Update Node.js to v24

[KubeArchitectBot]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
node	final	major	23 -> 24

---

Release Notes

nodejs/node (node)

v24.11.1: 2025-11-11, Version 24.11.1 'Krypton' (LTS), @​aduh95

Compare Source

Notable Changes

The known issue relating to Buffer.allocUnsafe incorrectly zero-filling buffers
has now been addressed and now returns uninitialized memory as documented in the
Buffer.allocUnsafe
documentation.

Commits

• [0a15ccf3f4] - benchmark: improve cpu.sh for safety and usability (Nam Yooseong) #​60162
• [a1c7d1dac9] - benchmark: add benchmark for leaf source text modules (Joyee Cheung) #​60205
• [99e2acf46b] - benchmark: add vm.SourceTextModule benchmark (Joyee Cheung) #​59396
• [c01c72b407] - benchmark: use non-deprecated WriteUtf8V2 method (Michaël Zasso) #​60173
• [a42dbd138e] - build: ibmi follow aix visibility (SRAVANI GUNDEPALLI) #​60360
• [5673a54a5d] - build: use call command when calling python configure (Jacob Nichols) #​60098
• [c67cb727cb] - build: build v8 with -fvisibility=hidden -fvisibility-inlines-hidden (Joyee Cheung) #​56290
• [b03f7b93b1] - build: remove V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE defs (Joyee Cheung) #​60296
• [2505568531] - build, src: fix include paths for vtune files (Rahul) #​59999
• [95330b036f] - crypto: update root certificates to NSS 3.116 (Node.js GitHub Bot) #​59956
• [c221d892ef] - deps: update corepack to 0.34.2 (Node.js GitHub Bot) #​60550
• [bc00aa4c77] - deps: update simdjson to 4.0.7 (Node.js GitHub Bot) #​59883
• [d03b89ec53] - deps: update corepack to 0.34.1 (Node.js GitHub Bot) #​60314
• [b7882090de] - deps: update inspector_protocol to af7f5a8 (Node.js GitHub Bot) #​60312
• [7007f9dd65] - deps: update googletest to 279f847 (Node.js GitHub Bot) #​60219
• [a56aa9ffa8] - deps: upgrade npm to 11.6.2 (npm team) #​60168
• [0bf8952721] - doc: mention more codemods in deprecations.md (Augustin Mauroy) #​60243
• [2473ca77f6] - doc: add missing CAA type to dns.resolveAny() & dnsPromises.resolveAny() (Jimmy Leung) #​58899
• [39ddd8522e] - doc: use any for worker_threads.Worker 'error' event argument err (Jonas Geiler) #​60300
• [eaa825fd97] - doc: update decorator documentation to reflect actual policy (Muhammad Salman Aziz) #​60288
• [a744e42282] - doc: document wildcard supported by tools/test.py (Joyee Cheung) #​60265
• [ec0d5beb09] - doc: add --heap-snapshot-on-oom to useful v8 flag (jakecastelli) #​60260
• [13da0df12a] - doc: fix blob.bytes() heading level (XTY) #​60252
• [8e771632b7] - doc: fix not working code example in vm docs (Artur Gawlik) #​60224
• [70c2080bff] - doc: improve code snippet alternative of url.parse() using WHATWG URL (Steven) #​60209
• [beadcf176e] - doc: createSQLTagStore -> createTagStore (Aviv Keller) #​60182
• [b0da3b9c6a] - doc: use markdown when branch-diff major release (Rafael Gonzaga) #​60179
• [688115aa6b] - doc: update teams in collaborator-guide.md and add links (Bart Louwers) #​60065
• [923082a064] - doc: disambiguate top-level worker_threads module exports (René) #​59890
• [7be4330870] - doc: add known issue to v24.11.0 release notes (Richard Lau) #​60467
• [4d8f62aeaf] - doc, module: change async customization hooks to experimental (Gerhard Stöbich) #​60302
• [d86a118bbd] - http: lazy allocate cookies array (Robert Nagy) #​59734
• [8c256d4139] - http: fix http client leaky with double response (theanarkh) #​60062
• [265e9d59fa] - http2: rename variable to additionalPseudoHeaders (Tobias Nießen) #​60208
• [65bec037e2] - http2: do not crash on mismatched ping buffer length (René) #​60135
• [9b83ef53b7] - inspector: add network payload buffer size limits (Chengzhong Wu) #​60236
• [03ac05c458] - inspector: support handshake response for websocket inspection (Shima Ryuhei) #​60225
• [aa04f06190] - lib: fix typo in createBlobReaderStream (SeokHun) #​60132
• [5aea1a429e] - lib: fix constructor in _errnoException stack tree (SeokHun) #​60156
• [4f7745acc7] - lib: fix typo in QuicSessionStats (SeokHun) #​60155
• [f8725861ea] - lib: remove redundant destroyHook checks (Gürgün Dayıoğlu) #​60120
• [696c20bf3f] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​60325
