter! Each week, we deliver a comprehensive summary of your GitHub project's latest activity right to your inbox, including an overview of your project's issues, pull requests, contributors, and commit activity.

Table of Contents

• I. News
  • 1.1. Recent Version Releases
  • 1.2. Other Noteworthy Updates
• II. Issues
  • 2.1. Top 5 Active Issues
  • 2.2. Top 5 Stale Issues
  • 2.3. Open Issues
  • 2.4. Closed Issues
  • 2.5. Issue Discussion Insights

• III. Pull Requests
  • 3.1. Open Pull Requests
  • 3.2. Closed Pull Requests
  • 3.3. Pull Request Discussion Insights

• IV. Contributors
  • 4.1. Contributors

I. News

1.1 Recent Version Releases:

The current version of this repository is v23.10.0

1.2 Version Information:

Released on March 13, 2025, this version introduces the --experimental-config-file feature, allowing developers to use JSON configuration files to simplify running tests and managing numerous flags, thereby enhancing developer experience. Additionally, it includes updates to root certificates, new TLS and V8 methods, improved error handling, and various tooling and documentation enhancements.

II. Issues

2.1 Top 5 Active Issues:

We consider active issues to be issues that that have been commented on most frequently within the last week. Bot comments are omitted.

1. [FEATURE REQUEST] [PERMISSION] Runtime Permission Dropping (process.permission.drop(): This issue proposes adding a runtime permission dropping feature to Node.js, allowing processes to start with broad permissions for initialization and then irreversibly drop unnecessary permissions before entering the main event loop, thereby narrowing the permission scope dynamically. The feature aims to improve security by limiting access to resources after startup, although it is acknowledged that this is not a hard security boundary and cannot prevent malicious code with arbitrary JavaScript execution from bypassing these restrictions.

   • The comments discuss the implications of dropping permissions on existing resources, clarifying that resources opened before dropping permissions remain accessible, and emphasize the need for clear documentation that this feature is not a foolproof security mechanism. Contributors express support for the idea, raise concerns about the security model's limitations, and volunteer to work on the implementation.
   • Number of comments this week: 10

2. [NEEDS MORE INFO] Node.js v24.14.0 (linux-arm64) crashes with heap memory corruption / double free or corruption (out) on aarch64 — possible allocator bug in ARM64 build: This issue reports that Node.js version 24.14.0 on Linux aarch64 consistently crashes with a heap memory corruption error characterized by a "double free or corruption (out)" message, suggesting a possible allocator bug specific to the ARM64 build. The problem is reproducible across multiple unrelated Node.js projects and is suspected to stem from the Node.js runtime's memory allocator or related components rather than user code, with additional context indicating that clearing the npm cache may temporarily avoid the crash.

   • Commenters requested detailed environment information including the output of uname -a, OS version, hardware model, and whether the system is bare metal or virtualized, emphasizing the need for a proper bug report template and clarification on the exact scripts run; no further diagnostic data has been provided yet, limiting progress on the issue.
   • Number of comments this week: 4

3. [FEATURE REQUEST] [SQLITE] sqlite: interrupt(): This issue proposes adding support for the sqlite.interrupt() function to enable canceling ongoing database requests in Node.js, addressing the problem of blocking and single-threaded SQLite operations. The feature aims to provide a mechanism to interrupt long-running queries, potentially improving responsiveness and control over database interactions.

   • The comments discuss the feasibility of implementing query interruptability given the blocking nature of Node.js SQLite operations, suggesting the use of sqlite3_progress_handler with an AbortSignal to trigger interrupts, but noting potential overhead. A pseudo-code example is provided to illustrate intended usage, followed by clarification that the synchronous nature of exec may limit the effectiveness of db.interrupt().
   • Number of comments this week: 3

4. [V8 ENGINE] V8 Maglev JIT causes STATUS_STACK_BUFFER_OVERRUN (0xC0000409) on Windows 11 Insider build 26200: This issue reports that Node.js processes crash with a STATUS_STACK_BUFFER_OVERRUN error on Windows 11 Insider build 26200 due to the V8 engine's Maglev JIT compiler tier, which causes instability when running non-trivial applications. The problem is mitigated by disabling the Maglev tier with the --no-maglev flag, which prevents the crash while maintaining functionality of other features like TurboFan and fetch().

