Skip to content

Commit 419a89b

Browse files
digest: add issues for 2026-06-18
1 parent 72c19c1 commit 419a89b

12 files changed

Lines changed: 311 additions & 0 deletions
Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,14 @@
1+
---
2+
date: 2026-06-17
3+
repo: biomejs/biome
4+
size: S
5+
title: "Clarify useValidAnchor docs"
6+
excerpt: "Expanded the anchor accessibility rule docs to better explain invalid hrefs, empty fragments, and when to prefer buttons."
7+
commits: 1
8+
authors: [Th3S4mur41]
9+
commit_authors: {"077585d": Th3S4mur41}
10+
---
11+
12+
### Other misc changes
13+
- Documentation updates for `useValidAnchor` in HTML and JS analyzers to clarify invalid `href` cases and the `href="#"` edge case (077585d)
14+
- Minor wording/formatting cleanup in the rule examples and explanation comments
Lines changed: 66 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,66 @@
1+
---
2+
date: 2026-06-17
3+
repo: denoland/deno
4+
size: L
5+
title: "Node compat, coverage thresholds, install fixes"
6+
excerpt: "Big Node.js compatibility and CLI coverage/install changes, plus several important bug fixes across HTTP, fetch, and core error formatting."
7+
commits: 20
8+
authors: [bartlomieju, divybot, lowlighter, KnorpelSenf, Reububble, fibibot, sanjibani]
9+
commit_authors: {"6516647": bartlomieju, "7479822": bartlomieju, "576c38f": bartlomieju, "ab81178": bartlomieju, "bf4017d": bartlomieju, "e4444d5": bartlomieju, "a249752": divybot, "55f2eee": lowlighter, "bfc32bd": KnorpelSenf, "b40113d": bartlomieju, "f8be21c": bartlomieju, "e19228d": bartlomieju, "cc733e3": Reububble, "82e8ca0": bartlomieju, "792bea4": fibibot, "d32108f": sanjibani, "f2f8666": bartlomieju, "2d710e6": bartlomieju, "adb7a2b": bartlomieju}
10+
---
11+
12+
### **Node HTTP server now respects active streaming timeouts** (576c38f)
13+
Deno's `node:http` layer no longer applies `requestTimeout` to the entire request/response lifetime. That fixes long-lived streaming responses like SSE and proxies getting reset around the default 300s timeout.
14+
15+
### **HTTP/2 works on DENO_SERVE_ADDRESS override listeners** (ab81178)
16+
Node servers behind the address override now accept both HTTP/1.1 and HTTP/2, matching `Deno.serve()`. This fixes a compatibility break where HTTP/2 clients were being answered with HTTP/1.1 errors.
17+
18+
### **`deno serve` now exits cleanly on SIGTERM/SIGINT** (bf4017d)
19+
The serve process now shuts down gracefully instead of leaving termination behavior inconsistent. This matters for containerized and orchestrated deployments that rely on signal handling.
20+
21+
### **Net-deny checks now run against the actual connected peer** (e4444d5)
22+
The fetch connector no longer relies on the earlier task-local port hack to enforce network permissions after DNS resolution. This makes denied IP-literal and resolved-address cases line up more cleanly with the real peer being contacted.
23+
24+
### **npm bin entrypoints no longer inherit the root import map** (a249752)
25+
`npm run` bin main modules are now isolated from the project import map, avoiding accidental resolution changes. This fixes a long-standing bug where package bin execution could pick up unrelated import-map aliases.
26+
27+
### **Doc tests now use `#` as their virtual file sigil** (55f2eee)
28+
The doc-test extraction path switched from `$` to `#` for virtual filenames. That aligns the tooling with the intended marker and fixes a broad set of doc-test/check/coverage edge cases.
29+
30+
### **`util.styleText` stops coloring non-TTY streams** (bfc32bd)
31+
Node-compat `util.styleText` now avoids emitting ANSI color codes when the output stream is not a TTY. This fixes incorrect colored output in logs and other redirected streams.