• [90434ff99a] - meta: loop userland-migrations in deprecations (Chengzhong Wu) #​60299
• [ffbc0ae60a] - module: refactor and clarify async loader hook customizations (Joyee Cheung) #​60278
• [6ed6062f7d] - module: handle null source from async loader hooks in sync hooks (Joyee Cheung) #​59929
• [a2871baed2] - msi: fix WiX warnings (Stefan Stojanovic) #​60251
• [6199541d67] - src: fix timing of snapshot serialize callback (Joyee Cheung) #​60434
• [13b687959a] - src: add COUNT_GENERIC_USAGE utility for tests (Joyee Cheung) #​60434
• [a587623b4f] - src: conditionally disable source phase imports by default (Shelley Vohr) #​60364
• [e483267995] - src: use cached primordials_string (Sohyeon Kim) #​60255
• [4c9a64fbaf] - src: replace Environment::GetCurrent with args.GetIsolate (Sohyeon Kim) #​60256
• [eb8a0493d1] - src: initial enablement of IsolateGroups (James M Snell) #​60254
• [463c6450cf] - src: use Utf8Value and TwoByteValue instead of V8 helpers (Anna Henningsen) #​60244
• [b370e02789] - src: add a default branch for module phase (Chengzhong Wu) #​60261
• [4e1c5c5601] - src: make additional cleanups in node locks impl (James M Snell) #​60061
• [f00d4c10fc] - src: update locks to use DictionaryTemplate (James M Snell) #​60061
• [1c8716e97c] - test: increase debugger waitFor timeout on macOS (Chengzhong Wu) #​60367
• [17b4f38e9c] - test: put helper in test-runner-output into common (Joyee Cheung) #​60330
• [43b9ea8389] - test: fix small compile warning in test_network_requests_buffer.cc (xiaocainiao633) #​60281
• [38a62980ad] - test: split test-runner-watch-mode-kill-signal (Joyee Cheung) #​60298
• [34e4c8c84f] - test: fix incorrect calculation in test-perf-hooks.js (Joyee Cheung) #​60271
• [4481feb17b] - test: parallelize test-without-async-context-frame correctly (Joyee Cheung) #​60273
• [91ea9b06e0] - test: skip sea tests on x64 macOS (Joyee Cheung) #​60250
• [cedba09e60] - test: move sea tests into test/sea (Joyee Cheung) #​60250
• [635af55e12] - Revert "test: ensure message event fires in worker message port test" (Luigi Pinca) #​60126
• [68f678028e] - test: skip tests that cause timeouts on IBM i (SRAVANI GUNDEPALLI) #​60148
• [cc3a70598c] - test: deflake test-fs-promises-watch-iterator (Luigi Pinca) #​60060
• [3d784dd766] - test: prepare junit file attribute normalization (sangwook) #​59432
• [84974d97ad] - test: skip failing test on macOS 15.7+ (Antoine du Hamel) #​60419
• [fabf8e4975] - test,crypto: fix conditional SHA3-* skip on BoringSSL (Filip Skokan) #​60379
• [8faa494bf2] - test,crypto: sha3 algorithms aren't supported with BoringSSL (Shelley Vohr) #​60374
• [538a00c0f6] - test,doc: skip --max-old-space-size-percentage on 32-bit platforms (Asaf Federman) #​60144
• [9ac5dbb694] - test_runner: use module.registerHooks in module mocks (Joyee Cheung) #​60326
• [f6ff6e7166] - test_runner: fix suite timeout (Moshe Atlow) #​59853
• [455bfeb52d] - test_runner: add junit file attribute support (sangwook) #​59432
• [223c5e105d] - tools: update gyp-next to 0.20.5 (Node.js GitHub Bot) #​60313
• [2949408fc1] - tools: limit inspector protocol PR title length (Chengzhong Wu) #​60324
• [b36a898650] - tools: fix inspector_protocol updater (Chengzhong Wu) #​60277
• [d60f002b62] - tools: optimize wildcard execution in tools/test.py (Joyee Cheung) #​60266
• [9d4e422419] - tools: add inspector_protocol updater (Chengzhong Wu) #​60245
• [2f93a9894f] - tools: use cooldown property correctly (Rafael Gonzaga) #​60134
• [9468ade95d] - typings: add missing properties and method in Worker (Woohyun Sung) #​60257
• [f611ec0a9e] - typings: add missing properties in HTTPParser (Woohyun Sung) #​60257
• [301c1347a1] - typings: delete undefined property in ConfigBinding (Woohyun Sung) #​60257
• [80fdb3d39b] - typings: add buffer internalBinding typing (방진혁) #​60163
• [8cb3b77039] - util: use more defensive code when inspecting error objects (Antoine du Hamel) #​60139
• [748d4f6430] - util: mark special properties when inspecting them (Ruben Bridgewater) #​60131
• [6183a759d7] - vm: make vm.Module.evaluate() conditionally synchronous (Joyee Cheung) #​60205
• [4b8506628f] - win: upgrade Visual Studio workload from 2019 to 2022 (Jiawen Geng) #​60318

