chore(deps): update node.js to v24

[thomhurst]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
node (source)	engines	major	>=18.20.8 → >=24.14.1

---

Release Notes

nodejs/node (node)

v24.14.1: 2026-03-24, Version 24.14.1 'Krypton' (LTS), @​RafaelGSS prepared by @​juanarbol

Compare Source

This is a security release.

Notable Changes

• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low

Commits

• [6fae244080] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#828
• [cc0910c62e] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822
• [80cb042cf3] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #​62271
• [f5b8667dc2] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #​62233
• [08852637d9] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #​62035
• [61097db9fb] - deps: upgrade npm to 11.11.0 (npm team) #​61994
• [9ac0f9f81e] - deps: upgrade npm to 11.10.1 (npm team) #​61892
• [3dab3c4698] - deps: V8: override depot_tools version (Richard Lau) #​62344
• [87521e99d1] - deps: V8: backport 1361b2a (Joyee Cheung) nodejs-private/node-private#828
• [045013366f] - deps: V8: backport 185f0fe (Joyee Cheung) nodejs-private/node-private#828
• [af22629ea8] - deps: V8: backport 0a8b1cd (snek) nodejs-private/node-private#828
• [380ea72eef] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [d6b6051e08] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
• [bfdecef9da] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
• [c015edf313] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [cba66c48a5] - (CVE-2026-21712) src: handle url crash on different url formats (RafaelGSS) nodejs-private/node-private#816
• [df8fbfb93d] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

v24.14.0: 2026-02-24, Version 24.14.0 'Krypton' (LTS), @​ruyadorno prepared by @​aduh95

Compare Source

Notable Changes

• [8b6d31d379] - (SEMVER-MINOR) async_hooks: add trackPromises option to createHook() (Joyee Cheung) #​61415
• [68da144b4e] - build,deps: replace cjs-module-lexer with merve (Yagiz Nizipli) #​61456
• [f3a24c76e4] - (SEMVER-MINOR) deps: add LIEF as a dependency (Joyee Cheung) #​61167
• [1948861d23] - (SEMVER-MINOR) events: repurpose events.listenerCount() to accept EventTargets (René) #​60214
• [d6f7c8d06f] - (SEMVER-MINOR) fs: add ignore option to fs.watch (Matteo Collina) #​61433
• [cb54b3ca6e] - (SEMVER-MINOR) http: add http.setGlobalProxyFromEnv() (Joyee Cheung) #​60953
• [35b1759d06] - (SEMVER-MINOR) module: allow subpath imports that start with #/ (Jan Martin) #​60864
• [2d72ea66f2] - (SEMVER-MINOR) process: preserve AsyncLocalStorage in queueMicrotask only when needed (Gürgün Dayıoğlu) #​60913
• [6f4a4f6c8e] - (SEMVER-MINOR) sea: split sea binary manipulation code (Joyee Cheung) #​61167
• [c0ceb9b065] - (SEMVER-MINOR) sqlite: enable defensive mode by default (Bart Louwers) #​61266
• [33d8e8303b] - (SEMVER-MINOR) sqlite: add sqlite prepare options args (Guilherme Araújo) #​61311
• [563ab699eb] - (SEMVER-MINOR) src: add initial support for ESM in embedder API (Joyee Cheung) #​61548
• [4c80031000] - (SEMVER-MINOR) stream: add bytes() method to node:stream/consumers (wantaek) #​60426
• [f5233df4ff] - (SEMVER-MINOR) stream: do not pass readable.compose() output via Readable.from() (René) #​60907
• [345a40fda3] - (SEMVER-MINOR) test: use fixture directories for sea tests (Joyee Cheung) #​61167
• [972f82411d] - (SEMVER-MINOR) test_runner: add env option to run function (Ethan Arrowood) #​61367
• [d77f98c4b6] - (SEMVER-MINOR) test_runner: support expecting a test-case to fail (Jacob Smith) #​60669
• [8e900af6ba] - (SEMVER-MINOR) util: add convertProcessSignalToExitCode utility (Erick Wendel) #​60963