32+
33+
### **`deno install` warns on `package.json` engine mismatches** (b40113d)
34+
Install now checks `engines.node` and `engines.deno` and emits warnings when the current runtime doesn't satisfy them. It also rejects invalid engine ranges with a warning, giving users earlier feedback instead of silent mismatch.
35+
36+
### **Coverage can now fail CI below a threshold** (f8be21c)
37+
`deno coverage` and `deno test --coverage` now support minimum coverage thresholds, with config-file support as well. This lets teams enforce coverage gates instead of only reporting numbers.
38+
39+
### **Global installs now resolve package.json dependencies** (7479822)
40+
`deno install --global` now flattens the entrypoint's nearest `package.json` dependencies into the copied config's import map. That fixes bare-specifier failures for globally installed commands that depend on local package.json entries.
41+
42+
### **Error/test formatting preserves custom `.stack` getters** (932bd1d)
43+
Top-level error rendering and test failures now keep custom stack strings instead of collapsing them into a single internal frame. That improves output for libraries and runtimes that define their own stack formatting.
44+
45+
### **`deno upgrade` streams zstd delta patches to reduce OOM risk** (e19228d)
46+
The upgrade path no longer needs to materialize the full decompressed delta patch in memory up front. This is a practical fix for low-memory machines where the old path could hit a 2GiB allocation failure.
47+
48+
### **`TlsListener` now reports the correct transport address** (cc733e3)
49+
TLS listener address metadata is now set correctly, fixing mismatches in server/serve behavior. This is a small but important compatibility fix for code that inspects listener transport details.
50+
51+
### **Node version reporting is now single-sourced** (82e8ca0)
52+
Deno's emulated Node version is now defined once and reused across `process.version`, `process.versions.node`, and the N-API version report. That prevents version drift between Rust and JS shims when the emulated Node release changes.
53+
54+
### **`node:http(s)` proxy requests now enforce target permissions** (2d710e6)
55+
Proxied Node HTTP(S) requests now permission-check the real target host, not just the proxy socket. That closes a security/parity gap where `--allow-net=<proxy>` could otherwise reach disallowed destinations.
56+
57+
### **`npm` cache now trims oversized full packuments** (adb7a2b)
58+
When `minimumDependencyAge` forces a full packument fetch, the cached registry metadata is now slimmed down to avoid ballooning `registry.json`. This reduces cache size and avoids unnecessary disk and memory pressure.
59+
60+
### Other misc changes
61+
- Node compat shim for `node` on PATH when no real Node.js is installed (f2f8666)
62+
- Deprecate no-op `--unstable-node-globals` flag (6516647)
63+
- Fix npm bin import map handling for global installs (a249752)
64+
- LSP tsconfig root/script-name fixes (792bea4)
65+
- Chocolatey install link update (d32108f)
66+
- Misc test updates and dependency bumps
Lines changed: 10 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,10 @@
1+
---
2+
date: 2026-06-17
3+
repo: denoland/std
4+
size: N
5+
title: "No changes"
6+
excerpt: ""
7+
commits: 0
8+
---
9+
10+

src/posts/2026-06-17_jsr-io-jsr.md

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
---
2+
date: 2026-06-17
3+
repo: jsr-io/jsr
4+
size: L
5+
title: "Algolia search migration lands and gets tuned"
6+
excerpt: "JSR switches search infrastructure to Algolia, with a follow-up fix to scope filtering and ranking."
7+
commits: 2
8+
authors: [crowlKats]
9+
commit_authors: {"2ff90f7": crowlKats, "3101df8": crowlKats}
10+
---
11+
12+
### **Algolia search migration replaces Orama** (3101df8)
13+
JSR’s search stack was moved over to Algolia across the frontend, backend config, Terraform, and GitHub Actions. This is a broad infrastructure change that also rewires reindexing jobs and deployment secrets, so it materially affects how package and symbol search is generated and operated.
