Update Node.js to v20 - autoclosed

[descope]

This PR contains the following updates:

Package	Update	Change	OpenSSF
node (source)	major	v18 -> 20

---

Release Notes

nodejs/node (node)

v20.19.5: 2025-09-03, Version 20.19.5 'Iron' (LTS), @​marco-ippolito

Compare Source

Notable Changes

• [f5b293ad48] - doc: add JonasBa to collaborators (Jonas Badalic) #​58355
• [4e6ae787c6] - doc: add puskin to collaborators (Giovanni Bucci) #​58308
• [d06db658fc] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #​58499
• [3c6206cac9] - doc: add @​geeksilva97 to collaborators (Edy Silva) #​57241

Commits

• [ea20403467] - build: fix uvwasi pkgname (Antoine du Hamel) #​58270
• [c647aa4b30] - build: fix pointer compression builds (Joyee Cheung) #​58171
• [d2c5e609ae] - build: disable v8_enable_pointer_compression_shared_cage on non-64bit (Shelley Vohr) #​58867
• [84d5c4d244] - build: search for libnode.so in multiple places (Jan Staněk) #​58213
• [068c439552] - crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 (Filip Skokan) #​58942
• [edff105c34] - debugger: fix behavior of plain object exec in debugger repl (Dario Piotrowicz) #​57498
• [0473e35b7f] - deps: update zlib to 1.3.1-470d3a2 (Node.js GitHub Bot) #​58628
• [1218dbbea5] - deps: update zlib to 1.3.0.1-motley-780819f (Node.js GitHub Bot) #​57768
• [0e3cd9ec00] - deps: update zlib to 1.3.0.1-motley-788cb3c (Node.js GitHub Bot) #​56655
• [a194dd9bd4] - deps: update archs files for openssl-3.0.16 (Node.js GitHub Bot) #​57335
• [cc9b79ca70] - deps: upgrade openssl sources to quictls/openssl-3.0.16 (Node.js GitHub Bot) #​57335
• [82c46d5358] - deps: update cjs-module-lexer to 2.1.0 (Node.js GitHub Bot) #​57180
• [43e3f9b26b] - deps: update cjs-module-lexer to 2.0.0 (Michael Dawson) #​56855
• [91282ff16b] - deps: update corepack to 0.33.0 (Node.js GitHub Bot) #​58566
• [b76bca6f38] - deps: update acorn to 8.15.0 (Node.js GitHub Bot) #​58711
• [ae11481011] - deps: update acorn to 8.14.1 (Node.js GitHub Bot) #​57382
• [142d701201] - deps: update minimatch to 10.0.3 (Node.js GitHub Bot) #​58712
• [fee082d684] - deps: update llhttp to 9.3.0 (Fedor Indutny) #​58144
• [c06f6f3f05] - dns: remove redundant code using common variable (Deokjin Kim) #​57386
• [cded8e7e77] - dns: fix parse memory leaky (theanarkh) #​58973
• [182ae67233] - dns: fix dns query cache implementation (Ethan Arrowood) #​58404
• [621b66a297] - doc: add review guidelines for collaborator nominations (Antoine du Hamel) #​57449
• [b1009b5b72] - doc: explicit mention arbitrary code execution as a vuln (Rafael Gonzaga) #​57426
• [f5b293ad48] - doc: add JonasBa to collaborators (Jonas Badalic) #​58355
• [4e6ae787c6] - doc: add puskin to collaborators (Giovanni Bucci) #​58308
• [530473f479] - doc: add ovflowd back to core collaborators (Claudio W.) #​58911
• [38e8bbc131] - doc: add info on how project manages social media (Michael Dawson) #​57318
• [d06bb4dcc2] - doc: ping nodejs/tsc for each security pull request (Rafael Gonzaga) #​57309
• [d06db658fc] - doc: add Filip Skokan to TSC (Rafael Gonzaga) #​58499
• [8c3bc156ed] - doc: clarify path.isAbsolute is not path traversal mitigation (Eric Fortis) #​57073
• [e688410bda] - doc: fix rendering of DEP0174 description (David Sanders) #​56835
• [e6a0c6a0fa] - doc: add missing assert return types (Colin Ihrig) #​57219
• [026b3cab6a] - doc: add 1ilsang to triage team (1ilsang) #​57183
• [3c6206cac9] - doc: add @​geeksilva97 to collaborators (Edy Silva) #​57241
• [ef3a4675c7] - doc: fix web.libera.chat link in pull-requests.md (Samuel Bronson) #​57076
• [1db42b76f7] - doc: remove buffered flag from performance hooks examples (Pavel Romanov) #​52607
• [b73a1356ce] - doc: add module namespace object links (Dario Piotrowicz) #​57093
• [09368db20f] - doc: disambiguate pseudo-code statement (Dario Piotrowicz) #​57092
• [2c3dc569a1] - doc: fix wrong articles used to address modules (Dario Piotrowicz) #​57090
• [cd8259cb4e] - doc: modules.md: fix distance definition (Alexander “weej” Jones) #​57046
• [7b0ea9ab2d] - doc: fix wrong verb form (Dario Piotrowicz) #​57091
• [14fcfc242b] - doc: add a note about require('../common') in testing documentation (Aditi) #​56953
• [bc7d18b6ea] - doc: recommend writing tests in new files and including comments (Joyee Cheung) #​57028
