2025-08-27, Version 24.7.0 (Current)

.devcontainer.json

@@ -0,0 +1,25 @@
+{
+  "name": "Node.js Core Developer Environment",
+  "runArgs": [
+    "--platform=linux/amd64"
+  ],
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "github.vscode-pull-request-github",
+        "ms-vsliveshare.vsliveshare",
+        "vscode-icons-team.vscode-icons",
+        "visualstudioexptteam.vscodeintellicode"
+      ],
+      "settings": {
+        "terminal.integrated.profiles.linux": {
+          "zsh (login)": {
+            "path": "zsh",
+            "args": ["-l"]
+          }
+        }
+      }
+    }
+  },
+  "image": "nodejs/devcontainer:nightly"
+}

.github/workflows/coverage-linux-without-intl.yml

@@ -79,6 +79,6 @@ jobs:
       - name: Clean tmp
         run: rm -rf coverage/tmp && rm -rf out
       - name: Upload
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24  # v5.4.3
+        uses: codecov/codecov-action@39a2af19d997be74586469d4062e173ecae614f6  # v5.4.3+
         with:
           directory: ./coverage

.github/workflows/coverage-linux.yml

@@ -79,6 +79,6 @@ jobs:
       - name: Clean tmp
         run: rm -rf coverage/tmp && rm -rf out
       - name: Upload
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24  # v5.4.3
+        uses: codecov/codecov-action@39a2af19d997be74586469d4062e173ecae614f6  # v5.4.3+
         with:
           directory: ./coverage

.github/workflows/coverage-windows.yml

@@ -71,6 +71,6 @@ jobs:
       - name: Clean tmp
         run: npx rimraf ./coverage/tmp
       - name: Upload
-        uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24  # v5.4.3
+        uses: codecov/codecov-action@39a2af19d997be74586469d4062e173ecae614f6  # v5.4.3+
         with:
           directory: ./coverage

.gitignore

@@ -7,8 +7,7 @@
 .*
 # Exclude specific dotfiles that we want to track.
 !deps/**/.*
-!.devcontainer/
-!.devcontainer/.devcontainer.json
+!.devcontainer.json
 !test/fixtures/**/.*
 !.clang-format
 !.cpplint

CHANGELOG.md

@@ -40,7 +40,8 @@ release.
 </tr>
 <tr>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V24.md#24.6.0">24.6.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V24.md#24.7.0">24.7.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V24.md#24.6.0">24.6.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V24.md#24.5.0">24.5.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V24.md#24.4.1">24.4.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V24.md#24.4.0">24.4.0</a><br/>

SECURITY.md

@@ -102,6 +102,22 @@ vulnerability in the context of the Node.js threat model. In other
 words, it cannot assume that a trusted element (such as the operating
 system) has been compromised.
 
+### Experimental platforms
+
+Node.js maintains a tier-based support system for operating systems and
+hardware combinations (Tier 1, Tier 2, and Experimental). For platforms
+classified as "Experimental" in the [supported platforms](BUILDING.md#supported-platforms)
+documentation:
+
+* Security vulnerabilities that only affect experimental platforms will **not** be accepted as valid security issues.
+* Any issues on experimental platforms will be treated as normal bugs.
+* No CVEs will be issued for issues that only affect experimental platforms
+* Bug bounty rewards are not available for experimental platform-specific issues
+
+This policy recognizes that experimental platforms may not compile, may not
+pass the test suite, and do not have the same level of testing and support
+infrastructure as Tier 1 and Tier 2 platforms.
+
 Being able to cause the following through control of the elements that Node.js
 does not trust is considered a vulnerability:
 
@@ -284,3 +300,8 @@ Security notifications will be distributed via the following methods.
 If you have suggestions on how this process could be improved, please visit
 the [nodejs/security-wg](https://github.com/nodejs/security-wg)
 repository.
+
+## Incident Response Plan
+
+In the event of a security incident, please refer to the
+[Security Incident Response Plan](https://github.com/nodejs/security-wg/blob/main/INCIDENT_RESPONSE_PLAN.md).

