This is a security release.
Notable Changes
- (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
- (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
- (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
- (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
- (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
- (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
- (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low
- (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
Commits
- [
6fae244080] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#828 - [
cc0910c62e] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822 - [
80cb042cf3] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #62271 - [
f5b8667dc2] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #62233 - [
08852637d9] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #62035 - [
61097db9fb] - deps: upgrade npm to 11.11.0 (npm team) #61994 - [
9ac0f9f81e] - deps: upgrade npm to 11.10.1 (npm team) #61892 - [
3dab3c4698] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344 - [
87521e99d1] - deps: V8: backport 1361b2a49d02 (Joyee Cheung) nodejs-private/node-private#828 - [
045013366f] - deps: V8: backport 185f0fe09b72 (Joyee Cheung) nodejs-private/node-private#828 - [
af22629ea8] - deps: V8: backport 0a8b1cdcc8b2 (snek) nodejs-private/node-private#828 - [
380ea72eef] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821 - [
d6b6051e08] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795 - [
bfdecef9da] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794 - [
c015edf313] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832 - [
cba66c48a5] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816 - [
df8fbfb93d] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819