v24.11.0: 2025-10-28, Version 24.11.0 'Krypton' (LTS), @​richardlau

Compare Source

Notable Changes

This release marks the transition of Node.js 24.x into Long Term Support (LTS)
with the codename 'Krypton'. It will continue to receive updates through to
the end of April 2028.

Other than updating metadata, such as the process.release object, to reflect
that the release is LTS, no further changes from Node.js 24.10.0 are included.

Known issue

An issue has been identified in the Node.js 24.x line with Buffer.allocUnsafe
unintentionally returning zero-filled buffers. This API is
documented to return uninitialized memory.
The documented behavior will be restored in the next Node.js 24.x LTS release to bring
it back in line with previous releases. For more information, see
#​60423.

v24.10.0: 2025-10-08, Version 24.10.0 (Current), @​RafaelGSS

Compare Source

Notable Changes

• [31bb476895] - (SEMVER-MINOR) console: allow per-stream inspectOptions option (Anna Henningsen) #​60082
• [3b92be2fb8] - (SEMVER-MINOR) lib: remove util.getCallSite (Rafael Gonzaga) #​59980
• [18c79d9e1c] - (SEMVER-MINOR) sqlite: create authorization api (Guilherme Araújo) #​59928

Commits

• [e8cff3d51e] - benchmark: remove unused variable from util/priority-queue (Bruno Rodrigues) #​59872
• [03294252ab] - benchmark: update count to n in permission startup (Bruno Rodrigues) #​59872
• [3c8a609d9b] - benchmark: update num to n in dgram offset-length (Bruno Rodrigues) #​59872
• [7b2032b13e] - benchmark: adjust dgram offset-length len values (Bruno Rodrigues) #​59708
• [552d887aee] - benchmark: update num to n in dgram offset-length (Bruno Rodrigues) #​59708
• [31bb476895] - (SEMVER-MINOR) console: allow per-stream inspectOptions option (Anna Henningsen) #​60082
• [0bf022d4c0] - console,util: improve array inspection performance (Ruben Bridgewater) #​60037
• [04d568e591] - deps: V8: cherry-pick f93055f (Olivier Flückiger) #​60105
• [621058b3bf] - deps: update archs files for openssl-3.5.4 (Node.js GitHub Bot) #​60101
• [81b3009fe6] - deps: upgrade openssl sources to openssl-3.5.4 (Node.js GitHub Bot) #​60101
• [dc44c9f349] - deps: upgrade npm to 11.6.1 (npm team) #​60012
• [ec0f137198] - deps: update ada to 3.3.0 (Node.js GitHub Bot) #​60045
• [f490f91874] - deps: update amaro to 1.1.4 (pmarchini) #​60044
• [de7a7cd0d7] - deps: update ada to 3.2.9 (Node.js GitHub Bot) #​59987
• [a533e5b5db] - doc: add automated migration info to deprecations (Augustin Mauroy) #​60022
• [7fb8fe4875] - doc: fix typo on child_process.md (Angelo Gazzola) #​60114
• [24c1ef9846] - doc: remove optional title prefixes (Aviv Keller) #​60087
• [08b9eb8e19] - doc: mark .env files support as stable (Santeri Hiltunen) #​59925
• [66d90b8063] - doc: mention reverse proxy and include simple example (Steven) #​59736
• [14aa1119cb] - doc: provide alternative to url.parse() using WHATWG URL (Steven) #​59736
• [f9412324f6] - doc: fix typo of built-in module specifier in worker_threads (Deokjin Kim) #​59992
• [64e738a342] - doc,crypto: reorder ML-KEM in the asymmetric key types table (Filip Skokan) #​60067
• [1b25008b41] - http: improve writeEarlyHints by avoiding for-of loop (Haram Jeong) #​59958
• [35f9b6b28f] - inspector: improve batch diagnostic channel subscriptions (Chengzhong Wu) #​60009
• [3b92be2fb8] - (SEMVER-MINOR) lib: remove util.getCallSite (Rafael Gonzaga) #​59980
• [c495e1fe57] - lib: optimize priority queue (Gürgün Dayıoğlu) #​60039
• [6be31fb9f3] - lib: implement passive listener behavior per spec (BCD1me) #​59995
• [c5e4aa763b] - meta: bump actions/setup-python from 5.6.0 to 6.0.0 (dependabot[bot]) #​60090
• [50fa1f4a76] - meta: bump ossf/scorecard-action from 2.4.2 to 2.4.3 (dependabot[bot]) #​60096
• [def4ce976c] - meta: bump actions/cache from 4.2.4 to 4.3.0 (dependabot[bot]) #​60095
• [24b5abc0e9] - meta: bump step-security/harden-runner from 2.12.2 to 2.13.1 (dependabot[bot]) #​60094
• [8ccf2b0b34] - meta: bump actions/setup-node from 4.4.0 to 5.0.0 (dependabot[bot]) #​60093
