2025-08-28, Version 22.19.0 'Jod' (LTS)

.github/CODEOWNERS

@@ -18,6 +18,7 @@
 /doc/contributing/**/* @nodejs/tsc
 /GOVERNANCE.md @nodejs/tsc
 /SECURITY.md @nodejs/tsc
+/BUILDING.md @nodejs/build @nodejs/tsc
 /LICENSE @nodejs/tsc
 /onboarding.md @nodejs/tsc
 
@@ -223,3 +224,8 @@
 /lib/internal/inspector/* @nodejs/inspector
 /lib/internal/inspector_* @nodejs/inspector
 /lib/inspector.js @nodejs/inspector
+
+# path
+/lib/path.js @nodejs/path
+/lib/path/* @nodejs/path
+/test/parallel/test-path-* @nodejs/path

.github/workflows/coverage-linux-without-intl.yml

@@ -80,6 +80,6 @@ jobs:
       - name: Clean tmp
         run: rm -rf coverage/tmp && rm -rf out
       - name: Upload
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24  # v5.4.3
+        uses: codecov/codecov-action@39a2af19d997be74586469d4062e173ecae614f6  # v5.4.3+
         with:
           directory: ./coverage

.github/workflows/coverage-linux.yml

@@ -80,6 +80,6 @@ jobs:
       - name: Clean tmp
         run: rm -rf coverage/tmp && rm -rf out
       - name: Upload
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24  # v5.4.3
+        uses: codecov/codecov-action@39a2af19d997be74586469d4062e173ecae614f6  # v5.4.3+
         with:
           directory: ./coverage

.github/workflows/coverage-windows.yml

@@ -71,6 +71,6 @@ jobs:
       - name: Clean tmp
         run: npx rimraf ./coverage/tmp
       - name: Upload
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24  # v5.4.3
+        uses: codecov/codecov-action@39a2af19d997be74586469d4062e173ecae614f6  # v5.4.3+
         with:
           directory: ./coverage

.github/workflows/lint-release-proposal.yml

@@ -39,7 +39,7 @@ jobs:
           EXPECTED_TRAILER="^$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/pull/[[:digit:]]+\$"
           echo "Expected trailer format: $EXPECTED_TRAILER"
           PR_URL="$(git --no-pager log -1 --format='%(trailers:key=PR-URL,valueonly)')"
-          echo "Actual: $ACTUAL"
+          echo "Actual: $PR_URL"
           echo "$PR_URL" | grep -E -q "$EXPECTED_TRAILER"
 
           PR_HEAD="$(gh pr view "$PR_URL" --json headRefOid -q .headRefOid)"

.mailmap

@@ -6,6 +6,7 @@ Abdirahim Musse <abdirahim.musse@ibm.com> <33973272+abmusse@users.noreply.github
 Abe Fettig <abefettig@gmail.com> <abe@fettig.net>
 Abhimanyu Vashisht <abhimanyuvashisht.av@gmail.com>
 Adam Langley <agl@imperialviolet.org> <agl@google.com>
+Aditi Singh <aditisingh1400@gmail.com>
 Akhil Marsonya <akhil.marsonya27@gmail.com>
 Akhil Marsonya <akhil.marsonya27@gmail.com> <16393876+marsonya@users.noreply.github.com>
 Akito Ito <akito0107@gmail.com> <akito_ito@r.recruit.co.jp>

