diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index da85ed78dd6f79..5ef23759b3e18e 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -18,6 +18,7 @@
 /doc/contributing/**/* @nodejs/tsc
 /GOVERNANCE.md @nodejs/tsc
 /SECURITY.md @nodejs/tsc
+/BUILDING.md @nodejs/build @nodejs/tsc
 /LICENSE @nodejs/tsc
 /onboarding.md @nodejs/tsc
 
@@ -223,3 +224,8 @@
 /lib/internal/inspector/* @nodejs/inspector
 /lib/internal/inspector_* @nodejs/inspector
 /lib/inspector.js @nodejs/inspector
+
+# path
+/lib/path.js @nodejs/path
+/lib/path/* @nodejs/path
+/test/parallel/test-path-* @nodejs/path
diff --git a/.mailmap b/.mailmap
index c0aac7e9647a69..0422fba4472601 100644
--- a/.mailmap
+++ b/.mailmap
@@ -6,6 +6,7 @@ Abdirahim Musse <abdirahim.musse@ibm.com> <33973272+abmusse@users.noreply.github
 Abe Fettig <abefettig@gmail.com> <abe@fettig.net>
 Abhimanyu Vashisht <abhimanyuvashisht.av@gmail.com>
 Adam Langley <agl@imperialviolet.org> <agl@google.com>
+Aditi Singh <aditisingh1400@gmail.com>
 Akhil Marsonya <akhil.marsonya27@gmail.com>
 Akhil Marsonya <akhil.marsonya27@gmail.com> <16393876+marsonya@users.noreply.github.com>
 Akito Ito <akito0107@gmail.com> <akito_ito@r.recruit.co.jp>
diff --git a/BUILDING.md b/BUILDING.md
index 4c46468139f7da..3e28e3349950d2 100644
--- a/BUILDING.md
+++ b/BUILDING.md
@@ -272,6 +272,11 @@ export CXX=g++-12
 make -j4
 ```
 
+> \[!IMPORTANT]
+> If you face a compilation error during this process such as
+> `error: no matching conversion for functional-style cast from 'unsigned int' to 'TypeIndex'`
+> Make sure to use a `g++` or `clang` version compatible with C++20.
+
 We can speed up the builds by using [Ninja](https://ninja-build.org/). For more
 information, see
 [Building Node.js with Ninja](doc/contributing/building-node-with-ninja.md).
diff --git a/CHANGELOG.md b/CHANGELOG.md
index eeefd70a36b175..f1983b2ddda791 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -40,7 +40,8 @@ release.
 </tr>
 <tr>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V24.md#24.5.0">24.5.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V24.md#24.6.0">24.6.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V24.md#24.5.0">24.5.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V24.md#24.4.1">24.4.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V24.md#24.4.0">24.4.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V24.md#24.3.0">24.3.0</a><br/>
diff --git a/LICENSE b/LICENSE
index 632097c25807e7..4b18b2e40ac606 100644
--- a/LICENSE
+++ b/LICENSE
@@ -2639,3 +2639,28 @@ The externally maintained libraries used by Node.js are:
     OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
     SOFTWARE.
   """
+
+- sonic-boom, located at lib/internal/streams/fast-utf8-stream.js, is licensed as follows:
+  """
+    MIT License
+
+    Copyright (c) 2017 Matteo Collina
+
+    Permission is hereby granted, free of charge, to any person obtaining a copy
+    of this software and associated documentation files (the "Software"), to deal
+    in the Software without restriction, including without limitation the rights
+    to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+    copies of the Software, and to permit persons to whom the Software is
+    furnished to do so, subject to the following conditions:
+
+    The above copyright notice and this permission notice shall be included in all
+    copies or substantial portions of the Software.
+
+    THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+    IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+    FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+    AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+    LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+    OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+    SOFTWARE.
+  """
diff --git a/SECURITY.md b/SECURITY.md
index c023dcd2aaf81f..d5cc79095371e3 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -179,6 +179,11 @@ then untrusted input must not lead to arbitrary JavaScript code execution.
   See <https://nodejs.org/api/modules.html#all-together>.
 * The `node:wasi` module does not currently provide the comprehensive file
   system security properties provided by some WASI runtimes.
+* The execution path is trusted. Additionally, Node.js path manipulation functions
+  such as `path.join()` and `path.normalize()` trust their input. Reports about issues
+  related to these functions that rely on unsanitized input are not considered vulnerabilities
+  requiring CVEs, as it's the user's responsibility to sanitize path inputs according to
+  their security requirements.
 
 Any unexpected behavior from the data manipulation from Node.js Internal
 functions may be considered a vulnerability if they are exploitable via
diff --git a/benchmark/calibrate-n.js b/benchmark/calibrate-n.js
new file mode 100644
index 00000000000000..16bb512cc50a8c
--- /dev/null
+++ b/benchmark/calibrate-n.js
@@ -0,0 +1,292 @@
+'use strict';
+
+const path = require('node:path');
+const { fork } = require('node:child_process');
+const fs = require('node:fs');
+const { styleText } = require('node:util');
+
+const DEFAULT_RUNS = 30;        // Number of runs for each n value
+const CV_THRESHOLD = 0.05;      // 5% coefficient of variation threshold
+const MAX_N_INCREASE = 6;       // Maximum number of times to increase n (10**6)
+const INCREASE_FACTOR = 10;     // Factor by which to increase n
+
+const args = process.argv.slice(2);
+if (args.length === 0) {
+  console.log(`
+Usage: node calibrate-n.js [options] <benchmark_path>
+
+Options:
+  --runs=N           Number of runs for each n value (default: ${DEFAULT_RUNS})
+  --cv-threshold=N   Target coefficient of variation threshold (default: ${CV_THRESHOLD})
+  --max-increases=N  Maximum number of n increases to try (default: ${MAX_N_INCREASE})
+  --start-n=N        Initial n value to start with (default: autodetect)
+  --increase=N       Factor by which to increase n (default: ${INCREASE_FACTOR})
+
+Example:
+  node calibrate-n.js buffers/buffer-compare.js
+  node calibrate-n.js --runs=10 --cv-threshold=0.02 buffers/buffer-compare.js
+  `);
+  process.exit(1);
+}
+
+// Extract options
+let benchmarkPath;
+let runs = DEFAULT_RUNS;
+let cvThreshold = CV_THRESHOLD;
+let maxIncreases = MAX_N_INCREASE;
+let startN = 10;
+let increaseFactor = INCREASE_FACTOR;
+
+for (const arg of args) {
+  if (arg.startsWith('--runs=')) {
+    runs = parseInt(arg.substring(7), 10);
+  } else if (arg.startsWith('--cv-threshold=')) {
+    cvThreshold = parseFloat(arg.substring(14));
+  } else if (arg.startsWith('--max-increases=')) {
+    maxIncreases = parseInt(arg.substring(15), 10);
+    if (isNaN(maxIncreases)) {
+      console.error(`Error: Invalid value for --max-increases. Using default: ${MAX_N_INCREASE}`);
+      maxIncreases = MAX_N_INCREASE;
+    }
+  } else if (arg.startsWith('--start-n=')) {
+    startN = parseInt(arg.substring(10), 10);
+    if (isNaN(startN)) {
+      console.error(`Error: Invalid value for --start-n. Using default: 10`);
+      startN = 10;
+    }
+  } else if (arg.startsWith('--increase=')) {
+    increaseFactor = parseInt(arg.substring(11), 10);
+    if (isNaN(increaseFactor)) {
+      console.error(`Error: Invalid value for --increase. Using default: ${INCREASE_FACTOR}`);
+      increaseFactor = INCREASE_FACTOR;
+    }
+  } else {
+    benchmarkPath = arg;
+  }
+}
+
+if (!benchmarkPath) {
+  console.error('Error: No benchmark path specified');
+  process.exit(1);
+}
+
+const fullBenchmarkPath = path.resolve(benchmarkPath);
+if (!fs.existsSync(fullBenchmarkPath)) {
+  console.error(`Error: Benchmark file not found: ${fullBenchmarkPath}`);
+  process.exit(1);
+}
+
+function calculateStats(values) {
+  const mean = values.reduce((sum, val) => sum + val, 0) / values.length;
+
+  const squaredDiffs = values.map((val) => {
+    const diff = val - mean;
+    const squared = diff ** 2;
+    return squared;
+  });
+
+  const variance = squaredDiffs.reduce((sum, val) => sum + val, 0) / values.length;
+  const stdDev = Math.sqrt(variance);
+  const cv = stdDev / mean;
+
+  return { mean, stdDev, cv, variance };
+}
+
+function runBenchmark(n) {
+  return new Promise((resolve, reject) => {
+    const child = fork(
+      fullBenchmarkPath,
+      [`n=${n}`],
+      { stdio: ['inherit', 'pipe', 'inherit', 'ipc'] },
+    );
+
+    const results = [];
+    child.on('message', (data) => {
+      if (data.type === 'report' && data.rate && data.conf) {
+        results.push({
+          rate: data.rate,
+          conf: data.conf,
+        });
+      }
+    });
+
+    child.on('close', (code) => {
+      if (code !== 0) {
+        reject(new Error(`Benchmark exited with code ${code}`));
+      } else {
+        resolve(results);
+      }
+    });
+  });
+}
+
+async function main(n = startN) {
+  let increaseCount = 0;
+  let bestN = n;
+  let bestCV = Infinity;
+  let bestGroupStats = null;
+
+  console.log(`
+--------------------------------------------------------
+Benchmark: ${benchmarkPath}
+--------------------------------------------------------
+What we are trying to find: The optimal number of iterations (n)
+that produces consistent benchmark results without wasting time.
+
+How it works:
+1. Run the benchmark multiple times with a specific n value
+2. Group results by configuration
+3. If overall CV is above 5% or any configuration has CV above 10%, increase n and try again
+
+Configuration:
+- Starting n: ${n.toLocaleString()} iterations
+- Runs per n value: ${runs}
+- Target CV threshold: ${cvThreshold * 100}% (lower CV = more stable results)
+- Max increases: ${maxIncreases}
+- Increase factor: ${increaseFactor}x`);
+
+  while (increaseCount < maxIncreases) {
+    console.log(`\nTesting with n=${n}:`);
+
+    const resultsData = [];
+    for (let i = 0; i < runs; i++) {
+      const results = await runBenchmark(n);
+      // Each run might return multiple results (one per configuration)
+      if (Array.isArray(results) && results.length > 0) {
+        resultsData.push(...results);
+      } else if (results) {
+        resultsData.push(results);
+      }
+      process.stdout.write('.');
+    }
+    process.stdout.write('\n');
+
+    const groupedResults = {};
+    resultsData.forEach((result) => {
+      if (!result || !result.conf) return;
+
+      const confKey = JSON.stringify(result.conf);
+      groupedResults[confKey] ||= {
+        conf: result.conf,
+        rates: [],
+      };
+
+      groupedResults[confKey].rates.push(result.rate);
+    });
+
+    const groupStats = [];
+    for (const [confKey, group] of Object.entries(groupedResults)) {
+      console.log(`\nConfiguration: ${JSON.stringify(group.conf)}`);
+
+      const stats = calculateStats(group.rates);
+      console.log(`  CV: ${(stats.cv * 100).toFixed(2)}% (lower values mean more stable results)`);
+
+      const isStable = stats.cv <= cvThreshold;
+      console.log(`  Stability: ${isStable ?
+        styleText(['bold', 'green'], '✓ Stable') :
+        styleText(['bold', 'red'], '✗ Unstable')}`);
+
+      groupStats.push({
+        confKey,
+        stats,
+        isStable,
+      });
+    }
+
+    if (groupStats.length > 0) {
+      // Check if any configuration has CV > 10% (too unstable)
+      const tooUnstableConfigs = groupStats.filter((g) => g.stats.cv > 0.10);
+
+      const avgCV = groupStats.reduce((sum, g) => sum + g.stats.cv, 0) / groupStats.length;
+      console.log(`\nOverall average CV: ${(avgCV * 100).toFixed(2)}%`);
+
+      const isOverallStable = avgCV < CV_THRESHOLD;
+      const hasVeryUnstableConfigs = tooUnstableConfigs.length > 0;
+
+      // Check if overall CV is below CV_THRESHOLD and no configuration has CV > 10%
+      if (isOverallStable && !hasVeryUnstableConfigs) {
+        console.log(styleText(['bold', 'green'], `  ✓ Overall CV is below 5% and no configuration has CV above 10%`));
+      } else {
+        if (!isOverallStable) {
+          console.log(styleText(['bold', 'red'], `  ✗ Overall CV (${(avgCV * 100).toFixed(2)}%) is above 5%`));
+        }
+        if (hasVeryUnstableConfigs) {
+          console.log(styleText(['bold', 'red'], `  ✗ ${tooUnstableConfigs.length} configuration(s) have CV above 10%`));
+        }
+      }
+
+      if (avgCV < bestCV || !bestGroupStats) {
+        bestN = n;
+        bestCV = avgCV;
+
+        bestGroupStats = [];
+        for (const group of Object.values(groupedResults)) {
+          if (group.rates.length >= 3) {
+            const stats = calculateStats(group.rates);
+            bestGroupStats.push({
+              conf: group.conf,
+              stats: stats,
+              isStable: stats.cv <= 0.10,
+            });
+          }
+        }
+        console.log(`  → New best n: ${n} with average CV: ${(avgCV * 100).toFixed(2)}%`);
+      } else {
+        console.log(`  → Current best n remains: ${bestN} with average CV: ${(bestCV * 100).toFixed(2)}%`);
+      }
+    }
+
+    // Check if we've reached acceptable stability based on new criteria
+    // 1. Overall CV should be below CV_THRESHOLD
+    // 2. No configuration should have a CV greater than 10%
+    const avgCV = groupStats.length > 0 ?
+      groupStats.reduce((sum, g) => sum + g.stats.cv, 0) / groupStats.length : Infinity;
+    const hasUnstableConfig = groupStats.some((g) => g.stats.cv > 0.10);
+    const isOverallStable = avgCV < CV_THRESHOLD;
+
+    if (isOverallStable && !hasUnstableConfig) {
+      console.log(`\n✓ Found optimal n=${n} (Overall CV=${(avgCV * 100).toFixed(2)}% < 5% and no configuration has CV > 10%)`);
+      console.log('\nFinal CV for each configuration:');
+      groupStats.forEach((g) => {
+        console.log(`  ${JSON.stringify(groupedResults[g.confKey].conf)}: ${(g.stats.cv * 100).toFixed(2)}%`);
+      });
+
+      return n;
+    }
+
+    increaseCount++;
+    n *= increaseFactor;
+  }
+
+  if (increaseCount >= maxIncreases) {
+    const finalAvgCV = bestGroupStats && bestGroupStats.length > 0 ?
+      bestGroupStats.reduce((sum, g) => sum + g.stats.cv, 0) / bestGroupStats.length : Infinity;
+
+    console.log(`Maximum number of increases (${maxIncreases}) reached without achieving target stability`);
+    console.log(`Best n found: ${bestN} with average CV=${(finalAvgCV * 100).toFixed(2)}%`);
+    console.log(`\nCV by configuration at best n:`);
+
+    if (bestGroupStats) {
+      bestGroupStats.forEach((g) => {
+        if (g.conf) {
+          console.log(`  ${JSON.stringify(g.conf)}: ${(g.stats.cv * 100).toFixed(2)}%`);
+          if (g.stats.cv > cvThreshold) {
+            console.log(`    ⚠️ This configuration is above the target threshold of ${cvThreshold * 100}%`);
+          }
+        }
+      });
+    }
+  }
+
+  console.log(`
+Recommendation: You might want to try increasing --max-increases to
+continue testing with larger n values, or adjust --cv-threshold to
+accept the current best result, or investigate if specific configurations
+are contributing to instability.`);
+  return bestN;
+}
+
+main().catch((err) => {
+  console.error('Error:', err);
+  process.exit(1);
+});
diff --git a/benchmark/crypto/create-keyobject.js b/benchmark/crypto/create-keyobject.js
index 1e98ac347d7efc..75988031abf6cc 100644
--- a/benchmark/crypto/create-keyobject.js
+++ b/benchmark/crypto/create-keyobject.js
@@ -18,13 +18,14 @@ function readKeyPair(publicKeyName, privateKeyName) {
 }
 
 const keyFixtures = {
-  ec: readKeyPair('ec_p256_public', 'ec_p256_private'),
-  rsa: readKeyPair('rsa_public_2048', 'rsa_private_2048'),
-  ed25519: readKeyPair('ed25519_public', 'ed25519_private'),
+  'ec': readKeyPair('ec_p256_public', 'ec_p256_private'),
+  'rsa': readKeyPair('rsa_public_2048', 'rsa_private_2048'),
+  'ed25519': readKeyPair('ed25519_public', 'ed25519_private'),
+  'ml-dsa-44': readKeyPair('ml_dsa_44_public', 'ml_dsa_44_private'),
 };
 
 const bench = common.createBenchmark(main, {
-  keyType: ['rsa', 'ec', 'ed25519'],
+  keyType: ['rsa', 'ec', 'ed25519', 'ml-dsa-44'],
   keyFormat: ['pkcs8', 'spki', 'der-pkcs8', 'der-spki', 'jwk-public', 'jwk-private'],
   n: [1e3],
 });
diff --git a/benchmark/crypto/oneshot-sign.js b/benchmark/crypto/oneshot-sign.js
index 88e67b9dfb1cf9..97372606a10ade 100644
--- a/benchmark/crypto/oneshot-sign.js
+++ b/benchmark/crypto/oneshot-sign.js
@@ -6,10 +6,15 @@ const fs = require('fs');
 const path = require('path');
 const fixtures_keydir = path.resolve(__dirname, '../../test/fixtures/keys/');
 
+function readKey(name) {
+  return fs.readFileSync(`${fixtures_keydir}/${name}.pem`, 'utf8');
+}
+
 const keyFixtures = {
-  ec: fs.readFileSync(`${fixtures_keydir}/ec_p256_private.pem`, 'utf-8'),
-  rsa: fs.readFileSync(`${fixtures_keydir}/rsa_private_2048.pem`, 'utf-8'),
-  ed25519: fs.readFileSync(`${fixtures_keydir}/ed25519_private.pem`, 'utf-8'),
+  'ec': readKey('ec_p256_private'),
+  'rsa': readKey('rsa_private_2048'),
+  'ed25519': readKey('ed25519_private'),
+  'ml-dsa-44': readKey('ml_dsa_44_private'),
 };
 
 const data = crypto.randomBytes(256);
@@ -18,7 +23,7 @@ let pems;
 let keyObjects;
 
 const bench = common.createBenchmark(main, {
-  keyType: ['rsa', 'ec', 'ed25519'],
+  keyType: ['rsa', 'ec', 'ed25519', 'ml-dsa-44'],
   mode: ['sync', 'async', 'async-parallel'],
   keyFormat: ['pem', 'der', 'jwk', 'keyObject', 'keyObject.unique'],
   n: [1e3],
@@ -90,6 +95,7 @@ function main({ n, mode, keyFormat, keyType }) {
       digest = 'sha256';
       break;
     case 'ed25519':
+    case 'ml-dsa-44':
       break;
     default:
       throw new Error('not implemented');
diff --git a/benchmark/crypto/oneshot-verify.js b/benchmark/crypto/oneshot-verify.js
index 121be28d4d9578..9569d5168f60ce 100644
--- a/benchmark/crypto/oneshot-verify.js
+++ b/benchmark/crypto/oneshot-verify.js
@@ -18,9 +18,10 @@ function readKeyPair(publicKeyName, privateKeyName) {
 }
 
 const keyFixtures = {
-  ec: readKeyPair('ec_p256_public', 'ec_p256_private'),
-  rsa: readKeyPair('rsa_public_2048', 'rsa_private_2048'),
-  ed25519: readKeyPair('ed25519_public', 'ed25519_private'),
+  'ec': readKeyPair('ec_p256_public', 'ec_p256_private'),
+  'rsa': readKeyPair('rsa_public_2048', 'rsa_private_2048'),
+  'ed25519': readKeyPair('ed25519_public', 'ed25519_private'),
+  'ml-dsa-44': readKeyPair('ml_dsa_44_public', 'ml_dsa_44_private'),
 };
 
 const data = crypto.randomBytes(256);
@@ -29,7 +30,7 @@ let pems;
 let keyObjects;
 
 const bench = common.createBenchmark(main, {
-  keyType: ['rsa', 'ec', 'ed25519'],
+  keyType: ['rsa', 'ec', 'ed25519', 'ml-dsa-44'],
   mode: ['sync', 'async', 'async-parallel'],
   keyFormat: ['pem', 'der', 'jwk', 'keyObject', 'keyObject.unique'],
   n: [1e3],
@@ -104,6 +105,7 @@ function main({ n, mode, keyFormat, keyType }) {
       digest = 'sha256';
       break;
     case 'ed25519':
+    case 'ml-dsa-44':
       break;
     default:
       throw new Error('not implemented');
diff --git a/benchmark/es/spread-assign.js b/benchmark/es/spread-assign.js
deleted file mode 100644
index f0dcd56bb606b1..00000000000000
--- a/benchmark/es/spread-assign.js
+++ /dev/null
@@ -1,42 +0,0 @@
-'use strict';
-
-const common = require('../common.js');
-const util = require('util');
-
-const bench = common.createBenchmark(main, {
-  method: ['spread', 'assign', '_extend'],
-  count: [5, 10, 20],
-  n: [1e6],
-});
-
-function main({ n, context, count, rest, method }) {
-
-  const src = {};
-  for (let n = 0; n < count; n++)
-    src[`p${n}`] = n;
-
-  let obj;
-
-  switch (method) {
-    case '_extend':
-      bench.start();
-      for (let i = 0; i < n; i++)
-        obj = util._extend({}, src);
-      bench.end(n);
-      break;
-    case 'assign':
-      bench.start();
-      for (let i = 0; i < n; i++)
-        obj = Object.assign({}, src);
-      bench.end(n);
-      break;
-    case 'spread':
-      bench.start();
-      for (let i = 0; i < n; i++)
-        obj = { ...src }; // eslint-disable-line no-unused-vars
-      bench.end(n);
-      break;
-    default:
-      throw new Error('Unexpected method');
-  }
-}
diff --git a/benchmark/fs/writefile-promises.js b/benchmark/fs/writefile-promises.js
index 41c029051bc04d..f271d837115406 100644
--- a/benchmark/fs/writefile-promises.js
+++ b/benchmark/fs/writefile-promises.js
@@ -39,8 +39,17 @@ function main({ encodingType, duration, concurrent, size }) {
   let writes = 0;
   let waitConcurrent = 0;
 
-  const startedAt = Date.now();
-  const endAt = startedAt + (duration * 1000);
+  let startedAt = Date.now();
+  let endAt = startedAt + duration * 1000;
+
+  // fs warmup
+  for (let i = 0; i < concurrent; i++) write();
+
+  writes = 0;
+  waitConcurrent = 0;
+
+  startedAt = Date.now();
+  endAt = startedAt + duration * 1000;
 
   bench.start();
 
@@ -59,7 +68,8 @@ function main({ encodingType, duration, concurrent, size }) {
   }
 
   function write() {
-    fs.promises.writeFile(`${filename}-${filesWritten++}`, chunk, encoding)
+    fs.promises
+      .writeFile(`${filename}-${filesWritten++}`, chunk, encoding)
       .then(() => afterWrite())
       .catch((err) => afterWrite(err));
   }
@@ -72,7 +82,7 @@ function main({ encodingType, duration, concurrent, size }) {
     writes++;
     const benchEnded = Date.now() >= endAt;
 
-    if (benchEnded && (++waitConcurrent) === concurrent) {
+    if (benchEnded && ++waitConcurrent === concurrent) {
       stop();
     } else if (!benchEnded) {
       write();
diff --git a/common.gypi b/common.gypi
index 9c3707d46cb053..4a78c9029a4523 100644
--- a/common.gypi
+++ b/common.gypi
@@ -38,7 +38,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.21',
+    'v8_embedder_string': '-node.24',
 
     ##### V8 defaults for Node.js #####
 
diff --git a/deps/ada/ada.cpp b/deps/ada/ada.cpp
index 16e3fe27271f90..b796823b1397e9 100644
--- a/deps/ada/ada.cpp
+++ b/deps/ada/ada.cpp
@@ -1,4 +1,4 @@
-/* auto-generated on 2025-07-16 22:15:14 -0400. Do not edit! */
+/* auto-generated on 2025-07-27 12:29:50 -0400. Do not edit! */
 /* begin file src/ada.cpp */
 #include "ada.h"
 /* begin file src/checkers.cpp */
@@ -9511,12 +9511,14 @@ bool is_label_valid(const std::u32string_view label) {
       for (size_t i = 0; i <= last_non_nsm_char; i++) {
         const direction d = find_direction(label[i]);
 
+        // NOLINTBEGIN(bugprone-assignment-in-if-condition)
         // In an RTL label, if an EN is present, no AN may be present, and vice
         // versa.
         if ((d == direction::EN && ((has_en = true) && has_an)) ||
             (d == direction::AN && ((has_an = true) && has_en))) {
           return false;
         }
+        // NOLINTEND(bugprone-assignment-in-if-condition)
 
         if (!(d == direction::R || d == direction::AL || d == direction::AN ||
               d == direction::EN || d == direction::ES || d == direction::CS ||
@@ -10908,6 +10910,7 @@ bool percent_encode(const std::string_view input, const uint8_t character_set[],
   }
   ada_log("percent_encode appending ", std::distance(input.begin(), pointer),
           " bytes");
+  // NOLINTNEXTLINE(bugprone-suspicious-stringview-data-usage)
   out.append(input.data(), std::distance(input.begin(), pointer));
   ada_log("percent_encode processing ", std::distance(pointer, input.end()),
           " bytes");
@@ -10942,6 +10945,7 @@ bool to_ascii(std::optional<std::string>& out, const std::string_view plain,
 std::string percent_encode(const std::string_view input,
                            const uint8_t character_set[], size_t index) {
   std::string out;
+  // NOLINTNEXTLINE(bugprone-suspicious-stringview-data-usage)
   out.append(input.data(), index);
   auto pointer = input.begin() + index;
   for (; pointer != input.end(); pointer++) {
@@ -12008,6 +12012,7 @@ ada_warn_unused std::string to_string(ada::state state) {
 
 #include <numeric>
 #include <algorithm>
+#include <iterator>
 #include <ranges>
 #include <string>
 #include <string_view>
@@ -12570,6 +12575,7 @@ ada_really_inline void url::parse_path(std::string_view input) {
   if (has_search()) {
     answer.append(",\n");
     answer.append("\t\"query\":\"");
+    // NOLINTNEXTLINE(bugprone-unchecked-optional-access)
     helpers::encode_json(query.value(), back);
     answer.append("\"");
   }
@@ -13316,6 +13322,7 @@ result_type parse_url_impl(std::string_view user_input,
 
         // If c is U+002F (/), then set state to relative slash state.
         if ((input_position != input_size) &&
+            // NOLINTNEXTLINE(bugprone-branch-clone)
             (url_data[input_position] == '/')) {
           ada_log(
               "RELATIVE_SCHEME if c is U+002F (/), then set state to relative "
@@ -13848,6 +13855,7 @@ template url_aggregator parse_url<url_aggregator>(
 /* end file src/parser.cpp */
 /* begin file src/url_components.cpp */
 
+#include <iterator>
 #include <string>
 
 namespace ada {
@@ -13897,6 +13905,7 @@ namespace ada {
 /* end file src/url_components.cpp */
 /* begin file src/url_aggregator.cpp */
 
+#include <iterator>
 #include <ranges>
 #include <string>
 #include <string_view>
diff --git a/deps/ada/ada.h b/deps/ada/ada.h
index e0be62fec53e85..a525f93bba3c0d 100644
--- a/deps/ada/ada.h
+++ b/deps/ada/ada.h
@@ -1,4 +1,4 @@
-/* auto-generated on 2025-07-16 22:15:14 -0400. Do not edit! */
+/* auto-generated on 2025-07-27 12:29:50 -0400. Do not edit! */
 /* begin file include/ada.h */
 /**
  * @file ada.h
@@ -947,7 +947,7 @@ constexpr uint8_t WWW_FORM_URLENCODED_PERCENT_ENCODE[32] = {
     // 50     51     52     53     54     55     56     57
     0x00 | 0x00 | 0x00 | 0x00 | 0x00 | 0x00 | 0x00 | 0x00,
     // 58     59     5A     5B     5C     5D     5E     5F
-    0x00 | 0x00 | 0x00 | 0x08 | 0x00 | 0x20 | 0x40 | 0x00,
+    0x00 | 0x00 | 0x00 | 0x08 | 0x10 | 0x20 | 0x40 | 0x00,
     // 60     61     62     63     64     65     66     67
     0x01 | 0x00 | 0x00 | 0x00 | 0x00 | 0x00 | 0x00 | 0x00,
     // 68     69     6A     6B     6C     6D     6E     6F
@@ -6641,6 +6641,7 @@ inline std::ostream &operator<<(std::ostream &out, const ada::url &u) {
   out.protocol_end = uint32_t(get_protocol().size());
 
   // Trailing index is always the next character of the current one.
+  // NOLINTNEXTLINE(clang-analyzer-deadcode.DeadStores)
   size_t running_index = out.protocol_end;
 
   if (host.has_value()) {
@@ -10514,14 +10515,14 @@ constructor_string_parser<regex_provider>::parse(std::string_view input) {
 #ifndef ADA_ADA_VERSION_H
 #define ADA_ADA_VERSION_H
 
-#define ADA_VERSION "3.2.6"
+#define ADA_VERSION "3.2.7"
 
 namespace ada {
 
 enum {
   ADA_VERSION_MAJOR = 3,
   ADA_VERSION_MINOR = 2,
-  ADA_VERSION_REVISION = 6,
+  ADA_VERSION_REVISION = 7,
 };
 
 }  // namespace ada
diff --git a/deps/ncrypto/ncrypto.cc b/deps/ncrypto/ncrypto.cc
index cb6b6ab4a6137b..a2bfe874650fd5 100644
--- a/deps/ncrypto/ncrypto.cc
+++ b/deps/ncrypto/ncrypto.cc
@@ -1897,6 +1897,31 @@ EVPKeyPointer EVPKeyPointer::NewRawPrivate(
       EVP_PKEY_new_raw_private_key(id, nullptr, data.data, data.len));
 }
 
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+EVPKeyPointer EVPKeyPointer::NewRawSeed(
+    int id, const Buffer<const unsigned char>& data) {
+  if (id == 0) return {};
+
+  OSSL_PARAM params[] = {
+      OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_ML_DSA_SEED,
+                                        const_cast<unsigned char*>(data.data),
+                                        data.len),
+      OSSL_PARAM_END};
+
+  EVP_PKEY_CTX* ctx = EVP_PKEY_CTX_new_id(id, nullptr);
+  if (ctx == nullptr) return {};
+
+  EVP_PKEY* pkey = nullptr;
+  if (ctx == nullptr || EVP_PKEY_fromdata_init(ctx) <= 0 ||
+      EVP_PKEY_fromdata(ctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) {
+    EVP_PKEY_CTX_free(ctx);
+    return {};
+  }
+
+  return EVPKeyPointer(pkey);
+}
+#endif
+
 EVPKeyPointer EVPKeyPointer::NewDH(DHPointer&& dh) {
   if (!dh) return {};
   auto key = New();
@@ -1942,7 +1967,16 @@ EVP_PKEY* EVPKeyPointer::release() {
 
 int EVPKeyPointer::id(const EVP_PKEY* key) {
   if (key == nullptr) return 0;
-  return EVP_PKEY_id(key);
+  int type = EVP_PKEY_id(key);
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+  // https://github.com/openssl/openssl/issues/27738#issuecomment-3013215870
+  if (type == -1) {
+    if (EVP_PKEY_is_a(key, "ML-DSA-44")) return EVP_PKEY_ML_DSA_44;
+    if (EVP_PKEY_is_a(key, "ML-DSA-65")) return EVP_PKEY_ML_DSA_65;
+    if (EVP_PKEY_is_a(key, "ML-DSA-87")) return EVP_PKEY_ML_DSA_87;
+  }
+#endif
+  return type;
 }
 
 int EVPKeyPointer::base_id(const EVP_PKEY* key) {
@@ -1998,6 +2032,31 @@ DataPointer EVPKeyPointer::rawPublicKey() const {
   return {};
 }
 
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+DataPointer EVPKeyPointer::rawSeed() const {
+  if (!pkey_) return {};
+  switch (id()) {
+    case EVP_PKEY_ML_DSA_44:
+    case EVP_PKEY_ML_DSA_65:
+    case EVP_PKEY_ML_DSA_87:
+      break;
+    default:
+      unreachable();
+  }
+
+  size_t seed_len = 32;
+  if (auto data = DataPointer::Alloc(seed_len)) {
+    const Buffer<unsigned char> buf = data;
+    size_t len = data.size();
+    if (EVP_PKEY_get_octet_string_param(
+            get(), OSSL_PKEY_PARAM_ML_DSA_SEED, buf.data, len, &seed_len) != 1)
+      return {};
+    return data;
+  }
+  return {};
+}
+#endif
+
 DataPointer EVPKeyPointer::rawPrivateKey() const {
   if (!pkey_) return {};
   if (auto data = DataPointer::Alloc(rawPrivateKeySize())) {
@@ -2453,7 +2512,18 @@ bool EVPKeyPointer::isRsaVariant() const {
 bool EVPKeyPointer::isOneShotVariant() const {
   if (!pkey_) return false;
   int type = id();
-  return type == EVP_PKEY_ED25519 || type == EVP_PKEY_ED448;
+  switch (type) {
+    case EVP_PKEY_ED25519:
+    case EVP_PKEY_ED448:
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+    case EVP_PKEY_ML_DSA_44:
+    case EVP_PKEY_ML_DSA_65:
+    case EVP_PKEY_ML_DSA_87:
+#endif
+      return true;
+    default:
+      return false;
+  }
 }
 
 bool EVPKeyPointer::isSigVariant() const {
diff --git a/deps/ncrypto/ncrypto.h b/deps/ncrypto/ncrypto.h
index 28e836f0bdb989..82af70798f3171 100644
--- a/deps/ncrypto/ncrypto.h
+++ b/deps/ncrypto/ncrypto.h
@@ -30,6 +30,9 @@
 
 #if OPENSSL_VERSION_MAJOR >= 3
 #define OSSL3_CONST const
+#if OPENSSL_VERSION_MINOR >= 5
+#include <openssl/core_names.h>
+#endif
 #else
 #define OSSL3_CONST
 #endif
@@ -817,6 +820,10 @@ class EVPKeyPointer final {
                                     const Buffer<const unsigned char>& data);
   static EVPKeyPointer NewRawPrivate(int id,
                                      const Buffer<const unsigned char>& data);
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+  static EVPKeyPointer NewRawSeed(int id,
+                                  const Buffer<const unsigned char>& data);
+#endif
   static EVPKeyPointer NewDH(DHPointer&& dh);
   static EVPKeyPointer NewRSA(RSAPointer&& rsa);
 
@@ -910,6 +917,10 @@ class EVPKeyPointer final {
   DataPointer rawPrivateKey() const;
   BIOPointer derPublicKey() const;
 
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+  DataPointer rawSeed() const;
+#endif
+
   Result<BIOPointer, bool> writePrivateKey(
       const PrivateKeyEncodingConfig& config) const;
   Result<BIOPointer, bool> writePublicKey(
diff --git a/deps/openssl/config/archs/BSD-x86/asm/configdata.pm b/deps/openssl/config/archs/BSD-x86/asm/configdata.pm
index 8b1d446c084f87..f019538bfaea44 100644
--- a/deps/openssl/config/archs/BSD-x86/asm/configdata.pm
+++ b/deps/openssl/config/archs/BSD-x86/asm/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -233,7 +233,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -286,11 +286,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "BSD-x86",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/BSD-x86/asm/crypto/buildinf.h b/deps/openssl/config/archs/BSD-x86/asm/crypto/buildinf.h
index 1d999982130022..a23ea3eae8cc8b 100644
--- a/deps/openssl/config/archs/BSD-x86/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/BSD-x86/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: BSD-x86"
-#define DATE "built on: Sun Jul 27 00:45:42 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:10:12 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/BSD-x86/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/BSD-x86/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/BSD-x86/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/BSD-x86/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/BSD-x86/asm_avx2/configdata.pm b/deps/openssl/config/archs/BSD-x86/asm_avx2/configdata.pm
index 2c387c9b408429..260f82e60bbd7e 100644
--- a/deps/openssl/config/archs/BSD-x86/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/BSD-x86/asm_avx2/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -233,7 +233,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -286,11 +286,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "BSD-x86",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/BSD-x86/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/BSD-x86/asm_avx2/crypto/buildinf.h
index ebf5cf73d837f5..0ca22b342cc4bd 100644
--- a/deps/openssl/config/archs/BSD-x86/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/BSD-x86/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: BSD-x86"
-#define DATE "built on: Sun Jul 27 00:45:59 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:10:29 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/BSD-x86/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/BSD-x86/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/BSD-x86/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/BSD-x86/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/BSD-x86/no-asm/configdata.pm b/deps/openssl/config/archs/BSD-x86/no-asm/configdata.pm
index 12f21f9bb1709d..8095282e98bb40 100644
--- a/deps/openssl/config/archs/BSD-x86/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/BSD-x86/no-asm/configdata.pm
@@ -169,7 +169,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -232,7 +232,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -286,11 +286,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "BSD-x86",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/BSD-x86/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/BSD-x86/no-asm/crypto/buildinf.h
index de0eaa6301ea35..59f3e49bdc4cd8 100644
--- a/deps/openssl/config/archs/BSD-x86/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/BSD-x86/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: BSD-x86"
-#define DATE "built on: Sun Jul 27 00:46:16 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:10:45 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/BSD-x86/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/BSD-x86/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/BSD-x86/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/BSD-x86/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/BSD-x86_64/asm/configdata.pm b/deps/openssl/config/archs/BSD-x86_64/asm/configdata.pm
index 296e7ec4b58b3b..8cc29549bf25ca 100644
--- a/deps/openssl/config/archs/BSD-x86_64/asm/configdata.pm
+++ b/deps/openssl/config/archs/BSD-x86_64/asm/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -233,7 +233,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -286,11 +286,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "BSD-x86_64",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/BSD-x86_64/asm/crypto/buildinf.h b/deps/openssl/config/archs/BSD-x86_64/asm/crypto/buildinf.h
index 838ea3d5a083b1..4ae7a06068e541 100644
--- a/deps/openssl/config/archs/BSD-x86_64/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/BSD-x86_64/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: BSD-x86_64"
-#define DATE "built on: Sun Jul 27 00:46:32 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:11:01 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/BSD-x86_64/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/BSD-x86_64/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/BSD-x86_64/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/BSD-x86_64/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/BSD-x86_64/asm_avx2/configdata.pm b/deps/openssl/config/archs/BSD-x86_64/asm_avx2/configdata.pm
index 6d722f8643473a..b38b2d3d4a4fdc 100644
--- a/deps/openssl/config/archs/BSD-x86_64/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/BSD-x86_64/asm_avx2/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -233,7 +233,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -286,11 +286,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "BSD-x86_64",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/BSD-x86_64/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/BSD-x86_64/asm_avx2/crypto/buildinf.h
index 71709472aac895..57bc2b60b47000 100644
--- a/deps/openssl/config/archs/BSD-x86_64/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/BSD-x86_64/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: BSD-x86_64"
-#define DATE "built on: Sun Jul 27 00:46:56 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:11:25 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/BSD-x86_64/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/BSD-x86_64/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/BSD-x86_64/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/BSD-x86_64/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/BSD-x86_64/no-asm/configdata.pm b/deps/openssl/config/archs/BSD-x86_64/no-asm/configdata.pm
index 35c1e9ed9f36f8..8569950cf04e6e 100644
--- a/deps/openssl/config/archs/BSD-x86_64/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/BSD-x86_64/no-asm/configdata.pm
@@ -169,7 +169,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -232,7 +232,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -286,11 +286,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "BSD-x86_64",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/BSD-x86_64/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/BSD-x86_64/no-asm/crypto/buildinf.h
index b7e9fa3e33a1d9..9b634a8f3f102a 100644
--- a/deps/openssl/config/archs/BSD-x86_64/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/BSD-x86_64/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: BSD-x86_64"
-#define DATE "built on: Sun Jul 27 00:47:16 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:11:44 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/BSD-x86_64/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/BSD-x86_64/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/BSD-x86_64/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/BSD-x86_64/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/VC-WIN32/asm/configdata.pm b/deps/openssl/config/archs/VC-WIN32/asm/configdata.pm
index 4e6a966fb2cfc9..de1296a33fcf51 100644
--- a/deps/openssl/config/archs/VC-WIN32/asm/configdata.pm
+++ b/deps/openssl/config/archs/VC-WIN32/asm/configdata.pm
@@ -179,7 +179,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -244,7 +244,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -297,11 +297,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "VC-WIN32",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "lib",
@@ -316,7 +316,7 @@ our %target = (
     "LDFLAGS" => "/nologo /debug",
     "MT" => "mt",
     "MTFLAGS" => "-nologo",
-    "RANLIB" => "CODE(0x55e0c94592c0)",
+    "RANLIB" => "CODE(0x55b0427d15f0)",
     "RC" => "rc",
     "_conf_fname_int" => [
         "Configurations/00-base-templates.conf",
diff --git a/deps/openssl/config/archs/VC-WIN32/asm/crypto/buildinf.h b/deps/openssl/config/archs/VC-WIN32/asm/crypto/buildinf.h
index 7e41e912a20927..f3bbe05ba095ff 100644
--- a/deps/openssl/config/archs/VC-WIN32/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/VC-WIN32/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: "
-#define DATE "built on: Sun Jul 27 00:59:38 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:23:53 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/VC-WIN32/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/VC-WIN32/asm/include/openssl/opensslv.h
index a26d4e609af1b7..8f0439fc042ad0 100644
--- a/deps/openssl/config/archs/VC-WIN32/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/VC-WIN32/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/VC-WIN32/asm_avx2/configdata.pm b/deps/openssl/config/archs/VC-WIN32/asm_avx2/configdata.pm
index 76d54ff3d0471e..e1133e0ee10d60 100644
--- a/deps/openssl/config/archs/VC-WIN32/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/VC-WIN32/asm_avx2/configdata.pm
@@ -179,7 +179,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -244,7 +244,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -297,11 +297,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "VC-WIN32",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "lib",
@@ -316,7 +316,7 @@ our %target = (
     "LDFLAGS" => "/nologo /debug",
     "MT" => "mt",
     "MTFLAGS" => "-nologo",
-    "RANLIB" => "CODE(0x55b8f3b4a600)",
+    "RANLIB" => "CODE(0x563b017ccb20)",
     "RC" => "rc",
     "_conf_fname_int" => [
         "Configurations/00-base-templates.conf",
diff --git a/deps/openssl/config/archs/VC-WIN32/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/VC-WIN32/asm_avx2/crypto/buildinf.h
index 3af6d1b67ee2a4..10629cfd854ae4 100644
--- a/deps/openssl/config/archs/VC-WIN32/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/VC-WIN32/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: "
-#define DATE "built on: Sun Jul 27 00:59:53 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:24:08 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/VC-WIN32/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/VC-WIN32/asm_avx2/include/openssl/opensslv.h
index a26d4e609af1b7..8f0439fc042ad0 100644
--- a/deps/openssl/config/archs/VC-WIN32/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/VC-WIN32/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/VC-WIN32/no-asm/configdata.pm b/deps/openssl/config/archs/VC-WIN32/no-asm/configdata.pm
index 4217efcd6a39c7..219b5327aece52 100644
--- a/deps/openssl/config/archs/VC-WIN32/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/VC-WIN32/no-asm/configdata.pm
@@ -177,7 +177,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -243,7 +243,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -297,11 +297,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "VC-WIN32",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "lib",
@@ -316,7 +316,7 @@ our %target = (
     "LDFLAGS" => "/nologo /debug",
     "MT" => "mt",
     "MTFLAGS" => "-nologo",
-    "RANLIB" => "CODE(0x55b60cdb1fe0)",
+    "RANLIB" => "CODE(0x560312a74440)",
     "RC" => "rc",
     "_conf_fname_int" => [
         "Configurations/00-base-templates.conf",
diff --git a/deps/openssl/config/archs/VC-WIN32/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/VC-WIN32/no-asm/crypto/buildinf.h
index 83e554abae5a07..d730439975be6b 100644
--- a/deps/openssl/config/archs/VC-WIN32/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/VC-WIN32/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: "
-#define DATE "built on: Sun Jul 27 01:00:07 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:24:22 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/VC-WIN32/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/VC-WIN32/no-asm/include/openssl/opensslv.h
index a26d4e609af1b7..8f0439fc042ad0 100644
--- a/deps/openssl/config/archs/VC-WIN32/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/VC-WIN32/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/VC-WIN64-ARM/no-asm/configdata.pm b/deps/openssl/config/archs/VC-WIN64-ARM/no-asm/configdata.pm
index 57067d499d9a6f..33318d92ed21fa 100644
--- a/deps/openssl/config/archs/VC-WIN64-ARM/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/VC-WIN64-ARM/no-asm/configdata.pm
@@ -177,7 +177,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -241,7 +241,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -295,11 +295,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "VC-WIN64-ARM",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "lib",
@@ -312,7 +312,7 @@ our %target = (
     "LDFLAGS" => "/nologo /debug",
     "MT" => "mt",
     "MTFLAGS" => "-nologo",
-    "RANLIB" => "CODE(0x55e53022af60)",
+    "RANLIB" => "CODE(0x556add68de40)",
     "RC" => "rc",
     "_conf_fname_int" => [
         "Configurations/00-base-templates.conf",
diff --git a/deps/openssl/config/archs/VC-WIN64-ARM/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/VC-WIN64-ARM/no-asm/crypto/buildinf.h
index b7803dee833f15..ab1de909dfc1be 100644
--- a/deps/openssl/config/archs/VC-WIN64-ARM/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/VC-WIN64-ARM/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: VC-WIN64-ARM"
-#define DATE "built on: Sun Jul 27 01:00:21 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:24:36 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/VC-WIN64-ARM/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/VC-WIN64-ARM/no-asm/include/openssl/opensslv.h
index a26d4e609af1b7..8f0439fc042ad0 100644
--- a/deps/openssl/config/archs/VC-WIN64-ARM/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/VC-WIN64-ARM/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/VC-WIN64A/asm/configdata.pm b/deps/openssl/config/archs/VC-WIN64A/asm/configdata.pm
index 47a66eaa695118..62fd5cb427b191 100644
--- a/deps/openssl/config/archs/VC-WIN64A/asm/configdata.pm
+++ b/deps/openssl/config/archs/VC-WIN64A/asm/configdata.pm
@@ -181,7 +181,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -246,7 +246,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -299,11 +299,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "VC-WIN64A",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "lib",
@@ -318,7 +318,7 @@ our %target = (
     "LDFLAGS" => "/nologo /debug",
     "MT" => "mt",
     "MTFLAGS" => "-nologo",
-    "RANLIB" => "CODE(0x55b8eb9ae8f0)",
+    "RANLIB" => "CODE(0x55da9d602550)",
     "RC" => "rc",
     "_conf_fname_int" => [
         "Configurations/00-base-templates.conf",
diff --git a/deps/openssl/config/archs/VC-WIN64A/asm/crypto/buildinf.h b/deps/openssl/config/archs/VC-WIN64A/asm/crypto/buildinf.h
index 8fa53dbea7526d..5a67676837b048 100644
--- a/deps/openssl/config/archs/VC-WIN64A/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/VC-WIN64A/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: "
-#define DATE "built on: Sun Jul 27 00:58:39 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:22:55 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/VC-WIN64A/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/VC-WIN64A/asm/include/openssl/opensslv.h
index a26d4e609af1b7..8f0439fc042ad0 100644
--- a/deps/openssl/config/archs/VC-WIN64A/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/VC-WIN64A/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/VC-WIN64A/asm_avx2/configdata.pm b/deps/openssl/config/archs/VC-WIN64A/asm_avx2/configdata.pm
index 4e1e496dea44c7..3fe9c6d5f901bd 100644
--- a/deps/openssl/config/archs/VC-WIN64A/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/VC-WIN64A/asm_avx2/configdata.pm
@@ -181,7 +181,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -246,7 +246,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -299,11 +299,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "VC-WIN64A",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "lib",
@@ -318,7 +318,7 @@ our %target = (
     "LDFLAGS" => "/nologo /debug",
     "MT" => "mt",
     "MTFLAGS" => "-nologo",
-    "RANLIB" => "CODE(0x5566d2efe410)",
+    "RANLIB" => "CODE(0x55c0b2e98700)",
     "RC" => "rc",
     "_conf_fname_int" => [
         "Configurations/00-base-templates.conf",
diff --git a/deps/openssl/config/archs/VC-WIN64A/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/VC-WIN64A/asm_avx2/crypto/buildinf.h
index f2f55307847632..91f213b66cadd0 100644
--- a/deps/openssl/config/archs/VC-WIN64A/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/VC-WIN64A/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: "
-#define DATE "built on: Sun Jul 27 00:59:02 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:23:17 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/VC-WIN64A/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/VC-WIN64A/asm_avx2/include/openssl/opensslv.h
index a26d4e609af1b7..8f0439fc042ad0 100644
--- a/deps/openssl/config/archs/VC-WIN64A/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/VC-WIN64A/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/VC-WIN64A/no-asm/configdata.pm b/deps/openssl/config/archs/VC-WIN64A/no-asm/configdata.pm
index aba14ccb65b60b..5314c4fea23351 100644
--- a/deps/openssl/config/archs/VC-WIN64A/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/VC-WIN64A/no-asm/configdata.pm
@@ -179,7 +179,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -245,7 +245,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -299,11 +299,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "VC-WIN64A",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "lib",
@@ -318,7 +318,7 @@ our %target = (
     "LDFLAGS" => "/nologo /debug",
     "MT" => "mt",
     "MTFLAGS" => "-nologo",
-    "RANLIB" => "CODE(0x562964a84f60)",
+    "RANLIB" => "CODE(0x55b8adae0460)",
     "RC" => "rc",
     "_conf_fname_int" => [
         "Configurations/00-base-templates.conf",
diff --git a/deps/openssl/config/archs/VC-WIN64A/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/VC-WIN64A/no-asm/crypto/buildinf.h
index 5acc8754e019ea..d9348ab60f3fb1 100644
--- a/deps/openssl/config/archs/VC-WIN64A/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/VC-WIN64A/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: "
-#define DATE "built on: Sun Jul 27 00:59:24 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:23:40 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/VC-WIN64A/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/VC-WIN64A/no-asm/include/openssl/opensslv.h
index a26d4e609af1b7..8f0439fc042ad0 100644
--- a/deps/openssl/config/archs/VC-WIN64A/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/VC-WIN64A/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/aix64-gcc-as/asm/configdata.pm b/deps/openssl/config/archs/aix64-gcc-as/asm/configdata.pm
index 7e3ff35591cdc9..3820dffd9401c8 100644
--- a/deps/openssl/config/archs/aix64-gcc-as/asm/configdata.pm
+++ b/deps/openssl/config/archs/aix64-gcc-as/asm/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -289,11 +289,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "aix64-gcc-as",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar -X64",
diff --git a/deps/openssl/config/archs/aix64-gcc-as/asm/crypto/buildinf.h b/deps/openssl/config/archs/aix64-gcc-as/asm/crypto/buildinf.h
index 8c0b5af5ab085b..c90a8d543fce30 100644
--- a/deps/openssl/config/archs/aix64-gcc-as/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/aix64-gcc-as/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: aix64-gcc-as"
-#define DATE "built on: Sun Jul 27 00:44:53 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:09:24 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/aix64-gcc-as/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/aix64-gcc-as/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/aix64-gcc-as/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/aix64-gcc-as/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/aix64-gcc-as/asm_avx2/configdata.pm b/deps/openssl/config/archs/aix64-gcc-as/asm_avx2/configdata.pm
index 91c79c77102443..22701a7f0e675b 100644
--- a/deps/openssl/config/archs/aix64-gcc-as/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/aix64-gcc-as/asm_avx2/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -289,11 +289,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "aix64-gcc-as",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar -X64",
diff --git a/deps/openssl/config/archs/aix64-gcc-as/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/aix64-gcc-as/asm_avx2/crypto/buildinf.h
index e052a37e8b38ab..206d40f6265c63 100644
--- a/deps/openssl/config/archs/aix64-gcc-as/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/aix64-gcc-as/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: aix64-gcc-as"
-#define DATE "built on: Sun Jul 27 00:45:10 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:09:41 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/aix64-gcc-as/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/aix64-gcc-as/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/aix64-gcc-as/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/aix64-gcc-as/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/aix64-gcc-as/no-asm/configdata.pm b/deps/openssl/config/archs/aix64-gcc-as/no-asm/configdata.pm
index b4835de765edcc..b43d57a75d55d2 100644
--- a/deps/openssl/config/archs/aix64-gcc-as/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/aix64-gcc-as/no-asm/configdata.pm
@@ -169,7 +169,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -235,7 +235,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -289,11 +289,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "aix64-gcc-as",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar -X64",
diff --git a/deps/openssl/config/archs/aix64-gcc-as/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/aix64-gcc-as/no-asm/crypto/buildinf.h
index 9397135d1c95ce..3ab9865c3968c0 100644
--- a/deps/openssl/config/archs/aix64-gcc-as/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/aix64-gcc-as/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: aix64-gcc-as"
-#define DATE "built on: Sun Jul 27 00:45:27 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:09:57 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/aix64-gcc-as/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/aix64-gcc-as/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/aix64-gcc-as/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/aix64-gcc-as/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/darwin-i386-cc/asm/configdata.pm b/deps/openssl/config/archs/darwin-i386-cc/asm/configdata.pm
index 7a6aa71219bf5c..dfc07686cc0841 100644
--- a/deps/openssl/config/archs/darwin-i386-cc/asm/configdata.pm
+++ b/deps/openssl/config/archs/darwin-i386-cc/asm/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -289,11 +289,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "darwin-i386-cc",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/darwin-i386-cc/asm/crypto/buildinf.h b/deps/openssl/config/archs/darwin-i386-cc/asm/crypto/buildinf.h
index daefbea000f943..7af617f4e454f9 100644
--- a/deps/openssl/config/archs/darwin-i386-cc/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/darwin-i386-cc/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: darwin-i386-cc"
-#define DATE "built on: Sun Jul 27 00:48:31 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:12:58 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/darwin-i386-cc/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/darwin-i386-cc/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/darwin-i386-cc/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/darwin-i386-cc/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/darwin-i386-cc/asm_avx2/configdata.pm b/deps/openssl/config/archs/darwin-i386-cc/asm_avx2/configdata.pm
index 2506bfa9c3950f..c26cadec23f1b6 100644
--- a/deps/openssl/config/archs/darwin-i386-cc/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/darwin-i386-cc/asm_avx2/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -289,11 +289,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "darwin-i386-cc",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/darwin-i386-cc/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/darwin-i386-cc/asm_avx2/crypto/buildinf.h
index 0009b83745f7a4..681ba7174ac494 100644
--- a/deps/openssl/config/archs/darwin-i386-cc/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/darwin-i386-cc/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: darwin-i386-cc"
-#define DATE "built on: Sun Jul 27 00:48:47 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:13:14 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/darwin-i386-cc/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/darwin-i386-cc/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/darwin-i386-cc/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/darwin-i386-cc/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/darwin-i386-cc/no-asm/configdata.pm b/deps/openssl/config/archs/darwin-i386-cc/no-asm/configdata.pm
index 31847f517d540f..71d7fd890c7251 100644
--- a/deps/openssl/config/archs/darwin-i386-cc/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/darwin-i386-cc/no-asm/configdata.pm
@@ -169,7 +169,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -235,7 +235,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -289,11 +289,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "darwin-i386-cc",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/darwin-i386-cc/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/darwin-i386-cc/no-asm/crypto/buildinf.h
index a9770215d6e097..8fd9774e663339 100644
--- a/deps/openssl/config/archs/darwin-i386-cc/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/darwin-i386-cc/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: darwin-i386-cc"
-#define DATE "built on: Sun Jul 27 00:49:04 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:13:31 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/darwin-i386-cc/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/darwin-i386-cc/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/darwin-i386-cc/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/darwin-i386-cc/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/darwin64-arm64-cc/asm/configdata.pm b/deps/openssl/config/archs/darwin64-arm64-cc/asm/configdata.pm
index 0800e21ef3f862..50cdad9e235176 100644
--- a/deps/openssl/config/archs/darwin64-arm64-cc/asm/configdata.pm
+++ b/deps/openssl/config/archs/darwin64-arm64-cc/asm/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -289,11 +289,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "darwin64-arm64-cc",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/darwin64-arm64-cc/asm/crypto/buildinf.h b/deps/openssl/config/archs/darwin64-arm64-cc/asm/crypto/buildinf.h
index 02289cf8c2318c..df662c19e11ba7 100644
--- a/deps/openssl/config/archs/darwin64-arm64-cc/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/darwin64-arm64-cc/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: darwin64-arm64-cc"
-#define DATE "built on: Sun Jul 27 00:49:19 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:13:46 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/darwin64-arm64-cc/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/darwin64-arm64-cc/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/darwin64-arm64-cc/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/darwin64-arm64-cc/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/configdata.pm b/deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/configdata.pm
index 6510c746c05430..b08eeb01f93dc7 100644
--- a/deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -289,11 +289,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "darwin64-arm64-cc",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/crypto/buildinf.h
index 67883b363b46e4..a09ee426b86939 100644
--- a/deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: darwin64-arm64-cc"
-#define DATE "built on: Sun Jul 27 00:49:36 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:14:02 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/darwin64-arm64-cc/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/darwin64-arm64-cc/no-asm/configdata.pm b/deps/openssl/config/archs/darwin64-arm64-cc/no-asm/configdata.pm
index 26dc1942be3749..a1b9b21af4c86a 100644
--- a/deps/openssl/config/archs/darwin64-arm64-cc/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/darwin64-arm64-cc/no-asm/configdata.pm
@@ -169,7 +169,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -235,7 +235,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -289,11 +289,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "darwin64-arm64-cc",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/darwin64-arm64-cc/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/darwin64-arm64-cc/no-asm/crypto/buildinf.h
index a9f03af33a0a2c..d32b65c115bd56 100644
--- a/deps/openssl/config/archs/darwin64-arm64-cc/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/darwin64-arm64-cc/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: darwin64-arm64-cc"
-#define DATE "built on: Sun Jul 27 00:49:53 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:14:19 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/darwin64-arm64-cc/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/darwin64-arm64-cc/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/darwin64-arm64-cc/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/darwin64-arm64-cc/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/darwin64-x86_64-cc/asm/configdata.pm b/deps/openssl/config/archs/darwin64-x86_64-cc/asm/configdata.pm
index 88fb942447fbae..20eda5fab1eeba 100644
--- a/deps/openssl/config/archs/darwin64-x86_64-cc/asm/configdata.pm
+++ b/deps/openssl/config/archs/darwin64-x86_64-cc/asm/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -289,11 +289,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "darwin64-x86_64-cc",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/darwin64-x86_64-cc/asm/crypto/buildinf.h b/deps/openssl/config/archs/darwin64-x86_64-cc/asm/crypto/buildinf.h
index 42e1e3cc0b4d35..29c30272ec7e50 100644
--- a/deps/openssl/config/archs/darwin64-x86_64-cc/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/darwin64-x86_64-cc/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: darwin64-x86_64-cc"
-#define DATE "built on: Sun Jul 27 00:47:32 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:12:00 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/darwin64-x86_64-cc/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/darwin64-x86_64-cc/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/darwin64-x86_64-cc/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/darwin64-x86_64-cc/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/configdata.pm b/deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/configdata.pm
index 106af54c16496d..64ebab78064cc0 100644
--- a/deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -289,11 +289,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "darwin64-x86_64-cc",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/crypto/buildinf.h
index 7b14503e0d6ce7..14504b280a7383 100644
--- a/deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: darwin64-x86_64-cc"
-#define DATE "built on: Sun Jul 27 00:47:55 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:12:24 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/darwin64-x86_64-cc/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/configdata.pm b/deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/configdata.pm
index 496069f3f14754..e26d1f11e90c5a 100644
--- a/deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/configdata.pm
@@ -169,7 +169,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -235,7 +235,7 @@ our %config = (
     ],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -289,11 +289,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "darwin64-x86_64-cc",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/crypto/buildinf.h
index f96fb48f49d1b8..99a7e3d87df931 100644
--- a/deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: darwin64-x86_64-cc"
-#define DATE "built on: Sun Jul 27 00:48:15 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:12:43 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/darwin64-x86_64-cc/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux-aarch64/asm/configdata.pm b/deps/openssl/config/archs/linux-aarch64/asm/configdata.pm
index 761036f8eec32a..c20646e5582f56 100644
--- a/deps/openssl/config/archs/linux-aarch64/asm/configdata.pm
+++ b/deps/openssl/config/archs/linux-aarch64/asm/configdata.pm
@@ -174,7 +174,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -237,7 +237,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux-aarch64",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux-aarch64/asm/crypto/buildinf.h b/deps/openssl/config/archs/linux-aarch64/asm/crypto/buildinf.h
index 0cbf6332ece0e6..e5031f6cb86a2c 100644
--- a/deps/openssl/config/archs/linux-aarch64/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux-aarch64/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-aarch64"
-#define DATE "built on: Sun Jul 27 00:50:08 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:14:34 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux-aarch64/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux-aarch64/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux-aarch64/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux-aarch64/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux-aarch64/asm_avx2/configdata.pm b/deps/openssl/config/archs/linux-aarch64/asm_avx2/configdata.pm
index 3da90c177bc7e3..7267765549269f 100644
--- a/deps/openssl/config/archs/linux-aarch64/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/linux-aarch64/asm_avx2/configdata.pm
@@ -174,7 +174,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -237,7 +237,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux-aarch64",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux-aarch64/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/linux-aarch64/asm_avx2/crypto/buildinf.h
index 03c2d01cff195e..5a4272a274b8be 100644
--- a/deps/openssl/config/archs/linux-aarch64/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux-aarch64/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-aarch64"
-#define DATE "built on: Sun Jul 27 00:50:26 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:14:51 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux-aarch64/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/linux-aarch64/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux-aarch64/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux-aarch64/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux-aarch64/no-asm/configdata.pm b/deps/openssl/config/archs/linux-aarch64/no-asm/configdata.pm
index c1979501ea2fb0..b105b3f03d00fb 100644
--- a/deps/openssl/config/archs/linux-aarch64/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/linux-aarch64/no-asm/configdata.pm
@@ -172,7 +172,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux-aarch64",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux-aarch64/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/linux-aarch64/no-asm/crypto/buildinf.h
index d27c2c64289f83..ecc1c2e4041423 100644
--- a/deps/openssl/config/archs/linux-aarch64/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux-aarch64/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-aarch64"
-#define DATE "built on: Sun Jul 27 00:50:43 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:15:08 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux-aarch64/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux-aarch64/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux-aarch64/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux-aarch64/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux-armv4/asm/configdata.pm b/deps/openssl/config/archs/linux-armv4/asm/configdata.pm
index 44123221e58537..87fe302fd69a8b 100644
--- a/deps/openssl/config/archs/linux-armv4/asm/configdata.pm
+++ b/deps/openssl/config/archs/linux-armv4/asm/configdata.pm
@@ -174,7 +174,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -237,7 +237,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux-armv4",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux-armv4/asm/crypto/buildinf.h b/deps/openssl/config/archs/linux-armv4/asm/crypto/buildinf.h
index e6f22c278c3e5b..3cf10883d94dda 100644
--- a/deps/openssl/config/archs/linux-armv4/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux-armv4/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-armv4"
-#define DATE "built on: Sun Jul 27 00:50:58 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:15:23 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux-armv4/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux-armv4/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux-armv4/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux-armv4/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux-armv4/asm_avx2/configdata.pm b/deps/openssl/config/archs/linux-armv4/asm_avx2/configdata.pm
index cc8b5e63daf142..311d59abd183d0 100644
--- a/deps/openssl/config/archs/linux-armv4/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/linux-armv4/asm_avx2/configdata.pm
@@ -174,7 +174,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -237,7 +237,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux-armv4",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux-armv4/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/linux-armv4/asm_avx2/crypto/buildinf.h
index e31cbb1af6765f..3ee336d1a4d5dd 100644
--- a/deps/openssl/config/archs/linux-armv4/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux-armv4/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-armv4"
-#define DATE "built on: Sun Jul 27 00:51:15 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:15:40 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux-armv4/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/linux-armv4/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux-armv4/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux-armv4/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux-armv4/no-asm/configdata.pm b/deps/openssl/config/archs/linux-armv4/no-asm/configdata.pm
index 40a0701e383aa9..eab82d772be2bf 100644
--- a/deps/openssl/config/archs/linux-armv4/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/linux-armv4/no-asm/configdata.pm
@@ -172,7 +172,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux-armv4",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux-armv4/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/linux-armv4/no-asm/crypto/buildinf.h
index 75a3b2ac3ddc7a..175cc958b3642f 100644
--- a/deps/openssl/config/archs/linux-armv4/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux-armv4/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-armv4"
-#define DATE "built on: Sun Jul 27 00:51:32 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:15:56 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux-armv4/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux-armv4/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux-armv4/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux-armv4/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux-elf/asm/configdata.pm b/deps/openssl/config/archs/linux-elf/asm/configdata.pm
index c586c364833c07..8076c37212eb8a 100644
--- a/deps/openssl/config/archs/linux-elf/asm/configdata.pm
+++ b/deps/openssl/config/archs/linux-elf/asm/configdata.pm
@@ -174,7 +174,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -237,7 +237,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux-elf",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux-elf/asm/crypto/buildinf.h b/deps/openssl/config/archs/linux-elf/asm/crypto/buildinf.h
index 788e690f96db7f..7b5e359f090932 100644
--- a/deps/openssl/config/archs/linux-elf/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux-elf/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-elf"
-#define DATE "built on: Sun Jul 27 00:51:47 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:16:11 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux-elf/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux-elf/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux-elf/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux-elf/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux-elf/asm_avx2/configdata.pm b/deps/openssl/config/archs/linux-elf/asm_avx2/configdata.pm
index 0060eeb6a74ac4..a29f47c557c526 100644
--- a/deps/openssl/config/archs/linux-elf/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/linux-elf/asm_avx2/configdata.pm
@@ -174,7 +174,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -237,7 +237,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux-elf",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux-elf/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/linux-elf/asm_avx2/crypto/buildinf.h
index 9f2fe9bd334f9c..b421f801fcbb42 100644
--- a/deps/openssl/config/archs/linux-elf/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux-elf/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-elf"
-#define DATE "built on: Sun Jul 27 00:52:04 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:16:28 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux-elf/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/linux-elf/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux-elf/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux-elf/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux-elf/no-asm/configdata.pm b/deps/openssl/config/archs/linux-elf/no-asm/configdata.pm
index 30dd627f238d12..58323e947c621a 100644
--- a/deps/openssl/config/archs/linux-elf/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/linux-elf/no-asm/configdata.pm
@@ -172,7 +172,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux-elf",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux-elf/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/linux-elf/no-asm/crypto/buildinf.h
index f5ab0b369c6ff4..d8374092ec9670 100644
--- a/deps/openssl/config/archs/linux-elf/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux-elf/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-elf"
-#define DATE "built on: Sun Jul 27 00:52:21 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:16:44 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux-elf/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux-elf/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux-elf/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux-elf/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux-ppc64le/asm/configdata.pm b/deps/openssl/config/archs/linux-ppc64le/asm/configdata.pm
index 6d7b9d19fc2955..6182f84b4796b8 100644
--- a/deps/openssl/config/archs/linux-ppc64le/asm/configdata.pm
+++ b/deps/openssl/config/archs/linux-ppc64le/asm/configdata.pm
@@ -174,7 +174,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -237,7 +237,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux-ppc64le",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux-ppc64le/asm/crypto/buildinf.h b/deps/openssl/config/archs/linux-ppc64le/asm/crypto/buildinf.h
index d4ad2196fabd92..19a8196de686b0 100644
--- a/deps/openssl/config/archs/linux-ppc64le/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux-ppc64le/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-ppc64le"
-#define DATE "built on: Sun Jul 27 00:53:37 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:17:58 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux-ppc64le/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux-ppc64le/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux-ppc64le/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux-ppc64le/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux-ppc64le/asm_avx2/configdata.pm b/deps/openssl/config/archs/linux-ppc64le/asm_avx2/configdata.pm
index d1e97a170d7ba2..de7e62bc3dfc03 100644
--- a/deps/openssl/config/archs/linux-ppc64le/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/linux-ppc64le/asm_avx2/configdata.pm
@@ -174,7 +174,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -237,7 +237,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux-ppc64le",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux-ppc64le/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/linux-ppc64le/asm_avx2/crypto/buildinf.h
index 36c0091f9a2f3e..434e088519b31c 100644
--- a/deps/openssl/config/archs/linux-ppc64le/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux-ppc64le/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-ppc64le"
-#define DATE "built on: Sun Jul 27 00:53:54 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:18:14 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux-ppc64le/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/linux-ppc64le/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux-ppc64le/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux-ppc64le/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux-ppc64le/no-asm/configdata.pm b/deps/openssl/config/archs/linux-ppc64le/no-asm/configdata.pm
index 03942d2f8e3d65..6aad8b1ed8c667 100644
--- a/deps/openssl/config/archs/linux-ppc64le/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/linux-ppc64le/no-asm/configdata.pm
@@ -172,7 +172,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux-ppc64le",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux-ppc64le/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/linux-ppc64le/no-asm/crypto/buildinf.h
index fec35dd7be649f..35753bd49b57f6 100644
--- a/deps/openssl/config/archs/linux-ppc64le/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux-ppc64le/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-ppc64le"
-#define DATE "built on: Sun Jul 27 00:54:11 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:18:31 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux-ppc64le/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux-ppc64le/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux-ppc64le/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux-ppc64le/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux-x86_64/asm/configdata.pm b/deps/openssl/config/archs/linux-x86_64/asm/configdata.pm
index 066039710c3b65..f93207b79d3213 100644
--- a/deps/openssl/config/archs/linux-x86_64/asm/configdata.pm
+++ b/deps/openssl/config/archs/linux-x86_64/asm/configdata.pm
@@ -174,7 +174,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -237,7 +237,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux-x86_64",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux-x86_64/asm/crypto/buildinf.h b/deps/openssl/config/archs/linux-x86_64/asm/crypto/buildinf.h
index b958a6c6f943b8..f3cdd6636be264 100644
--- a/deps/openssl/config/archs/linux-x86_64/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux-x86_64/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-x86_64"
-#define DATE "built on: Sun Jul 27 00:52:37 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:16:59 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux-x86_64/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux-x86_64/asm_avx2/configdata.pm b/deps/openssl/config/archs/linux-x86_64/asm_avx2/configdata.pm
index a62fda22315e66..e6e4f4675cac3d 100644
--- a/deps/openssl/config/archs/linux-x86_64/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/linux-x86_64/asm_avx2/configdata.pm
@@ -174,7 +174,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -237,7 +237,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux-x86_64",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux-x86_64/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/linux-x86_64/asm_avx2/crypto/buildinf.h
index 3aecdfc9699b9f..2da74be67d8337 100644
--- a/deps/openssl/config/archs/linux-x86_64/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux-x86_64/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-x86_64"
-#define DATE "built on: Sun Jul 27 00:53:02 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:17:23 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux-x86_64/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/linux-x86_64/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux-x86_64/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux-x86_64/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux-x86_64/no-asm/configdata.pm b/deps/openssl/config/archs/linux-x86_64/no-asm/configdata.pm
index f3a4a8b52a2d77..e2b918b12b1bc8 100644
--- a/deps/openssl/config/archs/linux-x86_64/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/linux-x86_64/no-asm/configdata.pm
@@ -172,7 +172,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux-x86_64",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux-x86_64/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/linux-x86_64/no-asm/crypto/buildinf.h
index f179ecb6a4ee40..4783eff5ddd623 100644
--- a/deps/openssl/config/archs/linux-x86_64/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux-x86_64/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux-x86_64"
-#define DATE "built on: Sun Jul 27 00:53:21 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:17:43 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux-x86_64/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux-x86_64/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux-x86_64/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux-x86_64/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux32-s390x/asm/configdata.pm b/deps/openssl/config/archs/linux32-s390x/asm/configdata.pm
index c773615cae5a83..ceb907ec66308a 100644
--- a/deps/openssl/config/archs/linux32-s390x/asm/configdata.pm
+++ b/deps/openssl/config/archs/linux32-s390x/asm/configdata.pm
@@ -174,7 +174,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -237,7 +237,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux32-s390x",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux32-s390x/asm/crypto/buildinf.h b/deps/openssl/config/archs/linux32-s390x/asm/crypto/buildinf.h
index ca5fef7a4b72d4..738c4791918516 100644
--- a/deps/openssl/config/archs/linux32-s390x/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux32-s390x/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux32-s390x"
-#define DATE "built on: Sun Jul 27 00:54:27 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:18:46 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux32-s390x/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux32-s390x/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux32-s390x/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux32-s390x/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux32-s390x/asm_avx2/configdata.pm b/deps/openssl/config/archs/linux32-s390x/asm_avx2/configdata.pm
index 070ea52638e1b1..a9549032fb059e 100644
--- a/deps/openssl/config/archs/linux32-s390x/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/linux32-s390x/asm_avx2/configdata.pm
@@ -174,7 +174,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -237,7 +237,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux32-s390x",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux32-s390x/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/linux32-s390x/asm_avx2/crypto/buildinf.h
index 67d781c394d390..23fb03ddd41d09 100644
--- a/deps/openssl/config/archs/linux32-s390x/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux32-s390x/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux32-s390x"
-#define DATE "built on: Sun Jul 27 00:54:43 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:19:02 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux32-s390x/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/linux32-s390x/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux32-s390x/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux32-s390x/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux32-s390x/no-asm/configdata.pm b/deps/openssl/config/archs/linux32-s390x/no-asm/configdata.pm
index ca2073129203ed..95b520aeca1865 100644
--- a/deps/openssl/config/archs/linux32-s390x/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/linux32-s390x/no-asm/configdata.pm
@@ -172,7 +172,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux32-s390x",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux32-s390x/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/linux32-s390x/no-asm/crypto/buildinf.h
index 41d1352c5f8d83..9ebed25c2ea8f4 100644
--- a/deps/openssl/config/archs/linux32-s390x/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux32-s390x/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux32-s390x"
-#define DATE "built on: Sun Jul 27 00:55:00 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:19:19 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux32-s390x/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux32-s390x/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux32-s390x/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux32-s390x/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux64-loongarch64/no-asm/configdata.pm b/deps/openssl/config/archs/linux64-loongarch64/no-asm/configdata.pm
index bf843ca2fe32d0..817cb82e36ebb9 100644
--- a/deps/openssl/config/archs/linux64-loongarch64/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/linux64-loongarch64/no-asm/configdata.pm
@@ -172,7 +172,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux64-loongarch64",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux64-loongarch64/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/linux64-loongarch64/no-asm/crypto/buildinf.h
index c11864985d41b7..ab9d68d8b84d40 100644
--- a/deps/openssl/config/archs/linux64-loongarch64/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux64-loongarch64/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux64-loongarch64"
-#define DATE "built on: Sun Jul 27 01:00:51 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:25:05 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux64-loongarch64/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux64-loongarch64/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux64-loongarch64/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux64-loongarch64/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux64-mips64/asm/configdata.pm b/deps/openssl/config/archs/linux64-mips64/asm/configdata.pm
index ac8ab7de63e45e..f2575c26690816 100644
--- a/deps/openssl/config/archs/linux64-mips64/asm/configdata.pm
+++ b/deps/openssl/config/archs/linux64-mips64/asm/configdata.pm
@@ -177,7 +177,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -240,7 +240,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -293,11 +293,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux64-mips64",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux64-mips64/asm/crypto/buildinf.h b/deps/openssl/config/archs/linux64-mips64/asm/crypto/buildinf.h
index 6288188303930d..047128ab2501b2 100644
--- a/deps/openssl/config/archs/linux64-mips64/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux64-mips64/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux64-mips64"
-#define DATE "built on: Sun Jul 27 00:56:04 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:20:22 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux64-mips64/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux64-mips64/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux64-mips64/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux64-mips64/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux64-mips64/asm_avx2/configdata.pm b/deps/openssl/config/archs/linux64-mips64/asm_avx2/configdata.pm
index 3ba98393343b49..eeb03a7fa66a60 100644
--- a/deps/openssl/config/archs/linux64-mips64/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/linux64-mips64/asm_avx2/configdata.pm
@@ -177,7 +177,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -240,7 +240,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -293,11 +293,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux64-mips64",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux64-mips64/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/linux64-mips64/asm_avx2/crypto/buildinf.h
index 210166bae87ddc..ca3f77bf96ccfa 100644
--- a/deps/openssl/config/archs/linux64-mips64/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux64-mips64/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux64-mips64"
-#define DATE "built on: Sun Jul 27 00:56:20 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:20:37 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux64-mips64/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/linux64-mips64/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux64-mips64/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux64-mips64/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux64-mips64/no-asm/configdata.pm b/deps/openssl/config/archs/linux64-mips64/no-asm/configdata.pm
index 355145e8379a21..dba10e402e03da 100644
--- a/deps/openssl/config/archs/linux64-mips64/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/linux64-mips64/no-asm/configdata.pm
@@ -172,7 +172,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux64-mips64",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux64-mips64/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/linux64-mips64/no-asm/crypto/buildinf.h
index 8368a87f2275c4..93bdceac787517 100644
--- a/deps/openssl/config/archs/linux64-mips64/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux64-mips64/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux64-mips64"
-#define DATE "built on: Sun Jul 27 00:56:35 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:20:53 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux64-mips64/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux64-mips64/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux64-mips64/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux64-mips64/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux64-riscv64/no-asm/configdata.pm b/deps/openssl/config/archs/linux64-riscv64/no-asm/configdata.pm
index 467cf558a505ff..c883d94dc8fc05 100644
--- a/deps/openssl/config/archs/linux64-riscv64/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/linux64-riscv64/no-asm/configdata.pm
@@ -172,7 +172,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux64-riscv64",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux64-riscv64/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/linux64-riscv64/no-asm/crypto/buildinf.h
index 211351d0fdde26..5e65260a4335d3 100644
--- a/deps/openssl/config/archs/linux64-riscv64/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux64-riscv64/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux64-riscv64"
-#define DATE "built on: Sun Jul 27 01:00:35 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:24:50 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux64-riscv64/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux64-riscv64/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux64-riscv64/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux64-riscv64/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux64-s390x/asm/configdata.pm b/deps/openssl/config/archs/linux64-s390x/asm/configdata.pm
index b3bc3d0e2ab289..91c96b59aaa760 100644
--- a/deps/openssl/config/archs/linux64-s390x/asm/configdata.pm
+++ b/deps/openssl/config/archs/linux64-s390x/asm/configdata.pm
@@ -174,7 +174,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -237,7 +237,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux64-s390x",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux64-s390x/asm/crypto/buildinf.h b/deps/openssl/config/archs/linux64-s390x/asm/crypto/buildinf.h
index d5e30f62579609..93b8a755c0c8a3 100644
--- a/deps/openssl/config/archs/linux64-s390x/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux64-s390x/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux64-s390x"
-#define DATE "built on: Sun Jul 27 00:55:16 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:19:34 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux64-s390x/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux64-s390x/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux64-s390x/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux64-s390x/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux64-s390x/asm_avx2/configdata.pm b/deps/openssl/config/archs/linux64-s390x/asm_avx2/configdata.pm
index a61ea5c6c313d6..5faba76393a0f3 100644
--- a/deps/openssl/config/archs/linux64-s390x/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/linux64-s390x/asm_avx2/configdata.pm
@@ -174,7 +174,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -237,7 +237,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux64-s390x",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux64-s390x/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/linux64-s390x/asm_avx2/crypto/buildinf.h
index 1036ea51b554cf..163362df39436e 100644
--- a/deps/openssl/config/archs/linux64-s390x/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux64-s390x/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux64-s390x"
-#define DATE "built on: Sun Jul 27 00:55:32 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:19:50 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux64-s390x/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/linux64-s390x/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux64-s390x/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux64-s390x/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/linux64-s390x/no-asm/configdata.pm b/deps/openssl/config/archs/linux64-s390x/no-asm/configdata.pm
index dccb1e5d782e58..2a89645e77faa7 100644
--- a/deps/openssl/config/archs/linux64-s390x/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/linux64-s390x/no-asm/configdata.pm
@@ -172,7 +172,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -236,7 +236,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -290,11 +290,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned char",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "linux64-s390x",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/linux64-s390x/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/linux64-s390x/no-asm/crypto/buildinf.h
index 8fe011d48f759d..1e535ef67f180b 100644
--- a/deps/openssl/config/archs/linux64-s390x/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/linux64-s390x/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: linux64-s390x"
-#define DATE "built on: Sun Jul 27 00:55:49 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:20:07 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/linux64-s390x/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/linux64-s390x/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/linux64-s390x/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/linux64-s390x/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/solaris-x86-gcc/asm/configdata.pm b/deps/openssl/config/archs/solaris-x86-gcc/asm/configdata.pm
index 127a326414efbe..2f52da41b6183c 100644
--- a/deps/openssl/config/archs/solaris-x86-gcc/asm/configdata.pm
+++ b/deps/openssl/config/archs/solaris-x86-gcc/asm/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -234,7 +234,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -287,11 +287,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "solaris-x86-gcc",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/solaris-x86-gcc/asm/crypto/buildinf.h b/deps/openssl/config/archs/solaris-x86-gcc/asm/crypto/buildinf.h
index 2160113328025d..0eb94140bb6725 100644
--- a/deps/openssl/config/archs/solaris-x86-gcc/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/solaris-x86-gcc/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: solaris-x86-gcc"
-#define DATE "built on: Sun Jul 27 00:56:51 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:21:08 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/solaris-x86-gcc/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/solaris-x86-gcc/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/solaris-x86-gcc/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/solaris-x86-gcc/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/configdata.pm b/deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/configdata.pm
index 78539510388cfa..3c76b4f54580cb 100644
--- a/deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -234,7 +234,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -287,11 +287,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "solaris-x86-gcc",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/crypto/buildinf.h
index a0be49cdd11216..b052ece9659dd5 100644
--- a/deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: solaris-x86-gcc"
-#define DATE "built on: Sun Jul 27 00:57:08 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:21:25 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/solaris-x86-gcc/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/solaris-x86-gcc/no-asm/configdata.pm b/deps/openssl/config/archs/solaris-x86-gcc/no-asm/configdata.pm
index 0de7c911fa7bdc..f83e93a3ce75ce 100644
--- a/deps/openssl/config/archs/solaris-x86-gcc/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/solaris-x86-gcc/no-asm/configdata.pm
@@ -169,7 +169,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -233,7 +233,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -287,11 +287,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "solaris-x86-gcc",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/solaris-x86-gcc/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/solaris-x86-gcc/no-asm/crypto/buildinf.h
index f368489dd847a2..ee81898e193328 100644
--- a/deps/openssl/config/archs/solaris-x86-gcc/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/solaris-x86-gcc/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: solaris-x86-gcc"
-#define DATE "built on: Sun Jul 27 00:57:24 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:21:41 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/solaris-x86-gcc/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/solaris-x86-gcc/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/solaris-x86-gcc/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/solaris-x86-gcc/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/solaris64-x86_64-gcc/asm/configdata.pm b/deps/openssl/config/archs/solaris64-x86_64-gcc/asm/configdata.pm
index d72adc92f11fb8..fcdd3686e3c90d 100644
--- a/deps/openssl/config/archs/solaris64-x86_64-gcc/asm/configdata.pm
+++ b/deps/openssl/config/archs/solaris64-x86_64-gcc/asm/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -234,7 +234,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -287,11 +287,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "solaris64-x86_64-gcc",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/solaris64-x86_64-gcc/asm/crypto/buildinf.h b/deps/openssl/config/archs/solaris64-x86_64-gcc/asm/crypto/buildinf.h
index c794e3967bf87e..a2226dbb385145 100644
--- a/deps/openssl/config/archs/solaris64-x86_64-gcc/asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/solaris64-x86_64-gcc/asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: solaris64-x86_64-gcc"
-#define DATE "built on: Sun Jul 27 00:57:40 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:21:56 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/solaris64-x86_64-gcc/asm/include/openssl/opensslv.h b/deps/openssl/config/archs/solaris64-x86_64-gcc/asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/solaris64-x86_64-gcc/asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/solaris64-x86_64-gcc/asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/configdata.pm b/deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/configdata.pm
index 9d821bbb6756a8..930dcfb64b64c5 100644
--- a/deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/configdata.pm
+++ b/deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/configdata.pm
@@ -171,7 +171,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -234,7 +234,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -287,11 +287,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "solaris64-x86_64-gcc",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/crypto/buildinf.h b/deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/crypto/buildinf.h
index 21f10134144a82..c0a09163fada76 100644
--- a/deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/crypto/buildinf.h
+++ b/deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: solaris64-x86_64-gcc"
-#define DATE "built on: Sun Jul 27 00:58:04 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:22:20 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/include/openssl/opensslv.h b/deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/solaris64-x86_64-gcc/asm_avx2/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/configdata.pm b/deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/configdata.pm
index 945fd59a70bb80..1e03acb0fcd87c 100644
--- a/deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/configdata.pm
+++ b/deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/configdata.pm
@@ -169,7 +169,7 @@ our %config = (
     ],
     "dynamic_engines" => "0",
     "ex_libs" => [],
-    "full_version" => "3.5.1",
+    "full_version" => "3.5.2",
     "includes" => [],
     "lflags" => [],
     "lib_defines" => [
@@ -233,7 +233,7 @@ our %config = (
     "openssl_sys_defines" => [],
     "openssldir" => "",
     "options" => "enable-ssl-trace enable-fips no-afalgeng no-asan no-asm no-brotli no-brotli-dynamic no-buildtest-c++ no-comp no-crypto-mdebug no-crypto-mdebug-backtrace no-demos no-devcryptoeng no-dynamic-engine no-ec_nistp_64_gcc_128 no-egd no-external-tests no-fips-jitter no-fuzz-afl no-fuzz-libfuzzer no-h3demo no-hqinterop no-jitter no-ktls no-loadereng no-md2 no-msan no-pie no-rc5 no-sctp no-shared no-ssl3 no-ssl3-method no-sslkeylog no-tfo no-trace no-ubsan no-unit-test no-uplink no-weak-ssl-ciphers no-winstore no-zlib no-zlib-dynamic no-zstd no-zstd-dynamic",
-    "patch" => "1",
+    "patch" => "2",
     "perl_archname" => "x86_64-linux-gnu-thread-multi",
     "perl_cmd" => "/usr/bin/perl",
     "perl_version" => "5.34.0",
@@ -287,11 +287,11 @@ our %config = (
     "prerelease" => "",
     "processor" => "",
     "rc4_int" => "unsigned int",
-    "release_date" => "1 Jul 2025",
+    "release_date" => "5 Aug 2025",
     "shlib_version" => "3",
     "sourcedir" => ".",
     "target" => "solaris64-x86_64-gcc",
-    "version" => "3.5.1"
+    "version" => "3.5.2"
 );
 our %target = (
     "AR" => "ar",
diff --git a/deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/crypto/buildinf.h b/deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/crypto/buildinf.h
index 73514bcc453eac..6e391a5fd999b2 100644
--- a/deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/crypto/buildinf.h
+++ b/deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/crypto/buildinf.h
@@ -11,7 +11,7 @@
  */
 
 #define PLATFORM "platform: solaris64-x86_64-gcc"
-#define DATE "built on: Sun Jul 27 00:58:24 2025 UTC"
+#define DATE "built on: Tue Aug  5 17:22:40 2025 UTC"
 
 /*
  * Generate compiler_flags as an array of individual characters. This is a
diff --git a/deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/include/openssl/opensslv.h b/deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/include/openssl/opensslv.h
index dd50d89cb9982d..71a357701fd5e3 100644
--- a/deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/include/openssl/opensslv.h
+++ b/deps/openssl/config/archs/solaris64-x86_64-gcc/no-asm/include/openssl/opensslv.h
@@ -29,7 +29,7 @@ extern "C" {
  */
 # define OPENSSL_VERSION_MAJOR  3
 # define OPENSSL_VERSION_MINOR  5
-# define OPENSSL_VERSION_PATCH  1
+# define OPENSSL_VERSION_PATCH  2
 
 /*
  * Additional version information
@@ -74,21 +74,21 @@ extern "C" {
  * longer variant with OPENSSL_VERSION_PRE_RELEASE_STR and
  * OPENSSL_VERSION_BUILD_METADATA_STR appended.
  */
-# define OPENSSL_VERSION_STR "3.5.1"
-# define OPENSSL_FULL_VERSION_STR "3.5.1"
+# define OPENSSL_VERSION_STR "3.5.2"
+# define OPENSSL_FULL_VERSION_STR "3.5.2"
 
 /*
  * SECTION 3: ADDITIONAL METADATA
  *
  * These strings are defined separately to allow them to be parsable.
  */
-# define OPENSSL_RELEASE_DATE "1 Jul 2025"
+# define OPENSSL_RELEASE_DATE "5 Aug 2025"
 
 /*
  * SECTION 4: BACKWARD COMPATIBILITY
  */
 
-# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.1 1 Jul 2025"
+# define OPENSSL_VERSION_TEXT "OpenSSL 3.5.2 5 Aug 2025"
 
 /* Synthesize OPENSSL_VERSION_NUMBER with the layout 0xMNN00PPSL */
 # ifdef OPENSSL_VERSION_PRE_RELEASE
diff --git a/deps/openssl/openssl/CHANGES.md b/deps/openssl/openssl/CHANGES.md
index 2978ebfa2d1072..c9682a863ff68e 100644
--- a/deps/openssl/openssl/CHANGES.md
+++ b/deps/openssl/openssl/CHANGES.md
@@ -28,6 +28,13 @@ OpenSSL Releases
 OpenSSL 3.5
 -----------
 
+### Changes between 3.5.1 and 3.5.2 [5 Aug 2025]
+
+ * The FIPS provider now performs a PCT on key import for RSA, EC and ECX.
+   This is mandated by FIPS 140-3 IG 10.3.A additional comment 1.
+
+   *Dr Paul Dale*
+
 ### Changes between 3.5.0 and 3.5.1 [1 Jul 2025]
 
  * Fix x509 application adds trusted use instead of rejected use.
diff --git a/deps/openssl/openssl/NEWS.md b/deps/openssl/openssl/NEWS.md
index e5fe94779035eb..0d7cf139fa2d1d 100644
--- a/deps/openssl/openssl/NEWS.md
+++ b/deps/openssl/openssl/NEWS.md
@@ -23,6 +23,10 @@ OpenSSL Releases
 OpenSSL 3.5
 -----------
 
+### Major changes between OpenSSL 3.5.1 and OpenSSL 3.5.2 [5 Aug 2025]
+
+  * none
+
 ### Major changes between OpenSSL 3.5.0 and OpenSSL 3.5.1 [1 Jul 2025]
 
 OpenSSL 3.5.1 is a security patch release. The most severe CVE fixed in this
diff --git a/deps/openssl/openssl/VERSION.dat b/deps/openssl/openssl/VERSION.dat
index f931934a197243..a5925c8d5338e7 100644
--- a/deps/openssl/openssl/VERSION.dat
+++ b/deps/openssl/openssl/VERSION.dat
@@ -1,7 +1,7 @@
 MAJOR=3
 MINOR=5
-PATCH=1
+PATCH=2
 PRE_RELEASE_TAG=
 BUILD_METADATA=
-RELEASE_DATE="1 Jul 2025"
+RELEASE_DATE="5 Aug 2025"
 SHLIB_VERSION=3
diff --git a/deps/openssl/openssl/apps/asn1parse.c b/deps/openssl/openssl/apps/asn1parse.c
index 4f882396d03d71..4540d5f5fb6e91 100644
--- a/deps/openssl/openssl/apps/asn1parse.c
+++ b/deps/openssl/openssl/apps/asn1parse.c
@@ -40,8 +40,8 @@ const OPTIONS asn1parse_options[] = {
     {"length", OPT_LENGTH, 'p', "length of section in file"},
     {"strparse", OPT_STRPARSE, 'p',
      "offset; a series of these can be used to 'dig'"},
-    {"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"},
     {OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"},
+    {"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"},
     {"genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from"},
     {"strictpem", OPT_STRICTPEM, 0,
      "equivalent to '-inform pem' (obsolete)"},
diff --git a/deps/openssl/openssl/apps/rand.c b/deps/openssl/openssl/apps/rand.c
index b123a151ea74ce..da747c1783e47b 100644
--- a/deps/openssl/openssl/apps/rand.c
+++ b/deps/openssl/openssl/apps/rand.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1998-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1998-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -199,7 +199,7 @@ int rand_main(int argc, char **argv)
         int chunk;
 
         chunk = scaled_num > buflen ? (int)buflen : (int)scaled_num;
-        r = RAND_bytes(buf, chunk);
+        r = RAND_bytes_ex(app_get0_libctx(), buf, chunk, 0);
         if (r <= 0)
             goto end;
         if (format != FORMAT_TEXT) {
diff --git a/deps/openssl/openssl/crypto/dh/dh_check.c b/deps/openssl/openssl/crypto/dh/dh_check.c
index ae23f61839eab3..2d899dc96f674b 100644
--- a/deps/openssl/openssl/crypto/dh/dh_check.c
+++ b/deps/openssl/openssl/crypto/dh/dh_check.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -16,6 +16,7 @@
 #include <stdio.h>
 #include "internal/cryptlib.h"
 #include <openssl/bn.h>
+#include <openssl/self_test.h>
 #include "dh_local.h"
 #include "crypto/dh.h"
 
@@ -329,17 +330,27 @@ int ossl_dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret)
  * FFC pairwise check from SP800-56A R3.
  *    Section 5.6.2.1.4 Owner Assurance of Pair-wise Consistency
  */
-int ossl_dh_check_pairwise(const DH *dh)
+int ossl_dh_check_pairwise(const DH *dh, int return_on_null_numbers)
 {
     int ret = 0;
     BN_CTX *ctx = NULL;
     BIGNUM *pub_key = NULL;
+    OSSL_SELF_TEST *st = NULL;
+    OSSL_CALLBACK *stcb = NULL;
+    void *stcbarg = NULL;
 
     if (dh->params.p == NULL
         || dh->params.g == NULL
         || dh->priv_key == NULL
         || dh->pub_key == NULL)
-        return 0;
+        return return_on_null_numbers;
+
+    OSSL_SELF_TEST_get_callback(dh->libctx, &stcb, &stcbarg);
+    st = OSSL_SELF_TEST_new(stcb, stcbarg);
+    if (st == NULL)
+        goto err;
+    OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT,
+                           OSSL_SELF_TEST_DESC_PCT_DH);
 
     ctx = BN_CTX_new_ex(dh->libctx);
     if (ctx == NULL)
@@ -351,10 +362,27 @@ int ossl_dh_check_pairwise(const DH *dh)
     /* recalculate the public key = (g ^ priv) mod p */
     if (!ossl_dh_generate_public_key(ctx, dh, dh->priv_key, pub_key))
         goto err;
+
+#ifdef FIPS_MODULE
+    {
+        int len;
+        unsigned char bytes[1024] = {0};    /* Max key size of 8192 bits */
+
+        if (BN_num_bytes(pub_key) > (int)sizeof(bytes))
+            goto err;
+        len = BN_bn2bin(pub_key, bytes);
+        OSSL_SELF_TEST_oncorrupt_byte(st, bytes);
+        if (BN_bin2bn(bytes, len, pub_key) == NULL)
+            goto err;
+    }
+#endif
     /* check it matches the existing public_key */
     ret = BN_cmp(pub_key, dh->pub_key) == 0;
-err:
+ err:
     BN_free(pub_key);
     BN_CTX_free(ctx);
+
+    OSSL_SELF_TEST_onend(st, ret);
+    OSSL_SELF_TEST_free(st);
     return ret;
 }
diff --git a/deps/openssl/openssl/crypto/encode_decode/decoder_lib.c b/deps/openssl/openssl/crypto/encode_decode/decoder_lib.c
index ffcf3cde115581..dedfb24e569e2f 100644
--- a/deps/openssl/openssl/crypto/encode_decode/decoder_lib.c
+++ b/deps/openssl/openssl/crypto/encode_decode/decoder_lib.c
@@ -537,6 +537,14 @@ static void collect_extra_decoder(OSSL_DECODER *decoder, void *arg)
     }
 }
 
+static int decoder_sk_cmp(const OSSL_DECODER_INSTANCE *const *a,
+                          const OSSL_DECODER_INSTANCE *const *b)
+{
+    if ((*a)->score == (*b)->score)
+        return (*a)->order - (*b)->order;
+    return (*a)->score - (*b)->score;
+}
+
 int OSSL_DECODER_CTX_add_extra(OSSL_DECODER_CTX *ctx,
                                OSSL_LIB_CTX *libctx, const char *propq)
 {
@@ -595,6 +603,26 @@ int OSSL_DECODER_CTX_add_extra(OSSL_DECODER_CTX *ctx,
     OSSL_DECODER_do_all_provided(libctx, collect_all_decoders, skdecoders);
     numdecoders = sk_OSSL_DECODER_num(skdecoders);
 
+    /*
+     * If there are provided or default properties, sort the initial decoder list
+     * by property matching score so that the highest scored provider is selected
+     * first.
+     */
+    if (propq != NULL || ossl_ctx_global_properties(libctx, 0) != NULL) {
+        int num_decoder_insts = sk_OSSL_DECODER_INSTANCE_num(ctx->decoder_insts);
+        int i;
+        OSSL_DECODER_INSTANCE *di;
+        sk_OSSL_DECODER_INSTANCE_compfunc old_cmp =
+            sk_OSSL_DECODER_INSTANCE_set_cmp_func(ctx->decoder_insts, decoder_sk_cmp);
+
+        for (i = 0; i < num_decoder_insts; i++) {
+            di = sk_OSSL_DECODER_INSTANCE_value(ctx->decoder_insts, i);
+            di->order = i;
+        }
+        sk_OSSL_DECODER_INSTANCE_sort(ctx->decoder_insts);
+        sk_OSSL_DECODER_INSTANCE_set_cmp_func(ctx->decoder_insts, old_cmp);
+    }
+
     memset(&data, 0, sizeof(data));
     data.ctx = ctx;
     data.w_prev_start = 0;
diff --git a/deps/openssl/openssl/crypto/encode_decode/decoder_pkey.c b/deps/openssl/openssl/crypto/encode_decode/decoder_pkey.c
index f99566bde7441c..9fc4e231233121 100644
--- a/deps/openssl/openssl/crypto/encode_decode/decoder_pkey.c
+++ b/deps/openssl/openssl/crypto/encode_decode/decoder_pkey.c
@@ -222,15 +222,21 @@ struct collect_data_st {
     int total;      /* number of matching results */
     char error_occurred;
     char keytype_resolved;
+    OSSL_PROPERTY_LIST *pq;
 
     STACK_OF(EVP_KEYMGMT) *keymgmts;
 };
 
-static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,
-                                    void *provctx, struct collect_data_st *data)
+/*
+ * Add decoder instance to the decoder context if it is compatible. Returns 1
+ * if a decoder was added, 0 otherwise.
+ */
+static int collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,
+                                   void *provctx, struct collect_data_st *data)
 {
     void *decoderctx = NULL;
     OSSL_DECODER_INSTANCE *di = NULL;
+    const OSSL_PROPERTY_LIST *props;
 
     /*
      * We already checked the EVP_KEYMGMT is applicable in check_keymgmt so we
@@ -239,17 +245,17 @@ static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,
 
     if (keymgmt->name_id != decoder->base.id)
         /* Mismatch is not an error, continue. */
-        return;
+        return 0;
 
     if ((decoderctx = decoder->newctx(provctx)) == NULL) {
         data->error_occurred = 1;
-        return;
+        return 0;
     }
 
     if ((di = ossl_decoder_instance_new(decoder, decoderctx)) == NULL) {
         decoder->freectx(decoderctx);
         data->error_occurred = 1;
-        return;
+        return 0;
     }
 
     /*
@@ -263,7 +269,7 @@ static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,
             || OPENSSL_strcasecmp(data->ctx->start_input_type, "PEM") != 0)) {
         /* Mismatch is not an error, continue. */
         ossl_decoder_instance_free(di);
-        return;
+        return 0;
     }
 
     OSSL_TRACE_BEGIN(DECODER) {
@@ -275,13 +281,30 @@ static void collect_decoder_keymgmt(EVP_KEYMGMT *keymgmt, OSSL_DECODER *decoder,
                    OSSL_DECODER_get0_properties(decoder));
     } OSSL_TRACE_END(DECODER);
 
+    /*
+     * Get the property match score so the decoders can be prioritized later.
+     */
+    props = ossl_decoder_parsed_properties(decoder);
+    if (data->pq != NULL && props != NULL) {
+        di->score = ossl_property_match_count(data->pq, props);
+        /*
+         * Mismatch of mandatory properties is not an error, the decoder is just
+         * ignored, continue.
+         */
+        if (di->score < 0) {
+            ossl_decoder_instance_free(di);
+            return 0;
+        }
+    }
+
     if (!ossl_decoder_ctx_add_decoder_inst(data->ctx, di)) {
         ossl_decoder_instance_free(di);
         data->error_occurred = 1;
-        return;
+        return 0;
     }
 
     ++data->total;
+    return 1;
 }
 
 static void collect_decoder(OSSL_DECODER *decoder, void *arg)
@@ -321,7 +344,9 @@ static void collect_decoder(OSSL_DECODER *decoder, void *arg)
     for (i = 0; i < end_i; ++i) {
         keymgmt = sk_EVP_KEYMGMT_value(keymgmts, i);
 
-        collect_decoder_keymgmt(keymgmt, decoder, provctx, data);
+        /* Only add this decoder once */
+        if (collect_decoder_keymgmt(keymgmt, decoder, provctx, data))
+            break;
         if (data->error_occurred)
             return;
     }
@@ -407,6 +432,8 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx,
     struct decoder_pkey_data_st *process_data = NULL;
     struct collect_data_st collect_data = { NULL };
     STACK_OF(EVP_KEYMGMT) *keymgmts = NULL;
+    OSSL_PROPERTY_LIST **plp;
+    OSSL_PROPERTY_LIST *pq = NULL, *p2 = NULL;
 
     OSSL_TRACE_BEGIN(DECODER) {
         const char *input_type = ctx->start_input_type;
@@ -442,6 +469,25 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx,
     process_data->selection = ctx->selection;
     process_data->keymgmts  = keymgmts;
 
+    /*
+     * Collect passed and default properties to prioritize the decoders.
+     */
+    if (propquery != NULL)
+        p2 = pq = ossl_parse_query(libctx, propquery, 1);
+
+    plp = ossl_ctx_global_properties(libctx, 0);
+    if (plp != NULL && *plp != NULL) {
+        if (pq == NULL) {
+            pq = *plp;
+        } else {
+            p2 = ossl_property_merge(pq, *plp);
+            ossl_property_free(pq);
+            if (p2 == NULL)
+                goto err;
+            pq = p2;
+        }
+    }
+
     /*
      * Enumerate all keymgmts into a stack.
      *
@@ -457,10 +503,11 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx,
      * upfront, as this ensures that the names for all loaded providers have
      * been registered by the time we try to resolve the keytype string.
      */
-    collect_data.ctx        = ctx;
-    collect_data.libctx     = libctx;
-    collect_data.keymgmts   = keymgmts;
-    collect_data.keytype    = keytype;
+    collect_data.ctx            = ctx;
+    collect_data.libctx         = libctx;
+    collect_data.keymgmts       = keymgmts;
+    collect_data.keytype        = keytype;
+    collect_data.pq             = pq;
     EVP_KEYMGMT_do_all_provided(libctx, collect_keymgmt, &collect_data);
 
     if (collect_data.error_occurred)
@@ -496,6 +543,7 @@ static int ossl_decoder_ctx_setup_for_pkey(OSSL_DECODER_CTX *ctx,
     ok = 1;
  err:
     decoder_clean_pkey_construct_arg(process_data);
+    ossl_property_free(p2);
     return ok;
 }
 
diff --git a/deps/openssl/openssl/crypto/encode_decode/encoder_local.h b/deps/openssl/openssl/crypto/encode_decode/encoder_local.h
index a2846d309ea8aa..11e52cfeec75d4 100644
--- a/deps/openssl/openssl/crypto/encode_decode/encoder_local.h
+++ b/deps/openssl/openssl/crypto/encode_decode/encoder_local.h
@@ -109,6 +109,8 @@ struct ossl_decoder_instance_st {
     const char *input_type;      /* Never NULL */
     const char *input_structure; /* May be NULL */
     int input_type_id;
+    int order;                   /* For stable ordering of decoders wrt proqs */
+    int score;                   /* For ordering decoders wrt proqs */
 
     unsigned int flag_input_structure_was_set : 1;
 };
diff --git a/deps/openssl/openssl/crypto/evp/asymcipher.c b/deps/openssl/openssl/crypto/evp/asymcipher.c
index 975170c0aa0941..c97ce338fdf851 100644
--- a/deps/openssl/openssl/crypto/evp/asymcipher.c
+++ b/deps/openssl/openssl/crypto/evp/asymcipher.c
@@ -261,10 +261,12 @@ int EVP_PKEY_encrypt(EVP_PKEY_CTX *ctx,
 
     cipher = ctx->op.ciph.cipher;
     desc = cipher->description != NULL ? cipher->description : "";
+    ERR_set_mark();
     ret = cipher->encrypt(ctx->op.ciph.algctx, out, outlen, (out == NULL ? 0 : *outlen), in, inlen);
-    if (ret <= 0)
+    if (ret <= 0 && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE,
                        "%s encrypt:%s", cipher->type_name, desc);
+    ERR_clear_last_mark();
     return ret;
 
  legacy:
@@ -309,10 +311,12 @@ int EVP_PKEY_decrypt(EVP_PKEY_CTX *ctx,
 
     cipher = ctx->op.ciph.cipher;
     desc = cipher->description != NULL ? cipher->description : "";
+    ERR_set_mark();
     ret = cipher->decrypt(ctx->op.ciph.algctx, out, outlen, (out == NULL ? 0 : *outlen), in, inlen);
-    if (ret <= 0)
+    if (ret <= 0 && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_ASYM_CIPHER_FAILURE,
                        "%s decrypt:%s", cipher->type_name, desc);
+    ERR_clear_last_mark();
 
     return ret;
 
diff --git a/deps/openssl/openssl/crypto/evp/keymgmt_meth.c b/deps/openssl/openssl/crypto/evp/keymgmt_meth.c
index f54684852b7c24..f57153b2c1a1de 100644
--- a/deps/openssl/openssl/crypto/evp/keymgmt_meth.c
+++ b/deps/openssl/openssl/crypto/evp/keymgmt_meth.c
@@ -460,10 +460,12 @@ void *evp_keymgmt_gen(const EVP_KEYMGMT *keymgmt, void *genctx,
         return NULL;
     }
 
+    ERR_set_mark();
     ret = keymgmt->gen(genctx, cb, cbarg);
-    if (ret == NULL)
+    if (ret == NULL && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_KEYMGMT_FAILURE,
                        "%s key generation:%s", keymgmt->type_name, desc);
+    ERR_clear_last_mark();
     return ret;
 }
 
diff --git a/deps/openssl/openssl/crypto/evp/m_sigver.c b/deps/openssl/openssl/crypto/evp/m_sigver.c
index d5df497da77014..c27ed6dbe9b26f 100644
--- a/deps/openssl/openssl/crypto/evp/m_sigver.c
+++ b/deps/openssl/openssl/crypto/evp/m_sigver.c
@@ -426,10 +426,12 @@ int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
         return 0;
     }
 
+    ERR_set_mark();
     ret = signature->digest_sign_update(pctx->op.sig.algctx, data, dsize);
-    if (ret <= 0)
+    if (ret <= 0 && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                        "%s digest_sign_update:%s", signature->type_name, desc);
+    ERR_clear_last_mark();
     return ret;
 
  legacy:
@@ -470,10 +472,12 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize)
         return 0;
     }
 
+    ERR_set_mark();
     ret = signature->digest_verify_update(pctx->op.sig.algctx, data, dsize);
-    if (ret <= 0)
+    if (ret <= 0 && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                        "%s digest_verify_update:%s", signature->type_name, desc);
+    ERR_clear_last_mark();
     return ret;
 
  legacy:
@@ -523,11 +527,13 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret,
             pctx = dctx;
     }
 
+    ERR_set_mark();
     r = signature->digest_sign_final(pctx->op.sig.algctx, sigret, siglen,
                                      sigret == NULL ? 0 : *siglen);
-    if (!r)
+    if (!r && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                        "%s digest_sign_final:%s", signature->type_name, desc);
+    ERR_clear_last_mark();
     if (dctx == NULL && sigret != NULL)
         ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
     else
@@ -634,11 +640,13 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
 
             if (sigret != NULL)
                 ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
+            ERR_set_mark();
             ret = signature->digest_sign(pctx->op.sig.algctx, sigret, siglen,
                                          sigret == NULL ? 0 : *siglen, tbs, tbslen);
-            if (ret <= 0)
+            if (ret <= 0 && ERR_count_to_mark() == 0)
                 ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                                "%s digest_sign:%s", signature->type_name, desc);
+            ERR_clear_last_mark();
             return ret;
         }
     } else {
@@ -689,10 +697,12 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig,
             pctx = dctx;
     }
 
+    ERR_set_mark();
     r = signature->digest_verify_final(pctx->op.sig.algctx, sig, siglen);
-    if (!r)
+    if (!r && ERR_count_to_mark() == 0)
         ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                        "%s digest_verify_final:%s", signature->type_name, desc);
+    ERR_clear_last_mark();
     if (dctx == NULL)
         ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
     else
@@ -765,10 +775,12 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret,
             int ret;
 
             ctx->flags |= EVP_MD_CTX_FLAG_FINALISED;
+            ERR_set_mark();
             ret = signature->digest_verify(pctx->op.sig.algctx, sigret, siglen, tbs, tbslen);
-            if (ret <= 0)
+            if (ret <= 0 && ERR_count_to_mark() == 0)
                 ERR_raise_data(ERR_LIB_EVP, EVP_R_PROVIDER_SIGNATURE_FAILURE,
                                "%s digest_verify:%s", signature->type_name, desc);
+            ERR_clear_last_mark();
             return ret;
         }
     } else {
diff --git a/deps/openssl/openssl/crypto/provider_core.c b/deps/openssl/openssl/crypto/provider_core.c
index 0b675946485c5a..ce5cf36eef9ddc 100644
--- a/deps/openssl/openssl/crypto/provider_core.c
+++ b/deps/openssl/openssl/crypto/provider_core.c
@@ -2419,6 +2419,11 @@ static int core_pop_error_to_mark(const OSSL_CORE_HANDLE *handle)
     return ERR_pop_to_mark();
 }
 
+static int core_count_to_mark(const OSSL_CORE_HANDLE *handle)
+{
+    return ERR_count_to_mark();
+}
+
 static void core_indicator_get_callback(OPENSSL_CORE_CTX *libctx,
                                         OSSL_INDICATOR_CALLBACK **cb)
 {
@@ -2600,6 +2605,7 @@ static const OSSL_DISPATCH core_dispatch_[] = {
     { OSSL_FUNC_CORE_CLEAR_LAST_ERROR_MARK,
       (void (*)(void))core_clear_last_error_mark },
     { OSSL_FUNC_CORE_POP_ERROR_TO_MARK, (void (*)(void))core_pop_error_to_mark },
+    { OSSL_FUNC_CORE_COUNT_TO_MARK, (void (*)(void))core_count_to_mark },
     { OSSL_FUNC_BIO_NEW_FILE, (void (*)(void))ossl_core_bio_new_file },
     { OSSL_FUNC_BIO_NEW_MEMBUF, (void (*)(void))ossl_core_bio_new_mem_buf },
     { OSSL_FUNC_BIO_READ_EX, (void (*)(void))ossl_core_bio_read_ex },
diff --git a/deps/openssl/openssl/crypto/rsa/rsa_gen.c b/deps/openssl/openssl/crypto/rsa/rsa_gen.c
index f76bb7748369fd..32084a822cac4e 100644
--- a/deps/openssl/openssl/crypto/rsa/rsa_gen.c
+++ b/deps/openssl/openssl/crypto/rsa/rsa_gen.c
@@ -734,3 +734,18 @@ static int rsa_keygen_pairwise_test(RSA *rsa, OSSL_CALLBACK *cb, void *cbarg)
 
     return ret;
 }
+
+#ifdef FIPS_MODULE
+int ossl_rsa_key_pairwise_test(RSA *rsa)
+{
+    OSSL_CALLBACK *stcb;
+    void *stcbarg;
+    int res;
+
+    OSSL_SELF_TEST_get_callback(rsa->libctx, &stcb, &stcbarg);
+    res = rsa_keygen_pairwise_test(rsa, stcb, stcbarg);
+    if (res <= 0)
+        ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
+    return res;
+}
+#endif  /* FIPS_MODULE */
diff --git a/deps/openssl/openssl/crypto/slh_dsa/slh_hash.c b/deps/openssl/openssl/crypto/slh_dsa/slh_hash.c
index 6a8d6bab03c136..8eb8ab4e860464 100644
--- a/deps/openssl/openssl/crypto/slh_dsa/slh_hash.c
+++ b/deps/openssl/openssl/crypto/slh_dsa/slh_hash.c
@@ -158,6 +158,9 @@ slh_hmsg_sha2(SLH_DSA_HASH_CTX *hctx, const uint8_t *r, const uint8_t *pk_seed,
     int sz = EVP_MD_get_size(hctx->key->md_big);
     size_t seed_len = (size_t)sz + 2 * n;
 
+    if (sz <= 0)
+        return 0;
+
     memcpy(seed, r, n);
     memcpy(seed + n, pk_seed, n);
     return digest_4(hctx->md_big_ctx, r, n, pk_seed, n, pk_root, n, msg, msg_len,
diff --git a/deps/openssl/openssl/crypto/sm2/sm2_sign.c b/deps/openssl/openssl/crypto/sm2/sm2_sign.c
index 28cf95cc48c9d3..7c49128b47dbeb 100644
--- a/deps/openssl/openssl/crypto/sm2/sm2_sign.c
+++ b/deps/openssl/openssl/crypto/sm2/sm2_sign.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2017-2025 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright 2017 Ribose Inc. All Rights Reserved.
  * Ported from Ribose contributions from Botan.
  *
@@ -220,6 +220,10 @@ static ECDSA_SIG *sm2_sig_gen(const EC_KEY *key, const BIGNUM *e)
     BIGNUM *tmp = NULL;
     OSSL_LIB_CTX *libctx = ossl_ec_key_get_libctx(key);
 
+    if (dA == NULL) {
+        ERR_raise(ERR_LIB_SM2, SM2_R_INVALID_PRIVATE_KEY);
+        goto done;
+    }
     kG = EC_POINT_new(group);
     if (kG == NULL) {
         ERR_raise(ERR_LIB_SM2, ERR_R_EC_LIB);
diff --git a/deps/openssl/openssl/crypto/store/store_lib.c b/deps/openssl/openssl/crypto/store/store_lib.c
index 505d606f4a9bac..ebf170c3e8f165 100644
--- a/deps/openssl/openssl/crypto/store/store_lib.c
+++ b/deps/openssl/openssl/crypto/store/store_lib.c
@@ -428,12 +428,6 @@ OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx)
     if (ctx->loader != NULL)
         OSSL_TRACE(STORE, "Loading next object\n");
 
-    if (ctx->cached_info != NULL
-        && sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) {
-        sk_OSSL_STORE_INFO_free(ctx->cached_info);
-        ctx->cached_info = NULL;
-    }
-
     if (ctx->cached_info != NULL) {
         v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
     } else {
@@ -556,14 +550,23 @@ int OSSL_STORE_error(OSSL_STORE_CTX *ctx)
 
 int OSSL_STORE_eof(OSSL_STORE_CTX *ctx)
 {
-    int ret = 1;
+    int ret = 0;
 
-    if (ctx->fetched_loader != NULL)
-        ret = ctx->loader->p_eof(ctx->loader_ctx);
+    if (ctx->cached_info != NULL
+        && sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) {
+        sk_OSSL_STORE_INFO_free(ctx->cached_info);
+        ctx->cached_info = NULL;
+    }
+
+    if (ctx->cached_info == NULL) {
+        ret = 1;
+        if (ctx->fetched_loader != NULL)
+            ret = ctx->loader->p_eof(ctx->loader_ctx);
 #ifndef OPENSSL_NO_DEPRECATED_3_0
-    if (ctx->fetched_loader == NULL)
-        ret = ctx->loader->eof(ctx->loader_ctx);
+        if (ctx->fetched_loader == NULL)
+            ret = ctx->loader->eof(ctx->loader_ctx);
 #endif
+    }
     return ret != 0;
 }
 
diff --git a/deps/openssl/openssl/crypto/x509/x_crl.c b/deps/openssl/openssl/crypto/x509/x_crl.c
index 2601a019f87e3f..7af3e9a7e7f2c6 100644
--- a/deps/openssl/openssl/crypto/x509/x_crl.c
+++ b/deps/openssl/openssl/crypto/x509/x_crl.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -289,6 +289,7 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
 static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp)
 {
     int idp_only = 0;
+    int ret = 0;
 
     /* Set various flags according to IDP */
     crl->idp_flags |= IDP_PRESENT;
@@ -320,7 +321,17 @@ static int setup_idp(X509_CRL *crl, ISSUING_DIST_POINT *idp)
         crl->idp_reasons &= CRLDP_ALL_REASONS;
     }
 
-    return DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl));
+    ret = DIST_POINT_set_dpname(idp->distpoint, X509_CRL_get_issuer(crl));
+
+    /*
+     * RFC5280 specifies that if onlyContainsUserCerts, onlyContainsCACerts,
+     * indirectCRL, and OnlyContainsAttributeCerts are all FALSE, there must
+     * be either a distributionPoint field or an onlySomeReasons field present.
+     */
+    if (crl->idp_flags == IDP_PRESENT && idp->distpoint == NULL)
+        crl->idp_flags |= IDP_INVALID;
+
+    return ret;
 }
 
 ASN1_SEQUENCE_ref(X509_CRL, crl_cb) = {
diff --git a/deps/openssl/openssl/fuzz/dtlsserver.c b/deps/openssl/openssl/fuzz/dtlsserver.c
index 68ddb1e6e6834f..7ea57ea0533681 100644
--- a/deps/openssl/openssl/fuzz/dtlsserver.c
+++ b/deps/openssl/openssl/fuzz/dtlsserver.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -590,10 +590,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     SSL *server;
     BIO *in;
     BIO *out;
-#if !defined(OPENSSL_NO_EC)                     \
-    || (!defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DEPRECATED_3_0))
     BIO *bio_buf;
-#endif
     SSL_CTX *ctx;
     int ret;
 #ifndef OPENSSL_NO_DEPRECATED_3_0
diff --git a/deps/openssl/openssl/include/crypto/dh.h b/deps/openssl/openssl/include/crypto/dh.h
index 51232d18c2446b..b4a4a3c1fae8d2 100644
--- a/deps/openssl/openssl/include/crypto/dh.h
+++ b/deps/openssl/openssl/include/crypto/dh.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2020-2022 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2020-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -42,7 +42,7 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh);
 
 int ossl_dh_check_pub_key_partial(const DH *dh, const BIGNUM *pub_key, int *ret);
 int ossl_dh_check_priv_key(const DH *dh, const BIGNUM *priv_key, int *ret);
-int ossl_dh_check_pairwise(const DH *dh);
+int ossl_dh_check_pairwise(const DH *dh, int return_on_null_numbers);
 
 const DH_METHOD *ossl_dh_get_method(const DH *dh);
 
diff --git a/deps/openssl/openssl/include/crypto/rsa.h b/deps/openssl/openssl/include/crypto/rsa.h
index dcb465cbcae07b..ffbc95a778888a 100644
--- a/deps/openssl/openssl/include/crypto/rsa.h
+++ b/deps/openssl/openssl/include/crypto/rsa.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -124,6 +124,10 @@ ASN1_STRING *ossl_rsa_ctx_to_pss_string(EVP_PKEY_CTX *pkctx);
 int ossl_rsa_pss_to_ctx(EVP_MD_CTX *ctx, EVP_PKEY_CTX *pkctx,
                         const X509_ALGOR *sigalg, EVP_PKEY *pkey);
 
+# ifdef FIPS_MODULE
+int ossl_rsa_key_pairwise_test(RSA *rsa);
+# endif /* FIPS_MODULE */
+
 # if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)
 int ossl_rsa_acvp_test_gen_params_new(OSSL_PARAM **dst, const OSSL_PARAM src[]);
 void ossl_rsa_acvp_test_gen_params_free(OSSL_PARAM *dst);
diff --git a/deps/openssl/openssl/include/internal/quic_ackm.h b/deps/openssl/openssl/include/internal/quic_ackm.h
index c271dfca2e1db5..949d91903bb158 100644
--- a/deps/openssl/openssl/include/internal/quic_ackm.h
+++ b/deps/openssl/openssl/include/internal/quic_ackm.h
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -23,7 +23,7 @@ OSSL_ACKM *ossl_ackm_new(OSSL_TIME (*now)(void *arg),
                          void *now_arg,
                          OSSL_STATM *statm,
                          const OSSL_CC_METHOD *cc_method,
-                         OSSL_CC_DATA *cc_data);
+                         OSSL_CC_DATA *cc_data, int is_server);
 void ossl_ackm_free(OSSL_ACKM *ackm);
 
 void ossl_ackm_set_loss_detection_deadline_callback(OSSL_ACKM *ackm,
diff --git a/deps/openssl/openssl/include/openssl/core_dispatch.h b/deps/openssl/openssl/include/openssl/core_dispatch.h
index 690a38206a35e8..13de04e2622c49 100644
--- a/deps/openssl/openssl/include/openssl/core_dispatch.h
+++ b/deps/openssl/openssl/include/openssl/core_dispatch.h
@@ -253,6 +253,10 @@ OSSL_CORE_MAKE_FUNC(int, provider_up_ref,
 OSSL_CORE_MAKE_FUNC(int, provider_free,
                     (const OSSL_CORE_HANDLE *prov, int deactivate))
 
+/* Additional error functions provided by the core */
+# define OSSL_FUNC_CORE_COUNT_TO_MARK          120
+OSSL_CORE_MAKE_FUNC(int, core_count_to_mark, (const OSSL_CORE_HANDLE *prov))
+
 /* Functions provided by the provider to the Core, reserved numbers 1024-1535 */
 # define OSSL_FUNC_PROVIDER_TEARDOWN           1024
 OSSL_CORE_MAKE_FUNC(void, provider_teardown, (void *provctx))
diff --git a/deps/openssl/openssl/include/openssl/pem.h b/deps/openssl/openssl/include/openssl/pem.h
index 94424e6c209eb9..de1b6581f28f63 100644
--- a/deps/openssl/openssl/include/openssl/pem.h
+++ b/deps/openssl/openssl/include/openssl/pem.h
@@ -57,6 +57,7 @@ extern "C" {
 # define PEM_STRING_ECPRIVATEKEY "EC PRIVATE KEY"
 # define PEM_STRING_PARAMETERS   "PARAMETERS"
 # define PEM_STRING_CMS          "CMS"
+# define PEM_STRING_SM2PRIVATEKEY "SM2 PRIVATE KEY"
 # define PEM_STRING_SM2PARAMETERS "SM2 PARAMETERS"
 # define PEM_STRING_ACERT        "ATTRIBUTE CERTIFICATE"
 
diff --git a/deps/openssl/openssl/include/openssl/self_test.h b/deps/openssl/openssl/include/openssl/self_test.h
index 2d39e096eeab4b..c4439cb287155c 100644
--- a/deps/openssl/openssl/include/openssl/self_test.h
+++ b/deps/openssl/openssl/include/openssl/self_test.h
@@ -50,6 +50,7 @@ extern "C" {
 # define OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1  "RSA"
 # define OSSL_SELF_TEST_DESC_PCT_ECDSA      "ECDSA"
 # define OSSL_SELF_TEST_DESC_PCT_EDDSA      "EDDSA"
+# define OSSL_SELF_TEST_DESC_PCT_DH         "DH"
 # define OSSL_SELF_TEST_DESC_PCT_DSA        "DSA"
 # define OSSL_SELF_TEST_DESC_PCT_ML_DSA     "ML-DSA"
 # define OSSL_SELF_TEST_DESC_PCT_ML_KEM     "ML-KEM"
diff --git a/deps/openssl/openssl/providers/fips-sources.checksums b/deps/openssl/openssl/providers/fips-sources.checksums
index 9f25bac77f3e6e..04b820f1f1ece3 100644
--- a/deps/openssl/openssl/providers/fips-sources.checksums
+++ b/deps/openssl/openssl/providers/fips-sources.checksums
@@ -136,7 +136,7 @@ eeef5722ad56bf1af2ff71681bcc8b8525bc7077e973c98cee920ce9bcc66c81  crypto/des/ecb
 9549901d6f0f96cd17bd76c2b6cb33fb25641707bfdb8ed34aab250c34f7f4f6  crypto/des/set_key.c
 8344811b14d151f6cd40a7bc45c8f4a1106252b119c1d5e6a589a023f39b107d  crypto/des/spr.h
 a54b1b60cf48ca89dfb3f71d299794dd6c2e462c576b0fe583d1448f819c80ea  crypto/dh/dh_backend.c
-24cf9462da6632c52b726041271f8a43dfb3f74414abe460d9cc9c7fd2fd2d7d  crypto/dh/dh_check.c
+9db32c052fb3cf7c36ab8e642f4852c2fa68a7b6bae0e3b1746522f826827068  crypto/dh/dh_check.c
 c117ac4fd24369c7813ac9dc9685640700a82bb32b0f7e038e85afd6c8db75c7  crypto/dh/dh_gen.c
 6b17861887b2535159b9e6ca4f927767dad3e71b6e8be50055bc784f78e92d64  crypto/dh/dh_group_params.c
 a539a8930035fee3b723d74a1d13e931ff69a2b523c83d4a2d0d9db6c78ba902  crypto/dh/dh_kdf.c
@@ -204,7 +204,7 @@ a47d8541bb2cc180f4c7d3ac0f888657e17621b318ea8a2eacdefb1926efb500  crypto/ec/ecp_
 43f81968983e9a466b7dc9cffe64302418703f7a66adcbac4b7c4d8cb19c9af5  crypto/ec/ecx_backend.c
 5ee19c357c318b2948ff5d9118a626a6207af2b2eade7d8536051d4a522668d3  crypto/ec/ecx_backend.h
 2be4ca60082891bdc99f8c6ebc5392c1f0a7a53f0bcf18dcf5497a7aee0b9c84  crypto/ec/ecx_key.c
-73c956c97fd558b0fd267934657fb829fd8d9ab12dda2d96d3ca1521f0416ca8  crypto/evp/asymcipher.c
+c1f04d877f96f2d0852290e34b1994dd48222650ac1121903cee9c259fe3ebf2  crypto/evp/asymcipher.c
 80da494704c8fc54fea36e5de7100a6c2fdcc5f8c50f43ac477df5f56fa57e58  crypto/evp/dh_support.c
 bc9f3b827e3d29ac485fff9fb1c8f71d7e2bcd883ccc44c776de2f620081df58  crypto/evp/digest.c
 838277f228cd3025cf95a9cd435e5606ad1fb5d207bbb057aa29892e6a657c55  crypto/evp/ec_support.c
@@ -219,7 +219,7 @@ baccbd623a94ba350c07e0811033ad66a2c892ef51ccb051b4a65bf2ba625a85  crypto/evp/evp
 90742590db894920ffdb737a450ee591488aa455802e777400b1bf887618fd7a  crypto/evp/kdf_meth.c
 948f7904e81008588288a1ba7969b9de83546c687230ffe2a3fd0be1651bce8f  crypto/evp/kem.c
 55d141a74405415ad21789abcace9557f1d1ef54cf207e99993bf0a801f4b81e  crypto/evp/keymgmt_lib.c
-5cb9ddc6a7434bd7e063bf85455c2025fb34e4eb846d7d113dbcedc25eeac7a3  crypto/evp/keymgmt_meth.c
+d57908a9473d2af324f32549649016f7a3c196b5ac8b54d6ca3c82f84cab5d48  crypto/evp/keymgmt_meth.c
 9e44d1ffb52fee194b12c50962907c8637e7d92f08339345ec9fd3bd4a248e69  crypto/evp/mac_lib.c
 cd611921dc773b47207c036b9108ec820ab39d67780ba4adc9ccb9dc8da58627  crypto/evp/mac_meth.c
 4f0a9a7baa72c6984edb53c46101b6ff774543603bec1e1d3a6123adf27e41db  crypto/evp/p_lib.c
@@ -322,7 +322,7 @@ f0c8792a99132e0b9c027cfa7370f45594a115934cdc9e8f23bdd64abecaf7fd  crypto/rsa/rsa
 1b828f428f0e78b591378f7b780164c4574620c68f9097de041cbd576f811bf6  crypto/rsa/rsa_backend.c
 38a102cd1da1f6ca5a46e6a22f018237964336274385f5c70cbedcaa6997647e  crypto/rsa/rsa_chk.c
 e762c599b17d5c89f4b1c9eb7d0ca1f04a95d815c86a3e72c30b231ce57fb199  crypto/rsa/rsa_crpt.c
-a3d20f27ae3cb41af5b62febd0bb19025e59d401b136306d570cdba103b15542  crypto/rsa/rsa_gen.c
+026645569b11cf7c1247e4537cc004eea4469ed661391aef4fbc13e96c4952ca  crypto/rsa/rsa_gen.c
 f22bc4e2c3acab83e67820c906c1caf048ec1f0d4fcb7472c1bec753c75f8e93  crypto/rsa/rsa_lib.c
 5ae8edaf654645996385fbd420ef73030762fc146bf41deb5294d6d83e257a16  crypto/rsa/rsa_local.h
 cf0b75cd54b61b9b9a290ef18d0ddce9fb26a029a54eb3f720d9b25188440f00  crypto/rsa/rsa_mp_names.c
@@ -397,7 +397,7 @@ c26498960895d435af4ef5f592d98a0c011c00609bbba8bbd0078d4a4f081609  crypto/slh_dsa
 4c7981f7db69025f52495c549fb3b3a76be62b9e13072c3f3b7f1dedeaf8cc91  crypto/slh_dsa/slh_dsa_key.h
 5dcb631891eb6afcd27a6b19d2de4d493c71dab159e53620d86d9b96642e97e8  crypto/slh_dsa/slh_dsa_local.h
 adb3f4dea52396935b8442df7b36ed99324d3f3e8ce3fdf714d6dfd683e1f9f0  crypto/slh_dsa/slh_fors.c
-ff320d5fc65580eb85e4e0530f332af515124a5ec8915b5a7ec04acad524c11d  crypto/slh_dsa/slh_hash.c
+3891252acdefc4eff77d7a65cc35d77bdca8083c9dd0d44ff91889ceafcccb45  crypto/slh_dsa/slh_hash.c
 a146cdf01b4b6e20127f0e48b30ed5e8820bec0fca2d9423c7b63eddf0f19af3  crypto/slh_dsa/slh_hash.h
 6402664fbb259808a6f7b5a5d6be2b4a3cc8a905399d97b160cdb3e4a97c02c4  crypto/slh_dsa/slh_hypertree.c
 98ba100862bb45d13bcddff79bc55e44eadd95f528dd49accb4da3ca85fcc52d  crypto/slh_dsa/slh_params.c
@@ -433,7 +433,7 @@ e69b2b20fb415e24b970941c84a62b752b5d0175bc68126e467f7cc970495504  include/crypto
 6c72cfa9e59d276c1debcfd36a0aff277539b43d2272267147fad4165d72747c  include/crypto/ctype.h
 f69643f16687c5a290b2ce6b846c6d1dddabfaf7e4d26fde8b1181955de32833  include/crypto/decoder.h
 89693e0a7528a9574e1d2f80644b29e3b895d3684111dd07c18cc5bed28b45b7  include/crypto/des_platform.h
-daf508bb7ed5783f1c8c622f0c230e179244dd3f584e1223a19ab95930fbcb4f  include/crypto/dh.h
+48d133a1eb8c3b3198cfe1cafda47f9abe8050d53004f3874f258a78f29b9e48  include/crypto/dh.h
 679f6e52d9becdf51fde1649478083d18fa4f5a6ece21eeb1decf70f739f49d5  include/crypto/dsa.h
 c7aafee54cc3ace0c563f15aa5af2cdce13e2cfc4f9a9a133952825fb7c8faf5  include/crypto/ec.h
 adf369f3c9392e9f2dec5a87f61ac9e48160f4a763dae51d4ad5306c4ca4e226  include/crypto/ecx.h
@@ -445,7 +445,7 @@ bbe5e52d84e65449a13e42cd2d6adce59b8ed6e73d6950917aa77dc1f3f5dff6  include/crypto
 6e7762e7fb63f56d25b24f70209f4dc834c59a87f74467531ec81646f565dbe3  include/crypto/modes.h
 920bc48a4dad3712bdcef188c0ce8e8a8304e0ce332b54843bab366fc5eab472  include/crypto/rand.h
 71f23915ea74e93971fb0205901031be3abea7ffef2c52e4cc4848515079f68d  include/crypto/rand_pool.h
-6f16685ffbc97dc2ac1240bfddf4bbac2dd1ad83fff6da91aee6f3f64c6ee8ff  include/crypto/rsa.h
+b1df067691f9741ef9c42b2e5f12461bcd87b745514fc5701b9c9402fb10b224  include/crypto/rsa.h
 32f0149ab1d82fddbdfbbc44e3078b4a4cc6936d35187e0f8d02cc0bc19f2401  include/crypto/security_bits.h
 80338f3865b7c74aab343879432a6399507b834e2f55dd0e9ee7a5eeba11242a  include/crypto/sha.h
 0814571bff328719cc1e5a73a4daf6f5810b17f9e50fe63287f91f445f053213  include/crypto/slh_dsa.h
@@ -511,7 +511,7 @@ bb45de4eafdd89c14096e9af9b0aee12b09adcee43b9313a3a373294dec99142  include/openss
 69d98c5230b1c2a1b70c3e6b244fcfd8460a80ebf548542ea43bb1a57fe6cf57  include/openssl/configuration.h.in
 6b3810dac6c9d6f5ee36a10ad6d895a5e4553afdfb9641ce9b7dc5db7eef30b7  include/openssl/conftypes.h
 28c6f0ede39c821dcf4abeeb4e41972038ebb3e3c9d0a43ffdf28edb559470e1  include/openssl/core.h
-940f6276e5bab8a7c59eedba56150902e619823c10dc5e50cf63575be6be9ba0  include/openssl/core_dispatch.h
+b59255ddb1ead5531c3f0acf72fa6627d5c7192f3d23e9536eed00f32258c43b  include/openssl/core_dispatch.h
 d37532e62315d733862d0bff8d8de9fe40292a75deacae606f4776e544844316  include/openssl/core_names.h.in
 57898905771752f6303e2b1cca1c9a41ea5e9c7bf08ee06531213a65e960e424  include/openssl/crypto.h.in
 628e2a9e67412e2903ecb75efb27b262db1f266b805c07ece6b85bf7ffa19dac  include/openssl/cryptoerr.h
@@ -559,7 +559,7 @@ ed785c451189aa5f7299f9f32a841e7f25b67c4ee937c8de8491a39240f5bd9d  include/openss
 2f4f0106e9b2db6636491dbe3ef81b80dbf01aefe6f73d19663423b7fcd54466  include/openssl/rsa.h
 2f339ba2f22b8faa406692289a6e51fdbbb04b03f85cf3ca849835e58211ad23  include/openssl/rsaerr.h
 6586f2187991731835353de0ffad0b6b57609b495e53d0f32644491ece629eb2  include/openssl/safestack.h.in
-b0c9ed3ce37034524623c579e8a2ea0feb6aab39e7489ce66e2b6bf28ec81840  include/openssl/self_test.h
+cad320f140eade8a90b4d068e03d2fc0448204656f8c1270f69be82bc3272806  include/openssl/self_test.h
 a435cb5d87a37c05921afb2d68f581018ec9f62fd9b3194ab651139b24f616d2  include/openssl/sha.h
 c169a015d7be52b7b99dd41c418a48d97e52ad21687c39c512a83a7c3f3ddb70  include/openssl/stack.h
 22d7584ad609e30e818b54dca1dfae8dea38913fffedd25cd540c550372fb9a6  include/openssl/symhacks.h
@@ -611,14 +611,14 @@ bde6107744cf6840a4c350a48265ed000c49b0524fa60b0d68d6d7b33df5fce6  providers/comm
 8ea192553b423e881d85118c70bcb26a40fbdee4e110f230c966939c76f4aa7e  providers/common/securitycheck_fips.c
 abd5997bc33b681a4ab275978b92aebca0806a4a3f0c2f41dacf11b3b6f4e101  providers/fips/fips_entry.c
 d8cb05784ae8533a7d9569d4fbaaea4175b63a7c9f4fb0f254215224069dea6b  providers/fips/fipsindicator.c
-e9383013a79a8223784a69a66bb610d16d54e61ea978f67a3d31de9f48cd4627  providers/fips/fipsprov.c
+485441c31b5ff7916a12d0b8438d131a58cbc1ff6267cd266ae2dd6128c825cc  providers/fips/fipsprov.c
 7be8349d3b557b6d9d5f87d318253a73d21123628a08f50726502abf0e3d8a44  providers/fips/include/fips/fipsindicator.h
 ef204adc49776214dbb299265bc4f2c40b48848cbea4c25b8029f2b46a5c9797  providers/fips/include/fips_indicator_params.inc
 f2581d7b4e105f2bb6d30908f3c2d9959313be08cec6dbeb49030c125a7676d3  providers/fips/include/fips_selftest_params.inc
 669f76f742bcaaf28846b057bfab97da7c162d69da244de71b7c743bf16e430f  providers/fips/include/fipscommon.h
 1af975061d9ea273fd337c74ccaab7b9331ab781d887c4e7164c5ac35e2c2e94  providers/fips/self_test.c
 5c2c6c2f69e2eb01b88fa35630f27948e00dd2c2fd351735c74f34ccb2005cbe  providers/fips/self_test.h
-9c5c8131ee9a5b2d1056b5548db3269c00445294134cb30b631707f69f8904f1  providers/fips/self_test_data.inc
+826d559ea7019c5db557679c3fe1ff5022be0132789c847d61da3c293fc02227  providers/fips/self_test_data.inc
 2e568e2b161131240e97bd77a730c2299f961c2f1409ea8466422fc07f9be23f  providers/fips/self_test_kats.c
 7a368f6c6a5636593018bf10faecc3be1005e7cb3f0647f25c62b6f0fb7ac974  providers/implementations/asymciphers/rsa_enc.c
 c2f1b12c64fc369dfc3b9bc9e76a76de7280e6429adaee55d332eb1971ad1879  providers/implementations/ciphers/cipher_aes.c
@@ -692,20 +692,20 @@ abe2b0f3711eaa34846e155cffc9242e4051c45de896f747afd5ac9d87f637dc  providers/impl
 e18ef50cd62647a2cc784c45169d75054dccd58fc106bf623d921de995bb3c34  providers/implementations/kdfs/sskdf.c
 6d9767a99a5b46d44ac9e0898ee18d219c04dfb34fda42e71d54adccbed7d57c  providers/implementations/kdfs/tls1_prf.c
 88d04ff4c93648a4fbfd9ce137cfc64f2c85e1850593c1ab35334b8b3de8ad99  providers/implementations/kdfs/x942kdf.c
-3e199221ff78d80a3678e917dbbd232c5cd15f35b7c41bac92b60f766f656af7  providers/implementations/kem/ml_kem_kem.c
+b04249bcc64d6f7ec16f494afef252356b2f56424a034ab53def90463de0cb6f  providers/implementations/kem/ml_kem_kem.c
 a2e2b44064ef44b880b89ab6adc83686936acaa906313a37e5ec69d632912034  providers/implementations/kem/mlx_kem.c
 c764555b9dc9b273c280514a5d2d44156f82f3e99155a77c627f2c773209bcd7  providers/implementations/kem/rsa_kem.c
-b9f7fc5c19f637cee55b0a435b838f5de3a5573ca376ba602e90f70855a78852  providers/implementations/keymgmt/dh_kmgmt.c
+a780a73b02f97d42a621fe096adf57a362b458cd5e5cfe1e3e619e88a407c7d7  providers/implementations/keymgmt/dh_kmgmt.c
 24cc3cc8e8681c77b7f96c83293bd66045fd8ad69f756e673ca7f8ca9e82b0af  providers/implementations/keymgmt/dsa_kmgmt.c
-e10086c31aafae0562054e3b07f12409e39b87b5e96ee7668c231c37861aa447  providers/implementations/keymgmt/ec_kmgmt.c
+967ab174fa4fadb4d4b1d226a1870028a3945d6e85c04d08f215686fe8fd2a07  providers/implementations/keymgmt/ec_kmgmt.c
 258ae17bb2dd87ed1511a8eb3fe99eed9b77f5c2f757215ff6b3d0e8791fc251  providers/implementations/keymgmt/ec_kmgmt_imexport.inc
-d042d687da861d2a39658c6b857a6507a70fa78cecdf883bd1dcdafcf102e084  providers/implementations/keymgmt/ecx_kmgmt.c
+b335f1aca68f0b0b3f31e73473de264c812a932517d5a2c2339754d3e3f72a8a  providers/implementations/keymgmt/ecx_kmgmt.c
 daf35a7ab961ef70aefca981d80407935904c5da39dca6692432d6e6bc98759d  providers/implementations/keymgmt/kdf_legacy_kmgmt.c
 d97d7c8d3410b3e560ef2becaea2a47948e22205be5162f964c5e51a7eef08cb  providers/implementations/keymgmt/mac_legacy_kmgmt.c
 24384616fcba4eb5594ccb2ebc199bcee8494ce1b3f4ac7824f17743e39c0279  providers/implementations/keymgmt/ml_dsa_kmgmt.c
 830c339dfc7f301ce5267ef9b0dc173b84d9597509c1a61ae038f3c01af78f45  providers/implementations/keymgmt/ml_kem_kmgmt.c
 e15b780a1489bbe4c7d40d6aaa3bccfbf973e3946578f460eeb8373c657eee91  providers/implementations/keymgmt/mlx_kmgmt.c
-9376a19735fcc79893cb3c6b0cff17a2cae61db9e9165d9a30f8def7f8e8e7c7  providers/implementations/keymgmt/rsa_kmgmt.c
+d63d47e8705772c4269dbdb110400ec9a6dc49ea2217f3d2aecc8ce733d9e47f  providers/implementations/keymgmt/rsa_kmgmt.c
 6f0a786170ba9af860e36411d158ac0bd74bcb4d75c818a0cebadbc764759283  providers/implementations/keymgmt/slh_dsa_kmgmt.c
 9d02d481b9c7c0c9e0932267d1a3e1fef00830aaa03093f000b88aa042972b9f  providers/implementations/macs/cmac_prov.c
 3c558b57fff3588b6832475e0b1c5be590229ad50d95a6ebb089b62bf5fe382d  providers/implementations/macs/gmac_prov.c
diff --git a/deps/openssl/openssl/providers/fips.checksum b/deps/openssl/openssl/providers/fips.checksum
index f9e822a7f9f1ed..0f8f0c2ec6cabc 100644
--- a/deps/openssl/openssl/providers/fips.checksum
+++ b/deps/openssl/openssl/providers/fips.checksum
@@ -1 +1 @@
-cffe76b0bc6464c7c864d5e2eaaf528439cb6c9908dc75666d530aa8a65e152e  providers/fips-sources.checksums
+ef8128a08964171aaf5852362d97486b641fe521ad648e0c1108fd6d7f5a78ba  providers/fips-sources.checksums
diff --git a/deps/openssl/openssl/providers/fips/fipsprov.c b/deps/openssl/openssl/providers/fips/fipsprov.c
index 4b9a0574625d92..e260b5b6652e3e 100644
--- a/deps/openssl/openssl/providers/fips/fipsprov.c
+++ b/deps/openssl/openssl/providers/fips/fipsprov.c
@@ -65,6 +65,7 @@ static OSSL_FUNC_core_vset_error_fn *c_vset_error;
 static OSSL_FUNC_core_set_error_mark_fn *c_set_error_mark;
 static OSSL_FUNC_core_clear_last_error_mark_fn *c_clear_last_error_mark;
 static OSSL_FUNC_core_pop_error_to_mark_fn *c_pop_error_to_mark;
+static OSSL_FUNC_core_count_to_mark_fn *c_count_to_mark;
 static OSSL_FUNC_CRYPTO_malloc_fn *c_CRYPTO_malloc;
 static OSSL_FUNC_CRYPTO_zalloc_fn *c_CRYPTO_zalloc;
 static OSSL_FUNC_CRYPTO_free_fn *c_CRYPTO_free;
@@ -797,6 +798,9 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle,
         case OSSL_FUNC_CORE_POP_ERROR_TO_MARK:
             set_func(c_pop_error_to_mark, OSSL_FUNC_core_pop_error_to_mark(in));
             break;
+        case OSSL_FUNC_CORE_COUNT_TO_MARK:
+            set_func(c_count_to_mark, OSSL_FUNC_core_count_to_mark(in));
+            break;
         case OSSL_FUNC_CRYPTO_MALLOC:
             set_func(c_CRYPTO_malloc, OSSL_FUNC_CRYPTO_malloc(in));
             break;
@@ -1035,6 +1039,11 @@ int ERR_pop_to_mark(void)
     return c_pop_error_to_mark(NULL);
 }
 
+int ERR_count_to_mark(void)
+{
+    return c_count_to_mark != NULL ? c_count_to_mark(NULL) : 0;
+}
+
 /*
  * This must take a library context, since it's called from the depths
  * of crypto/initthread.c code, where it's (correctly) assumed that the
diff --git a/deps/openssl/openssl/providers/fips/self_test_data.inc b/deps/openssl/openssl/providers/fips/self_test_data.inc
index 5cbb5352a59624..a8d0469900c184 100644
--- a/deps/openssl/openssl/providers/fips/self_test_data.inc
+++ b/deps/openssl/openssl/providers/fips/self_test_data.inc
@@ -208,28 +208,6 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] =
 
 /*- CIPHER TEST DATA */
 
-/* DES3 test data */
-static const unsigned char des_ede3_cbc_pt[] = {
-    0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96,
-    0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A,
-    0xAE, 0x2D, 0x8A, 0x57, 0x1E, 0x03, 0xAC, 0x9C,
-    0x9E, 0xB7, 0x6F, 0xAC, 0x45, 0xAF, 0x8E, 0x51
-};
-static const unsigned char des_ede3_cbc_key[] = {
-    0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
-    0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01,
-    0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF, 0x01, 0x23
-};
-static const unsigned char des_ede3_cbc_iv[] = {
-    0xF6, 0x9F, 0x24, 0x45, 0xDF, 0x4F, 0x9B, 0x17
-};
-static const unsigned char des_ede3_cbc_ct[] = {
-    0x20, 0x79, 0xC3, 0xD5, 0x3A, 0xA7, 0x63, 0xE1,
-    0x93, 0xB7, 0x9E, 0x25, 0x69, 0xAB, 0x52, 0x62,
-    0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F,
-    0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7
-};
-
 /* AES-256 GCM test data */
 static const unsigned char aes_256_gcm_key[] = {
     0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c,
@@ -907,38 +885,39 @@ static const unsigned char dh_priv[] = {
     0x40, 0xb8, 0xfc, 0xe6
 };
 static const unsigned char dh_pub[] = {
-    0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04,
-    0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69,
-    0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59,
-    0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b,
-    0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c,
-    0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21,
-    0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06,
-    0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb,
-    0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2,
-    0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0,
-    0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83,
-    0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90,
-    0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2,
-    0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7,
-    0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0,
-    0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88,
-    0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb,
-    0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a,
-    0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97,
-    0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d,
-    0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf,
-    0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e,
-    0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f,
-    0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d,
-    0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1,
-    0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c,
-    0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47,
-    0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e,
-    0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f,
-    0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9,
-    0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c,
-    0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3
+    0x00, 0x8f, 0x81, 0x67, 0x68, 0xce, 0x97, 0x99,
+    0x7e, 0x11, 0x5c, 0xad, 0x5b, 0xe1, 0x0c, 0xd4,
+    0x15, 0x44, 0xdf, 0xc2, 0x47, 0xe7, 0x06, 0x27,
+    0x5e, 0xf3, 0x9d, 0x5c, 0x4b, 0x2e, 0x35, 0x05,
+    0xfd, 0x3c, 0x8f, 0x35, 0x85, 0x1b, 0x82, 0xdd,
+    0x49, 0xc9, 0xa8, 0x7e, 0x3a, 0x5f, 0x33, 0xdc,
+    0x8f, 0x5e, 0x32, 0x76, 0xe1, 0x52, 0x1b, 0x88,
+    0x85, 0xda, 0xa9, 0x1d, 0x5f, 0x1c, 0x05, 0x3a,
+    0xd4, 0x8d, 0xbb, 0xe7, 0x46, 0x46, 0x1e, 0x29,
+    0x4b, 0x5a, 0x02, 0x88, 0x46, 0x94, 0xd0, 0x68,
+    0x7d, 0xb2, 0x9f, 0x3a, 0x3d, 0x82, 0x05, 0xe5,
+    0xa7, 0xbe, 0x6c, 0x7e, 0x24, 0x35, 0x25, 0x14,
+    0xf3, 0x45, 0x08, 0x90, 0xfc, 0x55, 0x2e, 0xa8,
+    0xb8, 0xb1, 0x89, 0x15, 0x94, 0x51, 0x44, 0xa9,
+    0x9f, 0x68, 0xcb, 0x90, 0xbc, 0xd3, 0xae, 0x02,
+    0x37, 0x26, 0xe4, 0xe9, 0x1a, 0x90, 0x95, 0x7e,
+    0x1d, 0xac, 0x0c, 0x91, 0x97, 0x83, 0x24, 0x83,
+    0xb9, 0xa1, 0x40, 0x72, 0xac, 0xf0, 0x55, 0x32,
+    0x18, 0xab, 0xb8, 0x90, 0xda, 0x13, 0x4a, 0xc8,
+    0x4b, 0x7c, 0x18, 0xbc, 0x33, 0xbf, 0x99, 0x85,
+    0x39, 0x3e, 0xc6, 0x95, 0x9b, 0x48, 0x8e, 0xbe,
+    0x46, 0x59, 0x48, 0x41, 0x0d, 0x37, 0x25, 0x94,
+    0xbe, 0x8d, 0xf5, 0x81, 0x52, 0xf6, 0xdc, 0xeb,
+    0x98, 0xd7, 0x3b, 0x44, 0x61, 0x6f, 0xa3, 0xef,
+    0x7b, 0xfe, 0xbb, 0xc2, 0x8e, 0x46, 0x63, 0xbc,
+    0x52, 0x65, 0xf9, 0xf8, 0x85, 0x41, 0xdf, 0x82,
+    0x4a, 0x10, 0x2a, 0xe3, 0x0c, 0xb7, 0xad, 0x84,
+    0xa6, 0x6f, 0x4e, 0x8e, 0x96, 0x1e, 0x04, 0xf7,
+    0x57, 0x39, 0xca, 0x58, 0xd4, 0xef, 0x5a, 0xf1,
+    0xf5, 0x69, 0xc2, 0xb1, 0x5c, 0x0a, 0xce, 0xbe,
+    0x38, 0x01, 0xb5, 0x3f, 0x07, 0x8a, 0x72, 0x90,
+    0x10, 0xac, 0x51, 0x3a, 0x96, 0x43, 0xdf, 0x6f,
+    0xea
 };
 static const unsigned char dh_peer_pub[] = {
     0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a,
diff --git a/deps/openssl/openssl/providers/implementations/encode_decode/decode_pem2der.c b/deps/openssl/openssl/providers/implementations/encode_decode/decode_pem2der.c
index abea679fe19af3..a38c71883dd14c 100644
--- a/deps/openssl/openssl/providers/implementations/encode_decode/decode_pem2der.c
+++ b/deps/openssl/openssl/providers/implementations/encode_decode/decode_pem2der.c
@@ -151,6 +151,7 @@ static int pem2der_decode(void *vctx, OSSL_CORE_BIO *cin, int selection,
         { PEM_STRING_DSAPARAMS, OSSL_OBJECT_PKEY, "DSA", "type-specific" },
         { PEM_STRING_ECPRIVATEKEY, OSSL_OBJECT_PKEY, "EC", "type-specific" },
         { PEM_STRING_ECPARAMETERS, OSSL_OBJECT_PKEY, "EC", "type-specific" },
+        { PEM_STRING_SM2PRIVATEKEY, OSSL_OBJECT_PKEY, "SM2", "type-specific" },
         { PEM_STRING_SM2PARAMETERS, OSSL_OBJECT_PKEY, "SM2", "type-specific" },
         { PEM_STRING_RSA, OSSL_OBJECT_PKEY, "RSA", "type-specific" },
         { PEM_STRING_RSA_PUBLIC, OSSL_OBJECT_PKEY, "RSA", "type-specific" },
diff --git a/deps/openssl/openssl/providers/implementations/kem/ml_kem_kem.c b/deps/openssl/openssl/providers/implementations/kem/ml_kem_kem.c
index ac798cb4b6ba16..27aa3b819836b7 100644
--- a/deps/openssl/openssl/providers/implementations/kem/ml_kem_kem.c
+++ b/deps/openssl/openssl/providers/implementations/kem/ml_kem_kem.c
@@ -171,7 +171,7 @@ static int ml_kem_encapsulate(void *vctx, unsigned char *ctext, size_t *clen,
         return 1;
     }
     if (shsec == NULL) {
-        ERR_raise_data(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL,
+        ERR_raise_data(ERR_LIB_PROV, PROV_R_NULL_OUTPUT_BUFFER,
                        "NULL shared-secret buffer");
         goto end;
     }
diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c
index c2ee8593557a11..98a8a45cf15ae4 100644
--- a/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c
+++ b/deps/openssl/openssl/providers/implementations/keymgmt/dh_kmgmt.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2024 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -19,10 +19,12 @@
 #include <openssl/core_names.h>
 #include <openssl/bn.h>
 #include <openssl/err.h>
+#include <openssl/self_test.h>
 #include "prov/implementations.h"
 #include "prov/providercommon.h"
 #include "prov/provider_ctx.h"
 #include "crypto/dh.h"
+#include "internal/fips.h"
 #include "internal/sizes.h"
 
 static OSSL_FUNC_keymgmt_new_fn dh_newdata;
@@ -207,6 +209,18 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[])
             selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
 
         ok = ok && ossl_dh_key_fromdata(dh, params, include_private);
+#ifdef FIPS_MODULE
+        /*
+         * FIPS 140-3 IG 10.3.A additional comment 1 mandates that a pairwise
+         * consistency check be undertaken on key import.  The required test
+         * is described in SP 800-56Ar3 5.6.2.1.4.
+         */
+        if (ok > 0 && !ossl_fips_self_testing()) {
+            ok = ossl_dh_check_pairwise(dh, 1);
+            if (ok <= 0)
+                ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
+        }
+#endif  /* FIPS_MODULE */
     }
 
     return ok;
@@ -440,7 +454,7 @@ static int dh_validate(const void *keydata, int selection, int checktype)
 
     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR)
             == OSSL_KEYMGMT_SELECT_KEYPAIR)
-        ok = ok && ossl_dh_check_pairwise(dh);
+        ok = ok && ossl_dh_check_pairwise(dh, 0);
     return ok;
 }
 
diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c
index 9421aabb145598..7d3c22316975cf 100644
--- a/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c
+++ b/deps/openssl/openssl/providers/implementations/keymgmt/ec_kmgmt.c
@@ -20,12 +20,14 @@
 #include <openssl/err.h>
 #include <openssl/objects.h>
 #include <openssl/proverr.h>
+#include <openssl/self_test.h>
 #include "crypto/bn.h"
 #include "crypto/ec.h"
 #include "prov/implementations.h"
 #include "prov/providercommon.h"
 #include "prov/provider_ctx.h"
 #include "prov/securitycheck.h"
+#include "internal/fips.h"
 #include "internal/param_build_set.h"
 
 #ifndef FIPS_MODULE
@@ -429,6 +431,21 @@ int common_import(void *keydata, int selection, const OSSL_PARAM params[],
     if ((selection & OSSL_KEYMGMT_SELECT_OTHER_PARAMETERS) != 0)
         ok = ok && ossl_ec_key_otherparams_fromdata(ec, params);
 
+#ifdef FIPS_MODULE
+    if (ok > 0
+            && !ossl_fips_self_testing()
+            && EC_KEY_get0_public_key(ec) != NULL
+            && EC_KEY_get0_private_key(ec) != NULL
+            && EC_KEY_get0_group(ec) != NULL) {
+        BN_CTX *bnctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec));
+
+        ok = bnctx != NULL && ossl_ec_key_pairwise_check(ec, bnctx);
+        BN_CTX_free(bnctx);
+        if (ok <= 0)
+            ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
+    }
+#endif  /* FIPS_MODULE */
+
     return ok;
 }
 
diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c
index c2ac805ad1f666..faf25606e33a6e 100644
--- a/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c
+++ b/deps/openssl/openssl/providers/implementations/keymgmt/ecx_kmgmt.c
@@ -17,6 +17,7 @@
 #include <openssl/evp.h>
 #include <openssl/rand.h>
 #include <openssl/self_test.h>
+#include "internal/fips.h"
 #include "internal/param_build_set.h"
 #include <openssl/param_build.h>
 #include "crypto/ecx.h"
@@ -92,6 +93,15 @@ static void *s390x_ecd_keygen25519(struct ecx_gen_ctx *gctx);
 static void *s390x_ecd_keygen448(struct ecx_gen_ctx *gctx);
 #endif
 
+#ifdef FIPS_MODULE
+static int ecd_fips140_pairwise_test(const ECX_KEY *ecx, int type, int self_test);
+#endif  /* FIPS_MODULE */
+
+static ossl_inline int ecx_key_type_is_ed(ECX_KEY_TYPE type)
+{
+    return type == ECX_KEY_TYPE_ED25519 || type == ECX_KEY_TYPE_ED448;
+}
+
 static void *x25519_new_key(void *provctx)
 {
     if (!ossl_prov_is_running())
@@ -208,6 +218,14 @@ static int ecx_import(void *keydata, int selection, const OSSL_PARAM params[])
     include_private = selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
     ok = ok && ossl_ecx_key_fromdata(key, params, include_private);
 
+#ifdef FIPS_MODULE
+    if (ok > 0 && ecx_key_type_is_ed(key->type) && !ossl_fips_self_testing())
+        if (key->haspubkey && key->privkey != NULL) {
+            ok = ecd_fips140_pairwise_test(key, key->type, 1);
+            if (ok <= 0)
+                ossl_set_error_state(OSSL_SELF_TEST_TYPE_PCT);
+        }
+#endif  /* FIPS_MODULE */
     return ok;
 }
 
@@ -703,8 +721,7 @@ static void *ecx_gen(struct ecx_gen_ctx *gctx)
     }
 #ifndef FIPS_MODULE
     if (gctx->dhkem_ikm != NULL && gctx->dhkem_ikmlen != 0) {
-        if (gctx->type == ECX_KEY_TYPE_ED25519
-                || gctx->type == ECX_KEY_TYPE_ED448)
+        if (ecx_key_type_is_ed(gctx->type))
             goto err;
         if (!ossl_ecx_dhkem_derive_private(key, privkey,
                                            gctx->dhkem_ikm, gctx->dhkem_ikmlen))
@@ -968,7 +985,7 @@ static int ecx_validate(const void *keydata, int selection, int type,
     if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != OSSL_KEYMGMT_SELECT_KEYPAIR)
         return ok;
 
-    if (type == ECX_KEY_TYPE_ED25519 || type == ECX_KEY_TYPE_ED448)
+    if (ecx_key_type_is_ed(type))
         ok = ok && ecd_key_pairwise_check(ecx, type);
     else
         ok = ok && ecx_key_pairwise_check(ecx, type);
diff --git a/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c b/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c
index 77d09500942165..380c1c087b4c5b 100644
--- a/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c
+++ b/deps/openssl/openssl/providers/implementations/keymgmt/rsa_kmgmt.c
@@ -25,6 +25,7 @@
 #include "prov/provider_ctx.h"
 #include "crypto/rsa.h"
 #include "crypto/cryptlib.h"
+#include "internal/fips.h"
 #include "internal/param_build_set.h"
 
 static OSSL_FUNC_keymgmt_new_fn rsa_newdata;
@@ -196,6 +197,23 @@ static int rsa_import(void *keydata, int selection, const OSSL_PARAM params[])
         ok = ok && ossl_rsa_fromdata(rsa, params, include_private);
     }
 
+#ifdef FIPS_MODULE
+    if (ok > 0 && !ossl_fips_self_testing()) {
+        const BIGNUM *n, *e, *d, *dp, *dq, *iq, *p, *q;
+
+        RSA_get0_key(rsa, &n, &e, &d);
+        RSA_get0_crt_params(rsa, &dp, &dq, &iq);
+        p = RSA_get0_p(rsa);
+        q = RSA_get0_q(rsa);
+
+        /* Check for the public key */
+        if (n != NULL && e != NULL)
+            /* Check for private key in straightforward or CRT form */
+            if (d != NULL || (p != NULL && q != NULL && dp != NULL
+                              && dq != NULL && iq != NULL))
+                ok = ossl_rsa_key_pairwise_test(rsa);
+    }
+#endif  /* FIPS_MODULE */
     return ok;
 }
 
diff --git a/deps/openssl/openssl/providers/legacyprov.c b/deps/openssl/openssl/providers/legacyprov.c
index 16e3639e76f180..6dbe3a8505d0db 100644
--- a/deps/openssl/openssl/providers/legacyprov.c
+++ b/deps/openssl/openssl/providers/legacyprov.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2019-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2019-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -48,6 +48,7 @@ static OSSL_FUNC_core_vset_error_fn *c_vset_error;
 static OSSL_FUNC_core_set_error_mark_fn *c_set_error_mark;
 static OSSL_FUNC_core_clear_last_error_mark_fn *c_clear_last_error_mark;
 static OSSL_FUNC_core_pop_error_to_mark_fn *c_pop_error_to_mark;
+static OSSL_FUNC_core_count_to_mark_fn *c_count_to_mark;
 #endif
 
 /* Parameters we provide to the core */
@@ -234,6 +235,9 @@ int OSSL_provider_init(const OSSL_CORE_HANDLE *handle,
         case OSSL_FUNC_CORE_POP_ERROR_TO_MARK:
             set_func(c_pop_error_to_mark, OSSL_FUNC_core_pop_error_to_mark(tmp));
             break;
+        case OSSL_FUNC_CORE_COUNT_TO_MARK:
+            set_func(c_count_to_mark, OSSL_FUNC_core_count_to_mark(in));
+            break;
         }
     }
 #endif
@@ -301,4 +305,9 @@ int ERR_pop_to_mark(void)
 {
     return c_pop_error_to_mark(NULL);
 }
+
+int ERR_count_to_mark(void)
+{
+    return c_count_to_mark != NULL ? c_count_to_mark(NULL) : 0;
+}
 #endif
diff --git a/deps/openssl/openssl/ssl/quic/quic_ackm.c b/deps/openssl/openssl/ssl/quic/quic_ackm.c
index 75a1e5741a030b..93c83a36d8fef8 100644
--- a/deps/openssl/openssl/ssl/quic/quic_ackm.c
+++ b/deps/openssl/openssl/ssl/quic/quic_ackm.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2022-2025 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -536,6 +536,9 @@ struct ossl_ackm_st {
     /* Set to 1 when the handshake is confirmed. */
     char            handshake_confirmed;
 
+    /* Set to 1 when attached to server channel */
+    char            is_server;
+
     /* Set to 1 when the peer has completed address validation. */
     char            peer_completed_addr_validation;
 
@@ -855,7 +858,13 @@ static OSSL_TIME ackm_get_pto_time_and_space(OSSL_ACKM *ackm, int *space)
     }
 
     for (i = QUIC_PN_SPACE_INITIAL; i < QUIC_PN_SPACE_NUM; ++i) {
-        if (ackm->ack_eliciting_bytes_in_flight[i] == 0)
+        /*
+         * RFC 9002 section 6.2.2.1 keep probe timeout armed until
+         * handshake is confirmed (client sees HANDSHAKE_DONE message
+         * from server).
+         */
+        if (ackm->ack_eliciting_bytes_in_flight[i] == 0 &&
+            (ackm->handshake_confirmed == 1 || ackm->is_server == 1))
             continue;
 
         if (i == QUIC_PN_SPACE_APP) {
@@ -875,10 +884,18 @@ static OSSL_TIME ackm_get_pto_time_and_space(OSSL_ACKM *ackm, int *space)
             }
         }
 
-        t = ossl_time_add(ackm->time_of_last_ack_eliciting_pkt[i], duration);
-        if (ossl_time_compare(t, pto_timeout) < 0) {
-            pto_timeout = t;
-            pto_space   = i;
+        /*
+         * Only re-arm timer if stack has sent at least one ACK eliciting frame.
+         * If stack has sent no ACK eliciting frame at given encryption level then
+         * particular timer is zero and we must not attempt to set it. Timer keeps
+         * time since epoch (Jan 1 1970) and we must not set timer to past.
+         */
+        if (!ossl_time_is_zero(ackm->time_of_last_ack_eliciting_pkt[i])) {
+            t = ossl_time_add(ackm->time_of_last_ack_eliciting_pkt[i], duration);
+            if (ossl_time_compare(t, pto_timeout) < 0) {
+                pto_timeout = t;
+                pto_space   = i;
+            }
         }
     }
 
@@ -1021,7 +1038,8 @@ OSSL_ACKM *ossl_ackm_new(OSSL_TIME (*now)(void *arg),
                          void *now_arg,
                          OSSL_STATM *statm,
                          const OSSL_CC_METHOD *cc_method,
-                         OSSL_CC_DATA *cc_data)
+                         OSSL_CC_DATA *cc_data,
+                         int is_server)
 {
     OSSL_ACKM *ackm;
     int i;
@@ -1045,6 +1063,7 @@ OSSL_ACKM *ossl_ackm_new(OSSL_TIME (*now)(void *arg),
     ackm->statm     = statm;
     ackm->cc_method = cc_method;
     ackm->cc_data   = cc_data;
+    ackm->is_server = (char)is_server;
 
     ackm->rx_max_ack_delay = ossl_ms2time(QUIC_DEFAULT_MAX_ACK_DELAY);
     ackm->tx_max_ack_delay = DEFAULT_TX_MAX_ACK_DELAY;
diff --git a/deps/openssl/openssl/ssl/quic/quic_channel.c b/deps/openssl/openssl/ssl/quic/quic_channel.c
index 8fb651d9ceb670..f8e4252ba48f43 100644
--- a/deps/openssl/openssl/ssl/quic/quic_channel.c
+++ b/deps/openssl/openssl/ssl/quic/quic_channel.c
@@ -242,7 +242,8 @@ static int ch_init(QUIC_CHANNEL *ch)
         goto err;
 
     if ((ch->ackm = ossl_ackm_new(get_time, ch, &ch->statm,
-                                  ch->cc_method, ch->cc_data)) == NULL)
+                                  ch->cc_method, ch->cc_data,
+                                  ch->is_server)) == NULL)
         goto err;
 
     if (!ossl_quic_stream_map_init(&ch->qsm, get_stream_limit, ch,
diff --git a/deps/openssl/openssl/ssl/quic/quic_rx_depack.c b/deps/openssl/openssl/ssl/quic/quic_rx_depack.c
index a36b02d5dcb4f7..f800d8984193db 100644
--- a/deps/openssl/openssl/ssl/quic/quic_rx_depack.c
+++ b/deps/openssl/openssl/ssl/quic/quic_rx_depack.c
@@ -1429,16 +1429,8 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket)
     uint32_t enc_level;
     size_t dgram_len = qpacket->datagram_len;
 
-    /*
-     * ok has three states:
-     * -1 error with ackm_data uninitialized
-     *  0 error with ackm_data initialized
-     *  1 success (ackm_data initialized)
-     */
-    int ok = -1;                  /* Assume the worst */
-
     if (ch == NULL)
-        goto end;
+        return 0;
 
     ch->did_crypto_frame = 0;
 
@@ -1456,9 +1448,8 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket)
          * Retry and Version Negotiation packets should not be passed to this
          * function.
          */
-        goto end;
+        return 0;
 
-    ok = 0; /* Still assume the worst */
     ackm_data.pkt_space = ossl_quic_enc_level_to_pn_space(enc_level);
 
     /*
@@ -1480,18 +1471,9 @@ int ossl_quic_handle_frames(QUIC_CHANNEL *ch, OSSL_QRX_PKT *qpacket)
                                   enc_level,
                                   qpacket->time,
                                   &ackm_data))
-        goto end;
+        return 0;
 
-    ok = 1;
- end:
-    /*
-     * ASSUMPTION: If this function is called at all, |qpacket| is
-     * a legitimate packet, even if its contents aren't.
-     * Therefore, we call ossl_ackm_on_rx_packet() unconditionally, as long as
-     * |ackm_data| has at least been initialized.
-     */
-    if (ok >= 0)
-        ossl_ackm_on_rx_packet(ch->ackm, &ackm_data);
+    ossl_ackm_on_rx_packet(ch->ackm, &ackm_data);
 
-    return ok > 0;
+    return 1;
 }
diff --git a/deps/openssl/openssl/util/perl/TLSProxy/Proxy.pm b/deps/openssl/openssl/util/perl/TLSProxy/Proxy.pm
index b76f9e931ec073..ccc4814f6fd256 100644
--- a/deps/openssl/openssl/util/perl/TLSProxy/Proxy.pm
+++ b/deps/openssl/openssl/util/perl/TLSProxy/Proxy.pm
@@ -97,7 +97,23 @@ sub new_dtls {
 
 sub init
 {
-    require IO::Socket::IP;
+    my $useSockInet = 0;
+    eval {
+        require IO::Socket::IP;
+        my $s = IO::Socket::IP->new(
+                LocalAddr => "::1",
+                LocalPort => 0,
+                Listen=>1,
+                );
+            $s or die "\n";
+            $s->close();
+    };
+    if ($@ eq "") {
+        require IO::Socket::IP;
+    } else {
+        $useSockInet = 1;
+    }
+
     my $class = shift;
     my ($filter,
         $execute,
@@ -118,8 +134,13 @@ sub init
         $test_client_port = 49152 + int(rand(65535 - 49152));
         my $test_sock;
         if ($useINET6 == 0) {
-            $test_sock = IO::Socket::IP->new(LocalPort => $test_client_port,
-                                             LocalAddr => $test_client_addr);
+            if ($useSockInet == 0) {
+                $test_sock = IO::Socket::IP->new(LocalPort => $test_client_port,
+                                                 LocalAddr => $test_client_addr);
+            } else {
+                $test_sock = IO::Socket::INET->new(LocalAddr => $test_client_addr,
+                                                   LocalPort => $test_client_port);
+            }
         } else {
             $test_sock = IO::Socket::INET6->new(LocalAddr => $test_client_addr,
                                                 LocalPort => $test_client_port,
diff --git a/deps/sqlite/sqlite3.c b/deps/sqlite/sqlite3.c
index e8a0bf11ada04d..26a7a43d8658be 100644
--- a/deps/sqlite/sqlite3.c
+++ b/deps/sqlite/sqlite3.c
@@ -1,6 +1,6 @@
 /******************************************************************************
 ** This file is an amalgamation of many separate C source files from SQLite
-** version 3.50.3.  By combining all the individual C code files into this
+** version 3.50.4.  By combining all the individual C code files into this
 ** single large file, the entire code can be compiled as a single translation
 ** unit.  This allows many compilers to do optimizations that would not be
 ** possible if the files were compiled separately.  Performance improvements
@@ -18,7 +18,7 @@
 ** separate file. This file contains only code for the core SQLite library.
 **
 ** The content in this amalgamation comes from Fossil check-in
-** 3ce993b8657d6d9deda380a93cdd6404a8c8 with changes in files:
+** 4d8adfb30e03f9cf27f800a2c1ba3c48fb4c with changes in files:
 **
 **    
 */
@@ -465,9 +465,9 @@ extern "C" {
 ** [sqlite3_libversion_number()], [sqlite3_sourceid()],
 ** [sqlite_version()] and [sqlite_source_id()].
 */
-#define SQLITE_VERSION        "3.50.3"
-#define SQLITE_VERSION_NUMBER 3050003
-#define SQLITE_SOURCE_ID      "2025-07-17 13:25:10 3ce993b8657d6d9deda380a93cdd6404a8c8ba1b185b2bc423703e41ae5f2543"
+#define SQLITE_VERSION        "3.50.4"
+#define SQLITE_VERSION_NUMBER 3050004
+#define SQLITE_SOURCE_ID      "2025-07-30 19:33:53 4d8adfb30e03f9cf27f800a2c1ba3c48fb4ca1b08b0f5ed59a4d5ecbf45e20a3"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers
@@ -19440,6 +19440,7 @@ struct Expr {
     Table *pTab;           /* TK_COLUMN: Table containing column. Can be NULL
                            ** for a column of an index on an expression */
     Window *pWin;          /* EP_WinFunc: Window/Filter defn for a function */
+    int nReg;              /* TK_NULLS: Number of registers to NULL out */
     struct {               /* TK_IN, TK_SELECT, and TK_EXISTS */
       int iAddr;             /* Subroutine entry address */
       int regReturn;         /* Register used to hold return address */
@@ -21474,6 +21475,7 @@ SQLITE_PRIVATE void sqlite3ExprCodeGeneratedColumn(Parse*, Table*, Column*, int)
 SQLITE_PRIVATE void sqlite3ExprCodeCopy(Parse*, Expr*, int);
 SQLITE_PRIVATE void sqlite3ExprCodeFactorable(Parse*, Expr*, int);
 SQLITE_PRIVATE int sqlite3ExprCodeRunJustOnce(Parse*, Expr*, int);
+SQLITE_PRIVATE void sqlite3ExprNullRegisterRange(Parse*, int, int);
 SQLITE_PRIVATE int sqlite3ExprCodeTemp(Parse*, Expr*, int*);
 SQLITE_PRIVATE int sqlite3ExprCodeTarget(Parse*, Expr*, int);
 SQLITE_PRIVATE int sqlite3ExprCodeExprList(Parse*, ExprList*, int, int, u8);
@@ -115241,6 +115243,12 @@ SQLITE_PRIVATE int sqlite3ExprCodeTarget(Parse *pParse, Expr *pExpr, int target)
       sqlite3VdbeLoadString(v, target, pExpr->u.zToken);
       return target;
     }
+    case TK_NULLS: {
+      /* Set a range of registers to NULL.  pExpr->y.nReg registers starting
+      ** with target */
+      sqlite3VdbeAddOp3(v, OP_Null, 0, target, target + pExpr->y.nReg - 1);
+      return target;
+    }
     default: {
       /* Make NULL the default case so that if a bug causes an illegal
       ** Expr node to be passed into this function, it will be handled
@@ -115925,6 +115933,25 @@ SQLITE_PRIVATE int sqlite3ExprCodeRunJustOnce(
   return regDest;
 }
 
+/*
+** Make arrangements to invoke OP_Null on a range of registers
+** during initialization.
+*/
+SQLITE_PRIVATE SQLITE_NOINLINE void sqlite3ExprNullRegisterRange(
+  Parse *pParse,   /* Parsing context */
+  int iReg,        /* First register to set to NULL */
+  int nReg         /* Number of sequential registers to NULL out */
+){
+  u8 okConstFactor = pParse->okConstFactor;
+  Expr t;
+  memset(&t, 0, sizeof(t));
+  t.op = TK_NULLS;
+  t.y.nReg = nReg;
+  pParse->okConstFactor = 1;
+  sqlite3ExprCodeRunJustOnce(pParse, &t, iReg);
+  pParse->okConstFactor = okConstFactor;
+}
+
 /*
 ** Generate code to evaluate an expression and store the results
 ** into a register.  Return the register number where the results
@@ -153175,6 +153202,7 @@ SQLITE_PRIVATE int sqlite3Select(
       sqlite3VdbeAddOp2(v, OP_Integer, 0, iAbortFlag);
       VdbeComment((v, "clear abort flag"));
       sqlite3VdbeAddOp3(v, OP_Null, 0, iAMem, iAMem+pGroupBy->nExpr-1);
+      sqlite3ExprNullRegisterRange(pParse, iAMem, pGroupBy->nExpr);
 
       /* Begin a loop that will extract all source rows in GROUP BY order.
       ** This might involve two separate loops with an OP_Sort in between, or
@@ -168470,6 +168498,7 @@ static int whereLoopAddBtree(
     pNew->u.btree.nEq = 0;
     pNew->u.btree.nBtm = 0;
     pNew->u.btree.nTop = 0;
+    pNew->u.btree.nDistinctCol = 0;
     pNew->nSkip = 0;
     pNew->nLTerm = 0;
     pNew->iSortIdx = 0;
@@ -169538,8 +169567,6 @@ static i8 wherePathSatisfiesOrderBy(
         obSat = obDone;
       }
       break;
-    }else if( wctrlFlags & WHERE_DISTINCTBY ){
-      pLoop->u.btree.nDistinctCol = 0;
     }
     iCur = pWInfo->pTabList->a[pLoop->iTab].iCursor;
 
@@ -257280,7 +257307,7 @@ static void fts5SourceIdFunc(
 ){
   assert( nArg==0 );
   UNUSED_PARAM2(nArg, apUnused);
-  sqlite3_result_text(pCtx, "fts5: 2025-07-17 13:25:10 3ce993b8657d6d9deda380a93cdd6404a8c8ba1b185b2bc423703e41ae5f2543", -1, SQLITE_TRANSIENT);
+  sqlite3_result_text(pCtx, "fts5: 2025-07-30 19:33:53 4d8adfb30e03f9cf27f800a2c1ba3c48fb4ca1b08b0f5ed59a4d5ecbf45e20a3", -1, SQLITE_TRANSIENT);
 }
 
 /*
diff --git a/deps/sqlite/sqlite3.h b/deps/sqlite/sqlite3.h
index d2ec9030ffc4ed..c2ed750305b244 100644
--- a/deps/sqlite/sqlite3.h
+++ b/deps/sqlite/sqlite3.h
@@ -146,9 +146,9 @@ extern "C" {
 ** [sqlite3_libversion_number()], [sqlite3_sourceid()],
 ** [sqlite_version()] and [sqlite_source_id()].
 */
-#define SQLITE_VERSION        "3.50.3"
-#define SQLITE_VERSION_NUMBER 3050003
-#define SQLITE_SOURCE_ID      "2025-07-17 13:25:10 3ce993b8657d6d9deda380a93cdd6404a8c8ba1b185b2bc423703e41ae5f2543"
+#define SQLITE_VERSION        "3.50.4"
+#define SQLITE_VERSION_NUMBER 3050004
+#define SQLITE_SOURCE_ID      "2025-07-30 19:33:53 4d8adfb30e03f9cf27f800a2c1ba3c48fb4ca1b08b0f5ed59a4d5ecbf45e20a3"
 
 /*
 ** CAPI3REF: Run-Time Library Version Numbers
diff --git a/deps/undici/src/README.md b/deps/undici/src/README.md
index 89a354bcc141ee..93008eb09918d9 100644
--- a/deps/undici/src/README.md
+++ b/deps/undici/src/README.md
@@ -440,13 +440,14 @@ This behavior is intentional for server-side environments where CORS restriction
 * https://fetch.spec.whatwg.org/#garbage-collection
 
 The [Fetch Standard](https://fetch.spec.whatwg.org) allows users to skip consuming the response body by relying on
-[garbage collection](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Memory_Management#garbage_collection) to release connection resources. Undici does not do the same. Therefore, it is important to always either consume or cancel the response body.
+[garbage collection](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Memory_Management#garbage_collection) to release connection resources.
 
 Garbage collection in Node is less aggressive and deterministic
 (due to the lack of clear idle periods that browsers have through the rendering refresh rate)
 which means that leaving the release of connection resources to the garbage collector can lead
 to excessive connection usage, reduced performance (due to less connection re-use), and even
 stalls or deadlocks when running out of connections.
+Therefore, __it is important to always either consume or cancel the response body anyway__.
 
