[js] Update Node.js 22.13.0 → 22.14.0

[depfu]

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

Release Notes

22.14.0

Notable Changes

• [82a9000e9e] - crypto: update root certificates to NSS 3.107 (Node.js GitHub Bot) #56566
• [b7fe54fc88] - (SEMVER-MINOR) fs: allow exclude option in globs to accept glob patterns (Daeyeon Jeong) #56489
• [3ac92ef607] - (SEMVER-MINOR) lib: add typescript support to STDIN eval (Marco Ippolito) #56359
• [1614e8e7bc] - (SEMVER-MINOR) module: add ERR_UNSUPPORTED_TYPESCRIPT_SYNTAX (Marco Ippolito) #56610
• [6d6cffa9cc] - (SEMVER-MINOR) module: add findPackageJSON util (Jacob Smith) #55412
• [d35333ae18] - (SEMVER-MINOR) process: add process.ref() and process.unref() methods (James M Snell) #56400
• [07ff3ddcb5] - (SEMVER-MINOR) sqlite: support TypedArray and DataView in StatementSync (Alex Yang) #56385
• [94d3fe1b62] - (SEMVER-MINOR) src: add --disable-sigusr1 to prevent signal i/o thread (Rafael Gonzaga) #56441
• [5afffb4415] - (SEMVER-MINOR) src,worker: add isInternalWorker (Carlos Espa) #56469
• [697a851fb3] - (SEMVER-MINOR) test_runner: add TestContext.prototype.waitFor() (Colin Ihrig) #56595
• [047537b48c] - (SEMVER-MINOR) test_runner: add t.assert.fileSnapshot() (Colin Ihrig) #56459
• [926cf84e95] - (SEMVER-MINOR) test_runner: add assert.register() API (Colin Ihrig) #56434
• [c658a8afdf] - (SEMVER-MINOR) worker: add eval ts input (Marco Ippolito) #56394