BUILDING.md

@@ -281,6 +281,11 @@ export CXX=g++-12
 make -j4
 ```
 
+> \[!IMPORTANT]
+> If you face a compilation error during this process such as
+> `error: no matching conversion for functional-style cast from 'unsigned int' to 'TypeIndex'`
+> Make sure to use a `g++` or `clang` version compatible with C++20.
+
 We can speed up the builds by using [Ninja](https://ninja-build.org/). For more
 information, see
 [Building Node.js with Ninja](doc/contributing/building-node-with-ninja.md).

CHANGELOG.md

@@ -37,7 +37,8 @@ release.
 </tr>
 <tr>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V22.md#22.18.0">22.18.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V22.md#22.19.0">22.19.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V22.md#22.18.0">22.18.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V22.md#22.17.1">22.17.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V22.md#22.17.0">22.17.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V22.md#22.16.0">22.16.0</a><br/>

LICENSE

@@ -2100,7 +2100,7 @@ The externally maintained libraries used by Node.js are:
 
 - inspector_protocol, located at deps/inspector_protocol, is licensed as follows:
   """
-    // Copyright 2016 The Chromium Authors. All rights reserved.
+    // Copyright 2016 The Chromium Authors.
     //
     // Redistribution and use in source and binary forms, with or without
     // modification, are permitted provided that the following conditions are
@@ -2639,3 +2639,28 @@ The externally maintained libraries used by Node.js are:
     OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
     SOFTWARE.
   """
+
+- sonic-boom, located at lib/internal/streams/fast-utf8-stream.js, is licensed as follows:
+  """
+    MIT License
+
+    Copyright (c) 2017 Matteo Collina
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy
+    of this software and associated documentation files (the "Software"), to deal
+    in the Software without restriction, including without limitation the rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all
+    copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+    SOFTWARE.
+  """

Makefile

@@ -1661,7 +1661,7 @@ HAS_DOCKER ?= $(shell command -v docker > /dev/null 2>&1; [ $$? -eq 0 ] && echo
 
 .PHONY: gen-openssl
 ifeq ($(HAS_DOCKER), 1)
-DOCKER_COMMAND ?= docker run -it -v $(PWD):/node
+DOCKER_COMMAND ?= docker run --rm -u $(shell id -u) -v $(PWD):/node
 IS_IN_WORKTREE = $(shell grep '^gitdir: ' $(PWD)/.git 2>/dev/null)
 GIT_WORKTREE_COMMON = $(shell git rev-parse --git-common-dir)
 DOCKER_COMMAND += $(if $(IS_IN_WORKTREE), -v $(GIT_WORKTREE_COMMON):$(GIT_WORKTREE_COMMON))

README.md

@@ -95,37 +95,27 @@ _docs_ subdirectory. Version-specific documentation is also at
 
 ### Verifying binaries
 
-Download directories contain a `SHASUMS256.txt` file with SHA checksums for the
-files.
+Download directories contain a `SHASUMS256.txt.asc` file with SHA checksums for the
+files and the releaser PGP signature.
 
-To download `SHASUMS256.txt` using `curl`:
+You can get a trusted keyring from nodejs/release-keys, e.g. using `curl`:
 
 ```bash
-curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt
+curl -fsLo "/path/to/nodejs-keyring.kbx" "https://github.com/nodejs/release-keys/raw/HEAD/gpg/pubring.kbx"
 ```
 
-To check that downloaded files match the checksum, use `sha256sum`:
+Alternatively, you can import the releaser keys in your default keyring, see
+[Release keys](#release-keys) for commands to how to do that.
 
-```bash
-sha256sum -c SHASUMS256.txt --ignore-missing
-```
-
-For Current and LTS, the GPG detached signature of `SHASUMS256.txt` is in
-`SHASUMS256.txt.sig`. You can use it with `gpg` to verify the integrity of
-`SHASUMS256.txt`. You will first need to import
-[the GPG keys of individuals authorized to create releases](#release-keys).
-
-See [Release keys](#release-keys) for commands to import active release keys.
-
-Next, download the `SHASUMS256.txt.sig` for the release:
+Then, you can verify the files you've downloaded locally
+(if you're using your default keyring, pass `--keyring="${GNUPGHOME:-~/.gnupg}/pubring.kbx"`):
 