• [acd4d7f269] - doc: improve documentation on argument validation (Aditi) #​56954
• [4cd6b3ca73] - doc: buffer: fix typo on Buffer.copyBytesFrom( offset option (tpoisseau) #​57015
• [01220607f2] - doc: update cleanup to trust on vuln db automation (Rafael Gonzaga) #​57004
• [77a0505a32] - doc: update post sec release process (Rafael Gonzaga) #​56907
• [77dbcfce5f] - doc: add section about using npx with permission model (Rafael Gonzaga) #​56539
• [73e51407b7] - doc: remove RedYetiDev from triagers team (Aviv Keller) #​55947
• [9a36cbb792] - doc: fix relative path mention in --allow-fs (Rafael Gonzaga) #​55791
• [04d9c5baeb] - doc: add scroll margin to links (Roman Reiss) #​58982
• [959a67f6ff] - doc: make Stability labels not sticky in Stability index (Livia Medeiros) #​58291
• [8757a5532f] - doc: update release key for aduh95 (Antoine du Hamel) #​58877
• [6fa0626327] - doc,src,test: fix typos (Noritaka Kobayashi) #​58477
• [9991788e4a] - http: coerce content-length to number (Marco Ippolito) #​57458
• [ff5cf8a428] - http2: fix check for frame->hd.type (hanguanqiang) #​57644
• [2f333b6c51] - lib: optimize prepareStackTrace on builtin frames (Chengzhong Wu) #​56299
• [cdf985071f] - lib: suppress source map lookup exceptions (Chengzhong Wu) #​56299
• [faa08b14ed] - lib: fixup incorrect argument order in assertEncoding (James M Snell) #​57177
• [a683cd1232] - meta: add IlyasShabi to collaborators (Ilyas Shabi) #​58916
• [b145bb28aa] - meta: bump codecov/codecov-action from 5.4.2 to 5.4.3 (dependabot[bot]) #​58551
• [2c59789001] - meta: bump ossf/scorecard-action from 2.4.1 to 2.4.2 (dependabot[bot]) #​58550
• [4095337e96] - meta: bump rtCamp/action-slack-notify from 2.3.2 to 2.3.3 (dependabot[bot]) #​58108
• [631fed8e39] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​58456
• [7d2f7180b6] - meta: bump codecov/codecov-action from 5.4.0 to 5.4.2 (dependabot[bot]) #​58110
• [1558551ea5] - meta: bump actions/download-artifact from 4.2.1 to 4.3.0 (dependabot[bot]) #​58106
• [e1f12fe737] - meta: ignore mailmap changes in linux ci (Jonas Badalic) #​58356
• [1b78eb1313] - meta: bump actions/setup-node from 4.3.0 to 4.4.0 (dependabot[bot]) #​58111
• [2b8449c39a] - meta: bump actions/setup-python from 5.5.0 to 5.6.0 (dependabot[bot]) #​58107
• [833b70bbc5] - meta: allow penetration testing on live system with prior authorization (Matteo Collina) #​57966
• [c6a88561f5] - meta: bump actions/setup-python from 5.4.0 to 5.5.0 (dependabot[bot]) #​57718
• [9046ef4fb3] - meta: bump peter-evans/create-pull-request from 7.0.7 to 7.0.8 (dependabot[bot]) #​57717
• [46388a4e2a] - meta: bump actions/cache from 4.2.2 to 4.2.3 (dependabot[bot]) #​57715
• [d3970685bd] - meta: bump actions/setup-node from 4.2.0 to 4.3.0 (dependabot[bot]) #​57714
• [47004ef37f] - meta: bump actions/upload-artifact from 4.6.1 to 4.6.2 (dependabot[bot]) #​57713
• [4abe83ec03] - meta: add some clarification to the nomination process (James M Snell) #​57503
• [45e9b88363] - meta: remove collaborator self-nomination (Rich Trott) #​57537
• [d10949b7d8] - meta: edit collaborator nomination process (Antoine du Hamel) #​57483
• [704562fb7a] - meta: move ovflowd to emeritus (Claudio W.) #​57443
• [3f981b8537] - meta: bump codecov/codecov-action from 5.3.1 to 5.4.0 (dependabot[bot]) #​57257
• [7e1ff7b332] - meta: bump ossf/scorecard-action from 2.4.0 to 2.4.1 (dependabot[bot]) #​57253
• [8d4ec412b9] - meta: move RaisinTen back to collaborators, triagers and SEA champion (Darshan Sen) #​57292
• [cc2abb5d17] - meta: bump peter-evans/create-pull-request from 7.0.6 to 7.0.7 (dependabot[bot]) #​57259
• [4fad2b8758] - meta: bump actions/cache from 4.2.0 to 4.2.2 (dependabot[bot]) #​57256
• [5f5bb8b986] - meta: bump actions/upload-artifact from 4.6.0 to 4.6.1 (dependabot[bot]) #​57255
• [e949359a56] - meta: bump actions/setup-python from 5.3.0 to 5.4.0 (dependabot[bot]) #​56867
• [d3c5ad7510] - meta: bump peter-evans/create-pull-request from 7.0.5 to 7.0.6 (dependabot[bot]) #​56866
• [56decfe2d1] - meta: bump codecov/codecov-action from 5.0.7 to 5.3.1 (dependabot[bot]) #​56864
• [52e518444d] - meta: bump actions/cache from 4.1.2 to 4.2.0 (dependabot[bot]) #​56862
• [9cac93d9c3] - meta: bump actions/stale from 9.0.0 to 9.1.0 (dependabot[bot]) #​56860
