forgejo/runner
31
87
Fork 91
Code Issues 38 Pull requests 9 Releases 81 Packages 1 Activity Actions

Update dependency lxc-node to v24 #1285

Merged
viceice merged 1 commit from renovate/lxc-node-24.x into main 2026-01-13 12:22:23 +00:00
Conversation 5 Commits 1 Files changed 1 +1 -1
viceice-bot commented 2026-01-13 11:00:55 +00:00
Member
Copy link

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Update Change
lxc-node (source) major 2024

Release Notes

nodejs/node (lxc-node)

v24.12.0: 2025-12-10, Version 24.12.0 'Krypton' (LTS), @​targos

Compare Source

Notable Changes
  • [1a00b5f68a] - (SEMVER-MINOR) http: add optimizeEmptyRequests server option (Rafael Gonzaga) #​59778
  • [ff5754077d] - (SEMVER-MINOR) lib: add options to util.deprecate (Rafael Gonzaga) #​59982
  • [8987159234] - (SEMVER-MINOR) module: mark type stripping as stable (Marco Ippolito) #​60600
  • [92c484ebf4] - (SEMVER-MINOR) node-api: add napi_create_object_with_properties (Miguel Marcondes Filho) #​59953
  • [b11bc5984e] - (SEMVER-MINOR) sqlite: allow setting defensive flag (Bart Louwers) #​60217
  • [e7da5b4b7d] - (SEMVER-MINOR) src: add watch config namespace (Marco Ippolito) #​60178
  • [a7f7d10c06] - (SEMVER-MINOR) src: add an option to make compile cache portable (Aditi) #​58797
  • [92ea669240] - (SEMVER-MINOR) src,permission: add --allow-inspector ability (Rafael Gonzaga) #​59711
  • [05d7509bd2] - (SEMVER-MINOR) v8: add cpu profile (theanarkh) #​59807
Commits

v24.11.1: 2025-11-11, Version 24.11.1 'Krypton' (LTS), @​aduh95

Compare Source

Notable Changes

The known issue relating to Buffer.allocUnsafe incorrectly zero-filling buffers
has now been addressed and now returns uninitialized memory as documented in the
Buffer.allocUnsafe
documentation.

Commits

v24.11.0: 2025-10-28, Version 24.11.0 'Krypton' (LTS), @​richardlau

Compare Source

Notable Changes

This release marks the transition of Node.js 24.x into Long Term Support (LTS)
with the codename 'Krypton'. It will continue to receive updates through to
the end of April 2028.

Other than updating metadata, such as the process.release object, to reflect
that the release is LTS, no further changes from Node.js 24.10.0 are included.

Known issue

An issue has been identified in the Node.js 24.x line with Buffer.allocUnsafe
unintentionally returning zero-filled buffers. This API is
documented to return uninitialized memory.
The documented behavior will be restored in the next Node.js 24.x LTS release to bring
it back in line with previous releases. For more information, see
#​60423.

v24.10.0: 2025-10-08, Version 24.10.0 (Current), @​RafaelGSS

Compare Source

Notable Changes
  • [31bb476895] - (SEMVER-MINOR) console: allow per-stream inspectOptions option (Anna Henningsen) #​60082
  • [3b92be2fb8] - (SEMVER-MINOR) lib: remove util.getCallSite (Rafael Gonzaga) #​59980
  • [18c79d9e1c] - (SEMVER-MINOR) sqlite: create authorization api (Guilherme Araújo) #​59928
Commits

v24.9.0: 2025-09-25, Version 24.9.0 (Current), @​targos

Compare Source

Notable Changes
  • [9b043a9096] - (SEMVER-MINOR) http: add shouldUpgradeCallback to let servers control HTTP upgrades (Tim Perry) #​59824
  • [a6456ab90a] - (SEMVER-MINOR) sqlite: cleanup ERM support and export Session class (James M Snell) #​58378
  • [5563361d22] - (SEMVER-MINOR) sqlite: add tagged template (0hm☘️) #​58748
  • [04013ee933] - (SEMVER-MINOR) worker: add heap profile API (theanarkh) #​59846
Commits

v24.8.0: 2025-09-10, Version 24.8.0 (Current), @​targos

Compare Source

Notable Changes
HTTP/2 Network Inspection Support in Node.js

Node.js now supports inspection of HTTP/2 network calls in Chrome DevTools for Node.js.