• [78580147ef] - meta: bump actions/stale from 9.1.0 to 10.0.0 (dependabot[bot]) #​60092
• [705686b5c4] - meta: bump codecov/codecov-action from 5.5.0 to 5.5.1 (dependabot[bot]) #​60091
• [423a6bc744] - meta: bump github/codeql-action from 3.30.0 to 3.30.5 (dependabot[bot]) #​60089
• [9d9bd0fb4f] - meta: move Michael to emeritus (Michael Dawson) #​60070
• [dbeee55824] - module: use sync cjs when importing cts (Marco Ippolito) #​60072
• [a722f677ac] - perf_hooks: fix histogram fast call signatures (Renegade334) #​59600
• [b3295b8353] - process: fix wrong asyncContext under unhandled-rejections=strict (Shima Ryuhei) #​60103
• [cff4a7608a] - process: fix default env for process.execve (Richard Lau) #​60029
• [cd034e927f] - process: fix hrtime fast call signatures (Renegade334) #​59600
• [18c79d9e1c] - (SEMVER-MINOR) sqlite: create authorization api (Guilherme Araújo) #​59928
• [d949222043] - sqlite: replace ToLocalChecked and improve filter error handling (Edy Silva) #​60028
• [6417dc879e] - src: bring permissions macros in line with general C/C++ standards (Anna Henningsen) #​60053
• [e273c2020c] - src: update contextify to use DictionaryTemplate (James M Snell) #​60059
• [5f9ff60664] - src: remove AnalyzeTemporaryDtors option from .clang-tidy (iknoom) #​60008
• [9db54adccc] - src: update cares_wrap to use DictionaryTemplates (James M Snell) #​60033
• [fc0ceb7b82] - src: correct the error handling in StatementExecutionHelper (James M Snell) #​60040
• [3e8fdc1d8d] - src: remove unused variables from report (Moonki Choi) #​60047
• [d744324d8e] - src: avoid unnecessary string allocations in SPrintF impl (Anna Henningsen) #​60052
• [de65a5c719] - src: make ToLower/ToUpper input args more flexible (Anna Henningsen) #​60052
• [354026df5a] - src: allow std::string_view arguments to SPrintF() and friends (Anna Henningsen) #​60058
• [42f7d7cb20] - src: remove unnecessary std::string error messages (Anna Henningsen) #​60057
• [30c2c0fedd] - src: remove unnecessary shadowed functions on Utf8Value & BufferValue (Anna Henningsen) #​60056
• [eb99eec09b] - src: avoid unnecessary string -> char* -> string round trips (Anna Henningsen) #​60055
• [c1f1dbdce2] - src: remove useless dereferencing in THROW_... (Anna Henningsen) #​60054
• [ea0f5e575d] - src: fill options_args, options_env after vectors are finalized (iknoom) #​59945
• [415fff217a] - src: use RAII for uv_process_options_t (iknoom) #​59945
• [982b03ecbd] - test: mark test-runner-run-watch flaky on macOS (Richard Lau) #​60115
• [831a0d3d28] - test: ensure that the message event is fired (Luigi Pinca) #​59952
• [5538cfc1e8] - test: replace diagnostics_channel stackframe in output snapshots (Chengzhong Wu) #​60024
• [77ec400d90] - test: mark test-web-locks skip on IBM i (SRAVANI GUNDEPALLI) #​59996
• [1aaadb9e31] - test: ensure message event fires in worker message port test (Jarred Sumner) #​59885
• [1d5cc5e57a] - test: mark sea tests flaky on macOS x64 (Richard Lau) #​60068
• [c412b1855d] - test: expand tls-check-server-identity coverage (Diango Gavidia) #​60002
• [ad87975029] - test: fix typo of test-benchmark-readline.js (Deokjin Kim) #​59993
• [bad4b9b878] - test: add new startNewREPLSever testing utility (Dario Piotrowicz) #​59964
• [ef90b0f456] - test: verify tracing channel doesn't swallow unhandledRejection (Gerhard Stöbich) #​59974
• [d7285459fe] - timers: fix binding fast call signatures (Renegade334) #​59600
• [6529ae9b0c] - tools: add message on auto-fixing js lint issues in gh workflow (Dario Piotrowicz) #​59128
• [1ca116a6ea] - tools: verify signatures when updating nghttp* (Antoine du Hamel) #​60113
• [20d10a2398] - tools: use dependabot cooldown and move tools/doc (Rafael Gonzaga) #​59978
• [275c07064c] - typings: update 'types' binding (René) #​59692
• [8c21c4b286] - wasi: fix WasiFunction fast call signature (Renegade334) #​59600
• [b865074641] - win,tools: add description to signature (Martin Costello) #​59877

