Weekly GitHub Report for Node: September 22, 2025 - September 29, 2025 (12:06:23)
Thank you for subscribing to our weekly newsletter! Each week, we deliver a comprehensive summary of your GitHub project's latest activity right to your inbox, including an overview of your project's issues, pull requests, contributors, and commit activity.
Table of Contents
I. News
1.1 Recent Version Releases:
The current version of this repository is v23.10.0
1.2 Version Information:
Released on March 13, 2025, this version introduces the --experimental-config-file feature, allowing developers to use JSON configuration files to simplify running tests and managing numerous flags, thereby enhancing developer experience. Additionally, it includes updates to root certificates, new TLS and V8 methods, improved error handling, and various tooling and documentation enhancements.
II. Issues
2.1 Top 5 Active Issues:
We consider active issues to be issues that have been commented on most frequently within the last week. Bot comments are omitted.
- Use CSPRNG for Math.random(): This issue discusses the proposal to replace the current pseudorandom number generator (PRNG) used by Math.random() with a cryptographically secure pseudorandom number generator (CSPRNG), specifically suggesting the use of ChaCha variants to improve randomness quality without claiming cryptographic security. The conversation highlights concerns about maintaining consistency with other JavaScript engines, the potential confusion around the security guarantees of Math.random(), and the importance of using dedicated CSPRNG APIs for security-sensitive applications.
- The comments emphasize that Math.random() should behave consistently across environments, reflecting its current non-cryptographic nature, and caution against changing its underlying algorithm to a CSPRNG as it could mislead developers. Participants agree that while a CSPRNG could technically back Math.random(), it is safer to rely on explicit cryptographic APIs for secure randomness, and that the existing specification only requires uniform distribution without mandating a specific algorithm.
- Number of comments this week: 8
- Node crashes outright when debugging HTTP/2 network requests, and its network debugging behaves differently from the browser's (original title: 关于node中的http2网络请求调试时直接闪退以及与浏览器网络调试行为不一致的问题): This issue reports a crash occurring in Node.js when debugging HTTP/2 network requests using the experimental network inspection feature, specifically on Windows platforms. The crash happens without any error message whenever a network request whose body JavaScript has not read is inspected in the Node.js debugging console, and a proposed fix involving changes to base64 encoding logic in the inspector code appears to resolve the problem.
- The comments clarify the reproduction steps, emphasizing the need to set a user-agent header in fetch requests to trigger the bug, and note that the crash only occurs when the response body is not read. Users confirm the issue consistently impacts debugging, and the original poster shares a code fix generated by AI that safely adjusts buffer allocation in base64 conversion, which successfully prevents the crash.
- Number of comments this week: 5
- Buffer#copy (and Buffer.concat) can read/write process memory on certain input: This issue describes a vulnerability in the Buffer#copy and Buffer.concat methods where, given certain crafted inputs with manipulated length properties, these functions can read and write uninitialized or out-of-bounds process memory, potentially exposing sensitive data or allowing memory corruption. The problem appears to be a regression introduced in recent Node.js versions (>=22.7 and 24) and is rooted in the native _copy implementation, with demonstrations showing that this behavior can lead to crashes or unauthorized memory access.
- The comments discuss the security implications of this behavior, noting that while it is not classified as a security issue under the current Node.js threat model because malicious JavaScript is not considered, it could still be exploited to bypass permission restrictions and cause heap overflows. Participants clarify that the permission model is not designed to defend against malicious code, and similar issues have previously been considered CVE-worthy, emphasizing the potential risks despite the official stance.
- Number of comments this week: 4
- Add Promise-based closed(), exited(), and succeeded() to ChildProcess: This issue proposes adding Promise-based helper methods, closed(), exited(), and succeeded(), to the ChildProcess class in Node.js to simplify handling the asynchronous completion of spawned child processes. These methods aim to reduce verbose event listener code by providing convenient promises that resolve or reject based on the child process's lifecycle events and exit status, improving developer ergonomics when using the spawn API.
- The discussion highlights that the existing events.once utility already provides much of the desired functionality for closed() and exited(), which diminishes enthusiasm for adding those methods; however, there is still interest in a succeeded() method or in making ChildProcess thenable to allow awaiting a child process directly. A proof-of-concept polyfill for a thenable ChildProcess was shared, and the conversation reflects a preference for minimal, non-controversial additions that improve usability without duplicating existing features.