Usage

Write a test.js script that makes HTTP/2 requests.

const http2 = require('node:http2');

const client = http2.connect('https://nghttp2.org');

const req = client.request([
  ':path', '/',
  ':method', 'GET',
]);

Run it with these options:

node --inspect-wait --experimental-network-inspection test.js

Open about:inspect on Google Chrome and click on Open dedicated DevTools for Node.
The Network tab will let you track your HTTP/2 calls.

Contributed by Darshan Sen in #​59611.

Other Notable Changes
  • [7a8e2c251d] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in node:crypto (Filip Skokan) #​59570
  • [4b631be0b0] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in Web Cryptography (Filip Skokan) #​59570
  • [3e4b1e732c] - (SEMVER-MINOR) crypto: add KMAC Web Cryptography algorithms (Filip Skokan) #​59647
  • [b1d28785b2] - (SEMVER-MINOR) crypto: add Argon2 Web Cryptography algorithms (Filip Skokan) #​59544
  • [430691d1af] - (SEMVER-MINOR) crypto: support SLH-DSA KeyObject, sign, and verify (Filip Skokan) #​59537
  • [d6d05ba397] - (SEMVER-MINOR) worker: add cpu profile APIs for worker (theanarkh) #​59428
Commits

v24.7.0: 2025-08-27, Version 24.7.0 (Current), @​targos

Compare Source

Notable Changes
Post-Quantum Cryptography in node:crypto

OpenSSL 3.5 on 24.x kicked off post-quantum cryptography efforts in Node.js by
allowing use of NIST's post-quantum cryptography standards for future-proofing
applications against quantum computing threats. The following post-quantum
algorithms are now available in node:crypto:

  • ML-KEM (FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard) through new crypto.encapsulate() and crypto.decapsulate() methods.
  • ML-DSA (FIPS 204, Module-Lattice-Based Digital Signature Standard) in the existing crypto.sign() and crypto.verify() methods.

Contributed by Filip Skokan in #​59259 and #​59491.

Modern Algorithms in Web Cryptography API

The second substantial extension to the Web Cryptography API
(globalThis.crypto.subtle) was recently accepted for incubation by WICG.
The following algorithms and methods from this extension are now available in
the Node.js Web Cryptography API implementation:

  • AES-OCB
  • ChaCha20-Poly1305
  • ML-DSA
  • ML-KEM
  • SHA-3
  • SHAKE
  • subtle.getPublicKey()
  • SubtleCrypto.supports()
  • ... with more coming in future releases.

Contributed by Filip Skokan in #​59365, #​59569, #​59461, and #​59539.

Node.js execution argument support in single executable applications

The single executable application configuration now supports additional fields
to specify Node.js execution arguments and control how they can be extended when
the application is run.

  • execArgv takes an array of strings for the execution arguments to be used.
  • execArgvExtension takes one of the following values:
    • "none": No additional execution arguments are allowed.
    • "cli": Additional execution arguments can be provided via a special command-line flag --node-options="--flag1 --flag2=value" at run time.
    • "env" (default): Additional execution arguments can be provided via the NODE_OPTIONS environment variable at run time.

For example, with the following configuration:

{
  "main": "/path/to/bundled/script.js",
  "output": "/path/to/write/the/generated/blob.blob",
  "execArgv": ["--no-warnings"],
  "execArgvExtension": "cli",
}

If the generated single executable application is named sea, then running:

sea --node-options="--max-old-space-size=4096" user-arg1 user-arg2

Would be equivalent to running:

node --no-warnings --max-old-space-size=4096 /path/to/bundled/script.js user-arg1 user-arg2

Contributed by Joyee Cheung in #​59314 and #​59560.

