Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

tls: implement tls.getCACertificates() #57107

Merged
merged 3 commits into from
Mar 6, 2025
Merged

tls: implement tls.getCACertificates() #57107

merged 3 commits into from
Mar 6, 2025
+468 −26

Conversation

joyeecheung
Copy link
Member

To accompany --use-system-ca, this adds a new API that allows querying various kinds of CA certificates.

  • If the first argument type is "default" or undefined, it returns the CA certificates that will be used by Node.js TLS clients by default, which includes the Mozilla CA if --use-bundled-ca is enabled or --use-openssl-ca is not enabled, and the system certificates if --use-system-ca is enabled, and the extra certificates if NODE_EXTRA_CA_CERTS is used.
  • If type is "system" this returns the system certificates, regardless of whether --use-system-ca is enabeld or not.
  • If type is "bundled" this is the same as tls.rootCertificates and returns the Mozilla CA certificates.
  • If type is "extra" this returns the certificates parsed from the path specified by NODE_EXTRA_CA_CERTS.

Drive-by: remove the inaccurate description in tls.rootCertificates about including system certificates, since it in fact does not include them, and also it is contradicting the previous description about tls.rootCertificates always returning the Mozilla CA store and staying the same across platforms.

I've considered just adding the certificates to tls.rootCertificates but ended up going with a new API instead with the following considerations:

  1. tls.rootCertificates has been documented explicitly as:

    An immutable array of strings representing the root certificates (in PEM format)
    from the bundled Mozilla CA store as supplied by the current Node.js version.
    The bundled CA store, as supplied by Node.js, is a snapshot of Mozilla CA store
    that is fixed at release time. It is identical on all supported platforms.

    And users might have been relying on this description and do not expect any other additional certificates to be added in.

  2. Historically, tls.rootCertificates has not been affected by --use-openssl-ca or NODE_EXTRA_CA_CERTS, either, which further enforces the documented invariant. Users might get caught off-guard if we start to add system certificates etc. into this array, especially considering the certificates may contain private information in the issuer and subject part (e.g. employer or other identity information), at least if it's not done in a semver-major.

  3. Unlike the bundled certificates, CA certificates from the system store may or may not be root certificates. So the name tls.rootCertificates is somewhat misleading if it's repurposed to include the intermediate CA certificates.

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/crypto
  • @nodejs/net

Sorry, something went wrong.

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. tls Issues and PRs related to the tls subsystem. labels Feb 17, 2025
@codecov Codecov
Copy link

codecov bot commented Feb 17, 2025
edited
Loading

Codecov Report

Attention: Patch coverage is 90.97744% with 12 lines in your changes missing coverage. Please review.

Project coverage is 90.24%. Comparing base (8c2df73) to head (85599bf).
Report is 90 commits behind head on main.

Files with missing lines Patch % Lines
src/crypto/crypto_context.cc 77.77% 6 Missing and 6 partials ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #57107      +/-   ##
==========================================
- Coverage   90.34%   90.24%   -0.11%     
==========================================
  Files         629      630       +1     
  Lines      184403   185278     +875     
  Branches    36040    36232     +192     
==========================================
+ Hits       166607   167197     +590     
- Misses      10919    11089     +170     
- Partials     6877     6992     +115
Files with missing lines Coverage Δ
lib/tls.js 96.00% <100.00%> (+0.84%) ⬆️
src/crypto/crypto_context.cc 69.34% <77.77%> (+4.25%) ⬆️

... and 67 files with indirect coverage changes

🚀 New features to boost your workflow:
  • Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Feb 17, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 17, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/65274/

jasnell
jasnell reviewed Feb 18, 2025
View reviewed changes
lib/tls.js
let defaultCACertificates;
function cacheDefaultCACertificates() {
if (defaultCACertificates) { return defaultCACertificates; }
defaultCACertificates = [];
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mostly just a nit so feel free to ignore... it would be nice to be able to allocate the array at once rather than using multiple individual array.push(...) calls.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is different in JS - in JS if the array is preallocated, this becomes a holey array. using array.push keeps it compact, which can have perf implications. See https://v8.dev/blog/elements-kinds

jasnell
jasnell reviewed Feb 18, 2025
View reviewed changes
src/crypto/crypto_context.cc
@@ -812,6 +815,58 @@ void GetRootCertificates(const FunctionCallbackInfo<Value>& args) {
Array::New(env->isolate(), result, arraysize(root_certs)));
}

MaybeLocal<Array> X509sToArrayOfStrings(Environment* env,
const std::vector<X509*>& certs) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since you're using X509View here anyway, it would be nice to move away from the raw pointers in this std::vector. Can we make this an std::vector<ncrypto::X509View>& ?

Copy link
Member Author

@joyeecheung joyeecheung Feb 18, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've considered this but it seems a bit too complicated for this PR, because we get the raw pointers from the function-local static storage for thread safety. Passing in std::vector<ncrypto::X509View> means doing another loop to convert them into vectors of X509View first, and then this must be called for all the caller before X509sToArrayOfStrings. It seems like a lot of extra code/slight overhead for no particular gains. Unless ncrypto provides some kind of helper to convert vectors of X509 into vectors of X509View automatically.

jasnell
jasnell reviewed Feb 18, 2025
View reviewed changes
@joyeecheung
Copy link
Member Author

There are some failures in the dynamically linked OpenSSL builds that I cannot reproduce locally - I am not sure if it has something to do with the specific configuration of those containers in the CI. Retrying after I did some fix ups in the tests - if it's still failing I'll need to log into the containers to see what's going on.