v24.9.0: 2025-09-25, Version 24.9.0 (Current), @​targos

Compare Source

Notable Changes

• [9b043a9096] - (SEMVER-MINOR) http: add shouldUpgradeCallback to let servers control HTTP upgrades (Tim Perry) #​59824
• [a6456ab90a] - (SEMVER-MINOR) sqlite: cleanup ERM support and export Session class (James M Snell) #​58378
• [5563361d22] - (SEMVER-MINOR) sqlite: add tagged template (0hm☘️) #​58748
• [04013ee933] - (SEMVER-MINOR) worker: add heap profile API (theanarkh) #​59846

Commits

• [cbec4fd6de] - benchmark: calibrate config dgram multi-buffer (Bruno Rodrigues) #​59696
• [9a4bbdc3c5] - benchmark: calibrate config cluster/echo.js (Nam Yooseong) #​59836
• [0b284d86e8] - build: add the missing macro definitions for OpenHarmony (hqzing) #​59804
• [43e6e54d66] - build: do not include custom ESLint rules testing in tarball (Antoine du Hamel) #​59809
• [039ac19154] - crypto: expose signatureAlgorithm on X509Certificate (Patrick Costa) #​59235
• [647c332704] - crypto: use return await when returning Promises from async functions (Renegade334) #​59841
• [8ed4587cf0] - crypto: use async functions for non-stub Promise-returning functions (Renegade334) #​59841
• [bb051c56ef] - crypto: avoid calls to promise.catch() (Renegade334) #​59841
• [05e560dd25] - deps: update googletest to 50b8600 (Node.js GitHub Bot) #​59955
• [fa40d3a785] - deps: update archs files for openssl-3.5.3 (Node.js GitHub Bot) #​59901
• [8c85570d18] - deps: upgrade openssl sources to openssl-3.5.3 (Node.js GitHub Bot) #​59901
• [b71125664e] - deps: update undici to 7.16.0 (Node.js GitHub Bot) #​59830
• [dea5dd7077] - dgram: restore buffer optimization in fixBufferList (Yoo) #​59934
• [b0c1e67532] - diagnostics_channel: fix race condition with diagnostics_channel and GC (Ugaitz Urien) #​59910
• [0b37b594c3] - doc: use "WebAssembly" instead of "Web Assembly" (Tobias Nießen) #​59954
• [1e723f9c6b] - doc: fix typo in section on microtask order (Tobias Nießen) #​59932
• [a28962a85c] - doc: update V8 fast API guidance (René) #​58999
• [bd767c5d1b] - doc: add security escalation policy (Ulises Gascón) #​59806
• [9df91e59e1] - doc: type improvement of file http.md (yusheng chen) #​58189
• [e4f571680b] - doc: deprecate closing fs.Dir on garbage collection (Livia Medeiros) #​59839
• [e9cb986fa5] - doc: rephrase dynamic import() description (Nam Yooseong) #​59224
• [026d4e33f7] - doc,crypto: update subtle.generateKey and subtle.importKey (Filip Skokan) #​59851
• [2b2591db52] - esm: make hasAsyncGraph non-enumerable (Joyee Cheung) #​59905
• [993f05d323] - fs,win: do not add a second trailing slash in readdir (Gerhard Stöbich) #​59847
• [7aec53b607] - (SEMVER-MINOR) http: add shouldUpgradeCallback to let servers control HTTP upgrades (Tim Perry) #​59824
• [83ae6102e7] - http: optimize checkIsHttpToken for short strings (방진혁) #​59832
• [6695067636] - http,https: handle IPv6 with proxies (Joyee Cheung) #​59894
• [c5d910a0a9] - http2: fix allowHttp1+Upgrade, broken by shouldUpgradeCallback (Tim Perry) #​59924
• [acada1fb82] - inspector: ensure adequate memory allocation for Binary::toBase64 (René) #​59870
• [396cc8ec65] - lib: update inspect output format for subclasses (Miguel Marcondes Filho) #​59687
• [fed1dac8de] - lib: update isDeepStrictEqual to support options (Miguel Marcondes Filho) #​59762
• [d785929fd7] - lib: add source map support for assert messages (Chengzhong Wu) #​59751
• [ff13d1d61e] - lib,src: cache ModuleWrap.hasAsyncGraph (Chengzhong Wu) #​59703
• [b200cd8470] - lib,src: refactor assert to load error source from memory (Chengzhong Wu) #​59751
