2025-01-07, Version 23.6.0 (Current)

.github/workflows/test-linux.yml

@@ -40,6 +40,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           persist-credentials: false
+          path: node
       - name: Set up Python ${{ env.PYTHON_VERSION }}
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0
         with:
@@ -51,6 +52,13 @@ jobs:
       - name: Environment Information
         run: npx envinfo
       - name: Build
-        run: make build-ci -j4 V=1 CONFIG_FLAGS="--error-on-warn"
+        run: make -C node build-ci -j4 V=1 CONFIG_FLAGS="--error-on-warn"
       - name: Test
-        run: make run-ci -j4 V=1 TEST_CI_ARGS="-p actions --node-args='--test-reporter=spec' --node-args='--test-reporter-destination=stdout' --measure-flakiness 9"
+        run: make -C node run-ci -j4 V=1 TEST_CI_ARGS="-p actions --node-args='--test-reporter=spec' --node-args='--test-reporter-destination=stdout' --measure-flakiness 9"
+      - name: Re-run test in a folder whose name contains unusual chars
+        run: |
+          mv node "$DIR"
+          cd "$DIR"
+          ./tools/test.py --flaky-tests keep_retrying -p actions -j 4
+        env:
+          DIR: dir%20with $unusual"chars?'åß∂ƒ©∆¬…`

.github/workflows/test-macos.yml

@@ -38,7 +38,11 @@ permissions:
 jobs:
   test-macOS:
     if: github.event.pull_request.draft == false
-    runs-on: macos-14
+    strategy:
+      fail-fast: false
+      matrix:
+        macos-version: [macos-13, macos-14]
+    runs-on: ${{ matrix.macos-version }}
     env:
       CC: sccache gcc
       CXX: sccache g++
@@ -47,6 +51,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           persist-credentials: false
+          path: node
       - name: Set up Python ${{ env.PYTHON_VERSION }}
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b  # v5.3.0
         with:
@@ -64,7 +69,7 @@ jobs:
       # happen anymore running this step here first, that's also useful
       # information.)
       - name: tools/doc/node_modules workaround
-        run: make tools/doc/node_modules
+        run: make -C node tools/doc/node_modules
       # This is needed due to https://github.com/nodejs/build/issues/3878
       - name: Cleanup
         run: |
@@ -80,8 +85,15 @@ jobs:
           df -h
           echo "::endgroup::"
       - name: Build
-        run: make build-ci -j$(getconf _NPROCESSORS_ONLN) V=1 CONFIG_FLAGS="--error-on-warn"
+        run: make -C node build-ci -j$(getconf _NPROCESSORS_ONLN) V=1 CONFIG_FLAGS="--error-on-warn"
       - name: Free Space After Build
         run: df -h
       - name: Test
-        run: make run-ci -j$(getconf _NPROCESSORS_ONLN) V=1 TEST_CI_ARGS="-p actions --node-args='--test-reporter=spec' --node-args='--test-reporter-destination=stdout' --measure-flakiness 9"
+        run: make -C node run-ci -j$(getconf _NPROCESSORS_ONLN) V=1 TEST_CI_ARGS="-p actions --node-args='--test-reporter=spec' --node-args='--test-reporter-destination=stdout' --measure-flakiness 9"
+      - name: Re-run test in a folder whose name contains unusual chars
+        run: |
+          mv node "$DIR"
+          cd "$DIR"
+          ./tools/test.py --flaky-tests keep_retrying -p actions -j 4
+        env:
+          DIR: dir%20with $unusual"chars?'åß∂ƒ©∆¬…`