- Number of comments this week: 3
- Latest v22 version caused hash update function to behave unusually: This issue reports that the latest v22.20.0 release of Node.js causes the hash update function in the crypto subsystem to fail with an error when attempting to hash a file, despite the hash output still matching expected results. The problem is reproducible on both Linux and Windows platforms and appears linked to changes introduced with the OpenSSL 3.5.1 update.
- The comments indicate no obvious cause in the v22.20.0 release notes, but bisecting points to the OpenSSL 3.5.1 update as the source of the failure. Additionally, it is noted that the test code uses an unusual pattern by piping a file stream into the hash and then calling hash.update on the data event, which may contribute to the error.
- Number of comments this week: 3
2.2 Top 5 Stale Issues:
We consider stale issues to be issues that have had no activity within the last 30 days. The team should work together to get these issues resolved and closed as soon as possible.
- Flaky GC-related tests with V8 12.2: This issue addresses flaky garbage collection (GC)-related tests that have become unreliable with the update to V8 version 12.2, specifically mentioning tests like test-shadow-realm-gc-module, test-shadow-realm-gc, and test-net-write-fully-async-hex-string. The proposed approach is to skip these tests temporarily due to their instability caused by changes in V8's GC strategy, with plans to find a more robust testing method later, as the current failures are likely due to incorrect test assumptions rather than actual bugs.
- Flaky test-worker-arraybuffer-zerofill with V8 12.2: This issue concerns the flaky behavior of the test-worker-arraybuffer-zerofill test when running with V8 version 12.2, where the test intermittently fails due to a timeout after approximately 300 seconds. The problem may stem from a genuine bug or broken timing assumptions causing lost messages, and the current approach is to mark the test as flaky while adding additional logging to aid in debugging.
- Support loading dynamic addon modules (.node files) when embedding the Node.js shared library without needing to link with node.def: This issue addresses the challenge of loading dynamic Node.js addon modules (.node files) on Windows when Node.js is embedded as a shared library, specifically without the need to link the embedding executable with the node.def file to reexport necessary symbols. The proposed feature suggests enhancing the delay load hook mechanism to optionally use an environment variable to locate the Node.js shared library module handle, thereby enabling addon modules to load correctly without requiring the executable to be linked with node.def, though potential security concerns remain to be evaluated.
- Please make Node.js embeddable (e.g. libnode): This issue requests the creation of an embeddable version of Node.js, such as a libnode library, to allow projects to integrate the Node.js runtime and standard library within other host environments, like Rust-based applications. The current lack of an easily embeddable Node.js runtime forces developers to rely on incomplete alternatives like Deno or attempt complex workarounds, limiting the reuse of existing Node.js tooling and dependencies in various projects.
- unable to sign with external OpenSSL engine after usage of crypto.hash: This issue describes a problem where signing data with an external OpenSSL engine (specifically the gost-engine) fails after using the crypto.createHash method in Node.js version 21.7.1 on a Linux platform. The user reports that while the signature operation works correctly before creating a hash, it subsequently throws an "unsupported" error related to digital envelope routines, indicating a regression introduced in Node.js versions 21.7.0 and 21.7.1 compared to earlier versions like 21.6.2.
2.3 Open Issues
This section lists, groups, and then summarizes issues that were created within the last week in the repository.
Issues Opened This Week: 23
Summarized Issues:
- Module Loading and Import Errors: Multiple issues describe problems with module loading and import behavior in Node.js, including assertion errors when requiring ESM modules from TypeScript files in nested ESM/CJS contexts, errors caused by chaining asynchronous loaders, and failures when requiring or importing certain NPM modules ending with ".js". These bugs disrupt expected module resolution and cause exceptions or crashes during import operations.
- [issues/59963, issues/59998, issues/60003]
- Network and HTTP/2 Inspection Bugs: Several issues report critical bugs in Node.js's network inspection and HTTP/2 handling, such as crashes when inspecting unread HTTP/2 responses in Chrome DevTools, failure to decompress Brotli-encoded HTTP responses due to case-sensitive header detection, and a race condition causing HTTPS requests to hang. These problems affect network debugging and request reliability.
- [issues/59971, issues/59972, issues/60001]
- Memory Safety and Buffer Handling Vulnerabilities: There are serious security concerns where Buffer methods like Buffer#copy and Buffer.concat can read or write out-of-bounds memory due to crafted inputs, potentially exposing or corrupting process memory. Additionally, a memory leak in HTTPParser causes ClientRequest objects to remain in memory indefinitely under certain conditions.