Commits

• [180778fb9a] - assert: fix loose deepEqual arrays with undefined and null failing (Ruben Bridgewater) #​61587
• [8b6d31d379] - (SEMVER-MINOR) async_hooks: add trackPromises option to createHook() (Joyee Cheung) #​61415
• [83bcd38d35] - benchmark: add streaming TextDecoder benchmark (Сковорода Никита Андреевич) #​61549
• [4c105844c5] - build: add support for Visual Studio 2026 (Michaël Zasso) #​60727
• [1f84fd91d9] - build: skip sscache action on non-main branches (Joyee Cheung) #​61790
• [30601b680f] - build: add --shared-nbytes configure flag (Antoine du Hamel) #​61341
• [c6253eda49] - build: add --shared-hdr-histogram configure flag (Antoine du Hamel) #​61280
• [584c189037] - build: add --shared-gtest configure flag (Antoine du Hamel) #​61279
• [5998987881] - build: aix: deoptimize implementation-visitor.cc with --shared (Stewart X Addison) #​61550
• [68da144b4e] - build,deps: replace cjs-module-lexer with merve (Yagiz Nizipli) #​61456
• [6a4511bafb] - build,win: fix vs2022 compilation (Stefan Stojanovic) #​61530
• [2d6735db8a] - deps: upgrade npm to 11.9.0 (npm team) #​61685
• [699e2f8f81] - deps: update amaro to 1.1.7 (Node.js GitHub Bot) #​61730
• [7be76316d6] - deps: update minimatch to 10.1.2 (Node.js GitHub Bot) #​61732
• [97e5a65013] - deps: update undici to 7.21.0 (Node.js GitHub Bot) #​61683
• [74e4710ee7] - deps: update googletest to 56efe39 (Node.js GitHub Bot) #​61605
• [b5113e2a2a] - deps: update amaro to 1.1.6 (Node.js GitHub Bot) #​61603
• [f3a24c76e4] - (SEMVER-MINOR) deps: add LIEF as a dependency (Joyee Cheung) #​61167
• [c370c3dc06] - (SEMVER-MINOR) deps: add tools and scripts to pull LIEF as a dependency (Joyee Cheung) #​61167
• [e54975e17d] - deps: V8: cherry-pick highway@dcc0ca1 (Richard Lau) #​61008
• [625b90b76b] - deps: update undici to 7.19.2 (Node.js GitHub Bot) #​61566
• [05e9a9fb5e] - deps: update undici to 7.19.1 (Node.js GitHub Bot) #​61514
• [3d41643e38] - deps: update undici to 7.19.0 (Node.js GitHub Bot) #​61470
• [17b363a66c] - dns: fix Windows SRV ECONNREFUSED by adjusting c-ares fallback detection (notvivek12) #​61453
• [33d0a8c22d] - doc: clarify EventEmitter error handling in threat model (Matteo Collina) #​61701
• [5b8e72cf85] - doc: mention default option for test runner env (Steven) #​61659
• [f44e67fac2] - doc: fix --inspect security warning section (Tim Perry) #​61675
• [a0e09c9043] - doc: document url.format(urlString) as deprecated under DEP0169 (René) #​61644
• [5e719248fe] - doc: deprecation add more codemod (Augustin Mauroy) #​61642
• [8f5a3e5df4] - doc: fix grammatical error in README.md (ayj8201) #​61653
• [d52b535163] - doc: correct tools README Boxstarter link (Mike McCready) #​61638
• [4889dc4f59] - doc: update server.dropMaxConnection link (YuSheng Chen) #​61584
• [8e48e72f2a] - doc: clean up writing-and-running-benchmarks.md (Hardanish Singh) #​61345
• [1948861d23] - (SEMVER-MINOR) events: repurpose events.listenerCount() to accept EventTargets (René) #​60214
• [d6f7c8d06f] - (SEMVER-MINOR) fs: add ignore option to fs.watch (Matteo Collina) #​61433
• [2d7e5f9581] - http: implement slab allocation for HTTP header parsing (Mert Can Altin) #​61375
• [cb54b3ca6e] - (SEMVER-MINOR) http: add http.setGlobalProxyFromEnv() (Joyee Cheung) #​60953
• [6df8be48ce] - lib: use utf8 fast path for streaming TextDecoder (Сковорода Никита Андреевич) #​61549
• [830fff0aca] - lib: recycle queues (Robert Nagy) #​61461
• [069874bdbd] - lib: use StringPrototypeStartsWith from primordials in locks (Taejin Kim) #​61492
• [7824c7589e] - lib: unify ICU and no-ICU TextDecoder (Сковорода Никита Андреевич) #​61409