@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Feb 18, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 18, 2025
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@joyeecheung
Copy link
Member Author

joyeecheung commented Feb 23, 2025
edited
Loading

I managed to reproduce the container errors locally, FWIW this is what I used to build the them locally https://gist.github.com/joyeecheung/2a27e16ee47a018504b79b77257937fb - there is some memory error, but I built it on a plane and did not save the build, so will need to rebuild and try debugging later when I am back from vacation.

@joyeecheung
tls: implement tls.getCACertificates()

Verified

This commit was signed with the committer’s verified signature.
joyeecheung Joyee Cheung
GPG key ID: 92B78A53C8303B8D
Verified
Learn about vigilant mode
fc4d62f 
To accompany --use-system-ca, this adds a new API that allows
querying various kinds of CA certificates.

- If the first argument `type` is `"default"` or undefined,
  it returns the CA certificates that will be used by Node.js
  TLS clients by default, which includes the Mozilla CA
  if --use-bundled-ca is enabled or --use-openssl-ca is not
  enabled, and the system certificates if --use-system-ca
  is enabled, and the extra certificates if NODE_EXTRA_CA_CERTS
  is used.
- If `type` is `"system"` this returns the system certificates,
  regardless of whether --use-system-ca is enabeld or not.
- If `type` is `"bundled"` this is the same as `tls.rootCertificates`
  and returns the Mozilla CA certificates.
- If `type` is `"extra"` this returns the certificates parsed
  from the path specified by NODE_EXTRA_CA_CERTS.

Drive-by: remove the inaccurate description in `tls.rootCertificates`
about including system certificates, since it in fact does not include
them, and also it is contradicting the previous description about
`tls.rootCertificates` always returning the Mozilla CA store and
staying the same across platforms.
@joyeecheung
fixup! tls: implement tls.getCACertificates()

Verified

This commit was signed with the committer’s verified signature.
joyeecheung Joyee Cheung
GPG key ID: 92B78A53C8303B8D
Verified
Learn about vigilant mode
Loading
Loading status checks…
4ef5c40
@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Feb 24, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Feb 24, 2025
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@joyeecheung
Copy link
Member Author

Somehow it seems uv_fs_req_cleanup can't be called on the unused uv_fs_t, though I recall that uv_fs_req_cleanup was able to handle that...? Anyway this seems to fix the crash, running the CI to verify, though this might be better as a separate PR because it technically fixes --use-system-ca as well.

@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 3, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 3, 2025
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@joyeecheung
Copy link
Member Author

Fixed the test runner again to consider the --no flags when skipping test for without-ssl builds..

@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 4, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 4, 2025
@nodejs-github-bot

This comment was marked as outdated.

Sign in to view
@joyeecheung joyeecheung added the request-ci Add this label to start a Jenkins CI on a PR. label Mar 5, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Mar 5, 2025
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/65585/

@joyeecheung
Copy link
Member Author

This needs a re-approval after the fix. Can you take a look again? Thanks @jasnell

@joyeecheung joyeecheung added commit-queue Add this label to land a pull request using GitHub Actions. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. semver-minor PRs that contain new features and should be released in the next minor version. labels Mar 6, 2025
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Mar 6, 2025
@nodejs-github-bot nodejs-github-bot merged commit a790901 into nodejs:main Mar 6, 2025
70 checks passed
@nodejs-github-bot
Copy link
Collaborator

Landed in a790901

aduh95 pushed a commit that referenced this pull request Mar 9, 2025
@joyeecheung @aduh95
tls: implement tls.getCACertificates()

Verified

This commit was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 21D900FFDB233756
Verified
Learn about vigilant mode
ef2a324 
To accompany --use-system-ca, this adds a new API that allows
querying various kinds of CA certificates.

- If the first argument `type` is `"default"` or undefined,
  it returns the CA certificates that will be used by Node.js
  TLS clients by default, which includes the Mozilla CA
  if --use-bundled-ca is enabled or --use-openssl-ca is not
  enabled, and the system certificates if --use-system-ca
  is enabled, and the extra certificates if NODE_EXTRA_CA_CERTS
  is used.
- If `type` is `"system"` this returns the system certificates,
  regardless of whether --use-system-ca is enabeld or not.
- If `type` is `"bundled"` this is the same as `tls.rootCertificates`
  and returns the Mozilla CA certificates.
- If `type` is `"extra"` this returns the certificates parsed
  from the path specified by NODE_EXTRA_CA_CERTS.

Drive-by: remove the inaccurate description in `tls.rootCertificates`
about including system certificates, since it in fact does not include
them, and also it is contradicting the previous description about
`tls.rootCertificates` always returning the Mozilla CA store and
staying the same across platforms.

PR-URL: #57107
Reviewed-By: James M Snell <jasnell@gmail.com>
aduh95 pushed a commit that referenced this pull request Mar 9, 2025
@joyeecheung @aduh95
tls: implement tls.getCACertificates()

Verified

This commit was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 21D900FFDB233756
Verified
Learn about vigilant mode
75f11ae 
To accompany --use-system-ca, this adds a new API that allows
querying various kinds of CA certificates.