- [issues/59985, issues/60025]
- Profiling and Event Emission Issues: Profiling native addons built with Node-API misattributes function calls, and sockets no longer emit expected removeListener events in recent Node.js versions, breaking profiling accuracy and event-driven behavior in applications.
- [issues/59976, issues/59977]
- Child Process and Test Runner Behavior: Problems with child process management include the lack of Promise-based helper methods for common events, and test runner hangs or empty coverage reports when using isolation: "none" in cluster child processes or with coverage enabled. These issues complicate asynchronous process handling and test reliability.
- [issues/59994, issues/60020, issues/60023]
- Security and Cryptography Enhancements and Failures: Proposals and bugs related to cryptography include adding secure memory management features to clear sensitive data, a cryptographically secure PRNG proposal to replace Math.random(), and a reproducible unhandled error in the crypto hash update function linked to OpenSSL 3.5.1. These affect security and cryptographic robustness.
- [issues/59965, issues/60011, issues/60013]
- Readline and Module Resolution Bugs: The readline subsystem fails to respect the preserveCursor parameter causing output overwrites, and requiring the built-in node:fs module with custom resolution hooks triggers a TypeError due to undefined exports, indicating issues in core module handling and terminal output behavior.
- [issues/60004, issues/60005]
- Syntax and Compilation Errors: A bogus syntax error occurs in TypeScript scripts due to a bug in the SWC compiler, and regex modifier syntax behaves incorrectly causing case-insensitive matches where not expected, affecting code correctness and developer experience.
- [issues/60007, issues/60030]
- Thread-Safe Function Finalizer Race Condition: The user-provided finalizer callback for Thread-Safe Functions may run before the queue is fully drained when aborted, potentially causing invalid pointer usage and unsafe cleanup, risking crashes or undefined behavior in native addon callbacks.
- [issues/60026]
- Async Hook and Crash on Unhandled Rejections: A crash occurs in Node.js 20.19.0+ due to async hook stack corruption triggered by unhandled promise rejections combined with asynchronous file reading, causing native assertion failures and process aborts instead of graceful error handling.
- [issues/60034]
- Virtual File System and Single Executable Applications: A proposal to implement Virtual File System hooks aims to provide a standardized way for Single Executable Applications to override read-only filesystem operations, addressing current challenges with monkey-patching and compatibility.
- [issues/60021]
2.4 Closed Issues
This section lists, groups, and then summarizes issues that were closed within the last week in the repository. This section also links the associated pull requests if applicable.
Issues Closed This Week: 7
Summarized Issues:
- Spam and Unexplained Closures: Some issues, such as spam content submissions and vague or empty issue reports, have been closed without any comments or explanations, leading to a lack of transparency in issue management. This includes issues that provide no useful information or context, which are quickly dismissed without community engagement.
- issues/59975, issues/60035
- User Support and Learning Requests: Users have sought help with learning Node.js and creating APIs, with some community members providing helpful resources like installation guides. These interactions highlight the community's role in supporting newcomers despite the informal nature of such requests.
- issues/60010
- Concerns About AI Code Assistants: There are serious concerns about AI coding assistants modifying user code without explanations, which introduces significant commercial risks due to the absence of transparency and accountability. This issue underscores the need for safeguards when integrating AI-generated code changes.
- issues/60015
- Feature Proposals for SQL Tag Templates: Proposals have been made to add features such as creating SQL tag templates using in-memory database instances, aiming to enhance Node.js functionality for database operations. These feature requests reflect ongoing efforts to improve developer experience with database integrations.
- issues/60018
- Compatibility and Legacy Support: Questions have been raised about the compatibility of legacy Node.js versions, like 8.11.3, with newer operating systems such as Windows 11, despite these versions being officially unsupported. Users seek information on known issues or workarounds to maintain legacy environment functionality.
- issues/60019
- Console.log Optimization Discussions: Discussions about improving the console.log function have occurred, inspired by external logging optimization techniques, but were closed due to maintainers' views that the current implementation is already optimized and the lack of actionable suggestions.
- issues/60032
2.5 Issue Discussion Insights
This section will analyze the tone and sentiment of discussions within this project's open and closed issues that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.