Root certificates updated to NSS 3.114

Certificates added:

  • TrustAsia TLS ECC Root CA
  • TrustAsia TLS RSA Root CA
  • SwissSign RSA TLS Root CA 2022 - 1

Certificates removed:

  • GlobalSign Root CA
  • Entrust.net Premium 2048 Secure Server CA
  • Baltimore CyberTrust Root
  • Comodo AAA Services root
  • XRamp Global CA Root
  • Go Daddy Class 2 CA
  • Starfield Class 2 CA
Other Notable Changes
  • [d3afc63c44] - (SEMVER-MINOR) crypto: add argon2() and argon2Sync() methods (Ranieri Althoff) #​50353
  • [6ae202fcdf] - (SEMVER-MINOR) http: add Agent.agentKeepAliveTimeoutBuffer option (Haram Jeong) #​59315
  • [dafee05358] - (SEMVER-MINOR) http2: add support for raw header arrays in h2Stream.respond() (Tim Perry) #​59455
  • [8dc6f5b696] - (SEMVER-MINOR) stream: add brotli support to CompressionStream and DecompressionStream (Matthew Aitken) #​59464
Commits

v24.6.0: 2025-08-14, Version 24.6.0 (Current), @​RafaelGSS

Compare Source

Notable Changes
  • [471fe712b3] - (SEMVER-MINOR) cli: add NODE_USE_SYSTEM_CA=1 (Joyee Cheung) #​59276
  • [38aedfbf73] - (SEMVER-MINOR) crypto: support ML-DSA KeyObject, sign, and verify (Filip Skokan) #​59259
  • [201304537e] - (SEMVER-MINOR) zlib: add dictionary support to zstdCompress and zstdDecompress (lluisemper) #​59240
  • [e79c93a5d0] - (SEMVER-MINOR) http: add server.keepAliveTimeoutBuffer option (Haram Jeong) #​59243
  • [c144d69efc] - lib: docs deprecate _http_* (Sebastian Beltran) #​59293
  • [aeb4de55a7] - (SEMVER-MINOR) fs: port SonicBoom module to fs module as Utf8Stream (James M Snell) #​58897
Commits

v24.5.0: 2025-07-31, Version 24.5.0 (Current), @​aduh95

Compare Source

Notable Changes
Upgrade to OpenSSL 3.5

This release is distributed with OpenSSL 3.5.1, following the announcement that
OpenSSL 3.5 will be supported until April 2030, while Node.js 24 will be
supported until April 2028. Read more about OpenSSL support in their blog post:
https://openssl-library.org/post/2025-02-20-openssl-3.5-lts/.

Contributed by Richard Lau in #​58100.

Unflag --experimental-wasm-modules

Node.js supports both source phase imports and instance phase imports to WebAssembly
modules and for WASM imports to JavaScript, in line with the current Phase 3
WebAssembly ESM Integration proposal.
The implementation and the specification are still subject to change.

Contributed by Guy Bedford in #​57038.

Built-in proxy support in request() and Agent

node:http and node:https now support proxies. When NODE_USE_ENV_PROXY
is set to 1, the default global agent would parse the http_proxy/HTTP_PROXY,
https_proxy/HTTPS_PROXY, no_proxy/NO_PROXY settings from the
environment variables, and proxy the requests sent through the built-in http/https
client accordingly.

To use global proxy support from the command line:

NODE_USE_ENV_PROXY=1 HTTP_PROXY=http://proxy.example.com:8080 HTTPS_PROXY=http://proxy.example.com:8080 NO_PROXY=localhost,127.0.0.1 node client.js

In addition, http.Agent and https.Agent now support the custom proxyEnv options.

const agent = new https.Agent({ proxyEnv: { HTTPS_PROXY: 'http://proxy.example.com:8080' } });

For reference, fetch() already supports NODE_USE_ENV_PROXY as of Node.js 24.0.0.

Contributed by Joyee Cheung in #​58980.

Add setDefaultCACertificates() to node:tls

This API allows dynamically configuring CA certificates that will be used by the
Node.js TLS clients by default.

Once called, the provided certificates will become the default CA certificate list
returned by tls.getCACertificates('default') and used by TLS connections that
don't specify their own CA certificates.