 ```js
 // Do
@@ -459,7 +460,15 @@ for await (const chunk of body) {
 const { headers } = await fetch(url);
 ```
 
-The same applies for `request` too:
+However, if you want to get only headers, it might be better to use `HEAD` request method. Usage of this method will obviate the need for consumption or cancelling of the response body. See [MDN - HTTP - HTTP request methods - HEAD](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/HEAD) for more details.
+
+```js
+const headers = await fetch(url, { method: 'HEAD' })
+  .then(res => res.headers)
+```
+
+Note that consuming the response body is _mandatory_ for `request`:
+
 ```js
 // Do
 const { body, headers } = await request(url);
@@ -469,13 +478,6 @@ await res.body.dump(); // force consumption of body
 const { headers } = await request(url);
 ```
 
-However, if you want to get only headers, it might be better to use `HEAD` request method. Usage of this method will obviate the need for consumption or cancelling of the response body. See [MDN - HTTP - HTTP request methods - HEAD](https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/HEAD) for more details.
-
-```js
-const headers = await fetch(url, { method: 'HEAD' })
-  .then(res => res.headers)
-```
-
 #### Forbidden and Safelisted Header Names
 
 * https://fetch.spec.whatwg.org/#cors-safelisted-response-header-name
diff --git a/deps/undici/src/docs/docs/api/ProxyAgent.md b/deps/undici/src/docs/docs/api/ProxyAgent.md
index 0fced821cd8b8b..8db7221a3626af 100644
--- a/deps/undici/src/docs/docs/api/ProxyAgent.md
+++ b/deps/undici/src/docs/docs/api/ProxyAgent.md
@@ -27,7 +27,7 @@ For detailed information on the parsing process and potential validation errors,
 * **clientFactory** `(origin: URL, opts: Object) => Dispatcher` (optional) - Default: `(origin, opts) => new Pool(origin, opts)`
 * **requestTls** `BuildOptions` (optional) - Options object passed when creating the underlying socket via the connector builder for the request. It extends from [`Client#ConnectOptions`](/docs/docs/api/Client.md#parameter-connectoptions).
 * **proxyTls** `BuildOptions` (optional) - Options object passed when creating the underlying socket via the connector builder for the proxy server. It extends from [`Client#ConnectOptions`](/docs/docs/api/Client.md#parameter-connectoptions).
-* **proxyTunnel** `boolean` (optional) - By default, ProxyAgent will request that the Proxy facilitate a tunnel between the endpoint and the agent. Setting `proxyTunnel` to false avoids issuing a CONNECT extension, and includes the endpoint domain and path in each request.
+* **proxyTunnel** `boolean` (optional) - For connections involving secure protocols, Undici will always establish a tunnel via the HTTP2  CONNECT extension. If proxyTunnel is set to true, this will occur for unsecured proxy/endpoint connections as well. Currently, there is no way to facilitate HTTP1 IP tunneling as described in https://www.rfc-editor.org/rfc/rfc9484.html#name-http-11-request. If proxyTunnel is set to false (the default), ProxyAgent connections where both the Proxy and Endpoint are unsecured will issue all requests to the Proxy, and prefix the endpoint request path with the endpoint origin address.
 
 Examples:
 
diff --git a/deps/undici/src/docs/docs/api/SnapshotAgent.md b/deps/undici/src/docs/docs/api/SnapshotAgent.md
new file mode 100644
index 00000000000000..e4c8f2484a5408
--- /dev/null
+++ b/deps/undici/src/docs/docs/api/SnapshotAgent.md
@@ -0,0 +1,616 @@
+# SnapshotAgent
+
+The `SnapshotAgent` provides a powerful way to record and replay HTTP requests for testing purposes. It extends `MockAgent` to enable automatic snapshot testing, eliminating the need to manually define mock responses.
+
+## Use Cases
+
+- **Integration Testing**: Record real API interactions and replay them in tests
+- **Offline Development**: Work with APIs without network connectivity
+- **Consistent Test Data**: Ensure tests use the same responses across runs
+- **API Contract Testing**: Capture and validate API behavior over time
+
+## Constructor
+
+```javascript
+new SnapshotAgent([options])
+```
+
+### Parameters
+
+- **options** `Object` (optional)
+  - **mode** `String` - The snapshot mode: `'record'`, `'playback'`, or `'update'`. Default: `'record'`
+  - **snapshotPath** `String` - Path to the snapshot file for loading/saving
+  - **maxSnapshots** `Number` - Maximum number of snapshots to keep in memory. Default: `Infinity`
+  - **autoFlush** `Boolean` - Whether to automatically save snapshots to disk. Default: `false`
+  - **flushInterval** `Number` - Interval in milliseconds for auto-flush. Default: `30000`
+  - **matchHeaders** `Array<String>` - Specific headers to include in request matching. Default: all headers
+  - **ignoreHeaders** `Array<String>` - Headers to ignore during request matching
+  - **excludeHeaders** `Array<String>` - Headers to exclude from snapshots (for security)
+  - **matchBody** `Boolean` - Whether to include request body in matching. Default: `true`
+  - **matchQuery** `Boolean` - Whether to include query parameters in matching. Default: `true`
+  - **caseSensitive** `Boolean` - Whether header matching is case-sensitive. Default: `false`
+  - **shouldRecord** `Function` - Callback to determine if a request should be recorded
+  - **shouldPlayback** `Function` - Callback to determine if a request should be played back
+  - **excludeUrls** `Array` - URL patterns (strings or RegExp) to exclude from recording/playback
+  - All other options from `MockAgent` are supported
+
+### Modes
+
+#### Record Mode (`'record'`)
+Makes real HTTP requests and saves the responses to snapshots.
+
+```javascript
+import { SnapshotAgent, setGlobalDispatcher } from 'undici'
+
+const agent = new SnapshotAgent({ 
+  mode: 'record',
+  snapshotPath: './test/snapshots/api-calls.json'
+})
+setGlobalDispatcher(agent)
+
+// Makes real requests and records them
+const response = await fetch('https://api.example.com/users')
+const users = await response.json()
+
+// Save recorded snapshots
+await agent.saveSnapshots()
+```
+
+#### Playback Mode (`'playback'`)
+Replays recorded responses without making real HTTP requests.
+
+```javascript
+import { SnapshotAgent, setGlobalDispatcher } from 'undici'
+
+const agent = new SnapshotAgent({
+  mode: 'playback',
+  snapshotPath: './test/snapshots/api-calls.json'
+})
+setGlobalDispatcher(agent)
+
+// Uses recorded response instead of real request
+const response = await fetch('https://api.example.com/users')
+```
+
+#### Update Mode (`'update'`)
+Uses existing snapshots when available, but records new ones for missing requests.
+
+```javascript
+import { SnapshotAgent, setGlobalDispatcher } from 'undici'
+
+const agent = new SnapshotAgent({
+  mode: 'update',
+  snapshotPath: './test/snapshots/api-calls.json'
+})
+setGlobalDispatcher(agent)
+
+// Uses snapshot if exists, otherwise makes real request and records it
+const response = await fetch('https://api.example.com/new-endpoint')
+```
+
+## Instance Methods
+
+### `agent.saveSnapshots([filePath])`
+
+Saves all recorded snapshots to a file.
+
+#### Parameters
+
+- **filePath** `String` (optional) - Path to save snapshots. Uses constructor `snapshotPath` if not provided.
+
+#### Returns
+
+`Promise<void>`
+
+```javascript
+await agent.saveSnapshots('./custom-snapshots.json')
+```
+
+## Advanced Configuration
+
+### Header Filtering
+
+Control which headers are used for request matching and what gets stored in snapshots:
+
+```javascript
+const agent = new SnapshotAgent({
+  mode: 'record',
+  snapshotPath: './snapshots.json',
+  
+  // Only match these specific headers
+  matchHeaders: ['content-type', 'accept'],
+  
+  // Ignore these headers during matching (but still store them)
+  ignoreHeaders: ['user-agent', 'date'],
+  
+  // Exclude sensitive headers from snapshots entirely
+  excludeHeaders: ['authorization', 'x-api-key', 'cookie']
+})
+```
+
+### Custom Request/Response Filtering
+
+Use callback functions to determine what gets recorded or played back:
+
+```javascript
+const agent = new SnapshotAgent({
+  mode: 'record',
+  snapshotPath: './snapshots.json',
+  
+  // Only record GET requests to specific endpoints
+  shouldRecord: (requestOpts) => {
+    const url = new URL(requestOpts.path, requestOpts.origin)
+    return requestOpts.method === 'GET' && url.pathname.startsWith('/api/v1/')
+  },
+  
+  // Skip authentication endpoints during playback
+  shouldPlayback: (requestOpts) => {
+    const url = new URL(requestOpts.path, requestOpts.origin)
+    return !url.pathname.includes('/auth/')
+  }
+})
+```
+
+### URL Pattern Exclusion
+
+Exclude specific URLs from recording/playback using patterns:
+
+```javascript
+const agent = new SnapshotAgent({
+  mode: 'record',
+  snapshotPath: './snapshots.json',
+  
+  excludeUrls: [
+    'https://analytics.example.com',  // String match
+    /\/api\/v\d+\/health/,           // Regex pattern
+    'telemetry'                      // Substring match
+  ]
+})
+```
+
+### Memory Management
+
+Configure automatic memory and disk management:
+
+```javascript
+const agent = new SnapshotAgent({
+  mode: 'record',
+  snapshotPath: './snapshots.json',
+  
+  // Keep only 1000 snapshots in memory
+  maxSnapshots: 1000,
+  
+  // Automatically save to disk every 30 seconds
+  autoFlush: true,
+  flushInterval: 30000
+})
+```
+
+### Sequential Response Handling
+
+Handle multiple responses for the same request (similar to nock):
+
+```javascript
+// In record mode, multiple identical requests get recorded as separate responses
+const agent = new SnapshotAgent({ mode: 'record', snapshotPath: './sequential.json' })
+
+// First call returns response A
+await fetch('https://api.example.com/random')
+
+// Second call returns response B  
+await fetch('https://api.example.com/random')
+
+await agent.saveSnapshots()
+
+// In playback mode, calls return responses in sequence
+const playbackAgent = new SnapshotAgent({ mode: 'playback', snapshotPath: './sequential.json' })
+
+// Returns response A
+const first = await fetch('https://api.example.com/random')
+
+// Returns response B
+const second = await fetch('https://api.example.com/random')
+
+// Third call repeats the last response (B)
+const third = await fetch('https://api.example.com/random')
+```
+
+## Managing Snapshots
+
+### Replacing Existing Snapshots
+
+```javascript
+// Load existing snapshots
+await agent.loadSnapshots('./old-snapshots.json')
+
+// Get snapshot data
+const recorder = agent.getRecorder()
+const snapshots = recorder.getSnapshots()
+
+// Modify or filter snapshots
+const filteredSnapshots = snapshots.filter(s => 
+  !s.request.url.includes('deprecated')
+)
+
+// Replace all snapshots
+agent.replaceSnapshots(filteredSnapshots.map((snapshot, index) => ({
+  hash: `new-hash-${index}`,
+  snapshot
+})))
+
+// Save updated snapshots
+await agent.saveSnapshots('./updated-snapshots.json')
+```
+
+### `agent.loadSnapshots([filePath])`
+
+Loads snapshots from a file.
+
+#### Parameters
+
+- **filePath** `String` (optional) - Path to load snapshots from. Uses constructor `snapshotPath` if not provided.
+
+#### Returns
+
+`Promise<void>`
+
+```javascript
+await agent.loadSnapshots('./existing-snapshots.json')
+```
+
+### `agent.getRecorder()`
+
+Gets the underlying `SnapshotRecorder` instance.
+
+#### Returns
+
+`SnapshotRecorder`
+
+```javascript
+const recorder = agent.getRecorder()
+console.log(`Recorded ${recorder.size()} interactions`)
+```
+
+### `agent.getMode()`
+
+Gets the current snapshot mode.
+
+#### Returns
+
+`String` - The current mode (`'record'`, `'playback'`, or `'update'`)
+
+### `agent.clearSnapshots()`
+
+Clears all recorded snapshots from memory.
+
+```javascript
+agent.clearSnapshots()
+```
+
+## Working with Different Request Types
+
+### GET Requests
+
+```javascript
+// Record mode
+const agent = new SnapshotAgent({ mode: 'record', snapshotPath: './get-snapshots.json' })
+setGlobalDispatcher(agent)
+
+const response = await fetch('https://jsonplaceholder.typicode.com/posts/1')
+const post = await response.json()
+
+await agent.saveSnapshots()
+```
+
+### POST Requests with Body
+
+```javascript
+// Record mode
+const agent = new SnapshotAgent({ mode: 'record', snapshotPath: './post-snapshots.json' })
+setGlobalDispatcher(agent)
+
+const response = await fetch('https://jsonplaceholder.typicode.com/posts', {
+  method: 'POST',
+  headers: { 'Content-Type': 'application/json' },
+  body: JSON.stringify({ title: 'Test Post', body: 'Content' })
+})
+
+await agent.saveSnapshots()
+```
+
+### Using with `undici.request`
+
+SnapshotAgent works with all undici APIs, not just fetch:
+
+```javascript
+import { SnapshotAgent, request, setGlobalDispatcher } from 'undici'
+
+const agent = new SnapshotAgent({ mode: 'record', snapshotPath: './request-snapshots.json' })
+setGlobalDispatcher(agent)
+
+const { statusCode, headers, body } = await request('https://api.example.com/data')
+const data = await body.json()
+
+await agent.saveSnapshots()
+```
+
+## Test Integration
+
+### Basic Test Setup
+
+```javascript
+import { test } from 'node:test'
+import { SnapshotAgent, setGlobalDispatcher, getGlobalDispatcher } from 'undici'
+
+test('API integration test', async (t) => {
+  const originalDispatcher = getGlobalDispatcher()
+  
+  const agent = new SnapshotAgent({
+    mode: 'playback',
+    snapshotPath: './test/snapshots/api-test.json'
+  })
+  setGlobalDispatcher(agent)
+  
+  t.after(() => setGlobalDispatcher(originalDispatcher))
+  
+  // This will use recorded data
+  const response = await fetch('https://api.example.com/users')
+  const users = await response.json()
+  
+  assert(Array.isArray(users))
+  assert(users.length > 0)
+})
+```
+
+### Environment-Based Mode Selection
+
+```javascript
+const mode = process.env.SNAPSHOT_MODE || 'playback'
+
+const agent = new SnapshotAgent({
+  mode,
+  snapshotPath: './test/snapshots/integration.json'
+})
+
+// Run with: SNAPSHOT_MODE=record npm test (to record)
+// Run with: npm test (to playback)
+```
+
+### Test Helper Function
+
+```javascript
+function createSnapshotAgent(testName, mode = 'playback') {
+  return new SnapshotAgent({
+    mode,
+    snapshotPath: `./test/snapshots/${testName}.json`
+  })
+}
+
+test('user API test', async (t) => {
+  const agent = createSnapshotAgent('user-api')
+  setGlobalDispatcher(agent)
+  
+  // Test implementation...
+})
+```
+
+## Snapshot File Format
+
+Snapshots are stored as JSON with the following structure:
+
+```json
+[
+  {
+    "hash": "dGVzdC1oYXNo...",
+    "snapshot": {
+      "request": {
+        "method": "GET",
+        "url": "https://api.example.com/users",
+        "headers": {
+          "authorization": "Bearer token"
+        },
+        "body": undefined
+      },
+      "response": {
+        "statusCode": 200,
+        "headers": {
+          "content-type": "application/json"
+        },
+        "body": "eyJkYXRhIjoidGVzdCJ9", // base64 encoded
+        "trailers": {}
+      },
+      "timestamp": "2024-01-01T00:00:00.000Z"
+    }
+  }
+]
+```
+
+## Security Considerations
+
+### Sensitive Data in Snapshots
+
+By default, SnapshotAgent records all headers and request/response data. For production use, always exclude sensitive information:
+
+```javascript
+const agent = new SnapshotAgent({
+  mode: 'record',
+  snapshotPath: './snapshots.json',
+  
+  // Exclude sensitive headers from snapshots
+  excludeHeaders: [
+    'authorization',
+    'x-api-key', 
+    'cookie',
+    'set-cookie',
+    'x-auth-token',
+    'x-csrf-token'
+  ],
+  
+  // Filter out requests with sensitive data
+  shouldRecord: (requestOpts) => {
+    const url = new URL(requestOpts.path, requestOpts.origin)
+    
+    // Don't record authentication endpoints
+    if (url.pathname.includes('/auth/') || url.pathname.includes('/login')) {
+      return false
+    }
+    
+    // Don't record if request contains sensitive body data
+    if (requestOpts.body && typeof requestOpts.body === 'string') {
+      const body = requestOpts.body.toLowerCase()
+      if (body.includes('password') || body.includes('secret')) {
+        return false
+      }
+    }
+    
+    return true
+  }
+})
+```
+
+### Snapshot File Security
+
+**Important**: Snapshot files may contain sensitive data. Handle them securely:
+
+- ✅ Add snapshot files to `.gitignore` if they contain real API data
+- ✅ Use environment-specific snapshots (dev/staging/prod)
+- ✅ Regularly review snapshot contents for sensitive information
+- ✅ Use the `excludeHeaders` option for production snapshots
+- ❌ Never commit snapshots with real authentication tokens
+- ❌ Don't share snapshot files containing personal data
+
+```gitignore
+# Exclude snapshots with real data
+/test/snapshots/production-*.json
+/test/snapshots/*-real-data.json
+
+# Include sanitized test snapshots
+!/test/snapshots/mock-*.json
+```
+
+## Error Handling
+
+### Missing Snapshots in Playback Mode
+
+```javascript
+try {
+  const response = await fetch('https://api.example.com/nonexistent')
+} catch (error) {
+  if (error.message.includes('No snapshot found')) {
+    // Handle missing snapshot
+    console.log('Snapshot not found for this request')
+  }
+}
+```
+
+### Handling Network Errors in Record Mode
+
+```javascript
+const agent = new SnapshotAgent({ mode: 'record', snapshotPath: './snapshots.json' })
+
+try {
+  const response = await fetch('https://nonexistent-api.example.com/data')
+} catch (error) {
+  // Network errors are not recorded as snapshots
+  console.log('Network error:', error.message)
+}
+```
+
+## Best Practices
+
+### 1. Organize Snapshots by Test Suite
+
+```javascript
+// Use descriptive snapshot file names
+const agent = new SnapshotAgent({
+  mode: 'playback',
+  snapshotPath: `./test/snapshots/${testSuiteName}-${testName}.json`
+})
+```
+
+### 2. Version Control Snapshots
+
+Add snapshot files to version control to ensure consistent test behavior across environments:
+
+```gitignore
+# Include snapshots in version control
+!/test/snapshots/*.json
+```
+
+### 3. Clean Up Test Data
+
+```javascript
+test('API test', async (t) => {
+  const agent = new SnapshotAgent({
+    mode: 'playback',
+    snapshotPath: './test/snapshots/temp-test.json'
+  })
+  
+  // Clean up after test
+  t.after(() => {
+    agent.clearSnapshots()
+  })
+})
+```
+
+### 4. Snapshot Validation
+
+```javascript
+test('validate snapshot contents', async (t) => {
+  const agent = new SnapshotAgent({
+    mode: 'playback',
+    snapshotPath: './test/snapshots/validation.json'
+  })
+  
+  const recorder = agent.getRecorder()
+  const snapshots = recorder.getSnapshots()
+  
+  // Validate snapshot structure
+  assert(snapshots.length > 0, 'Should have recorded snapshots')
+  assert(snapshots[0].request.url.startsWith('https://'), 'Should use HTTPS')
+})
+```
+
+## Comparison with Other Tools
+
+### vs Manual MockAgent Setup
+
+**Manual MockAgent:**
+```javascript
+const mockAgent = new MockAgent()
+const mockPool = mockAgent.get('https://api.example.com')
+
+mockPool.intercept({
+  path: '/users',
+  method: 'GET'
+}).reply(200, [
+  { id: 1, name: 'User 1' },
+  { id: 2, name: 'User 2' }
+])
+```
+
+**SnapshotAgent:**
+```javascript
+// Record once
+const agent = new SnapshotAgent({ mode: 'record', snapshotPath: './snapshots.json' })
+// Real API call gets recorded automatically
+
+// Use in tests
+const agent = new SnapshotAgent({ mode: 'playback', snapshotPath: './snapshots.json' })
+// Automatically replays recorded response
+```
+
+### vs nock
+
+SnapshotAgent provides similar functionality to nock but is specifically designed for undici:
+
+- ✅ Works with all undici APIs (`request`, `stream`, `pipeline`, etc.)
+- ✅ Supports undici-specific features (RetryAgent, connection pooling)
+- ✅ Better TypeScript integration
+- ✅ More efficient for high-performance scenarios
+
+## See Also
+
+- [MockAgent](./MockAgent.md) - Manual mocking for more control
+- [MockCallHistory](./MockCallHistory.md) - Inspecting request history
+- [Testing Best Practices](../best-practices/writing-tests.md) - General testing guidance
\ No newline at end of file
diff --git a/deps/undici/src/index.js b/deps/undici/src/index.js
index 6ce77c4d53040b..4ebdabd441db31 100644
--- a/deps/undici/src/index.js
+++ b/deps/undici/src/index.js
@@ -18,6 +18,7 @@ const MockClient = require('./lib/mock/mock-client')
 const { MockCallHistory, MockCallHistoryLog } = require('./lib/mock/mock-call-history')
 const MockAgent = require('./lib/mock/mock-agent')
 const MockPool = require('./lib/mock/mock-pool')
+const SnapshotAgent = require('./lib/mock/snapshot-agent')
 const mockErrors = require('./lib/mock/mock-errors')
 const RetryHandler = require('./lib/handler/retry-handler')
 const { getGlobalDispatcher, setGlobalDispatcher } = require('./lib/global')
@@ -178,6 +179,7 @@ module.exports.MockCallHistory = MockCallHistory
 module.exports.MockCallHistoryLog = MockCallHistoryLog
 module.exports.MockPool = MockPool
 module.exports.MockAgent = MockAgent
+module.exports.SnapshotAgent = SnapshotAgent
 module.exports.mockErrors = mockErrors
 
 const { EventSource } = require('./lib/web/eventsource/eventsource')
diff --git a/deps/undici/src/lib/api/readable.js b/deps/undici/src/lib/api/readable.js
index d7dd0d534244b9..b5fd12dd30382b 100644
--- a/deps/undici/src/lib/api/readable.js
+++ b/deps/undici/src/lib/api/readable.js
@@ -1,5 +1,3 @@
-// Ported from https://github.com/nodejs/undici/pull/907
-
 'use strict'
 
 const assert = require('node:assert')
@@ -50,23 +48,32 @@ class BodyReadable extends Readable {
 
     this[kAbort] = abort
 
-    /**
-     * @type {Consume | null}
-     */
+    /** @type {Consume | null} */
     this[kConsume] = null
+
+    /** @type {number} */
     this[kBytesRead] = 0
-    /**
-     * @type {ReadableStream|null}
-     */
+
+    /** @type {ReadableStream|null} */
     this[kBody] = null
+
+    /** @type {boolean} */
     this[kUsed] = false
+
+    /** @type {string} */
     this[kContentType] = contentType
+
+    /** @type {number|null} */
     this[kContentLength] = Number.isFinite(contentLength) ? contentLength : null
 
-    // Is stream being consumed through Readable API?
-    // This is an optimization so that we avoid checking
-    // for 'data' and 'readable' listeners in the hot path
-    // inside push().
+    /**
+     * Is stream being consumed through Readable API?
+     * This is an optimization so that we avoid checking
+     * for 'data' and 'readable' listeners in the hot path
+     * inside push().
+     *
+     * @type {boolean}
+     */
     this[kReading] = false
   }
 
@@ -96,7 +103,7 @@ class BodyReadable extends Readable {
   }
 
   /**
-   * @param {string} event
+   * @param {string|symbol} event
    * @param {(...args: any[]) => void} listener
    * @returns {this}
    */
@@ -109,7 +116,7 @@ class BodyReadable extends Readable {
   }
 
   /**
-   * @param {string} event
+   * @param {string|symbol} event
    * @param {(...args: any[]) => void} listener
    * @returns {this}
    */
@@ -147,12 +154,14 @@ class BodyReadable extends Readable {
    * @returns {boolean}
    */
   push (chunk) {
-    this[kBytesRead] += chunk ? chunk.length : 0
-
-    if (this[kConsume] && chunk !== null) {
-      consumePush(this[kConsume], chunk)
-      return this[kReading] ? super.push(chunk) : true
+    if (chunk) {
+      this[kBytesRead] += chunk.length
+      if (this[kConsume]) {
+        consumePush(this[kConsume], chunk)
+        return this[kReading] ? super.push(chunk) : true
+      }
     }
+
     return super.push(chunk)
   }
 
@@ -338,9 +347,23 @@ function isUnusable (bodyReadable) {
   return util.isDisturbed(bodyReadable) || isLocked(bodyReadable)
 }
 
+/**
+ * @typedef {'text' | 'json' | 'blob' | 'bytes' | 'arrayBuffer'} ConsumeType
+ */
+
+/**
+ * @template {ConsumeType} T
+ * @typedef {T extends 'text' ? string :
+ *           T extends 'json' ? unknown :
+ *           T extends 'blob' ? Blob :
+ *           T extends 'arrayBuffer' ? ArrayBuffer :
+ *           T extends 'bytes' ? Uint8Array :
+ *           never
+ * } ConsumeReturnType
+ */
 /**
  * @typedef {object} Consume
- * @property {string} type
+ * @property {ConsumeType} type
  * @property {BodyReadable} stream
  * @property {((value?: any) => void)} resolve
  * @property {((err: Error) => void)} reject
@@ -349,9 +372,10 @@ function isUnusable (bodyReadable) {
  */
 
 /**
+ * @template {ConsumeType} T
  * @param {BodyReadable} stream
- * @param {string} type
- * @returns {Promise<any>}
+ * @param {T} type
+ * @returns {Promise<ConsumeReturnType<T>>}
  */
 function consume (stream, type) {
   assert(!stream[kConsume])
@@ -361,9 +385,7 @@ function consume (stream, type) {
       const rState = stream._readableState
       if (rState.destroyed && rState.closeEmitted === false) {
         stream
-          .on('error', err => {
-            reject(err)
-          })
+          .on('error', reject)
           .on('close', () => {
             reject(new TypeError('unusable'))
           })
@@ -438,7 +460,7 @@ function consumeStart (consume) {
 /**
  * @param {Buffer[]} chunks
  * @param {number} length
- * @param {BufferEncoding} encoding
+ * @param {BufferEncoding} [encoding='utf8']
  * @returns {string}
  */
 function chunksDecode (chunks, length, encoding) {
diff --git a/deps/undici/src/lib/core/util.js b/deps/undici/src/lib/core/util.js
index aa44edfa97f18a..c8e446de2d8e7c 100644
--- a/deps/undici/src/lib/core/util.js
+++ b/deps/undici/src/lib/core/util.js
@@ -5,7 +5,6 @@ const { kDestroyed, kBodyUsed, kListeners, kBody } = require('./symbols')
 const { IncomingMessage } = require('node:http')
 const stream = require('node:stream')
 const net = require('node:net')
-const { Blob } = require('node:buffer')
 const { stringify } = require('node:querystring')
 const { EventEmitter: EE } = require('node:events')
 const timers = require('../util/timers')
diff --git a/deps/undici/src/lib/dispatcher/proxy-agent.js b/deps/undici/src/lib/dispatcher/proxy-agent.js
index cd9bc45ffad5c7..139ae6d17274d5 100644
--- a/deps/undici/src/lib/dispatcher/proxy-agent.js
+++ b/deps/undici/src/lib/dispatcher/proxy-agent.js
@@ -1,6 +1,6 @@
 'use strict'
 
-const { kProxy, kClose, kDestroy, kDispatch, kConnector } = require('../core/symbols')
+const { kProxy, kClose, kDestroy, kDispatch } = require('../core/symbols')
 const { URL } = require('node:url')
 const Agent = require('./agent')
 const Pool = require('./pool')
@@ -27,61 +27,69 @@ function defaultFactory (origin, opts) {
 
 const noop = () => {}
 
-class ProxyClient extends DispatcherBase {
-  #client = null
-  constructor (origin, opts) {
-    if (typeof origin === 'string') {
-      origin = new URL(origin)
-    }
+function defaultAgentFactory (origin, opts) {
+  if (opts.connections === 1) {
+    return new Client(origin, opts)
+  }
+  return new Pool(origin, opts)
+}
 
-    if (origin.protocol !== 'http:' && origin.protocol !== 'https:') {
-      throw new InvalidArgumentError('ProxyClient only supports http and https protocols')
-    }
+class Http1ProxyWrapper extends DispatcherBase {
+  #client
 
+  constructor (proxyUrl, { headers = {}, connect, factory }) {
     super()
+    if (!proxyUrl) {
+      throw new InvalidArgumentError('Proxy URL is mandatory')
+    }
 
-    this.#client = new Client(origin, opts)
-  }
-
-  async [kClose] () {
-    await this.#client.close()
-  }
-
-  async [kDestroy] () {
-    await this.#client.destroy()
+    this[kProxyHeaders] = headers
+    if (factory) {
+      this.#client = factory(proxyUrl, { connect })
+    } else {
+      this.#client = new Client(proxyUrl, { connect })
+    }
   }
 
-  async [kDispatch] (opts, handler) {
-    const { method, origin } = opts
-    if (method === 'CONNECT') {
-      this.#client[kConnector]({
-        origin,
-        port: opts.port || defaultProtocolPort(opts.protocol),
-        path: opts.host,
-        signal: opts.signal,
-        headers: {
-          ...this[kProxyHeaders],
-          host: opts.host
-        },
-        servername: this[kProxyTls]?.servername || opts.servername
-      },
-      (err, socket) => {
-        if (err) {
-          handler.callback(err)
-        } else {
-          handler.callback(null, { socket, statusCode: 200 })
+  [kDispatch] (opts, handler) {
+    const onHeaders = handler.onHeaders
+    handler.onHeaders = function (statusCode, data, resume) {
+      if (statusCode === 407) {
+        if (typeof handler.onError === 'function') {
+          handler.onError(new InvalidArgumentError('Proxy Authentication Required (407)'))
         }
+        return
       }
-      )
-      return
+      if (onHeaders) onHeaders.call(this, statusCode, data, resume)
     }
-    if (typeof origin === 'string') {
-      opts.origin = new URL(origin)
+
+    // Rewrite request as an HTTP1 Proxy request, without tunneling.
+    const {
+      origin,
+      path = '/',
+      headers = {}
+    } = opts
+
+    opts.path = origin + path
+
+    if (!('host' in headers) && !('Host' in headers)) {
+      const { host } = new URL(origin)
+      headers.host = host
     }
+    opts.headers = { ...this[kProxyHeaders], ...headers }
+
+    return this.#client[kDispatch](opts, handler)
+  }
 
-    return this.#client.dispatch(opts, handler)
+  async [kClose] () {
+    return this.#client.close()
+  }
+
+  async [kDestroy] (err) {
+    return this.#client.destroy(err)
   }
 }
+
 class ProxyAgent extends DispatcherBase {
   constructor (opts) {
     if (!opts || (typeof opts === 'object' && !(opts instanceof URL) && !opts.uri)) {
@@ -104,6 +112,7 @@ class ProxyAgent extends DispatcherBase {
     this[kRequestTls] = opts.requestTls
     this[kProxyTls] = opts.proxyTls
     this[kProxyHeaders] = opts.headers || {}
+    this[kTunnelProxy] = proxyTunnel
 
     if (opts.auth && opts.token) {
       throw new InvalidArgumentError('opts.auth cannot be used in combination with opts.token')
@@ -116,21 +125,25 @@ class ProxyAgent extends DispatcherBase {
       this[kProxyHeaders]['proxy-authorization'] = `Basic ${Buffer.from(`${decodeURIComponent(username)}:${decodeURIComponent(password)}`).toString('base64')}`
     }
 
-    const factory = (!proxyTunnel && protocol === 'http:')
-      ? (origin, options) => {
-          if (origin.protocol === 'http:') {
-            return new ProxyClient(origin, options)
-          }
-          return new Client(origin, options)
-        }
-      : undefined
-
     const connect = buildConnector({ ...opts.proxyTls })
     this[kConnectEndpoint] = buildConnector({ ...opts.requestTls })
-    this[kClient] = clientFactory(url, { connect, factory })
-    this[kTunnelProxy] = proxyTunnel
+
+    const agentFactory = opts.factory || defaultAgentFactory
+    const factory = (origin, options) => {
+      const { protocol } = new URL(origin)
+      if (!this[kTunnelProxy] && protocol === 'http:' && this[kProxy].protocol === 'http:') {
+        return new Http1ProxyWrapper(this[kProxy].uri, {
+          headers: this[kProxyHeaders],
+          connect,
+          factory: agentFactory
+        })
+      }
+      return agentFactory(origin, options)
+    }
+    this[kClient] = clientFactory(url, { connect })
     this[kAgent] = new Agent({
       ...opts,
+      factory,
       connect: async (opts, callback) => {
         let requestedPath = opts.host
         if (!opts.port) {
@@ -185,10 +198,6 @@ class ProxyAgent extends DispatcherBase {
       headers.host = host
     }
 
-    if (!this.#shouldConnect(new URL(opts.origin))) {
-      opts.path = opts.origin + opts.path
-    }
-
     return this[kAgent].dispatch(
       {
         ...opts,
@@ -221,19 +230,6 @@ class ProxyAgent extends DispatcherBase {
     await this[kAgent].destroy()
     await this[kClient].destroy()
   }
-
-  #shouldConnect (uri) {
-    if (typeof uri === 'string') {
-      uri = new URL(uri)
-    }
-    if (this[kTunnelProxy]) {
-      return true
-    }
-    if (uri.protocol !== 'http:' || this[kProxy].protocol !== 'http:') {
-      return true
-    }
-    return false
-  }
 }
 
 /**
diff --git a/deps/undici/src/lib/handler/redirect-handler.js b/deps/undici/src/lib/handler/redirect-handler.js
index 46da3550f77df2..dd0f47170ae154 100644
--- a/deps/undici/src/lib/handler/redirect-handler.js
+++ b/deps/undici/src/lib/handler/redirect-handler.js
@@ -133,6 +133,16 @@ class RedirectHandler {
     const { origin, pathname, search } = util.parseURL(new URL(this.location, this.opts.origin && new URL(this.opts.path, this.opts.origin)))
     const path = search ? `${pathname}${search}` : pathname
 
+    // Check for redirect loops by seeing if we've already visited this URL in our history
+    // This catches the case where Client/Pool try to handle cross-origin redirects but fail
+    // and keep redirecting to the same URL in an infinite loop
+    const redirectUrlString = `${origin}${path}`
+    for (const historyUrl of this.history) {
+      if (historyUrl.toString() === redirectUrlString) {
+        throw new InvalidArgumentError(`Redirect loop detected. Cannot redirect to ${origin}. This typically happens when using a Client or Pool with cross-origin redirects. Use an Agent for cross-origin redirects.`)
+      }
+    }
+
     // Remove headers referring to the original URL.
     // By default it is Host only, unless it's a 303 (see below), which removes also all Content-* headers.
     // https://tools.ietf.org/html/rfc7231#section-6.4
diff --git a/deps/undici/src/lib/interceptor/dump.js b/deps/undici/src/lib/interceptor/dump.js
index 61c09d5c9ee182..4810a09f382424 100644
--- a/deps/undici/src/lib/interceptor/dump.js
+++ b/deps/undici/src/lib/interceptor/dump.js
@@ -57,7 +57,8 @@ class DumpHandler extends DecoratorHandler {
       return
     }
 
-    err = this.#controller.reason ?? err
+    // On network errors before connect, controller will be null
+    err = this.#controller?.reason ?? err
 
     super.onResponseError(controller, err)
   }
diff --git a/deps/undici/src/lib/llhttp/wasm_build_env.txt b/deps/undici/src/lib/llhttp/wasm_build_env.txt
index 7092ce09d32aba..77e7ad40adc06a 100644
--- a/deps/undici/src/lib/llhttp/wasm_build_env.txt
+++ b/deps/undici/src/lib/llhttp/wasm_build_env.txt
@@ -1,5 +1,5 @@
 
-> undici@7.12.0 build:wasm
+> undici@7.13.0 build:wasm
 > node build/wasm.js --docker
 
 > docker run --rm --platform=linux/x86_64  --user 1001:118 --mount type=bind,source=/home/runner/work/node/node/deps/undici/src/lib/llhttp,target=/home/node/build/lib/llhttp            --mount type=bind,source=/home/runner/work/node/node/deps/undici/src/build,target=/home/node/build/build            --mount type=bind,source=/home/runner/work/node/node/deps/undici/src/deps,target=/home/node/build/deps            -t ghcr.io/nodejs/wasm-builder@sha256:975f391d907e42a75b8c72eb77c782181e941608687d4d8694c3e9df415a0970 node build/wasm.js
diff --git a/deps/undici/src/lib/mock/mock-agent.js b/deps/undici/src/lib/mock/mock-agent.js
index 19bb01c266188f..3079b15ec8ceef 100644
--- a/deps/undici/src/lib/mock/mock-agent.js
+++ b/deps/undici/src/lib/mock/mock-agent.js
@@ -17,7 +17,8 @@ const {
   kMockAgentAddCallHistoryLog,
   kMockAgentMockCallHistoryInstance,
   kMockAgentAcceptsNonStandardSearchParameters,
-  kMockCallHistoryAddLog
+  kMockCallHistoryAddLog,
+  kIgnoreTrailingSlash
 } = require('./mock-symbols')
 const MockClient = require('./mock-client')
 const MockPool = require('./mock-pool')
@@ -37,6 +38,7 @@ class MockAgent extends Dispatcher {
     this[kIsMockActive] = true
     this[kMockAgentIsCallHistoryEnabled] = mockOptions?.enableCallHistory ?? false
     this[kMockAgentAcceptsNonStandardSearchParameters] = mockOptions?.acceptNonStandardSearchParameters ?? false
+    this[kIgnoreTrailingSlash] = mockOptions?.ignoreTrailingSlash ?? false
 
     // Instantiate Agent and encapsulate
     if (opts?.agent && typeof opts.agent.dispatch !== 'function') {
@@ -54,11 +56,15 @@ class MockAgent extends Dispatcher {
   }
 
   get (origin) {
-    let dispatcher = this[kMockAgentGet](origin)
+    const originKey = this[kIgnoreTrailingSlash]
+      ? origin.replace(/\/$/, '')
+      : origin
+
+    let dispatcher = this[kMockAgentGet](originKey)
 
     if (!dispatcher) {
-      dispatcher = this[kFactory](origin)
-      this[kMockAgentSet](origin, dispatcher)
+      dispatcher = this[kFactory](originKey)
+      this[kMockAgentSet](originKey, dispatcher)
     }
     return dispatcher
   }
diff --git a/deps/undici/src/lib/mock/snapshot-agent.js b/deps/undici/src/lib/mock/snapshot-agent.js
new file mode 100644
index 00000000000000..abdd8227e1e367
--- /dev/null
+++ b/deps/undici/src/lib/mock/snapshot-agent.js
@@ -0,0 +1,333 @@
+'use strict'
+
+const Agent = require('../dispatcher/agent')
+const MockAgent = require('./mock-agent')
+const { SnapshotRecorder } = require('./snapshot-recorder')
+const WrapHandler = require('../handler/wrap-handler')
+const { InvalidArgumentError, UndiciError } = require('../core/errors')
+
+const kSnapshotRecorder = Symbol('kSnapshotRecorder')
+const kSnapshotMode = Symbol('kSnapshotMode')
+const kSnapshotPath = Symbol('kSnapshotPath')
+const kSnapshotLoaded = Symbol('kSnapshotLoaded')
+const kRealAgent = Symbol('kRealAgent')
+
+// Static flag to ensure warning is only emitted once
+let warningEmitted = false
+
+class SnapshotAgent extends MockAgent {
+  constructor (opts = {}) {
+    // Emit experimental warning only once
+    if (!warningEmitted) {
+      process.emitWarning(
+        'SnapshotAgent is experimental and subject to change',
+        'ExperimentalWarning'
+      )
+      warningEmitted = true
+    }
+
+    const mockOptions = { ...opts }
+    delete mockOptions.mode
+    delete mockOptions.snapshotPath
+
+    super(mockOptions)
+
+    // Validate mode option
+    const validModes = ['record', 'playback', 'update']
+    const mode = opts.mode || 'record'
+    if (!validModes.includes(mode)) {
+      throw new InvalidArgumentError(`Invalid snapshot mode: ${mode}. Must be one of: ${validModes.join(', ')}`)
+    }
+
+    // Validate snapshotPath is provided when required
+    if ((mode === 'playback' || mode === 'update') && !opts.snapshotPath) {
+      throw new InvalidArgumentError(`snapshotPath is required when mode is '${mode}'`)
+    }
+
+    this[kSnapshotMode] = mode
+    this[kSnapshotPath] = opts.snapshotPath
+    this[kSnapshotRecorder] = new SnapshotRecorder({
+      snapshotPath: this[kSnapshotPath],
+      mode: this[kSnapshotMode],
+      maxSnapshots: opts.maxSnapshots,
+      autoFlush: opts.autoFlush,
+      flushInterval: opts.flushInterval,
+      matchHeaders: opts.matchHeaders,
+      ignoreHeaders: opts.ignoreHeaders,
+      excludeHeaders: opts.excludeHeaders,
+      matchBody: opts.matchBody,
+      matchQuery: opts.matchQuery,
+      caseSensitive: opts.caseSensitive,
+      shouldRecord: opts.shouldRecord,
+      shouldPlayback: opts.shouldPlayback,
+      excludeUrls: opts.excludeUrls
+    })
+    this[kSnapshotLoaded] = false
+
+    // For recording/update mode, we need a real agent to make actual requests
+    if (this[kSnapshotMode] === 'record' || this[kSnapshotMode] === 'update') {
+      this[kRealAgent] = new Agent(opts)
+    }
+
+    // Auto-load snapshots in playback/update mode
+    if ((this[kSnapshotMode] === 'playback' || this[kSnapshotMode] === 'update') && this[kSnapshotPath]) {
+      this.loadSnapshots().catch(() => {
+        // Ignore load errors - file might not exist yet
+      })
+    }
+  }
+
+  dispatch (opts, handler) {
+    handler = WrapHandler.wrap(handler)
+    const mode = this[kSnapshotMode]
+
+    if (mode === 'playback' || mode === 'update') {
+      // Ensure snapshots are loaded
+      if (!this[kSnapshotLoaded]) {
+        // Need to load asynchronously, delegate to async version
+        return this._asyncDispatch(opts, handler)
+      }
+
+      // Try to find existing snapshot (synchronous)
+      const snapshot = this[kSnapshotRecorder].findSnapshot(opts)
+
+      if (snapshot) {
+        // Use recorded response (synchronous)
+        return this._replaySnapshot(snapshot, handler)
+      } else if (mode === 'update') {
+        // Make real request and record it (async required)
+        return this._recordAndReplay(opts, handler)
+      } else {
+        // Playback mode but no snapshot found
+        const error = new UndiciError(`No snapshot found for ${opts.method || 'GET'} ${opts.path}`)
+        if (handler.onError) {
+          handler.onError(error)
+          return
+        }
+        throw error
+      }
+    } else if (mode === 'record') {
+      // Record mode - make real request and save response (async required)
+      return this._recordAndReplay(opts, handler)
+    } else {
+      throw new InvalidArgumentError(`Invalid snapshot mode: ${mode}. Must be 'record', 'playback', or 'update'`)
+    }
+  }
+
+  /**
+   * Async version of dispatch for when we need to load snapshots first
+   */
+  async _asyncDispatch (opts, handler) {
+    await this.loadSnapshots()
+    return this.dispatch(opts, handler)
+  }
+
+  /**
+   * Records a real request and replays the response
+   */
+  _recordAndReplay (opts, handler) {
+    const responseData = {
+      statusCode: null,
+      headers: {},
+      trailers: {},
+      body: []
+    }
+
+    const self = this // Capture 'this' context for use within nested handler callbacks
+
+    const recordingHandler = {
+      onRequestStart (controller, context) {
+        return handler.onRequestStart(controller, { ...context, history: this.history })
+      },
+
+      onRequestUpgrade (controller, statusCode, headers, socket) {
+        return handler.onRequestUpgrade(controller, statusCode, headers, socket)
+      },
+
+      onResponseStart (controller, statusCode, headers, statusMessage) {
+        responseData.statusCode = statusCode
+        responseData.headers = headers
+        return handler.onResponseStart(controller, statusCode, headers, statusMessage)
+      },
+
+      onResponseData (controller, chunk) {
+        responseData.body.push(chunk)
+        return handler.onResponseData(controller, chunk)
+      },
+
+      onResponseEnd (controller, trailers) {
+        responseData.trailers = trailers
+
+        // Record the interaction using captured 'self' context (fire and forget)
+        const responseBody = Buffer.concat(responseData.body)
+        self[kSnapshotRecorder].record(opts, {
+          statusCode: responseData.statusCode,
+          headers: responseData.headers,
+          body: responseBody,
+          trailers: responseData.trailers
+        }).then(() => {
+          handler.onResponseEnd(controller, trailers)
+        }).catch((error) => {
+          handler.onResponseError(controller, error)
+        })
+      }
+    }
+
+    // Use composed agent if available (includes interceptors), otherwise use real agent
+    const agent = this[kRealAgent]
+    return agent.dispatch(opts, recordingHandler)
+  }
+
+  /**
+   * Replays a recorded response
+   */
+  _replaySnapshot (snapshot, handler) {
+    return new Promise((resolve) => {
+      // Simulate the response
+      setImmediate(() => {
+        try {
+          const { response } = snapshot
+
+          const controller = {
+            pause () {},
+            resume () {},
+            abort (reason) {
+              this.aborted = true
+              this.reason = reason
+            },
+
+            aborted: false,
+            paused: false
+          }
+
+          handler.onRequestStart(controller)
+
+          handler.onResponseStart(controller, response.statusCode, response.headers)
+
+          // Body is always stored as base64 string
+          const body = Buffer.from(response.body, 'base64')
+          handler.onResponseData(controller, body)
+
+          handler.onResponseEnd(controller, response.trailers)
+          resolve()
+        } catch (error) {
+          handler.onError?.(error)
+        }
+      })
+    })
+  }
+
+  /**
+   * Loads snapshots from file
+   */
+  async loadSnapshots (filePath) {
+    await this[kSnapshotRecorder].loadSnapshots(filePath || this[kSnapshotPath])
+    this[kSnapshotLoaded] = true
+
+    // In playback mode, set up MockAgent interceptors for all snapshots
+    if (this[kSnapshotMode] === 'playback') {
+      this._setupMockInterceptors()
+    }
+  }
+
+  /**
+   * Saves snapshots to file
+   */
+  async saveSnapshots (filePath) {
+    return this[kSnapshotRecorder].saveSnapshots(filePath || this[kSnapshotPath])
+  }
+
+  /**
+   * Sets up MockAgent interceptors based on recorded snapshots.
+   *
+   * This method creates MockAgent interceptors for each recorded snapshot,
+   * allowing the SnapshotAgent to fall back to MockAgent's standard intercept
+   * mechanism in playback mode. Each interceptor is configured to persist
+   * (remain active for multiple requests) and responds with the recorded
+   * response data.
+   *
+   * Called automatically when loading snapshots in playback mode.
+   *
+   * @private
+   */
+  _setupMockInterceptors () {
+    for (const snapshot of this[kSnapshotRecorder].getSnapshots()) {
+      const { request, responses, response } = snapshot
+      const url = new URL(request.url)
+
+      const mockPool = this.get(url.origin)
+
+      // Handle both new format (responses array) and legacy format (response object)
+      const responseData = responses ? responses[0] : response
+      if (!responseData) continue
+
+      mockPool.intercept({
+        path: url.pathname + url.search,
+        method: request.method,
+        headers: request.headers,
+        body: request.body
+      }).reply(responseData.statusCode, responseData.body, {
+        headers: responseData.headers,
+        trailers: responseData.trailers
+      }).persist()
+    }
+  }
+
+  /**
+   * Gets the snapshot recorder
+   */
+  getRecorder () {
+    return this[kSnapshotRecorder]
+  }
+
+  /**
+   * Gets the current mode
+   */
+  getMode () {
+    return this[kSnapshotMode]
+  }
+
+  /**
+   * Clears all snapshots
+   */
+  clearSnapshots () {
+    this[kSnapshotRecorder].clear()
+  }
+
+  /**
+   * Resets call counts for all snapshots (useful for test cleanup)
+   */
+  resetCallCounts () {
+    this[kSnapshotRecorder].resetCallCounts()
+  }
+
+  /**
+   * Deletes a specific snapshot by request options
+   */
+  deleteSnapshot (requestOpts) {
+    return this[kSnapshotRecorder].deleteSnapshot(requestOpts)
+  }
+
+  /**
+   * Gets information about a specific snapshot
+   */
+  getSnapshotInfo (requestOpts) {
+    return this[kSnapshotRecorder].getSnapshotInfo(requestOpts)
+  }
+
+  /**
+   * Replaces all snapshots with new data (full replacement)
+   */
+  replaceSnapshots (snapshotData) {
+    this[kSnapshotRecorder].replaceSnapshots(snapshotData)
+  }
+
+  async close () {
+    // Close recorder (saves snapshots and cleans up timers)
+    await this[kSnapshotRecorder].close()
+    await this[kRealAgent]?.close()
+    await super.close()
+  }
+}
+
+module.exports = SnapshotAgent
diff --git a/deps/undici/src/lib/mock/snapshot-recorder.js b/deps/undici/src/lib/mock/snapshot-recorder.js
new file mode 100644
index 00000000000000..7482b5c1914a56
--- /dev/null
+++ b/deps/undici/src/lib/mock/snapshot-recorder.js
@@ -0,0 +1,517 @@
+'use strict'
+
+const { writeFile, readFile, mkdir } = require('node:fs/promises')
+const { dirname, resolve } = require('node:path')
+const { InvalidArgumentError, UndiciError } = require('../core/errors')
+
+/**
+ * Formats a request for consistent snapshot storage
+ * Caches normalized headers to avoid repeated processing
+ */
+function formatRequestKey (opts, cachedSets, matchOptions = {}) {
+  const url = new URL(opts.path, opts.origin)
+
+  // Cache normalized headers if not already done
+  const normalized = opts._normalizedHeaders || normalizeHeaders(opts.headers)
+  if (!opts._normalizedHeaders) {
+    opts._normalizedHeaders = normalized
+  }
+
+  return {
+    method: opts.method || 'GET',
+    url: matchOptions.matchQuery !== false ? url.toString() : `${url.origin}${url.pathname}`,
+    headers: filterHeadersForMatching(normalized, cachedSets, matchOptions),
+    body: matchOptions.matchBody !== false && opts.body ? String(opts.body) : undefined
+  }
+}
+
+/**
+ * Filters headers based on matching configuration
+ */
+function filterHeadersForMatching (headers, cachedSets, matchOptions = {}) {
+  if (!headers || typeof headers !== 'object') return {}
+
+  const {
+    matchHeaders = null,
+    caseSensitive = false
+  } = matchOptions
+
+  const filtered = {}
+  const { ignoreSet, excludeSet, matchSet } = cachedSets
+
+  for (const [key, value] of Object.entries(headers)) {
+    const headerKey = caseSensitive ? key : key.toLowerCase()
+
+    // Skip if in exclude list (for security)
+    if (excludeSet.has(headerKey)) continue
+
+    // Skip if in ignore list (for matching)
+    if (ignoreSet.has(headerKey)) continue
+
+    // If matchHeaders is specified, only include those headers
+    if (matchHeaders && Array.isArray(matchHeaders)) {
+      if (!matchSet.has(headerKey)) continue
+    }
+
+    filtered[headerKey] = value
+  }
+
+  return filtered
+}
+
+/**
+ * Filters headers for storage (only excludes sensitive headers)
+ */
+function filterHeadersForStorage (headers, matchOptions = {}) {
+  if (!headers || typeof headers !== 'object') return {}
+
+  const {
+    excludeHeaders = [],
+    caseSensitive = false
+  } = matchOptions
+
+  const filtered = {}
+  const excludeSet = new Set(excludeHeaders.map(h => caseSensitive ? h : h.toLowerCase()))
+
+  for (const [key, value] of Object.entries(headers)) {
+    const headerKey = caseSensitive ? key : key.toLowerCase()
+
+    // Skip if in exclude list (for security)
+    if (excludeSet.has(headerKey)) continue
+
+    filtered[headerKey] = value
+  }
+
+  return filtered
+}
+
+/**
+ * Creates cached header sets for performance
+ */
+function createHeaderSetsCache (matchOptions = {}) {
+  const { ignoreHeaders = [], excludeHeaders = [], matchHeaders = null, caseSensitive = false } = matchOptions
+
+  return {
+    ignoreSet: new Set(ignoreHeaders.map(h => caseSensitive ? h : h.toLowerCase())),
+    excludeSet: new Set(excludeHeaders.map(h => caseSensitive ? h : h.toLowerCase())),
+    matchSet: matchHeaders && Array.isArray(matchHeaders)
+      ? new Set(matchHeaders.map(h => caseSensitive ? h : h.toLowerCase()))
+      : null
+  }
+}
+
+/**
+ * Normalizes headers for consistent comparison
+ */
+function normalizeHeaders (headers) {
+  if (!headers) return {}
+
+  const normalized = {}
+
+  // Handle array format (undici internal format: [name, value, name, value, ...])
+  if (Array.isArray(headers)) {
+    for (let i = 0; i < headers.length; i += 2) {
+      const key = headers[i]
+      const value = headers[i + 1]
+      if (key && value !== undefined) {
+        // Convert Buffers to strings if needed
+        const keyStr = Buffer.isBuffer(key) ? key.toString() : String(key)
+        const valueStr = Buffer.isBuffer(value) ? value.toString() : String(value)
+        normalized[keyStr.toLowerCase()] = valueStr
+      }
+    }
+    return normalized
+  }
+
+  // Handle object format
+  if (headers && typeof headers === 'object') {
+    for (const [key, value] of Object.entries(headers)) {
+      if (key && typeof key === 'string') {
+        normalized[key.toLowerCase()] = Array.isArray(value) ? value.join(', ') : String(value)
+      }
+    }
+  }
+
+  return normalized
+}
+
+/**
+ * Creates a hash key for request matching
+ */
+function createRequestHash (request) {
+  const parts = [
+    request.method,
+    request.url,
+    JSON.stringify(request.headers, Object.keys(request.headers).sort()),
+    request.body || ''
+  ]
+  return Buffer.from(parts.join('|')).toString('base64url')
+}
+
+/**
+ * Checks if a URL matches any of the exclude patterns
+ */
+function isUrlExcluded (url, excludePatterns = []) {
+  if (!excludePatterns.length) return false
+
+  for (const pattern of excludePatterns) {
+    if (typeof pattern === 'string') {
+      // Simple string match (case-insensitive)
+      if (url.toLowerCase().includes(pattern.toLowerCase())) {
+        return true
+      }
+    } else if (pattern instanceof RegExp) {
+      // Regex pattern match
+      if (pattern.test(url)) {
+        return true
+      }
+    }
+  }
+
+  return false
+}
+
+class SnapshotRecorder {
+  constructor (options = {}) {
+    this.snapshots = new Map()
+    this.snapshotPath = options.snapshotPath
+    this.mode = options.mode || 'record'
+    this.loaded = false
+    this.maxSnapshots = options.maxSnapshots || Infinity
+    this.autoFlush = options.autoFlush || false
+    this.flushInterval = options.flushInterval || 30000 // 30 seconds default
+    this._flushTimer = null
+    this._flushTimeout = null
+
+    // Matching configuration
+    this.matchOptions = {
+      matchHeaders: options.matchHeaders || null, // null means match all headers
+      ignoreHeaders: options.ignoreHeaders || [],
+      excludeHeaders: options.excludeHeaders || [],
+      matchBody: options.matchBody !== false, // default: true
+      matchQuery: options.matchQuery !== false, // default: true
+      caseSensitive: options.caseSensitive || false
+    }
+
+    // Cache processed header sets to avoid recreating them on every request
+    this._headerSetsCache = createHeaderSetsCache(this.matchOptions)
+
+    // Request filtering callbacks
+    this.shouldRecord = options.shouldRecord || null // function(requestOpts) -> boolean
+    this.shouldPlayback = options.shouldPlayback || null // function(requestOpts) -> boolean
+
+    // URL pattern filtering
+    this.excludeUrls = options.excludeUrls || [] // Array of regex patterns or strings
+
+    // Start auto-flush timer if enabled
+    if (this.autoFlush && this.snapshotPath) {
+      this._startAutoFlush()
+    }
+  }
+
+  /**
+   * Records a request-response interaction
+   */
+  async record (requestOpts, response) {
+    // Check if recording should be filtered out
+    if (this.shouldRecord && typeof this.shouldRecord === 'function') {
+      if (!this.shouldRecord(requestOpts)) {
+        return // Skip recording
+      }
+    }
+
+    // Check URL exclusion patterns
+    const url = new URL(requestOpts.path, requestOpts.origin).toString()
+    if (isUrlExcluded(url, this.excludeUrls)) {
+      return // Skip recording
+    }
+
+    const request = formatRequestKey(requestOpts, this._headerSetsCache, this.matchOptions)
+    const hash = createRequestHash(request)
+
+    // Extract response data - always store body as base64
+    const normalizedHeaders = normalizeHeaders(response.headers)
+    const responseData = {
+      statusCode: response.statusCode,
+      headers: filterHeadersForStorage(normalizedHeaders, this.matchOptions),
+      body: Buffer.isBuffer(response.body)
+        ? response.body.toString('base64')
+        : Buffer.from(String(response.body || '')).toString('base64'),
+      trailers: response.trailers
+    }
+
+    // Remove oldest snapshot if we exceed maxSnapshots limit
+    if (this.snapshots.size >= this.maxSnapshots && !this.snapshots.has(hash)) {
+      const oldestKey = this.snapshots.keys().next().value
+      this.snapshots.delete(oldestKey)
+    }
+
+    // Support sequential responses - if snapshot exists, add to responses array
+    const existingSnapshot = this.snapshots.get(hash)
+    if (existingSnapshot && existingSnapshot.responses) {
+      existingSnapshot.responses.push(responseData)
+      existingSnapshot.timestamp = new Date().toISOString()
+    } else {
+      this.snapshots.set(hash, {
+        request,
+        responses: [responseData], // Always store as array for consistency
+        callCount: 0,
+        timestamp: new Date().toISOString()
+      })
+    }
+
+    // Auto-flush if enabled
+    if (this.autoFlush && this.snapshotPath) {
+      this._scheduleFlush()
+    }
+  }
+
+  /**
+   * Finds a matching snapshot for the given request
+   * Returns the appropriate response based on call count for sequential responses
+   */
+  findSnapshot (requestOpts) {
+    // Check if playback should be filtered out
+    if (this.shouldPlayback && typeof this.shouldPlayback === 'function') {
+      if (!this.shouldPlayback(requestOpts)) {
+        return undefined // Skip playback
+      }
+    }
+
+    // Check URL exclusion patterns
+    const url = new URL(requestOpts.path, requestOpts.origin).toString()
+    if (isUrlExcluded(url, this.excludeUrls)) {
+      return undefined // Skip playback
+    }
+
+    const request = formatRequestKey(requestOpts, this._headerSetsCache, this.matchOptions)
+    const hash = createRequestHash(request)
+    const snapshot = this.snapshots.get(hash)
+
+    if (!snapshot) return undefined
+
+    // Handle sequential responses
+    if (snapshot.responses && Array.isArray(snapshot.responses)) {
+      const currentCallCount = snapshot.callCount || 0
+      const responseIndex = Math.min(currentCallCount, snapshot.responses.length - 1)
+      snapshot.callCount = currentCallCount + 1
+
+      return {
+        ...snapshot,
+        response: snapshot.responses[responseIndex]
+      }
+    }
+
+    // Legacy format compatibility - convert single response to array format
+    if (snapshot.response && !snapshot.responses) {
+      snapshot.responses = [snapshot.response]
+      snapshot.callCount = 1
+      delete snapshot.response
+
+      return {
+        ...snapshot,
+        response: snapshot.responses[0]
+      }
+    }
+
+    return snapshot
+  }
+
+  /**
+   * Loads snapshots from file
+   */
+  async loadSnapshots (filePath) {
+    const path = filePath || this.snapshotPath
+    if (!path) {
+      throw new InvalidArgumentError('Snapshot path is required')
+    }
+
+    try {
+      const data = await readFile(resolve(path), 'utf8')
+      const parsed = JSON.parse(data)
+
+      // Convert array format back to Map
+      if (Array.isArray(parsed)) {
+        this.snapshots.clear()
+        for (const { hash, snapshot } of parsed) {
+          this.snapshots.set(hash, snapshot)
+        }
+      } else {
+        // Legacy object format
+        this.snapshots = new Map(Object.entries(parsed))
+      }
+
+      this.loaded = true
+    } catch (error) {
+      if (error.code === 'ENOENT') {
+        // File doesn't exist yet - that's ok for recording mode
+        this.snapshots.clear()
+        this.loaded = true
+      } else {
+        throw new UndiciError(`Failed to load snapshots from ${path}`, { cause: error })
+      }
+    }
+  }
+
+  /**
+   * Saves snapshots to file
+   */
+  async saveSnapshots (filePath) {
+    const path = filePath || this.snapshotPath
+    if (!path) {
+      throw new InvalidArgumentError('Snapshot path is required')
+    }
+
+    const resolvedPath = resolve(path)
+
+    // Ensure directory exists
+    await mkdir(dirname(resolvedPath), { recursive: true })
+
+    // Convert Map to serializable format
+    const data = Array.from(this.snapshots.entries()).map(([hash, snapshot]) => ({
+      hash,
+      snapshot
+    }))
+
+    await writeFile(resolvedPath, JSON.stringify(data, null, 2), 'utf8', { flush: true })
+  }
+
+  /**
+   * Clears all recorded snapshots
+   */
+  clear () {
+    this.snapshots.clear()
+  }
+
+  /**
+   * Gets all recorded snapshots
+   */
+  getSnapshots () {
+    return Array.from(this.snapshots.values())
+  }
+
+  /**
+   * Gets snapshot count
+   */
+  size () {
+    return this.snapshots.size
+  }
+
+  /**
+   * Resets call counts for all snapshots (useful for test cleanup)
+   */
+  resetCallCounts () {
+    for (const snapshot of this.snapshots.values()) {
+      snapshot.callCount = 0
+    }
+  }
+
+  /**
+   * Deletes a specific snapshot by request options
+   */
+  deleteSnapshot (requestOpts) {
+    const request = formatRequestKey(requestOpts, this._headerSetsCache, this.matchOptions)
+    const hash = createRequestHash(request)
+    return this.snapshots.delete(hash)
+  }
+
+  /**
+   * Gets information about a specific snapshot
+   */
+  getSnapshotInfo (requestOpts) {
+    const request = formatRequestKey(requestOpts, this._headerSetsCache, this.matchOptions)
+    const hash = createRequestHash(request)
+    const snapshot = this.snapshots.get(hash)
+
+    if (!snapshot) return null
+
+    return {
+      hash,
+      request: snapshot.request,
+      responseCount: snapshot.responses ? snapshot.responses.length : (snapshot.response ? 1 : 0),
+      callCount: snapshot.callCount || 0,
+      timestamp: snapshot.timestamp
+    }
+  }
+
+  /**
+   * Replaces all snapshots with new data (full replacement)
+   */
+  replaceSnapshots (snapshotData) {
+    this.snapshots.clear()
+
+    if (Array.isArray(snapshotData)) {
+      for (const { hash, snapshot } of snapshotData) {
+        this.snapshots.set(hash, snapshot)
+      }
+    } else if (snapshotData && typeof snapshotData === 'object') {
+      // Legacy object format
+      this.snapshots = new Map(Object.entries(snapshotData))
+    }
+  }
+
+  /**
+   * Starts the auto-flush timer
+   */
+  _startAutoFlush () {
+    if (!this._flushTimer) {
+      this._flushTimer = setInterval(() => {
+        this.saveSnapshots().catch(() => {
+          // Ignore flush errors - they shouldn't interrupt normal operation
+        })
+      }, this.flushInterval)
+    }
+  }
+
+  /**
+   * Stops the auto-flush timer
+   */
+  _stopAutoFlush () {
+    if (this._flushTimer) {
+      clearInterval(this._flushTimer)
+      this._flushTimer = null
+    }
+  }
+
+  /**
+   * Schedules a flush (debounced to avoid excessive writes)
+   */
+  _scheduleFlush () {
+    // Simple debouncing - clear existing timeout and set new one
+    if (this._flushTimeout) {
+      clearTimeout(this._flushTimeout)
+    }
+    this._flushTimeout = setTimeout(() => {
+      this.saveSnapshots().catch(() => {
+        // Ignore flush errors
+      })
+      this._flushTimeout = null
+    }, 1000) // 1 second debounce
+  }
+
+  /**
+   * Cleanup method to stop timers
+   */
+  destroy () {
+    this._stopAutoFlush()
+    if (this._flushTimeout) {
+      clearTimeout(this._flushTimeout)
+      this._flushTimeout = null
+    }
+  }
+
+  /**
+   * Async close method that saves all recordings and performs cleanup
+   */
+  async close () {
+    // Save any pending recordings if we have a snapshot path
+    if (this.snapshotPath && this.snapshots.size > 0) {
+      await this.saveSnapshots()
+    }
+
+    // Perform cleanup
+    this.destroy()
+  }
+}
+
+module.exports = { SnapshotRecorder, formatRequestKey, createRequestHash, filterHeadersForMatching, filterHeadersForStorage, isUrlExcluded, createHeaderSetsCache }
diff --git a/deps/undici/src/lib/web/fetch/body.js b/deps/undici/src/lib/web/fetch/body.js
index 270d6e997adac7..adfcb99302ae4a 100644
--- a/deps/undici/src/lib/web/fetch/body.js
+++ b/deps/undici/src/lib/web/fetch/body.js
@@ -10,7 +10,6 @@ const {
 } = require('./util')
 const { FormData, setFormDataState } = require('./formdata')
 const { webidl } = require('../webidl')
-const { Blob } = require('node:buffer')
 const assert = require('node:assert')
 const { isErrored, isDisturbed } = require('node:stream')
 const { isArrayBuffer } = require('node:util/types')
diff --git a/deps/undici/src/lib/web/fetch/formdata-parser.js b/deps/undici/src/lib/web/fetch/formdata-parser.js
index 0691622e605a1a..5fd11444622b29 100644
--- a/deps/undici/src/lib/web/fetch/formdata-parser.js
+++ b/deps/undici/src/lib/web/fetch/formdata-parser.js
@@ -6,9 +6,6 @@ const { HTTP_TOKEN_CODEPOINTS, isomorphicDecode } = require('./data-url')
 const { makeEntry } = require('./formdata')
 const { webidl } = require('../webidl')
 const assert = require('node:assert')
-const { File: NodeFile } = require('node:buffer')
-
-const File = globalThis.File ?? NodeFile
 
 const formDataNameBuffer = Buffer.from('form-data; name="')
 const filenameBuffer = Buffer.from('filename')
diff --git a/deps/undici/src/lib/web/fetch/formdata.js b/deps/undici/src/lib/web/fetch/formdata.js
index c34b7772997b37..e21ee3f553e96e 100644
--- a/deps/undici/src/lib/web/fetch/formdata.js
+++ b/deps/undici/src/lib/web/fetch/formdata.js
@@ -3,12 +3,8 @@
 const { iteratorMixin } = require('./util')
 const { kEnumerableProperty } = require('../../core/util')
 const { webidl } = require('../webidl')
-const { File: NativeFile } = require('node:buffer')
 const nodeUtil = require('node:util')
 
-/** @type {globalThis['File']} */
-const File = globalThis.File ?? NativeFile
-
 // https://xhr.spec.whatwg.org/#formdata
 class FormData {
   #state = []
diff --git a/deps/undici/src/lib/web/webidl/index.js b/deps/undici/src/lib/web/webidl/index.js
index fc82e3cc1f3239..dfe8a92cfd276a 100644
--- a/deps/undici/src/lib/web/webidl/index.js
+++ b/deps/undici/src/lib/web/webidl/index.js
@@ -509,7 +509,7 @@ webidl.is.USVString = function (value) {
 webidl.is.ReadableStream = webidl.util.MakeTypeAssertion(ReadableStream)
 webidl.is.Blob = webidl.util.MakeTypeAssertion(Blob)
 webidl.is.URLSearchParams = webidl.util.MakeTypeAssertion(URLSearchParams)
-webidl.is.File = webidl.util.MakeTypeAssertion(globalThis.File ?? require('node:buffer').File)
+webidl.is.File = webidl.util.MakeTypeAssertion(File)
 webidl.is.URL = webidl.util.MakeTypeAssertion(URL)
 webidl.is.AbortSignal = webidl.util.MakeTypeAssertion(AbortSignal)
 webidl.is.MessagePort = webidl.util.MakeTypeAssertion(MessagePort)
diff --git a/deps/undici/src/package-lock.json b/deps/undici/src/package-lock.json
index 674659bf2ed429..57498279f5040c 100644
--- a/deps/undici/src/package-lock.json
+++ b/deps/undici/src/package-lock.json
@@ -1,12 +1,12 @@
 {
   "name": "undici",
-  "version": "7.12.0",
+  "version": "7.13.0",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "undici",
-      "version": "7.12.0",
+      "version": "7.13.0",
       "license": "MIT",
       "devDependencies": {
         "@fastify/busboy": "3.1.1",
@@ -261,14 +261,14 @@
       }
     },
     "node_modules/@babel/helpers": {
-      "version": "7.27.6",
-      "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.27.6.tgz",
-      "integrity": "sha512-muE8Tt8M22638HU31A3CgfSUciwz1fhATfoVai05aPXGor//CdWDCbnlY1yvBPo07njuVOCNGCSp/GTt12lIug==",
+      "version": "7.28.2",
+      "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.28.2.tgz",
+      "integrity": "sha512-/V9771t+EgXz62aCcyofnQhGM8DQACbRhvzKFsXKC9QM+5MadF8ZmIm0crDMaz3+o0h0zXfJnd4EhbYbxsrcFw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@babel/template": "^7.27.2",
-        "@babel/types": "^7.27.6"
+        "@babel/types": "^7.28.2"
       },
       "engines": {
         "node": ">=6.9.0"
@@ -564,9 +564,9 @@
       }
     },
     "node_modules/@babel/types": {
-      "version": "7.28.1",
-      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.28.1.tgz",
-      "integrity": "sha512-x0LvFTekgSX+83TI28Y9wYPUfzrnl2aT5+5QLnO6v7mSJYtEEevuDRN0F0uSHRk1G1IWZC43o00Y0xDDrpBGPQ==",
+      "version": "7.28.2",
+      "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.28.2.tgz",
+      "integrity": "sha512-ruv7Ae4J5dUYULmeXw1gmb7rYRz57OWCPM57pHojnLq/3Z1CK2lNSLTCVjxVk1F/TZHwOZZrOWi0ur95BbLxNQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -1168,9 +1168,9 @@
       }
     },
     "node_modules/@eslint/js": {
-      "version": "9.31.0",
-      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.31.0.tgz",
-      "integrity": "sha512-LOm5OVt7D4qiKCqoiPbA7LWmI+tbw1VbTUowBcUMgQSuM6poJufkFkYDcQpo5KfgD39TnNySV26QjOh7VFpSyw==",
+      "version": "9.32.0",
+      "resolved": "https://registry.npmjs.org/@eslint/js/-/js-9.32.0.tgz",
+      "integrity": "sha512-BBpRFZK3eX6uMLKz8WxFOBIFFcGFJ/g8XuwjTHCqHROSIsopI+ddn/d5Cfh36+7+e5edVS8dbSHnBNhrLEX0zg==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -1191,9 +1191,9 @@
       }
     },
     "node_modules/@eslint/plugin-kit": {
-      "version": "0.3.3",
-      "resolved": "https://registry.npmjs.org/@eslint/plugin-kit/-/plugin-kit-0.3.3.tgz",
-      "integrity": "sha512-1+WqvgNMhmlAambTvT3KPtCl/Ibr68VldY2XY40SL1CE0ZXiakFR/cbTspaF5HsnpDMvcYYoJHfl4980NBjGag==",
+      "version": "0.3.4",
+      "resolved": "https://registry.npmjs.org/@eslint/plugin-kit/-/plugin-kit-0.3.4.tgz",
+      "integrity": "sha512-Ul5l+lHEcw3L5+k8POx6r74mxEYKG5kOb6Xpy2gCRW6zweT6TEhAf8vhxGgjhqrd/VO/Dirhsb+1hNpD1ue9hw==",
       "dev": true,
       "license": "Apache-2.0",
       "dependencies": {
@@ -1959,9 +1959,9 @@
       }
     },
     "node_modules/@reporters/github": {
-      "version": "1.7.2",
-      "resolved": "https://registry.npmjs.org/@reporters/github/-/github-1.7.2.tgz",
-      "integrity": "sha512-8mvTyKUxxDXkNIWfzv3FsHVwjr8JCwVtwidQws2neV6YgrsJW6OwTOBBhd01RKrDMXPxgpMQuFEfN9hRuUZGuA==",
+      "version": "1.8.0",
+      "resolved": "https://registry.npmjs.org/@reporters/github/-/github-1.8.0.tgz",
+      "integrity": "sha512-EJNbv7qvqbICrVbyaPLKWT/mGzdkkdskKuPg1hG0tVKeAEtH6D1gCZwZ84N/26CQ8FBsyfiUyVjwtgYEByGKWQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2106,13 +2106,13 @@
       }
     },
     "node_modules/@types/babel__traverse": {
-      "version": "7.20.7",
-      "resolved": "https://registry.npmjs.org/@types/babel__traverse/-/babel__traverse-7.20.7.tgz",
-      "integrity": "sha512-dkO5fhS7+/oos4ciWxyEyjWe48zmG6wbCheo/G2ZnHx4fs3EU6YC6UM8rk56gAjNJ9P3MTH2jo5jb92/K6wbng==",
+      "version": "7.28.0",
+      "resolved": "https://registry.npmjs.org/@types/babel__traverse/-/babel__traverse-7.28.0.tgz",
+      "integrity": "sha512-8PvcXf70gTDZBgt9ptxJ8elBeBjcLOAcOtoO/mPJjtji1+CdGbHgm77om1GrsPxsiE+uXIpNSK64UYaIwQXd4Q==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@babel/types": "^7.20.7"
+        "@babel/types": "^7.28.2"
       }
     },
     "node_modules/@types/eslint": {
@@ -2185,9 +2185,9 @@
       "license": "MIT"
     },
     "node_modules/@types/node": {
-      "version": "18.19.120",
-      "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.120.tgz",
-      "integrity": "sha512-WtCGHFXnVI8WHLxDAt5TbnCM4eSE+nI0QN2NJtwzcgMhht2eNz6V9evJrk+lwC8bCY8OWV5Ym8Jz7ZEyGnKnMA==",
+      "version": "18.19.121",
+      "resolved": "https://registry.npmjs.org/@types/node/-/node-18.19.121.tgz",
+      "integrity": "sha512-bHOrbyztmyYIi4f1R0s17QsPs1uyyYnGcXeZoGEd227oZjry0q6XQBQxd82X1I57zEfwO8h9Xo+Kl5gX1d9MwQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -2236,17 +2236,17 @@
       "license": "MIT"
     },
     "node_modules/@typescript-eslint/eslint-plugin": {
-      "version": "8.37.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.37.0.tgz",
-      "integrity": "sha512-jsuVWeIkb6ggzB+wPCsR4e6loj+rM72ohW6IBn2C+5NCvfUVY8s33iFPySSVXqtm5Hu29Ne/9bnA0JmyLmgenA==",
+      "version": "8.38.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/eslint-plugin/-/eslint-plugin-8.38.0.tgz",
+      "integrity": "sha512-CPoznzpuAnIOl4nhj4tRr4gIPj5AfKgkiJmGQDaq+fQnRJTYlcBjbX3wbciGmpoPf8DREufuPRe1tNMZnGdanA==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/regexpp": "^4.10.0",
-        "@typescript-eslint/scope-manager": "8.37.0",
-        "@typescript-eslint/type-utils": "8.37.0",
-        "@typescript-eslint/utils": "8.37.0",
-        "@typescript-eslint/visitor-keys": "8.37.0",
+        "@typescript-eslint/scope-manager": "8.38.0",
+        "@typescript-eslint/type-utils": "8.38.0",
+        "@typescript-eslint/utils": "8.38.0",
+        "@typescript-eslint/visitor-keys": "8.38.0",
         "graphemer": "^1.4.0",
         "ignore": "^7.0.0",
         "natural-compare": "^1.4.0",
@@ -2260,7 +2260,7 @@
         "url": "https://opencollective.com/typescript-eslint"
       },
       "peerDependencies": {
-        "@typescript-eslint/parser": "^8.37.0",
+        "@typescript-eslint/parser": "^8.38.0",
         "eslint": "^8.57.0 || ^9.0.0",
         "typescript": ">=4.8.4 <5.9.0"
       }
@@ -2276,16 +2276,16 @@
       }
     },
     "node_modules/@typescript-eslint/parser": {
-      "version": "8.37.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.37.0.tgz",
-      "integrity": "sha512-kVIaQE9vrN9RLCQMQ3iyRlVJpTiDUY6woHGb30JDkfJErqrQEmtdWH3gV0PBAfGZgQXoqzXOO0T3K6ioApbbAA==",
+      "version": "8.38.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/parser/-/parser-8.38.0.tgz",
+      "integrity": "sha512-Zhy8HCvBUEfBECzIl1PKqF4p11+d0aUJS1GeUiuqK9WmOug8YCmC4h4bjyBvMyAMI9sbRczmrYL5lKg/YMbrcQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/scope-manager": "8.37.0",
-        "@typescript-eslint/types": "8.37.0",
-        "@typescript-eslint/typescript-estree": "8.37.0",
-        "@typescript-eslint/visitor-keys": "8.37.0",
+        "@typescript-eslint/scope-manager": "8.38.0",
+        "@typescript-eslint/types": "8.38.0",
+        "@typescript-eslint/typescript-estree": "8.38.0",
+        "@typescript-eslint/visitor-keys": "8.38.0",
         "debug": "^4.3.4"
       },
       "engines": {
@@ -2301,14 +2301,14 @@
       }
     },
     "node_modules/@typescript-eslint/project-service": {
-      "version": "8.37.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.37.0.tgz",
-      "integrity": "sha512-BIUXYsbkl5A1aJDdYJCBAo8rCEbAvdquQ8AnLb6z5Lp1u3x5PNgSSx9A/zqYc++Xnr/0DVpls8iQ2cJs/izTXA==",
+      "version": "8.38.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/project-service/-/project-service-8.38.0.tgz",
+      "integrity": "sha512-dbK7Jvqcb8c9QfH01YB6pORpqX1mn5gDZc9n63Ak/+jD67oWXn3Gs0M6vddAN+eDXBCS5EmNWzbSxsn9SzFWWg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/tsconfig-utils": "^8.37.0",
-        "@typescript-eslint/types": "^8.37.0",
+        "@typescript-eslint/tsconfig-utils": "^8.38.0",
+        "@typescript-eslint/types": "^8.38.0",
         "debug": "^4.3.4"
       },
       "engines": {
@@ -2323,14 +2323,14 @@
       }
     },
     "node_modules/@typescript-eslint/scope-manager": {
-      "version": "8.37.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.37.0.tgz",
-      "integrity": "sha512-0vGq0yiU1gbjKob2q691ybTg9JX6ShiVXAAfm2jGf3q0hdP6/BruaFjL/ManAR/lj05AvYCH+5bbVo0VtzmjOA==",
+      "version": "8.38.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/scope-manager/-/scope-manager-8.38.0.tgz",
+      "integrity": "sha512-WJw3AVlFFcdT9Ri1xs/lg8LwDqgekWXWhH3iAF+1ZM+QPd7oxQ6jvtW/JPwzAScxitILUIFs0/AnQ/UWHzbATQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.37.0",
-        "@typescript-eslint/visitor-keys": "8.37.0"
+        "@typescript-eslint/types": "8.38.0",
+        "@typescript-eslint/visitor-keys": "8.38.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2341,9 +2341,9 @@
       }
     },
     "node_modules/@typescript-eslint/tsconfig-utils": {
-      "version": "8.37.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.37.0.tgz",
-      "integrity": "sha512-1/YHvAVTimMM9mmlPvTec9NP4bobA1RkDbMydxG8omqwJJLEW/Iy2C4adsAESIXU3WGLXFHSZUU+C9EoFWl4Zg==",
+      "version": "8.38.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/tsconfig-utils/-/tsconfig-utils-8.38.0.tgz",
+      "integrity": "sha512-Lum9RtSE3EroKk/bYns+sPOodqb2Fv50XOl/gMviMKNvanETUuUcC9ObRbzrJ4VSd2JalPqgSAavwrPiPvnAiQ==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2358,15 +2358,15 @@
       }
     },
     "node_modules/@typescript-eslint/type-utils": {
-      "version": "8.37.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.37.0.tgz",
-      "integrity": "sha512-SPkXWIkVZxhgwSwVq9rqj/4VFo7MnWwVaRNznfQDc/xPYHjXnPfLWn+4L6FF1cAz6e7dsqBeMawgl7QjUMj4Ow==",
+      "version": "8.38.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/type-utils/-/type-utils-8.38.0.tgz",
+      "integrity": "sha512-c7jAvGEZVf0ao2z+nnz8BUaHZD09Agbh+DY7qvBQqLiz8uJzRgVPj5YvOh8I8uEiH8oIUGIfHzMwUcGVco/SJg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.37.0",
-        "@typescript-eslint/typescript-estree": "8.37.0",
-        "@typescript-eslint/utils": "8.37.0",
+        "@typescript-eslint/types": "8.38.0",
+        "@typescript-eslint/typescript-estree": "8.38.0",
+        "@typescript-eslint/utils": "8.38.0",
         "debug": "^4.3.4",
         "ts-api-utils": "^2.1.0"
       },
@@ -2383,9 +2383,9 @@
       }
     },
     "node_modules/@typescript-eslint/types": {
-      "version": "8.37.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.37.0.tgz",
-      "integrity": "sha512-ax0nv7PUF9NOVPs+lmQ7yIE7IQmAf8LGcXbMvHX5Gm+YJUYNAl340XkGnrimxZ0elXyoQJuN5sbg6C4evKA4SQ==",
+      "version": "8.38.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/types/-/types-8.38.0.tgz",
+      "integrity": "sha512-wzkUfX3plUqij4YwWaJyqhiPE5UCRVlFpKn1oCRn2O1bJ592XxWJj8ROQ3JD5MYXLORW84063z3tZTb/cs4Tyw==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -2397,16 +2397,16 @@
       }
     },
     "node_modules/@typescript-eslint/typescript-estree": {
-      "version": "8.37.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.37.0.tgz",
-      "integrity": "sha512-zuWDMDuzMRbQOM+bHyU4/slw27bAUEcKSKKs3hcv2aNnc/tvE/h7w60dwVw8vnal2Pub6RT1T7BI8tFZ1fE+yg==",
+      "version": "8.38.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/typescript-estree/-/typescript-estree-8.38.0.tgz",
+      "integrity": "sha512-fooELKcAKzxux6fA6pxOflpNS0jc+nOQEEOipXFNjSlBS6fqrJOVY/whSn70SScHrcJ2LDsxWrneFoWYSVfqhQ==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/project-service": "8.37.0",
-        "@typescript-eslint/tsconfig-utils": "8.37.0",
-        "@typescript-eslint/types": "8.37.0",
-        "@typescript-eslint/visitor-keys": "8.37.0",
+        "@typescript-eslint/project-service": "8.38.0",
+        "@typescript-eslint/tsconfig-utils": "8.38.0",
+        "@typescript-eslint/types": "8.38.0",
+        "@typescript-eslint/visitor-keys": "8.38.0",
         "debug": "^4.3.4",
         "fast-glob": "^3.3.2",
         "is-glob": "^4.0.3",
@@ -2465,16 +2465,16 @@
       }
     },
     "node_modules/@typescript-eslint/utils": {
-      "version": "8.37.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.37.0.tgz",
-      "integrity": "sha512-TSFvkIW6gGjN2p6zbXo20FzCABbyUAuq6tBvNRGsKdsSQ6a7rnV6ADfZ7f4iI3lIiXc4F4WWvtUfDw9CJ9pO5A==",
+      "version": "8.38.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/utils/-/utils-8.38.0.tgz",
+      "integrity": "sha512-hHcMA86Hgt+ijJlrD8fX0j1j8w4C92zue/8LOPAFioIno+W0+L7KqE8QZKCcPGc/92Vs9x36w/4MPTJhqXdyvg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
         "@eslint-community/eslint-utils": "^4.7.0",
-        "@typescript-eslint/scope-manager": "8.37.0",
-        "@typescript-eslint/types": "8.37.0",
-        "@typescript-eslint/typescript-estree": "8.37.0"
+        "@typescript-eslint/scope-manager": "8.38.0",
+        "@typescript-eslint/types": "8.38.0",
+        "@typescript-eslint/typescript-estree": "8.38.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
@@ -2489,13 +2489,13 @@
       }
     },
     "node_modules/@typescript-eslint/visitor-keys": {
-      "version": "8.37.0",
-      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.37.0.tgz",
-      "integrity": "sha512-YzfhzcTnZVPiLfP/oeKtDp2evwvHLMe0LOy7oe+hb9KKIumLNohYS9Hgp1ifwpu42YWxhZE8yieggz6JpqO/1w==",
+      "version": "8.38.0",
+      "resolved": "https://registry.npmjs.org/@typescript-eslint/visitor-keys/-/visitor-keys-8.38.0.tgz",
+      "integrity": "sha512-pWrTcoFNWuwHlA9CvlfSsGWs14JxfN1TH25zM5L7o0pRLhsoZkDnTsXfQRJBEWJoV5DL0jf+Z+sxiud+K0mq1g==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/types": "8.37.0",
+        "@typescript-eslint/types": "8.38.0",
         "eslint-visitor-keys": "^4.2.1"
       },
       "engines": {
@@ -3302,9 +3302,9 @@
       }
     },
     "node_modules/babel-preset-current-node-syntax": {
-      "version": "1.1.0",
-      "resolved": "https://registry.npmjs.org/babel-preset-current-node-syntax/-/babel-preset-current-node-syntax-1.1.0.tgz",
-      "integrity": "sha512-ldYss8SbBlWva1bs28q78Ju5Zq1F+8BrqBZZ0VFhLBvhh6lCpC2o3gDJi/5DRLs9FgYZCnmPYIVFU4lRXCkyUw==",
+      "version": "1.2.0",
+      "resolved": "https://registry.npmjs.org/babel-preset-current-node-syntax/-/babel-preset-current-node-syntax-1.2.0.tgz",
+      "integrity": "sha512-E/VlAEzRrsLEb2+dv8yp3bo4scof3l9nR4lrld+Iy5NyVqgVYUJnDAmunkhPMisRI32Qc4iRiz425d8vM++2fg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -3325,7 +3325,7 @@
         "@babel/plugin-syntax-top-level-await": "^7.14.5"
       },
       "peerDependencies": {
-        "@babel/core": "^7.0.0"
+        "@babel/core": "^7.0.0 || ^8.0.0-0"
       }
     },
     "node_modules/babel-preset-jest": {
@@ -3359,9 +3359,9 @@
       "dev": true
     },
     "node_modules/borp": {
-      "version": "0.20.0",
-      "resolved": "https://registry.npmjs.org/borp/-/borp-0.20.0.tgz",
-      "integrity": "sha512-SZhSNosPoX6c9gtXKnakpkUYdAyQMkQDQwPzpPoIBV9ErWhWH2ks6paai27R37O/MNC9jLMW1lQojuZEOAF87g==",
+      "version": "0.20.1",
+      "resolved": "https://registry.npmjs.org/borp/-/borp-0.20.1.tgz",
+      "integrity": "sha512-+1juusmbzAetePd0AIGbj+wut27bmzLFa2BhP8J9VGNcV7sx7bs4pDR2DhOU2oDZestWZpUzjfgIKYEI7LDW/A==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -3632,9 +3632,9 @@
       }
     },
     "node_modules/caniuse-lite": {
-      "version": "1.0.30001727",
-      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001727.tgz",
-      "integrity": "sha512-pB68nIHmbN6L/4C6MH1DokyR3bYqFwjaSs/sWDHGj4CTcFtQUQMuJftVwWkXq7mNWOybD3KhUv3oWHoGxgP14Q==",
+      "version": "1.0.30001731",
+      "resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001731.tgz",
+      "integrity": "sha512-lDdp2/wrOmTRWuoB5DpfNkC0rJDU8DqRa6nYL6HK6sytw70QMopt/NIc/9SM7ylItlBWfACXk0tEn37UWM/+mg==",
       "dev": true,
       "funding": [
         {
@@ -4157,9 +4157,9 @@
       "license": "MIT"
     },
     "node_modules/electron-to-chromium": {
-      "version": "1.5.187",
-      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.187.tgz",
-      "integrity": "sha512-cl5Jc9I0KGUoOoSbxvTywTa40uspGJt/BDBoDLoxJRSBpWh4FFXBsjNRHfQrONsV/OoEjDfHUmZQa2d6Ze4YgA==",
+      "version": "1.5.194",
+      "resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.194.tgz",
+      "integrity": "sha512-SdnWJwSUot04UR51I2oPD8kuP2VI37/CADR1OHsFOUzZIvfWJBO6q11k5P/uKNyTT3cdOsnyjkrZ+DDShqYqJA==",
       "dev": true,
       "license": "ISC"
     },
@@ -4450,9 +4450,9 @@
       }
     },
     "node_modules/eslint": {
-      "version": "9.31.0",
-      "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.31.0.tgz",
-      "integrity": "sha512-QldCVh/ztyKJJZLr4jXNUByx3gR+TDYZCRXEktiZoUR3PGy4qCmSbkxcIle8GEwGpb5JBZazlaJ/CxLidXdEbQ==",
+      "version": "9.32.0",
+      "resolved": "https://registry.npmjs.org/eslint/-/eslint-9.32.0.tgz",
+      "integrity": "sha512-LSehfdpgMeWcTZkWZVIJl+tkZ2nuSkyyB9C27MZqFWXuph7DvaowgcTvKqxvpLW1JZIk8PN7hFY3Rj9LQ7m7lg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -4462,8 +4462,8 @@
         "@eslint/config-helpers": "^0.3.0",
         "@eslint/core": "^0.15.0",
         "@eslint/eslintrc": "^3.3.1",
-        "@eslint/js": "9.31.0",
-        "@eslint/plugin-kit": "^0.3.1",
+        "@eslint/js": "9.32.0",
+        "@eslint/plugin-kit": "^0.3.4",
         "@humanfs/node": "^0.16.6",
         "@humanwhocodes/module-importer": "^1.0.1",
         "@humanwhocodes/retry": "^0.4.2",
@@ -4756,9 +4756,9 @@
       }
     },
     "node_modules/eslint-plugin-n": {
-      "version": "17.21.0",
-      "resolved": "https://registry.npmjs.org/eslint-plugin-n/-/eslint-plugin-n-17.21.0.tgz",
-      "integrity": "sha512-1+iZ8We4ZlwVMtb/DcHG3y5/bZOdazIpa/4TySo22MLKdwrLcfrX0hbadnCvykSQCCmkAnWmIP8jZVb2AAq29A==",
+      "version": "17.21.3",
+      "resolved": "https://registry.npmjs.org/eslint-plugin-n/-/eslint-plugin-n-17.21.3.tgz",
+      "integrity": "sha512-MtxYjDZhMQgsWRm/4xYLL0i2EhusWT7itDxlJ80l1NND2AL2Vi5Mvneqv/ikG9+zpran0VsVRXTEHrpLmUZRNw==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
@@ -4767,8 +4767,8 @@
         "eslint-plugin-es-x": "^7.8.0",
         "get-tsconfig": "^4.8.1",
         "globals": "^15.11.0",
+        "globrex": "^0.1.2",
         "ignore": "^5.3.2",
-        "minimatch": "^9.0.5",
         "semver": "^7.6.3",
         "ts-declaration-location": "^1.0.6"
       },
@@ -4782,16 +4782,6 @@
         "eslint": ">=8.23.0"
       }
     },
-    "node_modules/eslint-plugin-n/node_modules/brace-expansion": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "balanced-match": "^1.0.0"
-      }
-    },
     "node_modules/eslint-plugin-n/node_modules/globals": {
       "version": "15.15.0",
       "resolved": "https://registry.npmjs.org/globals/-/globals-15.15.0.tgz",
@@ -4805,22 +4795,6 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
-    "node_modules/eslint-plugin-n/node_modules/minimatch": {
-      "version": "9.0.5",
-      "resolved": "https://registry.npmjs.org/minimatch/-/minimatch-9.0.5.tgz",
-      "integrity": "sha512-G6T0ZX48xgozx7587koeX9Ys2NYy6Gmv//P89sEte9V9whIapMNF4idKxnW2QtCcLiTWlb/wfCabAtAFWhhBow==",
-      "dev": true,
-      "license": "ISC",
-      "dependencies": {
-        "brace-expansion": "^2.0.1"
-      },
-      "engines": {
-        "node": ">=16 || 14 >=14.17"
-      },
-      "funding": {
-        "url": "https://github.com/sponsors/isaacs"
-      }
-    },
     "node_modules/eslint-plugin-n/node_modules/semver": {
       "version": "7.7.2",
       "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.2.tgz",
@@ -5640,6 +5614,13 @@
         "url": "https://github.com/sponsors/sindresorhus"
       }
     },
+    "node_modules/globrex": {
+      "version": "0.1.2",
+      "resolved": "https://registry.npmjs.org/globrex/-/globrex-0.1.2.tgz",
+      "integrity": "sha512-uHJgbwAMwNFf5mLst7IWLNg14x1CkeqglJb/K3doi4dw6q2IvAAmM/Y81kevy83wP+Sst+nutFTYOGg3d1lsxg==",
+      "dev": true,
+      "license": "MIT"
+    },
     "node_modules/gopd": {
       "version": "1.2.0",
       "resolved": "https://registry.npmjs.org/gopd/-/gopd-1.2.0.tgz",
@@ -10066,16 +10047,16 @@
       }
     },
     "node_modules/typescript-eslint": {
-      "version": "8.37.0",
-      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.37.0.tgz",
-      "integrity": "sha512-TnbEjzkE9EmcO0Q2zM+GE8NQLItNAJpMmED1BdgoBMYNdqMhzlbqfdSwiRlAzEK2pA9UzVW0gzaaIzXWg2BjfA==",
+      "version": "8.38.0",
+      "resolved": "https://registry.npmjs.org/typescript-eslint/-/typescript-eslint-8.38.0.tgz",
+      "integrity": "sha512-FsZlrYK6bPDGoLeZRuvx2v6qrM03I0U0SnfCLPs/XCCPCFD80xU9Pg09H/K+XFa68uJuZo7l/Xhs+eDRg2l3hg==",
       "dev": true,
       "license": "MIT",
       "dependencies": {
-        "@typescript-eslint/eslint-plugin": "8.37.0",
-        "@typescript-eslint/parser": "8.37.0",
-        "@typescript-eslint/typescript-estree": "8.37.0",
-        "@typescript-eslint/utils": "8.37.0"
+        "@typescript-eslint/eslint-plugin": "8.38.0",
+        "@typescript-eslint/parser": "8.38.0",
+        "@typescript-eslint/typescript-estree": "8.38.0",
+        "@typescript-eslint/utils": "8.38.0"
       },
       "engines": {
         "node": "^18.18.0 || ^20.9.0 || >=21.1.0"
diff --git a/deps/undici/src/package.json b/deps/undici/src/package.json
index f7d9035163686b..48948be80dd166 100644
--- a/deps/undici/src/package.json
+++ b/deps/undici/src/package.json
@@ -1,6 +1,6 @@
 {
   "name": "undici",
-  "version": "7.12.0",
+  "version": "7.13.0",
   "description": "An HTTP/1.1 client, written from scratch for Node.js",
   "homepage": "https://undici.nodejs.org",
   "bugs": {
diff --git a/deps/undici/src/types/agent.d.ts b/deps/undici/src/types/agent.d.ts
index 2132560744ac02..8c881481a46bf6 100644
--- a/deps/undici/src/types/agent.d.ts
+++ b/deps/undici/src/types/agent.d.ts
@@ -22,14 +22,10 @@ declare namespace Agent {
   export interface Options extends Pool.Options {
     /** Default: `(origin, opts) => new Pool(origin, opts)`. */
     factory?(origin: string | URL, opts: Object): Dispatcher;
-    /** Integer. Default: `0` */
-    maxRedirections?: number;
 
     interceptors?: { Agent?: readonly Dispatcher.DispatchInterceptor[] } & Pool.Options['interceptors']
   }
 
   export interface DispatchOptions extends Dispatcher.DispatchOptions {
-    /** Integer. */
-    maxRedirections?: number;
   }
 }
diff --git a/deps/undici/src/types/client.d.ts b/deps/undici/src/types/client.d.ts
index 088a673eb52791..bd1a32c380aa1e 100644
--- a/deps/undici/src/types/client.d.ts
+++ b/deps/undici/src/types/client.d.ts
@@ -71,8 +71,6 @@ export declare namespace Client {
     /** TODO */
     maxCachedSessions?: number;
     /** TODO */
-    maxRedirections?: number;
-    /** TODO */
     connect?: Partial<buildConnector.BuildOptions> | buildConnector.connector;
     /** TODO */
     maxRequestsPerClient?: number;
diff --git a/deps/undici/src/types/dispatcher.d.ts b/deps/undici/src/types/dispatcher.d.ts
index 5da4c720c20118..fffe870c272a78 100644
--- a/deps/undici/src/types/dispatcher.d.ts
+++ b/deps/undici/src/types/dispatcher.d.ts
@@ -135,8 +135,6 @@ declare namespace Dispatcher {
     signal?: AbortSignal | EventEmitter | null;
     /** This argument parameter is passed through to `ConnectData` */
     opaque?: TOpaque;
-    /** Default: 0 */
-    maxRedirections?: number;
     /** Default: false */
     redirectionLimitReached?: boolean;
     /** Default: `null` */
@@ -147,8 +145,6 @@ declare namespace Dispatcher {
     opaque?: TOpaque;
     /** Default: `null` */
     signal?: AbortSignal | EventEmitter | null;
-    /** Default: 0 */
-    maxRedirections?: number;
     /** Default: false */
     redirectionLimitReached?: boolean;
     /** Default: `null` */
@@ -172,8 +168,6 @@ declare namespace Dispatcher {
     protocol?: string;
     /** Default: `null` */
     signal?: AbortSignal | EventEmitter | null;
-    /** Default: 0 */
-    maxRedirections?: number;
     /** Default: false */
     redirectionLimitReached?: boolean;
     /** Default: `null` */
diff --git a/deps/undici/src/types/h2c-client.d.ts b/deps/undici/src/types/h2c-client.d.ts
index 2e878694758f8b..e7a6808df36324 100644
--- a/deps/undici/src/types/h2c-client.d.ts
+++ b/deps/undici/src/types/h2c-client.d.ts
@@ -51,8 +51,6 @@ export declare namespace H2CClient {
     /** TODO */
     maxCachedSessions?: number;
     /** TODO */
-    maxRedirections?: number;
-    /** TODO */
     connect?: Omit<Partial<buildConnector.BuildOptions>, 'allowH2'> | buildConnector.connector;
     /** TODO */
     maxRequestsPerClient?: number;
diff --git a/deps/undici/src/types/index.d.ts b/deps/undici/src/types/index.d.ts
index 6540a929ca95bd..f9035293a95037 100644
--- a/deps/undici/src/types/index.d.ts
+++ b/deps/undici/src/types/index.d.ts
@@ -13,6 +13,7 @@ import Agent from './agent'
 import MockClient from './mock-client'
 import MockPool from './mock-pool'
 import MockAgent from './mock-agent'
+import { SnapshotAgent } from './snapshot-agent'
 import { MockCallHistory, MockCallHistoryLog } from './mock-call-history'
 import mockErrors from './mock-errors'
 import ProxyAgent from './proxy-agent'
@@ -33,7 +34,7 @@ export * from './content-type'
 export * from './cache'
 export { Interceptable } from './mock-interceptor'
 
-export { Dispatcher, BalancedPool, Pool, Client, buildConnector, errors, Agent, request, stream, pipeline, connect, upgrade, setGlobalDispatcher, getGlobalDispatcher, setGlobalOrigin, getGlobalOrigin, interceptors, MockClient, MockPool, MockAgent, MockCallHistory, MockCallHistoryLog, mockErrors, ProxyAgent, EnvHttpProxyAgent, RedirectHandler, DecoratorHandler, RetryHandler, RetryAgent, H2CClient }
+export { Dispatcher, BalancedPool, Pool, Client, buildConnector, errors, Agent, request, stream, pipeline, connect, upgrade, setGlobalDispatcher, getGlobalDispatcher, setGlobalOrigin, getGlobalOrigin, interceptors, MockClient, MockPool, MockAgent, SnapshotAgent, MockCallHistory, MockCallHistoryLog, mockErrors, ProxyAgent, EnvHttpProxyAgent, RedirectHandler, DecoratorHandler, RetryHandler, RetryAgent, H2CClient }
 export default Undici
 
 declare namespace Undici {
@@ -58,6 +59,7 @@ declare namespace Undici {
   const MockClient: typeof import('./mock-client').default
   const MockPool: typeof import('./mock-pool').default
   const MockAgent: typeof import('./mock-agent').default
+  const SnapshotAgent: typeof import('./snapshot-agent').SnapshotAgent
   const MockCallHistory: typeof import('./mock-call-history').MockCallHistory
   const MockCallHistoryLog: typeof import('./mock-call-history').MockCallHistoryLog
   const mockErrors: typeof import('./mock-errors').default
diff --git a/deps/undici/src/types/mock-interceptor.d.ts b/deps/undici/src/types/mock-interceptor.d.ts
index 83c0b3831ef189..a48d715a4cd094 100644
--- a/deps/undici/src/types/mock-interceptor.d.ts
+++ b/deps/undici/src/types/mock-interceptor.d.ts
@@ -69,7 +69,6 @@ declare namespace MockInterceptor {
     headers?: Headers | Record<string, string>;
     origin?: string;
     body?: BodyInit | Dispatcher.DispatchOptions['body'] | null;
-    maxRedirections?: number;
   }
 
   export type MockResponseDataHandler<TData extends object = object> = (
diff --git a/deps/undici/src/types/snapshot-agent.d.ts b/deps/undici/src/types/snapshot-agent.d.ts
new file mode 100644
index 00000000000000..a08dd6ff0304bd
--- /dev/null
+++ b/deps/undici/src/types/snapshot-agent.d.ts
@@ -0,0 +1,107 @@
+import MockAgent from './mock-agent'
+
+declare class SnapshotRecorder {
+  constructor (options?: SnapshotRecorder.Options)
+
+  record (requestOpts: any, response: any): Promise<void>
+  findSnapshot (requestOpts: any): SnapshotRecorder.Snapshot | undefined
+  loadSnapshots (filePath?: string): Promise<void>
+  saveSnapshots (filePath?: string): Promise<void>
+  clear (): void
+  getSnapshots (): SnapshotRecorder.Snapshot[]
+  size (): number
+  resetCallCounts (): void
+  deleteSnapshot (requestOpts: any): boolean
+  getSnapshotInfo (requestOpts: any): SnapshotRecorder.SnapshotInfo | null
+  replaceSnapshots (snapshotData: SnapshotRecorder.SnapshotData[]): void
+  destroy (): void
+}
+
+declare namespace SnapshotRecorder {
+  export interface Options {
+    snapshotPath?: string
+    mode?: 'record' | 'playback' | 'update'
+    maxSnapshots?: number
+    autoFlush?: boolean
+    flushInterval?: number
+    matchHeaders?: string[]
+    ignoreHeaders?: string[]
+    excludeHeaders?: string[]
+    matchBody?: boolean
+    matchQuery?: boolean
+    caseSensitive?: boolean
+    shouldRecord?: (requestOpts: any) => boolean
+    shouldPlayback?: (requestOpts: any) => boolean
+    excludeUrls?: (string | RegExp)[]
+  }
+
+  export interface Snapshot {
+    request: {
+      method: string
+      url: string
+      headers: Record<string, string>
+      body?: string
+    }
+    responses: {
+      statusCode: number
+      headers: Record<string, string>
+      body: string
+      trailers: Record<string, string>
+    }[]
+    callCount: number
+    timestamp: string
+  }
+
+  export interface SnapshotInfo {
+    hash: string
+    request: {
+      method: string
+      url: string
+      headers: Record<string, string>
+      body?: string
+    }
+    responseCount: number
+    callCount: number
+    timestamp: string
+  }
+
+  export interface SnapshotData {
+    hash: string
+    snapshot: Snapshot
+  }
+}
+
+declare class SnapshotAgent extends MockAgent {
+  constructor (options?: SnapshotAgent.Options)
+
+  saveSnapshots (filePath?: string): Promise<void>
+  loadSnapshots (filePath?: string): Promise<void>
+  getRecorder (): SnapshotRecorder
+  getMode (): 'record' | 'playback' | 'update'
+  clearSnapshots (): void
+  resetCallCounts (): void
+  deleteSnapshot (requestOpts: any): boolean
+  getSnapshotInfo (requestOpts: any): SnapshotRecorder.SnapshotInfo | null
+  replaceSnapshots (snapshotData: SnapshotRecorder.SnapshotData[]): void
+}
+
+declare namespace SnapshotAgent {
+  export interface Options extends MockAgent.Options {
+    mode?: 'record' | 'playback' | 'update'
+    snapshotPath?: string
+    maxSnapshots?: number
+    autoFlush?: boolean
+    flushInterval?: number
+    matchHeaders?: string[]
+    ignoreHeaders?: string[]
+    excludeHeaders?: string[]
+    matchBody?: boolean
+    matchQuery?: boolean
+    caseSensitive?: boolean
+    shouldRecord?: (requestOpts: any) => boolean
+    shouldPlayback?: (requestOpts: any) => boolean
+    excludeUrls?: (string | RegExp)[]
+  }
+}
+
+export { SnapshotAgent, SnapshotRecorder }
diff --git a/deps/undici/undici.js b/deps/undici/undici.js
index 6d9d3d5221d1cc..651a8cd6159569 100644
--- a/deps/undici/undici.js
+++ b/deps/undici/undici.js
@@ -1019,7 +1019,6 @@ var require_util = __commonJS({
     var { IncomingMessage } = require("node:http");
     var stream = require("node:stream");
     var net = require("node:net");
-    var { Blob: Blob2 } = require("node:buffer");
     var { stringify } = require("node:querystring");
     var { EventEmitter: EE } = require("node:events");
     var timers = require_timers();
@@ -1074,7 +1073,7 @@ var require_util = __commonJS({
     function isBlobLike(object) {
       if (object === null) {
         return false;
-      } else if (object instanceof Blob2) {
+      } else if (object instanceof Blob) {
         return true;
       } else if (typeof object !== "object") {
         return false;
@@ -4365,7 +4364,7 @@ var require_webidl = __commonJS({
     webidl.is.ReadableStream = webidl.util.MakeTypeAssertion(ReadableStream);
     webidl.is.Blob = webidl.util.MakeTypeAssertion(Blob);
     webidl.is.URLSearchParams = webidl.util.MakeTypeAssertion(URLSearchParams);
-    webidl.is.File = webidl.util.MakeTypeAssertion(globalThis.File ?? require("node:buffer").File);
+    webidl.is.File = webidl.util.MakeTypeAssertion(File);
     webidl.is.URL = webidl.util.MakeTypeAssertion(URL);
     webidl.is.AbortSignal = webidl.util.MakeTypeAssertion(AbortSignal);
     webidl.is.MessagePort = webidl.util.MakeTypeAssertion(MessagePort);
@@ -5472,9 +5471,7 @@ var require_formdata = __commonJS({
     var { iteratorMixin } = require_util2();
     var { kEnumerableProperty } = require_util();
     var { webidl } = require_webidl();
-    var { File: NativeFile } = require("node:buffer");
     var nodeUtil = require("node:util");
-    var File = globalThis.File ?? NativeFile;
     var FormData = class _FormData {
       static {
         __name(this, "FormData");
@@ -5643,8 +5640,6 @@ var require_formdata_parser = __commonJS({
     var { makeEntry } = require_formdata();
     var { webidl } = require_webidl();
     var assert = require("node:assert");
-    var { File: NodeFile } = require("node:buffer");
-    var File = globalThis.File ?? NodeFile;
     var formDataNameBuffer = Buffer.from('form-data; name="');
     var filenameBuffer = Buffer.from("filename");
     var dd = Buffer.from("--");
@@ -5946,7 +5941,6 @@ var require_body = __commonJS({
     } = require_util2();
     var { FormData, setFormDataState } = require_formdata();
     var { webidl } = require_webidl();
-    var { Blob: Blob2 } = require("node:buffer");
     var assert = require("node:assert");
     var { isErrored, isDisturbed } = require("node:stream");
     var { isArrayBuffer } = require("node:util/types");
@@ -6141,7 +6135,7 @@ Content-Type: ${value.type || "application/octet-stream"}\r
             } else if (mimeType) {
               mimeType = serializeAMimeType(mimeType);
             }
-            return new Blob2([bytes], { type: mimeType });
+            return new Blob([bytes], { type: mimeType });
           }, instance, getInternalState);
         },
         arrayBuffer() {
@@ -8787,7 +8781,7 @@ var require_global2 = __commonJS({
 var require_proxy_agent = __commonJS({
   "lib/dispatcher/proxy-agent.js"(exports2, module2) {
     "use strict";
-    var { kProxy, kClose, kDestroy, kDispatch, kConnector } = require_symbols();
+    var { kProxy, kClose, kDestroy, kDispatch } = require_symbols();
     var { URL: URL2 } = require("node:url");
     var Agent = require_agent();
     var Pool = require_pool();
@@ -8812,56 +8806,59 @@ var require_proxy_agent = __commonJS({
     __name(defaultFactory, "defaultFactory");
     var noop = /* @__PURE__ */ __name(() => {
     }, "noop");
-    var ProxyClient = class extends DispatcherBase {
+    function defaultAgentFactory(origin, opts) {
+      if (opts.connections === 1) {
+        return new Client(origin, opts);
+      }
+      return new Pool(origin, opts);
+    }
+    __name(defaultAgentFactory, "defaultAgentFactory");
+    var Http1ProxyWrapper = class extends DispatcherBase {
       static {
-        __name(this, "ProxyClient");
+        __name(this, "Http1ProxyWrapper");
       }
-      #client = null;
-      constructor(origin, opts) {
-        if (typeof origin === "string") {
-          origin = new URL2(origin);
+      #client;
+      constructor(proxyUrl, { headers = {}, connect, factory }) {
+        super();
+        if (!proxyUrl) {
+          throw new InvalidArgumentError("Proxy URL is mandatory");
         }
-        if (origin.protocol !== "http:" && origin.protocol !== "https:") {
-          throw new InvalidArgumentError("ProxyClient only supports http and https protocols");
+        this[kProxyHeaders] = headers;
+        if (factory) {
+          this.#client = factory(proxyUrl, { connect });
+        } else {
+          this.#client = new Client(proxyUrl, { connect });
         }
-        super();
-        this.#client = new Client(origin, opts);
       }
-      async [kClose]() {
-        await this.#client.close();
-      }
-      async [kDestroy]() {
-        await this.#client.destroy();
-      }
-      async [kDispatch](opts, handler) {
-        const { method, origin } = opts;
-        if (method === "CONNECT") {
-          this.#client[kConnector](
-            {
-              origin,
-              port: opts.port || defaultProtocolPort(opts.protocol),
-              path: opts.host,
-              signal: opts.signal,
-              headers: {
-                ...this[kProxyHeaders],
-                host: opts.host
-              },
-              servername: this[kProxyTls]?.servername || opts.servername
-            },
-            (err, socket) => {
-              if (err) {
-                handler.callback(err);
-              } else {
-                handler.callback(null, { socket, statusCode: 200 });
-              }
+      [kDispatch](opts, handler) {
+        const onHeaders = handler.onHeaders;
+        handler.onHeaders = function(statusCode, data, resume) {
+          if (statusCode === 407) {
+            if (typeof handler.onError === "function") {
+              handler.onError(new InvalidArgumentError("Proxy Authentication Required (407)"));
             }
-          );
-          return;
-        }
-        if (typeof origin === "string") {
-          opts.origin = new URL2(origin);
+            return;
+          }
+          if (onHeaders) onHeaders.call(this, statusCode, data, resume);
+        };
+        const {
+          origin,
+          path = "/",
+          headers = {}
+        } = opts;
+        opts.path = origin + path;
+        if (!("host" in headers) && !("Host" in headers)) {
+          const { host } = new URL2(origin);
+          headers.host = host;
         }
-        return this.#client.dispatch(opts, handler);
+        opts.headers = { ...this[kProxyHeaders], ...headers };
+        return this.#client[kDispatch](opts, handler);
+      }
+      async [kClose]() {
+        return this.#client.close();
+      }
+      async [kDestroy](err) {
+        return this.#client.destroy(err);
       }
     };
     var ProxyAgent = class extends DispatcherBase {
@@ -8884,6 +8881,7 @@ var require_proxy_agent = __commonJS({
         this[kRequestTls] = opts.requestTls;
         this[kProxyTls] = opts.proxyTls;
         this[kProxyHeaders] = opts.headers || {};
+        this[kTunnelProxy] = proxyTunnel;
         if (opts.auth && opts.token) {
           throw new InvalidArgumentError("opts.auth cannot be used in combination with opts.token");
         } else if (opts.auth) {
@@ -8893,18 +8891,24 @@ var require_proxy_agent = __commonJS({
         } else if (username && password) {
           this[kProxyHeaders]["proxy-authorization"] = `Basic ${Buffer.from(`${decodeURIComponent(username)}:${decodeURIComponent(password)}`).toString("base64")}`;
         }
-        const factory = !proxyTunnel && protocol === "http:" ? (origin2, options) => {
-          if (origin2.protocol === "http:") {
-            return new ProxyClient(origin2, options);
-          }
-          return new Client(origin2, options);
-        } : void 0;
         const connect = buildConnector({ ...opts.proxyTls });
         this[kConnectEndpoint] = buildConnector({ ...opts.requestTls });
-        this[kClient] = clientFactory(url, { connect, factory });
-        this[kTunnelProxy] = proxyTunnel;
+        const agentFactory = opts.factory || defaultAgentFactory;
+        const factory = /* @__PURE__ */ __name((origin2, options) => {
+          const { protocol: protocol2 } = new URL2(origin2);
+          if (!this[kTunnelProxy] && protocol2 === "http:" && this[kProxy].protocol === "http:") {
+            return new Http1ProxyWrapper(this[kProxy].uri, {
+              headers: this[kProxyHeaders],
+              connect,
+              factory: agentFactory
+            });
+          }
+          return agentFactory(origin2, options);
+        }, "factory");
+        this[kClient] = clientFactory(url, { connect });
         this[kAgent] = new Agent({
           ...opts,
+          factory,
           connect: /* @__PURE__ */ __name(async (opts2, callback) => {
             let requestedPath = opts2.host;
             if (!opts2.port) {
@@ -8955,9 +8959,6 @@ var require_proxy_agent = __commonJS({
           const { host } = new URL2(opts.origin);
           headers.host = host;
         }
-        if (!this.#shouldConnect(new URL2(opts.origin))) {
-          opts.path = opts.origin + opts.path;
-        }
         return this[kAgent].dispatch(
           {
             ...opts,
@@ -8987,18 +8988,6 @@ var require_proxy_agent = __commonJS({
         await this[kAgent].destroy();
         await this[kClient].destroy();
       }
-      #shouldConnect(uri) {
-        if (typeof uri === "string") {
-          uri = new URL2(uri);
-        }
-        if (this[kTunnelProxy]) {
-          return true;
-        }
-        if (uri.protocol !== "http:" || this[kProxy].protocol !== "http:") {
-          return true;
-        }
-        return false;
-      }
     };
     function buildHeaders(headers) {
       if (Array.isArray(headers)) {
@@ -14273,7 +14262,7 @@ var require_readable = __commonJS({
         }
       }
       /**
-       * @param {string} event
+       * @param {string|symbol} event
        * @param {(...args: any[]) => void} listener
        * @returns {this}
        */
@@ -14285,7 +14274,7 @@ var require_readable = __commonJS({
         return super.on(event, listener);
       }
       /**
-       * @param {string} event
+       * @param {string|symbol} event
        * @param {(...args: any[]) => void} listener
        * @returns {this}
        */
@@ -14317,10 +14306,12 @@ var require_readable = __commonJS({
        * @returns {boolean}
        */
       push(chunk) {
-        this[kBytesRead] += chunk ? chunk.length : 0;
-        if (this[kConsume] && chunk !== null) {
-          consumePush(this[kConsume], chunk);
-          return this[kReading] ? super.push(chunk) : true;
+        if (chunk) {
+          this[kBytesRead] += chunk.length;
+          if (this[kConsume]) {
+            consumePush(this[kConsume], chunk);
+            return this[kReading] ? super.push(chunk) : true;
+          }
         }
         return super.push(chunk);
       }
@@ -14473,9 +14464,7 @@ var require_readable = __commonJS({
         if (isUnusable(stream)) {
           const rState = stream._readableState;
           if (rState.destroyed && rState.closeEmitted === false) {
-            stream.on("error", (err) => {
-              reject(err);
-            }).on("close", () => {
+            stream.on("error", reject).on("close", () => {
               reject(new TypeError("unusable"));
             });
           } else {
diff --git a/deps/v8/include/v8-persistent-handle.h b/deps/v8/include/v8-persistent-handle.h
index 6abe29d4ab782f..d08412fbd05dc4 100644
--- a/deps/v8/include/v8-persistent-handle.h
+++ b/deps/v8/include/v8-persistent-handle.h
@@ -488,9 +488,16 @@ V8_INLINE void PersistentBase<T>::SetWeak(
 #if (__GNUC__ >= 8) && !defined(__clang__)
 #pragma GCC diagnostic push
 #pragma GCC diagnostic ignored "-Wcast-function-type"
+#endif
+#if __clang__
+#pragma clang diagnostic push
+#pragma clang diagnostic ignored "-Wcast-function-type"
 #endif
   api_internal::MakeWeak(this->slot(), parameter,
                          reinterpret_cast<Callback>(callback), type);
+#if __clang__
+#pragma clang diagnostic pop
+#endif
 #if (__GNUC__ >= 8) && !defined(__clang__)
 #pragma GCC diagnostic pop
 #endif
diff --git a/deps/v8/include/v8-primitive.h b/deps/v8/include/v8-primitive.h
index f966ed55674841..50b07d9c10a7bb 100644
--- a/deps/v8/include/v8-primitive.h
+++ b/deps/v8/include/v8-primitive.h
@@ -819,6 +819,8 @@ class V8_EXPORT Symbol : public Name {
   static Local<Symbol> GetToPrimitive(Isolate* isolate);
   static Local<Symbol> GetToStringTag(Isolate* isolate);
   static Local<Symbol> GetUnscopables(Isolate* isolate);
+  static Local<Symbol> GetDispose(Isolate* isolate);
+  static Local<Symbol> GetAsyncDispose(Isolate* isolate);
 
   V8_INLINE static Symbol* Cast(Data* data) {
 #ifdef V8_ENABLE_CHECKS
diff --git a/deps/v8/src/api/api.cc b/deps/v8/src/api/api.cc
index 0f2a526b2b3453..ba759168aa92f5 100644
--- a/deps/v8/src/api/api.cc
+++ b/deps/v8/src/api/api.cc
@@ -9548,7 +9548,9 @@ Local<Symbol> v8::Symbol::ForApi(Isolate* v8_isolate, Local<String> name) {
   V(Split, split)                             \
   V(ToPrimitive, to_primitive)                \
   V(ToStringTag, to_string_tag)               \
-  V(Unscopables, unscopables)
+  V(Unscopables, unscopables)                 \
+  V(Dispose, dispose)                         \
+  V(AsyncDispose, async_dispose)
 
 #define SYMBOL_GETTER(Name, name)                                      \
   Local<Symbol> v8::Symbol::Get##Name(Isolate* v8_isolate) {           \
diff --git a/deps/v8/src/base/platform/platform-posix.cc b/deps/v8/src/base/platform/platform-posix.cc
index 2d351f67b93bdb..5c93b3aaafe34a 100644
--- a/deps/v8/src/base/platform/platform-posix.cc
+++ b/deps/v8/src/base/platform/platform-posix.cc
@@ -80,7 +80,19 @@
 #define MAP_ANONYMOUS MAP_ANON
 #endif
 
-#if defined(V8_OS_SOLARIS)
+/*
+ * NOTE: illumos starting with illumos#14418 (pushed April 20th, 2022)
+ * prototypes madvise(3C) properly with a `void *` first argument.
+ * The only way to detect this outside of configure-time checking is to
+ * check for the existence of MEMCNTL_SHARED, which gets defined for the first
+ * time in illumos#14418 under the same circumstances save _STRICT_POSIX, which
+ * thankfully neither Solaris nor illumos builds of Node or V8 do.
+ *
+ * If some future illumos push changes the MEMCNTL_SHARED assumptions made
+ * above, the illumos check below will have to be revisited.  This check
+ * will work on both pre-and-post illumos#14418 illumos environments.
+ */
+#if defined(V8_OS_SOLARIS) && !(defined(__illumos__) && defined(MEMCNTL_SHARED))
 #if (defined(_POSIX_C_SOURCE) && _POSIX_C_SOURCE > 2) || defined(__EXTENSIONS__)
 extern "C" int madvise(caddr_t, size_t, int);
 #else
diff --git a/deps/v8/test/cctest/test-api.cc b/deps/v8/test/cctest/test-api.cc
index 0f023d15cfc181..876de6efb525ab 100644
--- a/deps/v8/test/cctest/test-api.cc
+++ b/deps/v8/test/cctest/test-api.cc
@@ -4006,6 +4006,8 @@ THREADED_TEST(WellKnownSymbols) {
   CheckWellKnownSymbol(v8::Symbol::GetSplit, "Symbol.split");
   CheckWellKnownSymbol(v8::Symbol::GetToPrimitive, "Symbol.toPrimitive");
   CheckWellKnownSymbol(v8::Symbol::GetToStringTag, "Symbol.toStringTag");
+  CheckWellKnownSymbol(v8::Symbol::GetDispose, "Symbol.dispose");
+  CheckWellKnownSymbol(v8::Symbol::GetAsyncDispose, "Symbol.asyncDispose");
 }
 
 
diff --git a/doc/api/assert.md b/doc/api/assert.md
index 06f110793d1e43..76c0adf17c2bd9 100644
--- a/doc/api/assert.md
+++ b/doc/api/assert.md
@@ -149,6 +149,8 @@ added: v0.1.21
   * `operator` {string} The `operator` property on the error instance.
   * `stackStartFn` {Function} If provided, the generated stack trace omits
     frames before this function.
+  * `diff` {string} If set to `'full'`, shows the full diff in assertion errors. Defaults to `'simple'`.
+    Accepted values: `'simple'`, `'full'`.
 
 A subclass of {Error} that indicates the failure of an assertion.
 
@@ -215,6 +217,51 @@ try {
 }
 ```
 