• [f81430702a] - lib: prefer call() over apply() if argument list is not array (Livia Medeiros) #​60796
• [a723f72e1e] - lib: add support for readable byte streams to .toWeb() (Hans Klunder) #​58664
• [b78d814b3d] - meta: persist sccache daemon until end of build workflows (René) #​61639
• [40a872a4b9] - meta: bump github/codeql-action from 4.31.9 to 4.32.0 (dependabot[bot]) #​61622
• [0637bdb3be] - meta: bump step-security/harden-runner from 2.14.0 to 2.14.1 (dependabot[bot]) #​61621
• [e8d9bd9fc5] - meta: bump actions/setup-python from 6.1.0 to 6.2.0 (dependabot[bot]) #​61627
• [c517df2b65] - meta: bump actions/setup-node from 6.1.0 to 6.2.0 (dependabot[bot]) #​61625
• [9a64f2f25d] - meta: bump actions/cache from 5.0.1 to 5.0.3 (dependabot[bot]) #​61624
• [0e5922e95e] - meta: bump peter-evans/create-pull-request from 8.0.0 to 8.1.0 (dependabot[bot]) #​61623
• [5da7b51091] - meta: bump actions/stale from 10.1.0 to 10.1.1 (dependabot[bot]) #​61620
• [c085c8a43f] - meta: bump actions/checkout from 6.0.1 to 6.0.2 (dependabot[bot]) #​61619
• [ce2acf0275] - meta: bump actions/download-artifact from 6.0.0 to 7.0.0 (dependabot[bot]) #​61242
• [629f0eaac5] - meta: bump actions/checkout from 6.0.0 to 6.0.1 (dependabot[bot]) #​61239
• [cd80d369c9] - meta: bump actions/upload-artifact from 5.0.0 to 6.0.0 (dependabot[bot]) #​61238
• [8c75e4e1fa] - meta: bump actions/checkout from 5.0.1 to 6.0.0 (dependabot[bot]) #​60925
• [5a9e9f4127] - meta: bump actions/checkout from 5.0.0 to 5.0.1 (dependabot[bot]) #​60767
• [1519251dd1] - module: do not invoke resolve hooks twice for imported cjs (Joyee Cheung) #​61529
• [8d7190b3fe] - module: do not wrap module._load when tracing is not enabled (Joyee Cheung) #​61479
• [35b1759d06] - (SEMVER-MINOR) module: allow subpath imports that start with #/ (Jan Martin) #​60864
• [7a83b38921] - net: defer synchronous destroy calls in internalConnect (RajeshKumar11) #​61658
• [16bab79421] - process: do not truncate long strings in --print (Mohamed Akram) #​61497
• [2d72ea66f2] - (SEMVER-MINOR) process: preserve AsyncLocalStorage in queueMicrotask only when needed (Gürgün Dayıoğlu) #​60913
• [9cc1c4604f] - repl: fix getters triggering side effects during completion (Dario Piotrowicz) #​61043
• [93703306a1] - repl: tab completion targets <class> instead of new <class> (Đỗ Trọng Hải) #​60319
• [6f4a4f6c8e] - (SEMVER-MINOR) sea: split sea binary manipulation code (Joyee Cheung) #​61167
• [46a2dad4db] - sqlite: avoid extra copy for large text binds (Ali Hassan) #​61580
• [f91a377f7e] - sqlite: use DictionaryTemplate for run() result (Mert Can Altin) #​61432
• [0e7571ae3e] - sqlite: change approach to fix segfault SQLTagStore (Bart Louwers) #​60462
• [8e8f70524a] - sqlite: reserve vectors space (Guilherme Araújo) #​61540
• [c0ceb9b065] - (SEMVER-MINOR) sqlite: enable defensive mode by default (Bart Louwers) #​61266
• [33d8e8303b] - (SEMVER-MINOR) sqlite: add sqlite prepare options args (Guilherme Araújo) #​61311
• [f0d8f37002] - src: elide heap allocation in structured clone implementation (Anna Henningsen) #​61703
• [db478c4336] - src: use simdutf for one-byte string UTF-8 write in stringBytes (Mert Can Altin) #​61696
• [563ab699eb] - (SEMVER-MINOR) src: add initial support for ESM in embedder API (Joyee Cheung) #​61548
• [da13186a15] - src: throw RangeError on failed ArrayBuffer BackingStore allocation (Chengzhong Wu) #​61480
• [4c80031000] - (SEMVER-MINOR) stream: add bytes() method to stream/consumers (wantaek) #​60426
• [f5233df4ff] - (SEMVER-MINOR) stream: do not pass readable.compose() output via Readable.from() (René) #​60907
