Weekly GitHub Report for Node: October 06, 2025 - October 13, 2025 (12:02:25)

Weekly GitHub Report for Node

Thank you for subscribing to our weekly newsletter! Each week, we deliver a comprehensive summary of your GitHub project's latest activity right to your inbox, including an overview of your project's issues, pull requests, contributors, and commit activity.

---

Table of Contents

• I. News
  • 1.1. Recent Version Releases
  • 1.2. Other Noteworthy Updates
• II. Issues
  • 2.1. Top 5 Active Issues
  • 2.2. Top 5 Stale Issues
  • 2.3. Open Issues
  • 2.4. Closed Issues
  • 2.5. Issue Discussion Insights

• III. Pull Requests
  • 3.1. Open Pull Requests
  • 3.2. Closed Pull Requests
  • 3.3. Pull Request Discussion Insights

• IV. Contributors
  • 4.1. Contributors

I. News

1.1 Recent Version Releases:

The current version of this repository is v23.10.0

1.2 Version Information:

On March 13, 2025, this Node.js release introduced the --experimental-config-file feature, allowing developers to use JSON configuration files to simplify flag management for test runners and other experimental features, enhancing developer experience. Additionally, the update included improvements such as updated root certificates, new TLS and V8 methods, enhanced error handling, and various tooling and documentation refinements.

II. Issues

2.1 Top 5 Active Issues:

We consider active issues to be issues that that have been commented on most frequently within the last week. Bot comments are omitted.

1. Update Logo Assets: This issue concerns updating several logo assets in the repository to reflect the new logo design, as some files still use the old version. Additionally, it highlights the lack of documentation on how to generate these logo files, which complicates future updates.

   • The initial comment requests assignment of the issue, but it is clarified that issues are generally not assigned and anyone can contribute. The original poster acknowledges this and commits to working on the update and submitting a pull request soon.
   • Number of comments this week: 3

2. NodeJS fails to build in a FIPS enabled environment: This issue describes a failure to build NodeJS version 22.18.0 on an aarch64 platform when FIPS mode is enabled in OpenSSL, resulting in an unsupported digest error during the build process. The error occurs specifically in the ninja build generator within the gyp-next toolchain, where the use of an unsupported hashing algorithm causes the build to fail consistently.

   • The comments clarify that the problem originates from the ninja generator in gyp-next, which uses a hashing method incompatible with FIPS, unlike the make generator that uses a different hash function also incompatible with FIPS but irrelevant here since the user is building with ninja.
   • Number of comments this week: 2

3. Create a GitHub actions workflow to reduce spammy PRs: This issue proposes creating a GitHub Actions workflow to automatically close spammy pull requests, particularly those arising during Hacktoberfest, to reduce the manual effort required by maintainers. The feature aims to leverage automation, possibly using tools like GitHub's AI moderator, to identify and handle low-quality PRs, while the exact logic for this automation is still under consideration.

   • The comment expresses a preference for manual review over automation due to concerns about fairness and false positives, noting that the volume of spammy PRs during Hacktoberfest has decreased in recent years, suggesting that manual workflows may still be effective.
   • Number of comments this week: 1

4. VM Module linking unclear error message: This issue concerns an unclear and misleading error message encountered when linking VM modules using the SourceTextModule API in Node.js, specifically when a second-layer dependency module without further imports triggers a link failure error. The user reports that the error message incorrectly states a module is "not been linked" despite it actually being linked, and highlights inconsistencies between the documentation and the implementation regarding the presence and use of the .linkRequests method on modules with or without dependencies.

   • The commenter identified that the root cause of the error was the absence of the .linkRequests method on modules without dependencies, which contradicts the documentation suggesting .linkRequests should be available regardless. They noted the need to conditionally call .link when .linkRequests is missing, questioned whether this discrepancy is a documentation or implementation issue, and provided detailed inspection output of module internals to support their findings.
   • Number of comments this week: 1

5. Async_hooks use case: Detecting which async callback blocks the event loop: This issue discusses the need for a supported method to identify which asynchronous callback is causing event loop blocking in Node.js, as the current approach using async_hooks.createHook() is discouraged in the documentation. The user is seeking guidance on whether there is an alternative or planned API that can provide the same level of insight into event loop delays without relying on async_hooks.

