Weekly GitHub Report for Node: September 15, 2025 - September 22, 2025 (12:09:51)
Weekly GitHub Report for Node
Thank you for subscribing to our weekly newsletter! Each week, we deliver a comprehensive summary of your GitHub project's latest activity right to your inbox, including an overview of your project's issues, pull requests, contributors, and commit activity.
Table of Contents
I. News
1.1 Recent Version Releases:
The current version of this repository is v23.10.0
1.2 Version Information:
Released on March 13, 2025, this version introduces the --experimental-config-file feature, allowing developers to use JSON configuration files to simplify flag management for the test runner and other experimental features, enhancing developer experience. Additionally, it includes updates to root certificates, new TLS and V8 methods, improved error handling, and various documentation and tooling enhancements.
II. Issues
2.1 Top 5 Active Issues:
We consider active issues to be issues that that have been commented on most frequently within the last week. Bot comments are omitted.
-
import "typescript"slower thanrequire("typescript")due tocjs-module-lexeroverhead: This issue reports that importing thetypescriptpackage using ES moduleimportsyntax is significantly slower—about 100ms more—than using CommonJSrequire, due to overhead from Node.js'scjs-module-lexerparsing step. The problem arises becausetypescriptis a large CommonJS package, and the lexer must parse its huge main file to determine named exports, which impacts performance when usingimport.- The discussion explores potential solutions including renaming files to
.cjs, using a CommonJS wrapper to explicitly define exports, and employingcreateRequireto bypass the lexer overhead. Participants note that fully optimizing the lexer is challenging due to dynamic import patterns and multiple importers, and while converting TypeScript to ESM or using a wrapper could mitigate the issue, these approaches have trade-offs and may take time to implement broadly. - Number of comments this week: 8
- The discussion explores potential solutions including renaming files to
-
createZstdCompress throw error if set constants.ZSTD_c_nbWorkers: This issue reports that using the
createZstdCompressfunction with theconstants.ZSTD_c_nbWorkersparameter set causes anERR_STREAM_PUSH_AFTER_EOFerror during compression, which does not occur if the parameter is omitted. The user provides a minimal reproducible example involving a custom readable stream and notes that the error is consistently reproducible on Windows with Node.js version 22.17.0.- The comments clarify that the error is related to the custom readable stream pushing data after the end-of-stream signal, suggesting adjusting the stream’s
highWaterMarkoption to match the data size to prevent the error. It is also noted that using real files instead of the simulated stream avoids the error, and the problem appears tied to the interaction between the stream buffer size and theZSTD_c_nbWorkersparameter, with some disagreement about file size thresholds and the root cause. - Number of comments this week: 7
- The comments clarify that the error is related to the custom readable stream pushing data after the end-of-stream signal, suggesting adjusting the stream’s
-
Adding a vulnerability scanner as part of the dependency updates: This issue proposes integrating a vulnerability scanner into the dependency update process to ensure that pull requests do not introduce vulnerable dependencies. It also discusses strategies to delay dependency updates for a few days to mitigate risks from recently discovered vulnerabilities or malicious code in new versions.
- The comments focus on coordinating with the security working group, addressing potential race conditions by delaying updates using tools like npm's
--beforeflag or Dependabot's cooldown option, and considering grant funding to support this work, while acknowledging the need to balance security with timely updates. - Number of comments this week: 7
- The comments focus on coordinating with the security working group, addressing potential race conditions by delaying updates using tools like npm's
-
Node.js
--env-filesilently fails to parse large multiline values: This issue reports that the Node.js--env-fileflag in version 20.12.2 fails silently when parsing environment files containing large multiline quoted values, specifically those around 1383 characters or more, causing the variables to be ignored without any error message. The reporter highlights the difficulty in debugging this silent failure and requests either proper error handling or documentation of any size limitations to improve usability and reliability.- The comment acknowledges the issue and provides a clarification that the problematic value length might be closer to 1123 characters rather than 1383, suggesting a possible miscalculation in the original report. The commenter confirms ongoing investigation and requests the reporter to adjust the expected length in their test case accordingly, indicating active engagement in diagnosing the root cause.