To add system CA certificates to the default bundle (which includes the Mozilla
CA certificates):

tls.setDefaultCACertificates(tls.getCACertificates('default').concat(tls.getCACertificates('system')));

Contributed by Joyee Cheung in #​58822.

Other notable changes
  • [d5640ca58a] - (SEMVER-MINOR) cli: support ${pid} placeholder in --cpu-prof-name (Haram Jeong) #​59072
  • [c52aaacfc5] - (SEMVER-MINOR) dns: support max timeout (theanarkh) #​58440
  • [927742b342] - doc: update the instruction on how to verify releases (Antoine du Hamel) #​59113
  • [f753645cd8] - (SEMVER-MINOR) net: update net.blocklist to allow file save and file management (alphaleadership) #​58087
  • [9791ff3480] - (SEMVER-MINOR) worker: add web locks api (ishabi) #​58666
Commits

v24.4.1: 2025-07-15, Version 24.4.1 (Current), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes
  • (CVE-2025-27209) HashDoS in V8 with new RapidHash algorithm
  • (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()
Commits

v24.4.0: 2025-07-09, Version 24.4.0 (Current), @​RafaelGSS

Compare Source

Notable Changes
  • [22b60e8a57] - (SEMVER-MINOR) crypto: support outputLength option in crypto.hash for XOF functions (Aditi) #​58121
  • [80dec9849d] - (SEMVER-MINOR) doc: add all watch-mode related flags to node.1 (Dario Piotrowicz) #​58719
  • [87f4d078b3] - (SEMVER-MINOR) fs: add disposable mkdtempSync (Kevin Gibbons) #​58516
  • [9623c50b53] - (SEMVER-MINOR) permission: propagate permission model flags on spawn (Rafael Gonzaga) #​58853
  • [797ec4da04] - (SEMVER-MINOR) sqlite: add support for readBigInts option in db connection level (Miguel Marcondes Filho) #​58697
  • [ed966a0215] - (SEMVER-MINOR) src,permission: add support to permission.has(addon) (Rafael Gonzaga) #​58951
  • [fe17f5d285] - (SEMVER-MINOR) watch: add --watch-kill-signal flag (Dario Piotrowicz) #​58719
Commits

v24.3.0: 2025-06-24, Version 24.3.0 (Current), @​RafaelGSS

Compare Source

Notable Changes
  • [841609ac1c] - doc: add islandryu to collaborators (Shima Ryuhei) #​58714
  • [839964ece8] - (SEMVER-MINOR) fs: allow correct handling of burst in fs-events with AsyncIterator (Philipp Dunkel) #​58490
  • [9b28f40834] - (SEMVER-MINOR) module: remove experimental warning from type stripping (Marco Ippolito) #​58643
  • [7cdda927fa] - test: fix test-timeout-flag after revert of auto subtest wait (Pietro Marchini) #​58282
  • [dce1995c55] - Revert "test_runner: remove promises returned by t.test()" (Romain Menke) #​58282
  • [8b0c5edbb6] - Revert "test_runner: remove promises returned by test()" (Romain Menke) #​58282
  • [713fbad7b6] - (SEMVER-MINOR) test_runner: support object property mocking (Idan Goshen) #​58438
  • [ef0230abaf] - (SEMVER-MINOR) url: add fileURLToPathBuffer API (James M Snell) #​58700
Commits

v24.2.0: 2025-06-09, Version 24.2.0 (Current), @​aduh95

Compare Source

Notable Changes
Remove support for HTTP/2 priority signaling

The support for priority signaling has been removed in nghttp2, following its
deprecation in the RFC 9113.
As a consequence of this, priority signaling is deprecated on all release lines of Node.js,
and removed from Node.js 24 so we can include latest updates from nghttp2.

Contributed by Matteo Collina and Antoine du Hamel in
#​58293.

import.meta.main is now available

Boolean value available in ECMAScript modules, which can be used to detect
whether the current module was the entry point of the current process.

export function foo() {
  return 'Hello, world';
}

function main() {
  const message = foo();
  console.log(message);
}

if (import.meta.main) main();
// `foo` can be imported from another module without possible side-effects from `main`

Contributed by Joe and Antoine du Hamel in
#​57804.

