Weekly Project News

Weekly GitHub Report for Node: March 23, 2026 - March 30, 2026 (22:25:49)

Thank you for subscribing to our weekly newsletter! Each week, we deliver a comprehensive summary of your GitHub project's latest activity right to your inbox, including an overview of your project's issues, pull requests, contributors, and commit activity.


Table of Contents

  • I. News
    • 1.1. Recent Version Releases
    • 1.2. Other Noteworthy Updates
  • II. Issues
    • 2.1. Top 5 Active Issues
    • 2.2. Top 5 Stale Issues
    • 2.3. Open Issues
    • 2.4. Closed Issues
    • 2.5. Issue Discussion Insights
  • III. Pull Requests
    • 3.1. Open Pull Requests
    • 3.2. Closed Pull Requests
    • 3.3. Pull Request Discussion Insights
  • IV. Contributors
    • 4.1. Contributors

I. News

1.1 Recent Version Releases:

The current version of this repository is v23.10.0

1.2 Version Information:

Released on March 13, 2025, this version introduces the --experimental-config-file feature, allowing developers to use JSON configuration files to simplify flag management for the test runner and related features, enhancing developer experience. Additionally, it includes updates to root certificates, new TLS and V8 methods, various error handling improvements, and multiple dependency and documentation enhancements.

II. Issues

2.1 Top 5 Active Issues:

We consider active issues to be issues that have been commented on most frequently within the last week. Bot comments are omitted.

  1. [FEATURE REQUEST] [FR] Disable eval() usage by default: This issue proposes disabling the use of eval() and Function() by default in Node.js to enhance security by preventing accidental or malicious dynamic code execution, with an opt-in flag --enable-eval for legacy or specific use cases. The motivation stems from real-world supply chain attacks involving malware like "glassworm," which exploits the current default enabling of eval() to execute arbitrary code unnoticed.

    • The comments discuss parallels with existing security models like Trusted Types, clarify that disabling eval() by default is a security improvement for less experienced users, debate the feasibility and impact of such a change on JavaScript standards, and highlight that Node.js assumes trusted code execution, meaning disabling eval() alone cannot fully prevent risks from running untrusted code.
    • Number of comments this week: 8
  2. Possible NodeJS 22.22.2 regression when installing latest NPM: This issue reports a regression in Node.js version 22.22.2 where installing the latest NPM globally fails with a MODULE_NOT_FOUND error related to the 'promise-retry' module, which does not occur in previous Node.js 22.x versions. The problem consistently reproduces on multiple platforms and appears to be isolated to fresh Node 22.22.2 environments when running npm install -g npm@latest, with incremental NPM version installs working as expected.

    • Comments confirm the issue is reproducible on different operating systems including Ubuntu and macOS, note that other Node.js security releases are unaffected, reference related reports and fixes in the npm CLI repository, and share successful local testing of a proposed fix that resolves the problem.
    • Number of comments this week: 7
  3. [FEATURE REQUEST] proposal: add req.signal (AbortSignal) for automatic client disconnect detection: This issue proposes adding a lazy req.signal property to HTTP request objects that provides an AbortSignal which automatically aborts when the client disconnects, simplifying cancellation of async operations like database queries or fetch calls. The feature aims to reduce boilerplate code by integrating abort logic directly into the request object, aligning with web platform standards and handling both socket close and request destruction events.

    • The comments show support for the proposal and discuss the importance of keeping req.signal as a dedicated property to maintain alignment with web standards and cover specific socket events, while also considering a separate general utility for creating abort signals from event emitters as a complementary feature.
    • Number of comments this week: 4
  4. [TIMERS] Promise.reject + setTimeout causes UnhandledPromiseRejection error: This issue describes a problem where a rejected promise combined with a delayed resolution using setTimeout causes an UnhandledPromiseRejection error, even though the rejection is caught in a try/catch block after awaiting the timeout. The user expects the test to pass without errors, but the Node.js runtime reports the rejection as unhandled before the catch block executes, leading to a failure in the test.

