Weekly GitHub Report for Node

Thank you for subscribing to our weekly newsletter! Each week, we deliver a comprehensive summary of your GitHub project's latest activity right to your inbox, including an overview of your project's issues, pull requests, contributors, and commit activity.

Table of Contents

• I. News
  • 1.1. Recent Version Releases
  • 1.2. Other Noteworthy Updates
• II. Issues
  • 2.1. Top 5 Active Issues
  • 2.2. Top 5 Stale Issues
  • 2.3. Open Issues
  • 2.4. Closed Issues
  • 2.5. Issue Discussion Insights

• III. Pull Requests
  • 3.1. Open Pull Requests
  • 3.2. Closed Pull Requests
  • 3.3. Pull Request Discussion Insights

• IV. Contributors
  • 4.1. Contributors

I. News

1.1 Recent Version Releases:

The current version of this repository is v23.10.0

1.2 Version Information:

On March 13, 2025, this Node.js release introduced the --experimental-config-file feature, allowing developers to use JSON configuration files to simplify flag management for the test runner and other experimental features, enhancing developer experience. Additionally, the update included improvements such as updated root certificates, new TLS and V8 methods, enhanced error handling, and various tooling and documentation refinements.

II. Issues

2.1 Top 5 Active Issues:

We consider active issues to be issues that that have been commented on most frequently within the last week. Bot comments are omitted.

1. [META] Requiring Signed-off-by moving forward: This issue announces a new policy requiring all contributors to explicitly sign off on their commits using the Signed-off-by trailer, which serves as an attestation under the Developer Certificate of Origin (DCO) that they have the right to submit the code under the project's open source license. It explains the rationale, guidelines, exceptions, and how the new commit lint check will enforce this moving forward, while also addressing questions and concerns raised by the community in the comments.

   • The comments clarify enforcement details, confirm that bot commits are exempt, discuss tooling support and integration with GitHub Desktop and VSCode, address common confusions between GPG signing and sign-off trailers, and consider repository settings for commit sign-off policies, with contributors generally supportive but noting some rough edges and the need for iterative improvements.
   • Number of comments this week: 27

2. [FEATURE REQUEST] JSON Schema validation in Node.js core: This issue discusses the proposal to add built-in JSON Schema validation to the Node.js core, aiming to provide native, fast, and reliable validation for configuration files like node.config.json and potentially for userland use without external dependencies. The discussion covers the current lack of schema validation in Node.js, potential use cases, performance considerations, security concerns such as DoS resistance, and ongoing efforts including a draft PR and extensive testing with fuzzing and official test suites.

   • The comments express general support for starting with node.config.json validation, highlight the importance of performance and security especially for untrusted input, and note ongoing work on a validator that passes most official tests and integrates fuzzing; contributors emphasize the need for thorough testing and security review before broader adoption.
   • Number of comments this week: 11

3. [STREAM] Readable stream internal buffer grows unbounded under backpressure (regression vs Node 10): This issue reports that the internal buffer of a readable stream in Node.js versions 24.13.1 and 25.8.1 grows without bound under backpressure, which is a regression compared to Node 10 where the buffer size remained stable. The user provides a proof of concept demonstrating this behavior and contrasts it with the expected bounded buffer growth seen in Node 10, highlighting a potential performance or memory management problem in newer Node versions.

   • The comments discuss observations of the buffer growth behavior, with one user confirming the unbounded increase and another noting a cyclic pattern of buffer size changes, leading to a request for more details about the environment; the original reporter clarifies the OS and Node version used, emphasizing that the issue persists despite these factors.
   • Number of comments this week: 3

4. [FEATURE REQUEST] [SQLITE] sqlite: add serialize() and deserialize() to DatabaseSync: This issue proposes adding serialize() and deserialize() methods to the DatabaseSync class in order to enable extracting a database's contents as a binary buffer and loading a database from such a buffer, facilitating operations like snapshotting, cloning, and transferring databases entirely in memory. The feature aims to provide a more efficient alternative to current file-based workarounds or backup APIs by directly binding existing sqlite3_serialize and sqlite3_deserialize functions.

   • The comments show a user volunteering to implement the feature, noting that the underlying SQLite functions are already compiled in and just need binding. Other participants encourage the effort and highlight the benefits of in-memory database snapshotting and cloning without disk I/O, emphasizing the simplicity and speed improvements over current methods.
   • Number of comments this week: 3

5. [FS] Passing large value for mode option in fs.createWriteStream results in crash: This issue reports a crash occurring when passing a large numeric value for the mode option in fs.createWriteStream, which triggers a native assertion failure instead of a catchable RangeError as expected. The problem appears to be a regression caused by moving mode validation from JavaScript to the C++ layer, where the value exceeds the Int32 range but not the UInt32 range, leading to an unhandled assertion in the native code.

