Merge branch 'main' of https://github.com/nodejs/node

Author: aduh95

.github/workflows/auto-start-ci.yml

@@ -28,13 +28,13 @@ jobs:
       - name: Get Pull Requests
         id: get_prs_for_ci
         run: >
-          numbers=$(gh pr list \
-                  --repo ${{ github.repository }} \
+          echo "numbers=$(gh pr list \
+                  --repo "$GITHUB_REPOSITORY" \
                   --label 'request-ci' \
                   --json 'number' \
+                  --search 'review:approved' \
                   -t '{{ range . }}{{ .number }} {{ end }}' \
-                  --limit 5)
-          echo "numbers=$numbers" >> $GITHUB_OUTPUT
+                  --limit 5)" >> "$GITHUB_OUTPUT"
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   start-ci:

.github/workflows/commit-lint.yml

@@ -1,6 +1,10 @@
 name: First commit message adheres to guidelines
 
-on: [pull_request]
+on:
+  pull_request:
+    branches:
+      - main
+      - v[0-9]+.x-staging
 
 env:
   NODE_VERSION: lts/*

CHANGELOG.md

@@ -41,7 +41,8 @@ release.
 </tr>
 <tr>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V25.md#25.8.2">25.8.2</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V25.md#25.9.0">25.9.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V25.md#25.8.2">25.8.2</a><br/>
 <a href="doc/changelogs/CHANGELOG_V25.md#25.8.1">25.8.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V25.md#25.8.0">25.8.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V25.md#25.7.0">25.7.0</a><br/>

SECURITY.md

@@ -152,28 +152,33 @@ does not trust is considered a vulnerability:
   the correct use of Node.js APIs.
 * The unavailability of the runtime, including the unbounded degradation of its
   performance.
-* Memory leaks qualify as vulnerabilities when all of the following criteria are met:
-  * The API is being correctly used.
-  * The API doesn't have a warning against its usage in a production environment.
-  * The API is public and documented.
-  * The API is on stable (2.0) status.
-  * The memory leak is significant enough to cause a denial of service quickly
-    or in a context not controlled by the user (for example, HTTP parsing).
-  * The memory leak is directly exploitable by an untrusted source without requiring application mistakes.
-  * The leak cannot be reasonably mitigated through standard operational practices (like process recycling).
-  * The leak occurs deterministically under normal usage patterns rather than edge cases.
-  * The leak occurs at a rate that would cause practical resource exhaustion within a practical timeframe under
-    typical workloads.
-  * The attack demonstrates [asymmetric resource consumption](https://cwe.mitre.org/data/definitions/405.html),
-    where the attacker expends significantly fewer resources than what's required by the server to process the
-    attack. Attacks requiring comparable resources on the attacker's side (which can be mitigated through common
-    practices like rate limiting) may not qualify.
 
 If Node.js loads configuration files or runs code by default (without a
 specific request from the user), and this is not documented, it is considered a
 vulnerability.
 Vulnerabilities related to this case may be fixed by a documentation update.
 
+#### Denial of Service (DoS) vulnerabilities
+
+For a behavior to be considered a DoS vulnerability, the PoC must meet the following criteria:
+
+* The API is being correctly used.
+* The API doesn't have a warning against its usage in a production environment.
+* The API is public and documented. If the API comes from JavaScript, the behavior must be
+  well-defined in the [ECMAScript specification](https://tc39.es/ecma262/).
+* The API has stable (2.0) status.
+* The behavior is significant enough to cause a denial of service quickly
+  or in a context not controlled by the Node.js application developer (for example, HTTP parsing).
+* The behavior is directly exploitable by an untrusted source without requiring application mistakes.
+* The behavior cannot be reasonably mitigated through standard operational practices (like process recycling).
+* The behavior occurs deterministically under normal usage patterns rather than edge cases.
+* The behavior occurs at a rate that would cause practical resource exhaustion within a practical timeframe under
+  typical workloads.
+* The attack demonstrates [asymmetric resource consumption](https://cwe.mitre.org/data/definitions/405.html),
+  where the attacker expends significantly fewer resources than what's required by the server to process the
+  attack. Attacks requiring comparable resources on the attacker's side (which can be mitigated through common
+  practices like rate limiting) may not qualify.
+
 **Node.js does NOT trust**:
 
 * Data received from the remote end of inbound network connections

configure.py

@@ -1452,7 +1452,9 @@ def get_cargo_version(cargo):
   except OSError:
     error('''No acceptable cargo found!
 