    • The comments clarify that this behavior is not related to the test runner but is inherent to how unhandled promise rejections are processed in Node.js; the rejection must be handled immediately or an empty .catch() added, or a flag must be set to change the default behavior to avoid the error.
    • Number of comments this week: 3
  5. ERR_INTERNAL_ASSERTION when import() and require() load the same ESM dependency: This issue describes a problem where using both import() and require() to load different entry points of the same dual package, which depend on a shared ESM-only dependency, causes an ERR_INTERNAL_ASSERTION error in Node.js v24.x and later. The error arises because the ESM module is not fully loaded when required synchronously after being dynamically imported in the same tick, leading to a race condition that prevents proper module loading.

    • The comments confirm the issue persists in Node.js v25.8.2, reproducing the same internal assertion error, and suggest the problem may be related to the module loader internals, with a mention to notify the relevant Node.js loaders team.
    • Number of comments this week: 3

2.2 Top 5 Stale Issues:

We consider stale issues to be issues that have had no activity within the last 30 days. The team should work together to get these issues resolved and closed as soon as possible.

As of our latest update, there are no stale issues for the project this week.

2.3 Open Issues

This section lists, groups, and then summarizes issues that were created within the last week in the repository.

Issues Opened This Week: 17

Summarized Issues:

  • Promise and asynchronous error handling issues: Multiple issues highlight problems with promise rejection and asynchronous error handling in Node.js. One issue describes an UnhandledPromiseRejection error thrown despite proper try/catch usage after a delayed rejection, while another reports synchronous failure in fs.openAsBlob instead of returning a rejected promise, forcing users to rely on try/catch rather than promise.catch().
  • [issues/62412, issues/62418]
  • Module loading and ESM-related bugs: Several issues involve problems with module loading and ESM behavior. These include a race condition causing assertion errors when import() and require() load different entry points of the same dual package, infinite recursion and crashes in the ESM loader due to cyclic re-exports, and deepStrictEqual incorrectly rejecting structurally equal arrays due to persistent cycle detection state.
  • [issues/62422, issues/62432, issues/62457]
  • Security and permission model enhancements: Proposed improvements focus on enhancing Node.js security by restricting environment variable access with an --allow-env flag and disabling eval() and Function() by default to prevent dynamic code execution, while allowing opt-in via command-line flags.
  • [issues/62424, issues/62434]
  • NPM and script execution problems on Windows: Issues report failures related to NPM installation and PowerShell script execution on Windows. One describes a regression causing global NPM install failures due to missing modules, and another details PowerShell execution policy errors caused by unsigned bundled scripts designed for PowerShell Core rather than Windows PowerShell 5.1.
  • [issues/62425, issues/62427]
  • Build and platform-specific failures: There are build failures on specific architectures and path handling problems. One issue describes a PPC64 build failure due to an assembler operand out of range error, and another reports an EISDIR error when Node.js fails to handle extended Windows paths prefixed with \\?\.
  • [issues/62445, issues/62446]
  • Memory management and resource leaks: Problems with memory pressure and leaks are reported, including out-of-memory errors caused by creating many ShadowRealms combined with heap snapshots, and a memory leak due to unbounded growth of pending promises from repeated DNS lookup failures saturating the libuv thread pool.
  • [issues/62433, issues/62503]
  • Deprecation and feature transition proposals: Proposals include adding a deprecation notice option for the --disable-proto flag to ease transition away from Object.prototype.__proto__ usage, and adding a lazy-initialized req.signal property to HTTP requests to simplify cancellation tied to client disconnects.
  • [issues/62461, issues/62481]
  • CI automation improvements: A proposal suggests adding a label to indicate pull requests suitable for CI testing and improving automation to trigger CI runs without formal approval when the label is applied by collaborators.
  • [issues/62496]
  • Codebase maintenance warnings: One issue reports the use of a deprecated C++ API involving char_traits<unsigned char>, which triggers warnings and requires migration to avoid future removal.
  • [issues/62506]

2.4 Closed Issues

This section lists, groups, and then summarizes issues that were closed within the last week in the repository. This section also links the associated pull requests if applicable.