+## Class: `assert.Assert`
+
+<!-- YAML
+added: v24.6.0
+-->
+
+The `Assert` class allows creating independent assertion instances with custom options.
+
+### `new assert.Assert([options])`
+
+* `options` {Object}
+  * `diff` {string} If set to `'full'`, shows the full diff in assertion errors. Defaults to `'simple'`.
+    Accepted values: `'simple'`, `'full'`.
+  * `strict` {boolean} If set to `true`, non-strict methods behave like their
+    corresponding strict methods. Defaults to `true`.
+
+Creates a new assertion instance. The `diff` option controls the verbosity of diffs in assertion error messages.
+
+```js
+const { Assert } = require('node:assert');
+const assertInstance = new Assert({ diff: 'full' });
+assertInstance.deepStrictEqual({ a: 1 }, { a: 2 });
+// Shows a full diff in the error message.
+```
+
+**Important**: When destructuring assertion methods from an `Assert` instance,
+the methods lose their connection to the instance's configuration options (such as `diff` and `strict` settings).
+The destructured methods will fall back to default behavior instead.
+
+```js
+const myAssert = new Assert({ diff: 'full' });
+
+// This works as expected - uses 'full' diff
+myAssert.strictEqual({ a: 1 }, { b: { c: 1 } });
+
+// This loses the 'full' diff setting - falls back to default 'simple' diff
+const { strictEqual } = myAssert;
+strictEqual({ a: 1 }, { b: { c: 1 } });
+```
+
+When destructured, methods lose access to the instance's `this` context and revert to default assertion behavior
+(diff: 'simple', non-strict mode).
+To maintain custom options when using destructured methods, avoid
+destructuring and call methods directly on the instance.
+
 ## Class: `assert.CallTracker`
 