• [ad04a469c8] - test: restraint version replacement pattern in snapshots (Chengzhong Wu) #​61748
• [2d3b4a8d65] - test: print stack immediately avoiding GC interleaving (Chengzhong Wu) #​61699
• [38f43a6d4e] - test: fix case-insensitive path matching on Windows (Matteo Collina) #​61682
• [06513f5ff2] - test: fix flaky test-performance-eventloopdelay (Matteo Collina) #​61629
• [9d79c66c61] - test: remove duplicate wpt tests (Filip Skokan) #​61617
• [eac9f4f401] - test: fix race condition in watch mode tests (Matteo Collina) #​61615
• [ecf5947575] - test: update WPT for url to e3c46fd (Node.js GitHub Bot) #​61602
• [356ff5fece] - test: use the skipIfNoWatch() utility function (Luigi Pinca) #​61531
• [4b2187aea2] - test: unify assertSnapshot common patterns (Chengzhong Wu) #​61590
• [8c25489d63] - test: split test-fs-watch-ignore-* (Luigi Pinca) #​61494
• [43b8a2b7e7] - test: add some validation for JSON doc output (Antoine du Hamel) #​61413
• [345a40fda3] - (SEMVER-MINOR) test: use fixture directories for sea tests (Joyee Cheung) #​61167
• [24cf6b8326] - test: reveal wpt evaluation errors in status files (Chengzhong Wu) #​61358
• [d4034dfb62] - test: forbid use of named imports for fixtures (Antoine du Hamel) #​61228
• [4f871ee897] - test: enforce better never-settling-promise detection (Antoine du Hamel) #​60976
• [8e9adedf02] - test: ensure assertions are reached on all tests (Antoine du Hamel) #​60845
• [273832802e] - test: ensure assertions are reached on more tests (Antoine du Hamel) #​60763
• [e06adcb52f] - test: ensure assertions are reached on more tests (Antoine du Hamel) #​60760
• [aeed0ccc02] - test: use RegExp.escape to improve test reliability (Antoine du Hamel) #​60803
• [74bcd0adab] - test: ensure assertions are reached on more tests (Antoine du Hamel) #​60728
• [407807b08e] - test: skip tests not passing without NODE_OPTIONS support (Antoine du Hamel) #​60912
• [a9e70cefb0] - test: ensure assertions are reached on more tests (Antoine du Hamel) #​60634
• [21b23cd0d0] - test_runner: fix test enqueue when test file has syntax error (Edy Silva) #​61573
• [6a4de694b2] - test_runner: fix passing expectFailure (Moshe Atlow) #​61568
• [6640de2b0f] - test_runner: differentiate todo and failure styles (Moshe Atlow) #​61564
• [972f82411d] - (SEMVER-MINOR) test_runner: add env option to run function (Ethan Arrowood) #​61367
• [d77f98c4b6] - (SEMVER-MINOR) test_runner: support expecting a test-case to fail (Jacob Smith) #​60669
• [f98986cbb9] - tools: switch to ARM runners on GHA jobs (Antoine du Hamel) #​61903
• [034589dd93] - tools: avoid building twice in coverage jobs (Antoine du Hamel) #​61899
• [e50e2f00bb] - tools: use ubuntu-slim runner in GHA (Antoine du Hamel) #​61759
• [f658f48ccb] - tools: use ubuntu-slim runner in GHA (Antoine du Hamel) #​61734
• [65c77d74ff] - tools: use ubuntu-latest runner in notify-on-push workflow (Antoine du Hamel) #​61742
• [605905556a] - tools: enforce removal of lts-watch-* labels on release proposals (Antoine du Hamel) #​61672
• [f0f98d4c03] - tools: use ubuntu-slim runner in meta GitHub Actions (Tierney Cyren) #​61663
• [ab63ddf354] - tools: add LIEF to license builder (Chengzhong Wu) #​61523
• [8a0f6192c9] - tools: enforce trailing commas in test/es-module (Antoine du Hamel) #​60891
• [4afbbcf39e] - tools: enforce trailing commas in test/sequential (Antoine du Hamel) #​60892
• [4c1abf752c] - tools,win: upgrade install additional tools to Visual Studio 2026 (Mike McCready) #​61562
• [8e900af6ba] - (SEMVER-MINOR) util: add convertProcessSignalToExitCode utility (Erick Wendel) #​60963