-       Please make sure you have cargo installed on your system.''')
+       Please make sure you have cargo installed on your system and/or
+       consider adjusting the CARGO environment variable if you have installed
+       it in a non-standard prefix.''')
 
   with proc:
     cargo_ret = to_utf8(proc.communicate()[0])
@@ -1540,8 +1542,9 @@ def check_compiler(o):
     # Minimum cargo and rustc versions should match values in BUILDING.md.
     min_cargo_ver_tuple = (1, 82)
     min_rustc_ver_tuple = (1, 82)
-    cargo_ver = get_cargo_version('cargo')
-    print_verbose(f'Detected cargo: {cargo_ver}')
+    cargo = os.environ.get('CARGO', 'cargo')
+    cargo_ver = get_cargo_version(cargo)
+    print_verbose(f'Detected cargo (CARGO={cargo}): {cargo_ver}')
     cargo_ver_tuple = tuple(map(int, cargo_ver.split('.')))
     if cargo_ver_tuple < min_cargo_ver_tuple:
       warn(f'cargo {cargo_ver} too old, need cargo {".".join(map(str, min_cargo_ver_tuple))}')
@@ -2751,6 +2754,11 @@ def make_bin_override():
 # will fail to run python scripts.
 gyp_args += ['-Dpython=' + python]
 
+if options.v8_enable_temporal_support and not options.shared_temporal_capi:
+  cargo = os.environ.get('CARGO')
+  if cargo:
+    gyp_args += ['-Dcargo=' + cargo]
+
 if options.use_ninja:
   gyp_args += ['-f', 'ninja-' + flavor]
 elif flavor == 'win' and sys.platform != 'msys':

deps/crates/crates.gyp

@@ -1,5 +1,6 @@
 {
   'variables': {
+    'cargo%': 'cargo',
     'cargo_vendor_dir': './vendor',
   },
   'conditions': [
@@ -48,7 +49,7 @@
             '<(node_crates_libpath)'
           ],
           'action': [
-            'cargo',
+            '<(cargo)',
             'rustc',
             '<@(cargo_build_flags)',
             '--frozen',

doc/api/async_context.md

@@ -389,7 +389,7 @@ try {
 ### `asyncLocalStorage.withScope(store)`
 
 <!-- YAML
-added: REPLACEME
+added: v25.9.0
 -->
 
 > Stability: 1 - Experimental
@@ -527,7 +527,7 @@ probably responsible for the context loss.
 ## Class: `RunScope`
 
 <!-- YAML
-added: REPLACEME
+added: v25.9.0
 -->
 
 > Stability: 1 - Experimental
@@ -543,7 +543,7 @@ exits, whether through normal completion or by throwing an error.
 ### `scope.dispose()`
 
 <!-- YAML
-added: REPLACEME
+added: v25.9.0
 -->
 
 Explicitly ends the scope and restores the previous store value. This method

doc/api/cli.md

@@ -1280,7 +1280,7 @@ Enable experimental support for storage inspection
 ### `--experimental-stream-iter`
 
 <!-- YAML
-added: REPLACEME
+added: v25.9.0
 -->
 
 > Stability: 1 - Experimental
@@ -2784,6 +2784,38 @@ changes:
 Configures the test runner to only execute top level tests that have the `only`
 option set. This flag is not necessary when test isolation is disabled.
 