Commits

• [bad1ad8650] - assert: make myers_diff function more performant (Giovanni Bucci) #56303
• [e222e36f3b] - assert: make partialDeepStrictEqual work with urls and File prototypes (Giovanni Bucci) #56231
• [e232789fe2] - assert: show diff when doing partial comparisons (Giovanni Bucci) #56211
• [c99de1fdcf] - assert: make partialDeepStrictEqual throw when comparing [0] with [-0] (Giovanni) #56237
• [2386fd5840] - benchmark: add validateStream to styleText bench (Rafael Gonzaga) #56556
• [b197dfa7ec] - build: fix GN build for ngtcp2 (Cheng) #56300
• [2a3cdd34ff] - build: test macos-13 on GitHub actions (Michaël Zasso) #56307
• [12f716be0a] - build: build v8 with -fvisibility=hidden on macOS (Joyee Cheung) #56275
• [c5ca15bd34] - child_process: fix parsing messages with splitted length field (Maksim Gorkov) #56106
• [8346b8fc2c] - crypto: add missing return value check (Michael Dawson) #56615
• [82a9000e9e] - crypto: update root certificates to NSS 3.107 (Node.js GitHub Bot) #56566
• [890eef20a1] - crypto: fix checkPrime crash with large buffers (Santiago Gimeno) #56559
• [5edb7b5e87] - crypto: fix warning of ignoring return value (Cheng) #56527
• [b89f123a0b] - crypto: make generatePrime/checkPrime interruptible (James M Snell) #56460
• [63c1859e01] - deps: update corepack to 0.31.0 (Node.js GitHub Bot) #56795
• [a48430d4d3] - deps: move inspector_protocol to deps (Chengzhong Wu) #56649
• [74cccc824f] - deps: macro ENODATA is deprecated in libc++ (Cheng) #56698
• [fa869ea0f2] - deps: fixup some minor coverity warnings (James M Snell) #56612
• [1a4fa2b015] - deps: update amaro to 0.3.0 (Node.js GitHub Bot) #56568
• [b47076fd82] - deps: update amaro to 0.2.2 (Node.js GitHub Bot) #56568
• [46bd4b8731] - deps: update simdutf to 6.0.3 (Node.js GitHub Bot) #56567
• [8ead9c693b] - deps: update simdutf to 5.7.2 (Node.js GitHub Bot) #56388
• [18d4b502af] - deps: update amaro to 0.2.1 (Node.js GitHub Bot) #56390
• [d938d7cc86] - deps: update googletest to 7d76a23 (Node.js GitHub Bot) #56387
• [9761e7dccb] - deps: update googletest to e54519b (Node.js GitHub Bot) #56370
• [8319dc6bc5] - deps: update ngtcp2 to 1.10.0 (Node.js GitHub Bot) #56334
• [6eacd19d6a] - deps: update simdutf to 5.7.0 (Node.js GitHub Bot) #56332
• [28bec2dda3] - diagnostics_channel: capture console messages (Stephen Belanger) #56292
• [d519d33502] - doc: update macOS and Xcode versions for releases (Michaël Zasso) #56337
• [fcfe650507] - doc: add note for features using InternalWorker with permission model (Antoine du Hamel) #56706
• [efbba182b5] - doc: add entry to changelog about SQLite Session Extension (Bart Louwers) #56318
• [31bf9c7dd9] - doc: move anatoli to emeritus (Michael Dawson) #56592
• [6096e38c7c] - doc: fix styles of the expandable TOC (Antoine du Hamel) #56755
• [d423638281] - doc: add "Skip to content" button (Antoine du Hamel) #56750
• [edeb157d75] - doc: improve accessibility of expandable lists (Antoine du Hamel) #56749
• [1a79e87687] - doc: add note regarding commit message trailers (Dario Piotrowicz) #56736
• [927c7e47e4] - doc: fix typo in example code for util.styleText (Robin Mehner) #56720
• [fade522538] - doc: fix inconsistencies in WeakSet and WeakMap comparison details (Shreyans Pathak) #56683
• [55533bf147] - doc: add RafaelGSS as latest sec release stewards (Rafael Gonzaga) #56682
• [8e978bdee1] - doc: clarify cjs/esm diff in queueMicrotask() vs process.nextTick() (Dario Piotrowicz) #56659
• [ae360c30dc] - doc: WeakSet and WeakMap comparison details (Shreyans Pathak) #56648
• [acd2a2fda5] - doc: mention prepare --security (Rafael Gonzaga) #56617
• [d3c0a2831d] - doc: tweak info on reposts in ambassador program (Michael Dawson) #56589
• [3299505b49] - doc: add type stripping to ambassadors program (Marco Ippolito) #56598
• [b1a6ffa4e4] - doc: improve internal documentation on built-in snapshot (Joyee Cheung) #56505
• [1641a28930] - doc: document CLI way to open the nodejs/bluesky PR (Antoine du Hamel) #56506
• [2042628fda] - doc: add section about using npx with permission model (Rafael Gonzaga) #56539
• [ace19a0263] - doc: update gcc-version for ubuntu-lts (Kunal Kumar) #56553
• [4aa57b50f8] - doc: fix parentheses in options (Tobias Nießen) #56563
• [b40b01b4d3] - doc: include CVE to EOL lines as sec release process (Rafael Gonzaga) #56520
• [6701360113] - doc: add esm examples to node:trace_events (Alfredo González) #56514
• [d3207cca3e] - doc: add message for Ambassadors to promote (Michael Dawson) #56235