Issues Closed This Week: 4

Summarized Issues:

  • HTTP Server Request Handling: HTTP servers incorrectly reject requests containing a trailing tab character after the Content-Length header, resulting in a 400 Bad Request response. This behavior contradicts the HTTP/1.1 specification, which states that such tabs should be ignored rather than causing an error.
  • issues/62192
  • Tooling and Latency Detection: The usefulness of the lshaz tool for detecting latency hazards in Node.js's C++ codebase is questioned, particularly given its primary focus on x64 architectures. The discussion centers on whether adopting this tool would benefit the project despite potential architectural limitations.
  • issues/62416
  • NPM Installation Errors: Running npm i -g npm@latest on version v22.22.2 results in a "Cannot find module 'promise-retry'" error, blocking the installation of the latest npm version on macOS and Ubuntu. This issue prevents users from upgrading npm globally using the standard command.
  • issues/62430
  • Docker Image Pull Failures: The Docker image node:22.22.2-alpine could not be pulled on Linux amd64 platforms due to a missing manifest, causing a "no matching manifest for linux/amd64" error. This problem did not affect the previous version 22.22.1-alpine and was eventually resolved.
  • issues/62444

2.5 Issue Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed issues that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

  1. Thoughts on lshaz and usefulness to Node.js?
    • Toxicity Score: 0.65 (Rapid escalation, aggressive language)
    • This GitHub conversation features a single comment from a user expressing frustration and suspicion towards the original poster, questioning the relevance of their message and suggesting they are spamming. The tone is dismissive and somewhat hostile, triggered by the perceived off-topic nature of the initial post.

III. Pull Requests

3.1 Open Pull Requests

This section provides a summary of pull requests that were opened in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Opened This Week: 37

Key Open Pull Requests

1. src: disable default eval (notable-change): This pull request introduces a new --enable-eval CLI flag to Node.js that disables the use of eval() and new Function() by default to enhance security, requires explicit opt-in to allow dynamic code generation from strings, updates the runtime and documentation to reflect this change, and includes tests to verify the correct behavior of the flag.

  • URL: pull/62436
  • Associated Commits: 1c014, 902c8, bee7a, 0e5b1

2. stream: fix addAbortSignal() for web streams: This pull request fixes the addAbortSignal() method for web streams by replacing the incorrect kControllerErrorFunction with appropriate internal abort hooks for each stream controller type, ensuring proper abort behavior and updating tests to cover various abort scenarios.

  • URL: pull/62450
  • Associated Commits: ac820, bb0c0, e65f3, ec815

3. stream: stream/iter node.js streams interop: This pull request implements prototype integration points to enable interoperability between experimental stream/iter protocols and Node.js stream.Readable and stream.Writable classes, including methods like toAsyncStreamable, fromStreamIter, and toStreamIterWriter.