- AI coding assistants change code without explanation—this is a fucking severe problem with catastrophic commercial risk
- Toxicity Score: 0.65 (Rapid escalation, explicit language, unresolved frustration)
- This GitHub conversation begins with a user expressing strong frustration and urgency regarding an issue with AI coding assistants altering code without explanations, emphasizing the severe commercial risks involved. The tone is intense and critical, with explicit language underscoring the seriousness of the problem. A subsequent comment briefly acknowledges the origin of the code but does not engage with the concerns raised, leading to a lack of resolution or de-escalation. The initial emotional intensity and lack of constructive dialogue suggest potential for further tension.
III. Pull Requests
3.1 Open Pull Requests
This section provides a summary of pull requests that were opened in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.
Pull Requests Opened This Week: 32
Key Open Pull Requests
1. lib: optimize FixedQueue by reusing one segment: This pull request optimizes the FixedQueue implementation by reusing a spare FixedCircularBuffer segment when available instead of allocating new ones, thereby reducing memory allocations and garbage collection during typical usage patterns without changing the data structure's behavior, capacity, or API.
- URL: pull/60031
- Merged: No
2. lib: implement passive listener behavior per spec: This pull request implements Web API specification-compliant behavior for passive event listeners by ensuring that calls to preventDefault() and setting returnValue are ignored during passive listener execution, adds internal tracking of passive listener state, fixes related test cases, and addresses state cleanup on errors to prevent incorrect passive state propagation.
- URL: pull/59995
- Merged: No
3. tools: use dependabot cooldown and move tools/doc: This pull request proposes using Dependabot cooldown settings and reorganizing the tools/doc directory within the Node.js project to improve dependency management and project structure.
- URL: pull/59978
- Merged: No
Other Open Pull Requests
- Deprecation and Documentation Updates: Multiple pull requests focus on improving deprecation handling and documentation. These include adding automated migration information to the deprecation page, removing the experimental util.getCallSite API in favor of util.getCallSites(), and adding missing documentation for util.deprecate options.
- Performance and Optimization Improvements: Several pull requests optimize performance by caching object properties, improving Buffer handling, and enhancing cryptographic functions. These changes reduce memory allocations, improve argument validation, and achieve significant performance gains in cipher algorithms.
- Testing Enhancements and Fixes: A group of pull requests improve testing infrastructure and compatibility. They add support for Python 3.14 release candidate, fix inspector test issues with URI-encoded paths, skip tests on unsupported platforms, and update test snapshots to avoid false failures.
- Build and Tooling Updates: These pull requests address build system improvements and tooling updates. They fix VTune header paths for V8 version 8 compatibility, remove deprecated clang-tidy options, and upgrade Python linting rules to enhance code quality.
- Network and Protocol Handling Fixes: Several pull requests improve network module behavior and protocol handling. They fix process.execve environment defaults, improve batch diagnostic channel subscriptions, and correctly handle HTTP Upgrade requests with bodies.
- Source Code Modernization and Safety: Multiple pull requests modernize source code usage and improve safety. These include replacing ToLocalChecked with ToLocal to prevent crashes, updating report APIs to use std::string_view, and updating cares_wrap to use DictionaryTemplates.
- Module Linking and WebAssembly Adjustments: These pull requests fix module static linking issues when module requests share specifiers but differ in attributes, and revert a previous change enabling JSPI in WebAssembly due to its default enablement in the latest V8.
- TLS and Security Test Coverage: One pull request expands test coverage for the TLS checkServerIdentity function by adding cases for various edge scenarios involving domain name patterns and wildcards.
- Child Process Event Handling Documentation: A pull request updates documentation to recommend using events.once for handling child process events, clarifying a common misconception and reducing boilerplate code.
3.2 Closed Pull Requests
This section provides a summary of pull requests that were closed in the repository over the past week. The top three pull requests with the highest number of commits are highlighted as 'key' pull requests. Other pull requests are grouped based on similar characteristics for easier analysis. Up to 25 pull requests are displayed in this section, while any remaining pull requests beyond this limit are omitted for brevity.
Pull Requests Closed This Week: 15
Key Closed Pull Requests
1. test: expand tls-check-server-identity coverage: This pull request aims to expand the test coverage for the TLS checkServerIdentity function by adding cases that handle various edge patterns in certificate SAN and CN fields, including falsy patterns, empty strings, invalid labels, non-ASCII characters, multiple wildcards, and prefix mismatches.