   • The comments identify the issue as a regression introduced by a recent change that shifted validation to C++, causing a crash due to an Int32 assertion failure. A contributor proposes two possible fixes: either adjusting the JavaScript validation to match the C++ expectations or adding additional checks specifically in stream constructors, and requests guidance on the preferred approach while planning to add regression tests.
   • Number of comments this week: 2

2.2 Top 5 Stale Issues:

We consider stale issues to be issues that has had no activity within the last 30 days. The team should work together to get these issues resolved and closed as soon as possible.

As of our latest update, there are no stale issues for the project this week.

2.3 Open Issues

This section lists, groups, and then summarizes issues that were created within the last week in the repository.

Issues Opened This Week: 11

Summarized Issues:

• Native module and memory corruption issues: This topic covers crashes and segmentation faults caused by memory corruption in native addons and internal modules. Issues include a sporadic segmentation fault due to .got.plt corruption in better_sqlite3.node and an assertion failure crash caused by malformed UNC hostnames in the node:url module.
• [issues/62515, issues/62546]

• Stream and buffer handling regressions: This topic involves regressions in stream and buffer management leading to performance and memory issues. It includes unbounded growth of readable stream internal buffers under backpressure and a documentation request to mention node:stream/consumers to prevent redundant implementations.
• [issues/62558, issues/62535]

• Process and child process performance regressions: This topic addresses severe performance regressions in process spawning on macOS, where command resolution via PATH is significantly slower in recent Node.js versions compared to earlier ones.
• [issues/62554]

• Parameter validation and error handling regressions: This topic covers crashes and assertion failures caused by mismatches in parameter validation between JavaScript and C++ layers. It includes a regression where passing a large mode value to fs.createWriteStream causes a native crash instead of a catchable error.
• [issues/62516]

• Feature proposals for improved developer ergonomics: This topic includes proposals to enhance Node.js with new features for better developer experience. Suggestions include adding a standardized runtime key for TypeScript source loading, serialize/deserialize methods for DatabaseSync to support in-memory snapshots, and a built-in JSON Schema validator for native configuration validation.
• [issues/62532, issues/62575, issues/62598]

• Commit and contribution policy enforcement: This topic covers the introduction of a new policy requiring contributors to include a Signed-off-by trailer in commit messages, enforced by commit lint checks to ensure compliance with the Developer Certificate of Origin.
• [issues/62577]

• Encoding implementation bugs: This topic highlights a bug in the TextEncoder.encodeInto method where encoding large UTF-8 subarrays fails due to a 32-bit integer overflow, causing zero bytes to be written, which was fixed in a later Node.js version.
• [issues/62610]

2.4 Closed Issues

This section lists, groups, and then summarizes issues that were closed within the last week in the repository. This section also links the associated pull requests if applicable.

Issues Closed This Week: 8

Summarized Issues:

• AbortSignal and Request Cancellation: This issue proposes adding a lazy req.signal property that provides an AbortSignal to automatically abort asynchronous operations when a client disconnects, simplifying cancellation logic in HTTP request handling. This addition aims to improve the management of request lifecycles by integrating native cancellation support.
• issues/62481

• Continuous Integration Trigger Improvements: This issue requests an improvement to the automation system to allow continuous integration (CI) to be triggered by a specific label applied by collaborators, rather than only by approved pull requests, to facilitate easier testing of changes. This change would enable more flexible and efficient testing workflows in the development process.
• issues/62496

• Temporal API Crash on Specific Platforms: This issue describes a fatal crash caused by running the Temporal API with the --harmony-temporal flag on various Node.js versions when creating a PlainYearMonth object with a Chinese calendar, resulting in an "unreachable code" error on Linux aarch64 and amd64 platforms. The problem affects stability and reliability of the Temporal API on these architectures.
• issues/62520

• UUIDv7 Native Support Proposal: This issue proposes adding native support for generating UUID version 7 (UUIDv7), a time-based UUID format useful for sorting and database distribution, directly within the Node.js Crypto module to avoid reliance on external libraries and align with recent PostgreSQL and Bun implementations. This would enhance the Crypto module's functionality and standardize UUID generation.
• issues/62529