- Number of comments this week: 1
-
In a bundled file when using setSourceMapsSupport prepareStackTrace is not overwritten: This issue reports that when using the
setSourceMapsSupportfunction in a bundled JavaScript file, theprepareStackTracemethod is not properly overwritten, resulting in error stack traces showing minified lines instead of the original source lines. The user expects the stack traces to reflect the original source code lines to aid debugging, especially in environments like AWS Lambda@edge where the--enable-source-mapsflag cannot be used.- The comment explains that the source map cache is only populated when certain module types are loaded or evaluated, and since the current module is not loaded, the cache lookup fails. Consequently, the
prepareStackTraceWithSourceMapsfunction cannot find the source map and returns the original minified lines instead of the mapped source lines. - Number of comments this week: 1
- The comment explains that the source map cache is only populated when certain module types are loaded or evaluated, and since the current module is not loaded, the cache lookup fails. Consequently, the
2.2 Top 5 Stale Issues:
We consider stale issues to be issues that has had no activity within the last 30 days. The team should work together to get these issues resolved and closed as soon as possible.
- Flaky GC-related tests with V8 12.2: This issue addresses flaky garbage collection (GC)-related tests that have become unreliable with the update to V8 version 12.2, specifically mentioning tests like
test-shadow-realm-gc-module,test-shadow-realm-gc, andtest-net-write-fully-async-hex-string. The proposed approach is to skip these tests temporarily due to their instability caused by changes in V8's GC strategy, with plans to find a more robust testing method in the future. - Flaky
test-worker-arraybuffer-zerofillwith V8 12.2: This issue concerns the flaky behavior of thetest-worker-arraybuffer-zerofilltest when running with V8 version 12.2, where the test intermittently fails due to a timeout after approximately 300 seconds. The problem may stem from either a genuine bug or broken timing assumptions causing lost messages, and the current approach is to mark the test as flaky while adding additional logging to aid in debugging. - Support loading dynamic addon modules (
.nodefiles) when embedding the Node.js shared library without needing to link withnode.def: This issue addresses the challenge of loading dynamic Node.js addon modules (.nodefiles) on Windows when Node.js is embedded as a shared library, specifically without requiring the embedding executable to link against thenode.deffile to reexport necessary symbols. The proposed feature suggests enhancing the delay load hook mechanism to optionally use an environment variable to locate the Node.js shared library module handle, thereby enabling addon modules to load correctly without the current linking dependency, though potential security concerns with this approach remain to be evaluated. - Please make Node.js embeddable (e.g. libnode): This issue requests the creation of an embeddable version of Node.js, such as a
libnodelibrary, to allow projects to integrate the Node.js runtime and standard library within other host environments, like Rust-based applications. The current lack of an easily embeddable Node.js runtime forces developers to rely on incomplete alternatives, and this feature would enable better reuse of existing tooling and dependencies without requiring significant rewrites. - unable to sign with external OpenSSL engine after usage of crypto.hash: This issue describes a problem where signing data with an external OpenSSL engine (specifically the gost-engine) fails after using the
crypto.createHashmethod in Node.js version 21.7.1 on a Linux Debian system. The error occurs consistently and produces an "unsupported" digital envelope routines error, which did not happen in earlier versions like 21.6.2, suggesting a regression likely related to recent changes in the Node.js crypto subsystem.
2.3 Open Issues
This section lists, groups, and then summarizes issues that were created within the last week in the repository.
Issues Opened This Week: 14
Summarized Issues:
- Environment Variable Parsing Issues: The
--env-fileflag in Node.js 20.12.2 fails silently when parsing environment files containing large multiline quoted values, causing those variables to be ignored without any error message. This silent failure complicates debugging and negatively impacts applications that rely on large environment variable values. - issues/59897
- Stream and Compression Errors: Using
createZstdCompresswith theconstants.ZSTD_c_nbWorkersparameter triggers a reproducibleERR_STREAM_PUSH_AFTER_EOFerror during compression, while omitting this parameter avoids the error. Additionally, thestream.pipelineAPI shows inconsistency where the callback version does not exposeoptionslike the promisified version, raising questions about intentional design and suggesting alignment for improvement. - issues/59899, issues/59909
- Security and Dependency Management Enhancements: There is a proposal to integrate a vulnerability scanner into the dependency update process to prevent pull requests from introducing vulnerable dependencies. Additional suggestions include delaying updates and monitoring for security fixes to mitigate risks such as supply chain attacks.