  • URL: pull/62469
  • Associated Commits: 31f3c, 70210, e16af

Other Open Pull Requests

  • String encoding optimization: This pull request introduces stack allocation for small string encoding in the StringBytes::Encode() function by using 512-byte stack buffers for small inputs across all encoding paths, improving performance by reducing heap allocations. The change achieves significant speedups in various buffer-to-string encoding benchmarks.
    pull/62431
  • Error handling improvements: A new experimental error code ERR_REQUIRE_ESM_RACE_CONDITION replaces the inappropriate use of ERR_INTERNAL_ASSERTION for race conditions in the esm module, improving error handling and closing issue #62432. Additionally, the requireStack property and "Require stack:" section were added to MODULE_NOT_FOUND errors during ESM exports resolution to include call stack information similar to CommonJS.
    pull/62462, pull/62417
  • Cryptography enhancements: The import of asymmetric cryptographic keys was unified into a single C++ entry point, removing redundant JS-to-C++ conversions and enabling direct handling of JWK and raw formats. Support for the Ed25519 context parameter and recognition of raw key formats in key generation were also added, building on previous work without requiring documentation changes.
    pull/62499, pull/62474, pull/62480
  • Debugger test reliability: Multiple pull requests addressed flakiness in debugger tests by adding checks for port availability, waiting for debugger prompts before initial breaks, and ensuring the process waits for reattachment before the initial break. These changes improve test stability and prevent CI failures caused by timing issues during debugger startup.
    pull/62472, pull/62488, pull/62489
  • Documentation clarifications and fixes: Documentation was clarified to distinguish between experimental and deprecated feature statuses, and a typographical error was corrected in the doc/api/quic.md file. The SQLite type conversion documentation was also moved to a more appropriate location under the module header to improve structure and emphasis.
    pull/62456, pull/62492, pull/62482
  • Build and environment improvements: The build process was modified to use the CARGO environment variable when enabling Temporal support, allowing compatibility with systems where the Cargo binary includes a version suffix. This change improves build flexibility on platforms like Ubuntu 24.04.
    pull/62421
  • EventEmitter deprecation and warnings: The legacy fallback code for the prependListener method on EventEmitter was deprecated by removing unnecessary internal manipulations and associated tests. A runtime deprecation warning was introduced for piping to emitters lacking prependListener, signaling the removal of legacy behavior since Node.js v6.0.0.
    pull/62435
  • Network error message formatting: The readability of network error messages involving IPv6 addresses was improved by enclosing IPv6 addresses in square brackets before the port number. This change clarifies messages such as transforming "connect ECONNREFUSED 2001:db8::1337:443" into "connect ECONNREFUSED [2001:db8::1337]:443".
    pull/62442
  • Util.inspect output behavior: The single-line output behavior of util.inspect() when breakLength is set to Infinity and depth is unlimited was restored, preserving existing behavior for explicit non-default compact settings. Regression tests were added to ensure correct handling of these cases.
    pull/62452
  • SQLite memory leak fix: A memory leak in the SQLite integration was fixed by properly releasing a sqlite3_stmt object when StatementSync::Create failed to allocate a JavaScript object, preventing null pointers from being inserted into the statement cache.
    pull/62419
  • c-ares DNS server validation: Validation was added for the default c-ares DNS servers during the first query to ensure proper server configuration and reliability.
    pull/62411
  • Commit-queue tool update: The commit-queue tool was updated to respect a 7-day waiting period allowing pull requests with only one approval to be landed. This ensures the commit-queue label can be applied without failing due to the lack of a second review after the PR has been open for more than seven days.
    pull/62498
  • VM context creation change: The vm.createContext function was modified to avoid contextifying by default when no contextObject is provided, reducing script semantic breakage caused by interceptors and improving maintainability of spec-compliant behavior.
    pull/62459
  • Timer behavior clarification: The behavior of setTimeout was clarified by documenting that timer delays are tracked with millisecond precision internally, which can cause callbacks to appear up to 1ms early when measured with sub-millisecond clocks due to rounding. This addresses a long-standing source of confusion without changing the timer implementation.
    pull/62468
  • Target inspection refactor: The Target.getTargets method was added for worker inspection targets, and the target state and session lookup logic were extracted from TargetAgent into a new dedicated TargetManager class, improving code organization.
    pull/62487
  • File system test improvement: The test-fs-utimes was improved by capturing the expected modification time immediately before each utimes/lutimes/futimes call to prevent false test failures caused by normalization of negative numeric timestamps to the current time.
    pull/62490

3.2 Closed Pull Requests

This section provides a summary of pull requests that were closed in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Closed This Week: 31

Key Closed Pull Requests

1. buffer: improve performance of multiple Buffer operations: This pull request improves the performance of multiple Buffer operations in Node.js by optimizing methods such as copyBytesFrom, fill with ASCII input, indexOf for ASCII encoding, and swap16/32/64 through direct byte offset calculations, V8 Fast API C++ functions, and eliminating unnecessary intermediate allocations, resulting in significant benchmarked speedups without regressions.

  • URL: pull/61871
  • Associated Commits: 495fe, 01ba7, c705a, 6b3cf, f5c87, 59f5d

2. crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms: This pull request adds the TurboSHAKE and KangarooTwelve digest algorithms, based on RFC 9861 and using an adapted OpenSSL keccak1600 implementation, to the Web Cryptography API with tests verifying correctness against RFC test vectors and PyCryptodome-generated data, pending future native OpenSSL support for stable integration in node:crypto.