 <!-- YAML
diff --git a/doc/api/cli.md b/doc/api/cli.md
index 491bb1cb3fc8f1..ba1356650c2383 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -1680,6 +1680,22 @@ changes:
 
 Specify the maximum size, in bytes, of HTTP headers. Defaults to 16 KiB.
 
+### `--max-old-space-size-percentage=PERCENTAGE`
+
+Sets the max memory size of V8's old memory section as a percentage of available system memory.
+This flag takes precedence over `--max-old-space-size` when both are specified.
+
+The `PERCENTAGE` parameter must be a number greater than 0 and up to 100. representing the percentage
+of available system memory to allocate to the V8 heap.
+
+```bash
+# Using 50% of available system memory
+node --max-old-space-size-percentage=50 index.js
+
+# Using 75% of available system memory
+node --max-old-space-size-percentage=75 index.js
+```
+
 ### `--napi-modules`
 
 <!-- YAML
@@ -3395,6 +3411,7 @@ one is included in the list below.
 * `--inspect`
 * `--localstorage-file`
 * `--max-http-header-size`
+* `--max-old-space-size-percentage`
 * `--napi-modules`
 * `--network-family-autoselection-attempt-timeout`
 * `--no-addons`
@@ -3632,6 +3649,18 @@ specified proxy.
 This can also be enabled using the [`--use-env-proxy`][] command-line flag.
 When both are set, `--use-env-proxy` takes precedence.
 
+### `NODE_USE_SYSTEM_CA=1`
+
+<!-- YAML
+added: v24.6.0
+-->
+
+Node.js uses the trusted CA certificates present in the system store along with
+the `--use-bundled-ca` option and the `NODE_EXTRA_CA_CERTS` environment variable.
+
+This can also be enabled using the [`--use-system-ca`][] command-line flag.
+When both are set, `--use-system-ca` takes precedence.
+
 ### `NODE_V8_COVERAGE=dir`
 
 When set, Node.js will begin outputting [V8 JavaScript code coverage][] and
@@ -3960,6 +3989,7 @@ node --stack-trace-limit=12 -p -e "Error.stackTraceLimit" # prints 12
 [`--redirect-warnings`]: #--redirect-warningsfile
 [`--require`]: #-r---require-module
 [`--use-env-proxy`]: #--use-env-proxy
+[`--use-system-ca`]: #--use-system-ca
 [`AsyncLocalStorage`]: async_context.md#class-asynclocalstorage
 [`Buffer`]: buffer.md#class-buffer
 [`CRYPTO_secure_malloc_init`]: https://www.openssl.org/docs/man3.0/man3/CRYPTO_secure_malloc_init.html
diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index 748fdc88178809..9333db6941abfe 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -1916,6 +1916,9 @@ This can be called many times with new data as it is streamed.
 <!-- YAML
 added: v11.6.0
 changes:
+  - version: v24.6.0
+    pr-url: https://github.com/nodejs/node/pull/59259
+    description: Add support for ML-DSA keys.
   - version:
     - v14.5.0
     - v12.19.0
@@ -2021,6 +2024,9 @@ Other key details might be exposed via this API using additional attributes.
 <!-- YAML
 added: v11.6.0
 changes:
+  - version: v24.6.0
+    pr-url: https://github.com/nodejs/node/pull/59259
+    description: Add support for ML-DSA keys.
   - version:
      - v13.9.0
      - v12.17.0
@@ -2055,6 +2061,9 @@ types are:
 * `'ed25519'` (OID 1.3.101.112)
 * `'ed448'` (OID 1.3.101.113)
 * `'dh'` (OID 1.2.840.113549.1.3.1)
+* `'ml-dsa-44'`[^openssl35] (OID 2.16.840.1.101.3.4.3.17)
+* `'ml-dsa-65'`[^openssl35] (OID 2.16.840.1.101.3.4.3.18)
+* `'ml-dsa-87'`[^openssl35] (OID 2.16.840.1.101.3.4.3.19)
 
 This property is `undefined` for unrecognized `KeyObject` types and symmetric
 keys.
@@ -2681,16 +2690,6 @@ added: v15.6.0
 Checks whether the public key for this certificate is consistent with
 the given private key.
 
-### `x509.extKeyUsage`
-
-<!-- YAML
-added: v15.6.0
--->
-
-* Type: {string\[]}
-
-An array detailing the key extended usages for this certificate.
-
 ### `x509.fingerprint`
 
 <!-- YAML
@@ -2782,6 +2781,16 @@ added: v15.9.0
 The issuer certificate or `undefined` if the issuer certificate is not
 available.
 
+### `x509.keyUsage`
+
+<!-- YAML
+added: v15.6.0
+-->
+
+* Type: {string\[]}
+
+An array detailing the key extended usages for this certificate.
+
 ### `x509.publicKey`
 
 <!-- YAML
@@ -3403,6 +3412,9 @@ input.on('readable', () => {
 <!-- YAML
 added: v11.6.0
 changes:
+  - version: v24.6.0
+    pr-url: https://github.com/nodejs/node/pull/59259
+    description: Add support for ML-DSA keys.
   - version: v15.12.0
     pr-url: https://github.com/nodejs/node/pull/37254
     description: The key can also be a JWK object.
@@ -3439,6 +3451,9 @@ of the passphrase is limited to 1024 bytes.
 <!-- YAML
 added: v11.6.0
 changes:
+  - version: v24.6.0
+    pr-url: https://github.com/nodejs/node/pull/59259
+    description: Add support for ML-DSA keys.
   - version: v15.12.0
     pr-url: https://github.com/nodejs/node/pull/37254
     description: The key can also be a JWK object.
@@ -3602,18 +3617,18 @@ changes:
                  `ERR_INVALID_CALLBACK`.
 -->
 
-* `type`: {string} The intended use of the generated secret key. Currently
+* `type` {string} The intended use of the generated secret key. Currently
   accepted values are `'hmac'` and `'aes'`.
-* `options`: {Object}
-  * `length`: {number} The bit length of the key to generate. This must be a
+* `options` {Object}
+  * `length` {number} The bit length of the key to generate. This must be a
     value greater than 0.
     * If `type` is `'hmac'`, the minimum is 8, and the maximum length is
       2<sup>31</sup>-1. If the value is not a multiple of 8, the generated
       key will be truncated to `Math.floor(length / 8)`.
     * If `type` is `'aes'`, the length must be one of `128`, `192`, or `256`.
-* `callback`: {Function}
-  * `err`: {Error}
-  * `key`: {KeyObject}
+* `callback` {Function}
+  * `err` {Error}
+  * `key` {KeyObject}
 
 Asynchronously generates a new random secret key of the given `length`. The
 `type` will determine which validations will be performed on the `length`.
@@ -3648,6 +3663,9 @@ underlying hash function. See [`crypto.createHmac()`][] for more information.
 <!-- YAML
 added: v10.12.0
 changes:
+  - version: v24.6.0
+    pr-url: https://github.com/nodejs/node/pull/59259
+    description: Add support for ML-DSA key pairs.
   - version: v18.0.0
     pr-url: https://github.com/nodejs/node/pull/41678
     description: Passing an invalid callback to the `callback` argument
@@ -3677,30 +3695,31 @@ changes:
                  produce key objects if no encoding was specified.
 -->
 
-* `type`: {string} Must be `'rsa'`, `'rsa-pss'`, `'dsa'`, `'ec'`, `'ed25519'`,
-  `'ed448'`, `'x25519'`, `'x448'`, or `'dh'`.
-* `options`: {Object}
-  * `modulusLength`: {number} Key size in bits (RSA, DSA).
-  * `publicExponent`: {number} Public exponent (RSA). **Default:** `0x10001`.
-  * `hashAlgorithm`: {string} Name of the message digest (RSA-PSS).
-  * `mgf1HashAlgorithm`: {string} Name of the message digest used by
+* `type` {string} Must be `'rsa'`, `'rsa-pss'`, `'dsa'`, `'ec'`, `'ed25519'`,
+  `'ed448'`, `'x25519'`, `'x448'`, `'dh'`, `'ml-dsa-44'`[^openssl35],
+  `'ml-dsa-65'`[^openssl35], or `'ml-dsa-87'`[^openssl35].
+* `options` {Object}
+  * `modulusLength` {number} Key size in bits (RSA, DSA).
+  * `publicExponent` {number} Public exponent (RSA). **Default:** `0x10001`.
+  * `hashAlgorithm` {string} Name of the message digest (RSA-PSS).
+  * `mgf1HashAlgorithm` {string} Name of the message digest used by
     MGF1 (RSA-PSS).
-  * `saltLength`: {number} Minimal salt length in bytes (RSA-PSS).
-  * `divisorLength`: {number} Size of `q` in bits (DSA).
-  * `namedCurve`: {string} Name of the curve to use (EC).
-  * `prime`: {Buffer} The prime parameter (DH).
-  * `primeLength`: {number} Prime length in bits (DH).
-  * `generator`: {number} Custom generator (DH). **Default:** `2`.
-  * `groupName`: {string} Diffie-Hellman group name (DH). See
+  * `saltLength` {number} Minimal salt length in bytes (RSA-PSS).
+  * `divisorLength` {number} Size of `q` in bits (DSA).
+  * `namedCurve` {string} Name of the curve to use (EC).
+  * `prime` {Buffer} The prime parameter (DH).
+  * `primeLength` {number} Prime length in bits (DH).
+  * `generator` {number} Custom generator (DH). **Default:** `2`.
+  * `groupName` {string} Diffie-Hellman group name (DH). See
     [`crypto.getDiffieHellman()`][].
-  * `paramEncoding`: {string} Must be `'named'` or `'explicit'` (EC).
+  * `paramEncoding` {string} Must be `'named'` or `'explicit'` (EC).
     **Default:** `'named'`.
-  * `publicKeyEncoding`: {Object} See [`keyObject.export()`][].
-  * `privateKeyEncoding`: {Object} See [`keyObject.export()`][].
-* `callback`: {Function}
-  * `err`: {Error}
-  * `publicKey`: {string | Buffer | KeyObject}
-  * `privateKey`: {string | Buffer | KeyObject}
+  * `publicKeyEncoding` {Object} See [`keyObject.export()`][].
+  * `privateKeyEncoding` {Object} See [`keyObject.export()`][].
+* `callback` {Function}
+  * `err` {Error}
+  * `publicKey` {string | Buffer | KeyObject}
+  * `privateKey` {string | Buffer | KeyObject}
 
 Generates a new asymmetric key pair of the given `type`. RSA, RSA-PSS, DSA, EC,
 Ed25519, Ed448, X25519, X448, and DH are currently supported.
@@ -3767,6 +3786,9 @@ a `Promise` for an `Object` with `publicKey` and `privateKey` properties.
 <!-- YAML
 added: v10.12.0
 changes:
+  - version: v24.6.0
+    pr-url: https://github.com/nodejs/node/pull/59259
+    description: Add support for ML-DSA key pairs.
   - version: v16.10.0
     pr-url: https://github.com/nodejs/node/pull/39927
     description: Add ability to define `RSASSA-PSS-params` sequence parameters
@@ -3791,32 +3813,33 @@ changes:
                  produce key objects if no encoding was specified.
 -->
 
-* `type`: {string} Must be `'rsa'`, `'rsa-pss'`, `'dsa'`, `'ec'`, `'ed25519'`,
-  `'ed448'`, `'x25519'`, `'x448'`, or `'dh'`.
-* `options`: {Object}
-  * `modulusLength`: {number} Key size in bits (RSA, DSA).
-  * `publicExponent`: {number} Public exponent (RSA). **Default:** `0x10001`.
-  * `hashAlgorithm`: {string} Name of the message digest (RSA-PSS).
-  * `mgf1HashAlgorithm`: {string} Name of the message digest used by
+* `type` {string} Must be `'rsa'`, `'rsa-pss'`, `'dsa'`, `'ec'`, `'ed25519'`,
+  `'ed448'`, `'x25519'`, `'x448'`, `'dh'`, `'ml-dsa-44'`[^openssl35],
+  `'ml-dsa-65'`[^openssl35], or `'ml-dsa-87'`[^openssl35].
+* `options` {Object}
+  * `modulusLength` {number} Key size in bits (RSA, DSA).
+  * `publicExponent` {number} Public exponent (RSA). **Default:** `0x10001`.
+  * `hashAlgorithm` {string} Name of the message digest (RSA-PSS).
+  * `mgf1HashAlgorithm` {string} Name of the message digest used by
     MGF1 (RSA-PSS).
-  * `saltLength`: {number} Minimal salt length in bytes (RSA-PSS).
-  * `divisorLength`: {number} Size of `q` in bits (DSA).
-  * `namedCurve`: {string} Name of the curve to use (EC).
-  * `prime`: {Buffer} The prime parameter (DH).
-  * `primeLength`: {number} Prime length in bits (DH).
-  * `generator`: {number} Custom generator (DH). **Default:** `2`.
-  * `groupName`: {string} Diffie-Hellman group name (DH). See
+  * `saltLength` {number} Minimal salt length in bytes (RSA-PSS).
+  * `divisorLength` {number} Size of `q` in bits (DSA).
+  * `namedCurve` {string} Name of the curve to use (EC).
+  * `prime` {Buffer} The prime parameter (DH).
+  * `primeLength` {number} Prime length in bits (DH).
+  * `generator` {number} Custom generator (DH). **Default:** `2`.
+  * `groupName` {string} Diffie-Hellman group name (DH). See
     [`crypto.getDiffieHellman()`][].
-  * `paramEncoding`: {string} Must be `'named'` or `'explicit'` (EC).
+  * `paramEncoding` {string} Must be `'named'` or `'explicit'` (EC).
     **Default:** `'named'`.
-  * `publicKeyEncoding`: {Object} See [`keyObject.export()`][].
-  * `privateKeyEncoding`: {Object} See [`keyObject.export()`][].
+  * `publicKeyEncoding` {Object} See [`keyObject.export()`][].
+  * `privateKeyEncoding` {Object} See [`keyObject.export()`][].
 * Returns: {Object}
-  * `publicKey`: {string | Buffer | KeyObject}
-  * `privateKey`: {string | Buffer | KeyObject}
+  * `publicKey` {string | Buffer | KeyObject}
+  * `privateKey` {string | Buffer | KeyObject}
 
 Generates a new asymmetric key pair of the given `type`. RSA, RSA-PSS, DSA, EC,
-Ed25519, Ed448, X25519, X448, and DH are currently supported.
+Ed25519, Ed448, X25519, X448, DH, and ML-DSA[^openssl35] are currently supported.
 
 If a `publicKeyEncoding` or `privateKeyEncoding` was specified, this function
 behaves as if [`keyObject.export()`][] had been called on its result. Otherwise,
@@ -3882,10 +3905,10 @@ it will be a buffer containing the data encoded as DER.
 added: v15.0.0
 -->
 
-* `type`: {string} The intended use of the generated secret key. Currently
+* `type` {string} The intended use of the generated secret key. Currently
   accepted values are `'hmac'` and `'aes'`.
-* `options`: {Object}
-  * `length`: {number} The bit length of the key to generate.
+* `options` {Object}
+  * `length` {number} The bit length of the key to generate.
     * If `type` is `'hmac'`, the minimum is 8, and the maximum length is
       2<sup>31</sup>-1. If the value is not a multiple of 8, the generated
       key will be truncated to `Math.floor(length / 8)`.
@@ -4026,10 +4049,10 @@ the process unresponsive.
 added: v15.0.0
 -->
 
-* `nameOrNid`: {string|number} The name or nid of the cipher to query.
-* `options`: {Object}
-  * `keyLength`: {number} A test key length.
-  * `ivLength`: {number} A test IV length.
+* `nameOrNid` {string|number} The name or nid of the cipher to query.
+* `options` {Object}
+  * `keyLength` {number} A test key length.
+  * `ivLength` {number} A test IV length.
 * Returns: {Object}
   * `name` {string} The name of the cipher
   * `nid` {number} The nid of the cipher
@@ -5416,6 +5439,9 @@ Throws an error if FIPS mode is not available.
 <!-- YAML
 added: v12.0.0
 changes:
+  - version: v24.6.0
+    pr-url: https://github.com/nodejs/node/pull/59259
+    description: Add support for ML-DSA signing.
   - version: v18.0.0
     pr-url: https://github.com/nodejs/node/pull/41678
     description: Passing an invalid callback to the `callback` argument
@@ -5445,7 +5471,10 @@ changes:
 
 Calculates and returns the signature for `data` using the given private key and
 algorithm. If `algorithm` is `null` or `undefined`, then the algorithm is
-dependent upon the key type (especially Ed25519 and Ed448).
+dependent upon the key type.
+
+`algorithm` is required to be `null` or `undefined` for Ed25519, Ed448, and
+ML-DSA.
 
 If `key` is not a [`KeyObject`][], this function behaves as if `key` had been
 passed to [`crypto.createPrivateKey()`][]. If it is an object, the following
@@ -5526,6 +5555,9 @@ not introduce timing vulnerabilities.
 <!-- YAML
 added: v12.0.0
 changes:
+  - version: v24.6.0
+    pr-url: https://github.com/nodejs/node/pull/59259
+    description: Add support for ML-DSA signature verification.
   - version: v18.0.0
     pr-url: https://github.com/nodejs/node/pull/41678
     description: Passing an invalid callback to the `callback` argument
@@ -5561,7 +5593,10 @@ changes:
 
 Verifies the given signature for `data` using the given key and algorithm. If
 `algorithm` is `null` or `undefined`, then the algorithm is dependent upon the
-key type (especially Ed25519 and Ed448).
+key type.
+
+`algorithm` is required to be `null` or `undefined` for Ed25519, Ed448, and
+ML-DSA.
 
 If `key` is not a [`KeyObject`][], this function behaves as if `key` had been
 passed to [`crypto.createPublicKey()`][]. If it is an object, the following
@@ -6150,6 +6185,8 @@ See the [list of SSL OP Flags][] for details.
   </tr>
 </table>
 
+[^openssl35]: Requires OpenSSL >= 3.5
+
 [AEAD algorithms]: https://en.wikipedia.org/wiki/Authenticated_encryption
 [CCM mode]: #ccm-mode
 [CVE-2021-44532]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
diff --git a/doc/api/deprecations.md b/doc/api/deprecations.md
index 5c62c5268e05e4..870c76a776641c 100644
--- a/doc/api/deprecations.md
+++ b/doc/api/deprecations.md
@@ -4010,6 +4010,21 @@ Type: Documentation-only (supports [`--pending-deprecation`][])
 
 Creating SHAKE-128 and SHAKE-256 digests without an explicit `options.outputLength` is deprecated.
 
+### DEP0199: `require('node:_http_*')`
+
+<!-- YAML
+changes:
+  - version: v24.6.0
+    pr-url: https://github.com/nodejs/node/pull/59293
+    description: Documentation-only deprecation.
+-->
+
+Type: Documentation-only
+
+The `node:_http_agent`, `node:_http_client`, `node:_http_common`, `node:_http_incoming`,
+`node:_http_outgoing` and `node:_http_server` modules are deprecated as they should be considered
+an internal nodejs implementation rather than a public facing API, use `node:http` instead.
+
 [DEP0142]: #dep0142-repl_builtinlibs
 [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
 [RFC 6066]: https://tools.ietf.org/html/rfc6066#section-3
diff --git a/doc/api/diagnostics_channel.md b/doc/api/diagnostics_channel.md
index 7f50ca2dbf39c4..1c742f7f972ce0 100644
--- a/doc/api/diagnostics_channel.md
+++ b/doc/api/diagnostics_channel.md
@@ -1107,35 +1107,35 @@ for the sync error and one for the async error.
 
 > Stability: 1 - Experimental
 
-`console.log`
+##### Event: `'console.log'`
 
 * `args` {any\[]}
 
 Emitted when `console.log()` is called. Receives and array of the arguments
 passed to `console.log()`.
 
-`console.info`
+##### Event: `'console.info'`
 
 * `args` {any\[]}
 
 Emitted when `console.info()` is called. Receives and array of the arguments
 passed to `console.info()`.
 
-`console.debug`
+##### Event: `'console.debug'`
 
 * `args` {any\[]}
 
 Emitted when `console.debug()` is called. Receives and array of the arguments
 passed to `console.debug()`.
 
-`console.warn`
+##### Event: `'console.warn'`
 
 * `args` {any\[]}
 
 Emitted when `console.warn()` is called. Receives and array of the arguments
 passed to `console.warn()`.
 
-`console.error`
+##### Event: `'console.error'`
 
 * `args` {any\[]}
 
@@ -1146,34 +1146,34 @@ passed to `console.error()`.
 
 > Stability: 1 - Experimental
 
-`http.client.request.created`
+##### Event: `'http.client.request.created'`
 
 * `request` {http.ClientRequest}
 
 Emitted when client creates a request object.
 Unlike `http.client.request.start`, this event is emitted before the request has been sent.
 
-`http.client.request.start`
+##### Event: `'http.client.request.start'`
 
 * `request` {http.ClientRequest}
 
 Emitted when client starts a request.
 
-`http.client.request.error`
+##### Event: `'http.client.request.error'`
 
 * `request` {http.ClientRequest}
 * `error` {Error}
 
 Emitted when an error occurs during a client request.
 
-`http.client.response.finish`
+##### Event: `'http.client.response.finish'`
 
 * `request` {http.ClientRequest}
 * `response` {http.IncomingMessage}
 
 Emitted when client receives a response.
 
-`http.server.request.start`
+##### Event: `'http.server.request.start'`
 
 * `request` {http.IncomingMessage}
 * `response` {http.ServerResponse}
@@ -1182,7 +1182,7 @@ Emitted when client receives a response.
 
 Emitted when server receives a request.
 
-`http.server.response.created`
+##### Event: `'http.server.response.created'`
 
 * `request` {http.IncomingMessage}
 * `response` {http.ServerResponse}
@@ -1190,7 +1190,7 @@ Emitted when server receives a request.
 Emitted when server creates a response.
 The event is emitted before the response is sent.
 
-`http.server.response.finish`
+##### Event: `'http.server.response.finish'`
 
 * `request` {http.IncomingMessage}
 * `response` {http.ServerResponse}
@@ -1203,28 +1203,28 @@ Emitted when server sends a response.
 
 > Stability: 1 - Experimental
 
-`http2.client.stream.created`
+##### Event: `'http2.client.stream.created'`
 
 * `stream` {ClientHttp2Stream}
 * `headers` {HTTP/2 Headers Object}
 
 Emitted when a stream is created on the client.
 
-`http2.client.stream.start`
+##### Event: `'http2.client.stream.start'`
 
 * `stream` {ClientHttp2Stream}
 * `headers` {HTTP/2 Headers Object}
 
 Emitted when a stream is started on the client.
 
-`http2.client.stream.error`
+##### Event: `'http2.client.stream.error'`
 
 * `stream` {ClientHttp2Stream}
 * `error` {Error}
 
 Emitted when an error occurs during the processing of a stream on the client.
 
-`http2.client.stream.finish`
+##### Event: `'http2.client.stream.finish'`
 
 * `stream` {ClientHttp2Stream}
 * `headers` {HTTP/2 Headers Object}
@@ -1232,35 +1232,35 @@ Emitted when an error occurs during the processing of a stream on the client.
 
 Emitted when a stream is received on the client.
 
-`http2.client.stream.close`
+##### Event: `'http2.client.stream.close'`
 
 * `stream` {ClientHttp2Stream}
 
 Emitted when a stream is closed on the client. The HTTP/2 error code used when
 closing the stream can be retrieved using the `stream.rstCode` property.
 
-`http2.server.stream.created`
+##### Event: `'http2.server.stream.created'`
 
 * `stream` {ServerHttp2Stream}
 * `headers` {HTTP/2 Headers Object}
 
 Emitted when a stream is created on the server.
 
-`http2.server.stream.start`
+##### Event: `'http2.server.stream.start'`
 
 * `stream` {ServerHttp2Stream}
 * `headers` {HTTP/2 Headers Object}
 
 Emitted when a stream is started on the server.
 
-`http2.server.stream.error`
+##### Event: `'http2.server.stream.error'`
 
 * `stream` {ServerHttp2Stream}
 * `error` {Error}
 
 Emitted when an error occurs during the processing of a stream on the server.
 
-`http2.server.stream.finish`
+##### Event: `'http2.server.stream.finish'`
 
 * `stream` {ServerHttp2Stream}
 * `headers` {HTTP/2 Headers Object}
@@ -1268,7 +1268,7 @@ Emitted when an error occurs during the processing of a stream on the server.
 
 Emitted when a stream is sent on the server.
 
-`http2.server.stream.close`
+##### Event: `'http2.server.stream.close'`
 
 * `stream` {ServerHttp2Stream}
 
@@ -1279,52 +1279,52 @@ closing the stream can be retrieved using the `stream.rstCode` property.
 
 > Stability: 1 - Experimental
 
-`module.require.start`
+##### Event: `'module.require.start'`
 
 * `event` {Object} containing the following properties
-  * `id` - Argument passed to `require()`. Module name.
-  * `parentFilename` - Name of the module that attempted to require(id).
+  * `id` Argument passed to `require()`. Module name.
+  * `parentFilename` Name of the module that attempted to require(id).
 
 Emitted when `require()` is executed. See [`start` event][].
 
-`module.require.end`
+##### Event: `'module.require.end'`
 
 * `event` {Object} containing the following properties
-  * `id` - Argument passed to `require()`. Module name.
-  * `parentFilename` - Name of the module that attempted to require(id).
+  * `id` Argument passed to `require()`. Module name.
+  * `parentFilename` Name of the module that attempted to require(id).
 
 Emitted when a `require()` call returns. See [`end` event][].
 
-`module.require.error`
+##### Event: `'module.require.error'`
 
 * `event` {Object} containing the following properties
-  * `id` - Argument passed to `require()`. Module name.
-  * `parentFilename` - Name of the module that attempted to require(id).
+  * `id` Argument passed to `require()`. Module name.
+  * `parentFilename` Name of the module that attempted to require(id).
 * `error` {Error}
 
 Emitted when a `require()` throws an error. See [`error` event][].
 
-`module.import.asyncStart`
+##### Event: `'module.import.asyncStart'`
 
 * `event` {Object} containing the following properties
-  * `id` - Argument passed to `import()`. Module name.
-  * `parentURL` - URL object of the module that attempted to import(id).
+  * `id` Argument passed to `import()`. Module name.
+  * `parentURL` URL object of the module that attempted to import(id).
 
 Emitted when `import()` is invoked. See [`asyncStart` event][].
 
-`module.import.asyncEnd`
+##### Event: `'module.import.asyncEnd'`
 
 * `event` {Object} containing the following properties
-  * `id` - Argument passed to `import()`. Module name.
-  * `parentURL` - URL object of the module that attempted to import(id).
+  * `id` Argument passed to `import()`. Module name.
+  * `parentURL` URL object of the module that attempted to import(id).
 
 Emitted when `import()` has completed. See [`asyncEnd` event][].
 
-`module.import.error`
+##### Event: `'module.import.error'`
 
 * `event` {Object} containing the following properties
-  * `id` - Argument passed to `import()`. Module name.
-  * `parentURL` - URL object of the module that attempted to import(id).
+  * `id` Argument passed to `import()`. Module name.
+  * `parentURL` URL object of the module that attempted to import(id).
 * `error` {Error}
 
 Emitted when a `import()` throws an error. See [`error` event][].
@@ -1333,32 +1333,32 @@ Emitted when a `import()` throws an error. See [`error` event][].
 
 > Stability: 1 - Experimental
 
-`net.client.socket`
+##### Event: `'net.client.socket'`
 
 * `socket` {net.Socket|tls.TLSSocket}
 
 Emitted when a new TCP or pipe client socket connection is created.
 
-`net.server.socket`
+##### Event: `'net.server.socket'`
 
 * `socket` {net.Socket}
 
 Emitted when a new TCP or pipe connection is received.
 
-`tracing:net.server.listen:asyncStart`
+##### Event: `'tracing:net.server.listen:asyncStart'`
 
 * `server` {net.Server}
 * `options` {Object}
 
 Emitted when [`net.Server.listen()`][] is invoked, before the port or pipe is actually setup.
 
-`tracing:net.server.listen:asyncEnd`
+##### Event: `'tracing:net.server.listen:asyncEnd'`
 
 * `server` {net.Server}
 
 Emitted when [`net.Server.listen()`][] has completed and thus the server is ready to accept connection.
 
-`tracing:net.server.listen:error`
+##### Event: `'tracing:net.server.listen:error'`
 
 * `server` {net.Server}
 * `error` {Error}
@@ -1369,7 +1369,7 @@ Emitted when [`net.Server.listen()`][] is returning an error.
 
 > Stability: 1 - Experimental
 
-`udp.socket`
+##### Event: `'udp.socket'`
 
 * `socket` {dgram.Socket}
 
@@ -1383,13 +1383,13 @@ Emitted when a new UDP socket is created.
 added: v16.18.0
 -->
 
-`child_process`
+##### Event: `'child_process'`
 
 * `process` {ChildProcess}
 
 Emitted when a new process is created.
 
-`execve`
+##### Event: `'execve'`
 
 * `execPath` {string}
 * `args` {string\[]}
@@ -1405,16 +1405,15 @@ Emitted when [`process.execve()`][] is invoked.
 added: v16.18.0
 -->
 
-`worker_threads`
+##### Event: `'worker_threads'`
 
-* `worker` [`Worker`][]
+* `worker` {Worker}
 
 Emitted when a new thread is created.
 
 [TracingChannel Channels]: #tracingchannel-channels
 [`'uncaughtException'`]: process.md#event-uncaughtexception
 [`TracingChannel`]: #class-tracingchannel
-[`Worker`]: worker_threads.md#class-worker
 [`asyncEnd` event]: #asyncendevent
 [`asyncStart` event]: #asyncstartevent
 [`channel.bindStore(store)`]: #channelbindstorestore-transform
diff --git a/doc/api/dns.md b/doc/api/dns.md
index f5da52f0cc1e26..61846f6f621014 100644
--- a/doc/api/dns.md
+++ b/doc/api/dns.md
@@ -856,14 +856,10 @@ changes:
                  `ERR_INVALID_CALLBACK`.
 -->
 
-<!--lint disable no-undefined-references list-item-bullet-indent-->
-
 * `hostname` {string}
 * `callback` {Function}
   * `err` {Error}
-  * `records` <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#String_type" class="type">\<string\[]\[]></a>
-
-<!--lint enable no-undefined-references list-item-bullet-indent-->
+  * `records` {string\[]}
 
 Uses the DNS protocol to resolve text queries (`TXT` records) for the
 `hostname`. The `records` argument passed to the `callback` function is a
diff --git a/doc/api/documentation.md b/doc/api/documentation.md
index c6edb13ad613cd..6938ac40a21374 100644
--- a/doc/api/documentation.md
+++ b/doc/api/documentation.md
@@ -41,9 +41,9 @@ The stability indexes are as follows:
 >   minimum viability.
 > * 1.2 - Release candidate. Experimental features at this stage are hopefully
 >   ready to become stable. No further breaking changes are anticipated but may
->   still occur in response to user feedback. We encourage user testing and
->   feedback so that we can know that this feature is ready to be marked as
->   stable.
+>   still occur in response to user feedback or the features' underlying
+>   specification development. We encourage user testing and feedback so that
+>   we can know that this feature is ready to be marked as stable.
 >
 > Experimental features leave the experimental status typically either by
 > graduating to stable, or are removed without a deprecation cycle.
diff --git a/doc/api/events.md b/doc/api/events.md
index f1c1683528490c..bad5814c373281 100644
--- a/doc/api/events.md
+++ b/doc/api/events.md
@@ -1099,7 +1099,7 @@ changes:
     description: No longer experimental.
 -->
 
-* `err` Error
+* `err` {Error}
 * `eventName` {string|symbol}
 * `...args` {any}
 
@@ -1600,7 +1600,7 @@ changes:
     description: No longer experimental.
 -->
 
-Value: {boolean}
+* Type: {boolean}
 
 Change the default `captureRejections` option on all new `EventEmitter` objects.
 
@@ -1618,7 +1618,7 @@ changes:
     description: No longer experimental.
 -->
 
-Value: `Symbol.for('nodejs.rejection')`
+* Type: {symbol} `Symbol.for('nodejs.rejection')`
 
 See how to write a custom [rejection handler][rejection].
 
@@ -1681,12 +1681,12 @@ changes:
 * `eventName` {string|symbol} The name of the event being listened for
 * `options` {Object}
   * `signal` {AbortSignal} Can be used to cancel awaiting events.
-  * `close` - {string\[]} Names of events that will end the iteration.
-  * `highWaterMark` - {integer} **Default:** `Number.MAX_SAFE_INTEGER`
+  * `close` {string\[]} Names of events that will end the iteration.
+  * `highWaterMark` {integer} **Default:** `Number.MAX_SAFE_INTEGER`
     The high watermark. The emitter is paused every time the size of events
     being buffered is higher than it. Supported only on emitters implementing
     `pause()` and `resume()` methods.
-  * `lowWaterMark` - {integer} **Default:** `1`
+  * `lowWaterMark` {integer} **Default:** `1`
     The low watermark. The emitter is resumed every time the size of events
     being buffered is lower than it. Supported only on emitters implementing
     `pause()` and `resume()` methods.
@@ -1986,7 +1986,7 @@ same options as `EventEmitter` and `AsyncResource` themselves.
 
 ### `eventemitterasyncresource.asyncResource`
 
-* The underlying {AsyncResource}.
+* Type: {AsyncResource} The underlying {AsyncResource}.
 
 The returned `AsyncResource` object has an additional `eventEmitter` property
 that provides a reference to this `EventEmitterAsyncResource`.
diff --git a/doc/api/fs.md b/doc/api/fs.md
index 31914ea772ab81..57ce4c0bae3a10 100644
--- a/doc/api/fs.md
+++ b/doc/api/fs.md
@@ -7701,6 +7701,186 @@ added:
 
 Type of file system.
 
+### Class: `fs.Utf8Stream`
+
+<!-- YAML
+added: v24.6.0
+-->
+
+> Stability: 1 - Experimental
+
+An optimized UTF-8 stream writer that allows for flushing all the internal
+buffering on demand. It handles `EAGAIN` errors correctly, allowing for
+customization, for example, by dropping content if the disk is busy.
+
+#### Event: `'close'`
+
+The `'close'` event is emitted when the stream is fully closed.
+
+#### Event: `'drain'`
+
+The `'drain'` event is emitted when the internal buffer has drained sufficiently
+to allow continued writing.
+
+#### Event: `'drop'`
+
+The `'drop'` event is emitted when to maximal length is reached and that data
+will not be written. The data that was dropped is passed as the first argument
+to the event handle.
+
+#### Event: `'error'`
+
+The `'error'` event is emitted when an error occurs.
+
+#### Event: `'finish'`
+
+The `'finish'` event is emitted when the stream has been ended and all data has
+been flushed to the underlying file.
+
+#### Event: `'ready'`
+
+The `'ready'` event is emitted when the stream is ready to accept writes.
+
+#### Event: `'write'`
+
+The `'write'` event is emitted when a write operation has completed. The number
+of bytes written is passed as the first argument to the event handler.
+
+#### `new fs.Utf8Stream([options])`
+
+* `options` {Object}
+  * `append`: {boolean} Appends writes to dest file instead of truncating it.
+    **Default**: `true`.
+  * `contentMode`: {string} Which type of data you can send to the write
+    function, supported values are `'utf8'` or `'buffer'`. **Default**:
+    `'utf8'`.
+  * `dest`: {string} A path to a file to be written to (mode controlled by the
+    append option).
+  * `fd`: {number} A file descriptor, something that is returned by `fs.open()`
+    or `fs.openSync()`.
+  * `fs`: {Object} An object that has the same API as the `fs` module, useful
+    for mocking, testing, or customizing the behavior of the stream.
+  * `fsync`: {boolean} Perform a `fs.fsyncSync()` every time a write is
+    completed.
+  * `maxLength`: {number} The maximum length of the internal buffer. If a write
+    operation would cause the buffer to exceed `maxLength`, the data written is
+    dropped and a drop event is emitted with the dropped data
+  * `maxWrite`: {number} The maximum number of bytes that can be written;
+    **Default**: `16384`
+  * `minLength`: {number} The minimum length of the internal buffer that is
+    required to be full before flushing.
+  * `mkdir`: {boolean} Ensure directory for `dest` file exists when true.
+    **Default**: `false`.
+  * `mode`: {number|string} Specify the creating file mode (see `fs.open()`).
+  * `periodicFlush`: {number} Calls flush every `periodicFlush` milliseconds.
+  * `retryEAGAIN` {Function} A function that will be called when `write()`,
+    `writeSync()`, or `flushSync()` encounters an `EAGAIN` or `EBUSY` error.
+    If the return value is `true` the operation will be retried, otherwise it
+    will bubble the error. The `err` is the error that caused this function to
+    be called, `writeBufferLen` is the length of the buffer that was written,
+    and `remainingBufferLen` is the length of the remaining buffer that the
+    stream did not try to write.
+    * `err` {any} An error or `null`.
+    * `writeBufferLen` {number}
+    * `remainingBufferLen`: {number}
+  * `sync`: {boolean} Perform writes synchronously.
+
+#### `utf8Stream.append`
+
+* {boolean} Whether the stream is appending to the file or truncating it.
+
+#### `utf8Stream.contentMode`
+
+* {string} The type of data that can be written to the stream. Supported
+  values are `'utf8'` or `'buffer'`. **Default**: `'utf8'`.
+
+#### `utf8Stream.destroy()`
+
+Close the stream immediately, without flushing the internal buffer.
+
+#### `utf8Stream.end()`
+
+Close the stream gracefully, flushing the internal buffer before closing.
+
+#### `utf8Stream.fd`
+
+* {number} The file descriptor that is being written to.
+
+#### `utf8Stream.file`
+
+* {string} The file that is being written to.
+
+#### `utf8Stream.flush(callback)`
+
+* `callback` {Function}
+  * `err` {Error|null} An error if the flush failed, otherwise `null`.
+
+Writes the current buffer to the file if a write was not in progress. Do
+nothing if `minLength` is zero or if it is already writing.
+
+#### `utf8Stream.flushSync()`
+
+Flushes the buffered data synchronously. This is a costly operation.
+
+#### `utf8Stream.fsync`
+
+* {boolean} Whether the stream is performing a `fs.fsyncSync()` after every
+  write operation.
+
+#### `utf8Stream.maxLength`
+
+* {number} The maximum length of the internal buffer. If a write
+  operation would cause the buffer to exceed `maxLength`, the data written is
+  dropped and a drop event is emitted with the dropped data.
+
+#### `utf8Stream.minLength`
+
+* {number} The minimum length of the internal buffer that is required to be
+  full before flushing.
+
+#### `utf8Stream.mkdir`
+
+* {boolean} Whether the stream should ensure that the directory for the
+  `dest` file exists. If `true`, it will create the directory if it does not
+  exist. **Default**: `false`.
+
+#### `utf8Stream.mode`
+
+* {number|string} The mode of the file that is being written to.
+
+#### `utf8Stream.periodicFlush`
+
+* {number} The number of milliseconds between flushes. If set to `0`, no
+  periodic flushes will be performed.
+
+#### `utf8Stream.reopen(file)`
+
+* `file`: {string|Buffer|URL} A path to a file to be written to (mode
+  controlled by the append option).
+
+Reopen the file in place, useful for log rotation.
+
+#### `utf8Stream.sync`
+
+* {boolean} Whether the stream is writing synchronously or asynchronously.
+
+#### `utf8Stream.write(data)`
+
+* `data` {string|Buffer} The data to write.
+* Returns {boolean}
+
+When the `options.contentMode` is set to `'utf8'` when the stream is created,
+the `data` argument must be a string. If the `contentMode` is set to `'buffer'`,
+the `data` argument must be a {Buffer}.
+
+#### `utf8Stream.writing`
+
+* {boolean} Whether the stream is currently writing data to the file.
+
+#### `utf8Stream[Symbol.dispose]()`
+
+Calls `utf8Stream.destroy()`.
+
 ### Class: `fs.WriteStream`
 
 <!-- YAML
diff --git a/doc/api/globals.md b/doc/api/globals.md
index 1d9ea55f99a40f..7d272e127cecfa 100644
--- a/doc/api/globals.md
+++ b/doc/api/globals.md
@@ -537,7 +537,7 @@ The dispatcher must be compatible with `undici`'s
 fetch(url, { dispatcher: new MyAgent() });
 ```
 
-It is possible to change the global dispatcher in Node.js installing `undici` and using
+It is possible to change the global dispatcher in Node.js by installing `undici` and using
 the `setGlobalDispatcher()` method. Calling this method will affect both `undici` and
 Node.js.
 
diff --git a/doc/api/http.md b/doc/api/http.md
index 295c9e3642dad9..64bd5a519a75f1 100644
--- a/doc/api/http.md
+++ b/doc/api/http.md
@@ -1942,18 +1942,39 @@ added: v8.0.0
 
 The number of milliseconds of inactivity a server needs to wait for additional
 incoming data, after it has finished writing the last response, before a socket
-will be destroyed. If the server receives new data before the keep-alive
-timeout has fired, it will reset the regular inactivity timeout, i.e.,
-[`server.timeout`][].
+will be destroyed.
+
+This timeout value is combined with the
+[`server.keepAliveTimeoutBuffer`][] option to determine the actual socket
+timeout, calculated as:
+socketTimeout = keepAliveTimeout + keepAliveTimeoutBuffer
+If the server receives new data before the keep-alive timeout has fired, it
+will reset the regular inactivity timeout, i.e., [`server.timeout`][].
 
 A value of `0` will disable the keep-alive timeout behavior on incoming
 connections.
-A value of `0` makes the http server behave similarly to Node.js versions prior
+A value of `0` makes the HTTP server behave similarly to Node.js versions prior
 to 8.0.0, which did not have a keep-alive timeout.
 
 The socket timeout logic is set up on connection, so changing this value only
 affects new connections to the server, not any existing connections.
 
+### `server.keepAliveTimeoutBuffer`
+
+<!-- YAML
+added: v24.6.0
+-->
+
+* Type: {number} Timeout in milliseconds. **Default:** `1000` (1 second).
+
+An additional buffer time added to the
+[`server.keepAliveTimeout`][] to extend the internal socket timeout.
+
+This buffer helps reduce connection reset (`ECONNRESET`) errors by increasing
+the socket timeout slightly beyond the advertised keep-alive timeout.
+
+This option applies only to new incoming connections.
+
 ### `server[Symbol.asyncDispose]()`
 
 <!-- YAML
@@ -4432,6 +4453,7 @@ const agent2 = new http.Agent({ proxyEnv: process.env });
 [`response.writeHead()`]: #responsewriteheadstatuscode-statusmessage-headers
 [`server.close()`]: #serverclosecallback
 [`server.headersTimeout`]: #serverheaderstimeout
+[`server.keepAliveTimeoutBuffer`]: #serverkeepalivetimeoutbuffer
 [`server.keepAliveTimeout`]: #serverkeepalivetimeout
 [`server.listen()`]: net.md#serverlisten
 [`server.requestTimeout`]: #serverrequesttimeout
diff --git a/doc/api/http2.md b/doc/api/http2.md
index c8e243021dcd8f..084bf1d3a2d3eb 100644
--- a/doc/api/http2.md
+++ b/doc/api/http2.md
@@ -2914,7 +2914,7 @@ changes:
     and trailing whitespace validation for HTTP/2 header field names and values
     as per [RFC-9113](https://www.rfc-editor.org/rfc/rfc9113.html#section-8.2.1).
     **Default:** `true`.
-  * ...: Any [`net.createServer()`][] option can be provided.
+  * `...options` {Object} Any [`net.createServer()`][] option can be provided.
 * `onRequestHandler` {Function} See [Compatibility API][]
 * Returns: {Http2Server}
 
@@ -3077,8 +3077,8 @@ changes:
     settings types, which are included in the `customSettings`-property of the
     received remoteSettings. Please see the `customSettings`-property of the
     `Http2Settings` object for more information, on the allowed setting types.
-  * ...: Any [`tls.createServer()`][] options can be provided. For
-    servers, the identity options (`pfx` or `key`/`cert`) are usually required.
+  * `...options` {Object} Any [`tls.createServer()`][] options can be provided.
+    For servers, the identity options (`pfx` or `key`/`cert`) are usually required.
   * `origins` {string\[]} An array of origin strings to send within an `ORIGIN`
     frame immediately following creation of a new server `Http2Session`.
   * `unknownProtocolTimeout` {number} Specifies a timeout in milliseconds that
@@ -3239,7 +3239,8 @@ changes:
   * `createConnection` {Function} An optional callback that receives the `URL`
     instance passed to `connect` and the `options` object, and returns any
     [`Duplex`][] stream that is to be used as the connection for this session.
-  * ...: Any [`net.connect()`][] or [`tls.connect()`][] options can be provided.
+  * `...options` {Object} Any [`net.connect()`][] or [`tls.connect()`][] options
+    can be provided.
   * `unknownProtocolTimeout` {number} Specifies a timeout in milliseconds that
     a server should wait when an [`'unknownProtocol'`][] event is emitted. If
     the socket has not been destroyed by that time the server will destroy it.
@@ -3364,8 +3365,7 @@ added:
 -->
 
 * `socket` {stream.Duplex}
-* `options` {Object}
-  * ...: Any [`http2.createServer()`][] option can be provided.
+* `options` {Object} Any [`http2.createServer()`][] option can be provided.
 * Returns: {ServerHttp2Session}
 
 Create an HTTP/2 server session from an existing socket.
diff --git a/doc/api/inspector.md b/doc/api/inspector.md
index 9a34b4652afa66..0ab07b995749d1 100644
--- a/doc/api/inspector.md
+++ b/doc/api/inspector.md
@@ -79,7 +79,7 @@ session.on('inspectorNotification', (message) => console.log(message.method));
 
 It is also possible to subscribe only to notifications with specific method:
 
-#### Event: `<inspector-protocol-method>`;
+#### Event: `<inspector-protocol-method>`
 
 <!-- YAML
 added: v8.0.0
diff --git a/doc/api/module.md b/doc/api/module.md
index c29afe5aedaad8..f1e55c733ea4cc 100644
--- a/doc/api/module.md
+++ b/doc/api/module.md
@@ -1722,17 +1722,17 @@ original file if found, or an empty object if not.
 
 The object returned contains the following keys:
 
-* generatedLine: {number} The line offset of the start of the
+* `generatedLine` {number} The line offset of the start of the
   range in the generated source
-* generatedColumn: {number} The column offset of start of the
+* `generatedColumn` {number} The column offset of start of the
   range in the generated source
-* originalSource: {string} The file name of the original source,
+* `originalSource` {string} The file name of the original source,
   as reported in the SourceMap
-* originalLine: {number} The line offset of the start of the
+* `originalLine` {number} The line offset of the start of the
   range in the original source
-* originalColumn: {number} The column offset of start of the
+* `originalColumn` {number} The column offset of start of the
   range in the original source
-* name: {string}
+* `name` {string}
 
 The returned value represents the raw range as it appears in the
 SourceMap, based on zero-indexed offsets, _not_ 1-indexed line and
@@ -1766,13 +1766,13 @@ If the `lineNumber` and `columnNumber` provided are not found in any
 source map, then an empty object is returned. Otherwise, the
 returned object contains the following keys:
 
-* name: {string | undefined} The name of the range in the
+* `name` {string|undefined} The name of the range in the
   source map, if one was provided
-* fileName: {string} The file name of the original source, as
+* `fileName` {string} The file name of the original source, as
   reported in the SourceMap
-* lineNumber: {number} The 1-indexed lineNumber of the
+* `lineNumber` {number} The 1-indexed lineNumber of the
   corresponding call site in the original source
-* columnNumber: {number} The 1-indexed columnNumber of the
+* `columnNumber` {number} The 1-indexed columnNumber of the
   corresponding call site in the original source
 
 [CommonJS]: modules.md
diff --git a/doc/api/modules.md b/doc/api/modules.md
index d54c0d1852cd53..4ef79b855bd877 100644
--- a/doc/api/modules.md
+++ b/doc/api/modules.md
@@ -773,8 +773,6 @@ By doing this, Node.js achieves a few things:
 added: v0.1.27
 -->
 
-<!-- type=var -->
-
 * Type: {string}
 
 The directory name of the current module. This is the same as the
@@ -795,8 +793,6 @@ console.log(path.dirname(__filename));
 added: v0.0.1
 -->
 
-<!-- type=var -->
-
 * Type: {string}
 
 The file name of the current module. This is the current module file's absolute
@@ -834,8 +830,6 @@ References to `__filename` within `b.js` will return
 added: v0.1.12
 -->
 
-<!-- type=var -->
-
 * Type: {Object}
 
 A reference to the `module.exports` that is shorter to type.
@@ -848,8 +842,6 @@ See the section about the [exports shortcut][] for details on when to use
 added: v0.1.16
 -->
 
-<!-- type=var -->
-
 * Type: {module}
 
 A reference to the current module, see the section about the
@@ -862,8 +854,6 @@ a module exports and makes available through `require()`.
 added: v0.1.13
 -->
 
-<!-- type=var -->
-
 * `id` {string} module name or path
 * Returns: {any} exported module content
 
@@ -1029,8 +1019,6 @@ Returns an array containing the paths searched during resolution of `request` or
 added: v0.1.16
 -->
 
-<!-- type=var -->
-
 <!-- name=module -->
 
 * Type: {Object}
diff --git a/doc/api/process.md b/doc/api/process.md
index b2f795e2034f47..e590bbbff73589 100644
--- a/doc/api/process.md
+++ b/doc/api/process.md
@@ -2890,6 +2890,13 @@ The `process.memoryUsage()` method iterates over each page to gather
 information about memory usage which might be slow depending on the
 program memory allocations.
 
+### A note on process memoryUsage
+
+On Linux or other systems where glibc is commonly used, an application may have sustained
+`rss` growth despite stable `heapTotal` due to fragmentation caused by the glibc `malloc`
+implementation. See [nodejs/node#21973][] on how to switch to an alternative `malloc`
+implementation to address the performance issue.
+
 ## `process.memoryUsage.rss()`
 
 <!-- YAML
@@ -4631,6 +4638,7 @@ cases:
 [debugger]: debugger.md
 [deprecation code]: deprecations.md
 [loading ECMAScript modules using `require()`]: modules.md#loading-ecmascript-modules-using-require
+[nodejs/node#21973]: https://github.com/nodejs/node/issues/21973
 [note on process I/O]: #a-note-on-process-io
 [process.cpuUsage]: #processcpuusagepreviousvalue
 [process_emit_warning]: #processemitwarningwarning-type-code-ctor
diff --git a/doc/api/stream.md b/doc/api/stream.md
index 416ae30903521f..4ca97a67f844e7 100644
--- a/doc/api/stream.md
+++ b/doc/api/stream.md
@@ -62,10 +62,10 @@ functions for streams that return `Promise` objects rather than using
 callbacks. The API is accessible via `require('node:stream/promises')`
 or `require('node:stream').promises`.
 
-### `stream.pipeline(source[, ...transforms], destination[, options])`
-
 ### `stream.pipeline(streams[, options])`
 
+### `stream.pipeline(source[, ...transforms], destination[, options])`
+
 <!-- YAML
 added: v15.0.0
 changes:
diff --git a/doc/api/tls.md b/doc/api/tls.md
index 532d3b02659057..423ed66f87fc48 100644
--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@@ -193,7 +193,7 @@ the selected cipher's digest).
 
 It will be called first on the client:
 
-* hint: {string} optional message sent from the server to help the client
+* `hint` {string} optional message sent from the server to help the client
   decide which identity to use during negotiation.
   Always `null` if TLS 1.3 is used.
 * Returns: {Object} in the form
@@ -201,8 +201,8 @@ It will be called first on the client:
 
 Then on the server:
 
-* socket: {tls.TLSSocket} the server socket instance, equivalent to `this`.
-* identity: {string} identity parameter sent from the client.
+* `socket` {tls.TLSSocket} the server socket instance, equivalent to `this`.
+* `identity` {string} identity parameter sent from the client.
 * Returns: {Buffer|TypedArray|DataView} the PSK (or `null`).
 
 A return value of `null` stops the negotiation process and sends an
@@ -1705,7 +1705,7 @@ changes:
     verification fails; `err.code` contains the OpenSSL error code. **Default:**
     `true`.
   * `pskCallback` {Function} For TLS-PSK negotiation, see [Pre-shared keys][].
-  * `ALPNProtocols`: {string\[]|Buffer\[]|TypedArray\[]|DataView\[]|Buffer|
+  * `ALPNProtocols` {string\[]|Buffer\[]|TypedArray\[]|DataView\[]|Buffer|
     TypedArray|DataView}
     An array of strings, `Buffer`s, `TypedArray`s, or `DataView`s, or a
     single `Buffer`, `TypedArray`, or `DataView` containing the supported ALPN
@@ -1714,7 +1714,7 @@ changes:
     next protocol name. Passing an array is usually much simpler, e.g.
     `['http/1.1', 'http/1.0']`. Protocols earlier in the list have higher
     preference than those later.
-  * `servername`: {string} Server name for the SNI (Server Name Indication) TLS
+  * `servername` {string} Server name for the SNI (Server Name Indication) TLS
     extension. It is the name of the host being connected to, and must be a host
     name, and not an IP address. It can be used by a multi-homed server to
     choose the correct certificate to present to the client, see the
@@ -1730,7 +1730,7 @@ changes:
     TLS connection. When a server offers a DH parameter with a size less
     than `minDHSize`, the TLS connection is destroyed and an error is thrown.
     **Default:** `1024`.
-  * `highWaterMark`: {number} Consistent with the readable stream `highWaterMark` parameter.
+  * `highWaterMark` {number} Consistent with the readable stream `highWaterMark` parameter.
     **Default:** `16 * 1024`.
   * `secureContext`: TLS context object created with
     [`tls.createSecureContext()`][]. If a `secureContext` is _not_ provided, one
@@ -2051,7 +2051,7 @@ changes:
     **Default:** none, see `minVersion`.
   * `sessionIdContext` {string} Opaque identifier used by servers to ensure
     session state is not shared between applications. Unused by clients.
-  * `ticketKeys`: {Buffer} 48-bytes of cryptographically strong pseudorandom
+  * `ticketKeys` {Buffer} 48-bytes of cryptographically strong pseudorandom
     data. See [Session Resumption][] for more information.
   * `sessionTimeout` {number} The number of seconds after which a TLS session
     created by the server will no longer be resumable. See
@@ -2120,7 +2120,7 @@ changes:
 -->
 
 * `options` {Object}
-  * `ALPNProtocols`: {string\[]|Buffer\[]|TypedArray\[]|DataView\[]|Buffer|
+  * `ALPNProtocols` {string\[]|Buffer\[]|TypedArray\[]|DataView\[]|Buffer|
     TypedArray|DataView}
     An array of strings, `Buffer`s, `TypedArray`s, or `DataView`s, or a single
     `Buffer`, `TypedArray`, or `DataView` containing the supported ALPN
@@ -2128,7 +2128,7 @@ changes:
     e.g. `0x05hello0x05world`, where the first byte is the length of the next
     protocol name. Passing an array is usually much simpler, e.g.
     `['hello', 'world']`. (Protocols should be ordered by their priority.)
-  * `ALPNCallback`: {Function} If set, this will be called when a
+  * `ALPNCallback` {Function} If set, this will be called when a
     client opens a connection using the ALPN extension. One argument will
     be passed to the callback: an object containing `servername` and
     `protocols` fields, respectively containing the server name from
@@ -2167,7 +2167,7 @@ changes:
     If `callback` is called with a falsy `ctx` argument, the default secure
     context of the server will be used. If `SNICallback` wasn't provided the
     default callback with high-level API will be used (see below).
-  * `ticketKeys`: {Buffer} 48-bytes of cryptographically strong pseudorandom
+  * `ticketKeys` {Buffer} 48-bytes of cryptographically strong pseudorandom
     data. See [Session Resumption][] for more information.
   * `pskCallback` {Function} For TLS-PSK negotiation, see [Pre-shared keys][].
   * `pskIdentityHint` {string} optional hint to send to a client to help
diff --git a/doc/api/util.md b/doc/api/util.md
index 75e09f61738587..f1dce7e65d3670 100644
--- a/doc/api/util.md
+++ b/doc/api/util.md
@@ -340,8 +340,8 @@ added:
 * `expected` {Array|string} The second value to compare
 
 * Returns: {Array} An array of difference entries. Each entry is an array with two elements:
-  * Index 0: {number} Operation code: `-1` for delete, `0` for no-op/unchanged, `1` for insert
-  * Index 1: {string} The value associated with the operation
+  * `0` {number} Operation code: `-1` for delete, `0` for no-op/unchanged, `1` for insert
+  * `1` {string} The value associated with the operation
 
 * Algorithm complexity: O(N\*D), where:
 
@@ -739,6 +739,16 @@ fs.access('file/that/does/not/exist', (err) => {
 });
 ```
 
+## `util.setTraceSigInt(enable)`
+
+<!-- YAML
+added: v24.6.0
+-->
+
+* `enable` {boolean}
+
+Enable or disable printing a stack trace on `SIGINT`. The API is only available on the main thread.
+
 ## `util.inherits(constructor, superConstructor)`
 
 <!-- YAML
@@ -1305,19 +1315,19 @@ ignored, if not supported.
 * `reset` - Resets all (color) modifiers to their defaults
 * **bold** - Make text bold
 * _italic_ - Make text italic
-* <span style="border-bottom: 1px;">underline</span> - Make text underlined
+* <span style="border-bottom: 1px solid;">underline</span> - Make text underlined
 * ~~strikethrough~~ - Puts a horizontal line through the center of the text
   (Alias: `strikeThrough`, `crossedout`, `crossedOut`)
 * `hidden` - Prints the text, but makes it invisible (Alias: conceal)
 * <span style="opacity: 0.5;">dim</span> - Decreased color intensity (Alias:
   `faint`)
-* <span style="border-top: 1px">overlined</span> - Make text overlined
+* <span style="border-top: 1px solid;">overlined</span> - Make text overlined
 * blink - Hides and shows the text in an interval
-* <span style="filter: invert(100%)">inverse</span> - Swap foreground and
+* <span style="filter: invert(100%);">inverse</span> - Swap foreground and
   background colors (Alias: `swapcolors`, `swapColors`)
 * <span style="border-bottom: 1px double;">doubleunderline</span> - Make text
   double underlined (Alias: `doubleUnderline`)
-* <span style="border: 1px">framed</span> - Draw a frame around the text
+* <span style="border: 1px solid;">framed</span> - Draw a frame around the text
 
 #### Foreground colors
 
diff --git a/doc/api/webcrypto.md b/doc/api/webcrypto.md
index 4db5b84842c5d4..0e1376c5d3eea2 100644
--- a/doc/api/webcrypto.md
+++ b/doc/api/webcrypto.md
@@ -555,9 +555,9 @@ added: v15.0.0
 added: v15.0.0
 -->
 
-* `algorithm`: {RsaOaepParams|AesCtrParams|AesCbcParams|AesGcmParams}
-* `key`: {CryptoKey}
-* `data`: {ArrayBuffer|TypedArray|DataView|Buffer}
+* `algorithm` {RsaOaepParams|AesCtrParams|AesCbcParams|AesGcmParams}
+* `key` {CryptoKey}
+* `data` {ArrayBuffer|TypedArray|DataView|Buffer}
 * Returns: {Promise} Fulfills with an {ArrayBuffer} upon success.
 
 Using the method and parameters specified in `algorithm` and the keying
@@ -593,9 +593,9 @@ changes:
 
 <!--lint disable maximum-line-length remark-lint-->
 
-* `algorithm`: {EcdhKeyDeriveParams|HkdfParams|Pbkdf2Params}
-* `baseKey`: {CryptoKey}
-* `length`: {number|null} **Default:** `null`
+* `algorithm` {EcdhKeyDeriveParams|HkdfParams|Pbkdf2Params}
+* `baseKey` {CryptoKey}
+* `length` {number|null} **Default:** `null`
 * Returns: {Promise} Fulfills with an {ArrayBuffer} upon success.
 
 <!--lint enable maximum-line-length remark-lint-->
@@ -633,11 +633,11 @@ changes:
 
 <!--lint disable maximum-line-length remark-lint-->
 
-* `algorithm`: {EcdhKeyDeriveParams|HkdfParams|Pbkdf2Params}
-* `baseKey`: {CryptoKey}
-* `derivedKeyAlgorithm`: {string|Algorithm|HmacImportParams|AesDerivedKeyParams}
-* `extractable`: {boolean}
-* `keyUsages`: {string\[]} See [Key usages][].
+* `algorithm` {EcdhKeyDeriveParams|HkdfParams|Pbkdf2Params}
+* `baseKey` {CryptoKey}
+* `derivedKeyAlgorithm` {string|Algorithm|HmacImportParams|AesDerivedKeyParams}
+* `extractable` {boolean}
+* `keyUsages` {string\[]} See [Key usages][].
 * Returns: {Promise} Fulfills with a {CryptoKey} upon success.
 
 <!--lint enable maximum-line-length remark-lint-->
@@ -665,8 +665,8 @@ The algorithms currently supported include:
 added: v15.0.0
 -->
 
-* `algorithm`: {string|Algorithm}
-* `data`: {ArrayBuffer|TypedArray|DataView|Buffer}
+* `algorithm` {string|Algorithm}
+* `data` {ArrayBuffer|TypedArray|DataView|Buffer}
 * Returns: {Promise} Fulfills with an {ArrayBuffer} upon success.
 
 Using the method identified by `algorithm`, `subtle.digest()` attempts to
@@ -689,9 +689,9 @@ whose value is one of the above.
 added: v15.0.0
 -->
 
-* `algorithm`: {RsaOaepParams|AesCtrParams|AesCbcParams|AesGcmParams}
-* `key`: {CryptoKey}
-* `data`: {ArrayBuffer|TypedArray|DataView|Buffer}
+* `algorithm` {RsaOaepParams|AesCtrParams|AesCbcParams|AesGcmParams}
+* `key` {CryptoKey}
+* `data` {ArrayBuffer|TypedArray|DataView|Buffer}
 * Returns: {Promise} Fulfills with an {ArrayBuffer} upon success.
 
 Using the method and parameters specified by `algorithm` and the keying
@@ -722,8 +722,8 @@ changes:
     description: Removed `'NODE-DSA'` JWK export.
 -->
 
-* `format`: {string} Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
-* `key`: {CryptoKey}
+* `format` {string} Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
+* `key` {CryptoKey}
 * Returns: {Promise} Fulfills with an {ArrayBuffer|Object} upon success.
 
 Exports the given key into the specified format, if supported.
@@ -761,12 +761,12 @@ added: v15.0.0
 
 <!--lint disable maximum-line-length remark-lint-->
 
-* `algorithm`: {string|Algorithm|RsaHashedKeyGenParams|EcKeyGenParams|HmacKeyGenParams|AesKeyGenParams}
+* `algorithm` {string|Algorithm|RsaHashedKeyGenParams|EcKeyGenParams|HmacKeyGenParams|AesKeyGenParams}
 
 <!--lint enable maximum-line-length remark-lint-->
 
-* `extractable`: {boolean}
-* `keyUsages`: {string\[]} See [Key usages][].
+* `extractable` {boolean}
+* `keyUsages` {string\[]} See [Key usages][].
 * Returns: {Promise} Fulfills with a {CryptoKey|CryptoKeyPair} upon success.
 
 Using the method and parameters provided in `algorithm`, `subtle.generateKey()`
@@ -810,17 +810,17 @@ changes:
     description: Removed `'NODE-DSA'` JWK import.
 -->
 
-* `format`: {string} Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
-* `keyData`: {ArrayBuffer|TypedArray|DataView|Buffer|Object}
+* `format` {string} Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
+* `keyData` {ArrayBuffer|TypedArray|DataView|Buffer|Object}
 
 <!--lint disable maximum-line-length remark-lint-->
 
-* `algorithm`: {string|Algorithm|RsaHashedImportParams|EcKeyImportParams|HmacImportParams}
+* `algorithm` {string|Algorithm|RsaHashedImportParams|EcKeyImportParams|HmacImportParams}
 
 <!--lint enable maximum-line-length remark-lint-->
 
-* `extractable`: {boolean}
-* `keyUsages`: {string\[]} See [Key usages][].
+* `extractable` {boolean}
+* `keyUsages` {string\[]} See [Key usages][].
 * Returns: {Promise} Fulfills with a {CryptoKey} upon success.
 
 The `subtle.importKey()` method attempts to interpret the provided `keyData`
@@ -865,9 +865,9 @@ changes:
 
 <!--lint disable maximum-line-length remark-lint-->
 
-* `algorithm`: {string|Algorithm|RsaPssParams|EcdsaParams|Ed448Params}
-* `key`: {CryptoKey}
-* `data`: {ArrayBuffer|TypedArray|DataView|Buffer}
+* `algorithm` {string|Algorithm|RsaPssParams|EcdsaParams|Ed448Params}
+* `key` {CryptoKey}
+* `data` {ArrayBuffer|TypedArray|DataView|Buffer}
 * Returns: {Promise} Fulfills with an {ArrayBuffer} upon success.
 
 <!--lint enable maximum-line-length remark-lint-->
@@ -892,19 +892,19 @@ The algorithms currently supported include:
 added: v15.0.0
 -->
 
-* `format`: {string} Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
-* `wrappedKey`: {ArrayBuffer|TypedArray|DataView|Buffer}
-* `unwrappingKey`: {CryptoKey}
+* `format` {string} Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
+* `wrappedKey` {ArrayBuffer|TypedArray|DataView|Buffer}
+* `unwrappingKey` {CryptoKey}
 
 <!--lint disable maximum-line-length remark-lint-->
 
-* `unwrapAlgo`: {string|Algorithm|RsaOaepParams|AesCtrParams|AesCbcParams|AesGcmParams}
-* `unwrappedKeyAlgo`: {string|Algorithm|RsaHashedImportParams|EcKeyImportParams|HmacImportParams}
+* `unwrapAlgo` {string|Algorithm|RsaOaepParams|AesCtrParams|AesCbcParams|AesGcmParams}
+* `unwrappedKeyAlgo` {string|Algorithm|RsaHashedImportParams|EcKeyImportParams|HmacImportParams}
 
 <!--lint enable maximum-line-length remark-lint-->
 
-* `extractable`: {boolean}
-* `keyUsages`: {string\[]} See [Key usages][].
+* `extractable` {boolean}
+* `keyUsages` {string\[]} See [Key usages][].
 * Returns: {Promise} Fulfills with a {CryptoKey} upon success.
 
 In cryptography, "wrapping a key" refers to exporting and then encrypting the
@@ -955,10 +955,10 @@ changes:
 
 <!--lint disable maximum-line-length remark-lint-->
 
-* `algorithm`: {string|Algorithm|RsaPssParams|EcdsaParams|Ed448Params}
-* `key`: {CryptoKey}
-* `signature`: {ArrayBuffer|TypedArray|DataView|Buffer}
-* `data`: {ArrayBuffer|TypedArray|DataView|Buffer}
+* `algorithm` {string|Algorithm|RsaPssParams|EcdsaParams|Ed448Params}
+* `key` {CryptoKey}
+* `signature` {ArrayBuffer|TypedArray|DataView|Buffer}
+* `data` {ArrayBuffer|TypedArray|DataView|Buffer}
 * Returns: {Promise} Fulfills with a {boolean} upon success.
 
 <!--lint enable maximum-line-length remark-lint-->
@@ -985,10 +985,10 @@ added: v15.0.0
 
 <!--lint disable maximum-line-length remark-lint-->
 
-* `format`: {string} Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
-* `key`: {CryptoKey}
-* `wrappingKey`: {CryptoKey}
-* `wrapAlgo`: {string|Algorithm|RsaOaepParams|AesCtrParams|AesCbcParams|AesGcmParams}
+* `format` {string} Must be one of `'raw'`, `'pkcs8'`, `'spki'`, or `'jwk'`.
+* `key` {CryptoKey}
+* `wrappingKey` {CryptoKey}
+* `wrapAlgo` {string|Algorithm|RsaOaepParams|AesCtrParams|AesCbcParams|AesGcmParams}
 * Returns: {Promise} Fulfills with an {ArrayBuffer} upon success.
 
 <!--lint enable maximum-line-length remark-lint-->
@@ -1572,7 +1572,7 @@ added: v15.0.0
 added: v15.0.0
 -->
 
-#### `pbkdb2Params.hash`
+#### `pbkdf2Params.hash`
 
 <!-- YAML
 added: v15.0.0
diff --git a/doc/api/webstreams.md b/doc/api/webstreams.md
index 7509451a933ffc..b1b22a56e2b45e 100644
--- a/doc/api/webstreams.md
+++ b/doc/api/webstreams.md
@@ -807,7 +807,7 @@ queue.
 added: v16.5.0
 -->
 
-* `chunk`: {Buffer|TypedArray|DataView}
+* `chunk` {Buffer|TypedArray|DataView}
 
 Appends a new chunk of data to the {ReadableStream}'s queue.
 
@@ -1077,7 +1077,7 @@ Releases this writer's lock on the underlying {ReadableStream}.
 added: v16.5.0
 -->
 
-* `chunk`: {any}
+* `chunk` {any}
 * Returns: A promise fulfilled with `undefined`.
 
 Appends a new chunk of data to the {WritableStream}'s queue.
diff --git a/doc/api/worker_threads.md b/doc/api/worker_threads.md
index f40df51f58384e..80949039875db2 100644
--- a/doc/api/worker_threads.md
+++ b/doc/api/worker_threads.md
@@ -721,6 +721,17 @@ An integer identifier for the current thread. On the corresponding worker object
 (if there is any), it is available as [`worker.threadId`][].
 This value is unique for each [`Worker`][] instance inside a single process.
 
+## `worker.threadName`
+
+<!-- YAML
+added: v24.6.0
+-->
+
+* {string|null}
+
+A string identifier for the current thread or null if the thread is not running.
+On the corresponding worker object (if there is any), it is available as [`worker.threadName`][].
+
 ## `worker.workerData`
 
 <!-- YAML
@@ -1758,6 +1769,19 @@ added: v10.5.0
 The `'online'` event is emitted when the worker thread has started executing
 JavaScript code.
 
+### `worker.cpuUsage([prev])`
+
+<!-- YAML
+added:
+- v24.6.0
+-->
+
+* Returns: {Promise}
+
+This method returns a `Promise` that will resolve to an object identical to [`process.threadCpuUsage()`][],
+or reject with an [`ERR_WORKER_NOT_RUNNING`][] error if the worker is no longer running.
+This methods allows the statistics to be observed from outside the actual thread.
+
 ### `worker.getHeapSnapshot([options])`
 
 <!-- YAML
@@ -1998,6 +2022,17 @@ An integer identifier for the referenced thread. Inside the worker thread,
 it is available as [`require('node:worker_threads').threadId`][].
 This value is unique for each `Worker` instance inside a single process.
 
+### `worker.threadName`
+
+<!-- YAML
+added: v24.6.0
+-->
+
+* {string|null}
+
+A string identifier for the referenced thread or null if the thread is not running.
+Inside the worker thread, it is available as [`require('node:worker_threads').threadName`][].
+
 ### `worker.unref()`
 
 <!-- YAML
@@ -2119,12 +2154,14 @@ thread spawned will spawn another until the application crashes.
 [`process.stderr`]: process.md#processstderr
 [`process.stdin`]: process.md#processstdin
 [`process.stdout`]: process.md#processstdout
+[`process.threadCpuUsage()`]: process.md#processthreadcpuusagepreviousvalue
 [`process.title`]: process.md#processtitle
 [`require('node:worker_threads').isMainThread`]: #workerismainthread
 [`require('node:worker_threads').parentPort.on('message')`]: #event-message
 [`require('node:worker_threads').parentPort.postMessage()`]: #workerpostmessagevalue-transferlist
 [`require('node:worker_threads').parentPort`]: #workerparentport
 [`require('node:worker_threads').threadId`]: #workerthreadid
+[`require('node:worker_threads').threadName`]: #workerthreadname
 [`require('node:worker_threads').workerData`]: #workerworkerdata
 [`trace_events`]: tracing.md
 [`v8.getHeapSnapshot()`]: v8.md#v8getheapsnapshotoptions
@@ -2135,6 +2172,7 @@ thread spawned will spawn another until the application crashes.
 [`worker.postMessage()`]: #workerpostmessagevalue-transferlist
 [`worker.terminate()`]: #workerterminate
 [`worker.threadId`]: #workerthreadid_1
+[`worker.threadName`]: #workerthreadname_1
 [async-resource-worker-pool]: async_context.md#using-asyncresource-for-a-worker-thread-pool
 [browser `LockManager`]: https://developer.mozilla.org/en-US/docs/Web/API/LockManager
 [browser `MessagePort`]: https://developer.mozilla.org/en-US/docs/Web/API/MessagePort
diff --git a/doc/api/zlib.md b/doc/api/zlib.md
index 78330445a846ca..c3f827ee0c23d0 100644
--- a/doc/api/zlib.md
+++ b/doc/api/zlib.md
@@ -1069,6 +1069,9 @@ Each Zstd-based class takes an `options` object. All options are optional.
 * `maxOutputLength` {integer} Limits output size when using
   [convenience methods][]. **Default:** [`buffer.kMaxLength`][]
 * `info` {boolean} If `true`, returns an object with `buffer` and `engine`. **Default:** `false`
+* `dictionary` {Buffer} Optional dictionary used to
+  improve compression efficiency when compressing or decompressing data that
+  shares common patterns with the dictionary.
 