- If the first argument `type` is `"default"` or undefined,
  it returns the CA certificates that will be used by Node.js
  TLS clients by default, which includes the Mozilla CA
  if --use-bundled-ca is enabled or --use-openssl-ca is not
  enabled, and the system certificates if --use-system-ca
  is enabled, and the extra certificates if NODE_EXTRA_CA_CERTS
  is used.
- If `type` is `"system"` this returns the system certificates,
  regardless of whether --use-system-ca is enabeld or not.
- If `type` is `"bundled"` this is the same as `tls.rootCertificates`
  and returns the Mozilla CA certificates.
- If `type` is `"extra"` this returns the certificates parsed
  from the path specified by NODE_EXTRA_CA_CERTS.

Drive-by: remove the inaccurate description in `tls.rootCertificates`
about including system certificates, since it in fact does not include
them, and also it is contradicting the previous description about
`tls.rootCertificates` always returning the Mozilla CA store and
staying the same across platforms.

PR-URL: #57107
Reviewed-By: James M Snell <jasnell@gmail.com>
@github-actions github-actions bot mentioned this pull request Mar 12, 2025
Merged
nodejs-github-bot added a commit that referenced this pull request Mar 12, 2025
@nodejs-github-bot
2025-03-13, Version 23.10.0 (Current)

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature.
GPG key ID: B5690EEEBB952194
Verified
Learn about vigilant mode
Loading
Loading status checks…
a980eab 
Notable changes:

crypto:
  * update root certificates to NSS 3.108 (Node.js GitHub Bot) #57381
doc:
  * add @geeksilva97 to collaborators (Edy Silva) #57241
src:
  * (SEMVER-MINOR) set default config as node.config.json (Marco Ippolito) #57171
  * (SEMVER-MINOR) create THROW_ERR_OPTIONS_BEFORE_BOOTSTRAPPING (Marco Ippolito) #57016
  * (SEMVER-MINOR) add config file support (Marco Ippolito) #57016
test_runner:
  * (SEMVER-MINOR) change ts default glob (Marco Ippolito) #57359
tls:
  * (SEMVER-MINOR) implement tls.getCACertificates() (Joyee Cheung) #57107
v8:
  * (SEMVER-MINOR) add v8.getCppHeapStatistics() method (Aditi) #57146

PR-URL: #57424
aduh95 pushed a commit that referenced this pull request Mar 13, 2025
@nodejs-github-bot @aduh95
2025-03-13, Version 23.10.0 (Current)

Verified

This commit was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 21D900FFDB233756
Verified
Learn about vigilant mode
Loading
Loading status checks…
7dd084e 
Notable changes:

crypto:
  * update root certificates to NSS 3.108 (Node.js GitHub Bot) #57381
doc:
  * add @geeksilva97 to collaborators (Edy Silva) #57241
src:
  * (SEMVER-MINOR) set default config as node.config.json (Marco Ippolito) #57171
  * (SEMVER-MINOR) create THROW_ERR_OPTIONS_BEFORE_BOOTSTRAPPING (Marco Ippolito) #57016
  * (SEMVER-MINOR) add config file support (Marco Ippolito) #57016
test_runner:
  * (SEMVER-MINOR) change ts default glob (Marco Ippolito) #57359
tls:
  * (SEMVER-MINOR) implement tls.getCACertificates() (Joyee Cheung) #57107
v8:
  * (SEMVER-MINOR) add v8.getCppHeapStatistics() method (Aditi) #57146

PR-URL: #57424
aduh95 pushed a commit that referenced this pull request Mar 13, 2025
@nodejs-github-bot @aduh95
2025-03-13, Version 23.10.0 (Current)

Verified

This commit was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 21D900FFDB233756
Verified
Learn about vigilant mode
Loading
Loading status checks…
39e295d 
Notable changes:

config:
  * (SEMVER-MINOR) add config file support (Marco Ippolito) #57016
  * (SEMVER-MINOR) set default config as `node.config.json` (Marco Ippolito) #57171
crypto:
  * update root certificates to NSS 3.108 (Node.js GitHub Bot) #57381
doc:
  * add geeksilva97 to collaborators (Edy Silva) #57241
src:
  * (SEMVER-MINOR) create `THROW_ERR_OPTIONS_BEFORE_BOOTSTRAPPING` (Marco Ippolito) #57016
test_runner:
  * (SEMVER-MINOR) change ts default glob (Marco Ippolito) #57359
tls:
  * (SEMVER-MINOR) implement `tls.getCACertificates()` (Joyee Cheung) #57107
v8:
  * (SEMVER-MINOR) add `v8.getCppHeapStatistics()` method (Aditi) #57146

PR-URL: #57424
aduh95 pushed a commit that referenced this pull request Mar 13, 2025
@nodejs-github-bot @aduh95
2025-03-13, Version 23.10.0 (Current)