• [ecf4252f7c] - meta: update last name for jkrems (Jan Martin) #​57006
• [e8beaaaedf] - meta: bump actions/upload-artifact from 4.4.3 to 4.6.0 (dependabot[bot]) #​56861
• [5462c257f8] - meta: bump actions/setup-node from 4.1.0 to 4.2.0 (dependabot[bot]) #​56868
• [89c37891a0] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​56889
• [2a0175c291] - meta: add @​nodejs/url as codeowner (Chengzhong Wu) #​56783
• [c12aae1e78] - meta: bump github/codeql-action from 3.28.18 to 3.29.2 (dependabot[bot]) #​58922
• [4ef09990f1] - meta: bump github/codeql-action from 3.28.16 to 3.28.18 (dependabot[bot]) #​58552
• [889654eb2c] - meta: bump github/codeql-action from 3.28.11 to 3.28.16 (dependabot[bot]) #​58112
• [091e5c1bb9] - meta: bump github/codeql-action from 3.28.10 to 3.28.13 (dependabot[bot]) #​57716
• [01415153de] - meta: bump github/codeql-action from 3.28.8 to 3.28.10 (dependabot[bot]) #​57254
• [72ea8aac34] - meta: bump github/codeql-action from 3.27.5 to 3.28.8 (dependabot[bot]) #​56859
• [99a271e588] - meta: bump step-security/harden-runner from 2.12.0 to 2.12.2 (dependabot[bot]) #​58923
• [b4c4c02490] - meta: bump step-security/harden-runner from 2.11.0 to 2.12.0 (dependabot[bot]) #​58109
• [5361bb9157] - meta: bump step-security/harden-runner from 2.10.4 to 2.11.0 (dependabot[bot]) #​57258
• [28e33acf30] - meta: bump step-security/harden-runner from 2.10.2 to 2.10.4 (dependabot[bot]) #​56863
• [fad773cede] - module: throw error when re-runing errored module jobs (Joyee Cheung) #​58957
• [2531185423] - module: allow cycles in require() in the CJS handling in ESM loader (Joyee Cheung) #​58598
• [ed43b69689] - module: clarify cjs global-like error on ModuleJobSync (Carlos Espa) #​56491
• [6e02db1b12] - module: handle instantiated async module jobs in require(esm) (Joyee Cheung) #​58067
• [badba50d30] - module: fix incorrect formatting in require(esm) cycle error message (haykam821) #​57453
• [939ecf8906] - module: handle cached linked async jobs in require(esm) (Joyee Cheung) #​57187
• [ba7f8a0353] - module: improve error message from asynchronicity in require(esm) (Joyee Cheung) #​57126
• [c1e7fa2586] - module: handle .mjs in .js handler in CommonJS (Joyee Cheung) #​55590
• [41f3dfd21b] - module: fix require.resolve() crash on non-string paths (Aditi) #​56942
• [043dcdd628] - os: fix GetInterfaceAddresses memory lieaky (theanarkh) #​58940
• [9b74e9bfd9] - permission: ignore internalModuleStat on module loading (Rafael Gonzaga) #​55797
• [611a147b45] - readline: fix unresolved promise on abortion (Daniel Venable) #​54030
• [f891ae3421] - repl: avoid deprecated require.extensions in tab completion (baki gul) #​58653
• [7ba44290bf] - repl: fix tab completion not working with computer string properties (Dario Piotrowicz) #​58709
• [eb842048b2] - src: do not format single string argument for THROW_ERR_* (Joyee Cheung) #​57126
• [4f004937ec] - src: fixup errorhandling more in various places (James M Snell) #​57852
• [5daa7fe2e2] - src: fix module buffer allocation (X-BW) #​57738
• [586b1be11b] - src: fix build when using shared simdutf (Antoine du Hamel) #​58407
• [563e61f012] - src: fix possible dereference of null pointer (Eusgor) #​58459
• [cbec07ea0b] - src: fix FIPS init error handling (Tobias Nießen) #​58379
• [80fb80e71b] - src: fix -Wunreachable-code in src/node_api.cc (Shelley Vohr) #​58901
• [5e97719860] - test: skip test-http-imports on macos (Marco Ippolito) #​59745
• [69c43bdfcc] - test: fix internet/test-dns (Michaël Zasso) #​59660
• [6fd58e0338] - tools: update coverage GitHub Actions to fixed version (Rich Trott) #​59512
• [eb7bbce73e] - tools: disable failing coverage jobs (Antoine du Hamel) #​58770
• [65b1669936] - util: fix formatting of objects with built-in Symbol.toPrimitive (Shima Ryuhei) #​57832
• [8a29f13bec] - util: fix parseEnv incorrectly splitting multiple ‘=‘ in value (HEESEUNG) #​57421
• [077d5020c4] - v8: fix missing callback in heap utils destroy (Ruben Bridgewater) #​58846
• [34ae9f8b18] - vm: import call should return a promise in the current context (Chengzhong Wu) #​58309
• [0dd3a8d6d1] - win,build: fix MSVS v17.14 compilation issue (StefanStojanovic) #​58902
• [1b83a2bd2d] - zlib: remove mentions of unexposed Z_TREES constant (Jimmy Leung) #​58371
• [9dc9604502] - zlib: fix pointer alignment (jhofstee) #​57727