 ```bash
-curl -O https://nodejs.org/dist/vx.y.z/SHASUMS256.txt.sig
+curl -fsO "https://nodejs.org/dist/${VERSION}/SHASUMS256.txt.asc" \
+&& gpgv --keyring="/path/to/nodejs-keyring.kbx" --output SHASUMS256.txt < SHASUMS256.txt.asc \
+&& shasum --check SHASUMS256.txt --ignore-missing
 ```
 
-Then use `gpg --verify SHASUMS256.txt.sig SHASUMS256.txt` to verify
-the file's signature.
-
 ## Building Node.js
 
 See [BUILDING.md](BUILDING.md) for instructions on how to build Node.js from
@@ -289,6 +279,8 @@ For information about the governance of the Node.js project, see
   **Abdirahim Musse** <<abdirahim.musse@ibm.com>>
 * [addaleax](https://github.com/addaleax) -
   **Anna Henningsen** <<anna@addaleax.net>> (she/her)
+* [Aditi-1400](https://github.com/Aditi-1400) -
+  **Aditi Singh** <<aditisingh1400@gmail.com>> (she/her)
 * [aduh95](https://github.com/aduh95) -
   **Antoine du Hamel** <<duhamelantoine1995@gmail.com>> (he/him) - [Support me](https://github.com/sponsors/aduh95)
 * [anonrig](https://github.com/anonrig) -
@@ -383,8 +375,6 @@ For information about the governance of the Node.js project, see
   **Chengzhong Wu** <<legendecas@gmail.com>> (he/him)
 * [lemire](https://github.com/lemire) -
   **Daniel Lemire** <<daniel@lemire.me>>
-* [Linkgoron](https://github.com/Linkgoron) -
-  **Nitzan Uziely** <<linkgoron@gmail.com>>
 * [LiviaMedeiros](https://github.com/LiviaMedeiros) -
   **LiviaMedeiros** <<livia@cirno.name>>
 * [ljharb](https://github.com/ljharb) -
@@ -424,7 +414,7 @@ For information about the governance of the Node.js project, see
 * [Qard](https://github.com/Qard) -
   **Stephen Belanger** <<admin@stephenbelanger.com>> (he/him)
 * [RafaelGSS](https://github.com/RafaelGSS) -
-  **Rafael Gonzaga** <<rafael.nunu@hotmail.com>> (he/him)
+  **Rafael Gonzaga** <<rafael.nunu@hotmail.com>> (he/him) - [Support me](https://github.com/sponsors/RafaelGSS)
 * [RaisinTen](https://github.com/RaisinTen) -
   **Darshan Sen** <<raisinten@gmail.com>> (he/him) - [Support me](https://github.com/sponsors/RaisinTen)
 * [richardlau](https://github.com/richardlau) -
@@ -597,6 +587,8 @@ For information about the governance of the Node.js project, see
   **Lance Ball** <<lball@redhat.com>> (he/him)
 * [Leko](https://github.com/Leko) -
   **Shingo Inoue** <<leko.noor@gmail.com>> (he/him)
+* [Linkgoron](https://github.com/Linkgoron) -
+  **Nitzan Uziely** <<linkgoron@gmail.com>>
 * [lucamaraschi](https://github.com/lucamaraschi) -
   **Luca Maraschi** <<luca.maraschi@gmail.com>> (he/him)
 * [lundibundi](https://github.com/lundibundi) -
@@ -806,8 +798,11 @@ Primary GPG keys for Node.js Releasers (some Releasers sign with subkeys):
 * **Ulises Gascón** <<ulisesgascongonzalez@gmail.com>>
   `A363A499291CBBC940DD62E41F10027AF002F8B0`
 
-To import the full set of trusted release keys (including subkeys possibly used
-to sign releases):
+You can use the keyring the project maintains at
+<https://github.com/nodejs/release-keys/raw/refs/heads/main/gpg-only-active-keys/pubring.kbx>.
+Alternatively, you can import them from a public key server. Have in mind that
+the project cannot guarantee the availability of the server nor the keys on
+that server.
 
 ```bash
 gpg --keyserver hkps://keys.openpgp.org --recv-keys 5BE8A3F6C8A5C01D106C0AD820B1A390B168D356 # Antoine du Hamel
@@ -867,6 +862,9 @@ verify a downloaded file.
 * **Timothy J Fontaine** <<tjfontaine@gmail.com>>
   `7937DFD2AB06298B2293C3187D33FF9D0246406D`
 
+The project maintains a keyring able to verify all past releases of Node.js at
+<https://github.com/nodejs/release-keys/raw/refs/heads/main/gpg/pubring.kbx>.
+
 </details>
 
 ### Security release stewards
@@ -882,6 +880,9 @@ releases on a rotation basis as outlined in the
 * [Datadog](https://www.datadoghq.com/)
   * [bengl](https://github.com/bengl) -
     **Bryan English** <<bryan@bryanenglish.com>> (he/him)
+* [HeroDevs](https://www.herodevs.com/)
+  * [marco-ippolito](https://github.com/marco-ippolito) -
+    **Marco Ippolito** <<marcoippolito54@gmail.com>> (he/him)
 * [NodeSource](https://nodesource.com/)
   * [juanarbol](https://github.com/juanarbol) -
     **Juan José Arboleda** <<soyjuanarbol@gmail.com>> (he/him)

SECURITY.md

@@ -109,6 +109,22 @@ does not trust is considered a vulnerability:
   the correct use of Node.js APIs.
 * The unavailability of the runtime, including the unbounded degradation of its
   performance.
+* Memory leaks qualify as vulnerabilities when all of the following criteria are met:
+  * The API is being correctly used.
+  * The API doesn't have a warning against its usage in a production environment.
+  * The API is public and documented.
+  * The API is on stable (2.0) status.
+  * The memory leak is significant enough to cause a denial of service quickly
+    or in a context not controlled by the user (for example, HTTP parsing).
+  * The memory leak is directly exploitable by an untrusted source without requiring application mistakes.
+  * The leak cannot be reasonably mitigated through standard operational practices (like process recycling).
+  * The leak occurs deterministically under normal usage patterns rather than edge cases.
+  * The leak occurs at a rate that would cause practical resource exhaustion within a practical timeframe under
+    typical workloads.
+  * The attack demonstrates [asymmetric resource consumption](https://cwe.mitre.org/data/definitions/405.html),
+    where the attacker expends significantly fewer resources than what's required by the server to process the
+    attack. Attacks requiring comparable resources on the attacker's side (which can be mitigated through common
+    practices like rate limiting) may not qualify.
 