benchmark/common.js

@@ -81,6 +81,9 @@ class Benchmark {
         if (typeof value === 'number') {
           if (key === 'dur' || key === 'duration') {
             value = 0.05;
+          } else if (key === 'memory') {
+            // minimum Argon2 memcost with 1 lane is 8
+            value = 8;
           } else if (value > 1) {
             value = 1;
           }

benchmark/crypto/argon2.js

@@ -0,0 +1,53 @@
+'use strict';
+
+const common = require('../common.js');
+const { hasOpenSSL } = require('../../test/common/crypto.js');
+const assert = require('node:assert');
+const {
+  argon2,
+  argon2Sync,
+  randomBytes,
+} = require('node:crypto');
+
+if (!hasOpenSSL(3, 2)) {
+  console.log('Skipping: Argon2 requires OpenSSL >= 3.2');
+  process.exit(0);
+}
+
+const bench = common.createBenchmark(main, {
+  mode: ['sync', 'async'],
+  algorithm: ['argon2d', 'argon2i', 'argon2id'],
+  passes: [1, 3],
+  parallelism: [2, 4, 8],
+  memory: [2 ** 11, 2 ** 16, 2 ** 21],
+  n: [50],
+});
+
+function measureSync(n, algorithm, message, nonce, options) {
+  bench.start();
+  for (let i = 0; i < n; ++i)
+    argon2Sync(algorithm, { ...options, message, nonce, tagLength: 64 });
+  bench.end(n);
+}
+
+function measureAsync(n, algorithm, message, nonce, options) {
+  let remaining = n;
+  function done(err) {
+    assert.ifError(err);
+    if (--remaining === 0)
+      bench.end(n);
+  }
+  bench.start();
+  for (let i = 0; i < n; ++i)
+    argon2(algorithm, { ...options, message, nonce, tagLength: 64 }, done);
+}
+
+function main({ n, mode, algorithm, ...options }) {
+  // Message, nonce, secret, associated data & tag length do not affect performance
+  const message = randomBytes(32);
+  const nonce = randomBytes(16);
+  if (mode === 'sync')
+    measureSync(n, algorithm, message, nonce, options);
+  else
+    measureAsync(n, algorithm, message, nonce, options);
+}

benchmark/crypto/create-keyobject.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const common = require('../common.js');
+const { hasOpenSSL } = require('../../test/common/crypto.js');
 const crypto = require('crypto');
 const fs = require('fs');
 const path = require('path');
@@ -21,11 +22,14 @@ const keyFixtures = {
   'ec': readKeyPair('ec_p256_public', 'ec_p256_private'),
   'rsa': readKeyPair('rsa_public_2048', 'rsa_private_2048'),
   'ed25519': readKeyPair('ed25519_public', 'ed25519_private'),
-  'ml-dsa-44': readKeyPair('ml_dsa_44_public', 'ml_dsa_44_private'),
 };
 
+if (hasOpenSSL(3, 5)) {
+  keyFixtures['ml-dsa-44'] = readKeyPair('ml_dsa_44_public', 'ml_dsa_44_private');
+}
+
 const bench = common.createBenchmark(main, {
-  keyType: ['rsa', 'ec', 'ed25519', 'ml-dsa-44'],
+  keyType: Object.keys(keyFixtures),
   keyFormat: ['pkcs8', 'spki', 'der-pkcs8', 'der-spki', 'jwk-public', 'jwk-private'],
   n: [1e3],
 });