v20.19.4: 2025-07-15, Version 20.19.4 'Iron' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

• (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()

Commits

• [db7b93fcef] - (CVE-2025-27210) lib: handle all windows reserved driver name (RafaelGSS) nodejs-private/node-private#721

v20.19.3: 2025-06-23, Version 20.19.3 'Iron' (LTS), @​marco-ippolito

Compare Source

Notable Changes

• [c535a3c483] - crypto: graduate WebCryptoAPI Ed25519 and X25519 algorithms as stable (Filip Skokan) #​56142
• [af1dc63815] - crypto: update root certificates to NSS 3.108 (Node.js GitHub Bot) #​57381
• [01d63a4ddf] - deps: update timezone to 2025b (Node.js GitHub Bot) #​57857
• [b6daa344eb] - doc: add dario-piotrowicz to collaborators (Dario Piotrowicz) #​58102

Commits

• [fc1fa7a357] - build: use FILE_OFFSET_BITS=64 esp. on 32-bit arch (RafaelGSS) #​58090
• [79e0812181] - build: use glob for dependencies of out/Makefile (Richard Lau) #​55789
• [f56e62851a] - crypto: allow length=0 for HKDF and PBKDF2 in SubtleCrypto.deriveBits (Filip Skokan) #​55866
• [c535a3c483] - crypto: graduate WebCryptoAPI Ed25519 and X25519 algorithms as stable (Filip Skokan) #​56142
• [39925de8b1] - crypto: allow non-multiple of 8 in SubtleCrypto.deriveBits (Filip Skokan) #​55296
• [af1dc63815] - crypto: update root certificates to NSS 3.108 (Node.js GitHub Bot) #​57381
• [d09008add3] - deps: V8: cherry-pick 1a3ecc2 (Michaël Zasso) #​58342
• [fd56652425] - deps: V8: cherry-pick 182d9c0 (Andrey Kosyakov) #​58342
• [447481e829] - deps: V8: cherry-pick third_party/zlib@646b7f5 (Hans Wennborg) #​58342
• [eb447168df] - deps: update simdutf to 6.4.2 (Node.js GitHub Bot) #​57855
• [01d63a4ddf] - deps: update timezone to 2025b (Node.js GitHub Bot) #​57857
• [10fb49f2a9] - deps: update icu to 77.1 (Node.js GitHub Bot) #​57455
• [f1dc7d0205] - deps: update corepack to 0.32.0 (Node.js GitHub Bot) #​57265
• [7a2e64bb8a] - deps: update simdutf to 6.4.0 (Node.js GitHub Bot) #​56764
• [e80669be0d] - doc: mention reports should align with Node.js CoC (Rafael Gonzaga) #​57607
• [7b2c0bc92e] - doc: add gurgunday as triager (Gürgün Dayıoğlu) #​57594
• [791e4879de] - doc: document REPL custom eval arguments (Dario Piotrowicz) #​57690
• [2917f09876] - doc: improved fetch docs (Alessandro Miliucci) #​57296
• [d940b15843] - doc: clarify unhandledRejection events behaviors in process doc (Dario Piotrowicz) #​57654
• [71c664fab7] - doc: update position type to integer | null in fs (Yukihiro Hasegawa) #​57745
• [0c0fbfa9c6] - doc: add missing v0.x changelog entries (Antoine du Hamel) #​57779
• [e99462c9fc] - doc: correct deprecation type of assert.CallTracker (René) #​57997
• [c7e92696ef] - doc: add returns for https.get (Eng Zer Jun) #​58025
• [ccc42b69ce] - doc: fix env variable name in util.styleText (Antoine du Hamel) #​58072
• [b6daa344eb] - doc: add dario-piotrowicz to collaborators (Dario Piotrowicz) #​58102
• [e5d6a3df16] - doc: fix AsyncLocalStorage example response changes after node v18 (Naor Tedgi (Abu Emma)) #​57969
• [f006411998] - doc: fix typo of file zlib.md (yusheng chen) #​58093