 If Node.js loads configuration files or runs code by default (without a
 specific request from the user), and this is not documented, it is considered a
@@ -125,7 +141,7 @@ Vulnerabilities related to this case may be fixed by a documentation update.
 * The data received from the remote end of outbound network connections
   that are created through the use of Node.js APIs and
   which is transformed/validated by Node.js before being passed
-  to the application EXCEPT with respect to payload length. Node.js trusts
+  to the application **except** with respect to payload length. Node.js trusts
   that applications make connections/requests which will avoid payload
   sizes that will result in a Denial of Service.
   * HTTP APIs (all flavors) client APIs.
@@ -146,9 +162,9 @@ then untrusted input must not lead to arbitrary JavaScript code execution.
 
 **Node.js trusts everything else**. Examples include:
 
-* The developers and infrastructure that runs it.
+* The developers and infrastructure that run it.
 * The operating system that Node.js is running under and its configuration,
-  along with anything under control of the operating system.
+  along with anything under the control of the operating system.
 * The code it is asked to run, including JavaScript, WASM and native code, even
   if said code is dynamically loaded, e.g., all dependencies installed from the
   npm registry.
@@ -163,6 +179,11 @@ then untrusted input must not lead to arbitrary JavaScript code execution.
   See <https://nodejs.org/api/modules.html#all-together>.
 * The `node:wasi` module does not currently provide the comprehensive file
   system security properties provided by some WASI runtimes.
+* The execution path is trusted. Additionally, Node.js path manipulation functions
+  such as `path.join()` and `path.normalize()` trust their input. Reports about issues
+  related to these functions that rely on unsanitized input are not considered vulnerabilities
+  requiring CVEs, as it's the user's responsibility to sanitize path inputs according to
+  their security requirements.
 
 Any unexpected behavior from the data manipulation from Node.js Internal
 functions may be considered a vulnerability if they are exploitable via
@@ -184,12 +205,12 @@ the community they pose.
 
 * Node.js provides APIs to validate handling of Subject Alternative Names (SANs)
   in certificates used to connect to a TLS/SSL endpoint. If certificates can be
-  crafted which result in incorrect validation by the Node.js APIs that is
+  crafted that result in incorrect validation by the Node.js APIs that is
   considered a vulnerability.
 
 #### Inconsistent Interpretation of HTTP Requests (CWE-444)
 
-* Node.js provides APIs to accept http connections. Those APIs parse the
+* Node.js provides APIs to accept HTTP connections. Those APIs parse the
   headers received for a connection and pass them on to the application.
   Bugs in parsing those headers which can result in request smuggling are
   considered vulnerabilities.
@@ -202,9 +223,9 @@ the community they pose.
 
 #### External Control of System or Configuration Setting (CWE-15)
 
-* If Node.js automatically loads a configuration file which is not documented
+* If Node.js automatically loads a configuration file that is not documented
   and modification of that configuration can affect the confidentiality of
-  data protected using the Node.js APIs this is considered a vulnerability.
+  data protected using the Node.js APIs, then this is considered a vulnerability.
 
 ### Examples of non-vulnerabilities
 
@@ -227,7 +248,7 @@ the community they pose.
 
 #### External Control of System or Configuration Setting (CWE-15)
 
-* If Node.js automatically loads a configuration file which is documented
+* If Node.js automatically loads a configuration file that is documented,
   no scenario that requires modification of that configuration file is
   considered a vulnerability.
 
@@ -247,9 +268,9 @@ the community they pose.
 
 ## Assessing experimental features reports
 
-Experimental features are eligible to reports as any other stable feature of
-Node.js. They will also be susceptible to receiving the same severity score
-as any other stable feature.
+Experimental features are eligible for security reports just like any other
+stable feature of Node.js. They may also receive the same severity score that a
+stable feature would.
 
 ## Receiving security updates
 

benchmark/_cli.js

@@ -140,8 +140,8 @@ CLI.prototype.getCpuCoreSetting = function() {
   const isValid = /^(\d+(-\d+)?)(,\d+(-\d+)?)*$/.test(value);
   if (!isValid) {
     throw new Error(`
-        Invalid CPUSET format: "${value}". Please use a single core number (e.g., "0"), 
-        a range of cores (e.g., "0-3"), or a list of cores/ranges 
+        Invalid CPUSET format: "${value}". Please use a single core number (e.g., "0"),
+        a range of cores (e.g., "0-3"), or a list of cores/ranges
         (e.g., "0,2,4" or "0-2,4").\n\n${this.usage}
     `);
   }