   • The comments briefly acknowledge the issue and suggest it might be related to a known Chromium bug, but no further detailed discussion or resolution is provided.
   • Number of comments this week: 3

5. [GITHUB_ACTIONS] lint-nix action is currently unreliable: This issue describes a problem where the lint-nix GitHub Action is intermittently failing by hanging and timing out after 15 minutes without producing a clear failure indicator, making it difficult to track. The problem appears to have started after a recent commit and may be temporarily mitigated by switching the runner to ubuntu-latest, though this is considered a workaround rather than a true fix.

   • The comments discuss that switching to ubuntu-latest removes the timeout but does not solve the underlying issue, suggest limiting lint-nix runs to PRs affecting .nix files to reduce impact, and note that the hang occurs suddenly after normal progress rather than a gradual slowdown.
   • Number of comments this week: 2

2.2 Top 5 Stale Issues:

We consider stale issues to be issues that has had no activity within the last 30 days. The team should work together to get these issues resolved and closed as soon as possible.

As of our latest update, there are no stale issues for the project this week.

2.3 Open Issues

This section lists, groups, and then summarizes issues that were created within the last week in the repository.

Issues Opened This Week: 14

Summarized Issues:

• HTTP Header and Protocol Parsing Issues: Several issues highlight problems with HTTP header handling and protocol compliance in Node.js. These include failure to strip trailing tab characters from the Content-Length header causing 400 errors, and acceptance of invalid HTTP status lines missing required spaces, both violating HTTP/1.1 and RFC9112 specifications.
• issues/62192, issues/62193

• Stream and Worker Thread Errors: Node.js exhibits bugs related to stream handling and worker thread permissions. Duplex.fromWeb with TransformStream can cause unhandled rejections and process termination due to internal TypeErrors, while proposals aim to enforce permission inheritance and runtime permission dropping in worker threads to improve security.
• issues/62199, issues/62222, issues/62223

• Security and Permission Management Proposals: There are proposals to enhance Node.js security by adding runtime permission dropping and ensuring worker threads inherit parent thread permissions. These features aim to restrict resource access dynamically and maintain consistent permission states across threads.
• issues/62222, issues/62223

• Crashes and Memory Corruption: Multiple critical crashes are reported, including a fatal heap corruption on Linux aarch64 builds causing double free errors, and a Windows 11 crash triggered by the V8 Maglev JIT compiler resulting in a stack buffer overrun. These issues cause process aborts and require workarounds or fixes in underlying components.
• issues/62253, issues/62260

• Node.js Startup and Configuration Failures: Node.js fails to start properly when the /etc/ssl directory is inaccessible due to permission issues, exiting with a fatal error instead of ignoring the OpenSSL config loading failure as expected. This behavior disrupts startup in restricted environments.
• issues/62230

• Linting and CI Workflow Instability: The lint-nix GitHub Action intermittently hangs and times out after 15 minutes without clear failure signals, causing difficult-to-diagnose CI failures. A temporary workaround involves switching runners, but the root cause remains unresolved.
• issues/62219

• SQLite Integration Bugs and Feature Requests: Issues include a bug in DatabaseSync::ApplyChangeset() where a lambda captures a filter function by reference leading to dangling references, and a feature request to add support for sqlite.interrupt() to cancel ongoing database requests.
• issues/62227, issues/62276

• Feature Requests for Shared Memory and Interrupts: Requests have been made to add support for creating shared array buffers backed by external memory, enhancing Node.js capabilities for shared memory management.
• issues/62259

• Watch Mode and Worker Module Reloading Issues: When running scripts with Worker modules under watch mode, changes to the worker or its dependencies do not trigger restarts, although changes to the main script do. This inconsistency affects development workflows relying on automatic reloads.
• issues/62275

• Deprecated Format Aliases in util.styleText(): The util.styleText() function no longer accepts format aliases like "grey" in Node.js 25.7.0 and later, causing TypeErrors, whereas previous versions accepted these aliases without error.
• issues/62177

2.4 Closed Issues

This section lists, groups, and then summarizes issues that were closed within the last week in the repository. This section also links the associated pull requests if applicable.