Other Notable Changes
  • [e13930bbe0] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #​58499
  • [984894b38c] - doc: deprecate util.isNativeError in favor of Error.isError (Miguel Marcondes Filho) #​58262
  • [d261274b0f] - doc: deprecate passing an empty string to options.shell (Antoine du Hamel) #​58564
  • [510872a522] - (SEMVER-MINOR) doc: graduate Symbol.dispose/asyncDispose from experimental (James M Snell) #​58467
  • [6f4c9dd423] - (SEMVER-MINOR) fs: add autoClose option to FileHandle readableWebStream (James M Snell) #​58548
  • [32efb63242] - http: deprecate instantiating classes without new (Yagiz Nizipli) #​58518
  • [0234a8ef53] - (SEMVER-MINOR) http2: add diagnostics channel http2.server.stream.finish (Darshan Sen) #​58560
  • [0f1e94f731] - (SEMVER-MINOR) lib: graduate error codes that have been around for years (James M Snell) #​58541
  • [13abca3c26] - (SEMVER-MINOR) perf_hooks: make event loop delay histogram disposable (James M Snell) #​58384
  • [8ea1fc5f3b] - (SEMVER-MINOR) src: support namespace options in configuration file (Pietro Marchini) #​58073
  • [d6ea36ad6c] - src,permission: implicit allow-fs-read to app entrypoint (Rafael Gonzaga) #​58579
  • [5936cef60a] - (SEMVER-MINOR) test: add disposable histogram test (James M Snell) #​58384
  • [7a91f4aaa1] - (SEMVER-MINOR) test: add test for async disposable worker thread (James M Snell) #​58385
  • [532c173cf2] - (SEMVER-MINOR) util: add none style to styleText (James M Snell) #​58437
  • [aeb9ab4c4c] - (SEMVER-MINOR) worker: make Worker async disposable (James M Snell) #​58385
Commits

v24.1.0: 2025-05-21, Version 24.1.0 (Current), @​aduh95

Compare Source

Notable Changes
Commits

v24.0.2: 2025-05-14, Version 24.0.2 (Current), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes
  • (CVE-2025-23166) fix error handling on async crypto operation
Commits

v24.0.1: 2025-05-08, Version 24.0.1 (Current), @​aduh95

Compare Source

Notable Changes
Commits

v24.0.0: 2025-05-06, Version 24.0.0 (Current), @​RafaelGSS and @​juanarbol

Compare Source

We’re excited to announce the release of Node.js 24! This release brings
several significant updates, including the upgrade of the V8 JavaScript
engine to version 13.6 and npm to version 11. Starting with
Node.js 24, support for MSVC has been removed, and ClangCL is now required
to compile Node.js on Windows. The AsyncLocalStorage API now uses
AsyncContextFrame by default, and URLPattern is available globally.
These changes, along with many other improvements, continue to push the
platform forward.

As a reminder, Node.js 24 will enter long-term support (LTS) in October,
but until then, it will be the "Current" release for the next six months.
We encourage you to explore the new features and benefits offered by this
latest release and evaluate their potential impact on your applications.

Notable Changes

V8 13.6

The V8 engine is updated to version 13.6, which includes several new
JavaScript features:

The V8 update was a contribution by Michaël Zasso in #​58070.

npm 11

Node.js 24 comes with npm 11, which includes several improvements and new
features. This update brings enhanced performance, improved security features,
and better compatibility with modern JavaScript packages.

The npm update was a contribution by the npm team in #​56274.

AsyncLocalStorage defaults to AsyncContextFrame

AsyncLocalStorage now uses AsyncContextFrame by default, which provides a
more efficient implementation of asynchronous context tracking.
This change improves performance and makes the API more robust for advanced
use cases.

This change was a contribution by Stephen Belanger in #​55552.

URLPattern as a global

The URLPattern
API is now exposed on the global object, making it easier to use without
explicit imports. This API provides a powerful pattern matching system for URLs,
similar to how regular expressions work for strings.