 For example:
 
diff --git a/doc/changelogs/CHANGELOG_V24.md b/doc/changelogs/CHANGELOG_V24.md
index 0994f7cd51f566..eb6c549d0b8191 100644
--- a/doc/changelogs/CHANGELOG_V24.md
+++ b/doc/changelogs/CHANGELOG_V24.md
@@ -8,6 +8,7 @@
 </tr>
 <tr>
 <td>
+<a href="#24.6.0">24.6.0</a><br/>
 <a href="#24.5.0">24.5.0</a><br/>
 <a href="#24.4.1">24.4.1</a><br/>
 <a href="#24.4.0">24.4.0</a><br/>
@@ -47,6 +48,101 @@
   * [io.js](CHANGELOG_IOJS.md)
   * [Archive](CHANGELOG_ARCHIVE.md)
 
+<a id="24.6.0"></a>
+
+## 2025-08-14, Version 24.6.0 (Current), @RafaelGSS
+
+### Notable Changes
+
+* \[[`471fe712b3`](https://github.com/nodejs/node/commit/471fe712b3)] - **(SEMVER-MINOR)** **cli**: add NODE\_USE\_SYSTEM\_CA=1 (Joyee Cheung) [#59276](https://github.com/nodejs/node/pull/59276)
+* \[[`38aedfbf73`](https://github.com/nodejs/node/commit/38aedfbf73)] - **(SEMVER-MINOR)** **crypto**: support ML-DSA KeyObject, sign, and verify (Filip Skokan) [#59259](https://github.com/nodejs/node/pull/59259)
+* \[[`201304537e`](https://github.com/nodejs/node/commit/201304537e)] - **(SEMVER-MINOR)** **zlib**: add dictionary support to zstdCompress and zstdDecompress (lluisemper) [#59240](https://github.com/nodejs/node/pull/59240)
+* \[[`e79c93a5d0`](https://github.com/nodejs/node/commit/e79c93a5d0)] - **(SEMVER-MINOR)** **http**: add server.keepAliveTimeoutBuffer option (Haram Jeong) [#59243](https://github.com/nodejs/node/pull/59243)
+* \[[`c144d69efc`](https://github.com/nodejs/node/commit/c144d69efc)] - **lib**: docs deprecate \_http\_\* (Sebastian Beltran) [#59293](https://github.com/nodejs/node/pull/59293)
+* \[[`aeb4de55a7`](https://github.com/nodejs/node/commit/aeb4de55a7)] - **(SEMVER-MINOR)** **fs**: port SonicBoom module to fs module as Utf8Stream (James M Snell) [#58897](https://github.com/nodejs/node/pull/58897)
+
+### Commits
+
+* \[[`f7484575ff`](https://github.com/nodejs/node/commit/f7484575ff)] - **assert**: change utils to use index instead of for...of (방진혁) [#59278](https://github.com/nodejs/node/pull/59278)
+* \[[`269cd16185`](https://github.com/nodejs/node/commit/269cd16185)] - **benchmark**: remove deprecated \_extend from benchmark (Rafael Gonzaga) [#59228](https://github.com/nodejs/node/pull/59228)
+* \[[`848e49c20b`](https://github.com/nodejs/node/commit/848e49c20b)] - **benchmark**: add fs warmup to writefile-promises (Bruno Rodrigues) [#59215](https://github.com/nodejs/node/pull/59215)
+* \[[`8c609be1b1`](https://github.com/nodejs/node/commit/8c609be1b1)] - **benchmark**: add calibrate-n script (Rafael Gonzaga) [#59186](https://github.com/nodejs/node/pull/59186)
+* \[[`6a3bf772d8`](https://github.com/nodejs/node/commit/6a3bf772d8)] - **build**: fix node\_use\_sqlite for GN builds (Shelley Vohr) [#59017](https://github.com/nodejs/node/pull/59017)
+* \[[`471fe712b3`](https://github.com/nodejs/node/commit/471fe712b3)] - **(SEMVER-MINOR)** **cli**: add NODE\_USE\_SYSTEM\_CA=1 (Joyee Cheung) [#59276](https://github.com/nodejs/node/pull/59276)
+* \[[`38aedfbf73`](https://github.com/nodejs/node/commit/38aedfbf73)] - **(SEMVER-MINOR)** **crypto**: support ML-DSA KeyObject, sign, and verify (Filip Skokan) [#59259](https://github.com/nodejs/node/pull/59259)
+* \[[`a312e706cf`](https://github.com/nodejs/node/commit/a312e706cf)] - **crypto**: prepare webcrypto key import/export for modern algorithms (Filip Skokan) [#59284](https://github.com/nodejs/node/pull/59284)
+* \[[`3a7c2c3a47`](https://github.com/nodejs/node/commit/3a7c2c3a47)] - **deps**: update ada to 3.2.7 (Node.js GitHub Bot) [#59336](https://github.com/nodejs/node/pull/59336)
+* \[[`8d9ceeaf6a`](https://github.com/nodejs/node/commit/8d9ceeaf6a)] - **deps**: update archs files for openssl-3.5.2 (Node.js GitHub Bot) [#59371](https://github.com/nodejs/node/pull/59371)
+* \[[`33b06df354`](https://github.com/nodejs/node/commit/33b06df354)] - **deps**: upgrade openssl sources to openssl-3.5.2 (Node.js GitHub Bot) [#59371](https://github.com/nodejs/node/pull/59371)
+* \[[`fa70f1af77`](https://github.com/nodejs/node/commit/fa70f1af77)] - **deps**: support madvise(3C) across ALL illumos revisions (Dan McDonald) [#58237](https://github.com/nodejs/node/pull/58237)
+* \[[`f834a6be59`](https://github.com/nodejs/node/commit/f834a6be59)] - **deps**: update undici to 7.13.0 (Node.js GitHub Bot) [#59338](https://github.com/nodejs/node/pull/59338)
+* \[[`db2417487e`](https://github.com/nodejs/node/commit/db2417487e)] - **deps**: update sqlite to 3.50.4 (Node.js GitHub Bot) [#59337](https://github.com/nodejs/node/pull/59337)
+* \[[`41978adb08`](https://github.com/nodejs/node/commit/41978adb08)] - **deps**: V8: backport 493cb53691be (Chengzhong Wu) [#59238](https://github.com/nodejs/node/pull/59238)
+* \[[`05667991ca`](https://github.com/nodejs/node/commit/05667991ca)] - **deps**: V8: backport 1c3e018e7d48 (Renegade334) [#58818](https://github.com/nodejs/node/pull/58818)
+* \[[`fd61588bb4`](https://github.com/nodejs/node/commit/fd61588bb4)] - **doc**: rename x509.extKeyUsage to x509.keyUsage (Filip Skokan) [#59332](https://github.com/nodejs/node/pull/59332)
+* \[[`a271ae4360`](https://github.com/nodejs/node/commit/a271ae4360)] - **doc**: fix Pbkdf2Params hash attribute heading (Filip Skokan) [#59395](https://github.com/nodejs/node/pull/59395)
+* \[[`72cfff165b`](https://github.com/nodejs/node/commit/72cfff165b)] - **doc**: fix missing reference links for server.keepAliveTimeoutBuffer (Lee Jiho) [#59356](https://github.com/nodejs/node/pull/59356)
+* \[[`8341916772`](https://github.com/nodejs/node/commit/8341916772)] - **doc**: fix grammar in global dispatcher usage (Eng Zer Jun) [#59344](https://github.com/nodejs/node/pull/59344)
+* \[[`e3e489706b`](https://github.com/nodejs/node/commit/e3e489706b)] - **doc**: run license-builder (github-actions\[bot]) [#59343](https://github.com/nodejs/node/pull/59343)
+* \[[`46527e8cea`](https://github.com/nodejs/node/commit/46527e8cea)] - **doc**: correct orthography `eg.` → `e.g.` (Jacob Smith) [#59329](https://github.com/nodejs/node/pull/59329)
+* \[[`d140c3713e`](https://github.com/nodejs/node/commit/d140c3713e)] - **doc**: clarify the need of compiler compatible with c++20 (Rafael Gonzaga) [#59297](https://github.com/nodejs/node/pull/59297)
+* \[[`95e9cabf9d`](https://github.com/nodejs/node/commit/95e9cabf9d)] - **doc**: clarify release candidate stability index (Filip Skokan) [#59295](https://github.com/nodejs/node/pull/59295)
+* \[[`a056dd36d2`](https://github.com/nodejs/node/commit/a056dd36d2)] - **doc**: add WDYT to glossary (btea) [#59280](https://github.com/nodejs/node/pull/59280)
+* \[[`1e2c52f5c4`](https://github.com/nodejs/node/commit/1e2c52f5c4)] - **doc**: add manpage entry for --use-system-ca (Joyee Cheung) [#59273](https://github.com/nodejs/node/pull/59273)
+* \[[`31a46fdeb4`](https://github.com/nodejs/node/commit/31a46fdeb4)] - **doc**: add path.join and path.normalize clarification (Rafael Gonzaga) [#59262](https://github.com/nodejs/node/pull/59262)
+* \[[`cff3725ff9`](https://github.com/nodejs/node/commit/cff3725ff9)] - **doc**: fix typo in `test/common/README.md` (Yoo) [#59180](https://github.com/nodejs/node/pull/59180)
+* \[[`31a9283591`](https://github.com/nodejs/node/commit/31a9283591)] - **doc**: add note on process memoryUsage (fengmk2) [#59026](https://github.com/nodejs/node/pull/59026)
+* \[[`5a98bff6b8`](https://github.com/nodejs/node/commit/5a98bff6b8)] - **doc**: format safely for `doc-kit` (Aviv Keller) [#59229](https://github.com/nodejs/node/pull/59229)
+* \[[`95b8b7ea5c`](https://github.com/nodejs/node/commit/95b8b7ea5c)] - **domain**: remove deprecated API call (Alex Yang) [#59339](https://github.com/nodejs/node/pull/59339)
+* \[[`2990f178bd`](https://github.com/nodejs/node/commit/2990f178bd)] - **fs**: fix glob TypeError on restricted dirs (Sylphy-0xd3ac) [#58674](https://github.com/nodejs/node/pull/58674)
+* \[[`e2fb4caf9c`](https://github.com/nodejs/node/commit/e2fb4caf9c)] - **fs**: correct error message when FileHandle is transferred (Alex Yang) [#59156](https://github.com/nodejs/node/pull/59156)
+* \[[`aeb4de55a7`](https://github.com/nodejs/node/commit/aeb4de55a7)] - **(SEMVER-MINOR)** **fs**: port SonicBoom module to fs module as Utf8Stream (James M Snell) [#58897](https://github.com/nodejs/node/pull/58897)
+* \[[`e79c93a5d0`](https://github.com/nodejs/node/commit/e79c93a5d0)] - **(SEMVER-MINOR)** **http**: add server.keepAliveTimeoutBuffer option (Haram Jeong) [#59243](https://github.com/nodejs/node/pull/59243)
+* \[[`0fb005a53f`](https://github.com/nodejs/node/commit/0fb005a53f)] - **http2**: set Http2Stream#sentHeaders for raw headers (Darshan Sen) [#59244](https://github.com/nodejs/node/pull/59244)
+* \[[`e055539604`](https://github.com/nodejs/node/commit/e055539604)] - **lib**: add trace-sigint APIs (theanarkh) [#59040](https://github.com/nodejs/node/pull/59040)
+* \[[`d2183d860a`](https://github.com/nodejs/node/commit/d2183d860a)] - **lib**: optimize writable stream buffer clearing (Yoo) [#59406](https://github.com/nodejs/node/pull/59406)
+* \[[`47543a7e17`](https://github.com/nodejs/node/commit/47543a7e17)] - **lib**: handle windows reserved device names on UNC (Rafael Gonzaga) [#59286](https://github.com/nodejs/node/pull/59286)
+* \[[`c6911f0717`](https://github.com/nodejs/node/commit/c6911f0717)] - **lib**: do not modify prototype deprecated asyncResource (RafaelGSS) [#59195](https://github.com/nodejs/node/pull/59195)
+* \[[`3c88b769bb`](https://github.com/nodejs/node/commit/3c88b769bb)] - **lib**: restructure assert to become a class (Miguel Marcondes Filho) [#58253](https://github.com/nodejs/node/pull/58253)
+* \[[`e91b54df59`](https://github.com/nodejs/node/commit/e91b54df59)] - **lib**: handle superscript variants on windows device (Rafael Gonzaga) [#59261](https://github.com/nodejs/node/pull/59261)
+* \[[`4ee467905d`](https://github.com/nodejs/node/commit/4ee467905d)] - **lib**: use validateString (hotpineapple) [#59296](https://github.com/nodejs/node/pull/59296)
+* \[[`c144d69efc`](https://github.com/nodejs/node/commit/c144d69efc)] - **lib**: docs deprecate \_http\_\* (Sebastian Beltran) [#59293](https://github.com/nodejs/node/pull/59293)
+* \[[`c89b67e681`](https://github.com/nodejs/node/commit/c89b67e681)] - **lib**: add type names in source mapped stack traces (Chengzhong Wu) [#58976](https://github.com/nodejs/node/pull/58976)
+* \[[`5b2363be8d`](https://github.com/nodejs/node/commit/5b2363be8d)] - **lib**: prefer AsyncIteratorPrototype primordial (René) [#59097](https://github.com/nodejs/node/pull/59097)
+* \[[`41b4f4d694`](https://github.com/nodejs/node/commit/41b4f4d694)] - **meta**: clarify pr objection process further (James M Snell) [#59096](https://github.com/nodejs/node/pull/59096)
+* \[[`0eb5962f1e`](https://github.com/nodejs/node/commit/0eb5962f1e)] - **meta**: add mailmap entry for aditi-1400 (Aditi) [#59316](https://github.com/nodejs/node/pull/59316)
+* \[[`a2b72c2304`](https://github.com/nodejs/node/commit/a2b72c2304)] - **meta**: add tsc and build team as codeowners building.md (Rafael Gonzaga) [#59298](https://github.com/nodejs/node/pull/59298)
+* \[[`d69f3ee1e0`](https://github.com/nodejs/node/commit/d69f3ee1e0)] - **meta**: add nodejs/path to path files (Rafael Gonzaga) [#59289](https://github.com/nodejs/node/pull/59289)
+* \[[`1e37eab865`](https://github.com/nodejs/node/commit/1e37eab865)] - **node-api**: reword "implementation in an alternative VM" as implementable (Chengzhong Wu) [#59036](https://github.com/nodejs/node/pull/59036)
+* \[[`64add6302a`](https://github.com/nodejs/node/commit/64add6302a)] - **src**: use simdjson to parse SEA configuration (Joyee Cheung) [#59323](https://github.com/nodejs/node/pull/59323)
+* \[[`e9c6636585`](https://github.com/nodejs/node/commit/e9c6636585)] - **src**: mark realm leaf classes final (Anna Henningsen) [#59355](https://github.com/nodejs/node/pull/59355)
+* \[[`42ef8147d1`](https://github.com/nodejs/node/commit/42ef8147d1)] - **src**: warn about FastOneByteString invalidation (James M Snell) [#59275](https://github.com/nodejs/node/pull/59275)
+* \[[`8686b8037a`](https://github.com/nodejs/node/commit/8686b8037a)] - **src**: remove unused DSAKeyExportJob (Filip Skokan) [#59291](https://github.com/nodejs/node/pull/59291)
+* \[[`1e5f632666`](https://github.com/nodejs/node/commit/1e5f632666)] - **src**: use C++20 `contains()` method (iknoom) [#59304](https://github.com/nodejs/node/pull/59304)
+* \[[`22d4683cfe`](https://github.com/nodejs/node/commit/22d4683cfe)] - **src**: added CHECK\_NOT\_NULL check for multiple eq\_wrap\_async (F3lixTheCat) [#59267](https://github.com/nodejs/node/pull/59267)
+* \[[`6a47ff4943`](https://github.com/nodejs/node/commit/6a47ff4943)] - **src**: clear all linked module caches once instantiated (Chengzhong Wu) [#59117](https://github.com/nodejs/node/pull/59117)
+* \[[`33728cb4ca`](https://github.com/nodejs/node/commit/33728cb4ca)] - **src**: add nullptr checks in `StreamPipe::New` (Burkov Egor) [#57613](https://github.com/nodejs/node/pull/57613)
+* \[[`4a907bdad1`](https://github.com/nodejs/node/commit/4a907bdad1)] - **src**: add percentage support to --max-old-space-size (Asaf Federman) [#59082](https://github.com/nodejs/node/pull/59082)
+* \[[`7c189d4f55`](https://github.com/nodejs/node/commit/7c189d4f55)] - **test**: deflake sequential/test-tls-session-timeout (Joyee Cheung) [#59423](https://github.com/nodejs/node/pull/59423)
+* \[[`fb0a6fb57f`](https://github.com/nodejs/node/commit/fb0a6fb57f)] - **test**: exclude mock from coverage (Shima Ryuhei) [#59348](https://github.com/nodejs/node/pull/59348)
+* \[[`7e10f95f13`](https://github.com/nodejs/node/commit/7e10f95f13)] - **test**: split test-fs-cp.js (Joyee Cheung) [#59408](https://github.com/nodejs/node/pull/59408)
+* \[[`41bcf5f659`](https://github.com/nodejs/node/commit/41bcf5f659)] - **test**: update WPT resources,WebCryptoAPI,webstorage (Filip Skokan) [#59311](https://github.com/nodejs/node/pull/59311)
+* \[[`f9f3dc94cb`](https://github.com/nodejs/node/commit/f9f3dc94cb)] - **test**: add known issue test for fs.cpSync dereference bug (James M Snell) [#58941](https://github.com/nodejs/node/pull/58941)
+* \[[`244d0c38a8`](https://github.com/nodejs/node/commit/244d0c38a8)] - **test**: deflake stream-readable-to-web test (Ethan Arrowood) [#58948](https://github.com/nodejs/node/pull/58948)
+* \[[`564e604a1a`](https://github.com/nodejs/node/commit/564e604a1a)] - **test**: make test-inspector-network-resource sequential (Shima Ryuhei) [#59104](https://github.com/nodejs/node/pull/59104)
+* \[[`7ab13b7477`](https://github.com/nodejs/node/commit/7ab13b7477)] - **test**: don't use expose internals in test-http-outgoing-buffer.js (Meghan Denny) [#59219](https://github.com/nodejs/node/pull/59219)
+* \[[`319df3859a`](https://github.com/nodejs/node/commit/319df3859a)] - **test,crypto**: skip unsupported ciphers (Shelley Vohr) [#59388](https://github.com/nodejs/node/pull/59388)
+* \[[`713c70c32a`](https://github.com/nodejs/node/commit/713c70c32a)] - **test\_runner**: remove unused callee convertion (Alex Yang) [#59221](https://github.com/nodejs/node/pull/59221)
+* \[[`e4ca30e115`](https://github.com/nodejs/node/commit/e4ca30e115)] - **tools**: disable nullability-completeness warnings (Michaël Zasso) [#59392](https://github.com/nodejs/node/pull/59392)
+* \[[`dab7f6b542`](https://github.com/nodejs/node/commit/dab7f6b542)] - **tools**: check for std::vector\<v8::Local> in lint (Aditi) [#58497](https://github.com/nodejs/node/pull/58497)
+* \[[`7b94982eb0`](https://github.com/nodejs/node/commit/7b94982eb0)] - **tools**: allow selecting test subsystems with numbers in their names (Darshan Sen) [#59242](https://github.com/nodejs/node/pull/59242)
+* \[[`16bbcd8881`](https://github.com/nodejs/node/commit/16bbcd8881)] - **typings**: improve internal binding types (Nam Yooseong) [#59351](https://github.com/nodejs/node/pull/59351)
+* \[[`76bc4d659b`](https://github.com/nodejs/node/commit/76bc4d659b)] - **typings**: improve internal binding types (Michaël Zasso) [#59176](https://github.com/nodejs/node/pull/59176)
+* \[[`eecd3272a6`](https://github.com/nodejs/node/commit/eecd3272a6)] - **worker**: add name for worker (theanarkh) [#59213](https://github.com/nodejs/node/pull/59213)
+* \[[`84c3513ce2`](https://github.com/nodejs/node/commit/84c3513ce2)] - **worker**: implements nits in Web Locks code (Antoine du Hamel) [#59270](https://github.com/nodejs/node/pull/59270)
+* \[[`bd68fbd753`](https://github.com/nodejs/node/commit/bd68fbd753)] - **worker**: add cpuUsage for worker (theanarkh) [#59177](https://github.com/nodejs/node/pull/59177)
+* \[[`201304537e`](https://github.com/nodejs/node/commit/201304537e)] - **(SEMVER-MINOR)** **zlib**: add dictionary support to zstdCompress and zstdDecompress (lluisemper) [#59240](https://github.com/nodejs/node/pull/59240)
+
 <a id="24.5.0"></a>
 
 ## 2025-07-31, Version 24.5.0 (Current), @aduh95
diff --git a/doc/contributing/adding-new-napi-api.md b/doc/contributing/adding-new-napi-api.md
index 196075be20aade..b17abb03ad7a5c 100644
--- a/doc/contributing/adding-new-napi-api.md
+++ b/doc/contributing/adding-new-napi-api.md
@@ -37,7 +37,7 @@ please follow these principles and guidelines:
 
 2. **Review and approval**
    * A new API addition **must** be signed off by at least two Node-API team members.
-   * **Should** be implemented in at least one other VM implementation of Node.js.
+   * **Should** be implemented in terms of available VM APIs in at least one other VM implementation of Node.js.
 
 3. **Experimental phase**
    * New APIs **must** be marked as experimental for at least one minor Node.js release before promotion.
@@ -49,4 +49,4 @@ please follow these principles and guidelines:
      * Approval by the Node-API team.
      * Availability of a down-level implementation if backporting is needed.
      * Usage by a published real-world module.
-     * Implementation in an alternative VM.
+     * Implementable in an alternative VM.
diff --git a/doc/contributing/collaborator-guide.md b/doc/contributing/collaborator-guide.md
index d883533d26e218..3d77e1e0fe7463 100644
--- a/doc/contributing/collaborator-guide.md
+++ b/doc/contributing/collaborator-guide.md
@@ -154,10 +154,13 @@ requirements. If a pull request meets all requirements except the
 
 Collaborators can object to a pull request by using the "Request
 Changes" GitHub feature. Dissent comments alone don't constitute an
-objection. Any pull request objection must include a clear reason for that
-objection, and the objector must remain responsive for further discussion
-towards consensus about the direction of the pull request. Where possible,
-provide a set of actionable steps alongside the objection.
+objection, nor do dissenting comments made in any associated issue.
+A blocking objection to a change must be made in the pull request that
+specifically proposes that change. Any pull request objection must include
+a clear reason for that objection, and the objector must remain responsive
+for further discussion towards consensus about the direction of the pull
+request. Where possible, provide a set of actionable steps alongside the
+objection.
 
 If the objection is not clear to others, another collaborator can ask an
 objecting collaborator to explain their objection or to provide actionable
@@ -168,7 +171,22 @@ dismiss the objection.
 Pull requests with outstanding objections must remain open until all
 objections are satisfied. If reaching consensus is not possible, a
 collaborator can escalate the issue to the TSC by pinging `@nodejs/tsc` and
-adding the `tsc-agenda` label to the issue.
+adding the `tsc-agenda` label to the issue. The change cannot proceed without
+either reaching consensus or a TSC decision to dismiss the objection(s). If the
+TSC does choose to dismiss any objections, a clear explanation of the reasoning
+or a link to the public vote must be given in the pull request before it lands.
+
+All Collaborator objections are considered equal. There is no greater weight given to
+objections from TSC members than from any other Collaborator.
+
+Mistakes do happen. If a pull request is merged with an unresolved objection,
+submit a fix. Simple issues may be fixed with a follow-up PR that addresses
+the concern. More difficult issues may require a full revert. Most corrections
+can be fast-tracked. If deemed necessary take a slower route to ensure stability
+and consensus.
+
+Collaborators objecting to a pull request can best ensure their objections
+are addressed by remaining engaged and responsive in the discussion.
 
 #### Helpful resources
 
diff --git a/doc/contributing/investigating-native-memory-leaks.md b/doc/contributing/investigating-native-memory-leaks.md
index 4d565fe031244f..6639617b54c53c 100644
--- a/doc/contributing/investigating-native-memory-leaks.md
+++ b/doc/contributing/investigating-native-memory-leaks.md
@@ -396,7 +396,7 @@ call:
 }
 ```
 
-Create a file (eg. `node-12.14.1.supp`) with the contents of the suppression
+Create a file (e.g. `node-12.14.1.supp`) with the contents of the suppression
 records, and run Valgrind with the suppression file previously created:
 