Issues Closed This Week: 9

Summarized Issues:

• ESM Module and Timer Mocking Issues: Mocking built-in timers in ESM modules does not affect already-imported ESM namespace objects, causing timer-based tests to fail by not advancing time as expected. This problem contrasts with CommonJS modules where the same code works correctly, highlighting a discrepancy in timer mocking behavior between module systems.
• issues/62081

• Documentation and Comment Linking Problems: An unclosed link in the Test Runner documentation causes all subsequent text to be underlined and clickable, affecting user experience on the page. Additionally, a related issue references a specific comment on this documentation problem, indicating ongoing discussion and investigation.
• issues/62154, issues/62172, issues/62172

• Proposal for Native JWT API: There is a proposal to add a native, zero-dependency JSON Web Token (JWT) API to Node.js to enable built-in support for signing, verification, and safe decoding of JWTs. This addition aims to improve performance, reduce reliance on third-party libraries, and integrate directly with Node’s native cryptographic APIs.
• issues/62182

• Missing Documentation for fs.stat Option: The Node.js fs.stat and fsPromises.stat API documentation lacks mention that the throwIfNoEntry option was introduced in version 25.7.0. This omission may cause confusion among users about the availability and behavior of this option.
• issues/62185

• ESM Import Regression Causing Segmentation Fault: A regression in Node.js v24.14.0 causes a segmentation fault when using ESM import() to load a large CommonJS webpack bundle due to a change from cjs-module-lexer to merve. This crash during module export analysis did not occur in v24.13.0 and can be avoided by using require() instead.
• issues/62212

• Error Type Detection Discrepancy: The Error.isError method fails to detect legacy error types created with util.inherits, although instanceof Error correctly identifies them. This highlights an inconsistency in error type detection methods within Node.js.
• issues/62224

• --env-file and --watch-path Interaction Bug: Using the --env-file option together with --watch-path causes the Node.js process to restart when files outside the specified watch path are changed. This behavior is contrary to expectations, as changes outside the watch path should be ignored.
• issues/62229

• Incorrect os.machine() on Windows arm64: On Windows arm64, Node.js version 24.14.0’s os.machine() function incorrectly returns unknown instead of arm64 due to a detection fallback problem in libuv. This issue was later fixed by using the Windows API GetSystemInfo(), while os.arch() correctly identifies the architecture.
• issues/62232

2.5 Issue Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed issues that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed issues from the past week.

III. Pull Requests

3.1 Open Pull Requests

This section provides a summary of pull requests that were opened in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Opened This Week: 43

Key Open Pull Requests

1. [v24.x backport] sea: add --build-sea and support ESM entry point: This pull request backports to the v24.x branch the addition of the --build-sea CLI flag for generating Single Executable Applications (SEA) directly with the Node.js binary, along with support for ECMAScript Module (ESM) entry points and related improvements such as enhanced error reporting, default executable path fixes, and embedder module features.

• URL: pull/62190

• Associated Commits: 4003d, af272, d6e7b, 097f9, 19a57, fb276, 99b98

2. loader: implement package maps: This pull request implements a new --experimental-package-map=<path> flag in Node.js that enables package resolution based on a static JSON file describing package locations and dependencies, aiming to address limitations of the traditional node_modules resolution algorithm by providing stricter, more efficient, and compatible package mapping that supports static analysis and better dependency isolation without fully replacing existing resolution features.

• URL: pull/62239

• Associated Commits: f6a40, 08a9f, 19b9e, 74bac, bc122, 58ade, 72ed5

3. sqlite: add trace sql hook: This pull request introduces a trace SQL hook named DatabaseSync to the SQLite integration for enhanced logging and debugging, including renaming and refining the verbose option, adding related test cases and documentation, and utilizing the diagnostic channel for improved traceability.