Verified

This commit was signed with the committer’s verified signature.
aduh95 Antoine du Hamel
GPG key ID: 21D900FFDB233756
Verified
Learn about vigilant mode
Loading
Loading status checks…
5d9b63d 
Notable changes:

config:
  * (SEMVER-MINOR) add config file support (Marco Ippolito) #57016
  * (SEMVER-MINOR) set default config as `node.config.json` (Marco Ippolito) #57171
crypto:
  * update root certificates to NSS 3.108 (Node.js GitHub Bot) #57381
doc:
  * add geeksilva97 to collaborators (Edy Silva) #57241
src:
  * (SEMVER-MINOR) create `THROW_ERR_OPTIONS_BEFORE_BOOTSTRAPPING` (Marco Ippolito) #57016
test_runner:
  * (SEMVER-MINOR) change ts default glob (Marco Ippolito) #57359
tls:
  * (SEMVER-MINOR) implement `tls.getCACertificates()` (Joyee Cheung) #57107
v8:
  * (SEMVER-MINOR) add `v8.getCppHeapStatistics()` method (Aditi) #57146

PR-URL: #57424
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Mar 24, 2025
@tmeijn
build(deps): update node to v23.10.0
9e0c93b 
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [node](https://nodejs.org) ([source](https://github.com/nodejs/node)) | minor | `23.9.0` -> `23.10.0` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>nodejs/node (node)</summary>

### [`v23.10.0`](https://github.com/nodejs/node/releases/tag/v23.10.0): 2025-03-13, Version 23.10.0 (Current), @&#8203;aduh95

[Compare Source](nodejs/node@v23.9.0...v23.10.0)

##### Notable Changes

##### Introducing `--experimental-config-file`

With the introduction of test runner, SEA, and other feature that require a lot
of flags, a JSON config flag would improve by a lot the developer experience and
increase adoption.

You can have a `node.config.json` containing:

```json
{
  "$schema": "https://nodejs.org/dist/v23.10.0/docs/node-config-schema.json",
  "nodeOptions": {
    "test-coverage-lines": 80,
    "test-coverage-branches": 60
  }
}
```

You can run your tests without passing the flags defined in the config file.

```bash
node --experimental-default-config-file --test --experimental-test-coverage
```

or

```bash
node --experimental-config-file=node.config.json --test --experimental-test-coverage
```

Node.js will not sanitize or perform validation on the user-provided configuration,
so only ever use trusted configuration files.

Contributed by Marco Ippolito in [#&#8203;57016](nodejs/node#57016)
and [#&#8203;57171](nodejs/node#57171).

##### Other Notable Changes

-   \[[`323e3ac93c`](nodejs/node@323e3ac93c)] - **crypto**: update root certificates to NSS 3.108 (Node.js GitHub Bot) [#&#8203;57381](nodejs/node#57381)
-   \[[`6fd2ec6816`](nodejs/node@6fd2ec6816)] - **doc**: add `@geeksilva97` to collaborators (Edy Silva) [#&#8203;57241](nodejs/node#57241)
-   \[[`d8937f1742`](nodejs/node@d8937f1742)] - **(SEMVER-MINOR)** **src**: create `THROW_ERR_OPTIONS_BEFORE_BOOTSTRAPPING` (Marco Ippolito) [#&#8203;57016](nodejs/node#57016)
-   \[[`5054fc7941`](nodejs/node@5054fc7941)] - **(SEMVER-MINOR)** **test_runner**: change ts default glob (Marco Ippolito) [#&#8203;57359](nodejs/node#57359)
-   \[[`75f11ae1cc`](nodejs/node@75f11ae1cc)] - **(SEMVER-MINOR)** **tls**: implement `tls.getCACertificates()` (Joyee Cheung) [#&#8203;57107](nodejs/node#57107)
-   \[[`a22c21ceb8`](nodejs/node@a22c21ceb8)] - **(SEMVER-MINOR)** **v8**: add `v8.getCppHeapStatistics()` method (Aditi) [#&#8203;57146](nodejs/node#57146)