• Web Streams API Documentation and Typings: This issue addresses the omission of the "cancel" method from the TransformStream "transformer" in the Web Streams API documentation and type definitions, despite its support in the underlying code according to the WHATWG streams standard. The inconsistency causes confusion and incomplete API references for developers.
• issues/62540

• Broken Internal Documentation Links: This issue addresses broken internal links on the Node.js child_process documentation page caused by a mismatch between underscores and dashes in anchor references, which appeared after a recent change and affects links outside the table of contents. This issue impacts navigation and usability of the documentation.
• issues/62580

• Prototype Property Assignment Behavior: This issue describes a problem where attempting to extend a class by writing to a non-writable prototype property results in a TypeError, which differs from browser behavior where such an assignment fails silently in non-strict mode. The discrepancy leads to inconsistent behavior between Node.js and browsers.
• issues/62604

• REPL Paste Behavior on WSL2: This issue describes a problem in the Node.js REPL on WSL2 where pasting text in the middle of a line causes the pasted characters to interleave incorrectly with existing content instead of inserting properly. This bug affects user experience and text input reliability in the REPL environment.
• issues/62614

2.5 Issue Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed issues that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed issues from the past week.

III. Pull Requests

3.1 Open Pull Requests

This section provides a summary of pull requests that were opened in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Opened This Week: 48

Key Open Pull Requests

1. [v24.x backport] doc: remove obsolete Boxstarter automated install: This pull request backports the removal of the obsolete Boxstarter automated install instructions from the Node.js documentation to the v24.x branch, addressing issue #61690 and incorporating reviews from multiple maintainers.

• URL: pull/62586

• Associated Commits: 3f764, 28dcb, 4f6e7, d84dd, e7698, 34640, a706f, 255ea, ade64, 34df4, 1aa23, 34700, 161d0, 0e905, 6e509, 0e59b, 8252b, eabfe, 8caa8, fa51d, 5764c, d5a95, 3c3c8, 45e41, 7e02b, 3fd36, 3d1f8, caaf6, 986f1, dc3c5, cb903, 41ec0, 95350, cf324, 4ca49, b6d23, 310bf, ceec4, 29747, 91c8b, f0158, 3df7d, dda29, 82470, 99b58, 58643, 80b65, dc7dc, 0c625, 40f5b, 37490, 09dcd, 68760, d4907, 17705, b7eda, b9de4, f87f5, d0062, bce42, cd7e1, 45e19, 479eb, 0ae39, c4684, 005a7, 5bd3b, da88e, 5f66d, fe245, 31a42, c27a1, da457, 1faf3, 1ff59, 5c737, 4dfc1, cbcf3, 417e1, 8b7dc, 8cd2f, 28ce0, a8ca1, ee1d6, d84dc, 07084, 375fb, 22e83, bbe55, 02509, 8952b, f1aa5, 532b9, af41b, 893a0, 677fd, b9561, 007e9, 3fa4b, a244c, eae4f, e496f, 8c061, 7f311, eddef, 9cf21, 2b48a, 59868, df6f6, 52a7b, b7dd8, 98f7a, 917b3, b10f7, b6d1d, 62ad1, a19df, 7c9aa, 7b636, dec3a, 1e3e7, a212d, c52ba, 5edd8, 01ba3, e7421, 1d186, 5c5ab, 11a9c, 74bc5, 41e2a, fff40, a0bf4, 366d5, 874aa, 2902f, f08a2, 9708f, 756ce, 88561, fa2a1, 43d60, 1e3e6, 322c5, 8200f, 40dee, 02ae8, c0c07, b5799, 22467, 3aa9f, 9b487, 0691f, 3c154, 060ac, ac323, 9e76f, 604c6, 68669, 0f333, f2dce, a5f3b, e267d, 77a11, eee8a, 6d9fc, a47fe, 4aa1c, f5f22, f9436, d0390, 33ef0, 7b832, 92ced, f5695, 75778, 6be82, 28bec, aaa3c, aff36, 5eea0, d1450, 4891f, fc632, fadb3, 5dfd0, 23265, aa744, 28b47, 4272a, 00682, 4d3f0, f0d71, d7472, f2d79, 73e80, 4055d, 1e9c2, 45aba, 1cfdf, fbc9e, f86cf, c708e, 68461, b0e52, e1673, ed015, 3063b, 60836, 87477, 24fd6, 4bdda

2. deps: update V8 to 14.8: This pull request updates the V8 JavaScript engine to version 14.8 in the Node.js project, including necessary patches, build adjustments, API deprecations handling, and platform-specific fixes to ensure compatibility and prepare for the Node.js 26.0.0 release.