• URL: pull/62241

• Associated Commits: d8784, df281, 51a3e, 0e8bf, b68b4, 0d78a, 83627

Other Open Pull Requests

• Cryptography API Enhancements: Multiple pull requests improve cryptographic functionality by adding new digest algorithms TurboSHAKE and KangarooTwelve, integrating raw key formats into KeyObject APIs and Web Cryptography APIs, and introducing a dsaNonceType option for deterministic signatures. Additionally, a new native C++ API provides addons direct access to OpenSSL contexts, replacing unsupported JavaScript fields to enhance native addon integration.
  • pull/62183, pull/62240, pull/62252, pull/62254

• OpenSSL and TLS Improvements: One pull request enables OpenSSL compression features by removing the no-comp build option and adding an opt-in certificateCompression option for TLS contexts to reduce handshake size and fingerprintability, while keeping record compression disabled for security. This update includes changes to OpenSSL build configurations, tests, and related APIs.
  • pull/62217

• Stream and Pipeline Reliability: Enhancements include validation of streams used in pipelines to improve reliability, and promotion of a runtime deprecation warning (DEP0201) in the stream module. These changes aim to increase robustness and clarify deprecated features during execution.
  • pull/62214, pull/62173

• Documentation Clarifications and Fixes: Several pull requests clarify and correct documentation across various modules, including fs.ReadStream and fs.WriteStream construction, socket.setKeepAlive initialDelay argument, HTTP Date header requirements, readable._read() method behavior, worker_threads postMessage example, diffieHellman.generateKeys() behavior, and perf_hooks module metadata and examples. These updates improve accuracy and user understanding.
  • pull/62208, pull/62171, pull/62206, pull/62196, pull/62203, pull/62194, pull/62181, pull/62262, pull/62263

• Test Runner and Tooling Fixes: Improvements to the test runner include adding context subtests with features like expectFailure, only, skip, and todo, and fixing issues where programmatic use of run() with isolation="none" ignored certain options. Additionally, a tooling fix resolves timeout errors in the lint-nix job.
  • pull/62263, pull/62265

• Child Process and Security Updates: The documentation example recommending the use of child_process.spawn() with the shell option for running Windows batch files is removed due to deprecation and shell injection risks, while alternatives like exec() and direct cmd.exe spawning remain supported.
  • pull/62243

• Blob and Module Loading Fixes: Fixes include correcting the Blob constructor to properly handle sequence arguments using WebIDL infrastructure, and resolving rendering issues of consecutive ES module code blocks in documentation to prevent incorrect grouping by the highlighter.
  • pull/62179, pull/62176

• Heap Profiling Enhancements: A new heap profiling API is added to the V8 engine, improving support for heap sampling parameters on both main and worker threads, building on previous related work.
  • pull/62273

3.2 Closed Pull Requests

This section provides a summary of pull requests that were closed in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Closed This Week: 41

Key Closed Pull Requests

1. doc: fix outdated debugger, worker_threads, and fs.stat docs: This pull request updates the Node.js documentation by removing outdated references to Chrome 66 and the archived ndb debugger tool in debugger.md, correcting a misleading example in worker_threads.md that incorrectly showed posting a URL object via MessageChannel without error, and adding missing YAML version history entries for the throwIfNoEntry option in fs.stat and fsPromises.stat introduced in v25.7.0.

• URL: pull/62197

• Associated Commits: 81713, 6f6d8, 453df

• Associated Commits: 81713, 6f6d8, 453df

2. wasm: support js string constant esm import: This pull request adds support for the new wasm:js/string-constants import in the WebAssembly ESM integration, enabling the import of constant JavaScript strings during both the source and instance phases of WebAssembly module loading, as specified in the latest WebAssembly ESM integration proposal.

• URL: pull/62198

• Associated Commits: dbe59, 5bde1, 98a6c

• Associated Commits: dbe59, 5bde1, 98a6c

3. lib: prefer primordials in SubtleCrypto: This pull request proposes changes to prefer using primordials in the SubtleCrypto library and includes additional regression tests to address Promise.prototype.then pollution issues in WebCrypto, although it was not merged.