• [5193735df4] - doc: add missing options.signal to readlinePromises.createInterface() (Jimmy Leung) #​55456
• [fd44af730f] - doc: fix misaligned options in vm.compileFunction() (Jimmy Leung) #​58145
• [0fdcc0ddcd] - doc: add ambassaor message (Brian Muenzenmeyer) #​57600
• [5ca9616bd3] - doc: increase z-index of header element (Dario Piotrowicz) #​57851
• [81342d10f0] - doc: fix deprecation type for DEP0148 (Livia Medeiros) #​57785
• [776becfe01] - doc: remove mention of --require not supporting ES modules (Huáng Jùnliàng) #​57620
• [3140a8f133] - doc: add missing deprecated badges in fs.md (Yukihiro Hasegawa) #​57384
• [441ce24ae3] - doc: deprecate passing invalid types in fs.existsSync (Carlos Espa) #​55892
• [0556f54544] - http: correctly translate HTTP method (Paolo Insogna) #​52701
• [c2c6d2b035] - http: be more generational GC friendly (ywave620) #​56767
• [cdf3fa241c] - http2: skip writeHead if stream is closed (Shima Ryuhei) #​57686
• [bbd5aec785] - http2: fix graceful session close (Kushagra Pandey) #​57808
• [b427ae4f34] - meta: remove build-windows.yml (Aviv Keller) #​54662
• [49e624f554] - os: fix netmask format check condition in getCIDR function (Wiyeong Seo) #​57324
• [d582954434] - src: remove unused variable in crypto_x509.cc (Michaël Zasso) #​57754
• [234a505e96] - src: allow embedder customization of OOMErrorHandler (Shelley Vohr) #​57325
• [c0252cd380] - src: fix -Wunreachable-code-return in node_sea (Shelley Vohr) #​57664
• [fcd1622fc1] - src: fix kill signal 0 on Windows (Stefan Stojanovic) #​57695
• [850192b06b] - test: skip broken sea on rhel8 (Marco Ippolito) #​58761
• [3cf7cfb695] - test: update WPT for WebCryptoAPI to edd42c0 (Node.js GitHub Bot) #​57365
• [f57765bdcf] - test: mark test-without-async-context-frame flaky on windows (James M Snell) #​56753
• [275ea8e7ef] - test: force GC in test-file-write-stream4 (Luigi Pinca) #​57930
• [da6a13c338] - test: deflake test-http2-options-max-headers-block-length (Luigi Pinca) #​57959
• [56fce6691e] - test: prevent extraneous HOSTNAME substitution in test-runner-output (René) #​58076
• [c9c0be5596] - test: update expected error message for macOS (Antoine du Hamel) #​57742
• [3cbf5f93d2] - test: fix missing edge case in test-blob-slice-with-large-size (Joyee Cheung) #​58414
• [bffd4ec379] - test: skip in test-buffer-tostring-rangeerror on allocation failure (Joyee Cheung) #​58415
• [8237346fb7] - test,crypto: update WebCryptoAPI WPT (Filip Skokan) #​54593
• [b90c4ab937] - tools: remove unused osx-pkg-postinstall.sh (Antoine du Hamel) #​57667
• [414013dcfb] - tools: edit create-release-proposal workflow to handle pr body length (Elves Vieira) #​57841
• [7c449ed6b3] - tools: fix tarball testing directory (Marco Ippolito) #​57994
• [d164dc2d38] - tools: update sccache version to v0.10.0 (Marco Ippolito) #​57994
• [debd3c2cc0] - tools: disable failing test envs in test-linux CI (Antoine du Hamel) #​58351
• [152112505a] - typings: fix ImportModuleDynamicallyCallback return type (Chengzhong Wu) #​57160
• [363bf744ab] - worker: flush stdout and stderr on exit (Matteo Collina) #​56428