- URL: pull/59989
- Merged: No
2. [v22.x-backport] lib: make domexception a native error: This pull request aims to backport changes that make DOMException a native error in the Node.js lib, including support for DOMException subclassing and enabling host-defined serialization of JSError to unblock related DOMException improvements.
- URL: pull/59957
- Merged: No
3. doc: fix typo of built-in module specifier in worker_threads: This pull request fixes a typo in the documentation of the built-in module specifier for worker_threads by correcting "node::" to "node:".
- URL: pull/59992
- Merged: Yes
Other Closed Pull Requests
- Lightweight high-speed inner database implementation: These pull requests introduce a lightweight database implemented in the /lib folder using a hash-table structure that supports O(1) data selection and nearest-point searches. They also add asynchronous IO operations via SQLite with queued batch processing for secure data handling, exposing a single function, executeprompt(), for SQL-like queries.
- [pull/59990, pull/59970]
- Documentation correction for WebAssembly terminology: This pull request updates the documentation to consistently use the correct term "WebAssembly" instead of the incorrect "Web Assembly," ensuring terminology accuracy across the codebase.
- [pull/59954]
- BaseObjects tracking optimization: This pull request proposes tracking BaseObjects in the Node.js source code using a more efficient list data structure to improve performance and management.
- [pull/59959]
- Watchdog object instantiation simplification: This pull request simplifies watchdog object instantiation by replacing duplicated conditional logic with std::optional and explicitly deletes move and copy constructors to prevent unintended copying.
- [pull/59960]
- Experimental addon modules support in ECMAScript modules: This pull request proposes adding experimental support for addon modules in the ECMAScript module system of Node.js, addressing related issues and including multiple reviews, but it was not merged.
- [pull/59961]
- Import attributes exposure and deprecation of dependencySpecifiers: This pull request exposes import attributes on vm.SourceTextModule.moduleRequests and deprecates vm.SourceTextModule.dependencySpecifiers because it does not support import attributes.
- [pull/59962]
- HTTPS agent session cache optimization: This pull request optimizes the HTTPS agent session cache by caching frequently accessed properties in local variables within the _cacheSession and _evictSession methods, significantly reducing property lookups and improving performance in high-throughput HTTPS scenarios.
- [pull/59967]
- TracingChannel tracePromise unhandledRejection test: This pull request adds a test to ensure that the TracingChannel.tracePromise method does not swallow unhandledRejection events when the user has not set a then or catch handler.
- [pull/59974]
- Expanded hostname matching test coverage: This pull request expands test coverage for hostname matching by including edge cases such as falsy patterns via SAN, empty strings in CN arrays, empty and non-ASCII labels, multiple wildcards in the first label, and prefix mismatches with single wildcards.
- [pull/59979]
- Removal of deprecated util.isArray API: This pull request proposes the complete removal of the deprecated util.isArray API from the codebase.
- [pull/59981]
- Test fix for process execve environment variables: This pull request addresses an issue in the parallel/test-process-execve-no-args test where the nop binary requires environment variables like LD_LIBRARY_PATH to run when linked against shared external libraries, modifying the test to propagate these variables if node is configured accordingly.
- [pull/60027]
3.3 Pull Request Discussion Insights
This section will analyze the tone and sentiment of discussions within this project's open and closed pull requests that occurred within the past week. It aims to identify potentially heated exchanges and to maintain a constructive project environment.
Based on our analysis, there are no instances of toxic discussions in the project's open or closed pull requests from the past week.
IV. Contributors
4.1 Contributors
Active Contributors:
We consider an active contributor in this project to be any contributor who has made at least 1 commit, opened at least 1 issue, created at least 1 pull request, or made more than 2 comments in the last month.
If there are more than 10 active contributors, the list is truncated to the top 10 based on contribution metrics for better clarity.
Contributor | Commits | Pull Requests | Issues | Comments |
---|---|---|---|---|
jasnell | 32 | 6 | 2 | 22 |
addaleax | 15 | 4 | 0 | 32 |
legendecas | 23 | 10 | 0 | 16 |
joyeecheung | 20 | 8 | 1 | 17 |
miguelmarcondesf | 25 | 3 | 0 | 7 |
aduh95 | 17 | 3 | 0 | 15 |
targos | 20 | 3 | 0 | 10 |
Renegade334 | 11 | 8 | 2 | 11 |
RafaelGSS | 16 | 10 | 0 | 3 |
BridgeAR | 17 | 4 | 1 | 6 |