BUILDING.md

@@ -162,8 +162,8 @@ Binaries at <https://nodejs.org/download/release/> are produced on:
 | Binary package          | Platform and Toolchain                                                                                        |
 | ----------------------- | ------------------------------------------------------------------------------------------------------------- |
 | aix-ppc64               | AIX 7.2 TL04 on PPC64BE with GCC 12[^5]                                                                       |
-| darwin-x64              | macOS 11, Xcode 13 with -mmacosx-version-min=11.0                                                             |
-| darwin-arm64 (and .pkg) | macOS 11 (arm64), Xcode 13 with -mmacosx-version-min=11.0                                                     |
+| darwin-x64              | macOS 13, Xcode 16 with -mmacosx-version-min=11.0                                                             |
+| darwin-arm64 (and .pkg) | macOS 13 (arm64), Xcode 14 with -mmacosx-version-min=11.0                                                     |
 | linux-arm64             | RHEL 8 with gcc-toolset-12[^6]                                                                                |
 | linux-armv7l            | Cross-compiled on RHEL 9 x64 with a [custom GCC toolchain](https://github.com/rvagg/rpi-newer-crosstools)[^7] |
 | linux-ppc64le           | RHEL 8 with gcc-toolset-12[^6]                                                                                |

CHANGELOG.md

@@ -39,7 +39,8 @@ release.
 </tr>
 <tr>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V23.md#23.5.0">23.5.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V23.md#23.6.0">23.6.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V23.md#23.5.0">23.5.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V23.md#23.4.0">23.4.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V23.md#23.3.0">23.3.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V23.md#23.2.0">23.2.0</a><br/>

README.md

@@ -180,8 +180,6 @@ For information about the governance of the Node.js project, see
   **Matteo Collina** <<[email protected]>> (he/him)
 * [mhdawson](https://github.com/mhdawson) -
   **Michael Dawson** <<[email protected]>> (he/him)
-* [MoLow](https://github.com/MoLow) -
-  **Moshe Atlow** <<[email protected]>> (he/him)
 * [RafaelGSS](https://github.com/RafaelGSS) -
   **Rafael Gonzaga** <<[email protected]>> (he/him)
 * [richardlau](https://github.com/richardlau) -
@@ -211,6 +209,8 @@ For information about the governance of the Node.js project, see
   **Shelley Vohr** <<[email protected]>> (she/her)
 * [GeoffreyBooth](https://github.com/GeoffreyBooth) -
   **Geoffrey Booth** <<[email protected]>> (he/him)
+* [MoLow](https://github.com/MoLow) -
+  **Moshe Atlow** <<[email protected]>> (he/him)
 * [Trott](https://github.com/Trott) -
   **Rich Trott** <<[email protected]>> (he/him)
 
@@ -451,8 +451,6 @@ For information about the governance of the Node.js project, see
   **Vladimir Morozov** <<[email protected]>> (he/him)
 * [VoltrexKeyva](https://github.com/VoltrexKeyva) -
   **Mohammed Keyvanzadeh** <<[email protected]>> (he/him)
-* [watilde](https://github.com/watilde) -
-  **Daijiro Wachi** <<[email protected]>> (he/him)
 * [zcbenz](https://github.com/zcbenz) -
   **Cheng Zhao** <<[email protected]>> (he/him)
 * [ZYSzys](https://github.com/ZYSzys) -
@@ -707,6 +705,8 @@ For information about the governance of the Node.js project, see
   **Vladimir Kurchatkin** <<[email protected]>>
 * [vsemozhetbyt](https://github.com/vsemozhetbyt) -
   **Vse Mozhet Byt** <<[email protected]>> (he/him)
+* [watilde](https://github.com/watilde) -
+  **Daijiro Wachi** <<[email protected]>> (he/him)
 * [watson](https://github.com/watson) -
   **Thomas Watson** <<[email protected]>>
 * [whitlockjc](https://github.com/whitlockjc) -

SECURITY.md

@@ -82,23 +82,23 @@ Vulnerabilities related to this case may be fixed by a documentation update.
 