 ```bash
diff --git a/doc/contributing/writing-and-running-benchmarks.md b/doc/contributing/writing-and-running-benchmarks.md
index 1ff494c7c4d90f..5c9709bab882a3 100644
--- a/doc/contributing/writing-and-running-benchmarks.md
+++ b/doc/contributing/writing-and-running-benchmarks.md
@@ -9,6 +9,7 @@
   * [Benchmark analysis requirements](#benchmark-analysis-requirements)
 * [Running benchmarks](#running-benchmarks)
   * [Running individual benchmarks](#running-individual-benchmarks)
+  * [Calibrating the number of iterations with calibrate-n.js](#calibrating-the-number-of-iterations-with-calibrate-njs)
   * [Running all benchmarks](#running-all-benchmarks)
   * [Specifying CPU Cores for Benchmarks with run.js](#specifying-cpu-cores-for-benchmarks-with-runjs)
   * [Filtering benchmarks](#filtering-benchmarks)
@@ -142,6 +143,46 @@ buffers/buffer-tostring.js n=10000000 len=1024 arg=true: 3498295.68561504
 buffers/buffer-tostring.js n=10000000 len=1024 arg=false: 3783071.1678948295
 ```
 
+### Calibrating the number of iterations with calibrate-n.js
+
+Before running benchmarks, it's often useful to determine the optimal number of iterations (`n`)
+that provides statistically stable results. The `calibrate-n.js` tool helps find this value by
+running a benchmark multiple times with increasing `n` values until the coefficient of variation (CV)
+falls below a target threshold.
+
+```console
+$ node benchmark/calibrate-n.js benchmark/buffers/buffer-compare.js
+
+--------------------------------------------------------
+Benchmark: buffers/buffer-compare.js
+--------------------------------------------------------
+What we are trying to find: The optimal number of iterations (n)
+that produces consistent benchmark results without wasting time.
+
+How it works:
+1. Run the benchmark multiple times with a specific n value
+2. Group results by configuration
+3. If overall CV is above 5% or any configuration has CV above 10%, increase n and try again
+4. Stop when we have stable results (overall CV < 5% and all configs CV < 10%) or max increases reached
+
+Configuration:
+- Starting n: 10 iterations
+- Runs per n value: 30
+- Target CV threshold: 5% (lower CV = more stable results)
+- Max increases: 6
+- Increase factor: 10x
+```
+
+The tool accepts several options:
+
+* `--runs=N`: Number of runs for each n value (default: 30)
+* `--cv-threshold=N`: Target coefficient of variation threshold (default: 0.05)
+* `--max-increases=N`: Maximum number of n increases to try (default: 6)
+* `--start-n=N`: Initial n value to start with (default: 10)
+* `--increase=N`: Factor by which to increase n (default: 10)
+
+Once you've determined a stable `n` value, you can use it when running your benchmarks.
+
 ### Running all benchmarks
 
 Similar to running individual benchmarks, a group of benchmarks can be executed
diff --git a/doc/node-config-schema.json b/doc/node-config-schema.json
index 6ede911f26bbfd..ba83550f09426c 100644
--- a/doc/node-config-schema.json
+++ b/doc/node-config-schema.json
@@ -266,6 +266,9 @@
         "max-http-header-size": {
           "type": "number"
         },
+        "max-old-space-size-percentage": {
+          "type": "string"
+        },
         "network-family-autoselection": {
           "type": "boolean"
         },
diff --git a/doc/node.1 b/doc/node.1
index 3f81f9bc09beab..3e9b376a0739b2 100644
--- a/doc/node.1
+++ b/doc/node.1
@@ -332,6 +332,16 @@ The file used to store localStorage data.
 .It Fl -max-http-header-size Ns = Ns Ar size
 Specify the maximum size of HTTP headers in bytes. Defaults to 16 KiB.
 .
+.It Fl -max-old-space-size-percentage Ns = Ns Ar percentage
+Sets the max memory size of V8's old memory section as a percentage of available system memory.
+This flag takes precedence over
+.Fl -max-old-space-size
+when both are specified.
+The
+.Ar percentage
+parameter must be a number greater than 0 and up to 100, representing the percentage
+of available system memory to allocate to the V8 heap.
+.
 .It Fl -napi-modules
 This option is a no-op.
 It is kept for compatibility.
@@ -603,6 +613,13 @@ and
 .It Fl -use-env-proxy
 Parse proxy settings from HTTP_PROXY/HTTPS_PROXY/NO_PROXY environment variables and apply the setting in global HTTP/HTTPS clients.
 .
+.It Fl -use-system-ca
+Use the trusted CA certificates present in the system store, in addition to the certificates in the
+bundled Mozilla CA store and certificates from `NODE_EXTRA_CA_CERTS`. On Windows and macOS, it uses system APIs to
+integrate additional trusted certificates. On other platforms it is similar to `--use-openssl-ca` with the difference
+being that it caches the certificates on first load, and the system certificates are added in a complementary manner
+without replacing certificates from other sources. This flag supersedes `--use-openssl-ca`.
+.
 .It Fl -use-largepages Ns = Ns Ar mode
 Re-map the Node.js static code to large memory pages at startup. If supported on
 the target system, this will cause the Node.js static code to be moved onto 2
@@ -824,6 +841,12 @@ This currently only affects requests sent over
 .Ar fetch() .
 Support for other built-in http and https methods is under way.
 .
+.It Ev NODE_USE_SYSTEM_CA
+Similar to
+.Fl -use-system-ca .
+Use the trusted CA certificates present in the system store, in addition to the certificates in the
+bundled Mozilla CA store and certificates from `NODE_EXTRA_CA_CERTS`.
+.
 .It Ev NODE_V8_COVERAGE Ar dir
 When set, Node.js writes JavaScript code coverage information to
 .Ar dir .
diff --git a/glossary.md b/glossary.md
index 3c5369d5d9cde3..fe3b8b6e8804fd 100644
--- a/glossary.md
+++ b/glossary.md
@@ -99,6 +99,7 @@ This file documents various terms and definitions used throughout the Node.js co
   various aspects of the web ecosystem.
 * **WASI**: [Web Assembly System Interface][] - Interface for WebAssembly.
 * **WASM**: Web Assembly - Binary instruction format for a stack-based virtual machine.
+* **WDYT**: What Do You Think?
 * **WG**: Working Group - Autonomous teams in the project with specific focus areas.
 * **WHATWG**: [Web Hypertext Application Technology Working Group][] - Community developing web standards.
 * **WIP**: Work In Progress - Unfinished work that may be worth an early look.
diff --git a/lib/_http_client.js b/lib/_http_client.js
index f5d3d711a7f165..63a7befc8ebbb3 100644
--- a/lib/_http_client.js
+++ b/lib/_http_client.js
@@ -80,6 +80,7 @@ const {
 const {
   validateInteger,
   validateBoolean,
+  validateString,
 } = require('internal/validators');
 const { getTimerDuration } = require('internal/timers');
 const {
@@ -270,12 +271,11 @@ function ClientRequest(input, options, cb) {
     delete optsWithoutSignal.signal;
   }
   let method = options.method;
-  const methodIsString = (typeof method === 'string');
-  if (method !== null && method !== undefined && !methodIsString) {
-    throw new ERR_INVALID_ARG_TYPE('options.method', 'string', method);
+  if (method != null) {
+    validateString(method, 'options.method');
   }
 
-  if (methodIsString && method) {
+  if (method) {
     if (!checkIsHttpToken(method)) {
       throw new ERR_INVALID_HTTP_TOKEN('Method', method);
     }
diff --git a/lib/_http_server.js b/lib/_http_server.js
index dd743baa306183..de71fdf7228b05 100644
--- a/lib/_http_server.js
+++ b/lib/_http_server.js
@@ -25,6 +25,7 @@ const {
   ArrayIsArray,
   Error,
   MathMin,
+  NumberIsFinite,
   ObjectKeys,
   ObjectSetPrototypeOf,
   ReflectApply,
@@ -184,8 +185,6 @@ const kConnections = Symbol('http.server.connections');
 const kConnectionsCheckingInterval = Symbol('http.server.connectionsCheckingInterval');
 
 const HTTP_SERVER_TRACE_EVENT_NAME = 'http.server.request';
-// TODO(jazelly): make this configurable
-const HTTP_SERVER_KEEP_ALIVE_TIMEOUT_BUFFER = 1000;
 
 class HTTPServerAsyncResource {
   constructor(type, socket) {
@@ -484,6 +483,14 @@ function storeHTTPOptions(options) {
     this.keepAliveTimeout = 5_000; // 5 seconds;
   }
 
+  const keepAliveTimeoutBuffer = options.keepAliveTimeoutBuffer;
+  if (keepAliveTimeoutBuffer !== undefined) {
+    validateInteger(keepAliveTimeoutBuffer, 'keepAliveTimeoutBuffer', 0);
+    this.keepAliveTimeoutBuffer = keepAliveTimeoutBuffer;
+  } else {
+    this.keepAliveTimeoutBuffer = 1000;
+  }
+
   const connectionsCheckingInterval = options.connectionsCheckingInterval;
   if (connectionsCheckingInterval !== undefined) {
     validateInteger(connectionsCheckingInterval, 'connectionsCheckingInterval', 0);
@@ -546,6 +553,13 @@ function Server(options, requestListener) {
   }
 
   storeHTTPOptions.call(this, options);
+
+  // Optional buffer added to the keep-alive timeout when setting socket timeouts.
+  // Helps reduce ECONNRESET errors from clients by extending the internal timeout.
+  // Default is 1000ms if not specified.
+  const buf = options.keepAliveTimeoutBuffer;
+  this.keepAliveTimeoutBuffer =
+  (typeof buf === 'number' && NumberIsFinite(buf) && buf >= 0) ? buf : 1000;
   net.Server.call(
     this,
     { allowHalfOpen: true, noDelay: options.noDelay ?? true,
@@ -1012,9 +1026,10 @@ function resOnFinish(req, res, socket, state, server) {
     }
   } else if (state.outgoing.length === 0) {
     if (server.keepAliveTimeout && typeof socket.setTimeout === 'function') {
-      // Increase the internal timeout wrt the advertised value to reduce
+      // Extend the internal timeout by the configured buffer to reduce
       // the likelihood of ECONNRESET errors.
-      socket.setTimeout(server.keepAliveTimeout + HTTP_SERVER_KEEP_ALIVE_TIMEOUT_BUFFER);
+      // This allows fine-tuning beyond the advertised keepAliveTimeout.
+      socket.setTimeout(server.keepAliveTimeout + server.keepAliveTimeoutBuffer);
       state.keepAliveTimeoutSet = true;
     }
   } else {
diff --git a/lib/assert.js b/lib/assert.js
index af34cbfd3f4e42..f2ce5e9c0752e8 100644
--- a/lib/assert.js
+++ b/lib/assert.js
@@ -21,6 +21,7 @@
 'use strict';
 
 const {
+  ArrayPrototypeForEach,
   ArrayPrototypeIndexOf,
   ArrayPrototypeJoin,
   ArrayPrototypePush,
@@ -28,6 +29,7 @@ const {
   Error,
   NumberIsNaN,
   ObjectAssign,
+  ObjectDefineProperty,
   ObjectIs,
   ObjectKeys,
   ObjectPrototypeIsPrototypeOf,
@@ -37,11 +39,13 @@ const {
   StringPrototypeIndexOf,
   StringPrototypeSlice,
   StringPrototypeSplit,
+  Symbol,
 } = primordials;
 
 const {
   codes: {
     ERR_AMBIGUOUS_ARGUMENT,
+    ERR_CONSTRUCT_CALL_REQUIRED,
     ERR_INVALID_ARG_TYPE,
     ERR_INVALID_ARG_VALUE,
     ERR_INVALID_RETURN_VALUE,
@@ -54,14 +58,17 @@ const {
   isPromise,
   isRegExp,
 } = require('internal/util/types');
-const { isError, deprecate } = require('internal/util');
+const { isError, deprecate, setOwnProperty } = require('internal/util');
 const { innerOk } = require('internal/assert/utils');
 
 const CallTracker = require('internal/assert/calltracker');
 const {
   validateFunction,
+  validateOneOf,
 } = require('internal/validators');
 
+const kOptions = Symbol('options');
+
 let isDeepEqual;
 let isDeepStrictEqual;
 let isPartialStrictEqual;
@@ -83,12 +90,60 @@ const assert = module.exports = ok;
 
 const NO_EXCEPTION_SENTINEL = {};
 
+/**
+ * Assert options.
+ * @typedef {object} AssertOptions
+ * @property {'full'|'simple'} [diff='simple'] - If set to 'full', shows the full diff in assertion errors.
+ * @property {boolean} [strict=true] - If set to true, non-strict methods behave like their corresponding
+ *   strict methods.
+ */
+
+/**
+ * @class Assert
+ * @param {AssertOptions} [options] - Optional configuration for assertions.
+ * @throws {ERR_CONSTRUCT_CALL_REQUIRED} If not called with `new`.
+ */
+function Assert(options) {
+  if (!new.target) {
+    throw new ERR_CONSTRUCT_CALL_REQUIRED('Assert');
+  }
+
+  options = ObjectAssign({ __proto__: null, strict: true }, options);
+
+  const allowedDiffs = ['simple', 'full'];
+  if (options.diff !== undefined) {
+    validateOneOf(options.diff, 'options.diff', allowedDiffs);
+  }
+
+  this.AssertionError = AssertionError;
+  ObjectDefineProperty(this, kOptions, {
+    __proto__: null,
+    value: options,
+    enumerable: false,
+    configurable: false,
+    writable: false,
+  });
+
+  if (options.strict) {
+    this.equal = this.strictEqual;
+    this.deepEqual = this.deepStrictEqual;
+    this.notEqual = this.notStrictEqual;
+    this.notDeepEqual = this.notDeepStrictEqual;
+  }
+}
+
 // All of the following functions must throw an AssertionError
 // when a corresponding condition is not met, with a message that
 // may be undefined if not provided. All assertion methods provide
 // both the actual and expected values to the assertion error for
 // display purposes.
 
+// DESTRUCTURING WARNING: All Assert.prototype methods use optional chaining
+// (this?.[kOptions]) to safely access instance configuration. When methods are
+// destructured from an Assert instance (e.g., const {strictEqual} = myAssert),
+// they lose their `this` context and will use default behavior instead of the
+// instance's custom options.
+
 function innerFail(obj) {
   if (obj.message instanceof Error) throw obj.message;
 
@@ -102,7 +157,7 @@ function innerFail(obj) {
  * @param {string} [operator]
  * @param {Function} [stackStartFn]
  */
-function fail(actual, expected, message, operator, stackStartFn) {
+Assert.prototype.fail = function fail(actual, expected, message, operator, stackStartFn) {
   const argsLen = arguments.length;
 
   let internalMessage = false;
@@ -128,21 +183,24 @@ function fail(actual, expected, message, operator, stackStartFn) {
 
   if (message instanceof Error) throw message;
 
+  // IMPORTANT: When adding new references to `this`, ensure they use optional chaining
+  // (this?.[kOptions]?.diff) to handle cases where the method is destructured from an
+  // Assert instance and loses its context. Destructured methods will fall back
+  // to default behavior when `this` is undefined.
   const errArgs = {
     actual,
     expected,
     operator: operator === undefined ? 'fail' : operator,
     stackStartFn: stackStartFn || fail,
     message,
+    diff: this?.[kOptions]?.diff,
   };
   const err = new AssertionError(errArgs);
   if (internalMessage) {
     err.generatedMessage = true;
   }
   throw err;
-}
-
-assert.fail = fail;
+};
 
 // The AssertionError is defined in internal/error.
 assert.AssertionError = AssertionError;
@@ -156,7 +214,17 @@ assert.AssertionError = AssertionError;
 function ok(...args) {
   innerOk(ok, args.length, ...args);
 }
-assert.ok = ok;
+
+/**
+ * Pure assertion tests whether a value is truthy, as determined
+ * by !!value.
+ * Duplicated as the other `ok` function is supercharged and exposed as default export.
+ * @param {...any} args
+ * @returns {void}
+ */
+Assert.prototype.ok = function ok(...args) {
+  innerOk(ok, args.length, ...args);
+};
 
 /**
  * The equality assertion tests shallow, coercive equality with ==.
@@ -165,8 +233,7 @@ assert.ok = ok;
  * @param {string | Error} [message]
  * @returns {void}
  */
-/* eslint-disable no-restricted-properties */
-assert.equal = function equal(actual, expected, message) {
+Assert.prototype.equal = function equal(actual, expected, message) {
   if (arguments.length < 2) {
     throw new ERR_MISSING_ARGS('actual', 'expected');
   }
@@ -178,6 +245,7 @@ assert.equal = function equal(actual, expected, message) {
       message,
       operator: '==',
       stackStartFn: equal,
+      diff: this?.[kOptions]?.diff,
     });
   }
 };
@@ -190,7 +258,7 @@ assert.equal = function equal(actual, expected, message) {
  * @param {string | Error} [message]
  * @returns {void}
  */
-assert.notEqual = function notEqual(actual, expected, message) {
+Assert.prototype.notEqual = function notEqual(actual, expected, message) {
   if (arguments.length < 2) {
     throw new ERR_MISSING_ARGS('actual', 'expected');
   }
@@ -202,6 +270,7 @@ assert.notEqual = function notEqual(actual, expected, message) {
       message,
       operator: '!=',
       stackStartFn: notEqual,
+      diff: this?.[kOptions]?.diff,
     });
   }
 };
@@ -213,7 +282,7 @@ assert.notEqual = function notEqual(actual, expected, message) {
  * @param {string | Error} [message]
  * @returns {void}
  */
-assert.deepEqual = function deepEqual(actual, expected, message) {
+Assert.prototype.deepEqual = function deepEqual(actual, expected, message) {
   if (arguments.length < 2) {
     throw new ERR_MISSING_ARGS('actual', 'expected');
   }
@@ -225,6 +294,7 @@ assert.deepEqual = function deepEqual(actual, expected, message) {
       message,
       operator: 'deepEqual',
       stackStartFn: deepEqual,
+      diff: this?.[kOptions]?.diff,
     });
   }
 };
@@ -236,7 +306,7 @@ assert.deepEqual = function deepEqual(actual, expected, message) {
  * @param {string | Error} [message]
  * @returns {void}
  */
-assert.notDeepEqual = function notDeepEqual(actual, expected, message) {
+Assert.prototype.notDeepEqual = function notDeepEqual(actual, expected, message) {
   if (arguments.length < 2) {
     throw new ERR_MISSING_ARGS('actual', 'expected');
   }
@@ -248,10 +318,10 @@ assert.notDeepEqual = function notDeepEqual(actual, expected, message) {
       message,
       operator: 'notDeepEqual',
       stackStartFn: notDeepEqual,
+      diff: this?.[kOptions]?.diff,
     });
   }
 };
-/* eslint-enable */
 
 /**
  * The deep strict equivalence assertion tests a deep strict equality
@@ -261,7 +331,7 @@ assert.notDeepEqual = function notDeepEqual(actual, expected, message) {
  * @param {string | Error} [message]
  * @returns {void}
  */
-assert.deepStrictEqual = function deepStrictEqual(actual, expected, message) {
+Assert.prototype.deepStrictEqual = function deepStrictEqual(actual, expected, message) {
   if (arguments.length < 2) {
     throw new ERR_MISSING_ARGS('actual', 'expected');
   }
@@ -273,6 +343,7 @@ assert.deepStrictEqual = function deepStrictEqual(actual, expected, message) {
       message,
       operator: 'deepStrictEqual',
       stackStartFn: deepStrictEqual,
+      diff: this?.[kOptions]?.diff,
     });
   }
 };
@@ -285,7 +356,7 @@ assert.deepStrictEqual = function deepStrictEqual(actual, expected, message) {
  * @param {string | Error} [message]
  * @returns {void}
  */
-assert.notDeepStrictEqual = notDeepStrictEqual;
+Assert.prototype.notDeepStrictEqual = notDeepStrictEqual;
 function notDeepStrictEqual(actual, expected, message) {
   if (arguments.length < 2) {
     throw new ERR_MISSING_ARGS('actual', 'expected');
@@ -298,6 +369,7 @@ function notDeepStrictEqual(actual, expected, message) {
       message,
       operator: 'notDeepStrictEqual',
       stackStartFn: notDeepStrictEqual,
+      diff: this?.[kOptions]?.diff,
     });
   }
 }
@@ -309,7 +381,7 @@ function notDeepStrictEqual(actual, expected, message) {
  * @param {string | Error} [message]
  * @returns {void}
  */
-assert.strictEqual = function strictEqual(actual, expected, message) {
+Assert.prototype.strictEqual = function strictEqual(actual, expected, message) {
   if (arguments.length < 2) {
     throw new ERR_MISSING_ARGS('actual', 'expected');
   }
@@ -320,6 +392,7 @@ assert.strictEqual = function strictEqual(actual, expected, message) {
       message,
       operator: 'strictEqual',
       stackStartFn: strictEqual,
+      diff: this?.[kOptions]?.diff,
     });
   }
 };
@@ -331,7 +404,7 @@ assert.strictEqual = function strictEqual(actual, expected, message) {
  * @param {string | Error} [message]
  * @returns {void}
  */
-assert.notStrictEqual = function notStrictEqual(actual, expected, message) {
+Assert.prototype.notStrictEqual = function notStrictEqual(actual, expected, message) {
   if (arguments.length < 2) {
     throw new ERR_MISSING_ARGS('actual', 'expected');
   }
@@ -342,6 +415,7 @@ assert.notStrictEqual = function notStrictEqual(actual, expected, message) {
       message,
       operator: 'notStrictEqual',
       stackStartFn: notStrictEqual,
+      diff: this?.[kOptions]?.diff,
     });
   }
 };
@@ -353,7 +427,7 @@ assert.notStrictEqual = function notStrictEqual(actual, expected, message) {
  * @param {string | Error} [message]
  * @returns {void}
  */
-assert.partialDeepStrictEqual = function partialDeepStrictEqual(
+Assert.prototype.partialDeepStrictEqual = function partialDeepStrictEqual(
   actual,
   expected,
   message,
@@ -369,6 +443,7 @@ assert.partialDeepStrictEqual = function partialDeepStrictEqual(
       message,
       operator: 'partialDeepStrictEqual',
       stackStartFn: partialDeepStrictEqual,
+      diff: this?.[kOptions]?.diff,
     });
   }
 };
@@ -402,6 +477,7 @@ function compareExceptionKey(actual, expected, key, message, keys, fn) {
         expected: b,
         operator: 'deepStrictEqual',
         stackStartFn: fn,
+        diff: this?.[kOptions]?.diff,
       });
       err.actual = actual;
       err.expected = expected;
@@ -414,6 +490,7 @@ function compareExceptionKey(actual, expected, key, message, keys, fn) {
       message,
       operator: fn.name,
       stackStartFn: fn,
+      diff: this?.[kOptions]?.diff,
     });
   }
 }
@@ -443,6 +520,7 @@ function expectedException(actual, expected, message, fn) {
         message,
         operator: 'deepStrictEqual',
         stackStartFn: fn,
+        diff: this?.[kOptions]?.diff,
       });
       err.operator = fn.name;
       throw err;
@@ -518,6 +596,7 @@ function expectedException(actual, expected, message, fn) {
       message,
       operator: fn.name,
       stackStartFn: fn,
+      diff: this?.[kOptions]?.diff,
     });
     err.generatedMessage = generatedMessage;
     throw err;
@@ -605,20 +684,21 @@ function expectsError(stackStartFn, actual, error, message) {
       details += ` (${error.name})`;
     }
     details += message ? `: ${message}` : '.';
-    const fnType = stackStartFn === assert.rejects ? 'rejection' : 'exception';
+    const fnType = stackStartFn === Assert.prototype.rejects ? 'rejection' : 'exception';
     innerFail({
       actual: undefined,
       expected: error,
       operator: stackStartFn.name,
       message: `Missing expected ${fnType}${details}`,
       stackStartFn,
+      diff: this?.[kOptions]?.diff,
     });
   }
 
   if (!error)
     return;
 
-  expectedException(actual, error, message, stackStartFn);
+  expectedException.call(this, actual, error, message, stackStartFn);
 }
 
 function hasMatchingError(actual, expected) {
@@ -652,7 +732,7 @@ function expectsNoError(stackStartFn, actual, error, message) {
 
   if (!error || hasMatchingError(actual, error)) {
     const details = message ? `: ${message}` : '.';
-    const fnType = stackStartFn === assert.doesNotReject ?
+    const fnType = stackStartFn === Assert.prototype.doesNotReject ?
       'rejection' : 'exception';
     innerFail({
       actual,
@@ -661,6 +741,7 @@ function expectsNoError(stackStartFn, actual, error, message) {
       message: `Got unwanted ${fnType}${details}\n` +
                `Actual message: "${actual?.message}"`,
       stackStartFn,
+      diff: this?.[kOptions]?.diff,
     });
   }
   throw actual;
@@ -672,7 +753,7 @@ function expectsNoError(stackStartFn, actual, error, message) {
  * @param {...any} [args]
  * @returns {void}
  */
-assert.throws = function throws(promiseFn, ...args) {
+Assert.prototype.throws = function throws(promiseFn, ...args) {
   expectsError(throws, getActual(promiseFn), ...args);
 };
 
@@ -682,7 +763,7 @@ assert.throws = function throws(promiseFn, ...args) {
  * @param {...any} [args]
  * @returns {Promise<void>}
  */
-assert.rejects = async function rejects(promiseFn, ...args) {
+Assert.prototype.rejects = async function rejects(promiseFn, ...args) {
   expectsError(rejects, await waitForActual(promiseFn), ...args);
 };
 
@@ -692,7 +773,7 @@ assert.rejects = async function rejects(promiseFn, ...args) {
  * @param {...any} [args]
  * @returns {void}
  */
-assert.doesNotThrow = function doesNotThrow(fn, ...args) {
+Assert.prototype.doesNotThrow = function doesNotThrow(fn, ...args) {
   expectsNoError(doesNotThrow, getActual(fn), ...args);
 };
 
@@ -702,7 +783,7 @@ assert.doesNotThrow = function doesNotThrow(fn, ...args) {
  * @param {...any} [args]
  * @returns {Promise<void>}
  */
-assert.doesNotReject = async function doesNotReject(fn, ...args) {
+Assert.prototype.doesNotReject = async function doesNotReject(fn, ...args) {
   expectsNoError(doesNotReject, await waitForActual(fn), ...args);
 };
 
@@ -711,7 +792,7 @@ assert.doesNotReject = async function doesNotReject(fn, ...args) {
  * @param {any} err
  * @returns {void}
  */
-assert.ifError = function ifError(err) {
+Assert.prototype.ifError = function ifError(err) {
   if (err !== null && err !== undefined) {
     let message = 'ifError got unwanted exception: ';
     if (typeof err === 'object' && typeof err.message === 'string') {
@@ -730,6 +811,7 @@ assert.ifError = function ifError(err) {
       operator: 'ifError',
       message,
       stackStartFn: ifError,
+      diff: this?.[kOptions]?.diff,
     });
 
     // Make sure we actually have a stack trace!
@@ -772,7 +854,7 @@ function internalMatch(string, regexp, message, fn) {
       'regexp', 'RegExp', regexp,
     );
   }
-  const match = fn === assert.match;
+  const match = fn === Assert.prototype.match;
   if (typeof string !== 'string' ||
       RegExpPrototypeExec(regexp, string) !== null !== match) {
     if (message instanceof Error) {
@@ -795,6 +877,7 @@ function internalMatch(string, regexp, message, fn) {
       message,
       operator: fn.name,
       stackStartFn: fn,
+      diff: this?.[kOptions]?.diff,
     });
     err.generatedMessage = generatedMessage;
     throw err;
@@ -808,7 +891,7 @@ function internalMatch(string, regexp, message, fn) {
  * @param {string | Error} [message]
  * @returns {void}
  */
-assert.match = function match(string, regexp, message) {
+Assert.prototype.match = function match(string, regexp, message) {
   internalMatch(string, regexp, message, match);
 };
 
@@ -819,7 +902,7 @@ assert.match = function match(string, regexp, message) {
  * @param {string | Error} [message]
  * @returns {void}
  */
-assert.doesNotMatch = function doesNotMatch(string, regexp, message) {
+Assert.prototype.doesNotMatch = function doesNotMatch(string, regexp, message) {
   internalMatch(string, regexp, message, doesNotMatch);
 };
 
@@ -834,6 +917,17 @@ function strict(...args) {
   innerOk(strict, args.length, ...args);
 }
 
+// TODO(aduh95): take `ok` from `Assert.prototype` instead of a self-ref in a next major.
+assert.ok = assert;
+ArrayPrototypeForEach([
+  'fail', 'equal', 'notEqual', 'deepEqual', 'notDeepEqual',
+  'deepStrictEqual', 'notDeepStrictEqual', 'strictEqual',
+  'notStrictEqual', 'partialDeepStrictEqual', 'match', 'doesNotMatch',
+  'throws', 'rejects', 'doesNotThrow', 'doesNotReject', 'ifError',
+], (name) => {
+  setOwnProperty(assert, name, Assert.prototype[name]);
+});
+
 assert.strict = ObjectAssign(strict, assert, {
   equal: assert.strictEqual,
   deepEqual: assert.deepStrictEqual,
@@ -841,4 +935,7 @@ assert.strict = ObjectAssign(strict, assert, {
   notDeepEqual: assert.notDeepStrictEqual,
 });
 
+assert.strict.Assert = Assert;
 assert.strict.strict = assert.strict;
+
+assert.Assert = Assert;
diff --git a/lib/async_hooks.js b/lib/async_hooks.js
index 7dc7bfab328498..4216ee3f240c48 100644
--- a/lib/async_hooks.js
+++ b/lib/async_hooks.js
@@ -262,10 +262,10 @@ class AsyncResource {
         enumerable: true,
         get: deprecate(function() {
           return self;
-        }, 'The asyncResource property on bound functions is deprecated', 'DEP0172'),
+        }, 'The asyncResource property on bound functions is deprecated', 'DEP0172', false),
         set: deprecate(function(val) {
           self = val;
-        }, 'The asyncResource property on bound functions is deprecated', 'DEP0172'),
+        }, 'The asyncResource property on bound functions is deprecated', 'DEP0172', false),
       },
     });
     return bound;
diff --git a/lib/domain.js b/lib/domain.js
index 03d240e98d4506..7dd16ee1bf59ef 100644
--- a/lib/domain.js
+++ b/lib/domain.js
@@ -270,7 +270,7 @@ Domain.prototype._errorHandler = function(er) {
     // as this would throw an error, make the process exit, and thus
     // prevent the process 'uncaughtException' event from being emitted
     // if a listener is set.
-    if (EventEmitter.listenerCount(this, 'error') > 0) {
+    if (this.listenerCount('error') > 0) {
       // Clear the uncaughtExceptionCaptureCallback so that we know that, since
       // the top-level domain is not active anymore, it would be ok to abort on
       // an uncaught exception at this point
diff --git a/lib/events.js b/lib/events.js
index 1555994df6950e..1c732802ef28aa 100644
--- a/lib/events.js
+++ b/lib/events.js
@@ -28,6 +28,7 @@ const {
   ArrayPrototypeSlice,
   ArrayPrototypeSplice,
   ArrayPrototypeUnshift,
+  AsyncIteratorPrototype,
   Boolean,
   Error,
   ErrorCaptureStackTrace,
@@ -1000,9 +1001,6 @@ async function once(emitter, name, options = kEmptyObject) {
   });
 }
 
-const AsyncIteratorPrototype = ObjectGetPrototypeOf(
-  ObjectGetPrototypeOf(async function* () {}).prototype);
-
 function createIterResult(value, done) {
   return { value, done };
 }
diff --git a/lib/fs.js b/lib/fs.js
index 4b1f400f0ad838..4c5e7574e7f96d 100644
--- a/lib/fs.js
+++ b/lib/fs.js
@@ -170,6 +170,11 @@ let ReadFileContext;
 // monkeypatching.
 let FileReadStream;
 let FileWriteStream;
+let Utf8Stream;
+
+function lazyLoadUtf8Stream() {
+  Utf8Stream ??= require('internal/streams/fast-utf8-stream');
+}
 
 // Ensure that callbacks run in the global context. Only use this function
 // for callbacks that are passed to the binding layer, callbacks that are
@@ -3353,6 +3358,11 @@ module.exports = fs = {
     FileWriteStream = val;
   },
 
+  get Utf8Stream() {
+    lazyLoadUtf8Stream();
+    return Utf8Stream;
+  },
+
   // For tests
   _toUnixTimestamp: toUnixTimestamp,
 };
diff --git a/lib/internal/assert/assertion_error.js b/lib/internal/assert/assertion_error.js
index d654ca5038bbab..5c15b96b12d1ea 100644
--- a/lib/internal/assert/assertion_error.js
+++ b/lib/internal/assert/assertion_error.js
@@ -178,7 +178,7 @@ function isSimpleDiff(actual, inspectedActual, expected, inspectedExpected) {
   return typeof actual !== 'object' || actual === null || typeof expected !== 'object' || expected === null;
 }
 
-function createErrDiff(actual, expected, operator, customMessage) {
+function createErrDiff(actual, expected, operator, customMessage, diffType = 'simple') {
   operator = checkOperator(actual, expected, operator);
 
   let skipped = false;
@@ -202,7 +202,7 @@ function createErrDiff(actual, expected, operator, customMessage) {
   } else if (inspectedActual === inspectedExpected) {
     // Handles the case where the objects are structurally the same but different references
     operator = 'notIdentical';
-    if (inspectedSplitActual.length > 50) {
+    if (inspectedSplitActual.length > 50 && diffType !== 'full') {
       message = `${ArrayPrototypeJoin(ArrayPrototypeSlice(inspectedSplitActual, 0, 50), '\n')}\n...}`;
       skipped = true;
     } else {
@@ -252,6 +252,7 @@ class AssertionError extends Error {
       details,
       // Compatibility with older versions.
       stackStartFunction,
+      diff = 'simple',
     } = options;
     let {
       actual,
@@ -263,7 +264,7 @@ class AssertionError extends Error {
 
     if (message != null) {
       if (kMethodsWithCustomMessageDiff.includes(operator)) {
-        super(createErrDiff(actual, expected, operator, message));
+        super(createErrDiff(actual, expected, operator, message, diff));
       } else {
         super(String(message));
       }
@@ -283,7 +284,7 @@ class AssertionError extends Error {
       }
 
       if (kMethodsWithCustomMessageDiff.includes(operator)) {
-        super(createErrDiff(actual, expected, operator, message));
+        super(createErrDiff(actual, expected, operator, message, diff));
       } else if (operator === 'notDeepStrictEqual' ||
         operator === 'notStrictEqual') {
         // In case the objects are equal but the operator requires unequal, show
@@ -300,8 +301,7 @@ class AssertionError extends Error {
         }
 
         // Only remove lines in case it makes sense to collapse those.
-        // TODO: Accept env to always show the full error.
-        if (res.length > 50) {
+        if (res.length > 50 && diff !== 'full') {
           res[46] = `${colors.blue}...${colors.white}`;
           while (res.length > 47) {
             ArrayPrototypePop(res);
@@ -320,15 +320,15 @@ class AssertionError extends Error {
         const knownOperator = kReadableOperator[operator];
         if (operator === 'notDeepEqual' && res === other) {
           res = `${knownOperator}\n\n${res}`;
-          if (res.length > 1024) {
+          if (res.length > 1024 && diff !== 'full') {
             res = `${StringPrototypeSlice(res, 0, 1021)}...`;
           }
           super(res);
         } else {
-          if (res.length > kMaxLongStringLength) {
+          if (res.length > kMaxLongStringLength && diff !== 'full') {
             res = `${StringPrototypeSlice(res, 0, 509)}...`;
           }
-          if (other.length > kMaxLongStringLength) {
+          if (other.length > kMaxLongStringLength && diff !== 'full') {
             other = `${StringPrototypeSlice(other, 0, 509)}...`;
           }
           if (operator === 'deepEqual') {
@@ -378,6 +378,7 @@ class AssertionError extends Error {
     this.stack; // eslint-disable-line no-unused-expressions
     // Reset the name.
     this.name = 'AssertionError';
+    this.diff = diff;
   }
 
   toString() {
diff --git a/lib/internal/assert/utils.js b/lib/internal/assert/utils.js
index d059fa89baf7d4..13e41d67c635c2 100644
--- a/lib/internal/assert/utils.js
+++ b/lib/internal/assert/utils.js
@@ -222,7 +222,8 @@ function getErrMessage(message, fn) {
       }
       const frames = StringPrototypeSplit(message, '\n');
       message = ArrayPrototypeShift(frames);
-      for (const frame of frames) {
+      for (let i = 0; i < frames.length; i++) {
+        const frame = frames[i];
         let pos = 0;
         while (pos < column && (frame[pos] === ' ' || frame[pos] === '\t')) {
           pos++;
diff --git a/lib/internal/crypto/aes.js b/lib/internal/crypto/aes.js
index d2f1111a7155bd..b7d1abf4a85daf 100644
--- a/lib/internal/crypto/aes.js
+++ b/lib/internal/crypto/aes.js
@@ -285,9 +285,7 @@ function aesImportKey(
       break;
     }
     default:
-      throw lazyDOMException(
-        `Unable to import AES key with format ${format}`,
-        'NotSupportedError');
+      return undefined;
   }
 
   if (length === undefined) {
diff --git a/lib/internal/crypto/cfrg.js b/lib/internal/crypto/cfrg.js
index 34d8e294163fc7..e8af5750a865fd 100644
--- a/lib/internal/crypto/cfrg.js
+++ b/lib/internal/crypto/cfrg.js
@@ -324,6 +324,8 @@ function cfrgImportKey(
       keyObject = createCFRGRawKey(name, keyData, true);
       break;
     }
+    default:
+      return undefined;
   }
 
   if (keyObject.asymmetricKeyType !== name.toLowerCase()) {
diff --git a/lib/internal/crypto/ec.js b/lib/internal/crypto/ec.js
index 6c73344ef17e1c..f4ea317b86ee73 100644
--- a/lib/internal/crypto/ec.js
+++ b/lib/internal/crypto/ec.js
@@ -250,6 +250,8 @@ function ecImportKey(
       keyObject = createECPublicKeyRaw(namedCurve, keyData);
       break;
     }
+    default:
+      return undefined;
   }
 
   switch (algorithm.name) {
diff --git a/lib/internal/crypto/keygen.js b/lib/internal/crypto/keygen.js
index e3f3e3e6b9ac82..cb46b72c59a5ca 100644
--- a/lib/internal/crypto/keygen.js
+++ b/lib/internal/crypto/keygen.js
@@ -19,6 +19,9 @@ const {
   kKeyVariantRSA_SSA_PKCS1_v1_5,
   EVP_PKEY_ED25519,
   EVP_PKEY_ED448,
+  EVP_PKEY_ML_DSA_44,
+  EVP_PKEY_ML_DSA_65,
+  EVP_PKEY_ML_DSA_87,
   EVP_PKEY_X25519,
   EVP_PKEY_X448,
   OPENSSL_EC_NAMED_CURVE,
@@ -162,6 +165,16 @@ function parseKeyEncoding(keyType, options = kEmptyObject) {
   ];
 }
 
+const ids = {
+  'ed25519': EVP_PKEY_ED25519,
+  'ed448': EVP_PKEY_ED448,
+  'x25519': EVP_PKEY_X25519,
+  'x448': EVP_PKEY_X448,
+  'ml-dsa-44': EVP_PKEY_ML_DSA_44,
+  'ml-dsa-65': EVP_PKEY_ML_DSA_65,
+  'ml-dsa-87': EVP_PKEY_ML_DSA_87,
+};
+
 function createJob(mode, type, options) {
   validateString(type, 'type');
 
@@ -278,23 +291,14 @@ function createJob(mode, type, options) {
     case 'ed448':
     case 'x25519':
     case 'x448':
+    case 'ml-dsa-44':
+    case 'ml-dsa-65':
+    case 'ml-dsa-87':
     {
-      let id;
-      switch (type) {
-        case 'ed25519':
-          id = EVP_PKEY_ED25519;
-          break;
-        case 'ed448':
-          id = EVP_PKEY_ED448;
-          break;
-        case 'x25519':
-          id = EVP_PKEY_X25519;
-          break;
-        case 'x448':
-          id = EVP_PKEY_X448;
-          break;
+      if (ids[type] === undefined) {
+        throw new ERR_INVALID_ARG_VALUE('type', type, 'must be a supported key type');
       }
-      return new NidKeyPairGenJob(mode, id, ...encoding);
+      return new NidKeyPairGenJob(mode, ids[type], ...encoding);
     }
     case 'dh':
     {
diff --git a/lib/internal/crypto/keys.js b/lib/internal/crypto/keys.js
index 7529254685fb17..60b4d26d35e967 100644
--- a/lib/internal/crypto/keys.js
+++ b/lib/internal/crypto/keys.js
@@ -24,6 +24,9 @@ const {
   kKeyEncodingPKCS8,
   kKeyEncodingSPKI,
   kKeyEncodingSEC1,
+  EVP_PKEY_ML_DSA_44,
+  EVP_PKEY_ML_DSA_65,
+  EVP_PKEY_ML_DSA_87,
 } = internalBinding('crypto');
 
 const {
@@ -509,12 +512,54 @@ function getKeyTypes(allowKeyObject, bufferOnly = false) {
   return types;
 }
 
+function mlDsaPubLen(alg) {
+  switch (alg) {
+    case 'ML-DSA-44': return 1312;
+    case 'ML-DSA-65': return 1952;
+    case 'ML-DSA-87': return 2592;
+  }
+}
+
 function getKeyObjectHandleFromJwk(key, ctx) {
   validateObject(key, 'key');
-  validateOneOf(
-    key.kty, 'key.kty', ['RSA', 'EC', 'OKP']);
+  if (EVP_PKEY_ML_DSA_44 || EVP_PKEY_ML_DSA_65 || EVP_PKEY_ML_DSA_87) {
+    validateOneOf(
+      key.kty, 'key.kty', ['RSA', 'EC', 'OKP', 'AKP']);
+  } else {
+    validateOneOf(
+      key.kty, 'key.kty', ['RSA', 'EC', 'OKP']);
+  }
   const isPublic = ctx === kConsumePublic || ctx === kCreatePublic;
 
+  if (key.kty === 'AKP') {
+    validateOneOf(
+      key.alg, 'key.alg', ['ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']);
+    validateString(key.pub, 'key.pub');
+
+    let keyData;
+    if (isPublic) {
+      keyData = Buffer.from(key.pub, 'base64url');
+      if (keyData.byteLength !== mlDsaPubLen(key.alg)) {
+        throw new ERR_CRYPTO_INVALID_JWK();
+      }
+    } else {
+      validateString(key.priv, 'key.priv');
+      keyData = Buffer.from(key.priv, 'base64url');
+      if (keyData.byteLength !== 32) {
+        throw new ERR_CRYPTO_INVALID_JWK();
+      }
+    }
+
+    const handle = new KeyObjectHandle();
+
+    const keyType = isPublic ? kKeyTypePublic : kKeyTypePrivate;
+    if (!handle.initMlDsaRaw(key.alg, keyData, keyType)) {
+      throw new ERR_CRYPTO_INVALID_JWK();
+    }
+
+    return handle;
+  }
+
   if (key.kty === 'OKP') {
     validateString(key.crv, 'key.crv');
     validateOneOf(
@@ -922,15 +967,11 @@ function importGenericSecretKey(
       keyObject = createSecretKey(keyData);
       break;
     }
+    default:
+      return undefined;
   }
 
-  if (keyObject) {
-    return new InternalCryptoKey(keyObject, { name }, keyUsages, false);
-  }
-
-  throw lazyDOMException(
-    `Unable to import ${name} key with format ${format}`,
-    'NotSupportedError');
+  return new InternalCryptoKey(keyObject, { name }, keyUsages, false);
 }
 
 module.exports = {
diff --git a/lib/internal/crypto/mac.js b/lib/internal/crypto/mac.js
index 3e232fe1ca6491..0f9b1f9618d260 100644
--- a/lib/internal/crypto/mac.js
+++ b/lib/internal/crypto/mac.js
@@ -143,7 +143,7 @@ function hmacImportKey(
       break;
     }
     default:
-      throw lazyDOMException(`Unable to import HMAC key with format ${format}`);
+      return undefined;
   }
 
   const { length } = keyObject[kHandle].keyDetail({});
diff --git a/lib/internal/crypto/rsa.js b/lib/internal/crypto/rsa.js
index a3ef89ed6f2e7e..bf6c341c5a723d 100644
--- a/lib/internal/crypto/rsa.js
+++ b/lib/internal/crypto/rsa.js
@@ -305,9 +305,7 @@ function rsaImportKey(
       break;
     }
     default:
-      throw lazyDOMException(
-        `Unable to import RSA key with format ${format}`,
-        'NotSupportedError');
+      return undefined;
   }
 
   if (keyObject.asymmetricKeyType !== 'rsa') {
diff --git a/lib/internal/crypto/util.js b/lib/internal/crypto/util.js
index 2eba29333bcba4..c7e0c31a4cc609 100644
--- a/lib/internal/crypto/util.js
+++ b/lib/internal/crypto/util.js
@@ -189,6 +189,20 @@ const kSupportedAlgorithms = {
     'Ed25519': null,
     'X25519': null,
   },
+  'exportKey': {
+    'RSASSA-PKCS1-v1_5': null,
+    'RSA-PSS': null,
+    'RSA-OAEP': null,
+    'ECDSA': null,
+    'ECDH': null,
+    'HMAC': null,
+    'AES-CTR': null,
+    'AES-CBC': null,
+    'AES-GCM': null,
+    'AES-KW': null,
+    'Ed25519': null,
+    'X25519': null,
+  },
   'sign': {
     'RSASSA-PKCS1-v1_5': null,
     'RSA-PSS': 'RsaPssParams',
@@ -259,12 +273,14 @@ const experimentalAlgorithms = ObjectEntries({
     generateKey: null,
     importKey: null,
     deriveBits: 'EcdhKeyDeriveParams',
+    exportKey: null,
   },
   'Ed448': {
     generateKey: null,
     sign: 'Ed448Params',
     verify: 'Ed448Params',
     importKey: null,
+    exportKey: null,
   },
 });
 
diff --git a/lib/internal/crypto/webcrypto.js b/lib/internal/crypto/webcrypto.js
index e39035c46209f0..82bdc29f50a4d4 100644
--- a/lib/internal/crypto/webcrypto.js
+++ b/lib/internal/crypto/webcrypto.js
@@ -322,19 +322,13 @@ async function exportKeySpki(key) {
     case 'RSA-PSS':
       // Fall through
     case 'RSA-OAEP':
-      if (key.type === 'public') {
-        return require('internal/crypto/rsa')
-          .rsaExportKey(key, kWebCryptoKeyFormatSPKI);
-      }
-      break;
+      return require('internal/crypto/rsa')
+        .rsaExportKey(key, kWebCryptoKeyFormatSPKI);
     case 'ECDSA':
       // Fall through
     case 'ECDH':
-      if (key.type === 'public') {
-        return require('internal/crypto/ec')
-          .ecExportKey(key, kWebCryptoKeyFormatSPKI);
-      }
-      break;
+      return require('internal/crypto/ec')
+        .ecExportKey(key, kWebCryptoKeyFormatSPKI);
     case 'Ed25519':
       // Fall through
     case 'Ed448':
@@ -342,16 +336,11 @@ async function exportKeySpki(key) {
     case 'X25519':
       // Fall through
     case 'X448':
-      if (key.type === 'public') {
-        return require('internal/crypto/cfrg')
-          .cfrgExportKey(key, kWebCryptoKeyFormatSPKI);
-      }
-      break;
+      return require('internal/crypto/cfrg')
+        .cfrgExportKey(key, kWebCryptoKeyFormatSPKI);
+    default:
+      return undefined;
   }
-
-  throw lazyDOMException(
-    `Unable to export a raw ${key.algorithm.name} ${key.type} key`,
-    'InvalidAccessError');
 }
 
 async function exportKeyPkcs8(key) {
@@ -361,19 +350,13 @@ async function exportKeyPkcs8(key) {
     case 'RSA-PSS':
       // Fall through
     case 'RSA-OAEP':
-      if (key.type === 'private') {
-        return require('internal/crypto/rsa')
-          .rsaExportKey(key, kWebCryptoKeyFormatPKCS8);
-      }
-      break;
+      return require('internal/crypto/rsa')
+        .rsaExportKey(key, kWebCryptoKeyFormatPKCS8);
     case 'ECDSA':
       // Fall through
     case 'ECDH':
-      if (key.type === 'private') {
-        return require('internal/crypto/ec')
-          .ecExportKey(key, kWebCryptoKeyFormatPKCS8);
-      }
-      break;
+      return require('internal/crypto/ec')
+        .ecExportKey(key, kWebCryptoKeyFormatPKCS8);
     case 'Ed25519':
       // Fall through
     case 'Ed448':
@@ -381,28 +364,20 @@ async function exportKeyPkcs8(key) {
     case 'X25519':
       // Fall through
     case 'X448':
-      if (key.type === 'private') {
-        return require('internal/crypto/cfrg')
-          .cfrgExportKey(key, kWebCryptoKeyFormatPKCS8);
-      }
-      break;
+      return require('internal/crypto/cfrg')
+        .cfrgExportKey(key, kWebCryptoKeyFormatPKCS8);
+    default:
+      return undefined;
   }
-
-  throw lazyDOMException(
-    `Unable to export a pkcs8 ${key.algorithm.name} ${key.type} key`,
-    'InvalidAccessError');
 }
 
-async function exportKeyRaw(key) {
+async function exportKeyRawPublic(key) {
   switch (key.algorithm.name) {
     case 'ECDSA':
       // Fall through
     case 'ECDH':
-      if (key.type === 'public') {
-        return require('internal/crypto/ec')
-          .ecExportKey(key, kWebCryptoKeyFormatRaw);
-      }
-      break;
+      return require('internal/crypto/ec')
+        .ecExportKey(key, kWebCryptoKeyFormatRaw);
     case 'Ed25519':
       // Fall through
     case 'Ed448':
@@ -410,11 +385,15 @@ async function exportKeyRaw(key) {
     case 'X25519':
       // Fall through
     case 'X448':
-      if (key.type === 'public') {
-        return require('internal/crypto/cfrg')
-          .cfrgExportKey(key, kWebCryptoKeyFormatRaw);
-      }
-      break;
+      return require('internal/crypto/cfrg')
+        .cfrgExportKey(key, kWebCryptoKeyFormatRaw);
+    default:
+      return undefined;
+  }
+}
+
+async function exportKeyRawSecret(key) {
+  switch (key.algorithm.name) {
     case 'AES-CTR':
       // Fall through
     case 'AES-CBC':
@@ -424,51 +403,46 @@ async function exportKeyRaw(key) {
     case 'AES-KW':
       // Fall through
     case 'HMAC':
-      return key[kKeyObject].export().buffer;
+      return key[kKeyObject][kHandle].export().buffer;
+    default:
+      return undefined;
   }
-
-  throw lazyDOMException(
-    `Unable to export a raw ${key.algorithm.name} ${key.type} key`,
-    'InvalidAccessError');
 }
 
 async function exportKeyJWK(key) {
-  const jwk = key[kKeyObject][kHandle].exportJwk({
+  const parameters = {
     key_ops: key.usages,
     ext: key.extractable,
-  }, true);
+  };
   switch (key.algorithm.name) {
     case 'RSASSA-PKCS1-v1_5':
-      jwk.alg = normalizeHashName(
+      parameters.alg = normalizeHashName(
         key.algorithm.hash.name,
         normalizeHashName.kContextJwkRsa);
-      return jwk;
+      break;
     case 'RSA-PSS':
-      jwk.alg = normalizeHashName(
+      parameters.alg = normalizeHashName(
         key.algorithm.hash.name,
         normalizeHashName.kContextJwkRsaPss);
-      return jwk;
+      break;
     case 'RSA-OAEP':
-      jwk.alg = normalizeHashName(
+      parameters.alg = normalizeHashName(
         key.algorithm.hash.name,
         normalizeHashName.kContextJwkRsaOaep);
-      return jwk;
+      break;
     case 'ECDSA':
       // Fall through
     case 'ECDH':
-      jwk.crv ||= key.algorithm.namedCurve;
-      return jwk;
+      // Fall through
     case 'X25519':
       // Fall through
     case 'X448':
-      jwk.crv ||= key.algorithm.name;
-      return jwk;
+      break;
     case 'Ed25519':
       // Fall through
     case 'Ed448':
-      jwk.crv ||= key.algorithm.name;
-      jwk.alg = key.algorithm.name;
-      return jwk;
+      parameters.alg = key.algorithm.name;
+      break;
     case 'AES-CTR':
       // Fall through
     case 'AES-CBC':
@@ -476,19 +450,19 @@ async function exportKeyJWK(key) {
     case 'AES-GCM':
       // Fall through
     case 'AES-KW':
-      jwk.alg = require('internal/crypto/aes')
+      parameters.alg = require('internal/crypto/aes')
         .getAlgorithmName(key.algorithm.name, key.algorithm.length);
-      return jwk;
+      break;
     case 'HMAC':
-      jwk.alg = normalizeHashName(
+      parameters.alg = normalizeHashName(
         key.algorithm.hash.name,
         normalizeHashName.kContextJwkHmac);
-      return jwk;
+      break;
     default:
-      // Fall through
+      return undefined;
   }
 
-  throw lazyDOMException('Not yet supported', 'NotSupportedError');
+  return key[kKeyObject][kHandle].exportJwk(parameters, true);
 }
 
 async function exportKey(format, key) {
@@ -506,17 +480,55 @@ async function exportKey(format, key) {
     context: '2nd argument',
   });
 
+  try {
+    normalizeAlgorithm(key.algorithm, 'exportKey');
+  } catch {
+    throw lazyDOMException(
+      `${key.algorithm.name} key export is not supported`, 'NotSupportedError');
+  }
+
   if (!key.extractable)
     throw lazyDOMException('key is not extractable', 'InvalidAccessException');
 
+  let result;
   switch (format) {
-    case 'spki': return exportKeySpki(key);
-    case 'pkcs8': return exportKeyPkcs8(key);
-    case 'jwk': return exportKeyJWK(key);
-    case 'raw': return exportKeyRaw(key);
+    case 'spki': {
+      if (key.type === 'public') {
+        result = await exportKeySpki(key);
+      }
+      break;
+    }
+    case 'pkcs8': {
+      if (key.type === 'private') {
+        result = await exportKeyPkcs8(key);
+      }
+      break;
+    }
+    case 'jwk': {
+      result = await exportKeyJWK(key);
+      break;
+    }
+    case 'raw': {
+      if (key.type === 'secret') {
+        result = await exportKeyRawSecret(key);
+        break;
+      }
+
+      if (key.type === 'public') {
+        result = await exportKeyRawPublic(key);
+        break;
+      }
+      break;
+    }
   }
-  throw lazyDOMException(
-    'Export format is unsupported', 'NotSupportedError');
+
+  if (!result) {
+    throw lazyDOMException(
+      `Unable to export ${key.algorithm.name} ${key.type} key using ${format} format`,
+      'NotSupportedError');
+  }
+
+  return result;
 }
 
 async function importKey(
@@ -603,8 +615,12 @@ async function importKey(
         extractable,
         keyUsages);
       break;
-    default:
-      throw lazyDOMException('Unrecognized algorithm name', 'NotSupportedError');
+  }
+
+  if (!result) {
+    throw lazyDOMException(
+      `Unable to import ${algorithm.name} using ${format} format`,
+      'NotSupportedError');
   }
 
   if ((result.type === 'secret' || result.type === 'private') && result.usages.length === 0) {
diff --git a/lib/internal/errors.js b/lib/internal/errors.js
index 5e079933951688..ade2acdc662312 100644
--- a/lib/internal/errors.js
+++ b/lib/internal/errors.js
@@ -1148,6 +1148,7 @@ E('ERR_CHILD_PROCESS_STDIO_MAXBUFFER', '%s maxBuffer length exceeded',
   RangeError);
 E('ERR_CONSOLE_WRITABLE_STREAM',
   'Console expects a writable stream instance for %s', TypeError);
+E('ERR_CONSTRUCT_CALL_REQUIRED', 'Class constructor %s cannot be invoked without `new`', TypeError);
 E('ERR_CONTEXT_NOT_INITIALIZED', 'context used is not initialized', Error);
 E('ERR_CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED',
   'Custom engines not supported by this OpenSSL', Error);
diff --git a/lib/internal/freeze_intrinsics.js b/lib/internal/freeze_intrinsics.js
index ac7723b528e872..1d793d719f5fbf 100644
--- a/lib/internal/freeze_intrinsics.js
+++ b/lib/internal/freeze_intrinsics.js
@@ -31,6 +31,7 @@ const {
   ArrayPrototype,
   ArrayPrototypeForEach,
   ArrayPrototypePush,
+  AsyncIteratorPrototype,
   Atomics,
   BigInt,
   BigInt64Array,
@@ -212,10 +213,7 @@ module.exports = function() {
     // 27 Control Abstraction Objects
     // 27.1 Iteration
     IteratorPrototype, // 27.1.2 IteratorPrototype
-    // 27.1.3 AsyncIteratorPrototype
-    ObjectGetPrototypeOf(ObjectGetPrototypeOf(ObjectGetPrototypeOf(
-      (async function*() {})(),
-    ))),
+    AsyncIteratorPrototype, // 27.1.3 AsyncIteratorPrototype
     PromisePrototype, // 27.2
 
     // Other APIs / Web Compatibility
diff --git a/lib/internal/fs/glob.js b/lib/internal/fs/glob.js
index 14180f936ac1c8..05252348daee7a 100644
--- a/lib/internal/fs/glob.js
+++ b/lib/internal/fs/glob.js
@@ -143,7 +143,7 @@ class Cache {
     if (cached) {
       return cached;
     }
-    const promise = PromisePrototypeThen(readdir(path, { __proto__: null, withFileTypes: true }), null, () => null);
+    const promise = PromisePrototypeThen(readdir(path, { __proto__: null, withFileTypes: true }), null, () => []);
     this.#readdirCache.set(path, promise);
     return promise;
   }
diff --git a/lib/internal/fs/promises.js b/lib/internal/fs/promises.js
index e29b63b7aeef7c..7767d96bcfc7de 100644
--- a/lib/internal/fs/promises.js
+++ b/lib/internal/fs/promises.js
@@ -112,6 +112,7 @@ const kHandle = Symbol('kHandle');
 const kFd = Symbol('kFd');
 const kRefs = Symbol('kRefs');
 const kClosePromise = Symbol('kClosePromise');
+const kCloseReason = Symbol('kCloseReason');
 const kCloseResolve = Symbol('kCloseResolve');
 const kCloseReject = Symbol('kCloseReject');
 const kRef = Symbol('kRef');
@@ -390,6 +391,7 @@ class FileHandle extends EventEmitter {
 
     const handle = this[kHandle];
     this[kFd] = -1;
+    this[kCloseReason] = 'The FileHandle has been transferred';
     this[kHandle] = null;
     this[kRefs] = 0;
 
@@ -456,7 +458,7 @@ async function fsCall(fn, handle, ...args) {
 
   if (handle.fd === -1) {
     // eslint-disable-next-line no-restricted-syntax
-    const err = new Error('file closed');
+    const err = new Error(handle[kCloseReason] ?? 'file closed');
     err.code = 'EBADF';
     err.syscall = fn.name;
     throw err;
diff --git a/lib/internal/http2/core.js b/lib/internal/http2/core.js
index 2ec1e9fc19a7e7..6bf2edd1487d49 100644
--- a/lib/internal/http2/core.js
+++ b/lib/internal/http2/core.js
@@ -254,6 +254,7 @@ const kProceed = Symbol('proceed');
 const kRemoteSettings = Symbol('remote-settings');
 const kRequestAsyncResource = Symbol('requestAsyncResource');
 const kSentHeaders = Symbol('sent-headers');
+const kRawHeaders = Symbol('raw-headers');
 const kSentTrailers = Symbol('sent-trailers');
 const kServer = Symbol('server');
 const kState = Symbol('state');
@@ -1807,12 +1808,14 @@ class ClientHttp2Session extends Http2Session {
 
     let headersList;
     let headersObject;
+    let rawHeaders;
     let scheme;
     let authority;
     let method;
 
     if (ArrayIsArray(headersParam)) {
       ({
+        rawHeaders,
         headersList,
         scheme,
         authority,
@@ -1859,6 +1862,7 @@ class ClientHttp2Session extends Http2Session {
     // eslint-disable-next-line no-use-before-define
     const stream = new ClientHttp2Stream(this, undefined, undefined, {});
     stream[kSentHeaders] = headersObject; // N.b. Only set for object headers, not raw headers
+    stream[kRawHeaders] = rawHeaders; // N.b. Only set for raw headers, not object headers
     stream[kOrigin] = `${scheme}://${authority}`;
     const reqAsync = new AsyncResource('PendingRequest');
     stream[kRequestAsyncResource] = reqAsync;
@@ -2128,6 +2132,33 @@ class Http2Stream extends Duplex {
   }
 
   get sentHeaders() {
+    if (this[kSentHeaders] || !this[kRawHeaders]) {
+      return this[kSentHeaders];
+    }
+
+    const rawHeaders = this[kRawHeaders];
+    const headersObject = { __proto__: null };
+
+    for (let i = 0; i < rawHeaders.length; i += 2) {
+      const key = rawHeaders[i];
+      const value = rawHeaders[i + 1];
+
+      const existing = headersObject[key];
+      if (existing === undefined) {
+        headersObject[key] = value;
+      } else if (ArrayIsArray(existing)) {
+        existing.push(value);
+      } else {
+        headersObject[key] = [existing, value];
+      }
+    }
+
+    if (rawHeaders[kSensitiveHeaders] !== undefined) {
+      headersObject[kSensitiveHeaders] = rawHeaders[kSensitiveHeaders];
+    }
+
+    this[kSentHeaders] = headersObject;
+
     return this[kSentHeaders];
   }
 
diff --git a/lib/internal/http2/util.js b/lib/internal/http2/util.js
index 8b2309d4afc845..19cbc08f8a9c7d 100644
--- a/lib/internal/http2/util.js
+++ b/lib/internal/http2/util.js
@@ -678,15 +678,23 @@ function prepareRequestHeadersArray(headers, session) {
       throw new ERR_HTTP2_CONNECT_PATH();
   }
 
-  const headersList = buildNgHeaderString(
+  const rawHeaders =
     additionalPsuedoHeaders.length ?
       additionalPsuedoHeaders.concat(headers) :
-      headers,
+      headers;
+
+  if (headers[kSensitiveHeaders] !== undefined) {
+    rawHeaders[kSensitiveHeaders] = headers[kSensitiveHeaders];
+  }
+
+  const headersList = buildNgHeaderString(
+    rawHeaders,
     assertValidPseudoHeader,
     headers[kSensitiveHeaders],
   );
 
   return {
+    rawHeaders,
     headersList,
     scheme,
     authority: authority ?? headers[HTTP2_HEADER_HOST],
diff --git a/lib/internal/locks.js b/lib/internal/locks.js
index a238a048ec610d..b3d605aa8bc79e 100644
--- a/lib/internal/locks.js
+++ b/lib/internal/locks.js
@@ -3,7 +3,9 @@
 const {
   ObjectDefineProperties,
   Promise,
+  PromisePrototypeThen,
   PromiseResolve,
+  SafePromisePrototypeFinally,
   Symbol,
   SymbolToStringTag,
 } = primordials;
@@ -15,6 +17,7 @@ const {
 const {
   kEmptyObject,
   lazyDOMException,
+  kEnumerableProperty,
 } = require('internal/util');
 const {
   validateAbortSignal,
@@ -86,8 +89,8 @@ class Lock {
 }
 
 ObjectDefineProperties(Lock.prototype, {
-  name: { __proto__: null, enumerable: true },
-  mode: { __proto__: null, enumerable: true },
+  name: kEnumerableProperty,
+  mode: kEnumerableProperty,
   [SymbolToStringTag]: {
     __proto__: null,
     value: 'Lock',
@@ -126,13 +129,13 @@ class LockManager {
    * @param {boolean} [options.ifAvailable] - Only grant if immediately available
    * @param {boolean} [options.steal] - Steal existing locks with same name
    * @param {AbortSignal} [options.signal] - Signal to abort pending lock request
-   * @param {Function} callback - Function called when lock is granted
+   * @param {Function} [callback] - Function called when lock is granted
    * @returns {Promise} Promise that resolves when the lock is released
    * @throws {TypeError} When name is not a string or callback is not a function
    * @throws {DOMException} When validation fails or operation is not supported
    */
   // https://w3c.github.io/web-locks/#api-lock-manager-request
-  async request(name, options, callback) {
+  async request(name, options, callback = undefined) {
     if (callback === undefined) {
       callback = options;
       options = undefined;
@@ -204,7 +207,7 @@ class LockManager {
         signal.addEventListener('abort', abortListener, { once: true });
 
         const wrappedCallback = (lock) => {
-          return PromiseResolve().then(() => {
+          return PromisePrototypeThen(PromiseResolve(), () => {
             if (signal.aborted) {
               return undefined;
             }
@@ -224,11 +227,10 @@ class LockManager {
           );
 
           // When released promise settles, clean up listener and resolve main promise
-          released
-            .then(resolve, (error) => reject(convertLockError(error)))
-            .finally(() => {
-              signal.removeEventListener('abort', abortListener);
-            });
+          SafePromisePrototypeFinally(
+            PromisePrototypeThen(released, resolve, (error) => reject(convertLockError(error))),
+            () => signal.removeEventListener('abort', abortListener),
+          );
         } catch (error) {
           signal.removeEventListener('abort', abortListener);
           reject(convertLockError(error));
@@ -265,8 +267,8 @@ class LockManager {
 }
 
 ObjectDefineProperties(LockManager.prototype, {
-  request: { __proto__: null, enumerable: true },
-  query: { __proto__: null, enumerable: true },
+  request: kEnumerableProperty,
+  query: kEnumerableProperty,
   [SymbolToStringTag]: {
     __proto__: null,
     value: 'LockManager',
@@ -276,16 +278,6 @@ ObjectDefineProperties(LockManager.prototype, {
   },
 });
 
-ObjectDefineProperties(LockManager.prototype.request, {
-  length: {
-    __proto__: null,
-    value: 2,
-    writable: false,
-    enumerable: false,
-    configurable: true,
-  },
-});
-
 module.exports = {
   Lock,
   LockManager,
diff --git a/lib/internal/process/pre_execution.js b/lib/internal/process/pre_execution.js
index 6a0d21cd90287b..c7f86098bdb00b 100644
--- a/lib/internal/process/pre_execution.js
+++ b/lib/internal/process/pre_execution.js
@@ -393,10 +393,7 @@ function setupStacktracePrinterOnSigint() {
   if (!getOptionValue('--trace-sigint')) {
     return;
   }
-  const { SigintWatchdog } = require('internal/watchdog');
-
-  const watchdog = new SigintWatchdog();
-  watchdog.start();
+  require('internal/util/trace_sigint').setTraceSigInt(true);
 }
 
 function initializeReport() {
diff --git a/lib/internal/source_map/prepare_stack_trace.js b/lib/internal/source_map/prepare_stack_trace.js
index 3e4b0825e7b3a5..814ea396f60144 100644
--- a/lib/internal/source_map/prepare_stack_trace.js
+++ b/lib/internal/source_map/prepare_stack_trace.js
@@ -112,17 +112,12 @@ function serializeJSStackFrame(sm, callSite, callerCallSite) {
 
   const typeName = callSite.getTypeName();
   const namePrefix = typeName !== null && typeName !== 'global' ? `${typeName}.` : '';
-  const originalName = `${namePrefix}${fnName || '<anonymous>'}`;
-  // The original call site may have a different symbol name
-  // associated with it, use it:
-  const mappedName = (name && name !== originalName) ?
-    `${name}` :
-    `${originalName}`;
-  const hasName = !!(name || originalName);
+  const originalName = `${fnName || '<anonymous>'}`;
+  const mappedName = `${namePrefix}${name || originalName}` || '';
   // Replace the transpiled call site with the original:
-  return `${prefix}${mappedName}${hasName ? ' (' : ''}` +
+  return `${prefix}${mappedName} (` +
     `${originalSourceNoScheme}:${originalLine + 1}:` +
-    `${originalColumn + 1}${hasName ? ')' : ''}`;
+    `${originalColumn + 1})`;
 }
 
 // Transpilers may have removed the original symbol name used in the stack
diff --git a/lib/internal/streams/fast-utf8-stream.js b/lib/internal/streams/fast-utf8-stream.js
new file mode 100644
index 00000000000000..3bfcc494d17b5c
--- /dev/null
+++ b/lib/internal/streams/fast-utf8-stream.js
@@ -0,0 +1,919 @@
+'use strict';
+
+// This file is derived from the original SonicBoom module
+// MIT License
+// Copyright (c) 2017 Matteo Collina
+
+const {
+  ArrayPrototypePush,
+  AtomicsWait,
+  Int32Array,
+  MathMax,
+  SymbolDispose,
+  globalThis: {
+    Number,
+    SharedArrayBuffer,
+  },
+} = primordials;
+
+const {
+  Buffer,
+} = require('buffer');
+
+const fs = require('fs');
+const EventEmitter = require('events');
+const path = require('path');
+const {
+  clearInterval,
+  setInterval,
+  setTimeout,
+} = require('timers');
+const {
+  codes: {
+    ERR_INVALID_ARG_TYPE,
+    ERR_INVALID_ARG_VALUE,
+    ERR_INVALID_STATE,
+    ERR_OPERATION_FAILED,
+  },
+} = require('internal/errors');
+
+const {
+  validateBoolean,
+  validateFunction,
+  validateObject,
+  validateOneOf,
+  validateString,
+  validateUint32,
+} = require('internal/validators');
+
+const BUSY_WRITE_TIMEOUT = 100;
+const kEmptyBuffer = Buffer.allocUnsafe(0);
+
+const kNil = new Int32Array(new SharedArrayBuffer(4));
+
+function sleep(ms) {
+  // Also filters out NaN, non-number types, including empty strings, but allows bigints
+  const valid = ms > 0 && ms < Infinity;
+  if (valid === false) {
+    if (typeof ms !== 'number' && typeof ms !== 'bigint') {
+      throw new ERR_INVALID_ARG_TYPE('ms', ['number', 'bigint'], ms);
+    }
+    throw new ERR_INVALID_ARG_VALUE.RangeError('ms', ms,
+                                               'must be a number greater than 0 and less than Infinity');
+  }
+
+  AtomicsWait(kNil, 0, 0, Number(ms));
+}
+
+// 16 KB. Don't write more than docker buffer size.
+// https://github.com/moby/moby/blob/513ec73831269947d38a644c278ce3cac36783b2/daemon/logger/copier.go#L13
+const kMaxWrite = 16 * 1024;
+const kContentModeBuffer = 'buffer';
+const kContentModeUtf8 = 'utf8';
+const kNullPrototype = { __proto__: null };
+
+// Utf8Stream is a port of the original SonicBoom module
+// (https://github.com/pinojs/sonic-boom) that provides a fast and efficient
+// way to write UTF-8 encoded data to a file or stream.
+class Utf8Stream extends EventEmitter {
+  #len = 0;
+  #fd = -1;
+  #bufs = [];
+  #lens = [];
+  #writing = false;
+  #ending = false;
+  #reopening = false;
+  #asyncDrainScheduled = false;
+  #flushPending = false;
+  #hwm = 16387; // 16 KB
+  #file = null;
+  #destroyed = false;
+  #minLength = 0;
+  #maxLength = 0;
+  #maxWrite = kMaxWrite;
+  #opening = false;
+  #periodicFlush = 0;
+  #periodicFlushTimer = undefined;
+  #sync = false;
+  #fsync = false;
+  #append = true;
+  #mode = 0o666;
+  #retryEAGAIN = () => true;
+  #mkdir = false;
+  #writingBuf = '';
+  #write;
+  #flush;
+  #flushSync;
+  #actualWrite;
+  #fsWriteSync;
+  #fsWrite;
+  #fs;
+
+  /**
+   * @typedef {object} Utf8StreamOptions
+   * @property {string} [dest] - path to the file to write to
+   * @property {number} [fd] - file descriptor to write to
+   * @property {number} [minLength] - minimum length of the internal buffer before a write is triggered
+   * @property {number} [maxLength] - maximum length of the internal buffer before writes are dropped
+   * @property {number} [maxWrite] - maximum size of a single write operation (default 16384)
+   * @property {number} [periodicFlush] - interval in ms to flush the stream periodically (default 0, disabled)
+   * @property {boolean} [sync] - if true, writes are performed synchronously (default false)
+   * @property {boolean} [fsync] - if true, fsync is called after every write (default false)
+   * @property {boolean} [append] - if true, data is appended to the file (default true, ignored
+   *   if fd is provided)
+   * @property {string} [contentMode] - 'utf8' or 'buffer'
+   * @property {string} [mode] - file mode (permission and sticky bits), default is 0o666
+   * @property {boolean} [mkdir] - if true, the directory path will be created if it does not exist (default false)
+   * @property {Function} [retryEAGAIN] - function that receives (err, writingBufLength,
+   *   remainingBufLength) and returns true if EAGAIN/EBUSY should be retried
+   * @property {object} [fs] - custom fs implementation, must provide write, writeSync, fsync,
+   *   fsyncSync, close, open, mkdir, mkdirSync methods. Mostly useful for testing.
+   * @param {Utf8StreamOptions} [options]
+   */
+  constructor(options = kNullPrototype) {
+    validateObject(options, 'options');
+    let {
+      fd,
+    } = options;
+    const {
+      dest,
+      minLength,
+      maxLength,
+      maxWrite,
+      periodicFlush,
+      sync,
+      append = true,
+      mkdir,
+      retryEAGAIN,
+      fsync,
+      contentMode = kContentModeUtf8,
+      mode,
+      // Provides for a custom fs implementation. Mostly useful for testing.
+      fs: overrideFs = {},
+    } = options;
+
+    super();
+
+    fd ??= dest;
+
+    validateObject(overrideFs, 'options.fs');
+    this.#fs = { ...fs, ...overrideFs };
+    validateFunction(this.#fs.write, 'options.fs.write');
+    validateFunction(this.#fs.writeSync, 'options.fs.writeSync');
+    validateFunction(this.#fs.fsync, 'options.fs.fsync');
+    validateFunction(this.#fs.fsyncSync, 'options.fs.fsyncSync');
+    validateFunction(this.#fs.close, 'options.fs.close');
+    validateFunction(this.#fs.open, 'options.fs.open');
+    validateFunction(this.#fs.mkdir, 'options.fs.mkdir');
+    validateFunction(this.#fs.mkdirSync, 'options.fs.mkdirSync');
+
+    this.#hwm = MathMax(minLength || 0, this.#hwm);
+    this.#minLength = minLength || 0;
+    this.#maxLength = maxLength || 0;
+    this.#maxWrite = maxWrite || kMaxWrite;
+    this.#periodicFlush = periodicFlush || 0;
+    this.#sync = sync || false;
+    this.#fsync = fsync || false;
+    this.#append = append || false;
+    this.#mode = mode;
+    this.#retryEAGAIN = retryEAGAIN || (() => true);
+    this.#mkdir = mkdir || false;
+
+    validateUint32(this.#hwm, 'options.hwm');
+    validateUint32(this.#minLength, 'options.minLength');
+    validateUint32(this.#maxLength, 'options.maxLength');
+    validateUint32(this.#maxWrite, 'options.maxWrite');
+    validateUint32(this.#periodicFlush, 'options.periodicFlush');
+    validateBoolean(this.#sync, 'options.sync');
+    validateBoolean(this.#fsync, 'options.fsync');
+    validateBoolean(this.#append, 'options.append');
+    validateBoolean(this.#mkdir, 'options.mkdir');
+    validateFunction(this.#retryEAGAIN, 'options.retryEAGAIN');
+    validateOneOf(contentMode, 'options.contentMode', [kContentModeBuffer, kContentModeUtf8]);
+
+    if (contentMode === kContentModeBuffer) {
+      this.#writingBuf = kEmptyBuffer;
+      this.#write = (...args) => this.#writeBuffer(...args);
+      this.#flush = (...args) => this.#flushBuffer(...args);
+      this.#flushSync = (...args) => this.#flushBufferSync(...args);
+      this.#actualWrite = (...args) => this.#actualWriteBuffer(...args);
+      this.#fsWriteSync = () => this.#fs.writeSync(this.#fd, this.#writingBuf);
+      this.#fsWrite = () => this.#fs.write(this.#fd, this.#writingBuf, (...args) => {
+        return this.#release(...args);
+      });
+    } else {
+      this.#writingBuf = '';
+      this.#write = (...args) => this.#writeUtf8(...args);
+      this.#flush = (...args) => this.#flushUtf8(...args);
+      this.#flushSync = (...args) => this.#flushSyncUtf8(...args);
+      this.#actualWrite = (...args) => this.#actualWriteUtf8(...args);
+      this.#fsWriteSync = () => this.#fs.writeSync(this.#fd, this.#writingBuf, 'utf8');
+      this.#fsWrite = () => this.#fs.write(this.#fd, this.#writingBuf, 'utf8', (...args) => {
+        return this.#release(...args);
+      });
+    }
+
+    // TODO(@jasnell): Support passing in an AbortSignal to cancel the stream.
+
+    // TODO(@jasnell): Support FileHandle here as well?
+
+    // TODO(@jasnell): The `dest` option is a path string. We may consider
+    // also supporting URL and Buffer types here as well like the rest of
+    // the fs module APIs do.
+
+    if (typeof fd === 'number') {
+      this.#fd = fd;
+      process.nextTick(() => this.emit('ready'));
+    } else if (typeof fd === 'string') {
+      this.#openFile(fd);
+    } else {
+      throw new ERR_INVALID_ARG_TYPE('fd', ['number', 'string'], fd);
+    }
+    if (this.#minLength >= this.#maxWrite) {
+      throw new ERR_INVALID_ARG_VALUE.RangeError('minLength', this.#minLength,
+                                                 `should be smaller than maxWrite (${this.#maxWrite})`);
+    }
+
+    this.on('newListener', (name) => {
+      if (name === 'drain') {
+        this._asyncDrainScheduled = false;
+      }
+    });
+
+    if (this.#periodicFlush !== 0) {
+      this.#periodicFlushTimer = setInterval(() => this.flush(null), this.#periodicFlush);
+      this.#periodicFlushTimer.unref();
+    }
+  }
+
+  /**
+   * @param {string|Buffer} data
+   * @returns {boolean}
+   */
+  write(data) {
+    return this.#write(data);
+  }
+
+  /**
+   * @callback FlushCallback
+   * @param {Error} [err] - Error if any
+   * @returns {void}
+   */
+
+  /**
+   * @param {FlushCallback} [cb]
+   */
+  flush(cb = function(_err) {}) { this.#flush(cb); }
+
+  flushSync() { return this.#flushSync(); }
+
+  /**
+   * @param {string} [file]
+   */
+  reopen(file) {
+    if (this.#destroyed) {
+      throw new ERR_INVALID_STATE('Utf8Stream is destroyed');
+    }
+
+    if (this.#opening) {
+      this.once('ready', () => this.reopen(file));
+      return;
+    }
+
+    if (this.#ending) {
+      return;
+    }
+
+    if (!this.#file) {
+      throw new ERR_OPERATION_FAILED(
+        'Unable to reopen a file descriptor, you must pass a file to SonicBoom');
+    }
+
+    if (file) {
+      this.#file = file;
+    }
+    this.#reopening = true;
+
+    if (this.#writing) {
+      return;
+    }
+
+    const fd = this.#fd;
+    this.once('ready', () => {
+      if (fd !== this.#fd) {
+        this.#fs.close(fd, (err) => {
+          if (err) {
+            return this.emit('error', err);
+          }
+        });
+      }
+    });
+
+    this.#openFile(this.#file);
+  }
+
+  end() {
+    if (this.#destroyed) {
+      throw new ERR_INVALID_STATE('Utf8Stream is destroyed');
+    }
+
+    if (this.#opening) {
+      this.once('ready', () => {
+        this.end();
+      });
+      return;
+    }
+
+    if (this.#ending) {
+      return;
+    }
+
+    this.#ending = true;
+
+    if (this.#writing) {
+      return;
+    }
+
+    if (this.#len > 0 && this.#fd >= 0) {
+      this.#actualWrite();
+    } else {
+      this.#actualClose();
+    }
+  }
+
+  destroy() {
+    if (this.#destroyed) {
+      return;
+    }
+    this.#actualClose();
+  }
+
+  /** @type {number} */
+  get mode() { return this.#mode; }
+
+  /** @type {string|undefined} */
+  get file() { return this.#file; }
+
+  /** @type {number} */
+  get fd() { return this.#fd; }
+
+  /** @type {number} */
+  get minLength() { return this.#minLength; }
+
+  /** @type {number} */
+  get maxLength() { return this.#maxLength; }
+
+  /** @type {boolean} */
+  get writing() { return this.#writing; }
+
+  /** @type {boolean} */
+  get sync() { return this.#sync; }
+
+  /** @type {boolean} */
+  get fsync() { return this.#fsync; }
+
+  /** @type {boolean} */
+  get append() { return this.#append; }
+
+  /** @type {number} */
+  get periodicFlush() { return this.#periodicFlush; }
+
+  /** @type {'buffer'|'utf8'} */
+  get contentMode() {
+    return this.#writingBuf instanceof Buffer ? kContentModeBuffer : kContentModeUtf8;
+  }
+
+  /** @type {boolean} */
+  get mkdir() { return this.#mkdir; }
+
+  [SymbolDispose]() { this.destroy(); }
+
+  #release(err, n) {
+    if (err) {
+      if ((err.code === 'EAGAIN' || err.code === 'EBUSY') &&
+          this.#retryEAGAIN(err, this.#writingBuf.length, this.#len - this.#writingBuf.length)) {
+        if (this.#sync) {
+          // This error code should not happen in sync mode, because it is
+          // not using the underlining operating system asynchronous functions.
+          // However it happens, and so we handle it.
+          // Ref: https://github.com/pinojs/pino/issues/783
+          try {
+            sleep(BUSY_WRITE_TIMEOUT);
+            this.#release(undefined, 0);
+          } catch (err) {
+            this.#release(err);
+          }
+        } else {
+          // Let's give the destination some time to process the chunk.
+          setTimeout(() => this.#fsWrite(), BUSY_WRITE_TIMEOUT);
+        }
+      } else {
+        this.#writing = false;
+
+        this.emit('error', err);
+      }
+      return;
+    }
+
+    this.emit('write', n);
+    const releasedBufObj = releaseWritingBuf(this.#writingBuf, this.#len, n);
+    this.#len = releasedBufObj.len;
+    this.#writingBuf = releasedBufObj.writingBuf;
+
+    if (this.#writingBuf.length) {
+      if (!this.#sync) {
+        this.#fsWrite();
+        return;
+      }
+
+      try {
+        do {
+          const n = this.#fsWriteSync();
+          const releasedBufObj = releaseWritingBuf(this.#writingBuf, this.#len, n);
+          this.#len = releasedBufObj.len;
+          this.#writingBuf = releasedBufObj.writingBuf;
+        } while (this.#writingBuf.length);
+      } catch (err) {
+        this.#release(err);
+        return;
+      }
+    }
+
+    if (this.#fsync) {
+      this.#fs.fsyncSync(this.#fd);
+    }
+
+    const len = this.#len;
+    if (this.#reopening) {
+      this.#writing = false;
+      this.#reopening = false;
+      this.reopen();
+    } else if (len > this.#minLength) {
+      this.#actualWrite();
+    } else if (this.#ending) {
+      if (len > 0) {
+        this.#actualWrite();
+      } else {
+        this.#writing = false;
+        this.#actualClose();
+      }
+    } else {
+      this.#writing = false;
+      if (this.#sync) {
+        if (!this.#asyncDrainScheduled) {
+          this.#asyncDrainScheduled = true;
+          process.nextTick(() => this.#emitDrain());
+        }
+      } else {
+        this.emit('drain');
+      }
+    }
+  }
+
+  #openFile(file) {
+    this.#opening = true;
+    this.#writing = true;
+    this.#asyncDrainScheduled = false;
+
+    // NOTE: 'error' and 'ready' events emitted below only relevant when sonic.sync===false
+    // for sync mode, there is no way to add a listener that will receive these
+
+    const fileOpened = (err, fd) => {
+      if (err) {
+        this.#reopening = false;
+        this.#writing = false;
+        this.#opening = false;
+
+        if (this.#sync) {
+          process.nextTick(() => {
+            if (this.listenerCount('error') > 0) {
+              this.emit('error', err);
+            }
+          });
+        } else {
+          this.emit('error', err);
+        }
+        return;
+      }
+
+      const reopening = this.#reopening;
+
+      this.#fd = fd;
+      this.#file = file;
+      this.#reopening = false;
+      this.#opening = false;
+      this.#writing = false;
+
+      if (this.#sync) {
+        process.nextTick(() => this.emit('ready'));
+      } else {
+        this.emit('ready');
+      }
+
+      if (this.#destroyed) {
+        return;
+      }
+
+      // start
+      if ((!this.#writing && this.#len > this.#minLength) || this.#flushPending) {
+        this.#actualWrite();
+      } else if (reopening) {
+        process.nextTick(() => this.emit('drain'));
+      }
+    };
+
+    const flags = this.#append ? 'a' : 'w';
+    const mode = this.#mode;
+
+    if (this.#sync) {
+      try {
+        if (this.#mkdir) this.#fs.mkdirSync(path.dirname(file), { recursive: true });
+        const fd = this.#fs.openSync(file, flags, mode);
+        fileOpened(null, fd);
+      } catch (err) {
+        fileOpened(err);
+        throw err;
+      }
+    } else if (this.#mkdir) {
+      this.#fs.mkdir(path.dirname(file), { recursive: true }, (err) => {
+        if (err) return fileOpened(err);
+        this.#fs.open(file, flags, mode, fileOpened);
+      });
+    } else {
+      this.#fs.open(file, flags, mode, fileOpened);
+    }
+  }
+
+  #emitDrain() {
+    const hasListeners = this.listenerCount('drain') > 0;
+    if (!hasListeners) return;
+    this.#asyncDrainScheduled = false;
+    this.emit('drain');
+  }
+
+  #actualClose() {
+    if (this.#fd === -1) {
+      this.once('ready', () => this.#actualClose());
+      return;
+    }
+
+    if (this.#periodicFlushTimer !== undefined) {
+      clearInterval(this.#periodicFlushTimer);
+    }
+
+    this.#destroyed = true;
+    this.#bufs = [];
+    this.#lens = [];
+
+    const done = (err) => {
+      if (err) {
+        this.emit('error', err);
+        return;
+      }
+
+      if (this.#ending && !this.#writing) {
+        this.emit('finish');
+      }
+      this.emit('close');
+    };
+
+    const closeWrapped = () => {
+      // We skip errors in fsync
+      if (this.#fd !== 1 && this.#fd !== 2) {
+        this.#fs.close(this.#fd, done);
+      } else {
+        done();
+      }
+    };
+
+    try {
+      this.#fs.fsync(this.#fd, closeWrapped);
+    } catch {
+      // Intentionally empty.
+    }
+  }
+
+  #actualWriteBuffer() {
+    this.#writing = true;
+    this.#writingBuf = this.#writingBuf.length ? this.#writingBuf : mergeBuf(this.#bufs.shift(), this.#lens.shift());
+
+    if (this.#sync) {
+      try {
+        const written = this.#fs.writeSync(this.#fd, this.#writingBuf);
+        this.#release(null, written);
+      } catch (err) {
+        this.#release(err);
+      }
+    } else {
+      // fs.write will need to copy string to buffer anyway so
+      // we do it here to avoid the overhead of calculating the buffer size
+      // in releaseWritingBuf.
+      this.#writingBuf = Buffer.from(this.#writingBuf);
+      this.#fs.write(this.#fd, this.#writingBuf, (...args) => this.#release(...args));
+    }
+  }
+
+  #actualWriteUtf8() {
+    this.#writing = true;
+    this.#writingBuf ||= this.#bufs.shift() || '';
+
+    if (this.#sync) {
+      try {
+        const written = this.#fs.writeSync(this.#fd, this.#writingBuf, 'utf8');
+        this.#release(null, written);
+      } catch (err) {
+        this.#release(err);
+      }
+    } else {
+      this.#fs.write(this.#fd, this.#writingBuf, 'utf8', (...args) => this.#release(...args));
+    }
+  }
+
+  #flushBufferSync() {
+    if (this.#destroyed) {
+      throw new ERR_INVALID_STATE('Utf8Stream is destroyed');
+    }
+
+    if (this.#fd < 0) {
+      throw new ERR_INVALID_STATE('Invalid file descriptor');
+    }
+
+    if (!this.#writing && this.#writingBuf.length > 0) {
+      this.#bufs.unshift([this.#writingBuf]);
+      this.#writingBuf = kEmptyBuffer;
+    }
+
+    let buf = kEmptyBuffer;
+    while (this.#bufs.length || buf.length) {
+      if (buf.length <= 0) {
+        buf = mergeBuf(this.#bufs[0], this.#lens[0]);
+      }
+      try {
+        const n = this.#fs.writeSync(this.#fd, buf);
+        buf = buf.subarray(n);
+        this.#len = MathMax(this.#len - n, 0);
+        if (buf.length <= 0) {
+          this.#bufs.shift();
+          this.#lens.shift();
+        }
+      } catch (err) {
+        const shouldRetry = err.code === 'EAGAIN' || err.code === 'EBUSY';
+        if (shouldRetry && !this.#retryEAGAIN(err, buf.length, this.#len - buf.length)) {
+          throw err;
+        }
+
+        sleep(BUSY_WRITE_TIMEOUT);
+      }
+    }
+  }
+
+  #flushSyncUtf8() {
+    if (this.#destroyed) {
+      throw new ERR_INVALID_STATE('Utf8Stream is destroyed');
+    }
+
+    if (this.#fd < 0) {
+      throw new ERR_INVALID_STATE('Invalid file descriptor');
+    }
+
+    if (!this.#writing && this.#writingBuf.length > 0) {
+      this.#bufs.unshift(this.#writingBuf);
+      this.#writingBuf = '';
+    }
+
+    let buf = '';
+    while (this.#bufs.length || buf) {
+      if (buf.length <= 0) {
+        buf = this.#bufs[0];
+      }
+      try {
+        const n = this.#fs.writeSync(this.#fd, buf, 'utf8');
+        const releasedBufObj = releaseWritingBuf(buf, this.#len, n);
+        buf = releasedBufObj.writingBuf;
+        this.#len = releasedBufObj.len;
+        if (buf.length <= 0) {
+          this.#bufs.shift();
+        }
+      } catch (err) {
+        const shouldRetry = err.code === 'EAGAIN' || err.code === 'EBUSY';
+        if (shouldRetry && !this.#retryEAGAIN(err, buf.length, this.#len - buf.length)) {
+          throw err;
+        }
+
+        sleep(BUSY_WRITE_TIMEOUT);
+      }
+    }
+
+    try {
+      this.#fs.fsyncSync(this.#fd);
+    } catch {
+      // Skip the error. The fd might not support fsync.
+    }
+  }
+
+  #callFlushCallbackOnDrain(cb) {
+    this.#flushPending = true;
+    const onDrain = () => {
+      // Only if _fsync is false to avoid double fsync
+      if (!this.#fsync && !this.#destroyed) {
+        try {
+          this.#fs.fsync(this.#fd, (err) => {
+            this.#flushPending = false;
+            // If the fd is closed, we ignore the error.
+            if (err?.code === 'EBADF') {
+              cb();
+              return;
+            }
+            cb(err);
+          });
+        } catch (err) {
+          this.#flushPending = false;
+          cb(err);
+        }
+      } else {
+        this.#flushPending = false;
+        cb();
+      }
+      this.off('error', onError);
+    };
+    const onError = (err) => {
+      this.#flushPending = false;
+      cb(err);
+      this.off('drain', onDrain);
+    };
+
+    this.once('drain', onDrain);
+    this.once('error', onError);
+  }
+
+  #flushBuffer(cb) {
+    validateFunction(cb, 'cb');
+
+    if (this.#destroyed) {
+      const error = new ERR_INVALID_STATE('Utf8Stream is destroyed');
+      if (cb) {
+        cb(error);
+        return;
+      }
+
+      throw error;
+    }
+
+    if (this.#minLength <= 0) {
+      cb?.();
+      return;
+    }
+
+    if (cb) {
+      this.#callFlushCallbackOnDrain(cb);
+    }
+
+    if (this.#writing) {
+      return;
+    }
+
+    if (this.#bufs.length === 0) {
+      ArrayPrototypePush(this.#bufs, []);
+      ArrayPrototypePush(this.#lens, 0);
+    }
+
+    this.#actualWrite();
+  }
+
+  #flushUtf8(cb) {
+    validateFunction(cb, 'cb');
+
+    if (this.#destroyed) {
+      const error = new ERR_INVALID_STATE('Utf8Stream is destroyed');
+      if (cb) {
+        cb(error);
+        return;
+      }
+
+      throw error;
+    }
+
+    if (this.#minLength <= 0) {
+      cb?.();
+      return;
+    }
+
+    if (cb) {
+      this.#callFlushCallbackOnDrain(cb);
+    }
+
+    if (this.#writing) {
+      return;
+    }
+
+    if (this.#bufs.length === 0) {
+      ArrayPrototypePush(this.#bufs, '');
+    }
+
+    this.#actualWrite();
+  }
+
+  #writeBuffer(data) {
+    if (this.#destroyed) {
+      throw new ERR_INVALID_STATE('Utf8Stream is destroyed');
+    }
+
+    // TODO(@jasnell): Support any ArrayBufferView type here, not just Buffer.
+    if (!Buffer.isBuffer(data)) {
+      throw new ERR_INVALID_ARG_TYPE('data', 'Buffer', data);
+    }
+
+    const len = this.#len + data.length;
+    const bufs = this.#bufs;
+    const lens = this.#lens;
+
+    if (this.#maxLength && len > this.#maxLength) {
+      this.emit('drop', data);
+      return this.#len < this.#hwm;
+    }
+
+    if (
+      bufs.length === 0 ||
+      lens[lens.length - 1] + data.length > this.#maxWrite
+    ) {
+      ArrayPrototypePush(bufs, []);
+      ArrayPrototypePush(lens, data.length);
+    } else {
+      ArrayPrototypePush(bufs[bufs.length - 1], data);
+      lens[lens.length - 1] += data.length;
+    }
+
+    this.#len = len;
+
+    if (!this.#writing && this.#len >= this.#minLength) {
+      this.#actualWrite();
+    }
+
+    return this.#len < this.#hwm;
+  }
+
+  #writeUtf8(data) {
+    if (this.#destroyed) {
+      throw new ERR_INVALID_STATE('Utf8Stream is destroyed');
+    }
+    validateString(data, 'data');
+
+    const len = this.#len + data.length;
+    const bufs = this.#bufs;
+
+    if (this.#maxLength && len > this.#maxLength) {
+      this.emit('drop', data);
+      return this.#len < this.#hwm;
+    }
+
+    if (
+      bufs.length === 0 ||
+      bufs[bufs.length - 1].length + data.length > this.#maxWrite
+    ) {
+      ArrayPrototypePush(bufs, '' + data);
+    } else {
+      bufs[bufs.length - 1] += data;
+    }
+
+    this.#len = len;
+
+    if (!this.#writing && this.#len >= this.#minLength) {
+      this.#actualWrite();
+    }
+
+    return this.#len < this.#hwm;
+  }
+}
+
+/**
+ * Release the writingBuf after fs.write n bytes data
+ * @param {string | Buffer} writingBuf - currently writing buffer, usually be instance._writingBuf.
+ * @param {number} len - currently buffer length, usually be instance._len.
+ * @param {number} n - number of bytes fs already written
+ * @returns {{writingBuf: string | Buffer, len: number}} released writingBuf and length
+ */
+function releaseWritingBuf(writingBuf, len, n) {
+  // if Buffer.byteLength is equal to n, that means writingBuf contains no multi-byte character
+  if (typeof writingBuf === 'string' && Buffer.byteLength(writingBuf) !== n) {
+    // Since the fs.write callback parameter `n` means how many bytes the passed of string
+    // We calculate the original string length for avoiding the multi-byte character issue
+    n = Buffer.from(writingBuf).subarray(0, n).toString().length;
+  }
+  len = MathMax(len - n, 0);
+  writingBuf = writingBuf.slice(n);
+  return { writingBuf, len };
+}
+
+function mergeBuf(bufs, len) {
+  if (bufs.length === 0) {
+    return kEmptyBuffer;
+  }
+
+  if (bufs.length === 1) {
+    return bufs[0];
+  }
+
+  return Buffer.concat(bufs, len);
+}
+
+module.exports = Utf8Stream;
diff --git a/lib/internal/streams/writable.js b/lib/internal/streams/writable.js
index 1081db9ffcf661..67beef44142d44 100644
--- a/lib/internal/streams/writable.js
+++ b/lib/internal/streams/writable.js
@@ -784,7 +784,7 @@ function clearBuffer(stream, state) {
     if (i === buffered.length) {
       resetBuffer(state);
     } else if (i > 256) {
-      buffered.splice(0, i);
+      state[kBufferedValue] = ArrayPrototypeSlice(buffered, i);
       state.bufferedIndex = 0;
     } else {
       state.bufferedIndex = i;
diff --git a/lib/internal/test_runner/coverage.js b/lib/internal/test_runner/coverage.js
index d8b4cfd8b5e7e0..80811dffb1e1d0 100644
--- a/lib/internal/test_runner/coverage.js
+++ b/lib/internal/test_runner/coverage.js
@@ -28,7 +28,7 @@ const {
 const { setupCoverageHooks } = require('internal/util');
 const { tmpdir } = require('os');
 const { join, resolve, relative } = require('path');
-const { fileURLToPath } = require('internal/url');
+const { fileURLToPath, URL } = require('internal/url');
 const { kMappings, SourceMap } = require('internal/source_map/source_map');
 const {
   codes: {
@@ -37,6 +37,7 @@ const {
   },
 } = require('internal/errors');
 const { matchGlobPattern } = require('internal/fs/glob');
+const { kMockSearchParam } = require('internal/test_runner/mock/mock');
 
 const kCoverageFileRegex = /^coverage-(\d+)-(\d{13})-(\d+)\.json$/;
 const kIgnoreRegex = /\/\* node:coverage ignore next (?<count>\d+ )?\*\//;
@@ -497,6 +498,11 @@ class TestCoverage {
       return true;
     }
 
+    const searchParams = new URL(url).searchParams;
+    if (searchParams.get(kMockSearchParam)) {
+      return true;
+    }
+
     // This check filters out the node_modules/ directory, unless it is explicitly included.
     return StringPrototypeIncludes(url, '/node_modules/');
   }
diff --git a/lib/internal/test_runner/mock/mock.js b/lib/internal/test_runner/mock/mock.js
index 3004c9c8adfacd..8a63c7757d1752 100644
--- a/lib/internal/test_runner/mock/mock.js
+++ b/lib/internal/test_runner/mock/mock.js
@@ -36,7 +36,6 @@ const {
   fileURLToPath,
   isURL,
   pathToFileURL,
-  toPathIfFileURL,
   URL,
 } = require('internal/url');
 const {
@@ -210,7 +209,7 @@ class MockModuleContext {
       defaultExport,
       hasDefaultExport,
       namedExports,
-      caller: toPathIfFileURL(caller),
+      caller,
     };
 
     sharedState.mockMap.set(baseURL, config);
diff --git a/lib/internal/util/trace_sigint.js b/lib/internal/util/trace_sigint.js
new file mode 100644
index 00000000000000..fe946f1486c232
--- /dev/null
+++ b/lib/internal/util/trace_sigint.js
@@ -0,0 +1,29 @@
+'use strict';
+
+const { isMainThread } = require('worker_threads');
+const {
+  ERR_WORKER_UNSUPPORTED_OPERATION,
+} = require('internal/errors').codes;
+
+let sigintWatchdog;
+function getSigintWatchdog() {
+  if (!sigintWatchdog) {
+    const { SigintWatchdog } = require('internal/watchdog');
+    sigintWatchdog = new SigintWatchdog();
+  }
+  return sigintWatchdog;
+}
+
+function setTraceSigInt(enable) {
+  if (!isMainThread)
+    throw new ERR_WORKER_UNSUPPORTED_OPERATION('Calling util.setTraceSigInt');
+  if (enable) {
+    getSigintWatchdog().start();
+  } else {
+    getSigintWatchdog().stop();
+  }
+};
+
+module.exports = {
+  setTraceSigInt,
+};
diff --git a/lib/internal/worker.js b/lib/internal/worker.js
index 1df638ff77864c..187781fc851159 100644
--- a/lib/internal/worker.js
+++ b/lib/internal/worker.js
@@ -8,6 +8,7 @@ const {
   Float64Array,
   FunctionPrototypeBind,
   MathMax,
+  NumberMAX_SAFE_INTEGER,
   ObjectEntries,
   Promise,
   PromiseResolve,
@@ -40,6 +41,7 @@ const {
   ERR_WORKER_INVALID_EXEC_ARGV,
   ERR_INVALID_ARG_TYPE,
   ERR_INVALID_ARG_VALUE,
+  ERR_OPERATION_FAILED,
 } = errorCodes;
 
 const workerIo = require('internal/worker/io');
@@ -60,7 +62,7 @@ const { createMainThreadPort, destroyMainThreadPort } = require('internal/worker
 const { deserializeError } = require('internal/error_serdes');
 const { fileURLToPath, isURL, pathToFileURL } = require('internal/url');
 const { kEmptyObject } = require('internal/util');
-const { validateArray, validateString } = require('internal/validators');
+const { validateArray, validateString, validateObject, validateNumber } = require('internal/validators');
 const {
   throwIfBuildingSnapshot,
 } = require('internal/v8/startup_snapshot');
@@ -70,6 +72,7 @@ const {
   isInternalThread,
   resourceLimits: resourceLimitsRaw,
   threadId,
+  threadName,
   Worker: WorkerImpl,
   kMaxYoungGenerationSizeMb,
   kMaxOldGenerationSizeMb,
@@ -431,6 +434,12 @@ class Worker extends EventEmitter {
     return this[kHandle].threadId;
   }
 
+  get threadName() {
+    if (this[kHandle] === null) return null;
+
+    return this[kHandle].threadName;
+  }
+
   get stdin() {
     return this[kParentSideStdio].stdin;
   }
@@ -474,6 +483,37 @@ class Worker extends EventEmitter {
       };
     });
   }
+
+  cpuUsage(prev) {
+    if (prev) {
+      validateObject(prev, 'prev');
+      validateNumber(prev.user, 'prev.user', 0, NumberMAX_SAFE_INTEGER);
+      validateNumber(prev.system, 'prev.system', 0, NumberMAX_SAFE_INTEGER);
+    }
+    if (process.platform === 'sunos') {
+      throw new ERR_OPERATION_FAILED('worker.cpuUsage() is not available on SunOS');
+    }
+    const taker = this[kHandle]?.cpuUsage();
+    return new Promise((resolve, reject) => {
+      if (!taker) return reject(new ERR_WORKER_NOT_RUNNING());
+      taker.ondone = (err, current) => {
+        if (err !== null) {
+          return reject(err);
+        }
+        if (prev) {
+          resolve({
+            user: current.user - prev.user,
+            system: current.system - prev.system,
+          });
+        } else {
+          resolve({
+            user: current.user,
+            system: current.system,
+          });
+        }
+      };
+    });
+  }
 }
 
 /**
@@ -564,6 +604,7 @@ module.exports = {
   getEnvironmentData,
   assignEnvironmentData,
   threadId,
+  threadName,
   InternalWorker,
   Worker,
 };
diff --git a/lib/path.js b/lib/path.js
index 70b0f67e93bf1e..be6fd8b24ac8bf 100644
--- a/lib/path.js
+++ b/lib/path.js
@@ -73,6 +73,8 @@ const WINDOWS_RESERVED_NAMES = [
   'CON', 'PRN', 'AUX', 'NUL',
   'COM1', 'COM2', 'COM3', 'COM4', 'COM5', 'COM6', 'COM7', 'COM8', 'COM9',
   'LPT1', 'LPT2', 'LPT3', 'LPT4', 'LPT5', 'LPT6', 'LPT7', 'LPT8', 'LPT9',
+  'COM\xb9', 'COM\xb2', 'COM\xb3',
+  'LPT\xb9', 'LPT\xb2', 'LPT\xb3',
 ];
 
 function isWindowsReservedName(path, colonIndex) {
@@ -398,6 +400,13 @@ const win32 = {
                 // We matched a device root (e.g. \\\\.\\PHYSICALDRIVE0)
                 device = `\\\\${firstPart}`;
                 rootEnd = 4;
+                const colonIndex = StringPrototypeIndexOf(path, ':');
+                // Special case: handle \\?\COM1: or similar reserved device paths
+                const possibleDevice = StringPrototypeSlice(path, 4, colonIndex + 1);
+                if (isWindowsReservedName(possibleDevice, possibleDevice.length - 1)) {
+                  device = `\\\\?\\${possibleDevice}`;
+                  rootEnd = 4 + possibleDevice.length;
+                }
               } else if (j === len) {
                 // We matched a UNC root only
                 // Return the normalized version of the UNC root since there
@@ -556,6 +565,36 @@ const win32 = {
         joined = `\\${StringPrototypeSlice(joined, slashCount)}`;
     }
 
+    // Skip normalization when reserved device names are present
+    const parts = [];
+    let part = '';
+
+    for (let i = 0; i < joined.length; i++) {
+      if (joined[i] === '\\') {
+        if (part) parts.push(part);
+        part = '';
+        // Skip consecutive backslashes
+        while (i + 1 < joined.length && joined[i + 1] === '\\') i++;
+      } else {
+        part += joined[i];
+      }
+    }
+    // Add the final part if any
+    if (part) parts.push(part);
+
+    // Check if any part has a Windows reserved name
+    if (parts.some((p) => {
+      const colonIndex = StringPrototypeIndexOf(p, ':');
+      return colonIndex !== -1 && isWindowsReservedName(p, colonIndex);
+    })) {
+      // Replace forward slashes with backslashes
+      let result = '';
+      for (let i = 0; i < joined.length; i++) {
+        result += joined[i] === '/' ? '\\' : joined[i];
+      }
+      return result;
+    }
+
     return win32.normalize(joined);
   },
 
diff --git a/lib/util.js b/lib/util.js
index 0884a8d518602d..4b014a290c312f 100644
--- a/lib/util.js
+++ b/lib/util.js
@@ -535,3 +535,9 @@ defineLazyProperties(
   'internal/util/diff',
   ['diff'],
 );
+
+defineLazyProperties(
+  module.exports,
+  'internal/util/trace_sigint',
+  ['setTraceSigInt'],
+);
diff --git a/lib/worker_threads.js b/lib/worker_threads.js
index c62f5eeea8bb9c..78007d1502b352 100644
--- a/lib/worker_threads.js
+++ b/lib/worker_threads.js
@@ -8,6 +8,7 @@ const {
   setEnvironmentData,
   getEnvironmentData,
   threadId,
+  threadName,
   Worker,
 } = require('internal/worker');
 
@@ -44,6 +45,7 @@ module.exports = {
   resourceLimits,
   postMessageToThread,
   threadId,
+  threadName,
   SHARE_ENV,
   Worker,
   parentPort: null,
diff --git a/lib/zlib.js b/lib/zlib.js
index 57d0bcfd84c0f9..6fce059732f2da 100644
--- a/lib/zlib.js
+++ b/lib/zlib.js
@@ -893,12 +893,15 @@ class Zstd extends ZlibBase {
     const pledgedSrcSize = opts?.pledgedSrcSize ?? undefined;
 
     const writeState = new Uint32Array(2);
+
     handle.init(
       initParamsArray,
       pledgedSrcSize,
       writeState,
       processCallback,
+      opts?.dictionary && isArrayBufferView(opts.dictionary) ? opts.dictionary : undefined,
     );
+
     super(opts, mode, handle, zstdDefaultOpts);
     this._writeState = writeState;
   }
diff --git a/node.gni b/node.gni
index b049f0692980c3..d4438f7fd61598 100644
--- a/node.gni
+++ b/node.gni
@@ -42,6 +42,9 @@ declare_args() {
   # The variable is called "openssl" for parity with node's GYP build.
   node_use_openssl = true
 
+  # Build node with SQLite support.
+  node_use_sqlite = true
+
   # Use the specified path to system CA (PEM format) in addition to
   # the BoringSSL supplied CA store or compiled-in Mozilla CA copy.
   node_openssl_system_ca_path = ""
diff --git a/node.gyp b/node.gyp
index 9d677182eca590..bcf01a6b1b5634 100644
--- a/node.gyp
+++ b/node.gyp
@@ -334,6 +334,7 @@
       'src/crypto/crypto_cipher.cc',
       'src/crypto/crypto_context.cc',
       'src/crypto/crypto_ec.cc',
+      'src/crypto/crypto_ml_dsa.cc',
       'src/crypto/crypto_hmac.cc',
       'src/crypto/crypto_random.cc',
       'src/crypto/crypto_rsa.cc',
@@ -365,6 +366,7 @@
       'src/crypto/crypto_clienthello.h',
       'src/crypto/crypto_context.h',
       'src/crypto/crypto_ec.h',
+      'src/crypto/crypto_ml_dsa.h',
       'src/crypto/crypto_hkdf.h',
       'src/crypto/crypto_pbkdf2.h',
       'src/crypto/crypto_sig.h',
diff --git a/src/api/environment.cc b/src/api/environment.cc
index 417c9ca64b36dd..798f35cb5c6148 100644
--- a/src/api/environment.cc
+++ b/src/api/environment.cc
@@ -414,6 +414,25 @@ Environment* CreateEnvironment(
     EnvironmentFlags::Flags flags,
     ThreadId thread_id,
     std::unique_ptr<InspectorParentHandle> inspector_parent_handle) {
+  return CreateEnvironment(isolate_data,
+                           context,
+                           args,
+                           exec_args,
+                           flags,
+                           thread_id,