• [e94c57301b] - meta: add .npmrc with ignore-scripts=true (Joyee Cheung) #​59914
• [728472a57b] - module: only put directly require-d ESM into require.cache (Joyee Cheung) #​59874
• [be48760b93] - node-api: added SharedArrayBuffer api (Mert Can Altin) #​59071
• [f006a14522] - node-api: make napi_delete_reference use node_api_basic_env (Jeetu Suthar) #​59684
• [0f46c1c3b0] - repl: fix cpu overhead pasting big strings to the REPL (Ruben Bridgewater) #​59857
• [3eeb7b47ea] - sqlite: fix crash session extension callbacks with workers (Bart Louwers) #​59848
• [0fe53375ec] - (SEMVER-MINOR) sqlite: cleanup ERM support and export Session class (James M Snell) #​58378
• [9a3e58a007] - (SEMVER-MINOR) sqlite: add tagged template (0hm☘️) #​58748
• [f14ed5ab7b] - src: simplify watchdog instantiations via std::optional (Anna Henningsen) #​59960
• [e330f03f84] - src: update crypto objects to use DictionaryTemplate (James M Snell) #​59942
• [69b5607cf4] - src: simplify is_callable by making it a concept (Tobias Nießen) #​58169
• [86150f3401] - src: rename private fields to follow naming convention (Moonki Choi) #​59923
• [d17f299539] - src: use DictionaryTemplate more in URLPattern (James M Snell) #​59892
• [ac784912ac] - src: reduce the nearest parent package JSON cache size (Michael Smith) #​59888
• [abecdcb536] - src: replace FIXED_ONE_BYTE_STRING with Environment-cached strings (Moonki Choi) #​59891
• [2bb152500b] - src: create strings in FIXED_ONE_BYTE_STRING as internalized (Anna Henningsen) #​59826
• [03116a7cd8] - src: remove std::array overload of FIXED_ONE_BYTE_STRING (Anna Henningsen) #​59826
• [8a5325d6e3] - src: ensure v8::Eternal is empty before setting it (Anna Henningsen) #​59825
• [f0c20ccd81] - src: remove unnecessary Environment::GetCurrent() calls (Moonki Choi) #​59814
• [213188e491] - stream: use new AsyncResource instead of bind (Matteo Collina) #​59867
• [ce8435b003] - test: testcase demonstrating issue 59541 (Eric Rannaud) #​59801
• [8f32746142] - test: guard write to proxy client if proxy connection is ended (Joyee Cheung) #​59742
• [6790093fcb] - tls: load bundled and extra certificates off-thread (Joyee Cheung) #​59856
• [f5d3f919d8] - tls: only do off-thread certificate loading on loading tls (Joyee Cheung) #​59856
• [87bbaa23a0] - tools: fix tools/make-v8.sh for clang (Richard Lau) #​59893
• [0d23fd525b] - tools: skip test-internet workflow for draft PRs (Michaël Zasso) #​59817
• [e17c73731a] - tools: copyedit build-tarball.yml (Antoine du Hamel) #​59808
• [97c4e1bac9] - typings: remove unused imports (Nam Yooseong) #​59880
• [8b29bbca76] - url: replaced slice with at (Mikhail) #​59181
• [6458867a6b] - url: add type checking to urlToHttpOptions() (simon-id) #​59753
• [3c62b3886f] - util: inspect objects with throwing Symbol.toStringTag (Ruben Bridgewater) #​59860
• [6133a82875] - util: fix debuglog.enabled not being present with callback logger (Ruben Bridgewater) #​59858
• [9347ddddf4] - vm: explain how to share promises between contexts w/ afterEvaluate (Eric Rannaud) #​59801
• [44ce971619] - vm: "afterEvaluate", evaluate() return a promise from the outer context (Eric Rannaud) #​59801
• [6e586a1409] - vm: expose hasTopLevelAwait on SourceTextModule (Chengzhong Wu) #​59865
• [49747a58a3] - (SEMVER-MINOR) worker: add heap profile API (theanarkh) #​59846
• [b970c0bbc2] - zlib: reduce code duplication (jhofstee) #​57810
• [9782ca2b1b] - zlib: implement fast path for crc32 (Gürgün Dayıoğlu) #​59813