- issues/59911
- Module Import Performance and Resolution: Importing the CommonJS-based
typescriptpackage via ES moduleimportis significantly slower than usingrequiredue to overhead from Node.js’scjs-module-lexerparsing step. Separately, a proposal suggests adding an API or extendingrequire.resolveto directly resolve a package name to its directory containingpackage.json, addressing fragile and indirect current methods caused by modern package export restrictions. - issues/59913, issues/59918
- Database and Authorization API Proposals: A proposal exists to expose the SQLite Authorization API through the JavaScript API, enabling users to implement custom authorization or improve integration of SQLite's permission system within Node core.
- issues/59916
- Source Map and Debugging Limitations: When using
setSourceMapsSupportin bundled JavaScript files, theprepareStackTracefunction is not properly overwritten, causing error stack traces to show minified lines instead of original source lines. This issue hinders accurate debugging, especially in environments like AWS Lambda@edge where the--enable-source-mapsflag cannot be used. - issues/59927
- Windows Path Compatibility: A proposal suggests modifying Node.js to use the
C:/path format instead ofC:\\on Windows to resolve compatibility problems encountered when running Node.js within Cygwin environments. - issues/59933
- Permissions API Improvements: There is a proposal to add an "audit mode" to the permissions API that logs permission violations without enforcing them, allowing users to monitor resource access and fine-tune enforced permissions through trial and error without breaking code.
- issues/59935
- Diagnostics and Promise Handling Bugs: The
tracingChannel.tracePromisemethod forcibly converts custom promise implementations into native promises, causing wrapped OpenAI methods using custom promises to crash or lose their custom behavior. - issues/59936
- REPL Input Cursor Bug: In Node.js v25.0.0-pre, the REPL subsystem has a bug where the cursor in multiline input stops moving correctly when pressing the up arrow at the top visible line, causing the input rendering to freeze instead of updating as expected.
- issues/59938
- Test Coverage and Debugging Enhancements: When coverage testing is blocked by a pending promise in Node.js tests, the error report currently lacks detailed information about the origin of that promise. A request has been made to include file, line, and column information to help developers identify and fix the problem more effectively.
- issues/59940
- Flaky Test Failures in Debugger Mode: A flaky failure occurs in the test-watch-mode-inspect test on Linux x64, where the test times out and exits with code -15 during attempts to connect to a child Node process and interact with the debugger.
- issues/59948
2.4 Closed Issues
This section lists, groups, and then summarizes issues that were closed within the last week in the repository. This section also links the associated pull requests if applicable.
Issues Closed This Week: 9
Summarized Issues:
- Issue placeholders and incomplete entries: Several issues serve as placeholders or lack detailed descriptions, indicating incomplete or test entries in the repository. These issues do not provide actionable information or comments and have been closed or remain unresolved.
- [issues/59906, issues/59908]
- Review and pull request process problems: There is a reported problem where a review could not be added to a specific pull request, highlighting issues in the review workflow that require investigation and resolution. This affects the ability to properly manage code contributions and maintain quality control.
- [issues/59907]
- Security feature proposal for npm package installation: A feature request suggests blocking the installation of npm packages published within a configurable recent timeframe to prevent the use of potentially malicious updates before detection. This aims to enhance security by reducing exposure to newly published harmful packages.
- [issues/59912]
- Application demos and prototypes: A demo React Native app for a National Education Management System is described, featuring multi-role login and mock backend data storage, intended as a prototype to be replaced with a real backend in production. This serves as an example application to demonstrate basic functionality and workflows.