v24.13.1: 2026-02-10, Version 24.13.1 'Krypton' (LTS), @​aduh95

Compare Source

Notable Changes

• [1f64d6841e] - build: add support for Python 3.14 (Christian Clauss) #​59983
• [30e500fc09] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #​60956
• [bc0a55f086] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #​61419
• [8a67c00bf5] - doc: mark --build-snapshot and --build-snapshot-config as stable (Joyee Cheung) #​60954
• [3999c2a910] - meta: add avivkeller to collaborators (Aviv Keller) #​61115
• [fa542fbae6] - meta: add gurgunday to collaborators (Gürgün Dayıoğlu) #​61094
• [ff11eda2f2] - meta: add Renegade334 to collaborators (Renegade334) #​60714
• [2e387fb969] - url: update ada to v3.4.2 and support unicode 17 (Yagiz Nizipli) #​61593
• [bb206782d4] - v8: mark v8.queryObjects() as stable (Joyee Cheung) #​60957

Commits

• [a73279c60d] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #​61076
• [6a61bcd73c] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #​61388
• [cf0eabcd42] - assert,util: improve deep comparison performance (Ruben Bridgewater) #​61076
• [ff3b9ac183] - benchmark: add SQLite benchmarks (Guilherme Araújo) #​61401
• [e1f7d68c94] - benchmark: use boolean options in benchmark tests (SeokhunEom) #​60129
• [91127c91cd] - benchmark: allow boolean option values (SeokhunEom) #​60129
• [170fda55f6] - benchmark: add microbench on isInsideNodeModules (Chengzhong Wu) #​60991
• [3976381b41] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #​60841
• [c702fccd76] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #​60663
• [92c517c62d] - buffer: make methods work on Uint8Array instances (Neal Beeken) #​56578
• [be95382edb] - buffer: let Buffer.of use heap (Сковорода Никита Андреевич) #​60503
• [1f64d6841e] - build: test on Python 3.14 (Christian Clauss) #​59983
• [ea4687981b] - build: update android-patches/trap-handler.h.patch (Mo Luo) #​60369
• [b3a7a8c780] - build: update devcontainer.json to use paired nix env (Joyee Cheung) #​61414
• [7168d0b5e3] - build: add embedtest into native suite (Joyee Cheung) #​61357
• [e00755a977] - build: fix misplaced comma in ldflags (hqzing) #​61294
• [72fcc3ee9d] - build: fix crate vendor file checksums on windows (Chengzhong Wu) #​61329
• [76a73d68fd] - build: expose libplatform symbols in shared libnode (Joyee Cheung) #​61144
• [ef8d26ce5c] - build: fix inconsistent quoting in Makefile (Antoine du Hamel) #​60511
• [2d23968783] - build: remove temporal updater (Chengzhong Wu) #​61151
• [4c2655f1c2] - build: update test-wpt-report to use NODE instead of OUT_NODE (Filip Skokan) #​61024
• [eaea6821fc] - build: skip build-ci on actions with a separate test step (Chengzhong Wu) #​61073
• [dfd4e12037] - build: run embedtest with node_g when BUILDTYPE=Debug (Chengzhong Wu) #​60850
• [775c77234b] - build,tools: fix addon build deadlock on errors (Vladimir Morozov) #​61321
• [5deafc10fa] - build,win: improve logs when ClangCL is missing (Mike McCready) #​61438
• [e2481c5c6e] - build,win: update WinGet configurations to Python 3.14 (Mike McCready) #​61431
• [d2586b7e4c] - child_process: treat ipc length header as unsigned uint32 (Ryuhei Shima) #​61344
• [30e500fc09] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #​60956
• [2c7da15612] - cluster: fix port reuse between cluster (Ryuhei Shima) #​60141
• [bc0a55f086] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #​61419
• [2d5f20e9c3] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #​60741
• [fba95be188] - deps: update archs files for openssl-3.5.5 (Node.js GitHub Bot) #​61547
• [08697289e0] - deps: upgrade openssl sources to openssl-3.5.5 (Node.js GitHub Bot) #​61547
• [403c50c04d] - deps: update corepack to 0.34.6 (Node.js GitHub Bot) #​61510
• [3b24691aeb] - deps: upgrade npm to 11.8.0 (npm team) #​61466
• [2bba7efdc4] - deps: update googletest to 8508785 (Node.js GitHub Bot) #​61417