14+
15+
### **Scope filters and ranking were corrected after the migration** (2ff90f7)
16+
Search now strips a leading `@` from `scope:` queries, so `scope:@std` and `scope:std` behave the same. The Algolia index also ranks `scope` ahead of `name`, restoring the old behavior where `std` should prefer `@std/*` packages over merely similarly named results.
17+
18+
### Other misc changes
19+
- Reindexed search workflow names/inputs updated for Algolia.
20+
- CI and deployment environment variables swapped from Orama-specific settings to Algolia settings.
21+
- Search-related refactors and lockfile/docs updates from the migration.
Lines changed: 30 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,30 @@
1+
---
2+
date: 2026-06-17
3+
repo: leanprover/lean4
4+
size: L
5+
title: "Lean4 tightens mvcgen and adds Float models"
6+
excerpt: "A new Float logical model lands alongside mvcgen fixes for specs, dependent lattices, and partial-correctness proofs."
7+
commits: 9
8+
authors: [sgraf812, Kha, TwoFX, Garmelon]
9+
commit_authors: {"8233528": sgraf812, "2b6ce0d": sgraf812, "9226d79": Kha, "314925d": Kha, "b3ba0f0": sgraf812, "e61bb27": sgraf812, "c64b560": TwoFX, "9c8794d": Garmelon}
10+
---
11+
12+
### **Float logical models added for `Float` and `Float32`** (c64b560)
13+
Lean now has `Float.Model` and `Float32.Model` as logical models for the native floating-point types, with substantial supporting infrastructure for unpacking, formatting, comparisons, arithmetic, and conversions. This is a major groundwork change for reasoning about floats in the logic, even though the models are not yet wired in as the official logical model.
14+
15+
### **`mvcgen'` now fails cleanly on dependent assertion lattices** (2b6ce0d)
16+
`mvcgen'` no longer loops forever when its assertion lattice is a dependent function type; it now reports a clear error instead. The solver also treats the function-lattice peel step as optional, which avoids trying to apply `le_of_forall_le` where it cannot work.
17+
18+
### **`@[spec]` support was unified and priority-aware** (b3ba0f0)
19+
Equational and unfold-style `@[spec]` annotations are now registered into the internal spec database at annotation time, preserving their annotated priority for `mvcgen'`. This also rejects malformed specs earlier and avoids repeatedly reconstructing the rule set from `mvcgen_simp` at each call.
20+
21+
### **Specs defined through reducible abbreviations now work** (e61bb27)
22+
`mvcgen` and `mvcgen'` can now recognize `@[spec]` proofs whose type is a reducible abbreviation wrapping a Hoare triple. That fixes cases where the spec was registered but then dropped during lookup because the abbreviation was never reduced.
23+
24+
### **`Std.Do.Triple.observe` adds a partial-correctness bridge** (8233528)
25+
A new lemma lets you turn a triple about an “observed” stateless program into a triple for a different program, which is useful for object-language specifications in `do`-notation. The new tests show it being used to thread boolean monadic predicates through `mvcgen`/`mvcgen'` proofs.
26+
27+
### Other misc changes
28+
- CI now always uses the GitHub-hosted Linux ARM runner for aarch64 (9226d79).
29+
- `requiresModule` test script portability fix for `sed` and shell setup (314925d).
30+
- Stage0 and development-cycle preparation updates (492d7e8, 9c8794d).
Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,19 @@
1+
---
2+
date: 2026-06-17
3+
repo: microsoft/typescript-go
4+
size: L
5+
title: "Watch build overhaul and packaging notice fix"
6+
excerpt: "Build mode was reworked around fswatch, and native preview packages now ship NOTICE.txt correctly."