• [97ece4ae06] - doc: allow request for TSC reviews via the GitHub UI (Antoine du Hamel) #56493
• [03f25055ab] - doc: add example for piping ReadableStream (Gabriel Schulhof) #56415
• [516d07482c] - doc: expand description of parseArg's default (Kevin Gibbons) #54431
• [a6491effcb] - doc: use <ul> instead of <ol> in SECURITY.md (Antoine du Hamel) #56346
• [e4ec134b21] - doc: clarify that WASM is trusted (Matteo Collina) #56345
• [0f7aed8a59] - doc: fix the crc32 documentation (Kevin Toshihiro Uehara) #55898
• [721104a296] - doc: fix links in module.md (Antoine du Hamel) #56283
• [928540d792] - doc: fix typos (Nathan Baulch) #55066
• [e69d35f03b] - doc: add history info for Permission Model (Antoine du Hamel) #56707
• [c6fd867ab5] - esm: fix jsdoc type refs to ModuleJobBase in esm/loader (Jacob Smith) #56499
• [9cf9046bd7] - Revert "events: add hasEventListener util for validate" (origranot) #56282
• [b7fe54fc88] - (SEMVER-MINOR) fs: allow exclude option in globs to accept glob patterns (Daeyeon Jeong) #56489
• [6ca27c2a59] - http2: omit server name when HTTP2 host is IP address (islandryu) #56530
• [9f1fa199bf] - inspector: roll inspector_protocol (Chengzhong Wu) #56649
• [0dae4bb3ab] - inspector: add undici http tracking support (Chengzhong Wu) #56488
• [2c6124cec4] - inspector: report loadingFinished until the response data is consumed (Chengzhong Wu) #56372
• [96ec862ce2] - lib: refactor execution.js (Marco Ippolito) #56358
• [3ac92ef607] - (SEMVER-MINOR) lib: add typescript support to STDIN eval (Marco Ippolito) #56359
• [d5bf3db0cf] - lib: allow skipping source maps in node_modules (Chengzhong Wu) #56639
• [d33eaf2bcb] - lib: ensure FORCE_COLOR forces color output in non-TTY environments (Pietro Marchini) #55404
• [dc003218a8] - lib: optimize prepareStackTrace on builtin frames (Chengzhong Wu) #56299
• [df06524863] - lib: suppress source map lookup exceptions (Chengzhong Wu) #56299
• [35335a5a66] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #56580
• [1faabdb150] - meta: add codeowners of security release document (Rafael Gonzaga) #56521
• [b4ece22ef5] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #56342
• [9ec67e7ce0] - meta: move MoLow to TSC regular member (Moshe Atlow) #56276
• [bae4b2e20a] - module: use more defensive code when handling SWC errors (Antoine du Hamel) #56646
• [1614e8e7bc] - (SEMVER-MINOR) module: add ERR_UNSUPPORTED_TYPESCRIPT_SYNTAX (Marco Ippolito) #56610
• [174d88eab1] - module: support eval with ts syntax detection (Marco Ippolito) #56285
• [299d6fa829] - module: fix jsdoc for format parameter in cjs/loader (pacexy) #56501
• [0307e4dd59] - module: unify TypeScript and .mjs handling in CommonJS (Joyee Cheung) #55590
• [1f4f9be93d] - module: fix async resolution error within the sync findPackageJSON (Jacob Smith) #56382
• [bbedffa0f0] - module: simplify findPackageJSON implementation (Antoine du Hamel) #55543
• [6d6cffa9cc] - (SEMVER-MINOR) module: add findPackageJSON util (Jacob Smith) #55412
• [cd7ce18233] - module: fix bad require.resolve with option paths for . and .. (Dario Piotrowicz) #56735
• [152df4da21] - module: rethrow amaro error message (Marco Ippolito) #56568
• [acba5dc87e] - module: use buffer.toString base64 (Chengzhong Wu) #56315
• [01e69be8ff] - node-api: define version 10 (Gabriel Schulhof) #55676
• [724524528e] - node-api: remove deprecated attribute from napi_module_register (Vladimir Morozov) #56162
• [c78e11064f] - process: remove support for undocumented symbol (Antoine du Hamel) #56552
• [3f69b18a23] - process: fix symbol key and mark experimental new node:process methods (Antoine du Hamel) #56517
• [d35333ae18] - (SEMVER-MINOR) process: add process.ref() and process.unref() methods (James M Snell) #56400
• [fa49f0f7d5] - punycode: limit deprecation warning (Colin Ihrig) #56632
• [d77c7073b7] - sqlite: disable memstatus APIs at build time (Colin Ihrig) #56541
• [07ff3ddcb5] - (SEMVER-MINOR) sqlite: support TypedArray and DataView in StatementSync (Alex Yang) #56385
• [b6c2e91365] - sqlite: enable SQL math functions (Colin Ihrig) #56447
• [3462263e8b] - sqlite: pass conflict type to conflict resolution handler (Bart Louwers) #56352
• [89ba3af743] - src: add nullptr handling from X509_STORE_new() (Burkov Egor) #56700
• [89a7c82e0c] - src: add default value for RSACipherConfig mode field (Burkov Egor) #56701
• [7bae51e62e] - src: fix build with GCC 15 (tjuhaszrh) #56740
• [432a4b8bd6] - src: fix to generate path from wchar_t via wstring (yamachu) #56696