v24.8.0: 2025-09-10, Version 24.8.0 (Current), @​targos

Compare Source

Notable Changes

HTTP/2 Network Inspection Support in Node.js

Node.js now supports inspection of HTTP/2 network calls in Chrome DevTools for Node.js.

Usage

Write a test.js script that makes HTTP/2 requests.

const http2 = require('node:http2');

const client = http2.connect('https://nghttp2.org');

const req = client.request([
  ':path', '/',
  ':method', 'GET',
]);

Run it with these options:

node --inspect-wait --experimental-network-inspection test.js

Open about:inspect on Google Chrome and click on Open dedicated DevTools for Node.
The Network tab will let you track your HTTP/2 calls.

Contributed by Darshan Sen in #​59611.

Other Notable Changes

• [7a8e2c251d] - (SEMVER-MINOR) crypto: support Ed448 and ML-DSA context parameter in node:crypto (Filip Skokan) #​59570
• [[4b631be0b0](https://redirec

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[changeset-bot]

⚠️ No Changeset found

Latest commit: ec71ead

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

Base image in node/Dockerfile changed from node:23@sha256:990d0ab35ae15d8a322ee1eeaf4f7cf14e367d3d0ee2f472704b7b3df4c9e7c1 to node:24@sha256:9a2ed90cd91b1f3412affe080b62e69b057ba8661d9844e143a6bbd76a23260f. No other Dockerfile instructions were modified.

Changes

Cohort / File(s)	Change Summary
Node.js Runtime Update node/Dockerfile	Updated FROM base image from node:23@sha256:990d0ab35ae15d8a322ee1eeaf4f7cf14e367d3d0ee2f472704b7b3df4c9e7c1 to node:24@sha256:9a2ed90cd91b1f3412affe080b62e69b057ba8661d9844e143a6bbd76a23260f; all other lines unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

• Single-file, single-line image digest/tag update.
• Quick checks: compatibility with Node 24, CI/build verification, confirm digest authenticity.

Possibly related PRs

• Update Node.js to c29271c #32 — updates the same node/Dockerfile FROM line to a different Node base image/digest.
• Update Node.js to 990d0ab #34 — previously modified the node/Dockerfile base image digest that this change replaces.
• Update Node.js to b33cf70 #24 — also changes the Node.js base image declaration in node/Dockerfile.

Suggested reviewers

• RelativeSure

Poem

🐰 I hopped a layer up the tree,

From twenty-three to twenty-four with glee,
A tiny swap, a careful chew,
The build hums on — a morning dew,
🥕 hop, test, and off I flee.

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Update Node.js to v24' directly and clearly summarizes the main change in the changeset—upgrading the Node.js base image from v23 to v24 in the Dockerfile.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

• 📝 Generate docstrings

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/node-node-24.x

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 57d5ea0 and b62599a.