   • The single comment suggests using the Node.js inspector (node --inspect "filename.js") as a potential alternative to detect blocking callbacks, indicating interest in debugging tools rather than a direct API replacement.
   • Number of comments this week: 1

2.2 Top 5 Stale Issues:

We consider stale issues to be issues that has had no activity within the last 30 days. The team should work together to get these issues resolved and closed as soon as possible.

1. Flaky GC-related tests with V8 12.2: This issue addresses flaky garbage collection-related tests that have become unreliable with the update to V8 version 12.2, specifically mentioning tests like test-shadow-realm-gc-module, test-shadow-realm-gc, and test-net-write-fully-async-hex-string. The proposed approach is to skip these tests temporarily due to their instability caused by changes in V8's garbage collection strategy, while acknowledging that the current testing methods may not accurately detect native memory leaks and that a more robust solution needs to be developed later.
2. Flaky test-worker-arraybuffer-zerofill with V8 12.2: This issue concerns the flaky behavior of the test-worker-arraybuffer-zerofill test when running with V8 version 12.2, where the test intermittently fails due to a timeout after approximately 300 seconds. The problem may stem from either a genuine bug or broken timing assumptions causing lost messages, and the current approach is to mark the test as flaky while adding additional logging to aid in debugging.
3. Support loading dynamic addon modules (.node files) when embedding the Node.js shared library without needing to link with node.def: This issue addresses the challenge of loading dynamic Node.js addon modules (.node files) on Windows when Node.js is embedded as a shared library, specifically without requiring the embedding executable to link with the node.def file to reexport necessary symbols. The proposed feature suggests enhancing the delay load hook mechanism to optionally use an environment variable to locate the Node.js shared library module handle, thereby enabling addon modules to load correctly without the current linking dependency, though potential security concerns remain to be evaluated.
4. Please make Node.js embeddable (e.g. libnode): This issue requests the creation of an embeddable version of Node.js, such as a libnode library, to allow projects to integrate the Node.js runtime and standard library within other host environments, like Rust-based applications. The current lack of an easily embeddable Node.js runtime forces developers to rely on incomplete alternatives, and this feature would enable better reuse of existing tooling and dependencies without requiring significant rewrites.
5. unable to sign with external OpenSSL engine after usage of crypto.hash: This issue describes a problem where signing data with an external OpenSSL engine (specifically the gost-engine) fails after using the crypto.createHash method in Node.js version 21.7.1 on a Linux Debian system. The user reports that the signature operation throws an "unsupported" error related to digital envelope routines, which did not occur in earlier Node.js versions (21.6.2 and before), indicating a regression likely caused by recent changes in the Node.js crypto subsystem.

2.3 Open Issues

This section lists, groups, and then summarizes issues that were created within the last week in the repository.

Issues Opened This Week: 11

Summarized Issues:

• Debugging and Breakpoint Issues: Multiple issues report problems with debugging tools and breakpoints, including flaky test timeouts on macOS, unbound breakpoints in VSCode on Windows, and unclear error messages when linking nested SourceTextModules. These problems cause confusion and hinder effective debugging by producing misleading errors or failing to hit breakpoints as expected.
• issues/60157, issues/60159, issues/60194

• Event Loop and Async Callback Identification: There is a need for a supported method to identify which asynchronous callback is blocking the event loop, as the current reliance on the discouraged async_hooks API is problematic. This issue highlights the lack of alternatives to attribute event loop delays to specific async operations, complicating performance diagnostics.
• issues/60169

• Error Reporting and Assertion Failures: Several issues describe insufficient error reporting and internal assertion errors, including truncated SQL error messages in the sqlite module and an internal assertion error on Windows 10 when starting a program. These problems reduce the ability to diagnose issues effectively and may indicate underlying bugs or misuse of Node.js internals.
• issues/60198, issues/60211

• Module Resolution and Build Failures: Problems with module resolution and building Node.js are reported, such as the incorrect resolution of the chalk package causing ERR_REQUIRE_ESM errors and build failures on aarch64 platforms with OpenSSL FIPS enabled due to unsupported digest algorithms. These issues disrupt development workflows and CI processes by causing unexpected errors.
• issues/60202, issues/60204

• Repository Maintenance and Asset Management: There is a proposal to automate the closing of spammy pull requests during Hacktoberfest to reduce manual workload, alongside a request to update logo assets and improve documentation on generating these files. These efforts aim to improve repository maintenance and streamline asset updates.
• issues/60151, issues/60213

• API Enhancement Suggestions: A suggestion was made to extend the events.listenerCount() function to support both EventEmitters and EventTargets, broadening its utility beyond its current scope. This enhancement would provide a more universal utility for event listener counting.
• issues/60212

2.4 Closed Issues

This section lists, groups, and then summarizes issues that were closed within the last week in the repository. This section also links the associated pull requests if applicable.