+### `--test-random-seed`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+Set the seed used to randomize test execution order. This applies to both test
+file execution order and queued tests within each file. Providing this flag
+enables randomization implicitly, even without `--test-randomize`.
+
+The value must be an integer between `0` and `4294967295`.
+
+This flag cannot be used with `--watch` or `--test-rerun-failures`.
+
+### `--test-randomize`
+
+<!-- YAML
+added: REPLACEME
+-->
+
+Randomize test execution order. This applies to both test file execution order
+and queued tests within each file. This can help detect tests that rely on
+shared state or execution order.
+
+The seed used for randomization is printed in the test summary and can be
+reused with `--test-random-seed`.
+
+For detailed behavior and examples, see
+[randomizing tests execution order][].
+
+This flag cannot be used with `--watch` or `--test-rerun-failures`.
+
 ### `--test-reporter`
 
 <!-- YAML
@@ -3702,6 +3734,8 @@ one is included in the list below.
 * `--test-isolation`
 * `--test-name-pattern`
 * `--test-only`
+* `--test-random-seed`
+* `--test-randomize`
 * `--test-reporter-destination`
 * `--test-reporter`
 * `--test-rerun-failures`
@@ -4286,6 +4320,7 @@ node --stack-trace-limit=12 -p -e "Error.stackTraceLimit" # prints 12
 [libuv threadpool documentation]: https://docs.libuv.org/en/latest/threadpool.html
 [module compile cache]: module.md#module-compile-cache
 [preloading asynchronous module customization hooks]: module.md#registration-of-asynchronous-customization-hooks
+[randomizing tests execution order]: test.md#randomizing-tests-execution-order
 [remote code execution]: https://www.owasp.org/index.php/Code_Injection
 [running tests from the command line]: test.md#running-tests-from-the-command-line
 [scavenge garbage collector]: https://v8.dev/blog/orinoco-parallel-scavenger

doc/api/deprecations.md

@@ -4488,7 +4488,7 @@ changes:
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/62453
     description: Runtime deprecation.
-  - version: REPLACEME
+  - version: v25.9.0
     pr-url: https://github.com/nodejs/node/pull/62321
     description: Documentation-only deprecation.
 -->
@@ -4513,7 +4513,7 @@ changes:
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/62453
     description: Runtime deprecation.
-  - version: REPLACEME
+  - version: v25.9.0
     pr-url: https://github.com/nodejs/node/pull/62321
     description: Documentation-only deprecation.
 -->
@@ -4528,15 +4528,26 @@ deprecated and will throw an error in a future version.
 <!-- YAML
 changes:
   - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/62401
+    description: Runtime deprecation.
+  - version: v25.9.0
     pr-url: https://github.com/nodejs/node/pull/62395
     description: Documentation-only deprecation.
 -->
 
-Type: Documentation-only
+Type: Runtime
 
 [`module.register()`][] is deprecated. Use [`module.registerHooks()`][]
 instead.
 
+The `module.register()` API provides off-thread async hooks for customizing ES modules;
+the `module.registerHooks()` API provides similar hooks that are synchronous, in-thread, and
+work for all types of modules.
+Supporting async hooks has proven to be complex, involving worker threads orchestration, and there are issues
+that have proven unresolveable. See [caveats of asynchronous customization hooks][]. Please migrate to
+`module.registerHooks()` as soon as possible as `module.register()` will be
+removed in a future version of Node.js.
+
 [DEP0142]: #dep0142-repl_builtinlibs
 [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
 [RFC 6066]: https://tools.ietf.org/html/rfc6066#section-3
@@ -4696,6 +4707,7 @@ instead.
 [`zlib.bytesWritten`]: zlib.md#zlibbyteswritten
 [alloc]: buffer.md#static-method-bufferallocsize-fill-encoding
 [alloc_unsafe_size]: buffer.md#static-method-bufferallocunsafesize
+[caveats of asynchronous customization hooks]: module.md#caveats-of-asynchronous-customization-hooks
 [from_arraybuffer]: buffer.md#static-method-bufferfromarraybuffer-byteoffset-length
 [from_string_encoding]: buffer.md#static-method-bufferfromstring-encoding
 [legacy URL API]: url.md#legacy-url-api