##### Commits

-   \[[`2daee76b26`](nodejs/node@2daee76b26)] - **assert**: improve myers diff performance (Giovanni Bucci) [#&#8203;57279](nodejs/node#57279)
-   \[[`2fbd3bbea7`](nodejs/node@2fbd3bbea7)] - **build**: fix compatibility with V8's `depot_tools` (Richard Lau) [#&#8203;57330](nodejs/node#57330)
-   \[[`6a2e4c5fc1`](nodejs/node@6a2e4c5fc1)] - **build,win**: disable node pch with ccache (Stefan Stojanovic) [#&#8203;57224](nodejs/node#57224)
-   \[[`323e3ac93c`](nodejs/node@323e3ac93c)] - **crypto**: update root certificates to NSS 3.108 (Node.js GitHub Bot) [#&#8203;57381](nodejs/node#57381)
-   \[[`906f23d0e7`](nodejs/node@906f23d0e7)] - **crypto**: add support for intermediate certs in --use-system-ca (Tim Jacomb) [#&#8203;57164](nodejs/node#57164)
-   \[[`03cd7920c8`](nodejs/node@03cd7920c8)] - **deps**: update simdjson to 3.12.2 (Node.js GitHub Bot) [#&#8203;57084](nodejs/node#57084)
-   \[[`9e1fce9a5c`](nodejs/node@9e1fce9a5c)] - **deps**: update archs files for openssl-3.0.16 (Node.js GitHub Bot) [#&#8203;57335](nodejs/node#57335)
-   \[[`4056c1f83e`](nodejs/node@4056c1f83e)] - **deps**: upgrade openssl sources to quictls/openssl-3.0.16 (Node.js GitHub Bot) [#&#8203;57335](nodejs/node#57335)
-   \[[`b402799070`](nodejs/node@b402799070)] - **deps**: update corepack to 0.32.0 (Node.js GitHub Bot) [#&#8203;57265](nodejs/node#57265)
-   \[[`ce1cfff79a`](nodejs/node@ce1cfff79a)] - **deps**: update amaro to 0.4.1 (marco-ippolito) [#&#8203;57121](nodejs/node#57121)
-   \[[`0ac977d679`](nodejs/node@0ac977d679)] - **deps**: update gyp file for ngtcp2 1.11.0 (Richard Lau) [#&#8203;57225](nodejs/node#57225)
-   \[[`f34d78df1f`](nodejs/node@f34d78df1f)] - **deps**: update ada to 3.1.3 (Node.js GitHub Bot) [#&#8203;57222](nodejs/node#57222)
-   \[[`4fe9916701`](nodejs/node@4fe9916701)] - **dns**: remove redundant code using common variable (Deokjin Kim) [#&#8203;57386](nodejs/node#57386)
-   \[[`1c271b162b`](nodejs/node@1c271b162b)] - **doc**: make first parameter optional in `util.getCallSites` (Deokjin Kim) [#&#8203;57387](nodejs/node#57387)
-   \[[`77668fffec`](nodejs/node@77668fffec)] - **doc**: fix usage of module.registerSync in comment (Timo Kössler) [#&#8203;57328](nodejs/node#57328)
-   \[[`9b4f7aac69`](nodejs/node@9b4f7aac69)] - **doc**: add Darshan back as voting TSC member (Michael Dawson) [#&#8203;57402](nodejs/node#57402)
-   \[[`d44ccb319c`](nodejs/node@d44ccb319c)] - **doc**: revise webcrypto.md types, interfaces, and added versions (Filip Skokan) [#&#8203;57376](nodejs/node#57376)
-   \[[`f4de7cef01`](nodejs/node@f4de7cef01)] - **doc**: add info on how project manages social media (Michael Dawson) [#&#8203;57318](nodejs/node#57318)
-   \[[`792ef16921`](nodejs/node@792ef16921)] - **doc**: revise `tsconfig.json` note (Steven) [#&#8203;57353](nodejs/node#57353)
-   \[[`4e438c3fa3`](nodejs/node@4e438c3fa3)] - **doc**: use more clear name in getSystemErrorMessage's example (ikuma-t) [#&#8203;57310](nodejs/node#57310)
-   \[[`5c9f1a40e4`](nodejs/node@5c9f1a40e4)] - **doc**: recommend setting `noEmit: true` in `tsconfig.json` (Steven) [#&#8203;57320](nodejs/node#57320)
-   \[[`e178acf9d8`](nodejs/node@e178acf9d8)] - **doc**: ping nodejs/tsc for each security pull request (Rafael Gonzaga) [#&#8203;57309](nodejs/node#57309)
-   \[[`fbe464e28c`](nodejs/node@fbe464e28c)] - **doc**: fix Windows ccache section position (Stefan Stojanovic) [#&#8203;57326](nodejs/node#57326)
-   \[[`3fe8eac0ba`](nodejs/node@3fe8eac0ba)] - **doc**: update node-api version matrix (Chengzhong Wu) [#&#8203;57287](nodejs/node#57287)
-   \[[`d2f49e7fcf`](nodejs/node@d2f49e7fcf)] - **doc**: recommend `erasableSyntaxOnly` in ts docs (Rob Palmer) [#&#8203;57271](nodejs/node#57271)
-   \[[`03844d99f8`](nodejs/node@03844d99f8)] - **doc**: clarify `path.isAbsolute` is not path traversal mitigation (Eric Fortis) [#&#8203;57073](nodejs/node#57073)
-   \[[`0f8cd32986`](nodejs/node@0f8cd32986)] - **doc**: fix rendering of DEP0174 description (David Sanders) [#&#8203;56835](nodejs/node#56835)
-   \[[`f95ecca71f`](nodejs/node@f95ecca71f)] - **doc**: add 1ilsang to triage team (1ilsang) [#&#8203;57183](nodejs/node#57183)
-   \[[`6fd2ec6816`](nodejs/node@6fd2ec6816)] - **doc**: add [@&#8203;geeksilva97](https://github.com/geeksilva97) to collaborators (Edy Silva) [#&#8203;57241](nodejs/node#57241)