7+
commits: 2
8+
authors: [jakebailey, johnfav03]
9+
commit_authors: {"241df12": jakebailey, "2fb5d4c": johnfav03}
10+
---
11+
12+
### **Rebuilt build mode around `fswatch`** (2fb5d4c)
13+
Build watching was substantially refactored to use the new `fswatch`/watchmanager plumbing instead of the older timestamp-tracking approach. This changes how build mode detects file changes, config updates, and watcher races, and it ships with a broad set of updated watch-mode baselines to cover the new behavior.
14+
15+
### **Include NOTICE.txt in native preview packages** (241df12)
16+
The packaging scripts now copy `NOTICE.txt` into the main native preview package and ensure it is listed in the packaged files. This fixes license/compliance metadata so downstream consumers actually receive the notice that was previously omitted.
17+
18+
### Other misc changes
19+
- None beyond the two high-impact commits.
Lines changed: 26 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,26 @@
1+
---
2+
date: 2026-06-17
3+
repo: nodejs/node
4+
size: L
5+
title: "Node adds sync UDP connect, crypto tightening"
6+
excerpt: "A synchronous dgram connect lands, crypto deprecations turn end-of-life, and Web Crypto/DH behavior gets stricter."
7+
commits: 8
8+
authors: [panva, guybedford, anonrig, jasnell, emmayusufu]
9+
commit_authors: {"eea8d72": guybedford, "4d09c04": panva, "3fd0e11": anonrig, "b03e6e0": jasnell, "9d50432": panva, "5402b5e": panva, "63907e1": panva, "ef42d32": emmayusufu}
10+
---
11+
12+
### **dgram: add synchronous `Socket.connectSync()` (eea8d72)**
13+
Node now exposes a synchronous UDP connect path that binds if needed, validates numeric IP literals, and throws immediately for local setup errors. It also guarantees `remoteAddress()` is available right after the call, with the `'connect'` event deferred to the next tick.
14+
15+
### **crypto: move CryptoKey support to End-of-Life and tighten Web Crypto inputs (4d09c04, 9d50432, 63907e1, 5402b5e)**
16+
Several crypto surfaces were hardened: passing `CryptoKey` into many `node:crypto` APIs is now End-of-Life, resizable ArrayBuffer-backed Web Crypto inputs are rejected, and Diffie-Hellman `computeSecret()` now throws when the instance has no private key instead of returning an empty buffer. The same crypto docs also mark Argon2 and encapsulation/decapsulation APIs as stable.
17+
18+
### **stream iter backpressure semantics refined (b03e6e0)**
19+
The stream/iter bridge now treats sync write paths more strictly: `writeSync`/`writevSync` only succeed when data is accepted immediately, and thrown sync errors are no longer treated as a silent fallback into async handling. This clarifies backpressure behavior across classic, pull, push, and consumer helpers.
20+
21+
### **New child_process benchmarks added (3fd0e11)**
22+
Three microbenchmarks were added for spawn option marshalling, IPC round-trips, and `execFile()` maxBuffer behavior. These give the child_process work a clearer performance baseline for JS-to-C++ hot paths.
23+
24+
### Other misc changes
25+
- Docs fix for test runner mock examples (ef42d32)
26+
- Crypto docs marked Argon2 and encap/decap stable (5402b5e)
Lines changed: 48 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,48 @@
1+
---
2+
date: 2026-06-17
3+
repo: oven-sh/bun
4+
size: L
5+
title: "Bun ships major Node parity and bug fixes"
6+
excerpt: "Big day for HTTP, net/tls, crypto, streams, and install correctness, plus several crash and leak fixes."
7+
commits: 18
8+
authors: [robobun, cirospaciari, dylan-conway, alii, Jarred-Sumner]
9+
commit_authors: {"797d565": robobun, "92311e1": alii, "65f12bd": dylan-conway, "1ee0960": robobun, "899168a": cirospaciari, "1ecbea9": robobun, "7765caf": robobun, "c4a937c": cirospaciari, "be38df3": robobun, "3b4f286": robobun, "3b24ca9": robobun, "76d5d28": robobun, "bd8edc7": cirospaciari}
10+
---
11+
12+
### **node:http gets a full socket-based client rewrite** (c4a937c)
13+
Bun replaces the fetch-based `ClientRequest` with a port of Node’s real HTTP client on `net`/`tls`, llhttp, and an `Agent` socket pool. This is a large compatibility shift that also brings client proxy support and a big jump in Node test parity.