Issues Closed This Week: 9

Summarized Issues:

• Feature Requests and Proposals: Several issues involve feature requests or proposals aimed at improving Node.js functionality, such as adding a native JavaScript function for case-insensitive string comparison and a general feature request titled "Uu" addressing a problem "Yu" with a proposed solution "Jujjj." Some proposals were closed due to dependencies on external components like the V8 engine or lack of additional comments.
• issues/60127, issues/60166

• Module and Option Behavior Issues: There is a reported problem with the sqlite module version 22.16.0 where the returnArrays option does not behave as expected, returning an array of objects instead of arrays of values, with the feature only added in version 22.18.0. This highlights version-specific functionality discrepancies affecting module behavior.
• issues/60128

• Security and Vulnerability Concerns: Issues include the addition or improvement of the SECURITY.md file and a security alert regarding Node.js 24.10.0 initially flagged for containing a vulnerable OpenSSL version 3.5.3, which was later confirmed to be patched to 3.5.4, resolving the vulnerability. These issues emphasize ongoing efforts to maintain and communicate security standards.
• issues/60170, issues/60193

• Release and Build Infrastructure Problems: The Node.js 24.10.0 release was missing critical darwin binary files, causing failures in automated workflows and tools relying on dynamic Node.js version downloads, which was resolved after promoting the missing files following a build infrastructure issue. This reflects challenges in release management and build processes.
• issues/60176

• Documentation and Usability Improvements: There is confusion caused by the npx help menu displaying mixed usage instructions from npm exec, prompting calls for clearer and more consistent help documentation to guide users properly. This issue highlights the need for improved user experience in command-line tool documentation.
• issues/60203

• Project Management and Review Requests: A review request was posted by the nodejs-github-bot seeking input from the @nodejs/net team, indicating ongoing collaborative project management and code review processes within the Node.js community.
• issues/60215

• Platform-Specific Command Execution: An issue involves executing a shell command via adb to run a script in the Android data directory for the Shizuku privileged API, showing platform-specific integration and scripting concerns.
• issues/60216

2.5 Issue Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed issues that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed issues from the past week.

---

III. Pull Requests

3.1 Open Pull Requests

This section provides a summary of pull requests that were opened in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Opened This Week: 34

Key Open Pull Requests

1. benchmark: improve cpu.sh for safety and usability: This pull request improves the benchmark/cpu.sh script by enhancing its safety and usability through adding Linux and root privilege checks, introducing reset and get commands for managing CPU governors, and providing a clearer usage guide with better feedback messages.

• URL: pull/60162

• Merged: No

• Associated Commits: 1de91, 33a28, f3ef1

2. benchmark: allow boolean option values in createBenchmark: This pull request proposes modifying the createBenchmark function to accept boolean option values, updates the related documentation accordingly, and replaces the use of 0/1 with boolean values in the randomUUID benchmark while deprecating the former approach.

• URL: pull/60129

• Merged: No

• Associated Commits: 5f9d0, ad0c9

3. util: do not print getters as regular property using inspect: This pull request ensures that special properties, primarily getters like byteLength and buffer, are not printed as regular properties during inspection by marking them accordingly and using square brackets, while also improving the robustness of inspecting detached DataViews, which previously failed.

• URL: pull/60131

• Merged: No

• Associated Commits: 65997, db620

Other Open Pull Requests

• Performance improvements in styleText function: This pull request optimizes the styleText function by moving the validation for colorization out of a loop to perform it once upfront, enhancing performance. This change reduces redundant checks and streamlines the function's execution.
  • pull/60133

• EventEmitter removeListener bug fix: The fix ensures the removeListener event is emitted when the last listener is removed, particularly for once() listeners, by moving the event emission logic outside a conditional block. Additional test coverage verifies this behavior to prevent regressions.
  • pull/60137

• Error handling improvements in buffer atob(): The atob() function was updated to throw a more specific RangeError with ERR_INVALID_ARG_VALUE on input string overflow, improving robustness and error clarity.
  • pull/60161