benchmark/crypto/kem.js

@@ -0,0 +1,140 @@
+'use strict';
+
+const common = require('../common.js');
+const { hasOpenSSL } = require('../../test/common/crypto.js');
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+const fixtures_keydir = path.resolve(__dirname, '../../test/fixtures/keys/');
+
+function readKey(name) {
+  return fs.readFileSync(`${fixtures_keydir}/${name}.pem`, 'utf8');
+}
+
+const keyFixtures = {};
+
+if (hasOpenSSL(3, 5)) {
+  keyFixtures['ml-kem-512'] = readKey('ml_kem_512_private');
+  keyFixtures['ml-kem-768'] = readKey('ml_kem_768_private');
+  keyFixtures['ml-kem-1024'] = readKey('ml_kem_1024_private');
+}
+if (hasOpenSSL(3, 2)) {
+  keyFixtures['p-256'] = readKey('ec_p256_private');
+  keyFixtures['p-384'] = readKey('ec_p384_private');
+  keyFixtures['p-521'] = readKey('ec_p521_private');
+  keyFixtures.x25519 = readKey('x25519_private');
+  keyFixtures.x448 = readKey('x448_private');
+}
+if (hasOpenSSL(3, 0)) {
+  keyFixtures.rsa = readKey('rsa_private_2048');
+}
+
+if (Object.keys(keyFixtures).length === 0) {
+  console.log('no supported key types available for this OpenSSL version');
+  process.exit(0);
+}
+
+const bench = common.createBenchmark(main, {
+  keyType: Object.keys(keyFixtures),
+  mode: ['sync', 'async', 'async-parallel'],
+  keyFormat: ['keyObject', 'keyObject.unique'],
+  op: ['encapsulate', 'decapsulate'],
+  n: [1e3],
+}, {
+  combinationFilter(p) {
+    // "keyObject.unique" allows to compare the result with "keyObject" to
+    // assess whether mutexes over the key material impact the operation
+    return p.keyFormat !== 'keyObject.unique' ||
+      (p.keyFormat === 'keyObject.unique' && p.mode === 'async-parallel');
+  },
+});
+
+function measureSync(n, op, privateKey, keys, ciphertexts) {
+  bench.start();
+  for (let i = 0; i < n; ++i) {
+    const key = privateKey || keys[i];
+    if (op === 'encapsulate') {
+      crypto.encapsulate(key);
+    } else {
+      crypto.decapsulate(key, ciphertexts[i]);
+    }
+  }
+  bench.end(n);
+}
+
+function measureAsync(n, op, privateKey, keys, ciphertexts) {
+  let remaining = n;
+  function done() {
+    if (--remaining === 0)
+      bench.end(n);
+    else
+      one();
+  }
+
+  function one() {
+    const key = privateKey || keys[n - remaining];
+    if (op === 'encapsulate') {
+      crypto.encapsulate(key, done);
+    } else {
+      crypto.decapsulate(key, ciphertexts[n - remaining], done);
+    }
+  }
+  bench.start();
+  one();
+}
+
+function measureAsyncParallel(n, op, privateKey, keys, ciphertexts) {
+  let remaining = n;
+  function done() {
+    if (--remaining === 0)
+      bench.end(n);
+  }
+  bench.start();
+  for (let i = 0; i < n; ++i) {
+    const key = privateKey || keys[i];
+    if (op === 'encapsulate') {
+      crypto.encapsulate(key, done);
+    } else {
+      crypto.decapsulate(key, ciphertexts[i], done);
+    }
+  }
+}
+
+function main({ n, mode, keyFormat, keyType, op }) {
+  const pems = [...Buffer.alloc(n)].map(() => keyFixtures[keyType]);
+  const keyObjects = pems.map(crypto.createPrivateKey);
+
+  let privateKey, keys, ciphertexts;
+
+  switch (keyFormat) {
+    case 'keyObject':
+      privateKey = keyObjects[0];
+      break;
+    case 'keyObject.unique':
+      keys = keyObjects;
+      break;
+    default:
+      throw new Error('not implemented');
+  }
+
+  // Pre-generate ciphertexts for decapsulate operations
+  if (op === 'decapsulate') {
+    if (privateKey) {
+      ciphertexts = [...Buffer.alloc(n)].map(() => crypto.encapsulate(privateKey).ciphertext);
+    } else {
+      ciphertexts = keys.map((key) => crypto.encapsulate(key).ciphertext);
+    }
+  }
+
+  switch (mode) {
+    case 'sync':
+      measureSync(n, op, privateKey, keys, ciphertexts);
+      break;
+    case 'async':
+      measureAsync(n, op, privateKey, keys, ciphertexts);
+      break;
+    case 'async-parallel':
+      measureAsyncParallel(n, op, privateKey, keys, ciphertexts);
+      break;
+  }
+}

benchmark/crypto/oneshot-sign.js

@@ -1,6 +1,7 @@
 'use strict';
 
 const common = require('../common.js');
+const { hasOpenSSL } = require('../../test/common/crypto.js');
 const crypto = require('crypto');
 const fs = require('fs');
 const path = require('path');
@@ -14,16 +15,19 @@ const keyFixtures = {
   'ec': readKey('ec_p256_private'),
   'rsa': readKey('rsa_private_2048'),
   'ed25519': readKey('ed25519_private'),
-  'ml-dsa-44': readKey('ml_dsa_44_private'),
 };
 
+if (hasOpenSSL(3, 5)) {
+  keyFixtures['ml-dsa-44'] = readKey('ml_dsa_44_private');
+}
+
 const data = crypto.randomBytes(256);
 
 let pems;
 let keyObjects;
 
 const bench = common.createBenchmark(main, {
-  keyType: ['rsa', 'ec', 'ed25519', 'ml-dsa-44'],
+  keyType: Object.keys(keyFixtures),
   mode: ['sync', 'async', 'async-parallel'],
   keyFormat: ['pem', 'der', 'jwk', 'keyObject', 'keyObject.unique'],
   n: [1e3],