• [8c9eaf82f0] - src: initialize FSReqWrapSync in path that uses it (Michaël Zasso) #56613
• [bcdb42d40b] - src: handle duplicate paths granted (Rafael Gonzaga) #56591
• [d6a7acc207] - src: update ECKeyPointer in ncrypto (James M Snell) #56526
• [01922f8b1f] - src: update ECPointPointer in ncrypto (James M Snell) #56526
• [2a3a36eceb] - src: update ECGroupPointer in ncrypto (James M Snell) #56526
• [67c10cdacb] - src: update ECDASSigPointer implementation in ncrypto (James M Snell) #56526
• [17f931c68b] - src: cleaning up more crypto internals for ncrypto (James M Snell) #56526
• [94d3fe1b62] - (SEMVER-MINOR) src: add --disable-sigusr1 to prevent signal i/o thread (Rafael Gonzaga) #56441
• [6594ee8dff] - src: fix undefined script name in error source (Chengzhong Wu) #56502
• [b46bad3e91] - src: refactor --trace-env to reuse option selection and handling (Joyee Cheung) #56293
• [76921b822b] - src: minor cleanups on OneByteString usage (James M Snell) #56482
• [3f0d1dd4fe] - src: move more crypto impl detail to ncrypto dep (James M Snell) #56421
• [04f623b283] - src: fixup more ToLocalChecked uses in node_file (James M Snell) #56484
• [5aa436f5a1] - src: make some minor ToLocalChecked cleanups (James M Snell) #56483
• [6eec5e7ec2] - src: lock the thread properly in snapshot builder (Joyee Cheung) #56327
• [5614993968] - src: drain platform tasks before creating startup snapshot (Chengzhong Wu) #56403
• [48493e9fd5] - src: use LocalVector in more places (James M Snell) #56457
• [7e5ea0681e] - src: use v8::LocalVector consistently with other minor cleanups (James M Snell) #56417
• [ad3d857f2b] - src: use starts_with in fs_permission.cc (ishabi) #55811
• [5afffb4415] - (SEMVER-MINOR) src,worker: add isInternalWorker (Carlos Espa) #56469
• [7d1676e72e] - stream: fix typo in ReadableStreamBYOBReader.readIntoRequests (Mattias Buelens) #56560
• [e658ea6b26] - stream: validate undefined sizeAlgorithm in WritableStream (Jason Zhang) #56067
• [e4f133c20c] - test: add ts eval snapshots (Marco Ippolito) #56358
• [f041742400] - test: remove empty lines from snapshots (Marco Ippolito) #56358
• [801cde91f6] - test: reduce number of written chunks (Luigi Pinca) #56757
• [6fdf1879ab] - test: fix invalid common.mustSucceed() usage (Luigi Pinca) #56756
• [d2bfbfa364] - test: use strict mode in global setters test (Rich Trott) #56742
• [5c030da42f] - test: cleanup and simplify test-crypto-aes-wrap (James M Snell) #56748
• [f1442d6eaf] - test: do not use common.isMainThread (Luigi Pinca) #56768
• [49405bd9e7] - test: make some requires lazy in common/index (James M Snell) #56715
• [52ef376788] - test: add test that uses multibyte for path and resolves modules (yamachu) #56696
• [b811dea85a] - test: replace more uses of global with globalThis (James M Snell) #56712
• [eb97076199] - test: make common/index slightly less node.js specific (James M Snell) #56712
• [1795202d19] - test: rely less on duplicative common test harness utilities (James M Snell) #56712
• [5be29a274e] - test: simplify common/index.js (James M Snell) #56712
• [92e99780f0] - test: move hasMultiLocalhost to common/net (James M Snell) #56716
• [1c3204a4cc] - test: move crypto related common utilities in common/crypto (James M Snell) #56714
• [fe79d63be0] - test: add missing test for env file (Jonas) #56642
• [e08af61537] - test: enforce strict mode in test-zlib-const (Rich Trott) #56689
• [c96792d7f8] - test: fix localization data for ICU 74.2 (Antoine du Hamel) #56661
• [48b72f1195] - test: use --permission instead of --experimental-permission (Rafael Gonzaga) #56685
• [de81d90fce] - test: test-stream-compose.js doesn't need internals (Meghan Denny) #56619
• [f5b8499ad0] - test: add maxCount and gcOptions to gcUntil() (Joyee Cheung) #56522
• [d9e5a81041] - test: add line break at end of file (Rafael Gonzaga) #56588
• [59be346fbf] - test: mark test-worker-prof as flaky on smartos (Joyee Cheung) #56583
• [12a2cae9e5] - test: update test-child-process-bad-stdio to use node:test (Colin Ihrig) #56562
• [2dc4a30e19] - test: disable openssl 3.4.0 incompatible tests (Jelle van der Waa) #56160
• [1950fbf51d] - test: make test-crypto-hash compatible with OpenSSL > 3.4.0 (Jelle van der Waa) #56160
• [a533420a91] - test: clarify fork inherit permission flags (Rafael Gonzaga) #56523
• [697e799dc1] - test: add error only reporter for node:test (Carlos Espa) #56438
• [4844fa212d] - test: mark test-http-server-request-timeouts-mixed as flaky (Joyee Cheung) #56503