- [issues/59915]
- Runtime errors and bug fixes in Node.js: Several issues describe runtime errors such as an intermittent internal assertion failure resolved by updating Node.js, and a TypeError in the HTTP/2 server related to WebSocket upgrade handling, which was fixed by a pull request. These highlight ongoing maintenance and bug resolution efforts in the Node.js runtime.
- [issues/59921, issues/59922]
- Basic application development with Express.js: An issue outlines the implementation of a simple inventory application using Express.js with RESTful API endpoints and in-memory storage, demonstrating basic CRUD operations. This reflects development of example or starter applications within the repository.
- [issues/59930]
- Intermittent test failures in performance testing: A flaky test failure is reported in the performance event loop delay test on Linux x64, caused by an assertion error related to histogram minimum values, leading to intermittent test instability. This points to challenges in maintaining reliable automated testing under certain conditions.
- [issues/59949]
2.5 Issue Discussion Insights
This section will analyze the tone and sentiment of discussions within this project's open and closed issues that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.
Based on our analysis, there are no instances of toxic discussions in the project's open or closed issues from the past week.
III. Pull Requests
3.1 Open Pull Requests
This section provides a summary of pull requests that were opened in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.
Pull Requests Opened This Week: 25
Key Open Pull Requests
1. sqlite: create authorization api: This pull request introduces a new authorization API for SQLite in the Node.js project, including the creation of an authorization method, improved error handling, and comprehensive documentation for the setauthorizer method, while also addressing code formatting and cleanup.
- URL: pull/59928
- Merged: No
2. Benchmark/add workflow to test all configs: This pull request introduces a new environment variable NODE_RUN_ALL_BENCH_TESTS to enable running all benchmark configurations during tests, adds benchmark tests for multiple modules, updates documentation with details on writing benchmark tests and environment variables, and renames inconsistent test files to use underscores instead of dashes.
- URL: pull/59919
- Merged: No
3. node-api: Add node_api_create_object_with_properties method: This pull request introduces the node_api_create_object_with_properties method to the Node.js API, aiming to provide an engine-agnostic yet optimized way to create objects with properties, accompanied by benchmarks and tests demonstrating significant performance improvements over the previous method.
- URL: pull/59953
- Merged: No
Other Open Pull Requests
- Configuration file parsing fixes: This backport to the v22.x branch fixes issues with parsing configuration files for flags that default to true, adds support for namespace options, improves error messages for unknown options, and cleans up code to prevent unreachable code warnings. These changes collectively enhance the reliability and clarity of configuration handling.
- QUIC implementation testing: This pull request adds ngtcp2 client and server sample binaries to project dependencies to enable continuous integration testing of the QUIC implementation and verify interoperability with existing implementations. This addition supports more robust testing of QUIC features.
- IPv6 support in proxy and NO_PROXY handling: Multiple pull requests improve IPv6 support by adding comprehensive IPv6 address range handling to the
NO_PROXYenvironment variable and simplifying proxy configuration handling for HTTP and HTTPS to properly support IPv6 addresses. These changes include new helper functions, updated proxy bypass logic, removal of unnecessary properties, and added tests to verify correct functionality and error handling.
- REPL improvements: One pull request moves REPL completion logic into a dedicated internal module to improve maintainability and clarity, while another resolves issues with multi-line input history navigation and cursor movement to ensure smooth and consistent user experience. These changes enhance both code structure and interactive usability of the REPL.
- worker_threads documentation clarification: This pull request clarifies the
worker_threadsmodule documentation by distinguishing between the top-level module exports and the Worker prototype properties, which were previously both referred to asworker.*, reducing confusion for users.
- sqlite module backport improvements: This backport cleans up ERM support, exports the Session class, updates Session to support Symbol.dispose, and moves dispose method definitions to C++ to address an open TODO. These changes improve the sqlite module's resource management and API completeness.
- Node.js v25.0.0 release plan: This pull request proposes the release plan and detailed semver-major changes for Node.js version 25.0.0, including end-of-life deprecations, dependency updates like V8, build system changes, and various API removals and runtime deprecations across core modules.
- Module format exposure: This pull request proposes exposing the
module.formatproperty to assist users relying onrequire.cachein determining the format of cached modules, improving module inspection capabilities.