  • URL: pull/62183
  • Associated Commits: f80cc, dfeb5, e5d25, 44087, 95d3e

3. buffer: optimize Buffer.copy: This pull request aims to optimize the Buffer.copy method by reducing overhead through extending the V8 API, resulting in significant performance improvements in various buffer copy scenarios.

  • URL: pull/62491
  • Associated Commits: 785a5, 415af, 68bf4, 7da38

Other Closed Pull Requests

  • KeyObject API raw key format support: Multiple pull requests enhance the KeyObject APIs by adding support for raw key formats such as raw-public, raw-private, and raw-seed. These updates include integration with Web Cryptography APIs, removal of asynchronous KeyExportJob classes to reduce overhead, and partial backporting to the v25.x branch with updated Web Platform Tests.
    • pull/62240, pull/62454
  • OpenSSL 4.0 compatibility and configuration: Pull requests enable Node.js to compile and link with OpenSSL 4.0 by addressing failing tests, updating error code expectations, and allowing configuration to link against OpenSSL 4.0 alpha and beta versions. Additionally, a parameter is added to nix-shell configurations to select different OpenSSL versions.
    • pull/62410, pull/62464
  • Documentation updates and policies: Several pull requests update the documentation by switching to the npm-published doc-kit, adding a documentation policy banning LLM-generated content in commits, and adding Rafael as the steward for the latest security release.
    • pull/62139, pull/62447, pull/62423
  • Test runner coverage fixes: Pull requests fix issues in the test runner to exclude branch coverage (BRDA) entries from lcov output for lines marked with coverage ignore comments, ensuring accurate branch coverage percentages and aligning behavior with the c8 tool.
    • pull/62440, pull/62443
  • Event emitter performance improvements: A pull request optimizes the event emitter implementation by cloning the listeners array only when adding or removing listeners and skipping cloning if not currently emitting, resulting in better performance demonstrated by benchmarks.
    • pull/62261
  • Bug fixes in ECMAScript module loader: A pull request fixes a bug where the ensurePhase() function incorrectly evicts entries from the loadCache during phase upgrades, preventing ERR_MODULE_LINK_MISMATCH errors by avoiding deletion when a cache entry exists.
    • pull/62415
  • Test and CI stability improvements: Pull requests address flaky tests by forcibly closing open connections on Windows to mitigate race conditions in HTTPS and network tests, disable a flaky WPT Blob test on AIX due to a V8 race condition, and fix debugger test race conditions by ensuring full reattachment before proceeding.
    • pull/62449, pull/62466, pull/62470
  • Deprecations in crypto and HTTP modules: Pull requests implement runtime deprecation of crypto module features identified by DEP0203 and DEP0204, and propose deprecating the CRLF constant in the '_http_common' module in favor of using the string '\r\n' directly.
    • pull/62453, pull/62451
  • Developer workflow and contribution compliance: Pull requests propose adding a Developer Certificate of Origin (DCO) sign-off check to enforce commit sign-offs and ban LLM-generated content in commits to reduce reviewer burden and ensure DCO compatibility.
    • pull/62447, pull/62473
  • Miscellaneous minor updates and fixes: Pull requests include a typo fix in the ESM worker loader hook comment, a V8 engine cherry-pick fixing WebAssembly initializer handling on big-endian systems, and several unmerged minor edits and README updates.
    • pull/62475, pull/62449, pull/62426, pull/62428, pull/62429, pull/62441

3.3 Pull Request Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed pull requests that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed pull requests from the past week.


IV. Contributors

4.1 Contributors

Active Contributors:

We consider an active contributor in this project to be any contributor who has made at least 1 commit, opened at least 1 issue, created at least 1 pull request, or made more than 2 comments in the last month.

If there are more than 10 active contributors, the list is truncated to the top 10 based on contribution metrics for better clarity.

Contributor    Commits    Pull Requests    Issues    Comments
panva          38         12               0         2
aduh95         30         4                0         11
jasnell        10         7                0         28
bengl          3          1                0         21
joyeecheung    11         2                0         9
kovan          19         1                0         0
Qard           1          1                0         18
ronag          4          1                0         11
Renegade334    6          1                1         7
inoway46       8          4                0         2