• REPL multiline input cursor and screen refresh fix: This change implements viewport-based rendering in the kRefreshLine() function to properly refresh the screen and maintain cursor position consistency when multiline input exceeds terminal height. It ensures only the visible portion of input centered around the cursor is displayed.
  • pull/60171

• Node-API instanceof tests decoupling from V8: The pull request copies and adapts V8 test files locally to make Node-API instanceof tests independent from V8 code, facilitating reuse across different JavaScript engines and runtimes.
  • pull/60190

• SQLite defensive flag support: Adds support for the SQLITE_DBCONFIG_DEFENSIVE API to enable enhanced security against untrusted SQL queries, including documentation and tests to verify the feature.
  • pull/60217

• Revert worker message port test change: This pull request reverts a previous commit that added a test ensuring the message event fires in the worker message port test, undoing the changes introduced by that commit.
  • pull/60126

• Typo fix in createBlobReaderStream: Corrects a misspelling of "proecss" to "process" in the createBlobReaderStream function to improve code clarity.
  • pull/60132

• Defensive coding in error object inspection: Introduces more defensive coding practices in the utility module when inspecting error objects to address a previously reported issue.
  • pull/60139

• Cluster module port reuse fix: Fixes port reuse issues in the cluster module by excluding message.index from the handle key except when the port is 0, ensuring only the latest handle for a successfully acquired port is stored.
  • pull/60141

• Test suite assertion reachability improvements: Enhances test reliability and coverage by ensuring assertions in the test/addons directory and test/client-proxy file are reachable.
  • pull/60142, pull/60175

• TLS ALPNProtocols documentation correction: Clarifies that valid array elements for TLS ALPNProtocols types are strings, correcting imprecise wording introduced in the initial feature commit.
  • pull/60143

• Enable libm trigonometric functions in V8: Enables use of libm trigonometric functions in V8 within Node.js to potentially improve performance on some platforms, supported by benchmarks and CI tests.
  • pull/60153

• Stack trace constructor name bug fix: Corrects the constructor name in the stack trace for the _errnoException in the Node.js library to fix a bug.
  • pull/60156

• Watch feature testing improvement: Adds a watch configuration namespace to improve the testing experience for the watch feature, which is currently difficult to test.
  • pull/60178

• Module system package.json "type" field validation: Adds validation to warn users when the "type" field in package.json contains invalid values like incorrect casing, improving clarity by displaying warnings about expected values "commonjs" or "module".
  • pull/60180

• Memory leak fixes in Promise and HTTP client parser: Fixes a memory leak in Promise.race() and Promise.any() by adding early returns in the C++ PromiseRejectCallback(), and also fixes a memory leak in the HTTP client parser by freeing the parser immediately upon detecting double HTTP responses in a single TCP chunk.
  • pull/60184, pull/60187

• ShadowRealm memory leak fix: Removes strong C++ references to ShadowRealm instances to allow V8’s garbage collector to reclaim native objects properly, fixing a memory leak in the ShadowRealm implementation.
  • pull/60188

• ESM vs CommonJS startup performance documentation: Adds a note explaining the startup performance differences between ECMAScript Modules (ESM) and CommonJS in Node.js.
  • pull/60192

• Pull request template confirmation step: Proposes adding a non-tutorial confirmation step to the pull request template to discourage submission of useless pull requests.
  • pull/60196

• vm.SourceTextModule link error message improvements: Improves error messages related to vm.SourceTextModule link errors by providing hints about the module identifier to aid debugging.
  • pull/60199

• SQLTagStore documentation corrections and expansions: Clarifies that SQLTagStore functions prepare query strings with placeholders rather than performing string interpolation, fixes argument types for tagged query methods, and repairs the StatementSync class definition block to improve documentation tooling.
  • pull/60200

• Use std::string_view in WriteReport(): Updates the WriteReport() function to use std::string_view for its arguments, aligning with a previous change to TriggerNodeReport().
  • pull/60201

3.2 Closed Pull Requests

This section provides a summary of pull requests that were closed in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.

Pull Requests Closed This Week: 32

Key Closed Pull Requests

1. Defend against crashing getters in util.inspect: fix error when logging DOMException.prototype (#60107): This pull request addresses a bug in Node.js where accessing getters on DOMException.prototype during inspection would throw a TypeError and crash the process, by updating the util.inspect function to safely handle exceptions thrown by property getters and instead output a readable error message without crashing.