- HTTP/2 header validation option: A new
strictSingleValueFieldsoption is introduced in HTTP/2 to relax strict validation that prevents sending multiple values for headers or trailers defined as single-value. This allows more flexible handling of such headers in edge cases while preserving default behavior.
- Command-line options stabilization: This pull request proposes marking the
--env-fileand--env-file-if-existscommand-line options as stable features in the documentation, reflecting their readiness for official use.
- Synchronous hooks validation relaxation: This pull request relaxes validation in synchronous hooks to accept a nullish source returned by the default step of the asynchronous loader for CommonJS modules, introducing a more sensible synchronous default load step that reduces excessive disk reloading when no customization hooks are registered.
- enableCompileCache API improvements: This pull request fixes the option name to
directoryin the enableCompileCache() API for consistency, adds support for environment variable overrides, and improves documentation for the new options.
- Documentation typo fix: This pull request corrects a typographical error in the documentation section concerning the order of microtasks.
- Buffer performance optimization: This pull request restores the Buffer.isBuffer() check in the fixBufferList function to prevent unnecessary Buffer.from() calls, improving performance by 30-50% in buffer-heavy UDP operations and includes benchmark tests verifying improvements across data types and chunk sizes.
- WebAssembly JS Promise Integration: This pull request enables the WebAssembly JS Promise Integration (JSPI) Stage 4 proposal, currently supported in Chrome, and adds a new Wasm test to verify correct functionality.
- Crypto object update: This pull request updates crypto objects in the source code to use the v8::DictionaryTemplate for improved implementation consistency.
- diagnostics_channel.tracePromise() behavior fix: This pull request fixes behavioral inconsistencies in
diagnostics_channel.tracePromise()by ensuring it always returns the original function's return value unmodified, eliminating state-dependent polymorphism and preserving tracing semantics without altering promises or non-thenable values.
- Memory management refactor: This pull request refactors memory management of
uv_process_options_tby replacing manualnew[]/delete[]allocations with RAII techniques to prevent memory leaks inProcessWrap::Spawn()and ensure automatic resource release.
- V8 Fast API guidelines update: This pull request updates the V8 Fast API contribution guidelines by removing outdated information about the
fallbackoption, which no longer exists inFastApiCallbackOptions, preventing misunderstandings.
- Event message test addition: This pull request adds a test using
common.mustCallAtLeast()to verify that the'message'event is properly fired.
3.2 Closed Pull Requests
This section provides a summary of pull requests that were closed in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.
Pull Requests Closed This Week: 16
Key Closed Pull Requests
1. quic: multiple quic updates, update ngtcp2 dependency: This pull request makes multiple updates and cleanups to the QUIC implementation in Node.js, including refactoring transport parameters, packets, sessions, and streams, migrating QUIC tests to the mjs format, and updating the ngtcp2 dependency to version 1.15.1.
- URL: pull/59884
- Merged: Yes
2. tools: fix tools/make-v8.sh for clang: This pull request updates the tools/make-v8.sh script to support building with both gcc and clang by adding clang-specific settings when the CC/CXX environment variables are set accordingly, disabling warnings treated as errors, and removing goma and machine-specific settings which have been relocated to Jenkins job configuration.
- URL: pull/59893
- Merged: Yes
3. src: reduce the nearest parent package JSON cache size: This pull request reduces the memory usage of the nearest parent package JSON cache in Node.js by reverting the cache mapping from individual module file paths to their parent package.json objects back to a more efficient map keyed by package.json file paths, thereby managing cache size and improving heap usage without significant runtime performance impact.