-   \[[`b74e0ff7d7`](nodejs/node@b74e0ff7d7)] - **doc**: add missing assert return types (Colin Ihrig) [#&#8203;57219](nodejs/node#57219)
-   \[[`83eed33562`](nodejs/node@83eed33562)] - **doc**: add streamResetBurst and streamResetRate (Sujal Raj) [#&#8203;57195](nodejs/node#57195)
-   \[[`7f48811295`](nodejs/node@7f48811295)] - **doc**: add esm examples to node:util (Alfredo González) [#&#8203;56793](nodejs/node#56793)
-   \[[`5c20dcc166`](nodejs/node@5c20dcc166)] - **esm**: fix module.exports export on CJS modules (Guy Bedford) [#&#8203;57366](nodejs/node#57366)
-   \[[`041a217a4d`](nodejs/node@041a217a4d)] - **fs**: fix rmSync error code (Paul Schwabauer) [#&#8203;57103](nodejs/node#57103)
-   \[[`cea50b7f39`](nodejs/node@cea50b7f39)] - **lib**: optimize priority queue (Gürgün Dayıoğlu) [#&#8203;57100](nodejs/node#57100)
-   \[[`5204d495ae`](nodejs/node@5204d495ae)] - **meta**: bump codecov/codecov-action from 5.3.1 to 5.4.0 (dependabot\[bot]) [#&#8203;57257](nodejs/node#57257)
-   \[[`89599be988`](nodejs/node@89599be988)] - **meta**: bump github/codeql-action from 3.28.8 to 3.28.10 (dependabot\[bot]) [#&#8203;57254](nodejs/node#57254)
-   \[[`66cd3850bc`](nodejs/node@66cd3850bc)] - **meta**: bump ossf/scorecard-action from 2.4.0 to 2.4.1 (dependabot\[bot]) [#&#8203;57253](nodejs/node#57253)
-   \[[`6c22e446bc`](nodejs/node@6c22e446bc)] - **meta**: set nodejs/config as codeowner (Marco Ippolito) [#&#8203;57237](nodejs/node#57237)
-   \[[`ee5ce5ccde`](nodejs/node@ee5ce5ccde)] - **meta**: move RaisinTen back to collaborators, triagers and SEA champion (Darshan Sen) [#&#8203;57292](nodejs/node#57292)
-   \[[`0b0c9cc0f5`](nodejs/node@0b0c9cc0f5)] - **meta**: bump actions/download-artifact from 4.1.8 to 4.1.9 (dependabot\[bot]) [#&#8203;57260](nodejs/node#57260)
-   \[[`e6a98af8bd`](nodejs/node@e6a98af8bd)] - **meta**: bump peter-evans/create-pull-request from 7.0.6 to 7.0.7 (dependabot\[bot]) [#&#8203;57259](nodejs/node#57259)
-   \[[`91394aaf3d`](nodejs/node@91394aaf3d)] - **meta**: bump step-security/harden-runner from 2.10.4 to 2.11.0 (dependabot\[bot]) [#&#8203;57258](nodejs/node#57258)
-   \[[`63dbbe7c91`](nodejs/node@63dbbe7c91)] - **meta**: bump actions/cache from 4.2.0 to 4.2.2 (dependabot\[bot]) [#&#8203;57256](nodejs/node#57256)
-   \[[`d5ccf174ad`](nodejs/node@d5ccf174ad)] - **meta**: bump actions/upload-artifact from 4.6.0 to 4.6.1 (dependabot\[bot]) [#&#8203;57255](nodejs/node#57255)
-   \[[`46b06be9a3`](nodejs/node@46b06be9a3)] - **module**: handle cached linked async jobs in require(esm) (Joyee Cheung) [#&#8203;57187](nodejs/node#57187)
-   \[[`718305db6f`](nodejs/node@718305db6f)] - **module**: add dynamic file-specific ESM warnings (Mert Can Altin) [#&#8203;56628](nodejs/node#56628)
-   \[[`4762f4ada5`](nodejs/node@4762f4ada5)] - **net**: validate non-string host for socket.connect (Daeyeon Jeong) [#&#8203;57198](nodejs/node#57198)
-   \[[`d07bd79ac5`](nodejs/node@d07bd79ac5)] - **net**: replace brand checks with identity checks (Yagiz Nizipli) [#&#8203;57341](nodejs/node#57341)
-   \[[`a757f00747`](nodejs/node@a757f00747)] - **net**: emit an error when custom lookup resolves to a non-string address (Edy Silva) [#&#8203;57192](nodejs/node#57192)
-   \[[`984f7ef5bd`](nodejs/node@984f7ef5bd)] - **readline**: add support for `Symbol.dispose` (Antoine du Hamel) [#&#8203;57276](nodejs/node#57276)
-   \[[`21b6423b9b`](nodejs/node@21b6423b9b)] - **sqlite**: reset statement immediately in run() (Colin Ihrig) [#&#8203;57350](nodejs/node#57350)
-   \[[`e80bbb7355`](nodejs/node@e80bbb7355)] - **sqlite,test,doc**: allow Buffer and URL as database location (Edy Silva) [#&#8203;56991](nodejs/node#56991)
-   \[[`3dc3207298`](nodejs/node@3dc3207298)] - **src**: do not pass nullptr to std::string ctor (Charles Kerr) [#&#8203;57354](nodejs/node#57354)
-   \[[`5e51c62569`](nodejs/node@5e51c62569)] - **src**: fix process exit listeners not receiving unsettled tla codes (Dario Piotrowicz) [#&#8203;56872](nodejs/node#56872)
-   \[[`bf788d9d86`](nodejs/node@bf788d9d86)] - **src**: refactor SubtleCrypto algorithm and length validations (Filip Skokan) [#&#8203;57319](nodejs/node#57319)
-   \[[`37664e8485`](nodejs/node@37664e8485)] - **src**: fix node_config_file.h compilation error in GN build (Cheng) [#&#8203;57210](nodejs/node#57210)