• [843c2389b9] - test: update error code in tls-psk-circuit for for OpenSSL 3.4 (sebastianas) #56420
• [ccb2ddbd83] - test: update compiled sqlite tests to match other tests (Colin Ihrig) #56446
• [b40f50324d] - test: add initial test426 coverage (Chengzhong Wu) #56436
• [059f81e4fd] - test: update test-set-http-max-http-headers to use node:test (Colin Ihrig) #56439
• [ec2940b418] - test: update test-child-process-windows-hide to use node:test (Colin Ihrig) #56437
• [0362924880] - test: use unusual chars in the path to ensure our tests are robust (Antoine du Hamel) #48409
• [b6c3869910] - test: improve abort signal dropping test (Edy Silva) #56339
• [cc648ef923] - test: enable ts test on win arm64 (Marco Ippolito) #56349
• [68819b4997] - test: deflake test-watch-file-shared-dependency (Luigi Pinca) #56344
• [ca6ed2190c] - test: skip test-sqlite-extensions when SQLite is not built by us (Antoine du Hamel) #56341
• [8ffeb8b58c] - test: increase spin for eventloop test on s390 (Michael Dawson) #56228
• [6ae9950f08] - test: migrate message eval tests from Python to JS (Yiyun Lei) #50482
• [4352bf69e9] - test: check typescript loader (Marco Ippolito) #54657
• [406e7db9c3] - test: remove async-hooks/test-writewrap flaky designation (Luigi Pinca) #56048
• [fa56ab2bba] - test: deflake test-esm-loader-hooks-inspect-brk (Luigi Pinca) #56050
• [8e149aac99] - test: add test case for listeners (origranot) #56282
• [a3f5ef22cd] - test: make test-permission-sqlite-load-extension more robust (Antoine du Hamel) #56295
• [8cbb7cc838] - test_runner: print failing assertion only once with spec reporter (Pietro Marchini) #56662
• [1f426bad9a] - test_runner: remove unused errors (Pietro Marchini) #56607
• [697a851fb3] - (SEMVER-MINOR) test_runner: add TestContext.prototype.waitFor() (Colin Ihrig) #56595
• [047537b48c] - (SEMVER-MINOR) test_runner: add t.assert.fileSnapshot() (Colin Ihrig) #56459
• [19b4aa4b14] - test_runner: run single test file benchmark (Pietro Marchini) #56479
• [926cf84e95] - (SEMVER-MINOR) test_runner: add assert.register() API (Colin Ihrig) #56434
• [fb4661a4cf] - test_runner: finish marking snapshot testing as stable (Colin Ihrig) #56425
• [900c6c3940] - tls: fix error stack conversion in cryptoErrorListToException() (Joyee Cheung) #56554
• [e9f185b658] - tools: update doc to new version (Node.js GitHub Bot) #56259
• [7644c7e619] - tools: update inspector_protocol roller (Chengzhong Wu) #56649
• [362272b0a4] - tools: do not throw on missing create-release-proposal.sh (Antoine du Hamel) #56704
• [df8b835953] - tools: fix tools-deps-update (Daniel Lemire) #56684
• [feba5d3274] - tools: do not throw on missing create-release-proposal.sh (Antoine du Hamel) #56695
• [9827f7d395] - tools: fix permissions in lint-release-proposal workflow (Antoine du Hamel) #56614
• [14c562c0dc] - tools: remove github reporter (Carlos Espa) #56468
• [ed1785d0ae] - tools: edit create-release-proposal workflow (Antoine du Hamel) #56540
• [294e4c42f5] - tools: validate commit list as part of lint-release-commit (Antoine du Hamel) #56291
• [98d3474267] - tools: fix loong64 build failed (Xiao-Tao) #56466
• [3e729ceec8] - tools: disable unneeded rule ignoring in Python linting (Rich Trott) #56429
• [d5c05328e2] - tools: use a configurable value for number of open dependabot PRs (Antoine du Hamel) #56427
• [1705cbe002] - tools: bump the eslint group in /tools/eslint with 4 updates (dependabot[bot]) #56426
• [53b29b0469] - tools: fix require-common-first lint rule from subfolder (Antoine du Hamel) #56325
• [105c4ed4fb] - tools: add release line label when opening release proposal (Antoine du Hamel) #56317
• [30f61f4aa5] - url: use resolved path to convert UNC paths to URL (Antoine du Hamel) #56302
• [a0aef4dfb6] - util: inspect: do not crash on an Error stack that contains a Symbol (Jordan Harband) #56573
• [a8a060341f] - util: inspect: do not crash on an Error with a regex name (Jordan Harband) #56574
• [ea66bf3553] - util: rename CallSite.column to columnNumber (Chengzhong Wu) #56584
• [9cdc3b373c] - util: do not crash on inspecting function with Symbol name (Jordan Harband) #56572
• [0bfbb68569] - util: expose CallSite.scriptId (Chengzhong Wu) #56551
• [5dd7116e09] - watch: reload env file for --env-file-if-exists (Jonas) #56643
• [c658a8afdf] - (SEMVER-MINOR) worker: add eval ts input (Marco Ippolito) #56394
• [2e5d038f48] - worker: refactor stdio to improve performance (Matteo Collina) #56630
• [f959805d01] - worker: flush stdout and stderr on exit (Matteo Collina) #56428