 **Node.js does NOT trust**:
 
-1. Data received from the remote end of inbound network connections
-   that are accepted through the use of Node.js APIs and
-   which is transformed/validated by Node.js before being passed
-   to the application. This includes:
-   * HTTP APIs (all flavors) server APIs.
-2. The data received from the remote end of outbound network connections
-   that are created through the use of Node.js APIs and
-   which is transformed/validated by Node.js before being passed
-   to the application EXCEPT with respect to payload length. Node.js trusts
-   that applications make connections/requests which will avoid payload
-   sizes that will result in a Denial of Service.
-   * HTTP APIs (all flavors) client APIs.
-   * DNS APIs.
-3. Consumers of data protected through the use of Node.js APIs (for example,
-   people who have access to data encrypted through the Node.js crypto APIs).
-4. The file content or other I/O that is opened for reading or writing by the
-   use of Node.js APIs (ex: stdin, stdout, stderr).
+* Data received from the remote end of inbound network connections
+  that are accepted through the use of Node.js APIs and
+  which is transformed/validated by Node.js before being passed
+  to the application. This includes:
+  * HTTP APIs (all flavors) server APIs.
+* The data received from the remote end of outbound network connections
+  that are created through the use of Node.js APIs and
+  which is transformed/validated by Node.js before being passed
+  to the application EXCEPT with respect to payload length. Node.js trusts
+  that applications make connections/requests which will avoid payload
+  sizes that will result in a Denial of Service.
+  * HTTP APIs (all flavors) client APIs.
+  * DNS APIs.
+* Consumers of data protected through the use of Node.js APIs (for example,
+  people who have access to data encrypted through the Node.js crypto APIs).
+* The file content or other I/O that is opened for reading or writing by the
+  use of Node.js APIs (ex: stdin, stdout, stderr).
 
 In other words, if the data passing through Node.js to/from the application
 can trigger actions other than those documented for the APIs, there is likely
@@ -108,23 +108,23 @@ lead to a loss of confidentiality, integrity, or availability.
 
 **Node.js trusts everything else**. Examples include:
 
-1. The developers and infrastructure that runs it.
-2. The operating system that Node.js is running under and its configuration,
-   along with anything under control of the operating system.
-3. The code it is asked to run, including JavaScript and native code, even if
-   said code is dynamically loaded, e.g., all dependencies installed from the
-   npm registry.
-   The code run inherits all the privileges of the execution user.
-4. Inputs provided to it by the code it is asked to run, as it is the
-   responsibility of the application to perform the required input validations,
-   e.g. the input to `JSON.parse()`.
-5. Any connection used for inspector (debugger protocol) regardless of being
-   opened by command line options or Node.js APIs, and regardless of the remote
-   end being on the local machine or remote.
-6. The file system when requiring a module.
-   See <https://nodejs.org/api/modules.html#all-together>.
-7. The `node:wasi` module does not currently provide the comprehensive file
-   system security properties provided by some WASI runtimes.
+* The developers and infrastructure that runs it.
+* The operating system that Node.js is running under and its configuration,
+  along with anything under control of the operating system.
+* The code it is asked to run, including JavaScript, WASM and native code, even
+  if said code is dynamically loaded, e.g., all dependencies installed from the
+  npm registry.
+  The code run inherits all the privileges of the execution user.
+* Inputs provided to it by the code it is asked to run, as it is the
+  responsibility of the application to perform the required input validations,
+  e.g. the input to `JSON.parse()`.
+* Any connection used for inspector (debugger protocol) regardless of being
+  opened by command line options or Node.js APIs, and regardless of the remote
+  end being on the local machine or remote.
+* The file system when requiring a module.
+  See <https://nodejs.org/api/modules.html#all-together>.
+* The `node:wasi` module does not currently provide the comprehensive file
+  system security properties provided by some WASI runtimes.
 
 Any unexpected behavior from the data manipulation from Node.js Internal
 functions may be considered a vulnerability if they are exploitable via

benchmark/fixtures/simple-error-stack.ts

@@ -5,11 +5,13 @@
 const lorem = 'Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.';
 
 function simpleErrorStack() {
-  try {
-    (lorem as any).BANG();
-  } catch (e) {
-    return e.stack;
-  }
+  [1].map(() => {
+    try {
+      (lorem as any).BANG();
+    } catch (e) {
+      return e.stack;
+    }
+  })
 }
 
 export {

benchmark/ts/strip-typescript.js

@@ -12,7 +12,7 @@ const bench = common.createBenchmark(main, {
   filepath: [ts, js],
   n: [1e4],
 }, {
-  flags: ['--experimental-strip-types', '--disable-warning=ExperimentalWarning'],
+  flags: ['--disable-warning=ExperimentalWarning'],
 });
 
 async function main({ n, filepath }) {