+                           std::move(inspector_parent_handle),
+                           {});
+}
+
+Environment* CreateEnvironment(
+    IsolateData* isolate_data,
+    Local<Context> context,
+    const std::vector<std::string>& args,
+    const std::vector<std::string>& exec_args,
+    EnvironmentFlags::Flags flags,
+    ThreadId thread_id,
+    std::unique_ptr<InspectorParentHandle> inspector_parent_handle,
+    std::string_view thread_name) {
   Isolate* isolate = isolate_data->isolate();
 
   Isolate::Scope isolate_scope(isolate);
@@ -434,7 +453,8 @@ Environment* CreateEnvironment(
                                      exec_args,
                                      env_snapshot_info,
                                      flags,
-                                     thread_id);
+                                     thread_id,
+                                     thread_name);
   CHECK_NOT_NULL(env);
 
   if (use_snapshot) {
diff --git a/src/async_wrap.h b/src/async_wrap.h
index 398e31c1b45e16..adb0c64bbb8eb8 100644
--- a/src/async_wrap.h
+++ b/src/async_wrap.h
@@ -79,6 +79,7 @@ namespace node {
   V(UDPWRAP)                                                                   \
   V(SIGINTWATCHDOG)                                                            \
   V(WORKER)                                                                    \
+  V(WORKERCPUUSAGE)                                                            \
   V(WORKERHEAPSNAPSHOT)                                                        \
   V(WORKERHEAPSTATISTICS)                                                      \
   V(WRITEWRAP)                                                                 \
diff --git a/src/crypto/crypto_dsa.cc b/src/crypto/crypto_dsa.cc
index eff34444999fbb..c2ae2eceb2cf2f 100644
--- a/src/crypto/crypto_dsa.cc
+++ b/src/crypto/crypto_dsa.cc
@@ -74,37 +74,6 @@ Maybe<void> DsaKeyGenTraits::AdditionalConfig(
   return JustVoid();
 }
 
-Maybe<void> DSAKeyExportTraits::AdditionalConfig(
-    const FunctionCallbackInfo<Value>& args,
-    unsigned int offset,
-    DSAKeyExportConfig* params) {
-  return JustVoid();
-}
-
-WebCryptoKeyExportStatus DSAKeyExportTraits::DoExport(
-    const KeyObjectData& key_data,
-    WebCryptoKeyFormat format,
-    const DSAKeyExportConfig& params,
-    ByteSource* out) {
-  CHECK_NE(key_data.GetKeyType(), kKeyTypeSecret);
-
-  switch (format) {
-    case kWebCryptoKeyFormatRaw:
-      // Not supported for RSA keys of either type
-      return WebCryptoKeyExportStatus::FAILED;
-    case kWebCryptoKeyFormatPKCS8:
-      if (key_data.GetKeyType() != kKeyTypePrivate)
-        return WebCryptoKeyExportStatus::INVALID_KEY_TYPE;
-      return PKEY_PKCS8_Export(key_data, out);
-    case kWebCryptoKeyFormatSPKI:
-      if (key_data.GetKeyType() != kKeyTypePublic)
-        return WebCryptoKeyExportStatus::INVALID_KEY_TYPE;
-      return PKEY_SPKI_Export(key_data, out);
-    default:
-      UNREACHABLE();
-  }
-}
-
 bool GetDsaKeyDetail(Environment* env,
                      const KeyObjectData& key,
                      Local<Object> target) {
@@ -132,12 +101,10 @@ bool GetDsaKeyDetail(Environment* env,
 namespace DSAAlg {
 void Initialize(Environment* env, Local<Object> target) {
   DsaKeyPairGenJob::Initialize(env, target);
-  DSAKeyExportJob::Initialize(env, target);
 }
 
 void RegisterExternalReferences(ExternalReferenceRegistry* registry) {
   DsaKeyPairGenJob::RegisterExternalReferences(registry);
-  DSAKeyExportJob::RegisterExternalReferences(registry);
 }
 }  // namespace DSAAlg
 }  // namespace crypto
diff --git a/src/crypto/crypto_dsa.h b/src/crypto/crypto_dsa.h
index d761aad2ad02c7..784923c0abd227 100644
--- a/src/crypto/crypto_dsa.h
+++ b/src/crypto/crypto_dsa.h
@@ -36,29 +36,6 @@ struct DsaKeyGenTraits final {
 
 using DsaKeyPairGenJob = KeyGenJob<KeyPairGenTraits<DsaKeyGenTraits>>;
 
-struct DSAKeyExportConfig final : public MemoryRetainer {
-  SET_NO_MEMORY_INFO()
-  SET_MEMORY_INFO_NAME(DSAKeyExportConfig)
-  SET_SELF_SIZE(DSAKeyExportConfig)
-};
-
-struct DSAKeyExportTraits final {
-  static constexpr const char* JobName = "DSAKeyExportJob";
-  using AdditionalParameters = DSAKeyExportConfig;
-
-  static v8::Maybe<void> AdditionalConfig(
-      const v8::FunctionCallbackInfo<v8::Value>& args,
-      unsigned int offset,
-      DSAKeyExportConfig* config);
-
-  static WebCryptoKeyExportStatus DoExport(const KeyObjectData& key_data,
-                                           WebCryptoKeyFormat format,
-                                           const DSAKeyExportConfig& params,
-                                           ByteSource* out);
-};
-
-using DSAKeyExportJob = KeyExportJob<DSAKeyExportTraits>;
-
 bool GetDsaKeyDetail(Environment* env,
                      const KeyObjectData& key,
                      v8::Local<v8::Object> target);
diff --git a/src/crypto/crypto_keys.cc b/src/crypto/crypto_keys.cc
index 458282b1cdfa7a..167018d7d208c6 100644
--- a/src/crypto/crypto_keys.cc
+++ b/src/crypto/crypto_keys.cc
@@ -1,12 +1,13 @@
 #include "crypto/crypto_keys.h"
+#include "async_wrap-inl.h"
+#include "base_object-inl.h"
 #include "crypto/crypto_common.h"
+#include "crypto/crypto_dh.h"
 #include "crypto/crypto_dsa.h"
 #include "crypto/crypto_ec.h"
-#include "crypto/crypto_dh.h"
+#include "crypto/crypto_ml_dsa.h"
 #include "crypto/crypto_rsa.h"
 #include "crypto/crypto_util.h"
-#include "async_wrap-inl.h"
-#include "base_object-inl.h"
 #include "env-inl.h"
 #include "memory_tracker-inl.h"
 #include "node.h"
@@ -176,6 +177,14 @@ bool ExportJWKAsymmetricKey(Environment* env,
       // Fall through
     case EVP_PKEY_X448:
       return ExportJWKEdKey(env, key, target);
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+    case EVP_PKEY_ML_DSA_44:
+      // Fall through
+    case EVP_PKEY_ML_DSA_65:
+      // Fall through
+    case EVP_PKEY_ML_DSA_87:
+      return ExportJwkMlDsaKey(env, key, target);
+#endif
   }
   THROW_ERR_CRYPTO_JWK_UNSUPPORTED_KEY_TYPE(env);
   return false;
@@ -261,7 +270,7 @@ bool ExportJWKInner(Environment* env,
                    env, key, result.As<Object>(), handleRsaPss);
 }
 
-int GetOKPCurveFromName(const char* name) {
+int GetNidFromName(const char* name) {
   int nid;
   if (strcmp(name, "Ed25519") == 0) {
     nid = EVP_PKEY_ED25519;
@@ -271,6 +280,14 @@ int GetOKPCurveFromName(const char* name) {
     nid = EVP_PKEY_X25519;
   } else if (strcmp(name, "X448") == 0) {
     nid = EVP_PKEY_X448;
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+  } else if (strcmp(name, "ML-DSA-44") == 0) {
+    nid = EVP_PKEY_ML_DSA_44;
+  } else if (strcmp(name, "ML-DSA-65") == 0) {
+    nid = EVP_PKEY_ML_DSA_65;
+  } else if (strcmp(name, "ML-DSA-87") == 0) {
+    nid = EVP_PKEY_ML_DSA_87;
+#endif
   } else {
     nid = NID_undef;
   }
@@ -603,6 +620,9 @@ Local<Function> KeyObjectHandle::Initialize(Environment* env) {
     SetProtoMethod(isolate, templ, "exportJwk", ExportJWK);
     SetProtoMethod(isolate, templ, "initECRaw", InitECRaw);
     SetProtoMethod(isolate, templ, "initEDRaw", InitEDRaw);
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+    SetProtoMethod(isolate, templ, "initMlDsaRaw", InitMlDsaRaw);
+#endif
     SetProtoMethod(isolate, templ, "initJwk", InitJWK);
     SetProtoMethod(isolate, templ, "keyDetail", GetKeyDetail);
     SetProtoMethod(isolate, templ, "equals", Equals);
@@ -623,6 +643,9 @@ void KeyObjectHandle::RegisterExternalReferences(
   registry->Register(ExportJWK);
   registry->Register(InitECRaw);
   registry->Register(InitEDRaw);
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+  registry->Register(InitMlDsaRaw);
+#endif
   registry->Register(InitJWK);
   registry->Register(GetKeyDetail);
   registry->Register(Equals);
@@ -789,7 +812,7 @@ void KeyObjectHandle::InitEDRaw(const FunctionCallbackInfo<Value>& args) {
   new_key_fn fn = type == kKeyTypePrivate ? EVPKeyPointer::NewRawPrivate
                                           : EVPKeyPointer::NewRawPublic;
 
-  int id = GetOKPCurveFromName(*name);
+  int id = GetNidFromName(*name);
 
   switch (id) {
     case EVP_PKEY_X25519:
@@ -815,6 +838,51 @@ void KeyObjectHandle::InitEDRaw(const FunctionCallbackInfo<Value>& args) {
   args.GetReturnValue().Set(true);
 }
 
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+void KeyObjectHandle::InitMlDsaRaw(const FunctionCallbackInfo<Value>& args) {
+  Environment* env = Environment::GetCurrent(args);
+  KeyObjectHandle* key;
+  ASSIGN_OR_RETURN_UNWRAP(&key, args.This());
+
+  CHECK(args[0]->IsString());
+  Utf8Value name(env->isolate(), args[0]);
+
+  ArrayBufferOrViewContents<unsigned char> key_data(args[1]);
+  KeyType type = FromV8Value<KeyType>(args[2]);
+
+  MarkPopErrorOnReturn mark_pop_error_on_return;
+
+  typedef EVPKeyPointer (*new_key_fn)(
+      int, const ncrypto::Buffer<const unsigned char>&);
+  new_key_fn fn = type == kKeyTypePrivate ? EVPKeyPointer::NewRawSeed
+                                          : EVPKeyPointer::NewRawPublic;
+
+  int id = GetNidFromName(*name);
+
+  switch (id) {
+    case EVP_PKEY_ML_DSA_44:
+    case EVP_PKEY_ML_DSA_65:
+    case EVP_PKEY_ML_DSA_87: {
+      auto pkey = fn(id,
+                     ncrypto::Buffer<const unsigned char>{
+                         .data = key_data.data(),
+                         .len = key_data.size(),
+                     });
+      if (!pkey) {
+        return args.GetReturnValue().Set(false);
+      }
+      key->data_ = KeyObjectData::CreateAsymmetric(type, std::move(pkey));
+      CHECK(key->data_);
+      break;
+    }
+    default:
+      UNREACHABLE();
+  }
+
+  args.GetReturnValue().Set(true);
+}
+#endif
+
 void KeyObjectHandle::Equals(const FunctionCallbackInfo<Value>& args) {
   KeyObjectHandle* self_handle;
   KeyObjectHandle* arg_handle;
@@ -903,6 +971,14 @@ Local<Value> KeyObjectHandle::GetAsymmetricKeyType() const {
       return env()->crypto_x25519_string();
     case EVP_PKEY_X448:
       return env()->crypto_x448_string();
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+    case EVP_PKEY_ML_DSA_44:
+      return env()->crypto_ml_dsa_44_string();
+    case EVP_PKEY_ML_DSA_65:
+      return env()->crypto_ml_dsa_65_string();
+    case EVP_PKEY_ML_DSA_87:
+      return env()->crypto_ml_dsa_87_string();
+#endif
     default:
       return Undefined(env()->isolate());
   }
@@ -1178,6 +1254,11 @@ void Initialize(Environment* env, Local<Object> target) {
   NODE_DEFINE_CONSTANT(target, kWebCryptoKeyFormatJWK);
   NODE_DEFINE_CONSTANT(target, EVP_PKEY_ED25519);
   NODE_DEFINE_CONSTANT(target, EVP_PKEY_ED448);
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+  NODE_DEFINE_CONSTANT(target, EVP_PKEY_ML_DSA_44);
+  NODE_DEFINE_CONSTANT(target, EVP_PKEY_ML_DSA_65);
+  NODE_DEFINE_CONSTANT(target, EVP_PKEY_ML_DSA_87);
+#endif
   NODE_DEFINE_CONSTANT(target, EVP_PKEY_X25519);
   NODE_DEFINE_CONSTANT(target, EVP_PKEY_X448);
   NODE_DEFINE_CONSTANT(target, kKeyEncodingPKCS1);
diff --git a/src/crypto/crypto_keys.h b/src/crypto/crypto_keys.h
index 794e2699c8163f..2a2a38ebe0e3cb 100644
--- a/src/crypto/crypto_keys.h
+++ b/src/crypto/crypto_keys.h
@@ -152,6 +152,9 @@ class KeyObjectHandle : public BaseObject {
   static void Init(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void InitECRaw(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void InitEDRaw(const v8::FunctionCallbackInfo<v8::Value>& args);
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+  static void InitMlDsaRaw(const v8::FunctionCallbackInfo<v8::Value>& args);
+#endif
   static void InitJWK(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetKeyDetail(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void Equals(const v8::FunctionCallbackInfo<v8::Value>& args);
diff --git a/src/crypto/crypto_ml_dsa.cc b/src/crypto/crypto_ml_dsa.cc
new file mode 100644
index 00000000000000..119597c634cc11
--- /dev/null
+++ b/src/crypto/crypto_ml_dsa.cc
@@ -0,0 +1,85 @@
+#include "crypto/crypto_ml_dsa.h"
+#include "crypto/crypto_util.h"
+#include "env-inl.h"
+#include "string_bytes.h"
+#include "v8.h"
+
+namespace node {
+
+using ncrypto::DataPointer;
+using v8::Local;
+using v8::Object;
+using v8::String;
+using v8::Value;
+
+namespace crypto {
+
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+constexpr const char* GetMlDsaAlgorithmName(int id) {
+  switch (id) {
+    case EVP_PKEY_ML_DSA_44:
+      return "ML-DSA-44";
+    case EVP_PKEY_ML_DSA_65:
+      return "ML-DSA-65";
+    case EVP_PKEY_ML_DSA_87:
+      return "ML-DSA-87";
+    default:
+      return nullptr;
+  }
+}
+
+/**
+ * Exports an ML-DSA key to JWK format.
+ *
+ * The resulting JWK object contains:
+ * - "kty": "AKP" (Asymmetric Key Pair - required)
+ * - "alg": "ML-DSA-XX" (Algorithm identifier - required for "AKP")
+ * - "pub": "<Base64URL-encoded raw public key>" (required)
+ * - "priv": <"Base64URL-encoded raw seed>" (required for private keys only)
+ */
+bool ExportJwkMlDsaKey(Environment* env,
+                       const KeyObjectData& key,
+                       Local<Object> target) {
+  Mutex::ScopedLock lock(key.mutex());
+  const auto& pkey = key.GetAsymmetricKey();
+
+  const char* alg = GetMlDsaAlgorithmName(pkey.id());
+  CHECK(alg);
+
+  static constexpr auto trySetKey = [](Environment* env,
+                                       DataPointer data,
+                                       Local<Object> target,
+                                       Local<String> key) {
+    Local<Value> encoded;
+    if (!data) return false;
+    const ncrypto::Buffer<const char> out = data;
+    return StringBytes::Encode(env->isolate(), out.data, out.len, BASE64URL)
+               .ToLocal(&encoded) &&
+           target->Set(env->context(), key, encoded).IsJust();
+  };
+
+  if (key.GetKeyType() == kKeyTypePrivate) {
+    auto seed = pkey.rawSeed();
+    if (!seed) {
+      THROW_ERR_CRYPTO_OPERATION_FAILED(env,
+                                        "key does not have an available seed");
+      return false;
+    }
+    if (!trySetKey(env, pkey.rawSeed(), target, env->jwk_priv_string())) {
+      return false;
+    }
+  }
+
+  return !(
+      target->Set(env->context(), env->jwk_kty_string(), env->jwk_akp_string())
+          .IsNothing() ||
+      target
+          ->Set(env->context(),
+                env->jwk_alg_string(),
+                OneByteString(env->isolate(), alg))
+          .IsNothing() ||
+      !trySetKey(env, pkey.rawPublicKey(), target, env->jwk_pub_string()));
+}
+#endif
+}  // namespace crypto
+}  // namespace node
diff --git a/src/crypto/crypto_ml_dsa.h b/src/crypto/crypto_ml_dsa.h
new file mode 100644
index 00000000000000..6ecdedaee12629
--- /dev/null
+++ b/src/crypto/crypto_ml_dsa.h
@@ -0,0 +1,21 @@
+#ifndef SRC_CRYPTO_CRYPTO_ML_DSA_H_
+#define SRC_CRYPTO_CRYPTO_ML_DSA_H_
+
+#if defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
+
+#include "crypto/crypto_keys.h"
+#include "env.h"
+#include "v8.h"
+
+namespace node {
+namespace crypto {
+#if OPENSSL_VERSION_MAJOR >= 3 && OPENSSL_VERSION_MINOR >= 5
+bool ExportJwkMlDsaKey(Environment* env,
+                       const KeyObjectData& key,
+                       v8::Local<v8::Object> target);
+#endif
+}  // namespace crypto
+}  // namespace node
+
+#endif  // defined(NODE_WANT_INTERNALS) && NODE_WANT_INTERNALS
+#endif  // SRC_CRYPTO_CRYPTO_ML_DSA_H_
diff --git a/src/env-inl.h b/src/env-inl.h
index f4c42efefeca05..0eee9a3ed9d1fc 100644
--- a/src/env-inl.h
+++ b/src/env-inl.h
@@ -703,6 +703,10 @@ inline uint64_t Environment::thread_id() const {
   return thread_id_;
 }
 
+inline std::string_view Environment::thread_name() const {
+  return thread_name_;
+}
+
 inline worker::Worker* Environment::worker_context() const {
   return isolate_data()->worker_context();
 }
diff --git a/src/env.cc b/src/env.cc
index 25c99e5f6d81e9..b7944b10b57178 100644
--- a/src/env.cc
+++ b/src/env.cc
@@ -784,7 +784,8 @@ Environment::Environment(IsolateData* isolate_data,
                          const std::vector<std::string>& exec_args,
                          const EnvSerializeInfo* env_info,
                          EnvironmentFlags::Flags flags,
-                         ThreadId thread_id)
+                         ThreadId thread_id,
+                         std::string_view thread_name)
     : isolate_(isolate),
       external_memory_accounter_(new ExternalMemoryAccounter()),
       isolate_data_(isolate_data),
@@ -811,7 +812,8 @@ Environment::Environment(IsolateData* isolate_data,
       flags_(flags),
       thread_id_(thread_id.id == static_cast<uint64_t>(-1)
                      ? AllocateEnvironmentThreadId().id
-                     : thread_id.id) {
+                     : thread_id.id),
+      thread_name_(thread_name) {
   if (!is_main_thread()) {
     // If this is a Worker thread, we can always safely use the parent's
     // Isolate's code cache because of the shared read-only heap.
diff --git a/src/env.h b/src/env.h
index 10e579bee9c059..84240d6ed47372 100644
--- a/src/env.h
+++ b/src/env.h
@@ -660,7 +660,8 @@ class Environment final : public MemoryRetainer {
               const std::vector<std::string>& exec_args,
               const EnvSerializeInfo* env_info,
               EnvironmentFlags::Flags flags,
-              ThreadId thread_id);
+              ThreadId thread_id,
+              std::string_view thread_name = "");
   void InitializeMainContext(v8::Local<v8::Context> context,
                              const EnvSerializeInfo* env_info);
   ~Environment() override;
@@ -807,6 +808,7 @@ class Environment final : public MemoryRetainer {
   inline bool should_start_debug_signal_handler() const;
   inline bool no_browser_globals() const;
   inline uint64_t thread_id() const;
+  inline std::string_view thread_name() const;
   inline worker::Worker* worker_context() const;
   Environment* worker_parent_env() const;
   inline void add_sub_worker_context(worker::Worker* context);
@@ -1176,6 +1178,7 @@ class Environment final : public MemoryRetainer {
 
   uint64_t flags_;
   uint64_t thread_id_;
+  std::string thread_name_;
   std::unordered_set<worker::Worker*> sub_worker_contexts_;
 
 #if HAVE_INSPECTOR
diff --git a/src/env_properties.h b/src/env_properties.h
index 230eb9986198ef..edc013aec2d07f 100644
--- a/src/env_properties.h
+++ b/src/env_properties.h
@@ -115,6 +115,9 @@
   V(crypto_ec_string, "ec")                                                    \
   V(crypto_ed25519_string, "ed25519")                                          \
   V(crypto_ed448_string, "ed448")                                              \
+  V(crypto_ml_dsa_44_string, "ml-dsa-44")                                      \
+  V(crypto_ml_dsa_65_string, "ml-dsa-65")                                      \
+  V(crypto_ml_dsa_87_string, "ml-dsa-87")                                      \
   V(crypto_x25519_string, "x25519")                                            \
   V(crypto_x448_string, "x448")                                                \
   V(crypto_rsa_string, "rsa")                                                  \
@@ -220,6 +223,8 @@
   V(issuer_string, "issuer")                                                   \
   V(issuercert_string, "issuerCertificate")                                    \
   V(iterator_string, "Iterator")                                               \
+  V(jwk_akp_string, "AKP")                                                     \
+  V(jwk_alg_string, "alg")                                                     \
   V(jwk_crv_string, "crv")                                                     \
   V(jwk_d_string, "d")                                                         \
   V(jwk_dp_string, "dp")                                                       \
@@ -229,13 +234,15 @@
   V(jwk_ec_string, "EC")                                                       \
   V(jwk_g_string, "g")                                                         \
   V(jwk_k_string, "k")                                                         \
-  V(jwk_p_string, "p")                                                         \
-  V(jwk_q_string, "q")                                                         \
-  V(jwk_qi_string, "qi")                                                       \
   V(jwk_kty_string, "kty")                                                     \
   V(jwk_n_string, "n")                                                         \
   V(jwk_oct_string, "oct")                                                     \
   V(jwk_okp_string, "OKP")                                                     \
+  V(jwk_p_string, "p")                                                         \
+  V(jwk_priv_string, "priv")                                                   \
+  V(jwk_pub_string, "pub")                                                     \
+  V(jwk_q_string, "q")                                                         \
+  V(jwk_qi_string, "qi")                                                       \
   V(jwk_rsa_string, "RSA")                                                     \
   V(jwk_x_string, "x")                                                         \
   V(jwk_y_string, "y")                                                         \
@@ -390,6 +397,7 @@
   V(table_string, "table")                                                     \
   V(target_string, "target")                                                   \
   V(thread_id_string, "threadId")                                              \
+  V(thread_name_string, "threadName")                                          \
   V(ticketkeycallback_string, "onticketkeycallback")                           \
   V(timeout_string, "timeout")                                                 \
   V(time_to_first_byte_string, "timeToFirstByte")                              \
@@ -475,6 +483,7 @@
   V(tcp_constructor_template, v8::FunctionTemplate)                            \
   V(tty_constructor_template, v8::FunctionTemplate)                            \
   V(write_wrap_template, v8::ObjectTemplate)                                   \
+  V(worker_cpu_usage_taker_template, v8::ObjectTemplate)                       \
   V(worker_heap_snapshot_taker_template, v8::ObjectTemplate)                   \
   V(worker_heap_statistics_taker_template, v8::ObjectTemplate)                 \
   V(x509_constructor_template, v8::FunctionTemplate)
diff --git a/src/inspector/io_agent.cc b/src/inspector/io_agent.cc
index 749774f5c3144f..c66c091d69b747 100644
--- a/src/inspector/io_agent.cc
+++ b/src/inspector/io_agent.cc
@@ -27,7 +27,7 @@ DispatchResponse IoAgent::read(const String& in_handle,
   if (in_offset.has_value()) {
     offset = *in_offset;
     offset_was_specified = true;
-  } else if (offset_map_.find(url) != offset_map_.end()) {
+  } else if (offset_map_.contains(url)) {
     offset = offset_map_[url];
   }
   int size = 1 << 20;
diff --git a/src/inspector_profiler.h b/src/inspector_profiler.h
index fd741c1f1ff659..d07334c818d90e 100644
--- a/src/inspector_profiler.h
+++ b/src/inspector_profiler.h
@@ -65,9 +65,7 @@ class V8ProfilerConnection {
       simdjson::ondemand::object* result);
   virtual void WriteProfile(simdjson::ondemand::object* result);
 
-  bool HasProfileId(uint64_t id) const {
-    return profile_ids_.find(id) != profile_ids_.end();
-  }
+  bool HasProfileId(uint64_t id) const { return profile_ids_.contains(id); }
 
   void RemoveProfileId(uint64_t id) { profile_ids_.erase(id); }
 
diff --git a/src/module_wrap.cc b/src/module_wrap.cc
index 83728032406645..28843f6206e62a 100644
--- a/src/module_wrap.cc
+++ b/src/module_wrap.cc
@@ -133,12 +133,23 @@ ModuleWrap::ModuleWrap(Realm* realm,
   object->SetInternalField(kSyntheticEvaluationStepsSlot,
                            synthetic_evaluation_step);
   object->SetInternalField(kContextObjectSlot, context_object);
+  object->SetInternalField(kLinkedRequestsSlot,
+                           v8::Undefined(realm->isolate()));
 
   if (!synthetic_evaluation_step->IsUndefined()) {
     synthetic_ = true;
   }
   MakeWeak();
   module_.SetWeak();
+
+  HandleScope scope(realm->isolate());
+  Local<Context> context = realm->context();
+  Local<FixedArray> requests = module->GetModuleRequests();
+  for (int i = 0; i < requests->Length(); i++) {
+    ModuleCacheKey module_cache_key = ModuleCacheKey::From(
+        context, requests->Get(context, i).As<ModuleRequest>());
+    resolve_cache_[module_cache_key] = i;
+  }
 }
 
 ModuleWrap::~ModuleWrap() {
@@ -159,6 +170,30 @@ Local<Context> ModuleWrap::context() const {
   return obj.As<Object>()->GetCreationContextChecked();
 }
 
+ModuleWrap* ModuleWrap::GetLinkedRequest(uint32_t index) {
+  DCHECK(IsLinked());
+  Isolate* isolate = env()->isolate();
+  EscapableHandleScope scope(isolate);
+  Local<Data> linked_requests_data =
+      object()->GetInternalField(kLinkedRequestsSlot);
+  DCHECK(linked_requests_data->IsValue() &&
+         linked_requests_data.As<Value>()->IsArray());
+  Local<Array> requests = linked_requests_data.As<Array>();
+
+  CHECK_LT(index, requests->Length());
+
+  Local<Value> module_value;
+  if (!requests->Get(context(), index).ToLocal(&module_value)) {
+    return nullptr;
+  }
+  CHECK(module_value->IsObject());
+  Local<Object> module_object = module_value.As<Object>();
+
+  ModuleWrap* module_wrap;
+  ASSIGN_OR_RETURN_UNWRAP(&module_wrap, module_object, nullptr);
+  return module_wrap;
+}
+
 ModuleWrap* ModuleWrap::GetFromModule(Environment* env,
                                       Local<Module> module) {
   auto range = env->hash_to_module_map.equal_range(module->GetIdentityHash());
@@ -571,34 +606,28 @@ void ModuleWrap::GetModuleRequests(const FunctionCallbackInfo<Value>& args) {
 void ModuleWrap::Link(const FunctionCallbackInfo<Value>& args) {
   Realm* realm = Realm::GetCurrent(args);
   Isolate* isolate = args.GetIsolate();
-  Local<Context> context = realm->context();
 
   ModuleWrap* dependent;
   ASSIGN_OR_RETURN_UNWRAP(&dependent, args.This());
 
   CHECK_EQ(args.Length(), 1);
 
+  Local<Data> linked_requests =
+      args.This()->GetInternalField(kLinkedRequestsSlot);
+  if (linked_requests->IsValue() &&
+      !linked_requests.As<Value>()->IsUndefined()) {
+    // If the module is already linked, we should not link it again.
+    THROW_ERR_VM_MODULE_LINK_FAILURE(realm->env(), "module is already linked");
+    return;
+  }
+
   Local<FixedArray> requests =
       dependent->module_.Get(isolate)->GetModuleRequests();
   Local<Array> modules = args[0].As<Array>();
   CHECK_EQ(modules->Length(), static_cast<uint32_t>(requests->Length()));
 
-  std::vector<Global<Value>> modules_buffer;
-  if (FromV8Array(context, modules, &modules_buffer).IsNothing()) {
-    return;
-  }
-
-  for (uint32_t i = 0; i < modules_buffer.size(); i++) {
-    Local<Object> module_object = modules_buffer[i].Get(isolate).As<Object>();
-
-    CHECK(
-        realm->isolate_data()->module_wrap_constructor_template()->HasInstance(
-            module_object));
-
-    ModuleCacheKey module_cache_key = ModuleCacheKey::From(
-        context, requests->Get(context, i).As<ModuleRequest>());
-    dependent->resolve_cache_[module_cache_key].Reset(isolate, module_object);
-  }
+  args.This()->SetInternalField(kLinkedRequestsSlot, modules);
+  dependent->linked_ = true;
 }
 
 void ModuleWrap::Instantiate(const FunctionCallbackInfo<Value>& args) {
@@ -612,9 +641,6 @@ void ModuleWrap::Instantiate(const FunctionCallbackInfo<Value>& args) {
   USE(module->InstantiateModule(
       context, ResolveModuleCallback, ResolveSourceCallback));
 
-  // clear resolve cache on instantiate
-  obj->resolve_cache_.clear();
-
   if (try_catch.HasCaught() && !try_catch.HasTerminated()) {
     CHECK(!try_catch.Message().IsEmpty());
     CHECK(!try_catch.Exception().IsEmpty());
@@ -722,9 +748,6 @@ void ModuleWrap::InstantiateSync(const FunctionCallbackInfo<Value>& args) {
     USE(module->InstantiateModule(
         context, ResolveModuleCallback, ResolveSourceCallback));
 
-    // clear resolve cache on instantiate
-    obj->resolve_cache_.clear();
-
     if (try_catch.HasCaught() && !try_catch.HasTerminated()) {
       CHECK(!try_catch.Message().IsEmpty());
       CHECK(!try_catch.Exception().IsEmpty());
@@ -965,48 +988,51 @@ void ModuleWrap::GetError(const FunctionCallbackInfo<Value>& args) {
   args.GetReturnValue().Set(module->GetException());
 }
 
+// static
 MaybeLocal<Module> ModuleWrap::ResolveModuleCallback(
     Local<Context> context,
     Local<String> specifier,
     Local<FixedArray> import_attributes,
     Local<Module> referrer) {
-  Isolate* isolate = context->GetIsolate();
-  Environment* env = Environment::GetCurrent(context);
-  if (env == nullptr) {
-    THROW_ERR_EXECUTION_ENVIRONMENT_NOT_AVAILABLE(isolate);
-    return MaybeLocal<Module>();
-  }
-
-  ModuleCacheKey cache_key =
-      ModuleCacheKey::From(context, specifier, import_attributes);
-
-  ModuleWrap* dependent = GetFromModule(env, referrer);
-  if (dependent == nullptr) {
-    THROW_ERR_VM_MODULE_LINK_FAILURE(
-        env, "request for '%s' is from invalid module", cache_key.specifier);
-    return MaybeLocal<Module>();
+  ModuleWrap* resolved_module;
+  if (!ResolveModule(context, specifier, import_attributes, referrer)
+           .To(&resolved_module)) {
+    return {};
   }
+  DCHECK_NOT_NULL(resolved_module);
+  return resolved_module->module_.Get(context->GetIsolate());
+}
 
-  if (dependent->resolve_cache_.count(cache_key) != 1) {
-    THROW_ERR_VM_MODULE_LINK_FAILURE(
-        env, "request for '%s' is not in cache", cache_key.specifier);
-    return MaybeLocal<Module>();
+// static
+MaybeLocal<Object> ModuleWrap::ResolveSourceCallback(
+    Local<Context> context,
+    Local<String> specifier,
+    Local<FixedArray> import_attributes,
+    Local<Module> referrer) {
+  ModuleWrap* resolved_module;
+  if (!ResolveModule(context, specifier, import_attributes, referrer)
+           .To(&resolved_module)) {
+    return {};
   }
+  DCHECK_NOT_NULL(resolved_module);
 
-  Local<Object> module_object =
-      dependent->resolve_cache_[cache_key].Get(isolate);
-  if (module_object.IsEmpty() || !module_object->IsObject()) {
-    THROW_ERR_VM_MODULE_LINK_FAILURE(
-        env, "request for '%s' did not return an object", cache_key.specifier);
-    return MaybeLocal<Module>();
+  Local<Value> module_source_object =
+      resolved_module->object()
+          ->GetInternalField(ModuleWrap::kModuleSourceObjectSlot)
+          .As<Value>();
+  if (module_source_object->IsUndefined()) {
+    Local<String> url = resolved_module->object()
+                            ->GetInternalField(ModuleWrap::kURLSlot)
+                            .As<String>();
+    THROW_ERR_SOURCE_PHASE_NOT_DEFINED(context->GetIsolate(), url);
+    return {};
   }
-
-  ModuleWrap* module;
-  ASSIGN_OR_RETURN_UNWRAP(&module, module_object, MaybeLocal<Module>());
-  return module->module_.Get(isolate);
+  CHECK(module_source_object->IsObject());
+  return module_source_object.As<Object>();
 }
 
-MaybeLocal<Object> ModuleWrap::ResolveSourceCallback(
+// static
+Maybe<ModuleWrap*> ModuleWrap::ResolveModule(
     Local<Context> context,
     Local<String> specifier,
     Local<FixedArray> import_attributes,
@@ -1015,46 +1041,38 @@ MaybeLocal<Object> ModuleWrap::ResolveSourceCallback(
   Environment* env = Environment::GetCurrent(context);
   if (env == nullptr) {
     THROW_ERR_EXECUTION_ENVIRONMENT_NOT_AVAILABLE(isolate);
-    return MaybeLocal<Object>();
+    return Nothing<ModuleWrap*>();
   }
+  // Check that the referrer is not yet been instantiated.
+  DCHECK(referrer->GetStatus() <= Module::kInstantiated);
 
   ModuleCacheKey cache_key =
       ModuleCacheKey::From(context, specifier, import_attributes);
 
-  ModuleWrap* dependent = GetFromModule(env, referrer);
+  ModuleWrap* dependent = ModuleWrap::GetFromModule(env, referrer);
   if (dependent == nullptr) {
     THROW_ERR_VM_MODULE_LINK_FAILURE(
         env, "request for '%s' is from invalid module", cache_key.specifier);
-    return MaybeLocal<Object>();
+    return Nothing<ModuleWrap*>();
   }
-
-  if (dependent->resolve_cache_.count(cache_key) != 1) {
+  if (!dependent->IsLinked()) {
     THROW_ERR_VM_MODULE_LINK_FAILURE(
-        env, "request for '%s' is not in cache", cache_key.specifier);
-    return MaybeLocal<Object>();
+        env,
+        "request for '%s' is from a module not been linked",
+        cache_key.specifier);
+    return Nothing<ModuleWrap*>();
   }
 
-  Local<Object> module_object =
-      dependent->resolve_cache_[cache_key].Get(isolate);
-  if (module_object.IsEmpty() || !module_object->IsObject()) {
+  auto it = dependent->resolve_cache_.find(cache_key);
+  if (it == dependent->resolve_cache_.end()) {
     THROW_ERR_VM_MODULE_LINK_FAILURE(
-        env, "request for '%s' did not return an object", cache_key.specifier);
-    return MaybeLocal<Object>();
+        env, "request for '%s' is not in cache", cache_key.specifier);
+    return Nothing<ModuleWrap*>();
   }
 
-  ModuleWrap* module;
-  ASSIGN_OR_RETURN_UNWRAP(&module, module_object, MaybeLocal<Object>());
-
-  Local<Value> module_source_object =
-      module->object()->GetInternalField(kModuleSourceObjectSlot).As<Value>();
-  if (module_source_object->IsUndefined()) {
-    Local<String> url =
-        module->object()->GetInternalField(kURLSlot).As<String>();
-    THROW_ERR_SOURCE_PHASE_NOT_DEFINED(isolate, url);
-    return MaybeLocal<Object>();
-  }
-  CHECK(module_source_object->IsObject());
-  return module_source_object.As<Object>();
+  ModuleWrap* module_wrap = dependent->GetLinkedRequest(it->second);
+  CHECK_NOT_NULL(module_wrap);
+  return Just(module_wrap);
 }
 
 static MaybeLocal<Promise> ImportModuleDynamicallyWithPhase(
diff --git a/src/module_wrap.h b/src/module_wrap.h
index dbab9946c7210b..467a9af1177b0f 100644
--- a/src/module_wrap.h
+++ b/src/module_wrap.h
@@ -90,13 +90,17 @@ struct ModuleCacheKey : public MemoryRetainer {
 };
 
 class ModuleWrap : public BaseObject {
+  using ResolveCache =
+      std::unordered_map<ModuleCacheKey, uint32_t, ModuleCacheKey::Hash>;
+
  public:
   enum InternalFields {
     kModuleSlot = BaseObject::kInternalFieldCount,
     kURLSlot,
     kModuleSourceObjectSlot,
     kSyntheticEvaluationStepsSlot,
-    kContextObjectSlot,  // Object whose creation context is the target Context
+    kContextObjectSlot,   // Object whose creation context is the target Context
+    kLinkedRequestsSlot,  // Array of linked requests
     kInternalFieldCount
   };
 
@@ -112,9 +116,6 @@ class ModuleWrap : public BaseObject {
       v8::Local<v8::Module> module,
       v8::Local<v8::Object> meta);
 
-  void MemoryInfo(MemoryTracker* tracker) const override {
-    tracker->TrackField("resolve_cache", resolve_cache_);
-  }
   static void HasTopLevelAwait(const v8::FunctionCallbackInfo<v8::Value>& args);
 
   v8::Local<v8::Context> context() const;
@@ -122,6 +123,7 @@ class ModuleWrap : public BaseObject {
 
   SET_MEMORY_INFO_NAME(ModuleWrap)
   SET_SELF_SIZE(ModuleWrap)
+  SET_NO_MEMORY_INFO()
 
   bool IsNotIndicativeOfMemoryLeakAtExit() const override {
     // XXX: The garbage collection rules for ModuleWrap are *super* unclear.
@@ -129,6 +131,10 @@ class ModuleWrap : public BaseObject {
     return true;
   }
 
+  bool IsLinked() const { return linked_; }
+
+  ModuleWrap* GetLinkedRequest(uint32_t index);
+
   static v8::Local<v8::PrimitiveArray> GetHostDefinedOptions(
       v8::Isolate* isolate, v8::Local<v8::Symbol> symbol);
 
@@ -199,13 +205,19 @@ class ModuleWrap : public BaseObject {
       v8::Local<v8::Module> referrer);
   static ModuleWrap* GetFromModule(node::Environment*, v8::Local<v8::Module>);
 
+  // This method may throw a JavaScript exception, so the return type is
+  // wrapped in a Maybe.
+  static v8::Maybe<ModuleWrap*> ResolveModule(
+      v8::Local<v8::Context> context,
+      v8::Local<v8::String> specifier,
+      v8::Local<v8::FixedArray> import_attributes,
+      v8::Local<v8::Module> referrer);
+
   v8::Global<v8::Module> module_;
-  std::unordered_map<ModuleCacheKey,
-                     v8::Global<v8::Object>,
-                     ModuleCacheKey::Hash>
-      resolve_cache_;
+  ResolveCache resolve_cache_;
   contextify::ContextifyContext* contextify_context_ = nullptr;
   bool synthetic_ = false;
+  bool linked_ = false;
   int module_hash_;
 };
 
diff --git a/src/node.cc b/src/node.cc
index 6572b6c0f26fa7..95585e7b16a830 100644
--- a/src/node.cc
+++ b/src/node.cc
@@ -765,6 +765,13 @@ static ExitCode ProcessGlobalArgsInternal(std::vector<std::string>* args,
     v8_args.emplace_back("--harmony-import-attributes");
   }
 
+  if (!per_process::cli_options->per_isolate->max_old_space_size_percentage
+           .empty()) {
+    v8_args.emplace_back(
+        "--max_old_space_size=" +
+        per_process::cli_options->per_isolate->max_old_space_size);
+  }
+
   auto env_opts = per_process::cli_options->per_isolate->per_env;
   if (std::ranges::find(v8_args, "--abort-on-uncaught-exception") !=
           v8_args.end() ||
@@ -861,6 +868,15 @@ static ExitCode InitializeNodeWithArgsInternal(
   // default value.
   V8::SetFlagsFromString("--rehash-snapshot");
 
+#if HAVE_OPENSSL
+  // TODO(joyeecheung): make this a per-env option and move the normalization
+  // into HandleEnvOptions.
+  std::string use_system_ca;
+  if (credentials::SafeGetenv("NODE_USE_SYSTEM_CA", &use_system_ca) &&
+      use_system_ca == "1") {
+    per_process::cli_options->use_system_ca = true;
+  }
+#endif  // HAVE_OPENSSL
   HandleEnvOptions(per_process::cli_options->per_isolate->per_env);
 
   std::string node_options;
diff --git a/src/node.h b/src/node.h
index f773096c959b59..0eb21dee1a9391 100644
--- a/src/node.h
+++ b/src/node.h
@@ -730,6 +730,16 @@ NODE_EXTERN Environment* CreateEnvironment(
     ThreadId thread_id = {} /* allocates a thread id automatically */,
     std::unique_ptr<InspectorParentHandle> inspector_parent_handle = {});
 
+NODE_EXTERN Environment* CreateEnvironment(
+    IsolateData* isolate_data,
+    v8::Local<v8::Context> context,
+    const std::vector<std::string>& args,
+    const std::vector<std::string>& exec_args,
+    EnvironmentFlags::Flags flags,
+    ThreadId thread_id,
+    std::unique_ptr<InspectorParentHandle> inspector_parent_handle,
+    std::string_view thread_name);
+
 // Returns a handle that can be passed to `LoadEnvironment()`, making the
 // child Environment accessible to the inspector as if it were a Node.js Worker.
 // `child_thread_id` can be created using `AllocateEnvironmentThreadId()`
diff --git a/src/node_blob.cc b/src/node_blob.cc
index 0bc4eb7e9318b5..eceddfbba39144 100644
--- a/src/node_blob.cc
+++ b/src/node_blob.cc
@@ -537,11 +537,11 @@ void BlobBindingData::store_data_object(
 }
 
 void BlobBindingData::revoke_data_object(const std::string& uuid) {
-  if (data_objects_.find(uuid) == data_objects_.end()) {
+  if (!data_objects_.contains(uuid)) {
     return;
   }
   data_objects_.erase(uuid);
-  CHECK_EQ(data_objects_.find(uuid), data_objects_.end());
+  CHECK(!data_objects_.contains(uuid));
 }
 
 BlobBindingData::StoredDataObject BlobBindingData::get_data_object(
diff --git a/src/node_buffer.cc b/src/node_buffer.cc
index 2fff0488cd81cd..836f93697a2609 100644
--- a/src/node_buffer.cc
+++ b/src/node_buffer.cc
@@ -1526,6 +1526,14 @@ uint32_t FastWriteString(Local<Value> receiver,
                          uint32_t max_length,
                          // NOLINTNEXTLINE(runtime/references)
                          FastApiCallbackOptions& options) {
+  // Just a heads up... this is a v8 fast api function. The use of
+  // FastOneByteString has some caveats. Specifically, a GC occurring
+  // between the time the FastOneByteString is created and the time
+  // we use it below can cause the FastOneByteString to become invalid
+  // and produce garbage data. This is not a problem here because we
+  // are not performing any allocations or other operations that would
+  // trigger a GC before the FastOneByteString is used. Take care when
+  // modifying this code to ensure that no operations would trigger a GC.
   HandleScope handle_scope(options.isolate);
   SPREAD_BUFFER_ARG(dst_obj, dst);
   CHECK(offset <= dst_length);
diff --git a/src/node_builtins.cc b/src/node_builtins.cc
index 5555657cbe5b28..9e82a3f3cf9d16 100644
--- a/src/node_builtins.cc
+++ b/src/node_builtins.cc
@@ -306,7 +306,7 @@ MaybeLocal<Function> BuiltinLoader::LookupAndCompileInternal(
   if (should_eager_compile_) {
     options = ScriptCompiler::kEagerCompile;
   } else if (!to_eager_compile_.empty()) {
-    if (to_eager_compile_.find(id) != to_eager_compile_.end()) {
+    if (to_eager_compile_.contains(id)) {
       options = ScriptCompiler::kEagerCompile;
     }
   }
diff --git a/src/node_crypto.h b/src/node_crypto.h
index 04d44599854226..d34ff52daff8bc 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -40,6 +40,7 @@
 #include "crypto/crypto_hmac.h"
 #include "crypto/crypto_keygen.h"
 #include "crypto/crypto_keys.h"
+#include "crypto/crypto_ml_dsa.h"
 #include "crypto/crypto_pbkdf2.h"
 #include "crypto/crypto_random.h"
 #include "crypto/crypto_rsa.h"
diff --git a/src/node_env_var.cc b/src/node_env_var.cc
index 307153c0e3781b..6aad252eb5681b 100644
--- a/src/node_env_var.cc
+++ b/src/node_env_var.cc
@@ -273,7 +273,7 @@ void MapKVStore::Set(Isolate* isolate, Local<String> key, Local<String> value) {
 
 int32_t MapKVStore::Query(const char* key) const {
   Mutex::ScopedLock lock(mutex_);
-  return map_.find(key) == map_.end() ? -1 : 0;
+  return map_.contains(key) ? 0 : -1;
 }
 
 int32_t MapKVStore::Query(Isolate* isolate, Local<String> key) const {
diff --git a/src/node_file.cc b/src/node_file.cc
index 0be3aa00364333..e469498353c82c 100644
--- a/src/node_file.cc
+++ b/src/node_file.cc
@@ -1149,6 +1149,7 @@ static void LStat(const FunctionCallbackInfo<Value>& args) {
   bool use_bigint = args[1]->IsTrue();
   if (!args[2]->IsUndefined()) {  // lstat(path, use_bigint, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 2, use_bigint);
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN1(
         UV_FS_LSTAT, req_wrap_async, "path", TRACE_STR_COPY(*path))
     AsyncCall(env, req_wrap_async, args, "lstat", UTF8, AfterStat,
@@ -1191,6 +1192,7 @@ static void FStat(const FunctionCallbackInfo<Value>& args) {
   bool use_bigint = args[1]->IsTrue();
   if (!args[2]->IsUndefined()) {  // fstat(fd, use_bigint, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 2, use_bigint);
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN0(UV_FS_FSTAT, req_wrap_async)
     AsyncCall(env, req_wrap_async, args, "fstat", UTF8, AfterStat,
               uv_fs_fstat, fd);
@@ -1292,6 +1294,7 @@ static void Symlink(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 3) {  // symlink(target, path, flags, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 3);
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN2(UV_FS_SYMLINK,
                           req_wrap_async,
                           "target",
@@ -1330,6 +1333,7 @@ static void Link(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 2) {  // link(src, dest, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 2);
+    CHECK_NOT_NULL(req_wrap_async);
     // To avoid bypass the link target should be allowed to read and write
     ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS(
         env,
@@ -1388,6 +1392,7 @@ static void ReadLink(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 2) {  // readlink(path, encoding, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 2);
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN1(
         UV_FS_READLINK, req_wrap_async, "path", TRACE_STR_COPY(*path))
     AsyncCall(env, req_wrap_async, args, "readlink", encoding, AfterStringPtr,
@@ -1428,6 +1433,7 @@ static void Rename(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 2) {  // rename(old_path, new_path, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 2);
+    CHECK_NOT_NULL(req_wrap_async);
     ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS(
         env,
         req_wrap_async,
@@ -1485,6 +1491,7 @@ static void FTruncate(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 2) {  // ftruncate(fd, len, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 2);
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN0(UV_FS_FTRUNCATE, req_wrap_async)
     AsyncCall(env, req_wrap_async, args, "ftruncate", UTF8, AfterNoArgs,
               uv_fs_ftruncate, fd, len);
@@ -1594,6 +1601,7 @@ static void RMDir(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 1) {
     FSReqBase* req_wrap_async = GetReqWrap(args, 1);  // rmdir(path, req)
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN1(
         UV_FS_RMDIR, req_wrap_async, "path", TRACE_STR_COPY(*path))
     AsyncCall(env, req_wrap_async, args, "rmdir", UTF8, AfterNoArgs,
@@ -1891,6 +1899,7 @@ static void MKDir(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 3) {  // mkdir(path, mode, recursive, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 3);
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN1(
         UV_FS_UNLINK, req_wrap_async, "path", TRACE_STR_COPY(*path))
     AsyncCall(env, req_wrap_async, args, "mkdir", UTF8,
@@ -1937,6 +1946,7 @@ static void RealPath(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 2) {  // realpath(path, encoding, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 2);
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN1(
         UV_FS_REALPATH, req_wrap_async, "path", TRACE_STR_COPY(*path))
     AsyncCall(env, req_wrap_async, args, "realpath", encoding, AfterStringPtr,
@@ -1998,6 +2008,7 @@ static void ReadDir(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 3) {  // readdir(path, encoding, withTypes, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 3);
+    CHECK_NOT_NULL(req_wrap_async);
     ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS(
         env,
         req_wrap_async,
@@ -2245,6 +2256,7 @@ static void CopyFile(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 3) {  // copyFile(src, dest, flags, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 3);
+    CHECK_NOT_NULL(req_wrap_async);
     ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS(
         env,
         req_wrap_async,
@@ -2380,6 +2392,7 @@ static void WriteBuffers(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 3) {  // writeBuffers(fd, chunks, pos, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 3);
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN0(UV_FS_WRITE, req_wrap_async)
     AsyncCall(env,
               req_wrap_async,
@@ -2764,6 +2777,7 @@ static void ReadBuffers(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 3) {  // readBuffers(fd, buffers, pos, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 3);
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN0(UV_FS_READ, req_wrap_async)
     AsyncCall(env, req_wrap_async, args, "read", UTF8, AfterInteger,
               uv_fs_read, fd, *iovs, iovs.length(), pos);
@@ -2801,6 +2815,7 @@ static void Chmod(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 2) {  // chmod(path, mode, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 2);
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN1(
         UV_FS_CHMOD, req_wrap_async, "path", TRACE_STR_COPY(*path))
     AsyncCall(env, req_wrap_async, args, "chmod", UTF8, AfterNoArgs,
@@ -2833,6 +2848,7 @@ static void FChmod(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 2) {  // fchmod(fd, mode, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 2);
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN0(UV_FS_FCHMOD, req_wrap_async)
     AsyncCall(env, req_wrap_async, args, "fchmod", UTF8, AfterNoArgs,
               uv_fs_fchmod, fd, mode);
@@ -2910,6 +2926,7 @@ static void FChown(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 3) {  // fchown(fd, uid, gid, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 3);
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN0(UV_FS_FCHOWN, req_wrap_async)
     AsyncCall(env, req_wrap_async, args, "fchown", UTF8, AfterNoArgs,
               uv_fs_fchown, fd, uid, gid);
@@ -2940,6 +2957,7 @@ static void LChown(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 3) {  // lchown(path, uid, gid, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 3);
+    CHECK_NOT_NULL(req_wrap_async);
     ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS(
         env,
         req_wrap_async,
@@ -2982,6 +3000,7 @@ static void UTimes(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 3) {  // utimes(path, atime, mtime, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 3);
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN1(
         UV_FS_UTIME, req_wrap_async, "path", TRACE_STR_COPY(*path))
     AsyncCall(env, req_wrap_async, args, "utime", UTF8, AfterNoArgs,
@@ -3014,6 +3033,7 @@ static void FUTimes(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 3) {  // futimes(fd, atime, mtime, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 3);
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN0(UV_FS_FUTIME, req_wrap_async)
     AsyncCall(env, req_wrap_async, args, "futime", UTF8, AfterNoArgs,
               uv_fs_futime, fd, atime, mtime);
@@ -3046,6 +3066,7 @@ static void LUTimes(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 3) {  // lutimes(path, atime, mtime, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 3);
+    CHECK_NOT_NULL(req_wrap_async);
     FS_ASYNC_TRACE_BEGIN1(
         UV_FS_LUTIME, req_wrap_async, "path", TRACE_STR_COPY(*path))
     AsyncCall(env, req_wrap_async, args, "lutime", UTF8, AfterNoArgs,
@@ -3078,6 +3099,7 @@ static void Mkdtemp(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 2) {  // mkdtemp(tmpl, encoding, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 2);
+    CHECK_NOT_NULL(req_wrap_async);
     ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS(
         env,
         req_wrap_async,
diff --git a/src/node_messaging.cc b/src/node_messaging.cc
index cb321ff606f4fe..084ff03dbe8124 100644
--- a/src/node_messaging.cc
+++ b/src/node_messaging.cc
@@ -1505,7 +1505,7 @@ Maybe<bool> SiblingGroup::Dispatch(
   RwLock::ScopedReadLock lock(group_mutex_);
 
   // The source MessagePortData is not part of this group.
-  if (ports_.find(source) == ports_.end()) {
+  if (!ports_.contains(source)) {
     if (error != nullptr)
       *error = "Source MessagePort is not entangled with this group.";
     return Nothing<bool>();
diff --git a/src/node_options.cc b/src/node_options.cc
index ccf04a0f92af42..3848c5e0d4c1f5 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -7,6 +7,7 @@
 #include "node_external_reference.h"
 #include "node_internals.h"
 #include "node_sea.h"
+#include "uv.h"
 #if HAVE_OPENSSL
 #include "openssl/opensslv.h"
 #endif
@@ -14,6 +15,7 @@
 #include <algorithm>
 #include <array>
 #include <charconv>
+#include <cstdint>
 #include <limits>
 #include <sstream>
 #include <string_view>
@@ -107,8 +109,49 @@ void PerProcessOptions::CheckOptions(std::vector<std::string>* errors,
   per_isolate->CheckOptions(errors, argv);
 }
 
+void PerIsolateOptions::HandleMaxOldSpaceSizePercentage(
+    std::vector<std::string>* errors,
+    std::string* max_old_space_size_percentage) {
+  std::string original_input_for_error = *max_old_space_size_percentage;
+  // Parse the percentage value
+  char* end_ptr;
+  double percentage =
+      std::strtod(max_old_space_size_percentage->c_str(), &end_ptr);
+
+  // Validate the percentage value
+  if (*end_ptr != '\0' || percentage <= 0.0 || percentage > 100.0) {
+    errors->push_back("--max-old-space-size-percentage must be greater "
+                      "than 0 and up to 100. Got: " +
+                      original_input_for_error);
+    return;
+  }
+
+  // Get available memory in bytes
+  uint64_t total_memory = uv_get_total_memory();
+  uint64_t constrained_memory = uv_get_constrained_memory();
+
+  // Use constrained memory if available, otherwise use total memory
+  // This logic correctly handles the documented guarantees.
+  // Use uint64_t for the result to prevent data loss on 32-bit systems.
+  uint64_t available_memory =
+      (constrained_memory > 0 && constrained_memory != UINT64_MAX)
+          ? constrained_memory
+          : total_memory;
+
+  // Convert to MB and calculate the percentage
+  uint64_t memory_mb = available_memory / (1024 * 1024);
+  uint64_t calculated_mb = static_cast<size_t>(memory_mb * percentage / 100.0);
+
+  // Convert back to string
+  max_old_space_size = std::to_string(calculated_mb);
+}
+
 void PerIsolateOptions::CheckOptions(std::vector<std::string>* errors,
                                      std::vector<std::string>* argv) {
+  if (!max_old_space_size_percentage.empty()) {
+    HandleMaxOldSpaceSizePercentage(errors, &max_old_space_size_percentage);
+  }
+
   per_env->CheckOptions(errors, argv);
 }
 
@@ -1082,6 +1125,11 @@ PerIsolateOptionsParser::PerIsolateOptionsParser(
             V8Option{},
             kAllowedInEnvvar);
   AddOption("--max-old-space-size", "", V8Option{}, kAllowedInEnvvar);
+  AddOption("--max-old-space-size-percentage",
+            "set V8's max old space size as a percentage of available memory "
+            "(e.g., '50%'). Takes precedence over --max-old-space-size.",
+            &PerIsolateOptions::max_old_space_size_percentage,
+            kAllowedInEnvvar);
   AddOption("--max-semi-space-size", "", V8Option{}, kAllowedInEnvvar);
   AddOption("--perf-basic-prof", "", V8Option{}, kAllowedInEnvvar);
   AddOption(
diff --git a/src/node_options.h b/src/node_options.h
index b482ce87acc49c..460deced771d0b 100644
--- a/src/node_options.h
+++ b/src/node_options.h
@@ -285,6 +285,8 @@ class PerIsolateOptions : public Options {
   bool report_uncaught_exception = false;
   bool report_on_signal = false;
   bool experimental_shadow_realm = false;
+  std::string max_old_space_size_percentage;
+  std::string max_old_space_size;
   int64_t stack_trace_limit = 10;
   std::string report_signal = "SIGUSR2";
   bool build_snapshot = false;
@@ -292,6 +294,8 @@ class PerIsolateOptions : public Options {
   inline EnvironmentOptions* get_per_env_options();
   void CheckOptions(std::vector<std::string>* errors,
                     std::vector<std::string>* argv) override;
+  void HandleMaxOldSpaceSizePercentage(std::vector<std::string>* errors,
+                                       std::string* max_old_space_size);
 
   inline std::shared_ptr<PerIsolateOptions> Clone() const;
 
diff --git a/src/node_realm.h b/src/node_realm.h
index 9ad38be761df06..63a23013cb1f63 100644
--- a/src/node_realm.h
+++ b/src/node_realm.h
@@ -209,7 +209,7 @@ class Realm : public MemoryRetainer {
   CppgcWrapperList cppgc_wrapper_list_;
 };
 
-class PrincipalRealm : public Realm {
+class PrincipalRealm final : public Realm {
  public:
   PrincipalRealm(Environment* env,
                  v8::Local<v8::Context> context,
diff --git a/src/node_sea.cc b/src/node_sea.cc
index 891d69ae973f08..461862d67907c2 100644
--- a/src/node_sea.cc
+++ b/src/node_sea.cc
@@ -3,7 +3,6 @@
 #include "blob_serializer_deserializer-inl.h"
 #include "debug_utils-inl.h"
 #include "env-inl.h"
-#include "json_parser.h"
 #include "node_contextify.h"
 #include "node_errors.h"
 #include "node_external_reference.h"
@@ -11,6 +10,7 @@
 #include "node_snapshot_builder.h"
 #include "node_union_bytes.h"
 #include "node_v8_platform-inl.h"
+#include "simdjson.h"
 #include "util-inl.h"
 
 // The POSTJECT_SENTINEL_FUSE macro is a string of random characters selected by
@@ -303,79 +303,131 @@ std::optional<SeaConfig> ParseSingleExecutableConfig(
   }
 
   SeaConfig result;
-  JSONParser parser;
-  if (!parser.Parse(config)) {
-    FPrintF(stderr, "Cannot parse JSON from %s\n", config_path);
-    return std::nullopt;
-  }
 
-  result.main_path =
-      parser.GetTopLevelStringField("main").value_or(std::string());
-  if (result.main_path.empty()) {
-    FPrintF(stderr,
-            "\"main\" field of %s is not a non-empty string\n",
-            config_path);
-    return std::nullopt;
-  }
+  simdjson::ondemand::parser parser;
+  simdjson::ondemand::document document;
+  simdjson::ondemand::object main_object;
+  simdjson::error_code error =
+      parser.iterate(simdjson::pad(config)).get(document);
 
-  result.output_path =
-      parser.GetTopLevelStringField("output").value_or(std::string());
-  if (result.output_path.empty()) {
+  if (!error) {
+    error = document.get_object().get(main_object);
+  }
+  if (error) {
     FPrintF(stderr,
-            "\"output\" field of %s is not a non-empty string\n",
-            config_path);
+            "Cannot parse JSON from %s: %s\n",
+            config_path,
+            simdjson::error_message(error));
     return std::nullopt;
   }
 
-  std::optional<bool> disable_experimental_sea_warning =
-      parser.GetTopLevelBoolField("disableExperimentalSEAWarning");
-  if (!disable_experimental_sea_warning.has_value()) {
-    FPrintF(stderr,
+  bool use_snapshot_value = false;
+  bool use_code_cache_value = false;
+
+  for (auto field : main_object) {
+    std::string_view key;
+    if (field.unescaped_key().get(key)) {
+      FPrintF(stderr, "Cannot read key from %s\n", config_path);
+      return std::nullopt;
+    }
+    if (key == "main") {
+      if (field.value().get_string().get(result.main_path) ||
+          result.main_path.empty()) {
+        FPrintF(stderr,
+                "\"main\" field of %s is not a non-empty string\n",
+                config_path);
+        return std::nullopt;
+      }
+    } else if (key == "output") {
+      if (field.value().get_string().get(result.output_path) ||
+          result.output_path.empty()) {
+        FPrintF(stderr,
+                "\"output\" field of %s is not a non-empty string\n",
+                config_path);
+        return std::nullopt;
+      }
+    } else if (key == "disableExperimentalSEAWarning") {
+      bool disable_experimental_sea_warning;
+      if (field.value().get_bool().get(disable_experimental_sea_warning)) {
+        FPrintF(
+            stderr,
             "\"disableExperimentalSEAWarning\" field of %s is not a Boolean\n",
             config_path);
-    return std::nullopt;
-  }
-  if (disable_experimental_sea_warning.value()) {
-    result.flags |= SeaFlags::kDisableExperimentalSeaWarning;
+        return std::nullopt;
+      }
+      if (disable_experimental_sea_warning) {
+        result.flags |= SeaFlags::kDisableExperimentalSeaWarning;
+      }
+    } else if (key == "useSnapshot") {
+      if (field.value().get_bool().get(use_snapshot_value)) {
+        FPrintF(stderr,
+                "\"useSnapshot\" field of %s is not a Boolean\n",
+                config_path);
+        return std::nullopt;
+      }
+      if (use_snapshot_value) {
+        result.flags |= SeaFlags::kUseSnapshot;
+      }
+    } else if (key == "useCodeCache") {
+      if (field.value().get_bool().get(use_code_cache_value)) {
+        FPrintF(stderr,
+                "\"useCodeCache\" field of %s is not a Boolean\n",
+                config_path);
+        return std::nullopt;
+      }
+      if (use_code_cache_value) {
+        result.flags |= SeaFlags::kUseCodeCache;
+      }
+    } else if (key == "assets") {
+      simdjson::ondemand::object assets_object;
+      if (field.value().get_object().get(assets_object)) {
+        FPrintF(stderr,
+                "\"assets\" field of %s is not a map of strings\n",
+                config_path);
+        return std::nullopt;
+      }
+      simdjson::ondemand::value asset_value;
+      for (auto asset_field : assets_object) {
+        std::string_view key_str;
+        std::string_view value_str;
+        if (asset_field.unescaped_key().get(key_str) ||
+            asset_field.value().get(asset_value) ||
+            asset_value.get_string().get(value_str)) {
+          FPrintF(stderr,
+                  "\"assets\" field of %s is not a map of strings\n",
+                  config_path);
+          return std::nullopt;
+        }
+
+        result.assets.emplace(key_str, value_str);
+      }
+
+      if (!result.assets.empty()) {
+        result.flags |= SeaFlags::kIncludeAssets;
+      }
+    }
   }
 
-  std::optional<bool> use_snapshot = parser.GetTopLevelBoolField("useSnapshot");
-  if (!use_snapshot.has_value()) {
-    FPrintF(
-        stderr, "\"useSnapshot\" field of %s is not a Boolean\n", config_path);
-    return std::nullopt;
-  }
-  if (use_snapshot.value()) {
-    result.flags |= SeaFlags::kUseSnapshot;
+  if (static_cast<bool>(result.flags & SeaFlags::kUseSnapshot) &&
+      static_cast<bool>(result.flags & SeaFlags::kUseCodeCache)) {
+    // TODO(joyeecheung): code cache in snapshot should be configured by
+    // separate snapshot configurations.
+    FPrintF(stderr,
+            "\"useCodeCache\" is redundant when \"useSnapshot\" is true\n");
   }
 
-  std::optional<bool> use_code_cache =
-      parser.GetTopLevelBoolField("useCodeCache");
-  if (!use_code_cache.has_value()) {
-    FPrintF(
-        stderr, "\"useCodeCache\" field of %s is not a Boolean\n", config_path);
+  if (result.main_path.empty()) {
+    FPrintF(stderr,
+            "\"main\" field of %s is not a non-empty string\n",
+            config_path);
     return std::nullopt;
   }
-  if (use_code_cache.value()) {
-    if (use_snapshot.value()) {
-      // TODO(joyeecheung): code cache in snapshot should be configured by
-      // separate snapshot configurations.
-      FPrintF(stderr,
-              "\"useCodeCache\" is redundant when \"useSnapshot\" is true\n");
-    } else {
-      result.flags |= SeaFlags::kUseCodeCache;
-    }
-  }
 
-  auto assets_opt = parser.GetTopLevelStringDict("assets");
-  if (!assets_opt.has_value()) {
+  if (result.output_path.empty()) {
     FPrintF(stderr,
-            "\"assets\" field of %s is not a map of strings\n",
+            "\"output\" field of %s is not a non-empty string\n",
             config_path);
     return std::nullopt;
-  } else if (!assets_opt.value().empty()) {
-    result.flags |= SeaFlags::kIncludeAssets;
-    result.assets = std::move(assets_opt.value());
   }
 
   return result;
diff --git a/src/node_shadow_realm.h b/src/node_shadow_realm.h
index c2a6f2c8cb8d05..65844349f7ab49 100644
--- a/src/node_shadow_realm.h
+++ b/src/node_shadow_realm.h
@@ -9,7 +9,7 @@
 namespace node {
 namespace shadow_realm {
 
-class ShadowRealm : public Realm {
+class ShadowRealm final : public Realm {
  public:
   static ShadowRealm* New(Environment* env);
 
diff --git a/src/node_version.h b/src/node_version.h
index 0b023173eb46e4..9238ca24804757 100644
--- a/src/node_version.h
+++ b/src/node_version.h
@@ -23,13 +23,13 @@
 #define SRC_NODE_VERSION_H_
 
 #define NODE_MAJOR_VERSION 24
-#define NODE_MINOR_VERSION 5
-#define NODE_PATCH_VERSION 1
+#define NODE_MINOR_VERSION 6
+#define NODE_PATCH_VERSION 0
 
 #define NODE_VERSION_IS_LTS 0
 #define NODE_VERSION_LTS_CODENAME ""
 
-#define NODE_VERSION_IS_RELEASE 0
+#define NODE_VERSION_IS_RELEASE 1
 
 #ifndef NODE_STRINGIFY
 #define NODE_STRINGIFY(n) NODE_STRINGIFY_HELPER(n)
diff --git a/src/node_worker.cc b/src/node_worker.cc
index 27be25796f781f..76a17305f088d6 100644
--- a/src/node_worker.cc
+++ b/src/node_worker.cc
@@ -32,6 +32,8 @@ using v8::Isolate;
 using v8::Local;
 using v8::Locker;
 using v8::Maybe;
+using v8::Name;
+using v8::NewStringType;
 using v8::Null;
 using v8::Number;
 using v8::Object;
@@ -88,6 +90,15 @@ Worker::Worker(Environment* env,
                 Number::New(env->isolate(), static_cast<double>(thread_id_.id)))
       .Check();
 
+  object()
+      ->Set(env->context(),
+            env->thread_name_string(),
+            String::NewFromUtf8(env->isolate(),
+                                name_.data(),
+                                NewStringType::kNormal,
+                                name_.size())
+                .ToLocalChecked())
+      .Check();
   // Without this check, to use the permission model with
   // workers (--allow-worker) one would need to pass --allow-inspector as well
   if (env->permission()->is_granted(
@@ -364,7 +375,8 @@ void Worker::Run() {
             std::move(exec_argv_),
             static_cast<EnvironmentFlags::Flags>(environment_flags_),
             thread_id_,
-            std::move(inspector_parent_handle_)));
+            std::move(inspector_parent_handle_),
+            name_));
         if (is_stopped()) return;
         CHECK_NOT_NULL(env_);
         env_->set_env_vars(std::move(env_vars_));
@@ -810,6 +822,81 @@ void Worker::Unref(const FunctionCallbackInfo<Value>& args) {
   }
 }
 
+class WorkerCpuUsageTaker : public AsyncWrap {
+ public:
+  WorkerCpuUsageTaker(Environment* env, Local<Object> obj)
+      : AsyncWrap(env, obj, AsyncWrap::PROVIDER_WORKERCPUUSAGE) {}
+
+  SET_NO_MEMORY_INFO()
+  SET_MEMORY_INFO_NAME(WorkerCpuUsageTaker)
+  SET_SELF_SIZE(WorkerCpuUsageTaker)
+};
+
+void Worker::CpuUsage(const FunctionCallbackInfo<Value>& args) {
+  Worker* w;
+  ASSIGN_OR_RETURN_UNWRAP(&w, args.This());
+
+  Environment* env = w->env();
+  AsyncHooks::DefaultTriggerAsyncIdScope trigger_id_scope(w);
+  Local<Object> wrap;
+  if (!env->worker_cpu_usage_taker_template()
+           ->NewInstance(env->context())
+           .ToLocal(&wrap)) {
+    return;
+  }
+
+  BaseObjectPtr<WorkerCpuUsageTaker> taker =
+      MakeDetachedBaseObject<WorkerCpuUsageTaker>(env, wrap);
+
+  bool scheduled = w->RequestInterrupt([taker = std::move(taker),
+                                        env](Environment* worker_env) mutable {
+    auto cpu_usage_stats = std::make_unique<uv_rusage_t>();
+    int err = uv_getrusage_thread(cpu_usage_stats.get());
+
+    env->SetImmediateThreadsafe(
+        [taker = std::move(taker),
+         cpu_usage_stats = std::move(cpu_usage_stats),
+         err = err](Environment* env) mutable {
+          Isolate* isolate = env->isolate();
+          HandleScope handle_scope(isolate);
+          Context::Scope context_scope(env->context());
+          AsyncHooks::DefaultTriggerAsyncIdScope trigger_id_scope(taker.get());
+
+          Local<Value> argv[] = {
+              Null(isolate),
+              Undefined(isolate),
+          };
+
+          if (err) {
+            argv[0] = UVException(
+                isolate, err, "uv_getrusage_thread", nullptr, nullptr, nullptr);
+          } else {
+            Local<Name> names[] = {
+                FIXED_ONE_BYTE_STRING(isolate, "user"),
+                FIXED_ONE_BYTE_STRING(isolate, "system"),
+            };
+            Local<Value> values[] = {
+                Number::New(isolate,
+                            1e6 * cpu_usage_stats->ru_utime.tv_sec +
+                                cpu_usage_stats->ru_utime.tv_usec),
+                Number::New(isolate,
+                            1e6 * cpu_usage_stats->ru_stime.tv_sec +
+                                cpu_usage_stats->ru_stime.tv_usec),
+            };
+            argv[1] = Object::New(
+                isolate, Null(isolate), names, values, arraysize(names));
+          }
+
+          taker->MakeCallback(env->ondone_string(), arraysize(argv), argv);
+        },
+        CallbackFlags::kUnrefed);
+  });
+
+  if (scheduled) {
+    args.GetReturnValue().Set(wrap);
+  }
+}
+
 class WorkerHeapStatisticsTaker : public AsyncWrap {
  public:
   WorkerHeapStatisticsTaker(Environment* env, Local<Object> obj)
@@ -1101,6 +1188,7 @@ void CreateWorkerPerIsolateProperties(IsolateData* isolate_data,
     SetProtoMethod(isolate, w, "loopIdleTime", Worker::LoopIdleTime);
     SetProtoMethod(isolate, w, "loopStartTime", Worker::LoopStartTime);
     SetProtoMethod(isolate, w, "getHeapStatistics", Worker::GetHeapStatistics);
+    SetProtoMethod(isolate, w, "cpuUsage", Worker::CpuUsage);
 
     SetConstructorFunction(isolate, target, "Worker", w);
   }
@@ -1133,6 +1221,19 @@ void CreateWorkerPerIsolateProperties(IsolateData* isolate_data,
         wst->InstanceTemplate());
   }
 
+  {
+    Local<FunctionTemplate> wst = NewFunctionTemplate(isolate, nullptr);
+
+    wst->InstanceTemplate()->SetInternalFieldCount(
+        WorkerCpuUsageTaker::kInternalFieldCount);
+    wst->Inherit(AsyncWrap::GetConstructorTemplate(isolate_data));
+
+    Local<String> wst_string =
+        FIXED_ONE_BYTE_STRING(isolate, "WorkerCpuUsageTaker");
+    wst->SetClassName(wst_string);
+    isolate_data->set_worker_cpu_usage_taker_template(wst->InstanceTemplate());
+  }
+
   SetMethod(isolate, target, "getEnvMessagePort", GetEnvMessagePort);
 }
 
@@ -1149,6 +1250,16 @@ void CreateWorkerPerContextProperties(Local<Object> target,
             Number::New(isolate, static_cast<double>(env->thread_id())))
       .Check();
 
+  target
+      ->Set(env->context(),
+            env->thread_name_string(),
+            String::NewFromUtf8(isolate,
+                                env->thread_name().data(),
+                                NewStringType::kNormal,
+                                env->thread_name().size())
+                .ToLocalChecked())
+      .Check();
+
   target
       ->Set(env->context(),
             FIXED_ONE_BYTE_STRING(isolate, "isMainThread"),
@@ -1199,6 +1310,7 @@ void RegisterExternalReferences(ExternalReferenceRegistry* registry) {
   registry->Register(Worker::LoopIdleTime);
   registry->Register(Worker::LoopStartTime);
   registry->Register(Worker::GetHeapStatistics);
+  registry->Register(Worker::CpuUsage);
 }
 
 }  // anonymous namespace
diff --git a/src/node_worker.h b/src/node_worker.h
index ca022104bd4024..9e80a764a8bd71 100644
--- a/src/node_worker.h
+++ b/src/node_worker.h
@@ -80,6 +80,7 @@ class Worker : public AsyncWrap {
   static void LoopStartTime(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetHeapStatistics(
       const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void CpuUsage(const v8::FunctionCallbackInfo<v8::Value>& args);
 
  private:
   bool CreateEnvMessagePort(Environment* env);
diff --git a/src/node_zlib.cc b/src/node_zlib.cc
index e66bbb26a9b3c5..c088c54753989f 100644
--- a/src/node_zlib.cc
+++ b/src/node_zlib.cc
@@ -324,7 +324,8 @@ class ZstdCompressContext final : public ZstdContext {
   CompressionError ResetStream();
 
   // Zstd specific:
-  CompressionError Init(uint64_t pledged_src_size);
+  CompressionError Init(uint64_t pledged_src_size,
+                        std::string_view dictionary = {});
   CompressionError SetParameter(int key, int value);
 
   // Wrap ZSTD_freeCCtx to remove the return type.
@@ -349,7 +350,9 @@ class ZstdDecompressContext final : public ZstdContext {
   CompressionError ResetStream();
 
   // Zstd specific:
-  CompressionError Init(uint64_t pledged_src_size);
+  CompressionError Init(uint64_t pledged_src_size,
+                        std::string_view dictionary = {});
+
   CompressionError SetParameter(int key, int value);
 
   // Wrap ZSTD_freeDCtx to remove the return type.
@@ -875,8 +878,10 @@ class ZstdStream final : public CompressionStream<CompressionContext> {
     Environment* env = Environment::GetCurrent(args);
     Local<Context> context = env->context();
 
-    CHECK(args.Length() == 4 &&
-          "init(params, pledgedSrcSize, writeResult, writeCallback)");
+    CHECK((args.Length() == 4 || args.Length() == 5) &&
+          "init(params, pledgedSrcSize, writeResult, writeCallback[, "
+          "dictionary])");
+
     ZstdStream* wrap;
     ASSIGN_OR_RETURN_UNWRAP(&wrap, args.This());
 
@@ -904,7 +909,19 @@ class ZstdStream final : public CompressionStream<CompressionContext> {
     }
 
     AllocScope alloc_scope(wrap);
-    CompressionError err = wrap->context()->Init(pledged_src_size);
+    std::string_view dictionary;
+    ArrayBufferViewContents<char> contents;
+    if (args.Length() == 5 && !args[4]->IsUndefined()) {
+      if (!args[4]->IsArrayBufferView()) {
+        THROW_ERR_INVALID_ARG_TYPE(
+            wrap->env(), "dictionary must be an ArrayBufferView if provided");
+        return;
+      }
+      contents.ReadValue(args[4]);
+      dictionary = std::string_view(contents.data(), contents.length());
+    }
+
+    CompressionError err = wrap->context()->Init(pledged_src_size, dictionary);
     if (err.IsError()) {
       wrap->EmitError(err);
       THROW_ERR_ZLIB_INITIALIZATION_FAILED(wrap->env(), err.message);
@@ -1509,7 +1526,8 @@ CompressionError ZstdCompressContext::SetParameter(int key, int value) {
   return {};
 }
 
-CompressionError ZstdCompressContext::Init(uint64_t pledged_src_size) {
+CompressionError ZstdCompressContext::Init(uint64_t pledged_src_size,
+                                           std::string_view dictionary) {
   pledged_src_size_ = pledged_src_size;
   cctx_.reset(ZSTD_createCCtx());
   if (!cctx_) {
@@ -1517,6 +1535,17 @@ CompressionError ZstdCompressContext::Init(uint64_t pledged_src_size) {
                             "ERR_ZLIB_INITIALIZATION_FAILED",
                             -1);
   }
+
+  if (!dictionary.empty()) {
+    size_t ret = ZSTD_CCtx_loadDictionary(
+        cctx_.get(), dictionary.data(), dictionary.size());
+    if (ZSTD_isError(ret)) {
+      return CompressionError("Failed to load zstd dictionary",
+                              "ERR_ZLIB_DICTIONARY_LOAD_FAILED",
+                              -1);
+    }
+  }
+
   size_t result = ZSTD_CCtx_setPledgedSrcSize(cctx_.get(), pledged_src_size);
   if (ZSTD_isError(result)) {
     return CompressionError(
@@ -1549,13 +1578,24 @@ CompressionError ZstdDecompressContext::SetParameter(int key, int value) {
   return {};
 }
 
-CompressionError ZstdDecompressContext::Init(uint64_t pledged_src_size) {
+CompressionError ZstdDecompressContext::Init(uint64_t pledged_src_size,
+                                             std::string_view dictionary) {
   dctx_.reset(ZSTD_createDCtx());
   if (!dctx_) {
     return CompressionError("Could not initialize zstd instance",
                             "ERR_ZLIB_INITIALIZATION_FAILED",
                             -1);
   }
+
+  if (!dictionary.empty()) {
+    size_t ret = ZSTD_DCtx_loadDictionary(
+        dctx_.get(), dictionary.data(), dictionary.size());
+    if (ZSTD_isError(ret)) {
+      return CompressionError("Failed to load zstd dictionary",
+                              "ERR_ZLIB_DICTIONARY_LOAD_FAILED",
+                              -1);
+    }
+  }
   return {};
 }
 
diff --git a/src/signal_wrap.cc b/src/signal_wrap.cc
index d4fe8a3bcdd9ff..cd4960a4ec9e28 100644
--- a/src/signal_wrap.cc
+++ b/src/signal_wrap.cc
@@ -170,7 +170,7 @@ void DecreaseSignalHandlerCount(int signum) {
 
 bool HasSignalJSHandler(int signum) {
   Mutex::ScopedLock lock(handled_signals_mutex);
-  return handled_signals.find(signum) != handled_signals.end();
+  return handled_signals.contains(signum);
 }
 }  // namespace node
 
diff --git a/src/stream_pipe.cc b/src/stream_pipe.cc
index 0b0cf4eb30d59f..512c3f16e441c1 100644
--- a/src/stream_pipe.cc
+++ b/src/stream_pipe.cc
@@ -278,6 +278,8 @@ void StreamPipe::New(const FunctionCallbackInfo<Value>& args) {
   CHECK(args[1]->IsObject());
   StreamBase* source = StreamBase::FromObject(args[0].As<Object>());
   StreamBase* sink = StreamBase::FromObject(args[1].As<Object>());
+  CHECK_NOT_NULL(source);
+  CHECK_NOT_NULL(sink);
 
   if (StreamPipe::New(source, sink, args.This()).IsNothing()) return;
 }
diff --git a/src/undici_version.h b/src/undici_version.h
index f914e59be157dd..9df0737f163f4a 100644
--- a/src/undici_version.h
+++ b/src/undici_version.h
@@ -2,5 +2,5 @@
 // Refer to tools/dep_updaters/update-undici.sh
 #ifndef SRC_UNDICI_VERSION_H_
 #define SRC_UNDICI_VERSION_H_
-#define UNDICI_VERSION "7.12.0"
+#define UNDICI_VERSION "7.13.0"
 #endif  // SRC_UNDICI_VERSION_H_
diff --git a/test/common/README.md b/test/common/README.md
index 6fe330d866be8c..6c8fcf42847a17 100644
--- a/test/common/README.md
+++ b/test/common/README.md
@@ -14,7 +14,7 @@ several other tasks:
   don't accidentally pollute the global namespace.
 
 * Some tests assume a default umask of `0o022`. To enforce this assumption,
-  the common module sets the unmask at startup. Tests that require a
+  the common module sets the umask at startup. Tests that require a
   different umask can override this setting after loading the module.
 
 * Some tests specify runtime flags (example, `--expose-internals`) via a
diff --git a/test/common/fs.js b/test/common/fs.js
new file mode 100644
index 00000000000000..fdf7cbece5ceb9
--- /dev/null
+++ b/test/common/fs.js
@@ -0,0 +1,49 @@
+'use strict';
+
+const { mustNotMutateObjectDeep } = require('.');
+const { readdirSync } = require('node:fs');
+const { join } = require('node:path');
+const assert = require('node:assert');
+const tmpdir = require('./tmpdir.js');
+
+let dirc = 0;
+function nextdir(dirname) {
+  return tmpdir.resolve(dirname || `copy_%${++dirc}`);
+}
+
+function assertDirEquivalent(dir1, dir2) {
+  const dir1Entries = [];
+  collectEntries(dir1, dir1Entries);
+  const dir2Entries = [];
+  collectEntries(dir2, dir2Entries);
+  assert.strictEqual(dir1Entries.length, dir2Entries.length);
+  for (const entry1 of dir1Entries) {
+    const entry2 = dir2Entries.find((entry) => {
+      return entry.name === entry1.name;
+    });
+    assert(entry2, `entry ${entry2.name} not copied`);
+    if (entry1.isFile()) {
+      assert(entry2.isFile(), `${entry2.name} was not file`);
+    } else if (entry1.isDirectory()) {
+      assert(entry2.isDirectory(), `${entry2.name} was not directory`);
+    } else if (entry1.isSymbolicLink()) {
+      assert(entry2.isSymbolicLink(), `${entry2.name} was not symlink`);
+    }
+  }
+}
+
+function collectEntries(dir, dirEntries) {
+  const newEntries = readdirSync(dir, mustNotMutateObjectDeep({ withFileTypes: true }));
+  for (const entry of newEntries) {
+    if (entry.isDirectory()) {
+      collectEntries(join(dir, entry.name), dirEntries);
+    }
+  }
+  dirEntries.push(...newEntries);
+}
+
+module.exports = {
+  nextdir,
+  assertDirEquivalent,
+  collectEntries,
+};
diff --git a/test/fixtures/errors/error_exit.snapshot b/test/fixtures/errors/error_exit.snapshot
index 778165dc25c4fc..9594e08b4dadf9 100644
--- a/test/fixtures/errors/error_exit.snapshot
+++ b/test/fixtures/errors/error_exit.snapshot
@@ -12,7 +12,8 @@ AssertionError [ERR_ASSERTION]: Expected values to be strictly equal:
   code: 'ERR_ASSERTION',
   actual: 1,
   expected: 2,
-  operator: 'strictEqual'
+  operator: 'strictEqual',
+  diff: 'simple'
 }
 
 Node.js *
diff --git a/test/fixtures/errors/if-error-has-good-stack.snapshot b/test/fixtures/errors/if-error-has-good-stack.snapshot
index 9296b25f10b7c6..ba76800b970028 100644
--- a/test/fixtures/errors/if-error-has-good-stack.snapshot
+++ b/test/fixtures/errors/if-error-has-good-stack.snapshot
@@ -19,7 +19,8 @@ AssertionError [ERR_ASSERTION]: ifError got unwanted exception: test error
       at a (*if-error-has-good-stack.js:*:*)
       at Object.<anonymous> (*if-error-has-good-stack.js:*:*),
   expected: null,
-  operator: 'ifError'
+  operator: 'ifError',
+  diff: 'simple'
 }
 
 Node.js *
diff --git a/test/fixtures/keys/Makefile b/test/fixtures/keys/Makefile
index ffb84ec353b10b..7ab71970483183 100644
--- a/test/fixtures/keys/Makefile
+++ b/test/fixtures/keys/Makefile
@@ -98,6 +98,18 @@ all: \
   incorrect_san_correct_subject-key.pem \
   irrelevant_san_correct_subject-cert.pem \
   irrelevant_san_correct_subject-key.pem \
+  ml_dsa_44_private.pem \
+  ml_dsa_44_private_seed_only.pem \
+  ml_dsa_44_private_priv_only.pem \
+  ml_dsa_44_public.pem \
+  ml_dsa_65_private.pem \
+  ml_dsa_65_private_seed_only.pem \
+  ml_dsa_65_private_priv_only.pem \
+  ml_dsa_65_public.pem \
+  ml_dsa_87_private.pem \
+  ml_dsa_87_private_seed_only.pem \
+  ml_dsa_87_private_priv_only.pem \
+  ml_dsa_87_public.pem \
 
 #
 # Create Certificate Authority: ca1
@@ -855,6 +867,42 @@ ed448_private.pem:
 ed448_public.pem: ed448_private.pem
 	openssl pkey -in ed448_private.pem -pubout -out ed448_public.pem
 
+ml_dsa_44_private.pem:
+	openssl genpkey -algorithm ml-dsa-44 -out ml_dsa_44_private.pem
+
+ml_dsa_44_private_seed_only.pem: ml_dsa_44_private.pem
+	openssl pkey -in ml_dsa_44_private.pem -provparam ml-dsa.output_formats=seed-only -out ml_dsa_44_private_seed_only.pem
+
+ml_dsa_44_private_priv_only.pem: ml_dsa_44_private.pem
+	openssl pkey -in ml_dsa_44_private.pem -provparam ml-dsa.output_formats=priv-only -out ml_dsa_44_private_priv_only.pem
+
+ml_dsa_44_public.pem: ml_dsa_44_private.pem
+	openssl pkey -in ml_dsa_44_private.pem -pubout -out ml_dsa_44_public.pem
+
+ml_dsa_65_private.pem:
+	openssl genpkey -algorithm ml-dsa-65 -out ml_dsa_65_private.pem
+
+ml_dsa_65_private_seed_only.pem: ml_dsa_65_private.pem
+	openssl pkey -in ml_dsa_65_private.pem -provparam ml-dsa.output_formats=seed-only -out ml_dsa_65_private_seed_only.pem
+
+ml_dsa_65_private_priv_only.pem: ml_dsa_65_private.pem
+	openssl pkey -in ml_dsa_65_private.pem -provparam ml-dsa.output_formats=priv-only -out ml_dsa_65_private_priv_only.pem
+
+ml_dsa_65_public.pem: ml_dsa_65_private.pem
+	openssl pkey -in ml_dsa_65_private.pem -pubout -out ml_dsa_65_public.pem
+
+ml_dsa_87_private.pem:
+	openssl genpkey -algorithm ml-dsa-87 -out ml_dsa_87_private.pem
+
+ml_dsa_87_private_seed_only.pem: ml_dsa_87_private.pem
+	openssl pkey -in ml_dsa_87_private.pem -provparam ml-dsa.output_formats=seed-only -out ml_dsa_87_private_seed_only.pem
+
+ml_dsa_87_private_priv_only.pem: ml_dsa_87_private.pem
+	openssl pkey -in ml_dsa_87_private.pem -provparam ml-dsa.output_formats=priv-only -out ml_dsa_87_private_priv_only.pem
+
+ml_dsa_87_public.pem: ml_dsa_87_private.pem
+	openssl pkey -in ml_dsa_87_private.pem -pubout -out ml_dsa_87_public.pem
+
 x448_private.pem:
 	openssl genpkey -algorithm x448 -out x448_private.pem
 
diff --git a/test/fixtures/keys/ml_dsa_44_private.pem b/test/fixtures/keys/ml_dsa_44_private.pem
new file mode 100644
index 00000000000000..e856bb9ddb8b98
--- /dev/null
+++ b/test/fixtures/keys/ml_dsa_44_private.pem
@@ -0,0 +1,57 @@
+-----BEGIN PRIVATE KEY-----
+MIIKPgIBADALBglghkgBZQMEAxEEggoqMIIKJgQg273AhMPiZWLlSQCY41yi1fMj
+6xavGH0btB23zMhI1uYEggoAfYmD1Rx/jkoW9KG7Bs/5zyYEiWEZs15tYBxNdKq9
+Nirz5yNjqbIxcVRNQBIe5zeinrkGIfqRUjzll47/zVrs1bHvs67MS9Tqkmure606
+iUAbjQSSSfiNMs7+0KLDde4dPc/nLynZu2LCKviOpvxIIAw9kfarvBR3e6Ny+/4C
+G8KIEEnkNGXjRDADNwASQERhloVDOBBLtClBQmoIkmghEwUBAImDFEHSQmZkJAqS
+FmgCJmJJxARRCC1KxCREtBERtIEKFmoIBEoAMmgERoATNHGBtIwIGWiEgGgBI3GJ
+lICDRkIBxYyTGEBiggmguCyMKCRYNmpZFGyhNGQQA2QIhUwjxYGJxInUKG3CMIxS
+tm0RgiwaABAYpDDYSArZtoTImAQUCUDhhpAbQErKggSRknEINE5CSIKkJIiREoQa
+I2AkxQWjtkmRsAUIQjEYqQEAI40hEVLgsjHaJIGhRgICtYQbGWGUlEGkAghctBGK
+JJBRQGwYsYmLhADRNDHSsITTsClDNDEDkG0LRQ4BI43QkG0AhWmCRhEiF4yglnCE
+og0AEUkUmTBIlEmCFnEDRiFCMmYhJAEAswwTSYyUQiwKhxDZxAXjuIBAwBCDAgUR
+EkgTAgaTAFEUFTERkxCIKFDMxCAJOIQYRmTRNgWEqJBZmGnkEhIIFoTDSBIDhg0k
+JCSgCAbBII3QwE0MJnDRyAiYCDAChAhChBCiIAGQAiACR1FIkkkDoHEJGJDgspHi
+qG2KEGUTM0CcBmSDwohJNEmKQiICFU0BRmYbo2TSAA0DxmEMiQhTqCAYGG2gJg7a
+kGHSSAzgRiBjFBCiGEaMqCQDJiKAFgIbJIECMyVYApFUkHGiFjFLhmhAiHAYQUZI
+omXEAmTkqEDjsEQBEIEhFUUaAmJYQCJUBoViGGSaIjIBpZHcyFAMEwAMIgkZwwxj
+OI4BsIELOUZEIoocMQHEIoiDsAHjAoZhNgLKhgQJBgjQolHThIUCREjaRBBjOIAQ
+MhIRQXIkQSWZJgSMuAQRCQhcRGmRxABchAUYMmYRyGFYNIKblo2JqCHcpohguGhJ
+lAzBmGlMlk3IIoxjJk4Zs2UBuSXiIo0ZwGTSiGlMuHFYFIkaSJFJNEnRlIEbpmzT
+pohbhFGCAlJjICYkhigIJ1ISQkSKpJDMkoBIMkoUhmwCJXLbBEwBpmyLgiXBEmSQ
+Ng7bRyG4wjDVpM+H4L1ZvmSDBST5YCbGqeGir7YK29Nt58Wpg+kSI/w4MG/vPHpA
+iOJLat7WkpVc6ZOwzAF9zLAOKig2chGSS6+o38GI6GBvs1EzSy8Qx4UQYJfj+c/k
+Qpb1UOzayixoR+DeSTUd6kB/IhmqcW8JaN4iBVig3yBzB7lj6cYvuHxFXJESTFMN
+ALlZvgRGyvSjGF8wJ31t4svCBA/uwRKOwOIxbZrChB1vj7dtIr+MQFbQx72gIhU9
+FGZ3DM9/3Iy1bxziEjLg4KsUp4a4eNXWQ5y164zjj9v9cGZUSOw20mEc0wwqeB5B
+PscuPafR3GM0vQEyMfNoAkukfznLCF0eMvvCZ90MygrabtXZuG2SkRcmxKys/zAF
+ijuoIzlWK4ZDdQsSOK4dq+Wo0nJP+chiB9fj8JMEQmfvjil9fU/Xo7nqJ+shVdDU
+vX4OYFfnvE3Kah4ezD+BQFfre34g2F2De/UX0df7ml7qNaKCYUyq8k1zgFb/wdrF
+0HVLYpqc9/20e6zv64O3rIXwYcFaboBQ4NPFXqpjLgdhTRp1qn2+7LPwucAyBYpb
+likuI0W8o2Jf57dTL2BYUjojrXIKnCqBDd8ynp/kWr7JG+N6VXtAVQtW5LpxMsAC
+sSKzuw5aO+wPzW9X6BW30paXza9S03HPIVC/Ll+Z5Ke8NZQOHL8pr6toeNGIrLhf
+2HMF7yK9vnUe2mUuCYJ5+TOmQK0LdsUs/qmPpU5P7hHEy5R/BxpJkZpb1B92BNyX
+r1FOoOs2OBFDwWfZz7FL/pjZlLqlnI+wDue5sfdjds9AhcoReN9iBpUpANwhgZfW
+IbrMQM6KJnW3AwUgibaX/hQ7F7iGbRUPLJp6GgvhLCvXd75SIjo3+iK8EYHXsZO1
+vZSoXV9B8bnxsVOjZF0N0ehJy3ZiH4/O4gqLwxEjQFvAyuZt6AijUbPM9rbCxxJN
+s7EC0UcoBoqdH1r0fCOyO6oljMR2E6UnyoeNFu0+QjceqhIUdaCDZKYrn5G3aTAv
+N/IuwmMbanN4YUXdcdTIGPUgB6hH73KskEkZ1YS91MyHS5jMBLiflWyMdk0A+6df
+SplkdBOpcGB9Cc+lSQe+SA0t76gRZAO0RNsCxwHnmsSm3QbbODVnC0fbUZz6nL6a
+cDNw6TLOAmIZbc9+Dr4cwJeiNpp8JKjYXR+NsAQMwLoNmfWE7VZUl4qS1N7kV+gY
+R8Fl6U6kiIJCEErRFdGJaGFsjL69iNAXk7NBcXqwxVftsmWC3uio4CC7iFBpCIsU
+lYkn88BcBsvyEr0dSMjDX1h2uLUbVlSPoIi4PvW5tjMo8ZOpWANGtU28wyrxBoEP
+pa7NXvGCwgSJ0dE3FoIOtzGFuHfMojRZmToHA6BGLPmNivtOwtNAlZphRjqTg01l
+rNmnoS72s/09S/hLkcObkg1ydZfTSqhEHY9wv1cCRnKMfUoJDxMrhMWLyIdm6ZfF
+/Om7zg1SqjDfINF76AXowj3sWurZUbL6NyCKYQ/5kiQewRZhRuIO2K36O5HUvwSp
+VNjwGc2RxHN7kmARG2DpYIAyK/rF8KYneMdtptBiTFNZ9ZwK71yGXnNBUxMyNWAK
+CIlBDMS9mdfUIL52x4FNvR6uePCgRc2LpFYLc7P1x9ruDQFyRNpCJ6mMo6VkELF4
+oXUh8fmUM04WT2WHI4+K8CC2V9M0o8wWlvy1JlH2QnYlUtiYHkCx1Vxr5n7ilgZ5
+5/kDskflB3fFZmVE1v+LdwpeA67rbkWi7xDDgdTBmupTl1pVvX2o/e8wlpxs7tuq
+Py0MNqa0UNegqRQ+X0m/dcpUqlBJUVtyScmGnln/xWEGaQXj68GLMbhqZ0tm+jr8
+nab4xUPddSr6fogaLiGp67pQiBwe2fT5NtY0NHzW5elXsdGYKZiHBMMsK6RfMEUI
+mlo7MrzhzDM73FQ+gXWVuAXIRtrIAKn0D2ZF9hCbMexncSYDNcnNnmYLZPADDdsz
+ulU+nHgRrycRAbNNSLh1dqFWdW6VwFfuO1LTahAMD4RgEMFsE5CAPNugK2bUB91k
+4Ph5ZxRdBsYAK3fdIBrc5xBUXQU2iPjTJDc7f/MnLPXkLLsfykssTKcALnlpthKO
+4lg9KlF0Xy9fziYRBnlTDGGALPeSli7Ks4ICD0e+sCbNnmz0Y6MyCP1OvSTKnjBi
+UB1jvq6luL7UmEtV4JmawD/vtgKbK82QtZSRInspcTycsg==
+-----END PRIVATE KEY-----
diff --git a/test/fixtures/keys/ml_dsa_44_private_priv_only.pem b/test/fixtures/keys/ml_dsa_44_private_priv_only.pem
new file mode 100644
index 00000000000000..9c7d0d492bbc68
--- /dev/null
+++ b/test/fixtures/keys/ml_dsa_44_private_priv_only.pem
@@ -0,0 +1,56 @@
+-----BEGIN PRIVATE KEY-----
+MIIKGAIBADALBglghkgBZQMEAxEEggoEBIIKAH2Jg9Ucf45KFvShuwbP+c8mBIlh
+GbNebWAcTXSqvTYq8+cjY6myMXFUTUASHuc3op65BiH6kVI85ZeO/81a7NWx77Ou
+zEvU6pJrq3utOolAG40Ekkn4jTLO/tCiw3XuHT3P5y8p2btiwir4jqb8SCAMPZH2
+q7wUd3ujcvv+AhvCiBBJ5DRl40QwAzcAEkBEYZaFQzgQS7QpQUJqCJJoIRMFAQCJ
+gxRB0kJmZCQKkhZoAiZiScQEUQgtSsQkRLQREbSBChZqCARKADJoBEaAEzRxgbSM
+CBlohIBoASNxiZSAg0ZCAcWMkxhAYoIJoLgsjCgkWDZqWRRsoTRkEANkCIVMI8WB
+icSJ1ChtwjCMUrZtEYIsGgAQGKQw2EgK2baEyJgEFAlA4YaQG0BKyoIEkZJxCDRO
+QkiCpCSIkRKEGiNgJMUFo7ZJkbAFCEIxGKkBACONIRFS4LIx2iSBoUYCArWEGxlh
+lJRBpAIIXLQRiiSQUUBsGLGJi4QA0TQx0rCE07ApQzQxA5BtC0UOASON0JBtAIVp
+gkYRIheMoJZwhKINABFJFJkwSJRJghZxA0YhQjJmISQBALMME0mMlEIsCocQ2cQF
+47iAQMAQgwIFERJIEwIGkwBRFBUxEZMQiChQzMQgCTiEGEZk0TYFhKiQWZhp5BIS
+CBaEw0gSA4YNJCQkoAgGwSCN0MBNDCZw0cgImAgwAoQIQoQQoiABkAIgAkdRSJJJ
+A6BxCRiQ4LKR4qhtihBlEzNAnAZkg8KISTRJikIiAhVNAUZmG6Nk0gANA8ZhDIkI
+U6ggGBhtoCYO2pBh0kgM4EYgYxQQohhGjKgkAyYigBYCGySBAjMlWAKRVJBxohYx
+S4ZoQIhwGEFGSKJlxAJk5KhA47BEARCBIRVFGgJiWEAiVAaFYhhkmiIyAaWR3MhQ
+DBMADCIJGcMMYziOAbCBCzlGRCKKHDEBxCKIg7AB4wKGYTYCyoYECQYI0KJR04SF
+AkRI2kQQYziAEDISEUFyJEElmSYEjLgEEQkIXERpkcQAXIQFGDJmEchhWDSCm5aN
+iagh3KaIYLhoSZQMwZhpTJZNyCKMYyZOGbNlAbkl4iKNGcBk0ohpTLhxWBSJGkiR
+STRJ0ZSBG6Zs06aIW4RRggJSYyAmJIYoCCdSEkJEiqSQzJKASDJKFIZsAiVy2wRM
+AaZsi4IlwRJkkDYO20chuMIw1aTPh+C9Wb5kgwUk+WAmxqnhoq+2CtvTbefFqYPp
+EiP8ODBv7zx6QIjiS2re1pKVXOmTsMwBfcywDiooNnIRkkuvqN/BiOhgb7NRM0sv
+EMeFEGCX4/nP5EKW9VDs2sosaEfg3kk1HepAfyIZqnFvCWjeIgVYoN8gcwe5Y+nG
+L7h8RVyREkxTDQC5Wb4ERsr0oxhfMCd9beLLwgQP7sESjsDiMW2awoQdb4+3bSK/
+jEBW0Me9oCIVPRRmdwzPf9yMtW8c4hIy4OCrFKeGuHjV1kOcteuM44/b/XBmVEjs
+NtJhHNMMKngeQT7HLj2n0dxjNL0BMjHzaAJLpH85ywhdHjL7wmfdDMoK2m7V2bht
+kpEXJsSsrP8wBYo7qCM5ViuGQ3ULEjiuHavlqNJyT/nIYgfX4/CTBEJn744pfX1P
+16O56ifrIVXQ1L1+DmBX57xNymoeHsw/gUBX63t+INhdg3v1F9HX+5pe6jWigmFM
+qvJNc4BW/8HaxdB1S2KanPf9tHus7+uDt6yF8GHBWm6AUODTxV6qYy4HYU0adap9
+vuyz8LnAMgWKW5YpLiNFvKNiX+e3Uy9gWFI6I61yCpwqgQ3fMp6f5Fq+yRvjelV7
+QFULVuS6cTLAArEis7sOWjvsD81vV+gVt9KWl82vUtNxzyFQvy5fmeSnvDWUDhy/
+Ka+raHjRiKy4X9hzBe8ivb51HtplLgmCefkzpkCtC3bFLP6pj6VOT+4RxMuUfwca
+SZGaW9QfdgTcl69RTqDrNjgRQ8Fn2c+xS/6Y2ZS6pZyPsA7nubH3Y3bPQIXKEXjf
+YgaVKQDcIYGX1iG6zEDOiiZ1twMFIIm2l/4UOxe4hm0VDyyaehoL4Swr13e+UiI6
+N/oivBGB17GTtb2UqF1fQfG58bFTo2RdDdHoSct2Yh+PzuIKi8MRI0BbwMrmbegI
+o1GzzPa2wscSTbOxAtFHKAaKnR9a9HwjsjuqJYzEdhOlJ8qHjRbtPkI3HqoSFHWg
+g2SmK5+Rt2kwLzfyLsJjG2pzeGFF3XHUyBj1IAeoR+9yrJBJGdWEvdTMh0uYzAS4
+n5VsjHZNAPunX0qZZHQTqXBgfQnPpUkHvkgNLe+oEWQDtETbAscB55rEpt0G2zg1
+ZwtH21Gc+py+mnAzcOkyzgJiGW3Pfg6+HMCXojaafCSo2F0fjbAEDMC6DZn1hO1W
+VJeKktTe5FfoGEfBZelOpIiCQhBK0RXRiWhhbIy+vYjQF5OzQXF6sMVX7bJlgt7o
+qOAgu4hQaQiLFJWJJ/PAXAbL8hK9HUjIw19Ydri1G1ZUj6CIuD71ubYzKPGTqVgD
+RrVNvMMq8QaBD6WuzV7xgsIEidHRNxaCDrcxhbh3zKI0WZk6BwOgRiz5jYr7TsLT
+QJWaYUY6k4NNZazZp6Eu9rP9PUv4S5HDm5INcnWX00qoRB2PcL9XAkZyjH1KCQ8T
+K4TFi8iHZumXxfzpu84NUqow3yDRe+gF6MI97Frq2VGy+jcgimEP+ZIkHsEWYUbi
+Dtit+juR1L8EqVTY8BnNkcRze5JgERtg6WCAMiv6xfCmJ3jHbabQYkxTWfWcCu9c
+hl5zQVMTMjVgCgiJQQzEvZnX1CC+dseBTb0ernjwoEXNi6RWC3Oz9cfa7g0BckTa
+QiepjKOlZBCxeKF1IfH5lDNOFk9lhyOPivAgtlfTNKPMFpb8tSZR9kJ2JVLYmB5A
+sdVca+Z+4pYGeef5A7JH5Qd3xWZlRNb/i3cKXgOu625Fou8Qw4HUwZrqU5daVb19
+qP3vMJacbO7bqj8tDDamtFDXoKkUPl9Jv3XKVKpQSVFbcknJhp5Z/8VhBmkF4+vB
+izG4amdLZvo6/J2m+MVD3XUq+n6IGi4hqeu6UIgcHtn0+TbWNDR81uXpV7HRmCmY
+hwTDLCukXzBFCJpaOzK84cwzO9xUPoF1lbgFyEbayACp9A9mRfYQmzHsZ3EmAzXJ
+zZ5mC2TwAw3bM7pVPpx4Ea8nEQGzTUi4dXahVnVulcBX7jtS02oQDA+EYBDBbBOQ
+gDzboCtm1AfdZOD4eWcUXQbGACt33SAa3OcQVF0FNoj40yQ3O3/zJyz15Cy7H8pL
+LEynAC55abYSjuJYPSpRdF8vX84mEQZ5UwxhgCz3kpYuyrOCAg9HvrAmzZ5s9GOj
+Mgj9Tr0kyp4wYlAdY76upbi+1JhLVeCZmsA/77YCmyvNkLWUkSJ7KXE8nLI=
+-----END PRIVATE KEY-----
diff --git a/test/fixtures/keys/ml_dsa_44_private_seed_only.pem b/test/fixtures/keys/ml_dsa_44_private_seed_only.pem
new file mode 100644
index 00000000000000..96a404dc712e64
--- /dev/null
+++ b/test/fixtures/keys/ml_dsa_44_private_seed_only.pem
@@ -0,0 +1,4 @@
+-----BEGIN PRIVATE KEY-----
+MDQCAQAwCwYJYIZIAWUDBAMRBCKAINu9wITD4mVi5UkAmONcotXzI+sWrxh9G7Qd
+t8zISNbm
+-----END PRIVATE KEY-----
diff --git a/test/fixtures/keys/ml_dsa_44_public.pem b/test/fixtures/keys/ml_dsa_44_public.pem
new file mode 100644
index 00000000000000..890e65ccedb61b
--- /dev/null
+++ b/test/fixtures/keys/ml_dsa_44_public.pem
@@ -0,0 +1,30 @@
+-----BEGIN PUBLIC KEY-----
+MIIFMjALBglghkgBZQMEAxEDggUhAH2Jg9Ucf45KFvShuwbP+c8mBIlhGbNebWAc
+TXSqvTYq3GZ72QcMMGhm49FLMSTXOA8n6diBQGWTzt6xQklHaVxz6xkR8CFTM8Is
+H7tle1dNsaIXluJq5D04QNyUSUpjXbMemBrt+zGniZCJOgJVHsaOOiXxq5EV2afy
+MmcYi/y9nT638Mft9o+1hSObAWnae3A1nzZCY3UMFuKbk3uUcO4dehh2/gzDgCqX
+3jB7o4eyGB7iwlOpVYvdI9ZvEbtHcXZnkNXmNbw5zu3zUCn8zi4aVDZ4+wQWduBk
+6hXPkjeRwwkgrEhiknE2GAcIklU3UhhtRjaiIjdhYBOM9SY+iRVQfziFJ5eLCm29
+5vJAdAcLVD25AtBVaJBkVBBrem2tT3PyDKQeRrN4PTxURCPwvaNclVtzUtj8x/1Z
+OE6X9DdStZMyCv9yKnpC38ql5lQzbDqL7Eu0sPU3ZnVlDRkZoVxSkZHseVY6TCMe
+zsARrGCQnOBYWrlna1bW5LxxoIEqbJWu92XAOFc4e2quOyzL9CktmC6fgzJ+0hKI
+TxxoO+NdfHiy5/PMqbccLcLdXQRY/ASlHz68rbjdRCEUMt+IcG5ASzfcA6oYJ92d
+375LEb5oDf+GUPGI3g/h9zhYeVif0XeusB0pfmBWrfvyReFD3HZZDVG8T7w4uVS/
+dPT3t1ZcBGYU+aLXbV0F+FN3VH6lihIdpDdENpaPMG39zjJgThU38l9HmGv+dPPG
+Zyb75Ynn5/kwg8nOlpXGazasAThfDfPiDd2//ET6vkblfPpivjPNx4uBJUAe2eOH
+mTJn1MBa6MxBuFqtiujMEP3nRuHVnlFTApaE6RgxTrZS0JQ6ADeJv7Eti28Jv962
+tvZ6FHCvP49dMsvoRDRNmJbodaSC/hqFmY97mDvqxClW7M2moHRNAyf7kHB1HTZw
+Ryp+uPnEOsYoV88Wnh8fTsZFljCm8y7SqbmAyv1+xFb5vGE45f6E7K9klk9rrIzS
+ZKN9g4UVfjlyyih6ORSaQstmxhS1xhtugoJVL4GUNncl4lnhlTSn3zr9XEOUf0ZV
+NjKS4mdW4oMvYYeJbv1wBy340H4X+9Y3jLheJxAVlfmDgIw02gwdoXBqr/13Bl3J
+i1h6jloHOTG+pZG9s2LP6MjrJJshcegtD+1K1fJAojeM27k6mTXTY5Vi/0CVJlN7
+5OgqTWtFzdTN7C42aThLGqoEVTy3CAx/o7lYclosprsXvvMjQjhUisYbHHsNPBEP
+QxHJD/4iAPKlNoHK3h7bwEuVQORJs9StsqWHuqEt6ID/gl+JzgBH747G9RxyaHJY
+IsIy9QbQixYDhPtL59TPp1ThOlmxxh6DSjCTBz9mtx0Auw5g30jsOT+go+V+0Fao
+QmOrQBmVhD7t4VLLKeyuVCXjxHQZ/y6xK7eLnMl1ustTwANhZ/BLh2kcn9oIImwx
+p86vBNeZv0eCzL2QLhkdGzfYwU5Zv8eGUDKhcCpCHZZZDdUExK2szsjbIFOn4QP9
+tIeRCGE+vi6l6/zrY9yqfDJCQfXN1zRqKObGx00ArdFTTh6MQhT/7MIgCS7Zu+N3
+jrCNTOp2liyKj2oEgoqKLALyWKMMqSUBrzPjd4QbvClK9H/ddSkTe1qkwF0zh2f7
+706nFinrdHRXYdRB7j9061PIUjHImqYRr7ivd094GlriepXApEJ3VrxKPUuhUAe3
+i1PwCyjkN0Tsm1FJF4H8k5Fgz8Wx3XiQoDEb+iINT0oT8sWG+Io=
+-----END PUBLIC KEY-----
diff --git a/test/fixtures/keys/ml_dsa_65_private.pem b/test/fixtures/keys/ml_dsa_65_private.pem
new file mode 100644
index 00000000000000..afdf08bec4d9af
--- /dev/null
+++ b/test/fixtures/keys/ml_dsa_65_private.pem
@@ -0,0 +1,88 @@
+-----BEGIN PRIVATE KEY-----
+MIIP/gIBADALBglghkgBZQMEAxIEgg/qMIIP5gQg1X9VEr/iXMRwBvnSytEmHrtA
++DpD6FWAUqMrDNlJVBgEgg/AhxPP5LvG83t2fJyfA1TUssJK/ydrzryrCHGZuKFx
+mnkukumHBVlGTVKbFcS36vPb0qdJz+7yT4VUEfr2Olvm9/GsrxE8cgRyZu1okCxv
+Cb4cNi1BHERK3N3M5g9mbXqUbBqPl5Ug9960/kN2+hJa2+sldDzhmiyw5QWHV6Fv
+Hrg4cxggNDEYAQYiADY2YVd2RmJ0FFJTRYd1NBhyJyFUABQjBUFlZGeFEScDJYIG
+UoIDQGaEhigFgSYBNBdIRiNDgVcjMQNDIWYHaDcHB3MTV4cXNnR4AHExFVAiJwhi
+RQRRYoF4gld2ACAEN1AwEyd2NmcVBINygiFUZjSBAjUlA3QRI2SBdzFBNwgRRDRE
+OIRQgoMWhWY3ZDMnQoMzhIaFIxIFBggIGEhkhjEAYABoUkQjEXYFNAFXNjB2UAcI
+ZoaGY2cQGFgjcGRTFSdVEiATYDJyhDFYM3UFcwiCgzOHFiM2FEdXgTcEggQhCIhU
+NVaIRkIFJHgYGEiGNlBYEgYHUWUDZTQUQRQCcFYVh3ERVRcHAHNEMkJgA2RDaCZW
+RXgEYkBzRzSGFQQkSIVCWIRBUgYWgDVzEncDMGgmEIhGcDEBM4BDEmdkAIATQyAh
+RHBxJWKGJlRiMEF2ZldRaCchcGE2ETgwUxFTZGd3YxNlcVUBRICDgShhciZGN1Zx
+BxGAR4FFRUAAYHBUIlYzA3ByBwAxNjVCcUBgU1EQBTZGIkFBAiMFN1dEMBcRQ1QC
+MHM1VSd4SHATEjhWZyYkg4ZIRFSCIjBCYzAmeAUFUSIENFgXOFYCYIZ2VSEDcQNx
+JlJkVQFoAUR4QmIVM1RRgThRR3Uyg0UyQ0dVNFA1F3AQV2gTF2U2EkNDNUIFhjET
+BYOGSIQjcmJXcnUBEYZmdFhyEYZUNyOIc3RlIAJnKHQ0ETRmF2c0Q4dXMVRVKGFz
+Z0CAVRcFN2YGEyhWYRESRIJIEXQIY2YEEQEzFBd1ZIYGNCY2ViJUKAgBd3QBMVJx
+OAgihAJzOCYwgYBFBQiCSIaDE4VCIkNEF1gGcxZiR4OFV1hUZxJQNkgTFIRGgGFH
+R1eEEidYgSUVF2NUQIE4Q2MxYTJQUwBQM1UUJVZSQYQoOHKFYGaBOHCGZHhBOAZE
+ARMxR2gSEYhTVIAXMoRRJiVIgBAlFFhEZlBXEmA3dmVTUFBRcRQDYWZkMCA2VWdx
+NxhoFmcnMTBTUnMBJENVZGhIdGBzhAgzgxRmE2IyJkSAVEIlEyRTNYKFUiJhCGeH
+hgRxMTVgYoAjCHcmN1NSgVUhUhRUI0ggCINQKFIhUxOFCGIwRghQYQVSNxEUgDBl
+cVASNXQ3V0ZWVkAig4YnVFSIcyiIYCFIaBcRUgFBcQMDJCEAVEZndyZYU2EUKAhG
+ckADBhYzgFEGhgElAmh3djQIh4ZxFYQBZXQBJUeHBgQEYzdwdBJoczcSZ2ByAUGC
+YHdRIkZiR0h0hUJic0N4MGZWhRZ2MAVBOHI1VBFnhGNIUxUTRENVdjZReHBQGIIH
+dDgEGBVYdXFYQQMABhKFQzhQNAElAIQFA0ABARgAFwMEFzU1h1EliEElEDUyUFaI
+AnUVVhg2NmZRNARmURAnRFcgMQNzg1NRclcUgEUAIyhxYSRFd0RHQDU2h1QoIAQA
+AWMHE2IjYHN2gGBVQmZGdVUhZDOCYYVGQyeEB4BShTgFN3ExYlhUBXYxMwgTViB4
+AEVTgVKGJQMAZIYDh3hWQFGEAgYhhEZHSIh1VBcwBBRXaAKCgAQCA0g1YlZnCEAB
+dkaBNkYRFTEiAwZCOGA0iIeHhgdXOGcoEHZRARFkFkEWd3d0V2cFCAAQWCRwISdo
+NBYAU3VWIYGCMGNEMFMWJCAEEIBlNhCFZxcwSCh3EBgoQ4UjUUEmFGUiMmcVRBAH
+GBRiNFgoADgUEBIDR4BQYFFggoNmIQEnOCMwEIJnRHaDIGIEOFcYYRVWcGB4UWFn
+MzACU3doRUgIIhJFdFcGJjIWdHWFURQjYgISh2ZxF1cxU3RmFRAxJQdoZogVRkQz
+Nic4N4V1AjSHMBVXBxhwEjaIeJ8jA/GwRCv271RCBmT18yHeLpMYgpN5EUIlSApM
+bvaIWow/FUJAx+ejUiTiS3BVbeAylfianswTnxsa5kmeSNjgPxAO/U0fSzkyKcCF
+v7z+xpg0nrQrLQQyr4s+pnmzgI7kaTMXqG6b0l1R8pWfI/5DzobR4Q5v1Gb4yAfi
+NA1uEBFRmzJGNWukgttxygeiYesIqimCUDI5GAEJ+ZIAox/ie4Oi29DXwzQRW+HD
+HeK97iLZon1+RFEiKfvzq3d5/NkdigJFZsBTXdFrfPwBcRJTIrUrXt+5qEaz1wB9
+qWsRwFynfnMjhRXClqkUmwBYhB5lrRNHzq7hyVztLR3hykBQ2S+9MdxHsCnO96cg
+mGISQsEZXVNpPl7pvQG9oclqkPn0PYD0pHsNpp9P5HQVxFVMSdS69B5nJaLh2Mes
+WWhs0WoyfTLK+/MKGCnDKB8SaAIbx9CN9FI+6YSBzJFGUVNiDOIGC0ETaimQDYdc
+dcE4vDKIeHlznGWHYTWzfICn3suPyUzf/3Uy+yJgmfaU/oY5NAovObyGuQTXd3bL
+Cv1NejFuLShScgfAnu4/JA1gxHwTAVWHrYW8mLbBwCLF9v08aj4Sj7A9660jNxt6
+Vce4P1841aEKbpCsWnWKK1hwsJcSAoAESr/QDyRt2klK5isRrz6OpTKKTuje6/zw
+OeEefI2ov84J5wttGCOw1fvOaYKUpEzeq02n4eY4eCJSRjNDxbbhfridmkGwFwPL
+GhHOR61BOXtAwxZwKo1v6wql9Kfyi8opKeHLd2QYrkVdX2Tj7yScYWJJ77c1aL8X
+sej2dq0LLAxq+xfR3VxSE4PPhY7YybRlwx9azpWPCqoEplRpllhBltf59EYWo7Ah
+k95ZFa6ClAXWxhEzcQNUQjjsseXJJmYVv1ssmpUsg3Lc4DbK3yBOqkDMIYBobyUc
+Zou8dihrKr5qUdUA80GHtR8S/uSu52Giaiqf1mXWEXzRmtqRXP5V1paWBLxqBwlm
+s+gYo86iYtlnfcZEz07ipi2X1FhX90FJx5Dqdje8tFlTo4+x2BtSsI6lu9DZn4ab
+/KkSx5CkqNhy/8Kn5buDzQhm7tdEE/vYz7I8DlSd3yqnp/9hPN8umVMX+W3dmgHc
+podtFe7bPxrWHXFJotI1XwZnHbnJT8rgehcLHDji/OrkJBdCHc8Gg2xUiOz3Seko
+faWL6RHT7zVccP+RhIGkfOZwyDiO0DIzUn3oGX36ntjjkKhpOsGNP5LpClXe2xTW
+a41ZLkM4WBeai0HT1RpSuOmKyfzacSlk6wDFKYlNofFUoLyz9hxlBLiLsJajf7HE
+kNpVr7M3w8nB2un68+Ipu3/+EgC5xRGllLu51Am9UE84Oei9Tp3FZkptfqId09t8
+9eMDxVnQYUBWS3kUlcQVfMh59N5JecoR+qHYlgSEhA0iLk6pfUWUdsqp14hL+q2f
+iXc5j6SCfKTVC42J1ISnldEqTCtjcErQeRPA7Onufy3zuBeNbKhPIaDnm4I+M5FF
+SvBH0R3p6i0Yy7uPgn3LBdhXcF22S/F/U2M0oc3tInwJOm/BYWVAwdY6WYkGtc9f
+JMfl8g6Q0khmnRRssHqcJAnwa7DZvy0nJjJC0uhpxxHd29nUcgFXHq2IgiPPnxa5
+zLb5uaNSLVi/ybb8x8Nyk0iqfIgnKf7CYebjFnh/Ue0PZf/CZNCR1UYYL9cy6oxO
+Hthf9Wc8ENhpYYXzoYObWDoyJa/Uj/0fx7NfSwLc9+9EQBejjQmmOaN+yQ2e2GN5
+nnUpDWEdsdQmDHQQW10tHkP6Dks/kT0gzECM/a3f+nTdABGN9yBet6EAUcjC09fL
+MHAikLOB/oTa4lkqCW8bFf121sGGX20KhB1P7fXOhmAHYoJknNJLoiDMDpDJVbma
+wRnCml2AS03yOr0ap4RR/qWaYkmPv3fY2wOu0gzpKZrJC0rgbATonpOPzS3+4ta2
+CtfdiipKdk8XvnEhFb8Qk4WNk/54wML9UIIevdInHGjfhF3hoMVhetp+6sxUMAhr
++stAPh3wPnZ7tNMRNzKPmv20ADzeco5mzN1umJGmRspc8dYOIQtqcung7/Z6TUhn
+HGPCSQZuvXRDaMv8JpsROvvVLwFtC7+QzyzqR7dL4OxspIzT6GwdsMXc3ArnDfQS
+Y0uqzXa67Xt3ho4RB7YxUPRAhpVPHS3v5t6GENom6ZkmsorLZ7mCbyBBSPGzp/ff
+mklk0gh5JB5IQOaKIggpBKA+vrq/eGDdPQcUuYkSSxuvvmvlYGiEC4khRS8YlJTz
+zQFSGaOnSO1kQApMH6sm7eISuCnTqFY8n3v1mQ8S+O6da0mNKItLpExtUzZNGWJB
+PaZTw2CsiuXj3VsCWZKR2MJPSh0JzAl2WJ+W3qxB0qAlwwAFKDyDCzpEuwcyzZYH
+rjGrep5LQTOUZbNIHR3guY1z7YY+YgHhyYOd48v7mknW6c2KLAmbZ2AJMlAhUXDm
+PDQK1cN3+CKjDeq1IxAq9/j4lgbo+p1IjfWkplkCWKNb5un7rtvqoWT7paemhaJH
+clfHTMVswnq1xxl7CFmOnyzmR6dcV54xAJpcWYUwgUQPGaZ1nIjTs11I86IzArJn
+WJg9aJ3p9mjIc+4e1cxgXXSfyS1oL8zuFCaHP7R3XM7F0Uuh0F/RIS16TEYBmvRX
+AbStjOAlgcWPppIzCSrqWor8O7C/Omsq5EniZgVZHDRnYMEKcb+c+evyaUwL0z5I
+N+aSaGN2i5yVudw5kyEQsP2gC5H8pgWNDdL8tvxK2uaTmJN8jIvFjlxDpE6spBRD
+MIyQZ7KQ36Us1zCWDVwcmeiVaiMK0v2xaSXt2tmsZHZQ/gxRujaYK7J9EL8rfulf
+UgS2S5lxaYfJ8L2VFLBPiXHvdNlX8UMUVdThqsghBbesaLE4i+YhLNUwsRBl1hSi
+BPS24gGVnuDAm3mOu9qDpPawx8db5XrLL2KRMwJMlfG2ZtS6a8OSFRfO0NX0VhuS
+96mVA++Z3RXlvu7UHTBfbns3QFS2GgbMU3loOZ22+wfEUwgmi3Z3dPnLY1JtDjHu
+0WSdbz0l2J1Qw8OszNNtPQmVIw02htIRVNt7OYGF4Doqg+7MmjHb0s9kNZRtCyqC
+eFjniIk2z4FSnXPlByLGzrywhHyTz5z4D/YZd+3LlaSihJXH/+F5V0HVRZONzrwh
+zMLbwwdhrpupZVlZOakVXRLtwFpf0WCUdZSJPsyuv2kvndCAQpbOKJR1qkVBWmEu
+sZKrE4H3tF8Y4NR9j8dbynCsu2y3DtN9oHok/3sS5FH9ml/mC2ojsXBY9exfLaC2
+5/C+6BuzkxxL/NVOWWf8cL7k
+-----END PRIVATE KEY-----
diff --git a/test/fixtures/keys/ml_dsa_65_private_priv_only.pem b/test/fixtures/keys/ml_dsa_65_private_priv_only.pem
new file mode 100644
index 00000000000000..e0e628291fa430
--- /dev/null
+++ b/test/fixtures/keys/ml_dsa_65_private_priv_only.pem
@@ -0,0 +1,87 @@
+-----BEGIN PRIVATE KEY-----
+MIIP2AIBADALBglghkgBZQMEAxIEgg/EBIIPwIcTz+S7xvN7dnycnwNU1LLCSv8n
+a868qwhxmbihcZp5LpLphwVZRk1SmxXEt+rz29KnSc/u8k+FVBH69jpb5vfxrK8R
+PHIEcmbtaJAsbwm+HDYtQRxEStzdzOYPZm16lGwaj5eVIPfetP5DdvoSWtvrJXQ8
+4ZossOUFh1ehbx64OHMYIDQxGAEGIgA2NmFXdkZidBRSU0WHdTQYcichVAAUIwVB
+ZWRnhREnAyWCBlKCA0BmhIYoBYEmATQXSEYjQ4FXIzEDQyFmB2g3BwdzE1eHFzZ0
+eABxMRVQIicIYkUEUWKBeIJXdgAgBDdQMBMndjZnFQSDcoIhVGY0gQI1JQN0ESNk
+gXcxQTcIEUQ0RDiEUIKDFoVmN2QzJ0KDM4SGhSMSBQYICBhIZIYxAGAAaFJEIxF2
+BTQBVzYwdlAHCGaGhmNnEBhYI3BkUxUnVRIgE2AycoQxWDN1BXMIgoMzhxYjNhRH
+V4E3BIIEIQiIVDVWiEZCBSR4GBhIhjZQWBIGB1FlA2U0FEEUAnBWFYdxEVUXBwBz