- URL: pull/59888
- Merged: Yes
- Associated Commits: 16d38
Other Closed Pull Requests
- String Handling Optimization: This pull request replaces the use of
FIXED_ONE_BYTE_STRING(isolate, "...")literals in the source code with Environment-cached strings to improve string handling efficiency. The change aims to optimize how strings are managed internally for better performance.
pull/59891
- URLPattern Implementation Update: This pull request completes the update of the
URLPatternimplementation to utilizeDictionaryTemplatemore extensively in the source code. This enhances the internal structure and maintainability of the URLPattern feature.
pull/59892
- Error Handling Improvement for process.cwd(): This pull request aims to catch the ENOENT error from process.cwd(), rethrow it as an ERR_SYSTEM_ERROR with detailed context including the syscall and error code, preserve the original error as the cause, and thereby provide a clearer, more actionable message and improved stack trace when the current working directory has been deleted or unmounted. This improves debugging and error clarity for users encountering this specific issue.
pull/59902
- README.md Updates (Unmerged): Multiple pull requests propose updates to the README.md file of the Node.js project but were not merged. These attempts indicate ongoing efforts to improve documentation, though none have been integrated yet.
pull/59903, pull/59920, pull/59926
- ECMAScript Module Debugging Fix: This pull request modifies the
hasAsyncGraphproperty in the ECMAScript module implementation to be non-enumerable in order to prevent debug() calls from attempting to display it and causing errors. This change improves the debugging experience by avoiding unnecessary errors during inspection.
pull/59905
- Diagnostics Channel Race Condition Fix: This pull request fixes a race condition in the diagnostics_channel module related to the asynchronous execution of FinalizationRegistry callbacks during garbage collection, ensuring that channel instances are correctly preserved in the WeakRefMap even when objects are garbage collected and recreated within the same event loop. This ensures stability and correctness in diagnostics data handling.
pull/59910
- npm Installation Script Configuration: This pull request adds a .npmrc configuration file with the setting ignore-scripts=true to prevent automatic execution of dependency scripts during installation, while allowing exceptions by explicitly adding --no-ignore-scripts in specific scripts if needed. This enhances security and control over npm install behavior.
pull/59914
- ProcessRunner Naming Convention Update: This pull request renames the private fields of the
ProcessRunnerclass to adhere to thesnake_case_naming convention as outlined in the project's C++ style guide. This aligns the codebase with established style guidelines for consistency.
pull/59923
- HTTP/2 WebSocket Upgrade Fix: This pull request fixes the HTTP/2 implementation to correctly support HTTP/1 websocket upgrades by addressing a break caused by the recent addition of the
shouldUpgradeCallback, ensuring compatibility for websockets over HTTP/1 on HTTP/2 servers and also includes a fix for the websocket test server's connection shutdown to prevent errors introduced by an update to the Undici library. This restores expected websocket functionality and test stability.
pull/59924
- Contribution and Issue Reference (Unmerged): This pull request references and addresses issues from the Node.js and Undici projects, includes a review by James M Snell, and follows the Node.js contribution guidelines, but it has not been merged. It reflects ongoing collaboration and review processes.
pull/59937
- GitHub Actions Workflow Addition: This pull request proposes the creation of a new GitHub Actions workflow file named webpack.yml intended to set up or configure webpack-related automation for the project. This aims to enhance CI/CD automation related to webpack.
pull/59939
3.3 Pull Request Discussion Insights
This section will analyze the tone and sentiment of discussions within this project's open and closed pull requests that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.
Based on our analysis, there are no instances of toxic discussions in the project's open or closed pull requests from the past week.
IV. Contributors
4.1 Contributors
Active Contributors:
We consider an active contributor in this project to be any contributor who has made at least 1 commit, opened at least 1 issue, created at least 1 pull request, or made more than 2 comments in the last month.
If there are more than 10 active contributors, the list is truncated to the top 10 based on contribution metrics for better clarity.
| Contributor | Commits | Pull Requests | Issues | Comments |
|---|---|---|---|---|
| joyeecheung | 42 | 10 | 6 | 24 |
| jasnell | 29 | 4 | 2 | 26 |
| Renegade334 | 21 | 8 | 3 | 12 |
| panva | 33 | 4 | 0 | 4 |
| legendecas | 22 | 4 | 0 | 13 |
| targos | 25 | 3 | 0 | 11 |
| addaleax | 14 | 3 | 0 | 22 |
| aduh95 | 20 | 3 | 0 | 8 |
| brunocroh | 25 | 4 | 0 | 0 |
| RafaelGSS | 20 | 6 | 0 | 2 |