22.13.1

This is a security release.

Notable Changes

• CVE-2025-23083 - src,loader,permission: throw on InternalWorker use when permission model is enabled (High)
• CVE-2025-23085 - src: fix HTTP2 mem leak on premature close and ERR_PROTO (Medium)
• CVE-2025-23084 - path: fix path traversal in normalize() on Windows (Medium)

Dependency update:

• CVE-2025-22150 - Use of Insufficiently Random Values in undici fetch() (Medium)

Commits

• [520da342e0] - (CVE-2025-22150) deps: update undici to v6.21.1 (Matteo Collina) nodejs-private/node-private#662
• [99f217369f] - (CVE-2025-23084) path: fix path traversal in normalize() on Windows (Tobias Nießen) nodejs-private/node-private#555
• [984f735e35] - (CVE-2025-23085) src: fix HTTP2 mem leak on premature close and ERR_PROTO (RafaelGSS) nodejs-private/node-private#650
• [2446870618] - (CVE-2025-23083) src,loader,permission: throw on InternalWorker use (RafaelGSS) nodejs-private/node-private#651

---

All Depfu comment commands

@​depfu refresh

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Pauses all engine updates and closes this PR

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 89.33%. Comparing base (bf13288) to head (c136c14).

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #4680      +/-   ##
===========================================
- Coverage    89.42%   89.33%   -0.09%     
===========================================
  Files         1406     1406              
  Lines        30226    30226              
===========================================
- Hits         27030    27003      -27     
- Misses        3196     3223      +27     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.