-   \[[`274c18a365`](nodejs/node@274c18a365)] - **(SEMVER-MINOR)** **src**: set default config as node.config.json (Marco Ippolito) [#&#8203;57171](nodejs/node#57171)
-   \[[`433657de8c`](nodejs/node@433657de8c)] - **src**: namespace config file flags (Marco Ippolito) [#&#8203;57170](nodejs/node#57170)
-   \[[`d8937f1742`](nodejs/node@d8937f1742)] - **(SEMVER-MINOR)** **src**: create THROW_ERR_OPTIONS_BEFORE_BOOTSTRAPPING (Marco Ippolito) [#&#8203;57016](nodejs/node#57016)
-   \[[`9fd217daa9`](nodejs/node@9fd217daa9)] - **(SEMVER-MINOR)** **src**: add config file support (Marco Ippolito) [#&#8203;57016](nodejs/node#57016)
-   \[[`b17163b130`](nodejs/node@b17163b130)] - **src**: allow embedder customization of OOMErrorHandler (Shelley Vohr) [#&#8203;57325](nodejs/node#57325)
-   \[[`6f1c622466`](nodejs/node@6f1c622466)] - **src**: use Maybe\<void> in ProcessEmitWarningSync (Daeyeon Jeong) [#&#8203;57250](nodejs/node#57250)
-   \[[`4d86a42aa4`](nodejs/node@4d86a42aa4)] - **src**: remove redundant qualifiers in src/quic (Yagiz Nizipli) [#&#8203;56967](nodejs/node#56967)
-   \[[`41ea5a2864`](nodejs/node@41ea5a2864)] - **src**: make even more improvements to error handling (James M Snell) [#&#8203;57264](nodejs/node#57264)
-   \[[`7a554d9bf3`](nodejs/node@7a554d9bf3)] - **src**: use cached `emit` v8::String (Daeyeon Jeong) [#&#8203;57249](nodejs/node#57249)
-   \[[`b10ac9a958`](nodejs/node@b10ac9a958)] - **src**: refactor SubtleCrypto algorithm and length validations (Filip Skokan) [#&#8203;57273](nodejs/node#57273)
-   \[[`90cd780ca6`](nodejs/node@90cd780ca6)] - **src**: make more error handling improvements (James M Snell) [#&#8203;57262](nodejs/node#57262)
-   \[[`17c9e76722`](nodejs/node@17c9e76722)] - **src**: fix typo in comment (Antoine du Hamel) [#&#8203;57291](nodejs/node#57291)
-   \[[`35c283a3f3`](nodejs/node@35c283a3f3)] - **src**: reduce string allocations on sqlite (Yagiz Nizipli) [#&#8203;57227](nodejs/node#57227)
-   \[[`185d1ffe93`](nodejs/node@185d1ffe93)] - **src**: improve error handling in `node_messaging.cc` (James M Snell) [#&#8203;57211](nodejs/node#57211)
-   \[[`96b2bfb88c`](nodejs/node@96b2bfb88c)] - **src**: improve error handling in `tty_wrap.cc` (James M Snell) [#&#8203;57211](nodejs/node#57211)
-   \[[`f845ad953e`](nodejs/node@f845ad953e)] - **src**: improve error handling in `tcp_wrap.cc` (James M Snell) [#&#8203;57211](nodejs/node#57211)
-   \[[`350f62de6c`](nodejs/node@350f62de6c)] - **src**: fix ThrowInvalidURL call in PathToFileURL (Daniel M Brasil) [#&#8203;57141](nodejs/node#57141)
-   \[[`936a9997b2`](nodejs/node@936a9997b2)] - **src**: improve error handling in buffer and dotenv (James M Snell) [#&#8203;57189](nodejs/node#57189)
-   \[[`975e2a5c1d`](nodejs/node@975e2a5c1d)] - **src**: improve error handling in module_wrap (James M Snell) [#&#8203;57188](nodejs/node#57188)
-   \[[`3d103ecfbe`](nodejs/node@3d103ecfbe)] - **src**: improve error handling in spawn_sync (James M Snell) [#&#8203;57185](nodejs/node#57185)
-   \[[`98d328a1d6`](nodejs/node@98d328a1d6)] - **src**: detect whether the string is one byte representation or not (theweipeng) [#&#8203;56147](nodejs/node#56147)
-   \[[`15d7908656`](nodejs/node@15d7908656)] - **stream**: fix sizeAlgorithm validation in WritableStream (Daeyeon Jeong) [#&#8203;57280](nodejs/node#57280)
-   \[[`b866755299`](nodejs/node@b866755299)] - **test**: test runner run plan (Pietro Marchini) [#&#8203;57304](nodejs/node#57304)
-   \[[`e05e0e5772`](nodejs/node@e05e0e5772)] - **test**: update WPT for urlpattern to [`3b6b198`](nodejs/node@3b6b19853a) (Node.js GitHub Bot) [#&#8203;57377](nodejs/node#57377)
-   \[[`36542b5611`](nodejs/node@36542b5611)] - **test**: update WPT for WebCryptoAPI to [`edd42c0`](nodejs/node@edd42c005c) (Node.js GitHub Bot) [#&#8203;57365](nodejs/node#57365)
-   \[[`28792ee59a`](nodejs/node@28792ee59a)] - **test**: skip `test-config-json-schema` with quic (Richard Lau) [#&#8203;57225](nodejs/node#57225)
-   \[[`5a21fa4573`](nodejs/node@5a21fa4573)] - **test**: add more coverage to node_config_file (Marco Ippolito) [#&#8203;57170](nodejs/node#57170)
-   \[[`99b2369142`](nodejs/node@99b2369142)] - **test**: simplify test-tls-connect-abort-controller.js (Yagiz Nizipli) [#&#8203;57338](nodejs/node#57338)