• URL: pull/62572

• Associated Commits: 26ea5, d7aa9, 58a47, 66aef, 019b1, 67472, 33370, 78897, 89b1f, 5393e, 9fc31, 1e704, fb889, a1472, 96b08, efc83, 5fc6a, 84e5f, e62e3, 0d136, 9257d, 06dca, 0aa2a, a4290, 4a0d1, f1e0d, 501be, cd9f8, 1433e, c56b1, beff1

3. module: synchronously load most ES modules: This pull request implements a synchronous loading mechanism for most ES modules that do not use top-level await, significantly reducing the number of promises created during module evaluation by using a sync path when no async loader hooks or debugging flags are active, while maintaining identical behavior to the existing async loading path and including benchmarks to measure the performance improvements.

• URL: pull/62530

• Associated Commits: 6d13e, 54e90, 0baaf, a6626, e5294

Other Open Pull Requests

• macOS system certificate improvements: This pull request enhances the system certificate enumeration on macOS by fixing trust evaluation defaults, addressing memory leaks, deduplicating certificates, filtering expired certificates, and aligning behavior with Chromium's implementation. It also adds related tests and comments to improve reliability and correctness.
  pull/62576

• JSON Schema validation for node.config.json: This pull request adds the ata-validator (v0.4.3) as a new dependency to validate the node.config.json file before parsing. This integration provides users with clear and specific error messages for invalid configurations, improving configuration error handling.
  pull/62603

• QUIC packet handling refactor: This pull request replaces the shared freelist of ReqWrap objects with a per-Endpoint arena allocator, eliminating per-packet V8 object allocations and shared_ptr atomic operations. The change reduces memory overhead, fragmentation, and garbage collection pressure while improving performance and cache locality in high-throughput scenarios.
  pull/62589

• Build flags to suppress compiler warnings: This pull request adds several build flags to suppress unnecessary compiler warnings, especially on macOS. It updates build configurations and warning matchers for dependencies like V8 and libuv.
  pull/62563

• URL error handling improvements: This pull request improves URL error handling for triggered assertions in Node.js source code, addressing two assertion crashes that are not security issues. It serves as a follow-up to a previous commit.
  pull/62521

• Clarification on process._debugProcess() permissions: This pull request adds a documentation note clarifying that process._debugProcess() is not restricted by the Node.js Permission Model, specifically the kInspector permission scope. It ensures developers understand that cross-process Inspector activation via this method is allowed despite sandbox restrictions.
  pull/62537

• Internal improvements and documentation fixes: This pull request makes Float16Array a first-class primordial in key internal files, fixes typos in documentation files (stream_iter.md and util.md), and adds MDN documentation links for disposables in fs.md.
  pull/62542

• Fix error propagation in nested streams: This pull request addresses and fixes error propagation issues in nested stream compositions within Node.js, as detailed in the linked commits and referenced issue #60083.
  pull/62556

• Backport Wasm ESM JS string constants support: This pull request backports support for importing JavaScript string constants as ECMAScript module imports in WebAssembly modules to the Node.js 24.x branch. It extends Wasm ESM integration to handle static JS string constants from the special import name wasm:js/string-constants.
  pull/62569

• Backport review script enhancements: This pull request improves the backport review script by adding error messages when the gh CLI is not found, allowing CLI arguments to be interpreted by gh, setting up a trap handler to remove temporary files, and adding a prompt to quickly approve backport pull requests.
  pull/62573

• Fix process crash on malformed UNC hostname: This pull request fixes a process crash caused by a malformed UNC hostname in pathToFileURL() by adding a validation check and throwing an ERR_INVALID_URL error instead of crashing.
  pull/62574

• Add serialize/deserialize to SQLite DatabaseSync: This pull request adds serialize() and deserialize() methods to the DatabaseSync class in the SQLite module, enabling extraction and loading of in-memory databases as Uint8Arrays. It wraps underlying C APIs, facilitates snapshots and cloning without filesystem I/O, optimizes memory usage via direct V8 BackingStore integration, and handles sandbox restrictions.
  pull/62579

• Improve tooling output for WTP tests: This pull request improves tooling output to make it easier to identify which tests pass unexpectedly in the WTP test suite.
  pull/62587

• Add monotonic counter to UUIDv7 in crypto: This pull request adds a monotonic counter feature to the UUIDv7 implementation in the crypto module, following up on a previous related change. It also includes a fix for a flaky test.
  pull/62601