• [8f8c6f6162] - deps: update sqlite to 3.51.2 (Node.js GitHub Bot) #​61339
• [c46009053c] - deps: update icu to 78.2 (Node.js GitHub Bot) #​60523
• [b46b8dd91b] - deps: update ada to v3.4.0 (Yagiz Nizipli) #​61315
• [88c6b17e18] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #​61135
• [0030c05ba9] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #​61271
• [77437cff89] - deps: update nbytes to 0.1.2 (Node.js GitHub Bot) #​61270
• [fb0f05a937] - deps: update timezone to 2025c (Node.js GitHub Bot) #​61138
• [b426a47c05] - deps: nghttp2: revert 7784fa9 (Antoine du Hamel) #​61136
• [c07a38f700] - deps: update nghttp2 to 1.68.0 (nodejs-github-bot) #​61136
• [c2ddc9a18b] - deps: update simdjson to 4.2.4 (Node.js GitHub Bot) #​61056
• [f38cd6da8e] - deps: update googletest to 065127f (Node.js GitHub Bot) #​61055
• [a9a6a4cdb2] - deps: brotli: cherry-pick e230f47 (liujiahui) #​61003
• [5a40023aae] - deps: upgrade npm to 11.7.0 (npm team) #​61011
• [4121e7a413] - deps: update sqlite to 3.51.1 (Node.js GitHub Bot) #​60899
• [e8a09fc896] - deps: update zlib to 1.3.1-63d7e16 (Node.js GitHub Bot) #​60898
• [8df5862ee5] - deps: upgrade npm to 11.6.4 (npm team) #​60853
• [6c1c8cbdcc] - deps: update sqlite to 3.51.0 (Node.js GitHub Bot) #​60614
• [2d1efc7c1b] - deps: upgrade npm to 11.6.3 (npm team) #​60785
• [3a2de1c23b] - deps: update brotli to 1.2.0 (Node.js GitHub Bot) #​60540
• [58c5d40bd1] - deps: update simdjson to 4.2.2 (Node.js GitHub Bot) #​60740
• [e6b607ef50] - deps: update googletest to 1b96fa1 (Node.js GitHub Bot) #​60739
• [650c9e0305] - deps: update minimatch to 10.1.1 (Node.js GitHub Bot) #​60543
• [ef1951d5d5] - deps: update inspector_protocol to 1b1bcbb (Node.js GitHub Bot) #​60705
• [eb068305dd] - deps: update cjs-module-lexer to 2.1.1 (Node.js GitHub Bot) #​60646
• [ee1d99131c] - deps: update simdjson to 4.2.1 (Node.js GitHub Bot) #​60644
• [23582967b7] - deps: V8: cherry-pick 1441665 (Domagoj Stolfa) #​60989
• [155eaedff2] - deps: V8: cherry-pick 394a805 (Lu Yahan) #​60962
• [c95a4a0f43] - deps: V8: backport bbaae8e (Lu Yahan) #​60962
• [6f123f186d] - doc: move Security-Team from TSC to SECURITY (Rafael Gonzaga) #​61495
• [2e3337d15b] - doc: added requestOCSP option to tls.connect (ikeyan) #​61064
• [f505f81577] - doc: restore @​ChALkeR to collaborators (Сковорода Никита Андреевич) #​61553
• [12fb95d0c9] - doc: update IBM/Red Hat volunteers with dedicated project time (Beth Griggs) #​61588
• [283ab61ed2] - doc: align Buffer.concat documentation with behavior (Gürgün Dayıoğlu) #​60405
• [fc9c906d5f] - doc: remove v prefix for version references (Mike McCready) #​61488
• [4a88ed09e8] - doc: mention constructor comparison in assert.deepStrictEqual (Hamza Kargin) #​60253
• [9b29d56491] - doc: add CVE delay mention (Rafael Gonzaga) #​61465
• [4815e4ac52] - doc: update previous version links in BUILDING (Mike McCready) #​61457
• [8a43244e6c] - doc: include OpenJSF handle for security stewards (Rafael Gonzaga) #​61454
• [89a7f184a1] - doc: clarify process.argv[1] behavior for -e/--eval (Jeevankumar S) #​61366
• [b4041aba1c] - doc: remove Windows Dev Home instructions from BUILDING (Mike McCready) #​61434
• [fa7830bac0] - doc: clarify TypedArray properties on Buffer (Roman Reiss) #​61355
• [45663c8956] - doc: update Python 3.14 manual install instructions (Windows) (Mike McCready) #​61428
• [0248357f26] - doc: note resume build should not be done on node-test-commit (Stewart X Addison) #​61373
• [b254bab513] - doc: refine WebAssembly error documentation (sangwook) #​61382
• [8aca37c6ef] - doc: add deprecation history for url.parse (Eng Zer Jun) #​61389
• [8047ac3aac] - doc: add marco and rafael in last sec release (Marco Ippolito) #​61383
• [61190bf4b4] - doc: packages: example of private import switch to internal (coderaiser) #​61343
• [346311c42f] - doc: add esm and cjs examples to node:v8 (Alfredo González) #​61328
• [c07c80717c] - doc: add