-   \[[`4af2f7f9a8`](nodejs/node@4af2f7f9a8)] - **test**: use `assert.match` in `test-esm-import-meta` (Antoine du Hamel) [#&#8203;57290](nodejs/node#57290)
-   \[[`99abfb6172`](nodejs/node@99abfb6172)] - **test**: update compression wpt (Yagiz Nizipli) [#&#8203;56960](nodejs/node#56960)
-   \[[`f8dde3a391`](nodejs/node@f8dde3a391)] - **test**: skip uv-thread-name on IBM i (Abdirahim Musse) [#&#8203;57299](nodejs/node#57299)
-   \[[`3bf546c317`](nodejs/node@3bf546c317)] - ***Revert*** "**test**: temporary remove resource check from fs read-write" (Rafael Gonzaga) [#&#8203;56906](nodejs/node#56906)
-   \[[`8d0f1a7dbf`](nodejs/node@8d0f1a7dbf)] - **test**: module syntax should throw (Marco Ippolito) [#&#8203;57121](nodejs/node#57121)
-   \[[`0fd3d91e3a`](nodejs/node@0fd3d91e3a)] - **test**: more common.mustNotCall in net, tls (Meghan Denny) [#&#8203;57246](nodejs/node#57246)
-   \[[`f803d6ca29`](nodejs/node@f803d6ca29)] - **test**: swap assert.strictEqual() parameters (Luigi Pinca) [#&#8203;57217](nodejs/node#57217)
-   \[[`eb3576fde0`](nodejs/node@eb3576fde0)] - **test**: assert write return values in buffer-bigint64 (Meghan Denny) [#&#8203;57212](nodejs/node#57212)
-   \[[`a08981025a`](nodejs/node@a08981025a)] - **test**: allow embedder running async context frame test (Shelley Vohr) [#&#8203;57193](nodejs/node#57193)
-   \[[`20c032ed98`](nodejs/node@20c032ed98)] - **test**: resolve race condition in test-net-write-fully-async-\* (Matteo Collina) [#&#8203;57022](nodejs/node#57022)
-   \[[`5054fc7941`](nodejs/node@5054fc7941)] - **(SEMVER-MINOR)** **test_runner**: change ts default glob (Marco Ippolito) [#&#8203;57359](nodejs/node#57359)
-   \[[`0ad450f295`](nodejs/node@0ad450f295)] - **timers**: simplify the compareTimersLists function (Gürgün Dayıoğlu) [#&#8203;57110](nodejs/node#57110)
-   \[[`75f11ae1cc`](nodejs/node@75f11ae1cc)] - **(SEMVER-MINOR)** **tls**: implement tls.getCACertificates() (Joyee Cheung) [#&#8203;57107](nodejs/node#57107)
-   \[[`2b2267f203`](nodejs/node@2b2267f203)] - **tools**: add config subspace (Marco Ippolito) [#&#8203;57239](nodejs/node#57239)
-   \[[`8e64d38e91`](nodejs/node@8e64d38e91)] - **tools**: import rather than require ESLint plugins (Michaël Zasso) [#&#8203;57315](nodejs/node#57315)
-   \[[`2569e56b95`](nodejs/node@2569e56b95)] - **tools**: switch back to official OpenSSL (Richard Lau) [#&#8203;57301](nodejs/node#57301)
-   \[[`fd49144378`](nodejs/node@fd49144378)] - **tools**: extract target abseil to abseil.gyp (Chengzhong Wu) [#&#8203;57289](nodejs/node#57289)
-   \[[`77e1a85d24`](nodejs/node@77e1a85d24)] - **tools**: revert to use [@&#8203;stylistic/eslint-plugin-js](https://github.com/stylistic/eslint-plugin-js) v3 (Joyee Cheung) [#&#8203;57314](nodejs/node#57314)
-   \[[`2fa6e65262`](nodejs/node@2fa6e65262)] - **tools**: add more details about rolling inspector_protocol (Chengzhong Wu) [#&#8203;57167](nodejs/node#57167)
-   \[[`5788574cdf`](nodejs/node@5788574cdf)] - **tools**: bump the eslint group in /tools/eslint with 5 updates (dependabot\[bot]) [#&#8203;57261](nodejs/node#57261)
-   \[[`5955acadba`](nodejs/node@5955acadba)] - **tools**: remove deps/zlib/GN-scraper.py (Chengzhong Wu) [#&#8203;57238](nodejs/node#57238)
-   \[[`a22c21ceb8`](nodejs/node@a22c21ceb8)] - **(SEMVER-MINOR)** **v8**: add v8.getCppHeapStatistics() method (Aditi) [#&#8203;57146](nodejs/node#57146)
-   \[[`17d4074114`](nodejs/node@17d4074114)] - **win,build**: add option to enable Control Flow Guard (Hüseyin Açacak) [#&#8203;56605](nodejs/node#56605)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this MR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box

---

This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yMDAuMiIsInVwZGF0ZWRJblZlciI6IjM5LjIwMC4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJSZW5vdmF0ZSBCb3QiXX0=-->
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jasnell jasnell

Assignees
No one assigned
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. commit-queue-squash Add this label to instruct the Commit Queue to squash all the PR commits into the first one. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. semver-minor PRs that contain new features and should be released in the next minor version. tls Issues and PRs related to the tls subsystem.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@joyeecheung @nodejs-github-bot @jasnell