• URL: pull/62226

• Associated Commits: a90c2, f9f70, 1c6d5

• Associated Commits: a90c2, f9f70, 1c6d5

Other Closed Pull Requests

• Coverage branch ignoring fix: This pull request modifies the coverage logic to correctly exclude branches marked with /* node:coverage ignore next */ comments from LCOV reports. It addresses issues caused by V8's branch ranges including structural lines covered by parent scopes, preventing inaccurate branch coverage counts.
  pull/62264

• Documentation improvements: Multiple pull requests enhance documentation by clarifying content and fixing formatting issues. These include making the addons.md introduction less C++-centric with simpler build examples, adding examples for mocking error-throwing functions, clarifying the shell option in DEP0190, fixing markdown link tags in the Test Runner docs, and adding notes on mock.module customization hooks.
  pull/62071, pull/62152, pull/62249, pull/62168, pull/62075

• WebCrypto AEAD refactor and crypto optimizations: This set of pull requests refactors authentication tag handling in WebCrypto AEAD algorithms by passing full data to C++ for internal splitting and validation, fixing edge cases with detached ArrayBuffers. Additionally, the crypto module's normalizeAlgorithm function is optimized to read the algorithm name property only once, improving efficiency.
  pull/62169, pull/62170

• Node.js REPL error and keyboard protocol handling: These pull requests introduce customizable error handling in the REPL to control exceptions thrown after closure and fix key handling issues in the REPL and readline when using VS Code's integrated terminal with the kitty keyboard protocol. They add support for kitty CSI-u key parsing, enable the kitty keyboard protocol automatically, restore legacy mode on close, and add a new API with regression tests.
  pull/62188, pull/62186

• Platform-specific fixes: Pull requests address platform-specific issues including fixing the os.machine() function on Windows ARM64 to correctly return 'arm64' by using Windows API calls, patching the vendored resb crate for big endian platforms, and preventing crashes on Windows caused by V8's Maglev JIT when hardware CET shadow stacks are active but unsupported by disabling Maglev automatically.
  pull/62235, pull/62138, pull/62272

• Stream and performance improvements: This pull request replaces the use of onwrite.bind(undefined, stream) with an arrow function for the onwrite callback in stream creation, resulting in significant performance improvements in writable and duplex stream creation.
  pull/62087

• Backports and build fixes: These pull requests backport watch functionality improvements to Node.js 24.x and fix issues with the --node-builtin-modules-path build configuration flag that stopped detecting JavaScript changes without re-running make. The build fix was generated with AI assistance.
  pull/62108, pull/62115

• Diagnostics channel enhancements: This pull request adds diagnostics channel support for the locks.request() method, enabling visibility into the lock request lifecycle by emitting four specific events: locks.request.start, locks.request.grant, locks.request.miss, and locks.request.end.
  pull/62123

• ESM and module handling fixes: These pull requests fix handling of extensionless CommonJS files within packages marked as type: "module" by restoring the documented exception for recognizing such files as CommonJS modules. They also ensure ESM imports of node:timers/promises are properly synchronized and mocked when using mock.timers.enable().
  pull/62083, [pull/62141](https://github.com/nodejs/node/pull/62141]

• SEA ESM code caching support: This pull request implements support for code caching in the ESM entrypoint of SEA by generating the code cache at build time from C++ and embedding it into the SEA blob, then consuming it at runtime through specialized compilation routines, paralleling the existing approach used for the CJS SEA entrypoint.
  pull/62158

• Uncaught exception behavior restoration: This pull request restores the previous behavior of handling uncaught exceptions thrown from the async context after the REPL has been closed, reversing a recent change that caused such exceptions to be treated as process-level uncaught exceptions, with plans for more granular handling in the future.
  pull/62165

• Build tool updates: This pull request updates the Merve tool while ensuring that GN build configuration files are preserved during the update process.
  pull/62167

• Child process documentation correction: This pull request corrects the child_process module documentation by fixing the incorrect description of stdin as writable and stdout/stderr as readable, properly stating that stdin is readable and stdout/stderr are writable, and amends the related example accordingly.
  pull/62175

• OpenSSL provider configuration update: This pull request updates the OpenSSL provider configuration to default to exporting ML-KEM and ML-DSA private keys containing a seed in the seed-only PKCS#8 format, while keys without a seed continue using the private-only format, improving compatibility by moving away from the unsupported both format.
  pull/62178

3.3 Pull Request Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed pull requests that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed pull requests from the past week.

IV. Contributors

4.1 Contributors

Active Contributors:

We consider an active contributor in this project to be any contributor who has made at least 1 commit, opened at least 1 issue, created at least 1 pull request, or made more than 2 comments in the last month.

If there are more than 10 active contributors, the list is truncated to the top 10 based on contribution metrics for better clarity.