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[claude]

Code Review

This is a Renovate-generated PR that updates docs/package.json engines constraint from >=18.0 to >=24.14.1.

Concern: Over-constraining the Node.js engine requirement

The jump from >=18.0 to >=24.14.1 skips two active LTS versions — Node 20 (EOL April 2026) and Node 22 (current LTS, EOL April 2027). Requiring >=24.14.1 means anyone running the docs tooling on Node 20 or Node 22 would get an engines warning/error, even though the docs tooling almost certainly works fine on those versions.

Why this matters:

• Node 24.14.1 is a security release for the Node 24 LTS line, but the CVEs it fixes (HTTP/2 flow control, SNI callback, HMAC timing, etc.) are low-relevance for a static docs generator.
• Pegging to a very specific patch version (>=24.14.1) as the floor is unusual and will break any CI or contributor environment on Node 22 or Node 20.
• Node 18 genuinely reached EOL in April 2025, so dropping it is correct — but there's no reason to skip Node 20 and 22 at the same time.

Suggested alternative:

"engines": {
  "node": ">=22.0.0"
}

This drops the EOL'd Node 18, retains compatibility with the current LTS (Node 22), and doesn't pin to a patch version that Renovate will rapidly supersede with the next security release anyway.

If there's a specific incompatibility with Node 22 in the docs tooling, it would be worth calling that out explicitly — but absent that, I'd recommend a less aggressive bump here.

[claude]

Code Review

This Renovate PR updates docs/package.json engines from >=18.0 to >=24.14.1.

Concern: Over-constraining the Node.js engine requirement

The jump skips two active LTS versions — Node 20 (EOL April 2026) and Node 22 (current LTS, EOL April 2027). Requiring >=24.14.1 means anyone running the docs tooling on Node 20 or Node 22 would get an engines error, even though the docs tooling almost certainly works fine on those versions.

Why this matters:

• Node 24.14.1 is a security release for the Node 24 line, but the CVEs fixed (HTTP/2 flow control, SNI, HMAC timing, etc.) are low-relevance for a static docs generator.
• Pegging to a specific patch version as the minimum floor is unusual; Renovate will open another PR with the next security release, creating churn.
• Node 18 genuinely reached EOL in April 2025, so dropping it is correct — but there is no reason to also drop Node 20 and 22.

Suggested alternative:

"engines": {
  "node": ">=22.0.0"
}

This drops EOL'd Node 18, keeps compatibility with the current LTS (Node 22), and avoids patch-version pinning. If there is a known incompatibility with Node 22 in the docs tooling, that would be worth documenting — but absent that, a less aggressive bump is preferable.

[claude]

Code Review (Follow-up)

The previous reviews from this session raised a concern that has not been addressed: the jump from >=18.20.8 to >=24.14.1 skips two actively-supported LTS versions (Node 20, EOL April 2026; Node 22, current LTS, EOL April 2027).

The change is still as-submitted. The concern stands:

• Patch-version pinning as a floor (>=24.14.1) is unusual and will trigger another Renovate PR with every Node 24 security release, creating unnecessary churn.
• Dropping Node 22 support for a docs static site is overly aggressive — there is no documented incompatibility to justify it.
• Node 18 EOL is the only real motivation here, and that's fully addressed by bumping to >=20.0.0 or >=22.0.0.

Recommended alternative:

"engines": {
  "node": ">=22.0.0"
}

This cleanly drops EOL'd Node 18, retains the current LTS (Node 22), and avoids patch-pinning. If Node 24-specific APIs are actually required by the docs tooling, please document that in the PR — otherwise this bump is unnecessarily restrictive.