14+
15+
### **net/tls compatibility expands with half-open, callbacks, and local bind support** (bd8edc7)
16+
The networking stack picks up broad Node parity work: half-open/reset/write behavior, server `TLSSocket` wrapping, session/keylog handling, SNICallback/ALPNCallback, pfx, OpenSSL error shapes, `addCACert`, and local binding. It also adds connect-time `localAddress`/`localPort` binding and updates the underlying socket implementation accordingly.
17+
18+
### **node:stream gains async iterator support and broader parity fixes** (899168a)
19+
Bun vendors the full upstream stream suite for Node v26.3.0 and implements the experimental `stream/iter` and `zlib/iter` APIs behind `--experimental-stream-iter`. The runtime changes fill several semantics gaps around reads, compose/pipeline, web adapters, and HTTP/fs/net integration.
20+
21+
### **HTTP proxy tunnel bugs are fixed, including a use-after-free and a dead-socket assertion** (1ecbea9, 7765caf)
22+
Two separate proxy-tunnel failure paths are hardened: one avoids a use-after-free when response bytes and `close_notify` arrive together, and the other stops asserting when the outer socket dies mid-handshake and now returns `ConnectionClosed`. These are correctness fixes for real proxy traffic that could previously hang or crash.
23+
24+
### **Postgres query cleanup no longer leaks on error paths** (92311e1)
25+
The Postgres SQL query runner now centralizes teardown so failed execute/bind paths release query and statement refs consistently. That prevents event-loop hangs and ref leaks when synchronous errors occur during query dispatch.
26+
27+
### **Install now trusts root `file:` overrides and reports newer lockfiles clearly** (797d565, 1ee0960)
28+
`bun install` now treats `file:` paths from root `package.json` overrides/resolutions as user-authored and safe even when they point outside the package tree, fixing a false-positive unsafe-path rejection. It also gives a much clearer error when a `bun.lock` was written by a newer Bun, including a suggestion to run `bun upgrade`.
29+
30+
### **Crypto hashing accepts SHAKE aliases** (76d5d28)
31+
`createHash` and `crypto.hash` now accept `shake-128`/`shake-256` aliases in addition to the shorter forms. This matches Node/OpenSSL behavior and removes an unnecessary incompatibility for SHAKE users.
32+
33+
### **Crash handler fixes baseline platform reporting** (65f12bd)
34+
Baseline builds were emitting the wrong trace-string platform character because the code checked a nonexistent Cargo feature. That broke crash-symbolication on bun.report for baseline x86_64 builds, so this fixes the metadata at the source.
35+
36+
### **Web globals become readonly accessors** (be38df3)
37+
`navigator.userAgent`, `navigator.platform`, and `navigator.hardwareConcurrency` are now getter-only instead of writable data properties. That aligns Bun with browser semantics and Node-like expectations, preventing accidental reassignment.
38+
39+
### **Microtask and websocket API correctness fixes** (3b24ca9, 3b4f286)
40+
`queueMicrotask.length` is corrected from 2 to 1, matching the spec and other runtimes. `ServerWebSocket.cork()` also now passes the websocket instance into the callback as documented.
41+
42+
### Other misc changes
43+
- Reproducible build path remapping for Rust (`--remap-path-prefix`) and related build-script tweaks
44+
- `StatWatcherScheduler` double-push guard for Node fs
45+
- `moduleLoaderImportModule` TLA referrer async-order fix
46+
- `bun.lock` version error message improvement
47+
- CI/machine/bootstrap comment and metadata updates
48+
- Minor HTTP/stream/internal refactors and test additions

0 commit comments

Comments
 (0)