• URL: pull/60210

• Merged: No

• Associated Commits: cea0f, c2100, 5083a, 54cd2

2. quic: continue working on quic api bits: This pull request continues the development of the QUIC API by improving API components, better handling QUIC constants, and adding a test and fix for IPv6-only handshakes.

• URL: pull/60123

• Merged: Yes

• Associated Commits: 419c8, 4eb70, bc19a

3. tools: add lint rule to ensure assertions are reached: This pull request introduces a new lint rule that prevents writing unreachable test assertions by ensuring assertions within callbacks are wrapped with common.mustCall, thereby improving test robustness in selected test subdirectories with plans to expand coverage in future updates.

• URL: pull/60125

• Merged: Yes

• Associated Commits: 747d5, bd14a, 16ea1

Other Closed Pull Requests

• VM Module Refactoring and Memory Leak Fixes: This pull request refactors the vm.SourceTextModule linkage process by splitting the asynchronous module.link(linker) operation into two synchronous steps, enabling fully synchronous creation and dependency resolution of VM modules. It also addresses memory leaks by clearing linked module caches upon instantiation and allows controlled overriding of linked requests in ModuleWrap.
  pull/60152

• Documentation Updates and Corrections: Multiple pull requests update documentation files including README.md and index.md, with some changes not merged into the main branch. These updates include switching to markdown formatting for branch differences, correcting method names, and small documentation and data changes contributed by a user.
  pull/60179, pull/60154, pull/60158, pull/60167, pull/60172, pull/60181, pull/60182, pull/60183, pull/60185

• Bug Fixes in Core Modules and Tools: Several pull requests fix bugs including a crash in the http2 module caused by mismatched ping buffer length, a cooldown property usage issue in tools, and build errors related to VTune support due to outdated paths. These fixes improve stability and correctness in various parts of the codebase.
  pull/60134, pull/60135, pull/60140

• Test Skips and Improvements on Specific Platforms: Pull requests skip problematic tests on IBM i and 32-bit platforms to avoid timeouts and integer overflow issues, and improve test reliability by ensuring assertions in async-hooks tests are reachable. These changes help maintain test suite stability across different environments.
  pull/60144, pull/60148, pull/60150, pull/60160

• Dependabot Configuration Fixes: A pull request fixes errors in the Dependabot configuration file by addressing reported issues and switching to the default-days setting to follow the DRY principle, improving automated dependency update management.
  pull/60147

• TypeScript Typings Addition: One pull request adds TypeScript typings for the internalBinding function related to the buffer module, enhancing type safety and developer experience.
  pull/60163

• V8 API and Code Modernization: Pull requests update deprecated V8 API calls to their newer variants and replace deprecated methods in benchmark code to maintain compatibility with the latest V8 engine and ensure use of up-to-date APIs.
  pull/60173, pull/60174

• Error Handling and Crash Prevention in Native Code: Pull requests propose removing unsafe uses of ToLocalChecked() in native code, replacing them with safer alternatives that return error codes on failure, thereby preventing unexpected crashes and aligning with existing error-handling macros.
  pull/60164, pull/60165

• Critical Memory Leak Fix in AbortSignal.any(): A pull request addresses a critical memory leak by removing premature addition of signals to the gcPersistentSignals set when no abort listeners are registered, enabling proper garbage collection and eliminating out-of-memory crashes without breaking backward compatibility.
  pull/60183

3.3 Pull Request Discussion Insights

This section will analyze the tone and sentiment of discussions within this project's open and closed pull requests that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.

Based on our analysis, there are no instances of toxic discussions in the project's open or closed pull requests from the past week.

---

IV. Contributors

4.1 Contributors

Active Contributors:

We consider an active contributor in this project to be any contributor who has made at least 1 commit, opened at least 1 issue, created at least 1 pull request, or made more than 2 comments in the last month.

If there are more than 10 active contributors, the list is truncated to the top 10 based on contribution metrics for better clarity.

Contributor	Commits	Pull Requests	Issues	Comments
jasnell	31	12	1	11
addaleax	25	1	0	25
Renegade334	14	8	2	12
joyeecheung	18	7	0	10
aduh95	13	9	0	12
richardlau	9	4	1	14
legendecas	14	5	0	9
targos	17	3	1	3
gurgunday	14	6	1	2
RafaelGSS	13	6	0	3