• Reference node:stream/consumers in documentation: This pull request adds a brief reference to the node:stream/consumers utility functions in the main stream documentation to improve discoverability. It addresses issue #62535 by highlighting convenient built-in methods for consuming streams.
  pull/62613

• Fix nested cycle-tracking cleanup in assert/util: This pull request fixes an issue where temporary nested cycle-tracking entries were not properly cleaned up after successful deepStrictEqual comparisons. This prevented incorrect failures for equivalent structures by removing stale memo entries after nested comparisons return.
  pull/62509

• Add ability to skip individual WPT subtests: This pull request introduces the ability to skip individual Web Platform Tests (WPT) subtests within a file by specifying exact test names or regular expressions in the skipTests configuration. This allows finer control over test execution to avoid crashes or manage resource-heavy tests in CI environments.
  pull/62517

• Fix filesystem readline issue: This pull request addresses the issue described in nodejs/node#12606 by implementing fixes related to the filesystem's readline functionality.
  pull/62525

• Node.js version update to 26.0.0: This pull request updates the Node.js project to version 26.0.0, marking the release as current as of April 21, 2026.
  pull/62526

• Enhance crypto.diffieHellman input handling: This pull request enhances crypto.diffieHellman() to accept key data directly as options.privateKey and options.publicKey in addition to KeyObject instances. It aligns input handling with other node:crypto functions and includes cleanup of Diffie-Hellman related jobs.
  pull/62527

• Update project metadata for emeritus status: This pull request updates project metadata to move Michael Dawson to emeritus status due to his current unavailability to contribute because of personal and work commitments.
  pull/62536

• Fix fs ReadStream/WriteStream mode validation: This pull request fixes a regression in the fs module by validating the mode option as a signed 32-bit integer before passing it to the C++ layer. It prevents assertion failure crashes and ensures a catchable RangeError is thrown when the mode value exceeds the Int32 maximum.
  pull/62538

• Make pause/resume no-ops on destroyed streams: This pull request modifies the stream module to ensure that calling pause or resume on destroyed streams has no effect, effectively making these operations no-ops.
  pull/62557

• Refactor duplexify to reduce prototype pollution risk: This pull request refactors the duplexify module in the stream library to reduce its susceptibility to prototype pollution vulnerabilities.
  pull/62559

• Mark stream.compose() as stable: This pull request marks the stream.compose() method as stable in the Node.js documentation.
  pull/62562

3.2 Closed Pull Requests

This section provides a summary of pull requests that were closed in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Closed This Week: 42

Key Closed Pull Requests

1. crypto: implement randomUUIDv7(): This pull request implements the crypto.randomUUIDv7() method to generate RFC 9562 version 7 UUIDs, which encode a millisecond-precision Unix timestamp in the most significant 48 bits for time-sortable UUIDs suitable as database primary keys, and includes various refinements such as direct UUID string construction from bytes, options to disable entropy cache, shared buffer pools with version 4 UUIDs, and updated documentation referencing the RFC.

• URL: pull/62553

• Associated Commits: 62871, 274b1, 87dd2, 82886, e3a4a, 8ddc4, 49dac

• Associated Commits: 62871, 274b1, 87dd2, 82886, e3a4a, 8ddc4, 49dac

2. inspector: auto collect webstorage data: This pull request implements automatic collection of Web Storage data in Node.js's inspector, enabling Web Storage to appear in DevTools by simply using the --experimental-storage-inspection flag without requiring any code changes or explicit event firing.

• URL: pull/62145

• Associated Commits: 1e514, d897b, 5c829, 3a726, 8fc09, 5debe

• Associated Commits: 1e514, d897b, 5c829, 3a726, 8fc09, 5debe

3. http: add req.signal to IncomingMessage: This pull request adds a lazy-initialized req.signal getter to the IncomingMessage class in Node.js, providing an AbortSignal that automatically aborts when the HTTP request is closed or aborted, thereby simplifying cancellation of asynchronous operations on client disconnects and aligning with the Web Fetch API's Request.signal.

• URL: pull/62541

• Associated Commits: e265c, 18f61, b9a13, bdf63, 48d11

• Associated Commits: e265c, 18f61, b9a13, bdf63, 48d11

Other Closed Pull Requests

3.3 Pull Request Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed pull requests that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed pull requests from the past week.

IV. Contributors

4.1 Contributors

Active Contributors:

We consider an active contributor in this project to be any contributor who has made at least 1 commit, opened at least 1 issue, created at least 1 pull request, or made more than 2 comments in the last month.

If there are more than 10 active contributors, the list is truncated to the top 10 based on contribution metrics for better clarity.