📒 Files selected for processing (1)

• node/Dockerfile (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: generate-config

🔇 Additional comments (4)

node/Dockerfile (4)

1-1: AI-generated summary SHA mismatch.

The AI summary references digest 0c4b1219e836193f8ff099c43a36cb6ebf1bfe4a9a391e9f9eca5b4c96fae5b3, but the actual code uses aa648b387728c25f81ff811799bbf8de39df66d7e2d9b3ab55cc6300cb9175d9. Please confirm which digest is correct and up-to-date.

---

1-1: pnpm@latest-10 + Node 24 compatibility appears sound.

Based on the available documentation, pnpm supports Corepack since Node.js v16.13, and pnpm v10 is designed to work with modern Node.js versions including v24. However, test the image build and execution to confirm:

1. Dockerfile builds successfully with docker build node/
2. npm --version, node --version, and pnpm --version return without errors
3. pnpm install succeeds in a sample project (if applicable)

---

1-1: I cannot verify the SHA256 digest directly without Docker access. Let me search for information about Node 24 breaking changes and the Buffer.allocUnsafe behavior mentioned in the review.

Based on my web search verification, I can now provide a more informed assessment:

An issue has been identified in the Node.js 24.x line with Buffer.allocUnsafe unintentionally returning zero-filled buffers. This API is documented to return uninitialized memory. However, the known issue relating to Buffer.allocUnsafe incorrectly zero-filling buffers has now been addressed in Node.js v24.11.1 and returns uninitialized memory as documented.

This means the criticality of the Buffer.allocUnsafe concern depends on which Node 24 minor version your Dockerfile is pinned to. The Dockerfile shows node:24@sha256:... without specifying a minor version, which means it likely pulls the latest v24.x patch available.

Regarding compatibility: pnpm requires at least Node.js v18.12 to run, so pnpm v10 should work with Node 24. No compatibility issues were found between pnpm v10 and Node 24.

The remaining concern is the SHA256 digest discrepancy—I cannot verify it without Docker access, but this is a secondary concern compared to the Buffer.allocUnsafe issue being addressed in v24.11.1+.

Update the Dockerfile to explicitly pin Node.js v24.11.1 or later to ensure the Buffer.allocUnsafe fix is included.

If you're already using v24.11.1+, the critical Buffer.allocUnsafe issue is resolved. Otherwise, ensure your build uses a patched version.

---

1-1: Additional verification needed for corepack:

Both pnpm v10 and corepack@latest are confirmed compatible with Node.js 24.

Corepack is distributed with Node.js up to (but not including) 25.0.0, which includes Node.js 24, and Corepack remains in Node.js 24 as an experimental feature. pnpm v10 has already been confirmed as compatible with Node.js 24 LTS. The setup is sound; no action needed.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

Critical: Verify the Node.js 24 image patch version.

There was a known issue in Node.js 24.x with Buffer.allocUnsafe unintentionally returning zero-filled buffers, while the API is documented to return uninitialized memory. The v24.11.1 LTS release addressed this issue and returns uninitialized memory as documented.

Your Dockerfile uses node:24@sha256:aa648b38..., but the AI summary references a different digest (0c4b1219...). This discrepancy is concerning—if the image is v24.11.0 (the initial LTS release), it contains the Buffer.allocUnsafe bug. If any of your application code or dependencies rely on the zero-filled behavior, upgrading will expose uninitialized memory and may cause data leaks or correctness issues.

Verify:

1. Which patch version (v24.11.0 vs v24.11.1+) corresponds to the SHA you're using
2. Whether your application or dependencies depend on Buffer.allocUnsafe behavior
3. Why the AI summary SHA differs from the actual code

🤖 Prompt for AI Agents

In node/Dockerfile around line 1, the pinned image digest may correspond to a
vulnerable Node.js 24 patch (v24.11.0) that contained a Buffer.allocUnsafe
behavior bug; verify which patch version your sha256 maps to by querying the
registry (docker pull or manifest inspect) and compare the image's Node.js
version; if it is v24.11.0, update the Dockerfile to use a v24.11.1+ image
(either the explicit tag node:24.11.1 or the exact sha256 for that release) to
ensure the fix, then run your test suite and dependency checks to confirm no
code relies on zero-filled buffers; finally reconcile why the AI summary SHA
differs by checking where the summary came from (different registry, cached
manifest, or typo) and ensure CI uses the corrected pinned digest.