This feature was a contribution by Jonas Badalič in #​56950.

Permission Model Improvements

The experimental Permission Model introduced in Node.js 20 has been improved,
and the flag has been changed from --experimental-permission to simply
--permission, indicating its increasing stability and readiness for broader
adoption.

This change was a contribution by Rafael Gonzaga in #​56240.

Test Runner Enhancements

The test runner module now automatically waits for subtests to finish,
eliminating the need to manually await test promises. This makes writing tests
more intuitive and reduces common errors related to unhandled promises.

The test runner improvements were contributions by Colin Ihrig in #​56664.

Undici 7

Node.js 24 includes Undici 7, which brings numerous improvements to the
HTTP client capabilities, including better performance and support for newer
HTTP features.

Deprecations and Removals

Several APIs have been deprecated or removed in this release:

  • Runtime deprecation of url.parse() - use the WHATWG URL API instead (#​55017)
  • Removal of deprecated tls.createSecurePair (#​57361)
  • Runtime deprecation of SlowBuffer (#​55175)
  • Runtime deprecation of instantiating REPL without new (#​54869)
  • Deprecation of using Zlib classes without new (#​55718)
  • Deprecation of passing args to spawn and execFile in child_process (#​57199)
Semver-Major Commits
  • [c6b934380a] - (SEMVER-MAJOR) src: enable Float16Array on global object (Michaël Zasso) #​58154
  • [69efb81a73] - (SEMVER-MAJOR) src: enable explicit resource management (Michaël Zasso) #​58154
  • [b00ff4270e] - (SEMVER-MAJOR) src,test: unregister the isolate after disposal and before freeing (Joyee Cheung) #​58070
  • [b81697d860] - (SEMVER-MAJOR) src: use non-deprecated WriteUtf8V2() method (Yagiz Nizipli) #​58070
  • [1f06169b87] - (SEMVER-MAJOR) src: use non-deprecated Utf8LengthV2() method (Yagiz Nizipli) #​58070
  • [eae9a296f0] - (SEMVER-MAJOR) src: use V8-owned CppHeap (Joyee Cheung) #​58070
  • [087c254a11] - (SEMVER-MAJOR) test: fix test-fs-write for V8 13.6 (Michaël Zasso) #​58070
  • [9e49bedd8e] - (SEMVER-MAJOR) build: update list of installed cppgc headers (Michaël Zasso) #​58070
  • [93cca8a43e] - (SEMVER-MAJOR) tools: update V8 gypfiles for 13.6 (Michaël Zasso) #​58070
  • [347daa07be] - (SEMVER-MAJOR) tools: update V8 gypfiles for 13.5 (Michaël Zasso) #​58070
  • [2a35d5a86c] - (SEMVER-MAJOR) build: fix V8 TLS config for shared lib builds (Michaël Zasso) #​58070
  • [b0fb5a09cf] - (SEMVER-MAJOR) build: pass -fPIC to linker as well for shared builds (Michaël Zasso) #​58070
  • [dd4c5d6c73] - (SEMVER-MAJOR) src,test: add V8 API to test the hash seed (Michaël Zasso) #​58070
  • [1d5d7b6eed] - (SEMVER-MAJOR) src: use v8::ExternalMemoryAccounter (Michaël Zasso) #​58070
  • [3779e43cce] - (SEMVER-MAJOR) tools: update license-builder and LICENSE for V8 deps (Michaël Zasso) #​58070
  • [82c2255206] - (SEMVER-MAJOR) deps: remove deps/simdutf (Michaël Zasso) #​58070
  • [8a258eb7b1] - (SEMVER-MAJOR) test: handle explicit resource management globals (Michaël Zasso) #​58070
  • [9e0d9b6024] - (SEMVER-MAJOR) test: adapt assert tests to stack trace changes (Michaël Zasso) #​58070
  • [f7406aa56d] - (SEMVER-MAJOR) test: update test-linux-perf-logger (Michaël Zasso) #​58070
  • [c7493fac5e] - (SEMVER-MAJOR) Revert "test: disable fast API call count