v20.19.2: 2025-05-14, Version 20.19.2 'Iron' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

• (CVE-2025-23166) fix error handling on async crypto operation
• (CVE-2025-23167) (SEMVER-MAJOR) update llhttp to 9.2.0
• (CVE-2025-23165) add missing call to uv_fs_req_cleanup

Commits

• [eb25047b1b] - deps: update llhttp to 9.2.0 (Node.js GitHub Bot) #​51719
• [12dcd8db08] - deps: update llhttp to 9.1.3 (Node.js GitHub Bot) #​50080
• [190e45a291] - (SEMVER-MAJOR) (CVE-2025-23167) deps: update llhttp to 9.1.2 (Paolo Insogna) #​48981
• [fc68c44e6a] - fs: added test for missing call to uv_fs_req_cleanup (Justin Nietzel) #​57811
• [9e13bf0a81] - (CVE-2025-23165) fs: add missing call to uv_fs_req_cleanup (Justin Nietzel) #​57811
• [bd0aa5d44c] - (CVE-2024-27982) http: do not allow OBS fold in headers by default (Paolo Insogna) nodejs-private/node-private#556
• [6c57465920] - (CVE-2025-23166) src: fix error handling on async crypto operations (RafaelGSS) nodejs-private/node-private#710

v20.19.1: 2025-04-22, Version 20.19.1 'Iron' (LTS), @​UlisesGascon prepared by @​RafaelGSS

Compare Source

Notable Changes

• [d5e73ce0f8] - deps: update undici to 6.21.2 (Matteo Collina) #​57442
• [e4a6323ab2] - deps: update c-ares to v1.34.5 (Node.js GitHub Bot) #​57792

