This commit removes two NOTEs that render properly in the GitHub
web interface, but not on the Node.js docs website.
PR-URL: https://github.com/nodejs/node/pull/57484
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Xuguang Mei <meixuguang@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
On other platforms, load from the OpenSSL default certificate
file and diretory.
This is different from --use-openssl-ca in that it caches
the certificates on first load, instead of always reading
from disk every time a new root store is needed.
When used together with the statically-linked OpenSSL, the
default configuration usually leads to this behavior:
- If SSL_CERT_FILE is used, load from SSL_CERT_FILE. Otherwise
load from /etc/ssl/cert.pem
- If SSL_CERT_DIR is used, load from all the files under
SSL_CERT_DIR. Otherwise, load from all the files under
/etc/ssl/certs
PR-URL: https://github.com/nodejs/node/pull/57009
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This patch adds support for --use-system-ca on Windows, the
certificates are collected following Chromium's policy,
though the following are left as TODO and out of this patch.
- Support for user-added intermediate certificates
- Support for distrusted certificates
Since those aren't typically supported by other runtimes/tools
either, and what's implemented in this patch is sufficient for
enough use cases already.
PR-URL: https://github.com/nodejs/node/pull/56833
Reviewed-By: James M Snell <jasnell@gmail.com>
As `--env-file` is experimental, this must be marked as experimental as
well.
Refs: https://github.com/nodejs/node/issues/56887
Signed-off-by: Juan José Arboleda <soyjuanarbol@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/56893
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
This commit adds a new flag `--disable-sigusr1` to prevent
the SignalIOThread to be up listening the SIGUSR1 events and
then starting the debugging session.
PR-URL: https://github.com/nodejs/node/pull/56441
Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/56706
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This commit updates the documentation and includes
a test to ensure that permission model flags
will be passed to the child process if `fork`
is called
PR-URL: https://github.com/nodejs/node/pull/56523
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
The 'coverage output' and 'source map cache' sections were
appearing under the NO_COLOR environment variable instead of
the NODE_V8_COVERAGE enviroment variable where they were intended
to be. This commit fixes that issue.
PR-URL: https://github.com/nodejs/node/pull/56525
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Previously this PR it was expected that InternalWorker
usage doesn't require the --allow-worker when the permission
model is enabled. This, however, exposes a vulnerability
whenever the instance gets accessed by the user. For example
through diagnostics_channel.subscribe('worker_threads')
PR-URL: https://github.com/nodejs-private/node-private/pull/629
Refs: https://hackerone.com/reports/2575105
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Robert Nagy <ronagy@icloud.com>
CVE-ID: CVE-2025-23083
Move permission model from 1.1 (Active Development)
to 2.0 (Stable).
PR-URL: https://github.com/nodejs/node/pull/56201
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Santiago Gimeno <santiago.gimeno@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Stephen Belanger <admin@stephenbelanger.com>
require(esm) is relatively stable now and the experimental warning
has run its course - it's now more troublesome than useful.
This patch changes it to no longer emit a warning unless
`--trace-require-module` is explicitly used. The flag supports
two modes:
- `--trace-require-module=all`: emit warnings for all usages
- `--trace-require-module=no-node-modules`: emit warnings for
usages that do not come from a `node_modules` folder.
PR-URL: https://github.com/nodejs/node/pull/56194
Fixes: https://github.com/nodejs/node/issues/55417
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com>
This implements --trace-env, --trace-env-js-stack and
--trace-env-native-stack CLI options which can be used to find
out what environment variables are accessed and where they are
accessed.
PR-URL: https://github.com/nodejs/node/pull/55604
Reviewed-By: Chengzhong Wu <legendecas@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit marks the test runner's snapshot testing API as
stable.
PR-URL: https://github.com/nodejs/node/pull/55897
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Pietro Marchini <pietro.marchini94@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Reviewed-By: Jacob Smith <jacob@frende.me>
Reviewed-By: Chemi Atlow <chemi@atlow.co.il>
This commit allows the node:sqlite module to be used without
starting Node with a CLI flag. The module is still experimental.
Fixes: https://github.com/nodejs/node/issues/55854
PR-URL: https://github.com/nodejs/node/pull/55890
Reviewed-By: Jake Yuesong Li <jake.yuesong@gmail.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
Reviewed-By: Moshe Atlow <moshe@atlow.co.il>
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Setting of UV_THREADPOOL_SIZE from inside process using
process.env.UV_THREADPOOL_SIZE is not guaranteed to work as
the thread pool would have been created as part of the runtime
initialisation much before user code is run.
update doc/api/cli.md
PR-URL: https://github.com/nodejs/node/pull/55832
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
This improves Permission Model usage when allowing read access to
specifi modules. To achieve that, the permission model check on
internalModuleStat has been removed meaning that on module loading,
uv_fs_stat is performed on files and folders even when the permission
model is enabled. Although a uv_fs_stat is performed, reading/executing
the module will still pass by the permission model check.
Without this PR when an app tries to --allow-fs-read=./a.js
--allow-fs-read=./b.js where `a` attempt to load b, it will fails as
it reads $pwd and no permission has been given to this path.
PR-URL: https://github.com/nodejs/node/pull/55797
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
PR-URL: https://github.com/nodejs/node/pull/55788
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Ulises Gascón <ulisesgascongonzalez@gmail.com>
Huáng Jùnliàng
Antoine du Hamel
Colin Ihrig
Eugenio Ceschia
Darshan Sen
Node.js GitHub Bot
Marco Ippolito
Carlos Espa
RafaelGSS
Joyee Cheung
Juan José
Tim Jacomb
James M Snell
Chengzhong Wu
Pietro Marchini
Geoffrey Booth
Preveen P
Joe Bowbeer