This is a security release.
Notable Changes
- (CVE-2026-21717) fix array index hash collision (Joyee Cheung)
- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan)
- (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina)
- (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS)
- (CVE-2026-21715) add permission check to realpath.native (RafaelGSS)
- (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS)
- (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina)
Commits
- [cfb51fa9ce] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#831
- [f333d0be5f] - deps: V8: override depot_tools version (Richard Lau) #62344
- [2acd5d1226] - deps: update undici to v6.24.1 (Matteo Collina) #62285
- [af5c144ebc] - (CVE-2026-21717) deps,build,test: fix array index hash collision (Joyee Cheung) nodejs-private/node-private#834
- [00ad47a28e] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
- [0123309566] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#840
- [00830712bc] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#838
- [a0c73425da] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
- [cc3f294507] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#839