Commits

• [d5e73ce0f8] - deps: update undici to 6.21.2 (Matteo Collina) #​57442
• [e4a6323ab2] - deps: update c-ares to v1.34.5 (Node.js GitHub Bot) #​57792
• [b2b9eb36af] - dns: restore dns query cache ttl (Ethan Arrowood) #​57640
• [07a99a5c0b] - doc: correct status of require(esm) warning in v20 changelog (Joyee Cheung) #​57529
• [d45517ccbf] - meta: bump Mozilla-Actions/sccache-action from 0.0.8 to 0.0.9 (dependabot[bot]) #​57720
• [fa93bb2633] - test: update parallel/test-tls-dhe for OpenSSL 3.5 (Richard Lau) #​57477
• [29c032403c] - tools: update sccache to support GH cache changes (Michaël Zasso) #​57573

v20.19.0: 2025-03-13, Version 20.19.0 'Iron' (LTS), @​marco-ippolito

Compare Source

Notable Changes

require(esm) is now enabled by default

Support for loading native ES modules using require() had been available on v20.x under the command line flag --experimental-require-module, and available by default on v22.x and v23.x. In this release, it is now no longer behind a flag on v20.x.

This feature has been tested on v23.x and v22.x, and we are looking for user feedback from v20.x to make more final tweaks before fully stabilizing it.
It now no longer emits a warning unless --trace-require-module is explicitly used.
If there happens to be any regressions caused by this feature, users can report it to the Node.js issue tracker. Meanwhile this feature can also be disabled using --no-experimental-require-module as a workaround.

With this feature enabled, Node.js will no longer throw ERR_REQUIRE_ESM if require() is used to load a ES module. It can, however, throw ERR_REQUIRE_ASYNC_MODULE if the ES module being loaded or its dependencies contain top-level await. When the ES module is loaded successfully by require(), the returned object will either be a ES module namespace object similar to what's returned by import(), or what gets exported as "module.exports" in the ES module.

Users can check process.features.require_module to see whether require(esm) is enabled in the current Node.js instance. For packages, the "module-sync" exports condition can be used as a way to detect require(esm) support in the current Node.js instance and allow both require() and import to load the same native ES module. See the documentation for more details about this feature.

Contributed by Joyee Cheung in #​55085

Module syntax detection is now enabled by default

Module syntax detection (the --experimental-detect-module flag) is now
enabled by default. Use --no-experimental-detect-module to disable it if
needed.

Syntax detection attempts to run ambiguous files as CommonJS, and if the module
fails to parse as CommonJS due to ES module syntax, Node.js tries again and runs
the file as an ES module.
Ambiguous files are those with a .js or no extension, where the nearest parent
package.json has no "type" field (either "type": "module" or
"type": "commonjs").
Syntax detection should have no performance impact on CommonJS modules, but it
incurs a slight performance penalty for ES modules; add "type": "module" to
the nearest parent package.json file to eliminate the performance cost.
A use case unlocked by this feature is the ability to use ES module syntax in
extensionless scripts with no nearby package.json.

Thanks to Geoffrey Booth for making this work on #​53619.

Other Notable Changes

• [285bb4ee14] - crypto: update root certificates to NSS 3.107 (Node.js GitHub Bot) #​56566
• [73b5c16684] - (SEMVER-MINOR) worker: add postMessageToThread (Paolo Insogna) #​53682
• [de313b2336] - (SEMVER-MINOR) module: only emit require(esm) warning under --trace-require-module (Joyee Cheung) #​56194
• [4fba01911d] - (SEMVER-MINOR) process: add process.features.require_module (Joyee Cheung) #​55241
• [df8a045afe] - (SEMVER-MINOR) module: implement the "module-sync" exports condition (Joyee Cheung) #​54648
• [f9dc1eaef5] - (SEMVER-MINOR) module: add __esModule to require()'d ESM (Joyee Cheung) #​52166

Commits

• [d84be843e3] - benchmark: add validateStream to styleText bench (Rafael Gonzaga) #​56556
• [d8eaf5b9b8] - build: fix compatibility with V8's depot_tools (Richard Lau) #​57330
• [1ee4bf9690] - build: test macos-13 on GitHub actions (Michaël Zasso) #​56307
• [1cc8d69882] - build: build v8 with -fvisibility=hidden on macOS (Joyee Cheung) #​56275
• [52f1f7e22b] - child_process: fix parsing messages with splitted

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, on day 1 of the month ( * 0-3 1 * * ) in timezone Asia/Jerusalem, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Never, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.