+RDJCYANkQ2gmVkV4BGJAc0c0hhUEJEiFQliEQVIGFoA1cxJ3AzBoJhCIRnAxATOA
+QxJnZACAE0MgIURwcSVihiZUYjBBdmZXUWgnIXBhNhE4MFMRU2Rnd2MTZXFVAUSA
+g4EoYXImRjdWcQcRgEeBRUVAAGBwVCJWMwNwcgcAMTY1QnFAYFNREAU2RiJBQQIj
+BTdXRDAXEUNUAjBzNVUneEhwExI4VmcmJIOGSERUgiIwQmMwJngFBVEiBDRYFzhW
+AmCGdlUhA3EDcSZSZFUBaAFEeEJiFTNUUYE4UUd1MoNFMkNHVTRQNRdwEFdoExdl
+NhJDQzVCBYYxEwWDhkiEI3JiV3J1ARGGZnRYchGGVDcjiHN0ZSACZyh0NBE0Zhdn
+NEOHVzFUVShhc2dAgFUXBTdmBhMoVmEREkSCSBF0CGNmBBEBMxQXdWSGBjQmNlYi
+VCgIAXd0ATFScTgIIoQCczgmMIGARQUIgkiGgxOFQiJDRBdYBnMWYkeDhVdYVGcS
+UDZIExSERoBhR0dXhBInWIElFRdjVECBOENjMWEyUFMAUDNVFCVWUkGEKDhyhWBm
+gThwhmR4QTgGRAETMUdoEhGIU1SAFzKEUSYlSIAQJRRYRGZQVxJgN3ZlU1BQUXEU
+A2FmZDAgNlVncTcYaBZnJzEwU1JzASRDVWRoSHRgc4QIM4MUZhNiMiZEgFRCJRMk
+UzWChVIiYQhnh4YEcTE1YGKAIwh3JjdTUoFVIVIUVCNIIAiDUChSIVMThQhiMEYI
+UGEFUjcRFIAwZXFQEjV0N1dGVlZAIoOGJ1RUiHMoiGAhSGgXEVIBQXEDAyQhAFRG
+Z3cmWFNhFCgIRnJAAwYWM4BRBoYBJQJod3Y0CIeGcRWEAWV0ASVHhwYEBGM3cHQS
+aHM3EmdgcgFBgmB3USJGYkdIdIVCYnNDeDBmVoUWdjAFQThyNVQRZ4RjSFMVE0RD
+VXY2UXhwUBiCB3Q4BBgVWHVxWEEDAAYShUM4UDQBJQCEBQNAAQEYABcDBBc1NYdR
+JYhBJRA1MlBWiAJ1FVYYNjZmUTQEZlEQJ0RXIDEDc4NTUXJXFIBFACMocWEkRXdE
+R0A1NodUKCAEAAFjBxNiI2BzdoBgVUJmRnVVIWQzgmGFRkMnhAeAUoU4BTdxMWJY
+VAV2MTMIE1YgeABFU4FShiUDAGSGA4d4VkBRhAIGIYRGR0iIdVQXMAQUV2gCgoAE
+AgNINWJWZwhAAXZGgTZGERUxIgMGQjhgNIiHh4YHVzhnKBB2UQERZBZBFnd3dFdn
+BQgAEFgkcCEnaDQWAFN1ViGBgjBjRDBTFiQgBBCAZTYQhWcXMEgodxAYKEOFI1FB
+JhRlIjJnFUQQBxgUYjRYKAA4FBASA0eAUGBRYIKDZiEBJzgjMBCCZ0R2gyBiBDhX
+GGEVVnBgeFFhZzMwAlN3aEVICCISRXRXBiYyFnR1hVEUI2ICEodmcRdXMVN0ZhUQ
+MSUHaGaIFUZEMzYnODeFdQI0hzAVVwcYcBI2iHifIwPxsEQr9u9UQgZk9fMh3i6T
+GIKTeRFCJUgKTG72iFqMPxVCQMfno1Ik4ktwVW3gMpX4mp7ME58bGuZJnkjY4D8Q
+Dv1NH0s5MinAhb+8/saYNJ60Ky0EMq+LPqZ5s4CO5GkzF6hum9JdUfKVnyP+Q86G
+0eEOb9Rm+MgH4jQNbhARUZsyRjVrpILbccoHomHrCKopglAyORgBCfmSAKMf4nuD
+otvQ18M0EVvhwx3ive4i2aJ9fkRRIin786t3efzZHYoCRWbAU13Ra3z8AXESUyK1
+K17fuahGs9cAfalrEcBcp35zI4UVwpapFJsAWIQeZa0TR86u4clc7S0d4cpAUNkv
+vTHcR7ApzvenIJhiEkLBGV1TaT5e6b0BvaHJapD59D2A9KR7DaafT+R0FcRVTEnU
+uvQeZyWi4djHrFlobNFqMn0yyvvzChgpwygfEmgCG8fQjfRSPumEgcyRRlFTYgzi
+BgtBE2opkA2HXHXBOLwyiHh5c5xlh2E1s3yAp97Lj8lM3/91MvsiYJn2lP6GOTQK
+Lzm8hrkE13d2ywr9TXoxbi0oUnIHwJ7uPyQNYMR8EwFVh62FvJi2wcAixfb9PGo+
+Eo+wPeutIzcbelXHuD9fONWhCm6QrFp1iitYcLCXEgKABEq/0A8kbdpJSuYrEa8+
+jqUyik7o3uv88DnhHnyNqL/OCecLbRgjsNX7zmmClKRM3qtNp+HmOHgiUkYzQ8W2
+4X64nZpBsBcDyxoRzketQTl7QMMWcCqNb+sKpfSn8ovKKSnhy3dkGK5FXV9k4+8k
+nGFiSe+3NWi/F7Ho9natCywMavsX0d1cUhODz4WO2Mm0ZcMfWs6VjwqqBKZUaZZY
+QZbX+fRGFqOwIZPeWRWugpQF1sYRM3EDVEI47LHlySZmFb9bLJqVLINy3OA2yt8g
+TqpAzCGAaG8lHGaLvHYoayq+alHVAPNBh7UfEv7krudhomoqn9Zl1hF80ZrakVz+
+VdaWlgS8agcJZrPoGKPOomLZZ33GRM9O4qYtl9RYV/dBSceQ6nY3vLRZU6OPsdgb
+UrCOpbvQ2Z+Gm/ypEseQpKjYcv/Cp+W7g80IZu7XRBP72M+yPA5Und8qp6f/YTzf
+LplTF/lt3ZoB3KaHbRXu2z8a1h1xSaLSNV8GZx25yU/K4HoXCxw44vzq5CQXQh3P
+BoNsVIjs90npKH2li+kR0+81XHD/kYSBpHzmcMg4jtAyM1J96Bl9+p7Y45CoaTrB
+jT+S6QpV3tsU1muNWS5DOFgXmotB09UaUrjpisn82nEpZOsAxSmJTaHxVKC8s/Yc
+ZQS4i7CWo3+xxJDaVa+zN8PJwdrp+vPiKbt//hIAucURpZS7udQJvVBPODnovU6d
+xWZKbX6iHdPbfPXjA8VZ0GFAVkt5FJXEFXzIefTeSXnKEfqh2JYEhIQNIi5OqX1F
+lHbKqdeIS/qtn4l3OY+kgnyk1QuNidSEp5XRKkwrY3BK0HkTwOzp7n8t87gXjWyo
+TyGg55uCPjORRUrwR9Ed6eotGMu7j4J9ywXYV3Bdtkvxf1NjNKHN7SJ8CTpvwWFl
+QMHWOlmJBrXPXyTH5fIOkNJIZp0UbLB6nCQJ8Guw2b8tJyYyQtLoaccR3dvZ1HIB
+Vx6tiIIjz58Wucy2+bmjUi1Yv8m2/MfDcpNIqnyIJyn+wmHm4xZ4f1HtD2X/wmTQ
+kdVGGC/XMuqMTh7YX/VnPBDYaWGF86GDm1g6MiWv1I/9H8ezX0sC3PfvREAXo40J
+pjmjfskNnthjeZ51KQ1hHbHUJgx0EFtdLR5D+g5LP5E9IMxAjP2t3/p03QARjfcg
+XrehAFHIwtPXyzBwIpCzgf6E2uJZKglvGxX9dtbBhl9tCoQdT+31zoZgB2KCZJzS
+S6IgzA6QyVW5msEZwppdgEtN8jq9GqeEUf6lmmJJj7932NsDrtIM6SmayQtK4GwE
+6J6Tj80t/uLWtgrX3YoqSnZPF75xIRW/EJOFjZP+eMDC/VCCHr3SJxxo34Rd4aDF
+YXrafurMVDAIa/rLQD4d8D52e7TTETcyj5r9tAA83nKOZszdbpiRpkbKXPHWDiEL
+anLp4O/2ek1IZxxjwkkGbr10Q2jL/CabETr71S8BbQu/kM8s6ke3S+DsbKSM0+hs
+HbDF3NwK5w30EmNLqs12uu17d4aOEQe2MVD0QIaVTx0t7+behhDaJumZJrKKy2e5
+gm8gQUjxs6f335pJZNIIeSQeSEDmiiIIKQSgPr66v3hg3T0HFLmJEksbr75r5WBo
+hAuJIUUvGJSU880BUhmjp0jtZEAKTB+rJu3iErgp06hWPJ979ZkPEvjunWtJjSiL
+S6RMbVM2TRliQT2mU8NgrIrl491bAlmSkdjCT0odCcwJdliflt6sQdKgJcMABSg8
+gws6RLsHMs2WB64xq3qeS0EzlGWzSB0d4LmNc+2GPmIB4cmDnePL+5pJ1unNiiwJ
+m2dgCTJQIVFw5jw0CtXDd/giow3qtSMQKvf4+JYG6PqdSI31pKZZAlijW+bp+67b
+6qFk+6WnpoWiR3JXx0zFbMJ6tccZewhZjp8s5kenXFeeMQCaXFmFMIFEDxmmdZyI
+07NdSPOiMwKyZ1iYPWid6fZoyHPuHtXMYF10n8ktaC/M7hQmhz+0d1zOxdFLodBf
+0SEtekxGAZr0VwG0rYzgJYHFj6aSMwkq6lqK/DuwvzprKuRJ4mYFWRw0Z2DBCnG/
+nPnr8mlMC9M+SDfmkmhjdouclbncOZMhELD9oAuR/KYFjQ3S/Lb8Strmk5iTfIyL
+xY5cQ6ROrKQUQzCMkGeykN+lLNcwlg1cHJnolWojCtL9sWkl7drZrGR2UP4MUbo2
+mCuyfRC/K37pX1IEtkuZcWmHyfC9lRSwT4lx73TZV/FDFFXU4arIIQW3rGixOIvm
+ISzVMLEQZdYUogT0tuIBlZ7gwJt5jrvag6T2sMfHW+V6yy9ikTMCTJXxtmbUumvD
+khUXztDV9FYbkveplQPvmd0V5b7u1B0wX257N0BUthoGzFN5aDmdtvsHxFMIJot2
+d3T5y2NSbQ4x7tFknW89JdidUMPDrMzTbT0JlSMNNobSEVTbezmBheA6KoPuzJox
+29LPZDWUbQsqgnhY54iJNs+BUp1z5Qcixs68sIR8k8+c+A/2GXfty5WkooSVx//h
+eVdB1UWTjc68IczC28MHYa6bqWVZWTmpFV0S7cBaX9FglHWUiT7Mrr9pL53QgEKW
+ziiUdapFQVphLrGSqxOB97RfGODUfY/HW8pwrLtstw7TfaB6JP97EuRR/Zpf5gtq
+I7FwWPXsXy2gtufwvugbs5McS/zVTlln/HC+5A==
+-----END PRIVATE KEY-----
diff --git a/test/fixtures/keys/ml_dsa_65_private_seed_only.pem b/test/fixtures/keys/ml_dsa_65_private_seed_only.pem
new file mode 100644
index 00000000000000..894b948293c3f9
--- /dev/null
+++ b/test/fixtures/keys/ml_dsa_65_private_seed_only.pem
@@ -0,0 +1,4 @@
+-----BEGIN PRIVATE KEY-----
+MDQCAQAwCwYJYIZIAWUDBAMSBCKAINV/VRK/4lzEcAb50srRJh67QPg6Q+hVgFKj
+KwzZSVQY
+-----END PRIVATE KEY-----
diff --git a/test/fixtures/keys/ml_dsa_65_public.pem b/test/fixtures/keys/ml_dsa_65_public.pem
new file mode 100644
index 00000000000000..233d86a045742c
--- /dev/null
+++ b/test/fixtures/keys/ml_dsa_65_public.pem
@@ -0,0 +1,44 @@
+-----BEGIN PUBLIC KEY-----
+MIIHsjALBglghkgBZQMEAxIDggehAIcTz+S7xvN7dnycnwNU1LLCSv8na868qwhx
+mbihcZp5eWN7MR0Qj1vyaRxKIiIEepIBC58Im2Z7nmsdcxXq0zkwO6NDcFxxYmhA
+fvAJqiSPdw5L7W1DkkwosWt2nZkASlvz7YDAlbWhFbrrwrjhBYTsrmZMn756QcFC
+jpM97fjtcKYK0pn/q3T1zhL/GHLEp/sXy2D0i8zwp7e4JyF/38LZIJ1463n/kKox
+SpSmRNnuzJJh3lYieIhsu/K91M1YQR7JhRgtGTXPPok95rh+Up9El5javhdhKHq1
+iyALD8S9ihOlK6jwME2x59QebABlr4bFVS5RTyNbNSS1SwTUSeb4Yn+ducTSKTAD
+LgGa7Xg/Nu6b3t80KPfxh41oMpI/VczPTxHFZlasWebuNZFF7DOD1mRdvTodrGLJ
+idi3YifUXAPdb0Sxtg6hGJvleScCM/LsS9ew1LBAu82LYb7ahgEqtOQm3z0wXr99
+60FL+B9BLc/fVPPVqKE5NBYrBw89bhFIpVP1WNbTeW8iA4rVzX9I5890iBw1FGQE
+Z+5ZdGMDtI7ZLE+vLEFty4suhMYZadbXdLKNqmVK21WWrI8gjlbom8G8L63aT90E
+bKBuVKpAKpPEZtogqXUEoPO6bMDrHIAPAAvE3MxhzX13PT6swJm7BDyr5mbhOtBy
+xs6qUahVC3958mFEFKm3ZiibCkNvS13g1W8st/n5E1A7mKjQtrQWOz5MxyUgPWeI
+QwvwRxBcXHpYm0nEjcn+8uJQ1Vp7iTF6UNFkYd1JFD2tNOyHq4YscMbwbxV0Efsr
+WIp4sb44q5XBBdcECNQ8xPCozl2GLhT0uGJfB3mR0PuuENEbsZSiET92L42VoeCA
+1bxFbOWS82T2xN08HtDeWu4grtAc2Vk3hzW3DKFYhciU6XnNsN71R3iODyQfuR3i
+PMbofvcvMrU2rvELTHuLYaETqGo4sw0C65MN3uq8iSd0fOItKJ4uL5mVsiw4pcHC
+6jzpECQiAzI6u3sXZlV+bdw7QFuBegqM9M97H+7RpUjFcQO4swqFWxtMtv5dT9oe
+31gbhD0+z1pTHT6rvT4+Y6l2OoydJ5Gkf6ae3Q4TtRymnuXnXAWLpx2alUEI0Wfw
+7ys2z6w5Obel6vX3UpIgHj9weKp+blPp8ezml+w0aFRJ224hA8pyET0hGPk7N2pT
+ybQb/M7s2hjcl9OWfTMmdMPlZQvlsTgXVRLCAKf+Lid5EN1LHxPQyyR/Fj7gyOLe
+ItlZzTchZSNF0lKHHP9K1oKqdiNVM0s5FW5JcJLhcsDyOuObuBtlwJX3Xf8KYxRg
+viFD14KXkn7KT8FtebAT/iE0voMLb380FS6UUtHrszfe8aPxjITT2eG1vmMmbfM/
+0fG7EPJLX6D/uUVFfss2A7dLQNNUCbGXQS3+Sfx+6j/JeHPFeIT3vwhS9N9qG28Z
+gJ1TwD+vbtkmjAZS/Gs45OMBlRUKUKdSajCQmqNlvGSJglXoJD2cYRm8dJ5IFX8h
+ceIoTHgzTNvPCWxguAhjjfAtNkPOK0M4cM2RPN2Pa0ntQW9H1DBzLuooQ+Yy3Xpb
+bgS+GXSZSoC9uCmSuaOaauP5fUssxgIwdSgEJwpTTgdUsVfPQrSC7vuucG9e7NM9
+6sNvjRdAelFZRkBXm420si0L9gEWhE4f/HAYj7oFTIASFdytSgcDclno8iNWQwrL
+LyGRyQhdkkVtx5iXq04gdt3hhxWCki3cVuyxM6ByHNsWRHN6cEeN4Gr43qC9KTXP
+hzRVf3NfcIh+058NyB5XfxX06gCD56ijDSGOw/w9A5hTUznZ83IqaisVAdAL3PsK
+/Bc9II3kaSx9og0giVrb1o6HmLx05LRrG5QwDOY/cc58BL2X0L4/H01JxcZd3JZA
++nvVdY6w0A5F3zrZfmwyL/T7TMGpnyRbvs9rmxfoCsrVHsDzaNdLocK9kwzXVGsg
+mQ0dk9x6ESzfIKCMNmxaDyffC6D3ErpBLygAYx9A4hzXqhRCzWT8f7gseTfmBZFG
+cR1gNUFKBoakN0RLXE93PkmX/0wxTj78LOm5sLeJXFqS5rmzgCSxbeifJvBwpFVL
+IUXRc7x0Jv9CRLwNybcl2c77D1L+Z43ZNJ8U2ZLb7J6l9OeEUJOcfFPpQWPmyt7j
+DqBZx47uOSzKBwlIBiYttnlJu5yxmRIfOGQGzZTy16X2r17zyYdtTluRDgHrkPsl
+jR2NsW5gIhzZ2/idlaWXNVcvNrMZ/LphbSnbrkLiEDDrH+Kh6o+TMw2P9TY6zOFp
+u1wIiwuDKUNtsPT1jUF0mVr6Nn4/FlJ3xIm6YMkZKA9j9uRkUKrESd/mJJeW5v9l
+X3uot6FxzsEMGcChl3wKl8qOIlNVCO3vqguLI+VOuKAfwPzUgWiSa2aENn1Xhk5x
+cQOEDDKFgk9FZcAVytAd44bfF2pd1nCPovXLUAdfhq5sMIBtrbXjx7dSCsuvW0mR
+NxS5BYnGh4OlccqRunn/K1bJjK36UwEzpxef4hGizWPeNvBxxltIs+L18GhPjJGM
+uzStijDxYggdHnPToyETsGsiuC0RL+KpJ1h51UEUptuUa/Q3FRVyo9egLu19Yb+0
+7lR+4duV
+-----END PUBLIC KEY-----
diff --git a/test/fixtures/keys/ml_dsa_87_private.pem b/test/fixtures/keys/ml_dsa_87_private.pem
new file mode 100644
index 00000000000000..4ee303b92d9810
--- /dev/null
+++ b/test/fixtures/keys/ml_dsa_87_private.pem
@@ -0,0 +1,106 @@
+-----BEGIN PRIVATE KEY-----
+MIITXgIBADALBglghkgBZQMEAxMEghNKMIITRgQgLZSOlEPbU9S5/mSsMULffTyx
+Zu6qKEOQ1nfEi2NCscgEghMgDZXqaBATRN0GRtigxzkLxp7C9fFYxI7Gl+tdfXqJ
+Hbz7Dzhs5+pqr2nnfV5slJ2+V9Ka0SqxdqieVMnphoBlYsCMxHIioUrCBUBgRm2f
+LVinn7O1JPekKZgIZmxzg+V+hZsMeQN7wxRr4uG8XfrDNnL9cqLDsbIj/49dY/Sv
+aRQLt0mbFgkZOYUQCY0AoYnLNDBBIHEAKQEMNkRZooCggGVBRICCgknUyEmUEmTI
+RCQhNmAhyW3DNEVJICQjNIDDxDHAuAXjwgFLJChLBCgACITIJFJgEhKThmwiERCC
+OHAgEwoUqIkJCUhEgmAAxnAByAxgiEGIAEmAqCgEES1gBgULNURioIyAQjBZBohY
+NGhCQmlkCE6QKAIiQVAUFIUbQGHUkBHBpgQgRCQkN4EjQYQDJJIJlgngRiGTIiTT
+uCHgwiURBgEUMo4AE26IIkpZuCSIgkEDAEXjhhAhRVDUFA2IhCkTNiAhhU1LAI0b
+gWmJRpFgmGEhoUiSEGWBgjAAxYQLhECECHIIF5HRmHDIhASTNjIAJoQgJW3MpCzI
+FkzDsDAklFAjIYlUAo4KJmziEIrKNG4LJkgBhwEYBiwQhohJGAwhJGkTJlHIokHA
+Nm0EFhECtmVQIigjEkGhJIKEKA4atkHIxlCSRClENpELoACEpAxMBFLMQm6JoEwR
+oEAMoSggmFGiFoCUOIEZAEDaoBDcBgTTCICjBgLQACREFmHMIEZRiGWDJCjcxEBI
+RA3jFEUIJw4TpUgiOI6SpBEaSQqAIHEJJQRkEGUctm0QkYDUsCnbAmITCTAZR5Eg
+wggUsWBStmkTQwlLwEAiw4TZlBAgh4kKCYmTtGQUuGQEogXJEo4AOWwCGGRMlmhK
+uBDQJgwgNSTakokYhADCImoQKJDCoGWLMkwiM5FYhAAjMmWkJAQaA0kIoySLCAQh
+M0iRFk7gsEgkSBFMIgWcgIEasShBMIkZRgiZBgxRuC0BGG0LFiAbpizApGwjxzAE
+M1ARuU0iAU4Msi0TgAwCRVBEqHGMpiUYswEhlUnSNpDcFoxMIi3JiBCUhjHTkHCh
+NCrZKAxcMo2KBGhDgkkbsmxiqA0goowQBmTYOG6itEXBJCYaNG2ZpkEaBU6gEiEK
+x4iAAJAUIEFapIgCQGGTJmxQGAJaMg7YkAkbMgLBAmUQtQykxIAQJg3LNo0MQXEC
+kggQwCkkkmnYQnHhNoyiuAUjpYVMomkiNwoDxzBRsIWJElHUQkyjkgFDxkwLpmSb
+SBGSIiZKEjLKgATTpAwMJCjkBHAYAG5CRkEIyAyJyIDcskkCKJJZCIgEpAkQMIyj
+QBKCMk0gAiELNULcwAQJJkBQxoDMpmiQho1YNCwUo0zBghHLOE3LqCRkAI6AQCQi
+lEDcQCykJjHYCDIQMQAYpoGEhJFZkigKiBETIYRUsiWKNGqbRE2AGEqUJAXjMlIg
+EU0hEkYQBC6AAgUcw20cQSLABgVThkwJqUTYMkDIMpKaOHJKEG4gRgKURI1DlEUE
+sXEBMAGiiC1DNkpQACIcIiQSJkRaoFHLtihCmESgQi4RRGoCpYUcRQaaFnDUgASU
+NEDAMijRqDAUqSQhtwUkB0nDMDETIwpJgBDbxCQbwgDZGCIIKWBCJmAEpokCSWpD
+ooVYiFGbhCwSgC0LgG2BIpBCkEykiHAZQUYkQ2HLAI4YxmUYoIkIASVLRoWYRGob
+FADiSInZRiUBsigihZBLQCRjtIUYqASAoAAAwWmLIk3BiCUZI2bJJIJahAUIEQgM
+FxFKAihbEBKckA0KKUicRpAUgjCRMCIhlwCipIRTQpBgqGEUQGbjgkghNyXKSGVh
+BAnCto3SFHCcgggjEWzaEEDKAAaCBGnZQA5jAFEUByEkFBJhBAKCwGThwjARpmgU
+yAHUtEUaQArQhEAkKExCuEELIBDixojLQgZiAiZTFgkTkYHYuIEZIokIGSzRFGyi
+oEERpATZQgVkOACBFAyaFmRSRIKIonGkkCEDNVAAMVEUkUxCJinCFhIIGY5Kwiwh
+KE0KtiiBMgpKBE2TsmVQEoEghUARiIBgyJATxiwDt0kKAiSZBmFSwC1gBkABRmki
+MGbCbTCoZqi0raNT5gwWrw89UQOwaoBbte1OojOJ1MGtJpqExLM4eYXYc+W3HJOM
+JUktWB1NVy1ra128cpP2ZLHc80RFNeKtP+uyUnRbnGoh7fsByeYHCWfgVmauYjF5
+wzzW96qjTh5EIhOmj7Ndyrb/aN6onINOyBLM7adA4EiSYkgyL4Pv1m3BBJLSA8Aw
+nc8z5NXhplG+5AKNd2OYZYdFUhQ0nNL39UvyGLT7ICJECR9td+DW5LMWx2+x4z5J
+t4ZoGALM+uz5b0XkcRp0OTY7XS1N5kUATugrDPYXKgp1/bMn72hZvTFruqi2V7j7
+Ambj4NiyOSQlaakBtVdS4nFbrs19KiDLML8S53ow49I1HMsgQUWHWlC+rJc2hWIb
+jIluBozpytwZPw0Z4RcUY+ADO04mLaSSXl/F5DZ4ue4hhcBz8wWvP/UXcZDtXd2s
+DIf2ceIobGJNQBVbTZo2yPh04Sn0+SFIUGjfizUVLlAttXviR3+FxG44TAMW0hXq
+PI2huefIZ6VWXtCCNpQMyrSysKU0GzzwkaMcEOSBnR71Nt5r+JUlsLYgUc4ikjB3
+l1zB/BEeHWQK+eHVzsxRkvZT+V+0IAtNb3mwAorid/6QFtYU3QKcinBTDJvVfH5z
+WiVgHJ8Les4JFZC2SnPsUZEdySmhpSEW7WjYiD4cQY9vRH4KDl1ZS53tlU0S+1u1
+Hqw9uHRhwYMBC4hATfJh9SXvwi5LtxRhCadrBUVjV3/AffvopFblHub3T3bX1502
+EJiMyGQFLvg/GmPr6DmQ72qvNgbDZofhiHFF6KrmtdRLuMfbEokI2wBG6UxL1bET
+Pw02IW8Sz5faiXBAex1BvrhOIBb4xb9uZUByMv5OD/IeWG0KQIbwCdaWnVpO4qGQ
+VfTiapc+nhqYHyEvP/eGa+ACt7lGGIJtdcg9amDMpUzb6YUb/gKnNOlwX96+efIV
+49sHbsGHuFrtT6nHJvHyNhJx2LR5tHwHD+Df7/SrTanTkSdDuw654c0wexC/NuNk
+0WaC8MJdPhUs5CJ0wdGEIBRsIFLMT0LmFcGL8a3GT2FzoatQkGjodIuMLdsxD1v5
+ljbEk8OeFxWZlgMvHmzxEaAV9jV36oh9eZmKbuw1fcKIgSnPfxuucVYspaMvl/cR
+a4sucNNZ1onMK2GKmGqKxRFPzaXq4u4TJQt11sDm89nC2irLHn4+k+d86wy1QDFn
+Y3f69OiLnmtDFjuQa9Fz3D3FweANp7ecTUG01y8I7Vbw3vnEqATUANJ6FLPh5mVd
+TCLuOVSwXRBJw5UTtd/RpSmuLD//pMTA7xaIVKlm/JTs9Sd2a2clsCc4TzXeg4ZF
+QMUSo1/0Jub3zczK80eVk/kAPbRkDYWCoq+od9wbysV1lSIdMMM8pCgiRi8BRHSC
+9iDCOwf7SoEyUU3e6UEvKnoIqk4mgp+WivdERJuCRMTIp8cnsNGyO8Dy+5uj4nyv
+mnE498VIHSJAbcqYmrHiwg2r6iaazPcLGTvKXY2/dEHV8MJclM/5D7TwtjRNWCDE
+ed9YWnYrYDzkPtfT/FVIgSxAT2/qZRTxQDOc8bwG6AcQEJQG1V/Kc+ELocnv5rUz
+P/afgFa8ytliMrXvSdFTCXw53sXj9WXFYiqZJb4fkqp8Hypn/gQJNWcae05Gvqa9
+2JhMeRkprX2yUMlMPP0vQ/BTSnsbqFXh+lm/aKenh2V0jIML+OvYLrA2VDSf7MU0
+1I1V9t7AA6JjBwPq6w8Stk2Z0x0zr1V7pTXkm8W+L8D+5n3PxHfMjf5B8qQsIVly
+53/tgQGkRK6PBX4XCzv1XoU8Xgo19IwDBfseuNgK1oUZosDh00+Bkrsd+QC6H74k
+xlqBFKQl35F/aRtWZQng2nvp7hiyjLvBwdEWZMOBMJowudcfhzdilqB4i9Cd8uE6
+ob1+PjDgAH5r+Ge5TxlgmoUKoWM2oOvG/cp+5msyGz12ImxAx/FbN1dKm6ZYxgz+
+zB3y8ksavaQ9vvJB7MXt4ZTCHypUOc59XXe+qJP3IV/ExHiGLCcSWsmmoQ+UU9I1
+dMZ176okCjGtGac8Be10uj5u1wUkLhnljK1ziuLS39ha+R2RXZn4Uz7qdlXgIk2N
+ZyQ0yST3rK0n7WfzutsclJIPtG/rDZR47PycihK965o7G/i6cq3lDQiIITuBYfsI
+fWiTRwOM1FrndykPXwScN9iVfw2GPcAGVyT98CzgVYx3lff6sP8rM6PIhjuC2J0x
+4/p5O3BC+ljb+FA1/U7fVmeA5s+s/H0BUS5B+raKXe7J7bP47oq1os4XIJDWRRel
+p9p38gPWE3huU4z5Si+EuFBN2hU96PXmcbNlmwhYp3q/1j4vujHcOPEp621rsPMJ
+XJVF8OF8gBywUVsfUFz/cKWG+njnNfq1S9KG3zd7NWVCN4LX7I/UyUeigb5pXX5F
+vFD/VMvDte9jw1JKoh1zAI7vsJBx9CJAHyMQe1/OUSnnVZOchSRNFszdybVpFHVF
+ttmsGrZRPVab7W57gnpO82QmiHWdoJXXqseIdfx0r9dCFQcRlXNUrv5oYJnU4+8A
+avEnq3S+h+SP9V45nQgPq3XD5Renw2dbU8eKp01BbW6GnUQE2fT2n4o0g9YmZwIs
+T+ZSm2oQUlic/0jjd7Cu7fB8O8jwCV3rdbtr+3qSrnmWpOlpl92qHhV+V5hw736x
+X5CA874pUuCL3RP/b8cYX8McZlvWuXCCunQ1IyAYJfeB8wRKIdLKUq89m8mYnGzL
+Grx5Kf99qqjtl8A78pbP9pziQMxb8B8sPklsOTDxNA80AhEjuqzarVnyQurs3vf3
+PT5h78PMNUn/Tz/KDK2JsetXE4PUQFtPzwfxHC7miKikfxnaBKiOQ7bas5KBFaYe
+Xuu5S2kJk82lvLiQV+IauAE7uzhrQJEfOYS4AQNUQ/NqmOgC5sky0HSRQapOnAl+
+Z/JLmb/Ss7j9p9Babm54iLGqFiTdveGMpQVtHt0hfchIIxkOLhrWyYMIjHHhp9zH
+OSYY/3ZUc1ibUk801r92OLbW3h95MRkURfjPU3qT8xTVMasjCZGqm5vmNjutB1Ut
+SPK+9qAWAfB1pUi3S30ZMr+ySDklD4ZXnUtJZXf19j6daagnXMx4+SHGQdGsZDqE
+W88i7T0wvc1Vz1tuXYeQstEMHXLlROcKap+xTrtjiPcE6DZcVnfd3cADJhZUItoX
+K2qhmiu4afyn25NZdp3QlopCx0Uqz5uXLgRCvMH0cM6cjuCBcIiS3NXiwz8BAm0n
+RU1UX244AK2KMvxsPtNaosvRiJatwiqDraCjvnPrJRA+XTgxhIjMQ8sHEfEoHG7t
+RIAe4fNO1w8kHOXIiPCbMeONvi78E0P8sRv2xk/RTWD/S7wzHi+nm5Gea1G5kFSc
+eqdmxp9S99XfLpy5iKjkOru+pn1bMULcNUaThypqPefrR7PE0S/DWS6iBruG6tZR
+8d/G/LSmtWM0vFwcg62Vr1Witye9Yy0J+jA7W3y2uccBNRyl6kcLhL2ZvheBvNZ5
+WXu5DItJFyyM6Uk3ZG9ISDkkKOto5L6bLIpy7qoxEDMkjd9t1skdMVIR/h3oOvLI
+rnJGfosU3cUMytqMJbpJS1UuS36ESD05tEaOpqhlvqi44g9iRqXGFY8+8O0PNtQE
+HwiTbBpofOJgyiSbUnjjVSEzl6oEGQKy36UQW8sej/Pu8y9/jY6gWlHysig/QjJn
+KLf03JNlXANOMImKxM0T1X5WvoapWf4tdw1KY0WW457pW8DrYJfNp4W29MRdz0qR
+VL5n7vZFZXhxCarnLdFkbJb16+QQCdLU/ijJB8Hb1s7BFmCtVNfYkYHO7IIw5OP5
+CvcHGDKLlkeXPBlvPIg+QG0+3HcDzRrUfaWAgB/IwMmKTUIL8YG0QZRXJA91IzRl
+uC02LEYOroBHQ/uU+shCPmDmfhlGAVJ95/r+0xNOVhoT4qiLVTAt/Hnn2XPTV9v1
+IPt1RuaqDmJbllOYvU7KBTkr/jcannZXAxopK6EZqvwWzAd4YvOUwedEJX6O9heK
+JVZcE4ZuUrzn96rjUGUrSbjlwuJ92pKoMER1PQ6VmHfM3VCzvwqYRyYhMxfA1KSP
+S3gkrY1b/lkV9D9AdTgpLEwaSkf0Z+qGPHxUwRyVv9LH695dqF7FTDj8rE3hxQJM
+sTBu1TEq/6xAEns6FLNKonKlgWNol0JdcPQXVb039OW6OhutGOz48E/08OwrFeDv
+tfaqQ5NUazCZwJNkwRwXLvWhTrar63HxuzzZvBXg4blWLtbsDkmFlkAp4AGSq2Vy
+vSHSvAAmTC8W9Yd1tn/MptMLuHwOZfEfFGJSZTOe9W9UvqSJhGmiakbsHlfy9GKj
+sy73cJ4QLBLTKLAh7E7wBGIidfkp8eOVh7xojTBrp7kIdg9/sHX7nz1U3a6YMAec
+3kDDdVtohnHxepbHfY4aVmkl
+-----END PRIVATE KEY-----
diff --git a/test/fixtures/keys/ml_dsa_87_private_priv_only.pem b/test/fixtures/keys/ml_dsa_87_private_priv_only.pem
new file mode 100644
index 00000000000000..71a1267c88459f
--- /dev/null
+++ b/test/fixtures/keys/ml_dsa_87_private_priv_only.pem
@@ -0,0 +1,105 @@
+-----BEGIN PRIVATE KEY-----
+MIITOAIBADALBglghkgBZQMEAxMEghMkBIITIA2V6mgQE0TdBkbYoMc5C8aewvXx
+WMSOxpfrXX16iR28+w84bOfqaq9p531ebJSdvlfSmtEqsXaonlTJ6YaAZWLAjMRy
+IqFKwgVAYEZtny1Yp5+ztST3pCmYCGZsc4PlfoWbDHkDe8MUa+LhvF36wzZy/XKi
+w7GyI/+PXWP0r2kUC7dJmxYJGTmFEAmNAKGJyzQwQSBxACkBDDZEWaKAoIBlQUSA
+goJJ1MhJlBJkyEQkITZgIcltwzRFSSAkIzSAw8QxwLgF48IBSyQoSwQoAAiEyCRS
+YBISk4ZsIhEQgjhwIBMKFKiJCQlIRIJgAMZwAcgMYIhBiABJgKgoBBEtYAYFCzVE
+YqCMgEIwWQaIWDRoQkJpZAhOkCgCIkFQFBSFG0Bh1JARwaYEIEQkJDeBI0GEAySS
+CZYJ4EYhkyIk07gh4MIlEQYBFDKOABNuiCJKWbgkiIJBAwBF44YQIUVQ1BQNiIQp
+EzYgIYVNSwCNG4FpiUaRYJhhIaFIkhBlgYIwAMWEC4RAhAhyCBeR0ZhwyIQEkzYy
+ACaEICVtzKQsyBZMw7AwJJRQIyGJVAKOCiZs4hCKyjRuCyZIAYcBGAYsEIaISRgM
+ISRpEyZRyKJBwDZtBBYRArZlUCIoIxJBoSSChCgOGrZByMZQkkQpRDaRC6AAhKQM
+TARSzEJuiaBMEaBADKEoIJhRohaAlDiBGQBA2qAQ3AYE0wiAowYC0AAkRBZhzCBG
+UYhlgyQo3MRASEQN4xRFCCcOE6VIIjiOkqQRGkkKgCBxCSUEZBBlHLZtEJGA1LAp
+2wJiEwkwGUeRIMIIFLFgUrZpE0MJS8BAIsOE2ZQQIIeJCgmJk7RkFLhkBKIFyRKO
+ADlsAhhkTJZoSrgQ0CYMIDUk2pKJGIQAwiJqECiQwqBlizJMIjORWIQAIzJlpCQE
+GgNJCKMkiwgEITNIkRZO4LBIJEgRTCIFnICBGrEoQTCJGUYImQYMUbgtARhtCxYg
+G6YswKRsI8cwBDNQEblNIgFODLItE4AMAkVQRKhxjKYlGLMBIZVJ0jaQ3BaMTCIt
+yYgQlIYx05BwoTQq2SgMXDKNigRoQ4JJG7JsYqgNIKKMEAZk2DhuorRFwSQmGjRt
+maZBGgVOoBIhCseIgACQFCBBWqSIAkBhkyZsUBgCWjIO2JAJGzICwQJlELUMpMSA
+ECYNyzaNDEFxApIIEMApJJJp2EJx4TaMorgFI6WFTKJpIjcKA8cwUbCFiRJR1EJM
+o5IBQ8ZMC6Zkm0gRkiImShIyyoAE06QMDCQo5ARwGABuQkZBCMgMiciA3LJJAiiS
+WQiIBKQJEDCMo0ASgjJNIAIhCzVC3MAECSZAUMaAzKZokIaNWDQsFKNMwYIRyzhN
+y6gkZACOgEAkIpRA3EAspCYx2AgyEDEAGKaBhISRWZIoCogREyGEVLIlijRqm0RN
+gBhKlCQF4zJSIBFNIRJGEAQugAIFHMNtHEEiwAYFU4ZMCalE2DJAyDKSmjhyShBu
+IEYClESNQ5RFBLFxATABoogtQzZKUAAiHCIkEiZEWqBRy7YoQphEoEIuEURqAqWF
+HEUGmhZw1IAElDRAwDIo0agwFKkkIbcFJAdJwzAxEyMKSYAQ28QkG8IA2RgiCClg
+QiZgBKaJAklqQ6KFWIhRm4QsEoAtC4BtgSKQQpBMpIhwGUFGJENhywCOGMZlGKCJ
+CAElS0aFmERqGxQA4kiJ2UYlAbIoIoWQS0AkY7SFGKgEgKAAAMFpiyJNwYglGSNm
+ySSCWoQFCBEIDBcRSgIoWxASnJANCilInEaQFIIwkTAiIZcAoqSEU0KQYKhhFEBm
+44JIITclykhlYQQJwraN0hRwnIIIIxFs2hBAygAGggRp2UAOYwBRFAchJBQSYQQC
+gsBk4cIwEaZoFMgB1LRFGkAK0IRAJChMQrhBCyAQ4saIy0IGYgImUxYJE5GB2LiB
+GSKJCBks0RRsoqBBEaQE2UIFZDgAgRQMmhZkUkSCiKJxpJAhAzVQADFRFJFMQiYp
+whYSCBmOSsIsIShNCrYogTIKSgRNk7JlUBKBIIVAEYiAYMiQE8YsA7dJCgIkmQZh
+UsAtYAZAAUZpIjBmwm0wqGaotK2jU+YMFq8PPVEDsGqAW7XtTqIzidTBrSaahMSz
+OHmF2HPltxyTjCVJLVgdTVcta2tdvHKT9mSx3PNERTXirT/rslJ0W5xqIe37Acnm
+Bwln4FZmrmIxecM81veqo04eRCITpo+zXcq2/2jeqJyDTsgSzO2nQOBIkmJIMi+D
+79ZtwQSS0gPAMJ3PM+TV4aZRvuQCjXdjmGWHRVIUNJzS9/VL8hi0+yAiRAkfbXfg
+1uSzFsdvseM+SbeGaBgCzPrs+W9F5HEadDk2O10tTeZFAE7oKwz2FyoKdf2zJ+9o
+Wb0xa7qotle4+wJm4+DYsjkkJWmpAbVXUuJxW67NfSogyzC/Eud6MOPSNRzLIEFF
+h1pQvqyXNoViG4yJbgaM6crcGT8NGeEXFGPgAztOJi2kkl5fxeQ2eLnuIYXAc/MF
+rz/1F3GQ7V3drAyH9nHiKGxiTUAVW02aNsj4dOEp9PkhSFBo34s1FS5QLbV74kd/
+hcRuOEwDFtIV6jyNobnnyGelVl7QgjaUDMq0srClNBs88JGjHBDkgZ0e9Tbea/iV
+JbC2IFHOIpIwd5dcwfwRHh1kCvnh1c7MUZL2U/lftCALTW95sAKK4nf+kBbWFN0C
+nIpwUwyb1Xx+c1olYByfC3rOCRWQtkpz7FGRHckpoaUhFu1o2Ig+HEGPb0R+Cg5d
+WUud7ZVNEvtbtR6sPbh0YcGDAQuIQE3yYfUl78IuS7cUYQmnawVFY1d/wH376KRW
+5R7m909219edNhCYjMhkBS74Pxpj6+g5kO9qrzYGw2aH4YhxReiq5rXUS7jH2xKJ
+CNsARulMS9WxEz8NNiFvEs+X2olwQHsdQb64TiAW+MW/bmVAcjL+Tg/yHlhtCkCG
+8AnWlp1aTuKhkFX04mqXPp4amB8hLz/3hmvgAre5RhiCbXXIPWpgzKVM2+mFG/4C
+pzTpcF/evnnyFePbB27Bh7ha7U+pxybx8jYScdi0ebR8Bw/g3+/0q02p05EnQ7sO
+ueHNMHsQvzbjZNFmgvDCXT4VLOQidMHRhCAUbCBSzE9C5hXBi/Gtxk9hc6GrUJBo
+6HSLjC3bMQ9b+ZY2xJPDnhcVmZYDLx5s8RGgFfY1d+qIfXmZim7sNX3CiIEpz38b
+rnFWLKWjL5f3EWuLLnDTWdaJzCthiphqisURT82l6uLuEyULddbA5vPZwtoqyx5+
+PpPnfOsMtUAxZ2N3+vToi55rQxY7kGvRc9w9xcHgDae3nE1BtNcvCO1W8N75xKgE
+1ADSehSz4eZlXUwi7jlUsF0QScOVE7Xf0aUpriw//6TEwO8WiFSpZvyU7PUndmtn
+JbAnOE813oOGRUDFEqNf9Cbm983MyvNHlZP5AD20ZA2FgqKvqHfcG8rFdZUiHTDD
+PKQoIkYvAUR0gvYgwjsH+0qBMlFN3ulBLyp6CKpOJoKflor3RESbgkTEyKfHJ7DR
+sjvA8vubo+J8r5pxOPfFSB0iQG3KmJqx4sINq+ommsz3Cxk7yl2Nv3RB1fDCXJTP
++Q+08LY0TVggxHnfWFp2K2A85D7X0/xVSIEsQE9v6mUU8UAznPG8BugHEBCUBtVf
+ynPhC6HJ7+a1Mz/2n4BWvMrZYjK170nRUwl8Od7F4/VlxWIqmSW+H5KqfB8qZ/4E
+CTVnGntORr6mvdiYTHkZKa19slDJTDz9L0PwU0p7G6hV4fpZv2inp4dldIyDC/jr
+2C6wNlQ0n+zFNNSNVfbewAOiYwcD6usPErZNmdMdM69Ve6U15JvFvi/A/uZ9z8R3
+zI3+QfKkLCFZcud/7YEBpESujwV+Fws79V6FPF4KNfSMAwX7HrjYCtaFGaLA4dNP
+gZK7HfkAuh++JMZagRSkJd+Rf2kbVmUJ4Np76e4Ysoy7wcHRFmTDgTCaMLnXH4c3
+YpageIvQnfLhOqG9fj4w4AB+a/hnuU8ZYJqFCqFjNqDrxv3KfuZrMhs9diJsQMfx
+WzdXSpumWMYM/swd8vJLGr2kPb7yQezF7eGUwh8qVDnOfV13vqiT9yFfxMR4hiwn
+ElrJpqEPlFPSNXTGde+qJAoxrRmnPAXtdLo+btcFJC4Z5Yytc4ri0t/YWvkdkV2Z
++FM+6nZV4CJNjWckNMkk96ytJ+1n87rbHJSSD7Rv6w2UeOz8nIoSveuaOxv4unKt
+5Q0IiCE7gWH7CH1ok0cDjNRa53cpD18EnDfYlX8Nhj3ABlck/fAs4FWMd5X3+rD/
+KzOjyIY7gtidMeP6eTtwQvpY2/hQNf1O31ZngObPrPx9AVEuQfq2il3uye2z+O6K
+taLOFyCQ1kUXpafad/ID1hN4blOM+UovhLhQTdoVPej15nGzZZsIWKd6v9Y+L7ox
+3DjxKetta7DzCVyVRfDhfIAcsFFbH1Bc/3Clhvp45zX6tUvSht83ezVlQjeC1+yP
+1MlHooG+aV1+RbxQ/1TLw7XvY8NSSqIdcwCO77CQcfQiQB8jEHtfzlEp51WTnIUk
+TRbM3cm1aRR1RbbZrBq2UT1Wm+1ue4J6TvNkJoh1naCV16rHiHX8dK/XQhUHEZVz
+VK7+aGCZ1OPvAGrxJ6t0vofkj/VeOZ0ID6t1w+UXp8NnW1PHiqdNQW1uhp1EBNn0
+9p+KNIPWJmcCLE/mUptqEFJYnP9I43ewru3wfDvI8Ald63W7a/t6kq55lqTpaZfd
+qh4VfleYcO9+sV+QgPO+KVLgi90T/2/HGF/DHGZb1rlwgrp0NSMgGCX3gfMESiHS
+ylKvPZvJmJxsyxq8eSn/faqo7ZfAO/KWz/ac4kDMW/AfLD5JbDkw8TQPNAIRI7qs
+2q1Z8kLq7N739z0+Ye/DzDVJ/08/ygytibHrVxOD1EBbT88H8Rwu5oiopH8Z2gSo
+jkO22rOSgRWmHl7ruUtpCZPNpby4kFfiGrgBO7s4a0CRHzmEuAEDVEPzapjoAubJ
+MtB0kUGqTpwJfmfyS5m/0rO4/afQWm5ueIixqhYk3b3hjKUFbR7dIX3ISCMZDi4a
+1smDCIxx4afcxzkmGP92VHNYm1JPNNa/dji21t4feTEZFEX4z1N6k/MU1TGrIwmR
+qpub5jY7rQdVLUjyvvagFgHwdaVIt0t9GTK/skg5JQ+GV51LSWV39fY+nWmoJ1zM
+ePkhxkHRrGQ6hFvPIu09ML3NVc9bbl2HkLLRDB1y5UTnCmqfsU67Y4j3BOg2XFZ3
+3d3AAyYWVCLaFytqoZoruGn8p9uTWXad0JaKQsdFKs+bly4EQrzB9HDOnI7ggXCI
+ktzV4sM/AQJtJ0VNVF9uOACtijL8bD7TWqLL0YiWrcIqg62go75z6yUQPl04MYSI
+zEPLBxHxKBxu7USAHuHzTtcPJBzlyIjwmzHjjb4u/BND/LEb9sZP0U1g/0u8Mx4v
+p5uRnmtRuZBUnHqnZsafUvfV3y6cuYio5Dq7vqZ9WzFC3DVGk4cqaj3n60ezxNEv
+w1kuoga7hurWUfHfxvy0prVjNLxcHIOtla9VorcnvWMtCfowO1t8trnHATUcpepH
+C4S9mb4XgbzWeVl7uQyLSRcsjOlJN2RvSEg5JCjraOS+myyKcu6qMRAzJI3fbdbJ
+HTFSEf4d6DryyK5yRn6LFN3FDMrajCW6SUtVLkt+hEg9ObRGjqaoZb6ouOIPYkal
+xhWPPvDtDzbUBB8Ik2waaHziYMokm1J441UhM5eqBBkCst+lEFvLHo/z7vMvf42O
+oFpR8rIoP0IyZyi39NyTZVwDTjCJisTNE9V+Vr6GqVn+LXcNSmNFluOe6VvA62CX
+zaeFtvTEXc9KkVS+Z+72RWV4cQmq5y3RZGyW9evkEAnS1P4oyQfB29bOwRZgrVTX
+2JGBzuyCMOTj+Qr3Bxgyi5ZHlzwZbzyIPkBtPtx3A80a1H2lgIAfyMDJik1CC/GB
+tEGUVyQPdSM0ZbgtNixGDq6AR0P7lPrIQj5g5n4ZRgFSfef6/tMTTlYaE+Koi1Uw
+Lfx559lz01fb9SD7dUbmqg5iW5ZTmL1OygU5K/43Gp52VwMaKSuhGar8FswHeGLz
+lMHnRCV+jvYXiiVWXBOGblK85/eq41BlK0m45cLifdqSqDBEdT0OlZh3zN1Qs78K
+mEcmITMXwNSkj0t4JK2NW/5ZFfQ/QHU4KSxMGkpH9Gfqhjx8VMEclb/Sx+veXahe
+xUw4/KxN4cUCTLEwbtUxKv+sQBJ7OhSzSqJypYFjaJdCXXD0F1W9N/TlujobrRjs
++PBP9PDsKxXg77X2qkOTVGswmcCTZMEcFy71oU62q+tx8bs82bwV4OG5Vi7W7A5J
+hZZAKeABkqtlcr0h0rwAJkwvFvWHdbZ/zKbTC7h8DmXxHxRiUmUznvVvVL6kiYRp
+ompG7B5X8vRio7Mu93CeECwS0yiwIexO8ARiInX5KfHjlYe8aI0wa6e5CHYPf7B1
++589VN2umDAHnN5Aw3VbaIZx8XqWx32OGlZpJQ==
+-----END PRIVATE KEY-----
diff --git a/test/fixtures/keys/ml_dsa_87_private_seed_only.pem b/test/fixtures/keys/ml_dsa_87_private_seed_only.pem
new file mode 100644
index 00000000000000..4a712f03f3d82c
--- /dev/null
+++ b/test/fixtures/keys/ml_dsa_87_private_seed_only.pem
@@ -0,0 +1,4 @@
+-----BEGIN PRIVATE KEY-----
+MDQCAQAwCwYJYIZIAWUDBAMTBCKAIC2UjpRD21PUuf5krDFC3308sWbuqihDkNZ3
+xItjQrHI
+-----END PRIVATE KEY-----
diff --git a/test/fixtures/keys/ml_dsa_87_public.pem b/test/fixtures/keys/ml_dsa_87_public.pem
new file mode 100644
index 00000000000000..c734e59000bd89
--- /dev/null
+++ b/test/fixtures/keys/ml_dsa_87_public.pem
@@ -0,0 +1,57 @@
+-----BEGIN PUBLIC KEY-----
+MIIKMjALBglghkgBZQMEAxMDggohAA2V6mgQE0TdBkbYoMc5C8aewvXxWMSOxpfr
+XX16iR281Qk070X0cGXLt2JqbFGFwXV9qVbEOdUJasTLJSgUZnzQmpwS3H3ee6qB
+CG9CuhiCmRh8ZbK/WlzYxBnCjKNCAqJ9C2E701q5e9js/tshAP2mzyt/3QVBRgGE
+OpDkIQB3E9QjJk03JNtz5xHeVlKWH2TgPYIhV/XTVa63RVnM4/7wzrcvNTmzSrMX
+1Vk9Zxu3OtFAicW9nNrTKwcd66ex33P2joOeFuSh6HCYtBGotKJOG7skk3tFAkgl
+E5HqAnHYgAYDhQYl0WM6Zty8+LqLeoUoBaboeu3xPWaYLZ+uL3yPjtZoHD6zz6Xd
+8gPdia6vnb17jOecNUZgP4YWt1OUodr5tLQ9VOe6veOVKaRUXiL//DQCgZMUP7x4
+pe8kpvpuyADPrE1GPOvyKjGaorMaM+xX+2UdryIlJt/i9KMOAfLj7Ar9mZVKFV7z
+Bel0Ijh7IKoD9a3x/A5n5jxbncIl6wFusBJotdLJD5pDfdmgt0zxup5mja8kO3/C
+fNslZhsVvVO8zG4NtajZERgYv9WMBLeg/FdqVFr+VNWuKePjGtH+LkBuINKHTPlh
+qJpYe6WVmX97H34j15PcAaxorMbQibmgeb7ZIXlsaRH1qp4XN0HTln67EYOj9Yez
+PeUjVVtFPAN/MMK6jzqcxJ3JAlXQq2c9m9ilZZ+muLcHyDYNft5RGUeK5BJk2k2J
+SxZV820RVgQTxgE8XkcYUP/TeVYR4u0k1jxQ+RyCclas+N+m21bzOj8v6JXU/8bf
+7VpT3NMOD3rMtgoGgj5SQp8enIxIP7EQVHEZAaB6mu2mY+CRRZvW8xGoidjCn5B1
+U+MXWxIpjB7A9B5CEKYOfs6AdibKoHOkIty+e4WYvkNVdBtpZnWeVmZENpuYcZXu
+IR7QJoIYMpytqdKsw1h0nMR3HXdrCJ2KkIDGG577NOGGClqSH53QlAbPavxDjTeb
+Z/IH0sBxCpUPiqaZRC+ZHPvfYdrmmbMUZSThev8/BGfmimimPI76AFdIOJGSR+VC
+svzJAYr2uq/s11JqPPKiY10GrTjknX7yVE4mYkn3KQUKhfUkgw/VlrICJ2jgijv3
+wBX/X7mnFwzBI9HrFMdWK1RHv++0ubjm4PlKyuNOVNSYSiSb3e6PMUCsXp7+QSXb
+G28mEA20knvQawqnhxIJn0R013Ur5f90Dj9BI/nU/GCSR2dZa7o1O2YOX+SoPfbV
+ORnSzGx19pLeBdmtDV9PR4pBHpr1IODSz4YzooX1ZAoa/s3RevZ37J04mkKzIKSH
+JfY7bTfff/Bo7vi1PDlm2/dpvUS8QFBT9deb9tn++2D6CC5vdiIzGTJMRIRp3qHJ
+VoZ7nZMke2KEwYwp0+W+wAvf9ObpbOt+xZlX+wpPPjBeIC4pd3bLV4uINuG4rWIc
+calsIqheL7A6LkhlJ7igjMMd0y7CCP8ZO+046UD+L6S3WDN7Z/eAFZUzDIZyPjmZ
+FSZPv5iG8sAsER5UG+Z81QnNAVpTNZG/TycrNiH3IkvC1hKMXqvZqA1+cO9siSqC
+zdwlqQ91XSQIlu/c1GsksPiHltF2h55c3uX2JzqMxvJSHskPbDGWrDIhaLxp0d2+
+48jLQN/FN979en6LlrgSCzrtJv0DqUQyPYt640TOoXQuPMwrTUs3Nf9VT2JFg0hS
+taFQI3XfPtq48qnT3lMJ6g9ulQPf3d0e8fE4a2s3W0QvFNYa/Y6ajR7meCxmLt1I
+vMAfpUrfUDGh8+dezGP8wRKDRsr20FrZTO5ry7tdiqDDO57xqzyZ7w/h5sU6rFUK
+JQ/P5SFeWqO9soig6QK1a+kbleD6SNI/1suPsgwrsAVtII5wfRrwsDk3gcmFyU+l
+Je3YB3JOAWxdyMhYL5mPvnHlq+Zga2wAvSyT/+Fn+Turpd4Ra4Yhus0leM8wWC5x
+MH1uizSxGY2SoJgWIgubNcZcWFg3XEORRpi0PbhA5K+FSLV0FryCHXgUD8ro8Znf
+euTIoPfkmu0gslf98B/H0Jxpb1PoyTBi9M78wdoHLu4TCzGoFAY9QCl4/lMaW19Y
+veX9kzomQ8DHggrM4Lwo0NtVyoNO0wV66zohXIHAA4HaPhya+ztU96MziLpatTwz
+O0GR+ot8Aw9I929DQnaiglqoXy189vhbM8lB5gPxgszi1c6y09g3BliHEG5LxdMm
+T4E8qigKymvKsrTnq3R+qAidG0ZfevOebDFY7lHclS1+11v61U8LDsFdIFQMfEq8
+6L7QxXh0TZewUCjLMkNQY1rtuY6iieffLwItywmb9JDHYgtuKj3YGVOHtmlJHKNd
+RJw+pyYHarFRcbnwpeAQ/w/YOVsuNnybeGYDTwHG1H9+NShEckXngREI/qpTwdyF
+EyF3CcOvBknHm4cW9Fv7RijAQuvoqeEHzVu1E8VMVcZgle4dMkZwQZZLlEdXmEMF
+kZhD4ynd3Sx74B7a9uujUJhNbZyrSZbHTym9M7ayPb6ILBDbIBjRUNrR6Hl/L6sX
+GoBs55T1T33Nw5aowUnkxUGj1r5gkB1SoMZG733ysxUMhb1xKremxhrZMAaESfyC
+MLUnlkNpxTwXt65ciq7Up0BSDImyW22Lz1RNNwpXfUeta/hhg0kM+Gl3pC83jxFc
+J8aXuJliRnKO3LUMhO9z3pC9bqNoNG0SvioGhPO/Doi0QaOU+3Ot98RH9oTMved9
+jNhlXU2bqBNCy/sKQIfRpjXbyWXO4NrCDb8GYu+/L9lh3GBCql73Zq1/kocod0JM
+4CBmaw8zOFJccVFml32dGejzYLpOyWn6n98blHvWfM3wCZeXP1QN5PHZ+yEYPfYU
+bIfkxgQs6s4IyauKeFzFj9kLsRUxkoB0Xthkghc3efpT464++mck9zD1MUHv21dl
+RPjsrNzE/lZAgjPIxQgDV3a35bRuo0olGdriVFjanTZ8T4JZpsq4H3/5vuQsiEVm
+F0LCHWRrKanY82+BekWwSny9j0JTOs1H6PSTZhPGEKvNeTcZHsfLwzqyJp3sN9dn
+2QOq0Y6/f7hOJRG8N1OzxZQigVD7z57HYHnYymIYktMVOoktTQyjr2IXK5ApIlOu
+xJhQ+FNPjgr/SqW2+WyMUybr+NOTcSQRJQDFSPsmtJ7Ow+PsVD59OROz4bRmU9Hh
+8CLY0+qJk4U7Ex8Af20KmHza46zmztZdYKNoUPnFGnWWLBuZeOwgeUZRYQDbWgvL
+YquCiYuPE5hBAKQf9FcDiOBJiO0kdKGqsdx0V2X3hnrwsdsgvWgmDOB6nMqj9oP9
+R8LDmM8KuFwxGyuWJdXbWAAcT6KO7fBQatrEpn6wSVhb/5763m/wz8G36EngsvZJ
+6rzpLUkEazzJqPpzRqWp3Qb45q40pNxHXs4gD+1za3uSPm5/9r6A8ZMxhbVDPsM5
+S9+/QEkRno/BZDVmjsqhj+gJ6uT0iQ==
+-----END PUBLIC KEY-----
diff --git a/test/fixtures/source-map/output/source_map_throw_class_method.js b/test/fixtures/source-map/output/source_map_throw_class_method.js
new file mode 100644
index 00000000000000..c8c4b722a41829
--- /dev/null
+++ b/test/fixtures/source-map/output/source_map_throw_class_method.js
@@ -0,0 +1,7 @@
+'use strict';
+
+// Flags: --enable-source-maps
+
+require('../../../common');
+Error.stackTraceLimit = 2;
+require('../throw-class-method.min.js');
diff --git a/test/fixtures/source-map/output/source_map_throw_class_method.snapshot b/test/fixtures/source-map/output/source_map_throw_class_method.snapshot
new file mode 100644
index 00000000000000..a6b7984d4c7c76
--- /dev/null
+++ b/test/fixtures/source-map/output/source_map_throw_class_method.snapshot
@@ -0,0 +1,6 @@
+Error: This is a test
+    at Foo.bar (*/test/fixtures/source-map/throw-class-method.js:3:11)
+    at Object.<anonymous> (*/test/fixtures/source-map/throw-class-method.js:12:7)
+Error: This is a test
+    at Bar.bar (*/test/fixtures/source-map/throw-class-method.js:3:11)
+    at Object.<anonymous> (*/test/fixtures/source-map/throw-class-method.js:19:7)
diff --git a/test/fixtures/source-map/throw-class-method.js b/test/fixtures/source-map/throw-class-method.js
new file mode 100644
index 00000000000000..2bfa9ce06675dd
--- /dev/null
+++ b/test/fixtures/source-map/throw-class-method.js
@@ -0,0 +1,27 @@
+class Foo {
+  bar() {
+    throw Error('This is a test');
+  }
+}
+
+class Bar {}
+Bar.prototype.bar = Foo.prototype.bar;
+
+try {
+  const foo = new Foo();
+  foo.bar();
+} catch (e) {
+  console.error(e);
+}
+
+try {
+  const bar = Object.create(Bar.prototype);
+  bar.bar();
+} catch (e) {
+  console.error(e);
+}
+
+// To recreate:
+//
+// cd test/fixtures/source-map
+// npx terser -o throw-class-method.min.js --source-map "url='throw-class-method.min.js.map'" throw-class-method.js
diff --git a/test/fixtures/source-map/throw-class-method.min.js b/test/fixtures/source-map/throw-class-method.min.js
new file mode 100644
index 00000000000000..eba49ea1c24b54
--- /dev/null
+++ b/test/fixtures/source-map/throw-class-method.min.js
@@ -0,0 +1,2 @@
+class Foo{bar(){throw Error("This is a test")}}class Bar{}Bar.prototype.bar=Foo.prototype.bar;try{const foo=new Foo;foo.bar()}catch(e){console.error(e)}try{const bar=Object.create(Bar.prototype);bar.bar()}catch(e){console.error(e)}
+//# sourceMappingURL=throw-class-method.min.js.map
\ No newline at end of file
diff --git a/test/fixtures/source-map/throw-class-method.min.js.map b/test/fixtures/source-map/throw-class-method.min.js.map
new file mode 100644
index 00000000000000..5be313d68fd551
--- /dev/null
+++ b/test/fixtures/source-map/throw-class-method.min.js.map
@@ -0,0 +1 @@
+{"version":3,"names":["Foo","bar","Error","Bar","prototype","foo","e","console","error","Object","create"],"sources":["throw-class-method.js"],"mappings":"AAAA,MAAMA,IACJ,GAAAC,GACE,MAAMC,MAAM,iBACd,EAGF,MAAMC,KACNA,IAAIC,UAAUH,IAAMD,IAAII,UAAUH,IAElC,IACE,MAAMI,IAAM,IAAIL,IAChBK,IAAIJ,KACN,CAAE,MAAOK,GACPC,QAAQC,MAAMF,EAChB,CAEA,IACE,MAAML,IAAMQ,OAAOC,OAAOP,IAAIC,WAC9BH,IAAIA,KACN,CAAE,MAAOK,GACPC,QAAQC,MAAMF,EAChB","ignoreList":[]}
\ No newline at end of file
diff --git a/test/fixtures/test-runner/coverage-with-mock/module.js b/test/fixtures/test-runner/coverage-with-mock/module.js
new file mode 100644
index 00000000000000..aa80ca1950dfc6
--- /dev/null
+++ b/test/fixtures/test-runner/coverage-with-mock/module.js
@@ -0,0 +1,5 @@
+import {getData, sum} from './sum.js'
+
+export const theModuleSum = (a, b) => sum(a,b)
+
+export const theModuleGetData = () => getData()
diff --git a/test/fixtures/test-runner/coverage-with-mock/sum.js b/test/fixtures/test-runner/coverage-with-mock/sum.js
new file mode 100644
index 00000000000000..3227f83209e23c
--- /dev/null
+++ b/test/fixtures/test-runner/coverage-with-mock/sum.js
@@ -0,0 +1,9 @@
+// console.log('imported')
+
+const data = { type: 'object' }
+
+// console.log(data)
+
+export const sum = (a, b) => a + b
+
+export const getData = () => data
diff --git a/test/fixtures/test-runner/output/assertion-color-tty.snapshot b/test/fixtures/test-runner/output/assertion-color-tty.snapshot
index a74016febc5df4..4409d6f5e3e939 100644
--- a/test/fixtures/test-runner/output/assertion-color-tty.snapshot
+++ b/test/fixtures/test-runner/output/assertion-color-tty.snapshot
@@ -21,5 +21,6 @@
     code: [32m'ERR_ASSERTION'[39m,
     actual: [32m'!Hello World'[39m,
     expected: [32m'Hello World!'[39m,
-    operator: [32m'strictEqual'[39m
+    operator: [32m'strictEqual'[39m,
+    diff: [32m'simple'[39m
   }
diff --git a/test/fixtures/test-runner/output/coverage-with-mock.mjs b/test/fixtures/test-runner/output/coverage-with-mock.mjs
new file mode 100644
index 00000000000000..5d5b2b14f66a95
--- /dev/null
+++ b/test/fixtures/test-runner/output/coverage-with-mock.mjs
@@ -0,0 +1,17 @@
+import { describe, it, mock } from 'node:test';
+
+describe('module test with mock', async () => {
+  mock.module('../coverage-with-mock/sum.js', {
+    namedExports: {
+      sum: (a, b) => 1,
+      getData: () => ({}),
+    },
+  });
+
+  const { theModuleSum, theModuleGetData } = await import('../coverage-with-mock/module.js');
+
+  it('tests correct thing', (t) => {
+    t.assert.strictEqual(theModuleSum(1, 2), 1);
+    t.assert.deepStrictEqual(theModuleGetData(), {});
+  });
+});
diff --git a/test/fixtures/test-runner/output/coverage-with-mock.snapshot b/test/fixtures/test-runner/output/coverage-with-mock.snapshot
new file mode 100644
index 00000000000000..2dd3443265b7b7
--- /dev/null
+++ b/test/fixtures/test-runner/output/coverage-with-mock.snapshot
@@ -0,0 +1,38 @@
+TAP version 13
+# Subtest: module test with mock
+    # Subtest: tests correct thing
+    ok 1 - tests correct thing
+      ---
+      duration_ms: *
+      type: 'test'
+      ...
+    1..1
+ok 1 - module test with mock
+  ---
+  duration_ms: *
+  type: 'suite'
+  ...
+1..1
+# tests 1
+# suites 1
+# pass 1
+# fail 0
+# cancelled 0
+# skipped 0
+# todo 0
+# duration_ms *
+# start of coverage report
+# ---------------------------------------------------------------------------
+# file                       | line % | branch % | funcs % | uncovered lines
+# ---------------------------------------------------------------------------
+# test                       |        |          |         | 
+#  fixtures                  |        |          |         | 
+#   test-runner              |        |          |         | 
+#    coverage-with-mock      |        |          |         | 
+#     module.js              | 100.00 |   100.00 |  100.00 | 
+#    output                  |        |          |         | 
+#     coverage-with-mock.mjs | 100.00 |   100.00 |  100.00 | 
+# ---------------------------------------------------------------------------
+# all files                  | 100.00 |   100.00 |  100.00 | 
+# ---------------------------------------------------------------------------
+# end of coverage report
diff --git a/test/fixtures/test-runner/output/dot_reporter.snapshot b/test/fixtures/test-runner/output/dot_reporter.snapshot
index 4ef804951dc99f..c50cb99c16a0fa 100644
--- a/test/fixtures/test-runner/output/dot_reporter.snapshot
+++ b/test/fixtures/test-runner/output/dot_reporter.snapshot
@@ -66,7 +66,8 @@ Failed tests:
     code: 'ERR_ASSERTION',
     actual: true,
     expected: false,
-    operator: 'strictEqual'
+    operator: 'strictEqual',
+    diff: 'simple'
   }
 ✖ reject fail (*ms)
   Error: rejected from reject fail
@@ -215,7 +216,8 @@ Failed tests:
     code: 'ERR_ASSERTION',
     actual: [Object],
     expected: [Object],
-    operator: 'deepEqual'
+    operator: 'deepEqual',
+    diff: 'simple'
   }
 ✖ invalid subtest fail (*ms)
   'test could not be started because its parent finished'
diff --git a/test/fixtures/test-runner/output/junit_reporter.snapshot b/test/fixtures/test-runner/output/junit_reporter.snapshot
index d1868bd4b6eaa9..37cea45d62bd84 100644
--- a/test/fixtures/test-runner/output/junit_reporter.snapshot
+++ b/test/fixtures/test-runner/output/junit_reporter.snapshot
@@ -124,7 +124,8 @@ true !== false
     code: 'ERR_ASSERTION',
     actual: true,
     expected: false,
-    operator: 'strictEqual'
+    operator: 'strictEqual',
+    diff: 'simple'
   }
 }
 		</failure>
@@ -491,7 +492,8 @@ should loosely deep-equal
     code: 'ERR_ASSERTION',
     actual: [Object],
     expected: [Object],
-    operator: 'deepEqual'
+    operator: 'deepEqual',
+    diff: 'simple'
   }
 }
 		</failure>
diff --git a/test/fixtures/test-runner/output/spec_reporter.snapshot b/test/fixtures/test-runner/output/spec_reporter.snapshot
index 17eb9d01451d32..749f0dce43a450 100644
--- a/test/fixtures/test-runner/output/spec_reporter.snapshot
+++ b/test/fixtures/test-runner/output/spec_reporter.snapshot
@@ -171,7 +171,8 @@
     code: 'ERR_ASSERTION',
     actual: true,
     expected: false,
-    operator: 'strictEqual'
+    operator: 'strictEqual',
+    diff: 'simple'
   }
 
 *
@@ -356,7 +357,8 @@
     code: 'ERR_ASSERTION',
     actual: [Object],
     expected: [Object],
-    operator: 'deepEqual'
+    operator: 'deepEqual',
+    diff: 'simple'
   }
 
 *
diff --git a/test/fixtures/test-runner/output/spec_reporter_cli.snapshot b/test/fixtures/test-runner/output/spec_reporter_cli.snapshot
index 2dd9e92deb1b38..b3a352092c677a 100644
--- a/test/fixtures/test-runner/output/spec_reporter_cli.snapshot
+++ b/test/fixtures/test-runner/output/spec_reporter_cli.snapshot
@@ -174,7 +174,8 @@
     code: 'ERR_ASSERTION',
     actual: true,
     expected: false,
-    operator: 'strictEqual'
+    operator: 'strictEqual',
+    diff: 'simple'
   }
 
 *
@@ -359,7 +360,8 @@
     code: 'ERR_ASSERTION',
     actual: { foo: 1, bar: 1, boo: [ 1 ], baz: { date: 1970-01-01T00:00:00.000Z, null: null, number: 1, string: 'Hello', undefined: undefined } },
     expected: { boo: [ 1 ], baz: { date: 1970-01-01T00:00:00.000Z, null: null, number: 1, string: 'Hello', undefined: undefined }, circular: <ref *1> { bar: 2, c: [Circular *1] } },
-    operator: 'deepEqual'
+    operator: 'deepEqual',
+    diff: 'simple'
   }
 
 *
diff --git a/test/fixtures/test-runner/output/typescript-coverage.snapshot b/test/fixtures/test-runner/output/typescript-coverage.snapshot
index eaeba2bfa11b12..5d628e2b0854d8 100644
--- a/test/fixtures/test-runner/output/typescript-coverage.snapshot
+++ b/test/fixtures/test-runner/output/typescript-coverage.snapshot
@@ -29,11 +29,11 @@ ok 1 - foo
 #  fixtures                   |        |          |         | 
 #   test-runner               |        |          |         | 
 #    coverage                 |        |          |         | 
-#     bar.mts                 |   0.00 |   100.00 |  100.00 | 1-3
+#     bar.mts                 |  33.33 |   100.00 |    0.00 | 2-3
 #     foo.mts                 | 100.00 |   100.00 |  100.00 | 
 #    output                   |        |          |         | 
 #     typescript-coverage.mts | 100.00 |   100.00 |  100.00 | 
 # ----------------------------------------------------------------------------
-# all files                   |  85.29 |   100.00 |   85.71 | 
+# all files                   |  93.55 |   100.00 |   85.71 | 
 # ----------------------------------------------------------------------------
 # end of coverage report
diff --git a/test/fixtures/wpt/README.md b/test/fixtures/wpt/README.md
index 34aed56641dd84..06872e85e556f2 100644
--- a/test/fixtures/wpt/README.md
+++ b/test/fixtures/wpt/README.md
@@ -26,7 +26,7 @@ Last update:
 - interfaces: https://github.com/web-platform-tests/wpt/tree/e1b27be06b/interfaces
 - performance-timeline: https://github.com/web-platform-tests/wpt/tree/94caab7038/performance-timeline
 - resource-timing: https://github.com/web-platform-tests/wpt/tree/22d38586d0/resource-timing
-- resources: https://github.com/web-platform-tests/wpt/tree/1e140d63ec/resources
+- resources: https://github.com/web-platform-tests/wpt/tree/1d2c5fb36a/resources
 - streams: https://github.com/web-platform-tests/wpt/tree/bc9dcbbf1a/streams
 - url: https://github.com/web-platform-tests/wpt/tree/9504a83e01/url
 - urlpattern: https://github.com/web-platform-tests/wpt/tree/84b75f0880/urlpattern
@@ -34,10 +34,10 @@ Last update:
 - wasm/jsapi: https://github.com/web-platform-tests/wpt/tree/cde25e7e3c/wasm/jsapi
 - wasm/webapi: https://github.com/web-platform-tests/wpt/tree/fd1b23eeaa/wasm/webapi
 - web-locks: https://github.com/web-platform-tests/wpt/tree/10a122a6bc/web-locks
-- WebCryptoAPI: https://github.com/web-platform-tests/wpt/tree/ab08796857/WebCryptoAPI
+- WebCryptoAPI: https://github.com/web-platform-tests/wpt/tree/1d2c5fb36a/WebCryptoAPI
 - webidl/ecmascript-binding/es-exceptions: https://github.com/web-platform-tests/wpt/tree/2f96fa1996/webidl/ecmascript-binding/es-exceptions
 - webmessaging/broadcastchannel: https://github.com/web-platform-tests/wpt/tree/6495c91853/webmessaging/broadcastchannel
-- webstorage: https://github.com/web-platform-tests/wpt/tree/1291340aaa/webstorage
+- webstorage: https://github.com/web-platform-tests/wpt/tree/1d2c5fb36a/webstorage
 
 [Web Platform Tests]: https://github.com/web-platform-tests/wpt
 [`git node wpt`]: https://github.com/nodejs/node-core-utils/blob/main/docs/git-node.md#git-node-wpt
diff --git a/test/fixtures/wpt/WebCryptoAPI/derive_bits_keys/cfrg_curves_bits_curve448.https.any.js b/test/fixtures/wpt/WebCryptoAPI/derive_bits_keys/cfrg_curves_bits_curve448.tentative.https.any.js
similarity index 100%
rename from test/fixtures/wpt/WebCryptoAPI/derive_bits_keys/cfrg_curves_bits_curve448.https.any.js
rename to test/fixtures/wpt/WebCryptoAPI/derive_bits_keys/cfrg_curves_bits_curve448.tentative.https.any.js
diff --git a/test/fixtures/wpt/WebCryptoAPI/derive_bits_keys/cfrg_curves_keys_curve448.https.any.js b/test/fixtures/wpt/WebCryptoAPI/derive_bits_keys/cfrg_curves_keys_curve448.tentative.https.any.js
similarity index 100%
rename from test/fixtures/wpt/WebCryptoAPI/derive_bits_keys/cfrg_curves_keys_curve448.https.any.js
rename to test/fixtures/wpt/WebCryptoAPI/derive_bits_keys/cfrg_curves_keys_curve448.tentative.https.any.js
diff --git a/test/fixtures/wpt/WebCryptoAPI/generateKey/failures_Ed448.https.any.js b/test/fixtures/wpt/WebCryptoAPI/generateKey/failures_Ed448.tentative.https.any.js
similarity index 100%
rename from test/fixtures/wpt/WebCryptoAPI/generateKey/failures_Ed448.https.any.js
rename to test/fixtures/wpt/WebCryptoAPI/generateKey/failures_Ed448.tentative.https.any.js
diff --git a/test/fixtures/wpt/WebCryptoAPI/generateKey/failures_X448.https.any.js b/test/fixtures/wpt/WebCryptoAPI/generateKey/failures_X448.tentative.https.any.js
similarity index 100%
rename from test/fixtures/wpt/WebCryptoAPI/generateKey/failures_X448.https.any.js
rename to test/fixtures/wpt/WebCryptoAPI/generateKey/failures_X448.tentative.https.any.js
diff --git a/test/fixtures/wpt/WebCryptoAPI/generateKey/successes_Ed448.https.any.js b/test/fixtures/wpt/WebCryptoAPI/generateKey/successes_Ed448.tentative.https.any.js
similarity index 100%
rename from test/fixtures/wpt/WebCryptoAPI/generateKey/successes_Ed448.https.any.js
rename to test/fixtures/wpt/WebCryptoAPI/generateKey/successes_Ed448.tentative.https.any.js
diff --git a/test/fixtures/wpt/WebCryptoAPI/generateKey/successes_X448.https.any.js b/test/fixtures/wpt/WebCryptoAPI/generateKey/successes_X448.tentative.https.any.js
similarity index 100%
rename from test/fixtures/wpt/WebCryptoAPI/generateKey/successes_X448.https.any.js
rename to test/fixtures/wpt/WebCryptoAPI/generateKey/successes_X448.tentative.https.any.js
diff --git a/test/fixtures/wpt/WebCryptoAPI/getRandomValues.any.js b/test/fixtures/wpt/WebCryptoAPI/getRandomValues.any.js
index 574134eb76dcd8..aecd38efd60bac 100644
--- a/test/fixtures/wpt/WebCryptoAPI/getRandomValues.any.js
+++ b/test/fixtures/wpt/WebCryptoAPI/getRandomValues.any.js
@@ -60,9 +60,9 @@ for (const array of arrays) {
 
     test(function() {
         const maxlength = 65536 / ctor.BYTES_PER_ELEMENT;
-        assert_throws_dom("QuotaExceededError", function() {
-            self.crypto.getRandomValues(new ctor(maxlength + 1))
-        }, "crypto.getRandomValues length over 65536")
+        assert_throws_quotaexceedederror(() => {
+            self.crypto.getRandomValues(new ctor(maxlength + 1));
+        }, null, null, "crypto.getRandomValues length over 65536");
     }, "Large length: " + array);
 
     test(function() {
diff --git a/test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_Ed448.https.any.js b/test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_Ed448.tentative.https.any.js
similarity index 100%
rename from test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_Ed448.https.any.js
rename to test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_Ed448.tentative.https.any.js
diff --git a/test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_X448.https.any.js b/test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_X448.tentative.https.any.js
similarity index 100%
rename from test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_X448.https.any.js
rename to test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_X448.tentative.https.any.js
diff --git a/test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_failures_Ed448.https.any.js b/test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_failures_Ed448.tentative.https.any.js
similarity index 100%
rename from test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_failures_Ed448.https.any.js
rename to test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_failures_Ed448.tentative.https.any.js
diff --git a/test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_failures_X448.https.any.js b/test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_failures_X448.tentative.https.any.js
similarity index 100%
rename from test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_failures_X448.https.any.js
rename to test/fixtures/wpt/WebCryptoAPI/import_export/okp_importKey_failures_X448.tentative.https.any.js
diff --git a/test/fixtures/wpt/WebCryptoAPI/sign_verify/eddsa_curve448.https.any.js b/test/fixtures/wpt/WebCryptoAPI/sign_verify/eddsa_curve448.tentative.https.any.js
similarity index 100%
rename from test/fixtures/wpt/WebCryptoAPI/sign_verify/eddsa_curve448.https.any.js
rename to test/fixtures/wpt/WebCryptoAPI/sign_verify/eddsa_curve448.tentative.https.any.js
diff --git a/test/fixtures/wpt/resources/channel.sub.js b/test/fixtures/wpt/resources/channel.sub.js
index d93b3b3091947d..370d4f5905e3fa 100644
--- a/test/fixtures/wpt/resources/channel.sub.js
+++ b/test/fixtures/wpt/resources/channel.sub.js
@@ -511,7 +511,7 @@
          *
          * @param {SendChannel|string} [dest] - Either a SendChannel
          * to the destination, or the UUID of the destination. If
-         * omitted, a new UUID is generated, which can be used when
+         * ommitted, a new UUID is generated, which can be used when
          * constructing the URL for the global.
          *
          */
diff --git a/test/fixtures/wpt/resources/check-layout-th.js b/test/fixtures/wpt/resources/check-layout-th.js
index f14ca3246b8ea2..2965a25d146a1f 100644
--- a/test/fixtures/wpt/resources/check-layout-th.js
+++ b/test/fixtures/wpt/resources/check-layout-th.js
@@ -218,6 +218,7 @@ window.checkLayout = function(selectorList, callDone = true)
     nodes = Array.prototype.slice.call(nodes);
     var checkedLayout = false;
     Array.prototype.forEach.call(nodes, function(node) {
+        const title = node.title ? `: ${node.title}` : '';
         test(function(t) {
             var container = node.parentNode.className == 'container' ? node.parentNode : node;
             var prefix =
@@ -240,7 +241,7 @@ window.checkLayout = function(selectorList, callDone = true)
               }
                 checkedLayout |= !passed;
             }
-        }, selectorList + ' ' + String(++testNumber));
+        }, `${selectorList} ${++testNumber}${title}`);
     });
     if (!checkedLayout) {
         console.error("No valid data-* attributes found in selector list : " + selectorList);
diff --git a/test/fixtures/wpt/resources/check-layout.js b/test/fixtures/wpt/resources/check-layout.js
deleted file mode 100644
index 8634481497d701..00000000000000
--- a/test/fixtures/wpt/resources/check-layout.js
+++ /dev/null
@@ -1,245 +0,0 @@
-(function() {
-
-function insertAfter(nodeToAdd, referenceNode)
-{
-    if (referenceNode == document.body) {
-        document.body.appendChild(nodeToAdd);
-        return;
-    }
-
-    if (referenceNode.nextSibling)
-        referenceNode.parentNode.insertBefore(nodeToAdd, referenceNode.nextSibling);
-    else
-        referenceNode.parentNode.appendChild(nodeToAdd);
-}
-
-function positionedAncestor(node)
-{
-    var ancestor = node.parentNode;
-    while (getComputedStyle(ancestor).position == 'static')
-        ancestor = ancestor.parentNode;
-    return ancestor;
-}
-
-function checkSubtreeExpectedValues(parent, failures)
-{
-    var checkedLayout = checkExpectedValues(parent, failures);
-    Array.prototype.forEach.call(parent.childNodes, function(node) {
-        checkedLayout |= checkSubtreeExpectedValues(node, failures);
-    });
-    return checkedLayout;
-}
-
-function checkAttribute(output, node, attribute)
-{
-    var result = node.getAttribute && node.getAttribute(attribute);
-    output.checked |= !!result;
-    return result;
-}
-
-function checkExpectedValues(node, failures)
-{
-    var output = { checked: false };
-    var expectedWidth = checkAttribute(output, node, "data-expected-width");
-    if (expectedWidth) {
-        if (isNaN(expectedWidth) || Math.abs(node.offsetWidth - expectedWidth) >= 1)
-            failures.push("Expected " + expectedWidth + " for width, but got " + node.offsetWidth + ". ");
-    }
-
-    var expectedHeight = checkAttribute(output, node, "data-expected-height");
-    if (expectedHeight) {
-        if (isNaN(expectedHeight) || Math.abs(node.offsetHeight - expectedHeight) >= 1)
-            failures.push("Expected " + expectedHeight + " for height, but got " + node.offsetHeight + ". ");
-    }
-
-    var expectedOffset = checkAttribute(output, node, "data-offset-x");
-    if (expectedOffset) {
-        if (isNaN(expectedOffset) || Math.abs(node.offsetLeft - expectedOffset) >= 1)
-            failures.push("Expected " + expectedOffset + " for offsetLeft, but got " + node.offsetLeft + ". ");
-    }
-
-    var expectedOffset = checkAttribute(output, node, "data-offset-y");
-    if (expectedOffset) {
-        if (isNaN(expectedOffset) || Math.abs(node.offsetTop - expectedOffset) >= 1)
-            failures.push("Expected " + expectedOffset + " for offsetTop, but got " + node.offsetTop + ". ");
-    }
-
-    var expectedOffset = checkAttribute(output, node, "data-positioned-offset-x");
-    if (expectedOffset) {
-        var actualOffset = node.getBoundingClientRect().left - positionedAncestor(node).getBoundingClientRect().left;
-        if (isNaN(expectedOffset) || Math.abs(actualOffset - expectedOffset) >= 1)
-            failures.push("Expected " + expectedOffset + " for getBoundingClientRect().left offset, but got " + actualOffset + ". ");
-    }
-
-    var expectedOffset = checkAttribute(output, node, "data-positioned-offset-y");
-    if (expectedOffset) {
-        var actualOffset = node.getBoundingClientRect().top - positionedAncestor(node).getBoundingClientRect().top;
-        if (isNaN(expectedOffset) || Math.abs(actualOffset - expectedOffset) >= 1)
-            failures.push("Expected " + expectedOffset + " for getBoundingClientRect().top offset, but got " + actualOffset + ". ");
-    }
-
-    var expectedWidth = checkAttribute(output, node, "data-expected-client-width");
-    if (expectedWidth) {
-        if (isNaN(expectedWidth) || Math.abs(node.clientWidth - expectedWidth) >= 1)
-            failures.push("Expected " + expectedWidth + " for clientWidth, but got " + node.clientWidth + ". ");
-    }
-
-    var expectedHeight = checkAttribute(output, node, "data-expected-client-height");
-    if (expectedHeight) {
-        if (isNaN(expectedHeight) || Math.abs(node.clientHeight - expectedHeight) >= 1)
-            failures.push("Expected " + expectedHeight + " for clientHeight, but got " + node.clientHeight + ". ");
-    }
-
-    var expectedWidth = checkAttribute(output, node, "data-expected-scroll-width");
-    if (expectedWidth) {
-        if (isNaN(expectedWidth) || Math.abs(node.scrollWidth - expectedWidth) >= 1)
-            failures.push("Expected " + expectedWidth + " for scrollWidth, but got " + node.scrollWidth + ". ");
-    }
-
-    var expectedHeight = checkAttribute(output, node, "data-expected-scroll-height");
-    if (expectedHeight) {
-        if (isNaN(expectedHeight) || Math.abs(node.scrollHeight - expectedHeight) >= 1)
-            failures.push("Expected " + expectedHeight + " for scrollHeight, but got " + node.scrollHeight + ". ");
-    }
-
-    var expectedOffset = checkAttribute(output, node, "data-total-x");
-    if (expectedOffset) {
-        var totalLeft = node.clientLeft + node.offsetLeft;
-        if (isNaN(expectedOffset) || Math.abs(totalLeft - expectedOffset) >= 1)
-            failures.push("Expected " + expectedOffset + " for clientLeft+offsetLeft, but got " + totalLeft + ", clientLeft: " + node.clientLeft + ", offsetLeft: " + node.offsetLeft + ". ");
-    }
-
-    var expectedOffset = checkAttribute(output, node, "data-total-y");
-    if (expectedOffset) {
-        var totalTop = node.clientTop + node.offsetTop;
-        if (isNaN(expectedOffset) || Math.abs(totalTop - expectedOffset) >= 1)
-            failures.push("Expected " + expectedOffset + " for clientTop+offsetTop, but got " + totalTop + ", clientTop: " + node.clientTop + ", + offsetTop: " + node.offsetTop + ". ");
-    }
-
-    var expectedDisplay = checkAttribute(output, node, "data-expected-display");
-    if (expectedDisplay) {
-        var actualDisplay = getComputedStyle(node).display;
-        if (actualDisplay != expectedDisplay)
-            failures.push("Expected " + expectedDisplay + " for display, but got " + actualDisplay + ". ");
-    }
-
-    var expectedPaddingTop = checkAttribute(output, node, "data-expected-padding-top");
-    if (expectedPaddingTop) {
-        var actualPaddingTop = getComputedStyle(node).paddingTop;
-        // Trim the unit "px" from the output.
-        actualPaddingTop = actualPaddingTop.substring(0, actualPaddingTop.length - 2);
-        if (actualPaddingTop != expectedPaddingTop)
-            failures.push("Expected " + expectedPaddingTop + " for padding-top, but got " + actualPaddingTop + ". ");
-    }
-
-    var expectedPaddingBottom = checkAttribute(output, node, "data-expected-padding-bottom");
-    if (expectedPaddingBottom) {
-        var actualPaddingBottom = getComputedStyle(node).paddingBottom;
-        // Trim the unit "px" from the output.
-        actualPaddingBottom = actualPaddingBottom.substring(0, actualPaddingBottom.length - 2);
-        if (actualPaddingBottom != expectedPaddingBottom)
-            failures.push("Expected " + expectedPaddingBottom + " for padding-bottom, but got " + actualPaddingBottom + ". ");
-    }
-
-    var expectedPaddingLeft = checkAttribute(output, node, "data-expected-padding-left");
-    if (expectedPaddingLeft) {
-        var actualPaddingLeft = getComputedStyle(node).paddingLeft;
-        // Trim the unit "px" from the output.
-        actualPaddingLeft = actualPaddingLeft.substring(0, actualPaddingLeft.length - 2);
-        if (actualPaddingLeft != expectedPaddingLeft)
-            failures.push("Expected " + expectedPaddingLeft + " for padding-left, but got " + actualPaddingLeft + ". ");
-    }
-
-    var expectedPaddingRight = checkAttribute(output, node, "data-expected-padding-right");
-    if (expectedPaddingRight) {
-        var actualPaddingRight = getComputedStyle(node).paddingRight;
-        // Trim the unit "px" from the output.
-        actualPaddingRight = actualPaddingRight.substring(0, actualPaddingRight.length - 2);
-        if (actualPaddingRight != expectedPaddingRight)
-            failures.push("Expected " + expectedPaddingRight + " for padding-right, but got " + actualPaddingRight + ". ");
-    }
-
-    var expectedMarginTop = checkAttribute(output, node, "data-expected-margin-top");
-    if (expectedMarginTop) {
-        var actualMarginTop = getComputedStyle(node).marginTop;
-        // Trim the unit "px" from the output.
-        actualMarginTop = actualMarginTop.substring(0, actualMarginTop.length - 2);
-        if (actualMarginTop != expectedMarginTop)
-            failures.push("Expected " + expectedMarginTop + " for margin-top, but got " + actualMarginTop + ". ");
-    }
-
-    var expectedMarginBottom = checkAttribute(output, node, "data-expected-margin-bottom");
-    if (expectedMarginBottom) {
-        var actualMarginBottom = getComputedStyle(node).marginBottom;
-        // Trim the unit "px" from the output.
-        actualMarginBottom = actualMarginBottom.substring(0, actualMarginBottom.length - 2);
-        if (actualMarginBottom != expectedMarginBottom)
-            failures.push("Expected " + expectedMarginBottom + " for margin-bottom, but got " + actualMarginBottom + ". ");
-    }
-
-    var expectedMarginLeft = checkAttribute(output, node, "data-expected-margin-left");
-    if (expectedMarginLeft) {
-        var actualMarginLeft = getComputedStyle(node).marginLeft;
-        // Trim the unit "px" from the output.
-        actualMarginLeft = actualMarginLeft.substring(0, actualMarginLeft.length - 2);
-        if (actualMarginLeft != expectedMarginLeft)
-            failures.push("Expected " + expectedMarginLeft + " for margin-left, but got " + actualMarginLeft + ". ");
-    }
-
-    var expectedMarginRight = checkAttribute(output, node, "data-expected-margin-right");
-    if (expectedMarginRight) {
-        var actualMarginRight = getComputedStyle(node).marginRight;
-        // Trim the unit "px" from the output.
-        actualMarginRight = actualMarginRight.substring(0, actualMarginRight.length - 2);
-        if (actualMarginRight != expectedMarginRight)
-            failures.push("Expected " + expectedMarginRight + " for margin-right, but got " + actualMarginRight + ". ");
-    }
-
-    return output.checked;
-}
-
-window.checkLayout = function(selectorList, outputContainer)
-{
-    var result = true;
-    if (!selectorList) {
-        document.body.appendChild(document.createTextNode("You must provide a CSS selector of nodes to check."));
-        return;
-    }
-    var nodes = document.querySelectorAll(selectorList);
-    nodes = Array.prototype.slice.call(nodes);
-    nodes.reverse();
-    var checkedLayout = false;
-    Array.prototype.forEach.call(nodes, function(node) {
-        var failures = [];
-        checkedLayout |= checkExpectedValues(node.parentNode, failures);
-        checkedLayout |= checkSubtreeExpectedValues(node, failures);
-
-        var container = node.parentNode.className == 'container' ? node.parentNode : node;
-
-        var pre = document.createElement('pre');
-        if (failures.length) {
-            pre.className = 'FAIL';
-            result = false;
-        }
-        pre.appendChild(document.createTextNode(failures.length ? "FAIL:\n" + failures.join('\n') + '\n\n' + container.outerHTML : "PASS"));
-
-        var referenceNode = container;
-        if (outputContainer) {
-            if (!outputContainer.lastChild) {
-                // Inserting a text node so we have something to insertAfter.
-                outputContainer.textContent = " ";
-            }
-            referenceNode = outputContainer.lastChild;
-        }
-        insertAfter(pre, referenceNode);
-    });
-
-    if (!checkedLayout) {
-        document.body.appendChild(document.createTextNode("FAIL: No valid data-* attributes found in selector list : " + selectorList));
-        return false;
-    }
-
-    return result;
-}
-
-})();
diff --git a/test/fixtures/wpt/resources/declarative-shadow-dom-polyfill.js b/test/fixtures/wpt/resources/declarative-shadow-dom-polyfill.js
deleted file mode 100644
index 99a3e911eb6336..00000000000000
--- a/test/fixtures/wpt/resources/declarative-shadow-dom-polyfill.js
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Polyfill for attaching shadow trees for declarative Shadow DOM for
- * implementations that do not support declarative Shadow DOM.
- *
- * Note: this polyfill will feature-detect the native feature, and do nothing
- *       if supported.
- *
- * See: https://github.com/whatwg/html/pull/5465
- *
- * root: The root of the subtree in which to upgrade shadow roots
- *
- */
-
-function polyfill_declarative_shadow_dom(root) {
-  if (HTMLTemplateElement.prototype.hasOwnProperty('shadowRootMode'))
-    return;
-  root.querySelectorAll("template[shadowrootmode]").forEach(template => {
-    const mode = template.getAttribute("shadowrootmode");
-    const delegatesFocus = template.hasAttribute("shadowrootdelegatesfocus");
-    const shadowRoot = template.parentNode.attachShadow({ mode, delegatesFocus });
-    shadowRoot.appendChild(template.content);
-    template.remove();
-    polyfill_declarative_shadow_dom(shadowRoot);
-  });
-}
diff --git a/test/fixtures/wpt/resources/idlharness-shadowrealm.js b/test/fixtures/wpt/resources/idlharness-shadowrealm.js
deleted file mode 100644
index 9484ca6f512ad0..00000000000000
--- a/test/fixtures/wpt/resources/idlharness-shadowrealm.js
+++ /dev/null
@@ -1,61 +0,0 @@
-// TODO: it would be nice to support `idl_array.add_objects`
-function fetch_text(url) {
-    return fetch(url).then(function (r) {
-        if (!r.ok) {
-            throw new Error("Error fetching " + url + ".");
-        }
-        return r.text();
-    });
-}
-
-/**
- * idl_test_shadowrealm is a promise_test wrapper that handles the fetching of the IDL, and
- * running the code in a `ShadowRealm`, avoiding repetitive boilerplate.
- *
- * @see https://github.com/tc39/proposal-shadowrealm
- * @param {String[]} srcs Spec name(s) for source idl files (fetched from
- *      /interfaces/{name}.idl).
- * @param {String[]} deps Spec name(s) for dependency idl files (fetched
- *      from /interfaces/{name}.idl). Order is important - dependencies from
- *      each source will only be included if they're already know to be a
- *      dependency (i.e. have already been seen).
- */
-function idl_test_shadowrealm(srcs, deps) {
-    promise_setup(async t => {
-        const realm = new ShadowRealm();
-        // https://github.com/web-platform-tests/wpt/issues/31996
-        realm.evaluate("globalThis.self = globalThis; undefined;");
-
-        realm.evaluate(`
-            globalThis.self.GLOBAL = {
-                isWindow: function() { return false; },
-                isWorker: function() { return false; },
-                isShadowRealm: function() { return true; },
-            }; undefined;
-        `);
-        const specs = await Promise.all(srcs.concat(deps).map(spec => {
-            return fetch_text("/interfaces/" + spec + ".idl");
-        }));
-        const idls = JSON.stringify(specs);
-        await new Promise(
-            realm.evaluate(`(resolve,reject) => {
-                (async () => {
-                    await import("/resources/testharness.js");
-                    await import("/resources/WebIDLParser.js");
-                    await import("/resources/idlharness.js");
-                    const idls = ${idls};
-                    const idl_array = new IdlArray();
-                    for (let i = 0; i < ${srcs.length}; i++) {
-                        idl_array.add_idls(idls[i]);
-                    }
-                    for (let i = ${srcs.length}; i < ${srcs.length + deps.length}; i++) {
-                        idl_array.add_dependency_idls(idls[i]);
-                    }
-                    idl_array.test();
-                })().then(resolve, (e) => reject(e.toString()));
-            }`)
-        );
-        await fetch_tests_from_shadow_realm(realm);
-    });
-}
-// vim: set expandtab shiftwidth=4 tabstop=4 foldmarker=@{,@} foldmethod=marker:
diff --git a/test/fixtures/wpt/resources/idlharness.js b/test/fixtures/wpt/resources/idlharness.js
index 056fcdd4a1076a..2eb710c1827cda 100644
--- a/test/fixtures/wpt/resources/idlharness.js
+++ b/test/fixtures/wpt/resources/idlharness.js
@@ -566,6 +566,7 @@ IdlArray.prototype.is_json_type = function(type)
        case "Uint8ClampedArray":
        case "BigInt64Array":
        case "BigUint64Array":
+       case "Float16Array":
        case "Float32Array":
        case "Float64Array":
        case "ArrayBuffer":
@@ -733,7 +734,7 @@ IdlArray.prototype.test = function()
 
     Object.getOwnPropertyNames(this.members).forEach(function(memberName) {
         var member = this.members[memberName];
-        if (!(member instanceof IdlInterface)) {
+        if (!(member instanceof IdlInterface || member instanceof IdlNamespace)) {
             return;
         }
 
@@ -782,6 +783,10 @@ IdlArray.prototype.merge_partials = function()
         }
         testedPartials.set(parsed_idl.name, partialTestCount);
 
+        if (!self.shouldRunSubTest(partialTestName)) {
+            return;
+        }
+
         if (!parsed_idl.untested) {
             test(function () {
                 assert_true(originalExists, `Original ${parsed_idl.type} should be defined`);
@@ -809,7 +814,7 @@ IdlArray.prototype.merge_partials = function()
         {
             // Special-case "Exposed". Must be a subset of original interface's exposure.
             // Exposed on a partial is the equivalent of having the same Exposed on all nested members.
-            // See https://github.com/heycam/webidl/issues/154 for discrepancy between Exposed and
+            // See https://github.com/heycam/webidl/issues/154 for discrepency between Exposed and
             // other extended attributes on partial interfaces.
             const exposureAttr = parsed_idl.extAttrs.find(a => a.name === "Exposed");
             if (exposureAttr) {
@@ -870,6 +875,7 @@ IdlArray.prototype.merge_mixins = function()
     {
         const lhs = parsed_idl.target;
         const rhs = parsed_idl.includes;
+        const testName = lhs + " includes " + rhs + ": member names are unique";
 
         var errStr = lhs + " includes " + rhs + ", but ";
         if (!(lhs in this.members)) throw errStr + lhs + " is undefined.";
@@ -877,7 +883,7 @@ IdlArray.prototype.merge_mixins = function()
         if (!(rhs in this.members)) throw errStr + rhs + " is undefined.";
         if (!(this.members[rhs] instanceof IdlInterface)) throw errStr + rhs + " is not an interface.";
 
-        if (this.members[rhs].members.length) {
+        if (this.members[rhs].members.length && self.shouldRunSubTest(testName)) {
             test(function () {
                 var clash = this.members[rhs].members.find(function(member) {
                     return this.members[lhs].members.find(function(m) {
@@ -891,7 +897,7 @@ IdlArray.prototype.merge_mixins = function()
                     this.members[lhs].members.push(new IdlInterfaceMember(member));
                 }.bind(this));
                 assert_true(!clash, "member " + (clash && clash.name) + " is unique");
-            }.bind(this), lhs + " includes " + rhs + ": member names are unique");
+            }.bind(this), testName);
         }
     }
     this.includes = [];
@@ -1420,7 +1426,7 @@ IdlInterface.prototype.test = function()
         if (!this.untested)
         {
             subsetTestByKey(this.name, test, function() {
-                assert_false(this.name in self);
+                assert_false(this.name in self, this.name + " interface should not exist");
             }.bind(this), this.name + " interface: existence and properties of interface object");
         }
         return;
@@ -3450,6 +3456,17 @@ IdlNamespace.prototype.test_self = function ()
 
 IdlNamespace.prototype.test = function ()
 {
+    // If the namespace object is not exposed, only test that. Members can't be
+    // tested either
+    if (!this.exposed) {
+        if (!this.untested) {
+            subsetTestByKey(this.name, test, function() {
+                assert_false(this.name in self, this.name + " namespace should not exist");
+            }.bind(this), this.name + " namespace: existence and properties of namespace object");
+        }
+        return;
+    }
+
     if (!this.untested) {
         this.test_self();
     }
@@ -3497,7 +3514,7 @@ function idl_test(srcs, deps, idl_setup_func) {
             "require-exposed"
         ];
         return Promise.all(
-            srcs.concat(deps).map(fetch_spec))
+            srcs.concat(deps).map(globalThis.fetch_spec))
             .then(function(results) {
                 const astArray = results.map(result =>
                     WebIDL2.parse(result.idl, { sourceName: result.spec })
@@ -3538,9 +3555,11 @@ function idl_test(srcs, deps, idl_setup_func) {
             });
     }, 'idl_test setup');
 }
+globalThis.idl_test = idl_test;
 
 /**
  * fetch_spec is a shorthand for a Promise that fetches the spec's content.
+ * Note: ShadowRealm-specific implementation in testharness-shadowrealm-inner.js
  */
 function fetch_spec(spec) {
     var url = '/interfaces/' + spec + '.idl';
diff --git a/test/fixtures/wpt/resources/out-of-scope-test.js b/test/fixtures/wpt/resources/out-of-scope-test.js
new file mode 100644
index 00000000000000..ce24124646dc83
--- /dev/null
+++ b/test/fixtures/wpt/resources/out-of-scope-test.js
@@ -0,0 +1,5 @@
+// Testing that the resolution is correct using `resolve`, as you can't import
+// the same module twice.
+window.outscope_test_result = import.meta.resolve("a");
+window.outscope_test_result2 = import.meta.resolve("../resources/log.sub.js?name=E");
+
diff --git a/test/fixtures/wpt/resources/testdriver-actions.js b/test/fixtures/wpt/resources/testdriver-actions.js
index e550ff0b1dc903..edb4759954d4c3 100644
--- a/test/fixtures/wpt/resources/testdriver-actions.js
+++ b/test/fixtures/wpt/resources/testdriver-actions.js
@@ -32,7 +32,7 @@
    * await actions.send();
    *
    * @param {number} [defaultTickDuration] - The default duration of a
-   * tick. Be default this is set to 16ms, which is one frame time
+   * tick. Be default this is set ot 16ms, which is one frame time
    * based on 60Hz display.
    */
   function Actions(defaultTickDuration=16) {
@@ -290,7 +290,7 @@
     },
 
     /**
-     * Create a keyDown event for the current default key source
+     * Create a keyUp event for the current default key source
      *
      * @param {String} key - Key to release
      * @param {String?} sourceName - Named key source to use or null for the default key source
diff --git a/test/fixtures/wpt/resources/testdriver-actions.js.headers b/test/fixtures/wpt/resources/testdriver-actions.js.headers
new file mode 100644
index 00000000000000..5e8f640c6659d1
--- /dev/null
+++ b/test/fixtures/wpt/resources/testdriver-actions.js.headers
@@ -0,0 +1,2 @@
+Content-Type: text/javascript; charset=utf-8
+Cache-Control: max-age=3600
diff --git a/test/fixtures/wpt/resources/testdriver.js b/test/fixtures/wpt/resources/testdriver.js
index ddf723cb3ee8a5..5b390dedeb72bb 100644
--- a/test/fixtures/wpt/resources/testdriver.js
+++ b/test/fixtures/wpt/resources/testdriver.js
@@ -3,6 +3,26 @@
     var idCounter = 0;
     let testharness_context = null;
 
+    const features = (() => {
+        function getFeatures(scriptSrc) {
+            try {
+                const url = new URL(scriptSrc);
+                return url.searchParams.getAll('feature');
+            } catch (e) {
+                return [];
+            }
+        }
+
+        return getFeatures(document?.currentScript?.src ?? '');
+    })();
+
+    function assertBidiIsEnabled(){
+        if (!features.includes('bidi')) {
+            throw new Error(
+                "`?feature=bidi` is missing when importing testdriver.js but the test is using WebDriver BiDi APIs");
+        }
+    }
+
     function getInViewCenterPoint(rect) {
         var left = Math.max(0, rect.left);
         var right = Math.min(window.innerWidth, rect.right);
@@ -49,6 +69,924 @@
      * @namespace {test_driver}
      */
     window.test_driver = {
+        /**
+         Represents `WebDriver BiDi <https://w3c.github.io/webdriver-bidi>`_ protocol.
+         */
+        bidi: {
+            /**
+             * @typedef {(String|WindowProxy)} Context A browsing context. Can
+             * be specified by its ID (a string) or using a `WindowProxy`
+             * object.
+             */
+            /**
+             * `bluetooth <https://webbluetoothcg.github.io/web-bluetooth>`_ module.
+             */
+            bluetooth: {
+                /**
+                 * Handle a bluetooth device prompt with the given params. Matches the
+                 * `bluetooth.handleRequestDevicePrompt
+                 * <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-handlerequestdeviceprompt-command>`_
+                 * WebDriver BiDi command.
+                 *
+                 * @example
+                 * await test_driver.bidi.bluetooth.handleRequestDevicePrompt({
+                 *     prompt: "pmt-e0a234b",
+                 *     accept: true,
+                 *     device: "dvc-9b3b872"
+                 * });
+                 *
+                 * @param {object} params - Parameters for the command.
+                 * @param {string} params.prompt - The id of a bluetooth device prompt.
+                 * Matches the
+                 * `bluetooth.HandleRequestDevicePromptParameters:prompt <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-handlerequestdeviceprompt-command>`_
+                 * value.
+                 * @param {bool} params.accept - Whether to accept a bluetooth device prompt.
+                 * Matches the
+                 * `bluetooth.HandleRequestDevicePromptAcceptParameters:accept <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-handlerequestdeviceprompt-command>`_
+                 * value.
+                 * @param {string} params.device - The device id from a bluetooth device
+                 * prompt to be accepted. Matches the
+                 * `bluetooth.HandleRequestDevicePromptAcceptParameters:device <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-handlerequestdeviceprompt-command>`_
+                 * value.
+                 * @param {Context} [params.context] The optional context parameter specifies in
+                 * which browsing context the bluetooth device prompt should be handled. If not
+                 * provided, the current browsing context is used.
+                 * @returns {Promise} fulfilled after the bluetooth device prompt
+                 * is handled, or rejected if the operation fails.
+                 */
+                handle_request_device_prompt: function(params) {
+                    return window.test_driver_internal.bidi.bluetooth
+                        .handle_request_device_prompt(params);
+                },
+                /**
+                 * Creates a simulated bluetooth adapter with the given params. Matches the
+                 * `bluetooth.simulateAdapter <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulateAdapter-command>`_
+                 * WebDriver BiDi command.
+                 *
+                 * @example
+                 * await test_driver.bidi.bluetooth.simulate_adapter({
+                 *     state: "powered-on"
+                 * });
+                 *
+                 * @param {object} params - Parameters for the command.
+                 * @param {string} params.state The state of the simulated bluetooth adapter.
+                 * Matches the
+                 * `bluetooth.SimulateAdapterParameters:state <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulateAdapter-command>`_
+                 * value.
+                 * @param {Context} [params.context] The optional context parameter specifies in
+                 * which browsing context the simulated bluetooth adapter should be set. If not
+                 * provided, the current browsing context is used.
+                 * @returns {Promise} fulfilled after the simulated bluetooth adapter is created
+                 * and set, or rejected if the operation fails.
+                 */
+                simulate_adapter: function (params) {
+                    return window.test_driver_internal.bidi.bluetooth.simulate_adapter(params);
+                },
+                /**
+                 * Disables the bluetooth simulation with the given params. Matches the
+                 * `bluetooth.disableSimulation <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-disableSimulation-command>`_
+                 * WebDriver BiDi command.
+                 *
+                 * @example
+                 * await test_driver.bidi.bluetooth.disable_simulation();
+                 *
+                 * @param {object} params - Parameters for the command.
+                 * @param {Context} [params.context] The optional context parameter specifies in
+                 * which browsing context to disable the simulation for. If not provided, the
+                 * current browsing context is used.
+                 * @returns {Promise} fulfilled after the simulation is disabled, or rejected if
+                 * the operation fails.
+                 */
+                disable_simulation: function (params) {
+                    return window.test_driver_internal.bidi.bluetooth.disable_simulation(params);
+                },
+                /**
+                 * Creates a simulated bluetooth peripheral with the given params.
+                 * Matches the
+                 * `bluetooth.simulatePreconnectedPeripheral <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulateconnectedperipheral-command>`_
+                 * WebDriver BiDi command.
+                 *
+                 * @example
+                 * await test_driver.bidi.bluetooth.simulatePreconnectedPeripheral({
+                 *     "address": "09:09:09:09:09:09",
+                 *     "name": "Some Device",
+                 *     "manufacturerData": [{key: 17, data: "AP8BAX8="}],
+                 *     "knownServiceUuids": [
+                 *          "12345678-1234-5678-9abc-def123456789",
+                 *     ],
+                 * });
+                 *
+                 * @param {object} params - Parameters for the command.
+                 * @param {string} params.address - The address of the simulated
+                 * bluetooth peripheral. Matches the
+                 * `bluetooth.SimulatePreconnectedPeripheralParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulateconnectedperipheral-command>`_
+                 * value.
+                 * @param {string} params.name - The name of the simulated bluetooth
+                 * peripheral. Matches the
+                 * `bluetooth.SimulatePreconnectedPeripheralParameters:name <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulateconnectedperipheral-command>`_
+                 * value.
+                 * @param {Array.ManufacturerData} params.manufacturerData - The manufacturerData of the
+                 * simulated bluetooth peripheral. Matches the
+                 * `bluetooth.SimulatePreconnectedPeripheralParameters:manufacturerData <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulateconnectedperipheral-command>`_
+                 * value.
+                 * @param {string} params.knownServiceUuids - The knownServiceUuids of
+                 * the simulated bluetooth peripheral. Matches the
+                 * `bluetooth.SimulatePreconnectedPeripheralParameters:knownServiceUuids <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulateconnectedperipheral-command>`_
+                 * value.
+                 * @param {Context} [params.context] The optional context parameter
+                 * specifies in which browsing context the simulated bluetooth peripheral should be
+                 * set. If not provided, the current browsing context is used.
+                 * @returns {Promise} fulfilled after the simulated bluetooth peripheral is created
+                 * and set, or rejected if the operation fails.
+                 */
+                simulate_preconnected_peripheral: function(params) {
+                    return window.test_driver_internal.bidi.bluetooth
+                        .simulate_preconnected_peripheral(params);
+                },
+                /**
+                 * Simulates a GATT connection response for a given peripheral.
+                 * Matches the `bluetooth.simulateGattConnectionResponse
+                 * <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulategattconnectionresponse-command>`_
+                 * WebDriver BiDi command.
+                 *
+                 * @example
+                 * await test_driver.bidi.bluetooth.simulate_gatt_connection_response({
+                 *     "address": "09:09:09:09:09:09",
+                 *     "code": 0x0
+                 * });
+                 *
+                 * @param {object} params - Parameters for the command.
+                 * @param {string} params.address - The address of the simulated
+                 * bluetooth peripheral. Matches the
+                 * `bluetooth.SimulateGattConnectionResponseParameters:peripheral <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulategattconnectionresponse-command>`_
+                 * value.
+                 * @param {number} params.code - The response code for a GATT connection attempted.
+                 * Matches the
+                 * `bluetooth.SimulateGattConnectionResponseParameters:code <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulategattconnectionresponse-command>`_
+                 * value.
+                 * @param {Context} [params.context] The optional context parameter specifies in
+                 * which browsing context the GATT connection response should be simulated. If not
+                 * provided, the current browsing context is used.
+                 * @returns {Promise} fulfilled after the GATT connection response
+                 * is simulated, or rejected if the operation fails.
+                 */
+                simulate_gatt_connection_response: function(params) {
+                    return window.test_driver_internal.bidi.bluetooth
+                        .simulate_gatt_connection_response(params);
+                },
+                /**
+                 * Simulates a GATT disconnection for a given peripheral.
+                 * Matches the `bluetooth.simulateGattDisconnection
+                 * <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulategattdisconnection-command>`_
+                 * WebDriver BiDi command.
+                 *
+                 * @example
+                 * await test_driver.bidi.bluetooth.simulate_gatt_disconnection({
+                 *     "address": "09:09:09:09:09:09",
+                 * });
+                 *
+                 * @param {object} params - Parameters for the command.
+                 * @param {string} params.address - The address of the simulated
+                 * bluetooth peripheral. Matches the
+                 * `bluetooth.SimulateGattDisconnectionParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulategattdisconnection-command>`_
+                 * value.
+                 * @param {Context} [params.context] The optional context parameter specifies in
+                 * which browsing context the GATT disconnection should be simulated. If not
+                 * provided, the current browsing context is used.
+                 * @returns {Promise} fulfilled after the GATT disconnection
+                 * is simulated, or rejected if the operation fails.
+                 */
+                simulate_gatt_disconnection: function(params) {
+                    return window.test_driver_internal.bidi.bluetooth
+                        .simulate_gatt_disconnection(params);
+                },
+                /**
+                 * Simulates a GATT service.
+                 * Matches the `bluetooth.simulateService
+                 * <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulateservice-command>`_
+                 * WebDriver BiDi command.
+                 *
+                 * @example
+                 * await test_driver.bidi.bluetooth.simulate_service({
+                 *     "address": "09:09:09:09:09:09",
+                 *     "uuid": "0000180d-0000-1000-8000-00805f9b34fb",
+                 *     "type": "add"
+                 * });
+                 *
+                 * @param {object} params - Parameters for the command.
+                 * @param {string} params.address - The address of the simulated bluetooth peripheral this service belongs to.
+                 * Matches the
+                 * `bluetooth.SimulateServiceParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulateservice-command>`_
+                 * value.
+                 * @param {string} params.uuid - The uuid of the simulated GATT service.
+                 * Matches the
+                 * `bluetooth.SimulateServiceParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulateservice-command>`_
+                 * value.
+                 * @param {string} params.type - The type of the GATT service simulation, either "add" or "remove".
+                 * Matches the
+                 * `bluetooth.SimulateServiceParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulateservice-command>`_
+                 * value.
+                 * @param {Context} [params.context] The optional context parameter specifies in
+                 * which browsing context the GATT service should be simulated. If not
+                 * provided, the current browsing context is used.
+                 * @returns {Promise} fulfilled after the GATT service
+                 * is simulated, or rejected if the operation fails.
+                 */
+                simulate_service: function(params) {
+                    return window.test_driver_internal.bidi.bluetooth
+                        .simulate_service(params);
+                },
+                /**
+                 * Simulates a GATT characteristic.
+                 * Matches the `bluetooth.simulateCharacteristic
+                 * <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatecharacteristic-command>`_
+                 * WebDriver BiDi command.
+                 *
+                 * @example
+                 * await test_driver.bidi.bluetooth.simulate_characteristic({
+                 *     "address": "09:09:09:09:09:09",
+                 *    "serviceUuid": "0000180d-0000-1000-8000-00805f9b34fb",
+                 *    "characteristicUuid": "00002a21-0000-1000-8000-00805f9b34fb",
+                 *    "characteristicProperties": {
+                 *      "read": true,
+                 *      "write": true,
+                 *      "notify": true
+                 *    },
+                 *    "type": "add"
+                 * });
+                 *
+                 * @param {object} params - Parameters for the command.
+                 * @param {string} params.address - The address of the simulated bluetooth peripheral the characterisitc belongs to.
+                 * Matches the
+                 * `bluetooth.SimulateCharacteristicParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatecharacteristic-command>`_
+                 * value.
+                 * @param {string} params.serviceUuid - The uuid of the simulated GATT service the characterisitc belongs to.
+                 * Matches the
+                 * `bluetooth.SimulateCharacteristicParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatecharacteristic-command>`_
+                 * value.
+                * @param {string} params.characteristicUuid - The uuid of the simulated GATT characteristic.
+                * Matches the
+                * `bluetooth.SimulateCharacteristicParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatecharacteristic-command>`_
+                * value.
+                * @param {string} params.characteristicProperties - The properties of the simulated GATT characteristic.
+                * Matches the
+                * `bluetooth.SimulateCharacteristicParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatecharacteristic-command>`_
+                * value.
+                * @param {string} params.type - The type of the GATT characterisitc simulation, either "add" or "remove".
+                * Matches the
+                * `bluetooth.SimulateCharacteristicParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatecharacteristic-command>`_
+                * value.
+                * @param {Context} [params.context] The optional context parameter specifies in
+                * which browsing context the GATT characteristic should be simulated. If not
+                * provided, the current browsing context is used.
+                * @returns {Promise} fulfilled after the GATT characteristic
+                * is simulated, or rejected if the operation fails.
+                */
+                simulate_characteristic: function(params) {
+                    return window.test_driver_internal.bidi.bluetooth
+                        .simulate_characteristic(params);
+                },
+                /**
+                 * Simulates a GATT characteristic response.
+                 * Matches the `bluetooth.simulateCharacteristicResponse
+                 * <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatecharacteristicresponse-command>`_
+                 * WebDriver BiDi command.
+                 *
+                 * @example
+                 * await test_driver.bidi.bluetooth.simulate_characteristic({
+                 *     "address": "09:09:09:09:09:09",
+                 *    "serviceUuid": "0000180d-0000-1000-8000-00805f9b34fb",
+                 *    "characteristicUuid": "00002a21-0000-1000-8000-00805f9b34fb",
+                 *    "type": "read",
+                 *    "code": 0,
+                 *    "data": [1, 2]
+                 * });
+                 *
+                 * @param {object} params - Parameters for the command.
+                 * @param {string} params.address - The address of the simulated
+                 * bluetooth peripheral. Matches the
+                 * `bluetooth.SimulateCharacteristicResponseParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatecharacteristicresponse-command>`_
+                 * value.
+                 * @param {string} params.serviceUuid - The uuid of the simulated GATT service the characterisitc belongs to.
+                 * Matches the
+                 * `bluetooth.SimulateCharacteristicResponseParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatecharacteristicresponse-command>`_
+                 * value.
+                * @param {string} params.characteristicUuid - The uuid of the simulated characteristic.
+                * Matches the
+                * `bluetooth.SimulateCharacteristicResponseParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatecharacteristicresponse-command>`_
+                * value.
+                * @param {string} params.type - The type of the simulated GATT characteristic operation."
+                * Can be "read", "write", "subscribe-to-notifications" or "unsubscribe-from-notifications".
+                * Matches the
+                * `bluetooth.SimulateCharacteristicResponseParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatecharacteristicresponse-command>`_
+                * value.
+                * @param {string} params.code - The simulated GATT characteristic response code.
+                * Matches the
+                * `bluetooth.SimulateCharacteristicResponseParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatecharacteristicresponse-command>`_
+                * value.*
+                * @param {string} params.data - The data along with the simulated GATT characteristic response.
+                * Matches the
+                * `bluetooth.SimulateCharacteristicResponseParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatecharacteristicresponse-command>`_
+                * value.**
+                * @param {Context} [params.context] The optional context parameter specifies in
+                * which browsing context the GATT characteristic belongs to. If not
+                * provided, the current browsing context is used.
+                * @returns {Promise} fulfilled after the GATT characteristic
+                * is simulated, or rejected if the operation fails.
+                */
+                simulate_characteristic_response: function(params) {
+                    return window.test_driver_internal.bidi.bluetooth
+                        .simulate_characteristic_response(params);
+                },
+                /**
+                 * Simulates a GATT descriptor.
+                 * Matches the `bluetooth.simulateDescriptor
+                 * <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatedescriptor-command>`_
+                 * WebDriver BiDi command.
+                 *
+                 * @example
+                 * await test_driver.bidi.bluetooth.simulate_descriptor({
+                 *     "address": "09:09:09:09:09:09",
+                 *    "serviceUuid": "0000180d-0000-1000-8000-00805f9b34fb",
+                 *    "characteristicUuid": "00002a21-0000-1000-8000-00805f9b34fb",
+                 *    "descriptorUuid": "00002901-0000-1000-8000-00805f9b34fb",
+                 *    "type": "add"
+                 * });
+                 *
+                 * @param {object} params - Parameters for the command.
+                 * @param {string} params.address - The address of the simulated bluetooth peripheral the descriptor belongs to.
+                 * Matches the
+                 * `bluetooth.SimulateDescriptorParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatedescriptor-command>`_
+                 * value.
+                 * @param {string} params.serviceUuid - The uuid of the simulated GATT service the descriptor belongs to.
+                 * Matches the
+                 * `bluetooth.SimulateDescriptorParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatedescriptor-command>`_
+                 * value.
+                * @param {string} params.characteristicUuid - The uuid of the simulated GATT characterisitc the descriptor belongs to.
+                 * Matches the
+                * `bluetooth.SimulateDescriptorParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatedescriptor-command>`_
+                * value.
+                * @param {string} params.descriptorUuid - The uuid of the simulated GATT descriptor.
+                *  Matches the
+                * `bluetooth.SimulateDescriptorParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatedescriptor-command>`_
+                * value.*
+                * @param {string} params.type - The type of the GATT descriptor simulation, either "add" or "remove".
+                * Matches the
+                * `bluetooth.SimulateDescriptorParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatedescriptor-command>`_
+                * value.
+                * @param {Context} [params.context] The optional context parameter specifies in
+                * which browsing context the GATT descriptor should be simulated. If not
+                * provided, the current browsing context is used.
+                * @returns {Promise} fulfilled after the GATT descriptor
+                * is simulated, or rejected if the operation fails.
+                */
+                simulate_descriptor: function(params) {
+                    return window.test_driver_internal.bidi.bluetooth
+                        .simulate_descriptor(params);
+                },
+                /**
+                 * Simulates a GATT descriptor response.
+                 * Matches the `bluetooth.simulateDescriptorResponse
+                 * <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatedescriptorresponse-command>`_
+                 * WebDriver BiDi command.
+                 *
+                 * @example
+                 * await test_driver.bidi.bluetooth.simulate_descriptor_response({
+                 *     "address": "09:09:09:09:09:09",
+                 *    "serviceUuid": "0000180d-0000-1000-8000-00805f9b34fb",
+                 *    "characteristicUuid": "00002a21-0000-1000-8000-00805f9b34fb",
+                 *    "descriptorUuid": "00002901-0000-1000-8000-00805f9b34fb",
+                 *    "type": "read",
+                 *    "code": 0,
+                 *    "data": [1, 2]
+                 * });
+                 *
+                 * @param {object} params - Parameters for the command.
+                 * @param {string} params.address - The address of the simulated bluetooth peripheral the descriptor belongs to.
+                 * Matches the
+                 * `bluetooth.SimulateDescriptorResponseParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatedescriptorresponse-command>`_
+                 * value.
+                 * @param {string} params.serviceUuid - The uuid of the simulated GATT service the descriptor belongs to.
+                 * Matches the
+                 * `bluetooth.SimulateDescriptorResponseParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatedescriptorresponse-command>`_
+                 * value.
+                 * @param {string} params.characteristicUuid - The uuid of the simulated GATT characterisitc the descriptor belongs to.
+                 * Matches the
+                 * `bluetooth.SimulateDescriptorResponseParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatedescriptorresponse-command>`_
+                 * value.
+                * @param {string} params.descriptorUuid - The uuid of the simulated GATT descriptor.
+                * Matches the
+                * `bluetooth.SimulateDescriptorResponseParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatedescriptorresponse-command>`_
+                * value.
+                * @param {string} params.type - The type of the simulated GATT descriptor operation.
+                * Matches the
+                * `bluetooth.SimulateDescriptorResponseParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatedescriptorresponse-command>`_
+                * value.
+                * @param {string} params.code - The simulated GATT descriptor response code.
+                * Matches the
+                * `bluetooth.SimulateDescriptorResponseParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatedescriptorresponse-command>`_
+                * value.*
+                * @param {string} params.data - The data along with the simulated GATT descriptor response.
+                * Matches the
+                * `bluetooth.SimulateDescriptorResponseParameters:address <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-simulatedescriptorresponse-command>`_
+                * value.**
+                * @param {Context} [params.context] The optional context parameter specifies in
+                * which browsing context the GATT descriptor belongs to. If not
+                * provided, the current browsing context is used.
+                * @returns {Promise} fulfilled after the GATT descriptor response
+                * is simulated, or rejected if the operation fails.
+                */
+                simulate_descriptor_response: function(params) {
+                    return window.test_driver_internal.bidi.bluetooth
+                        .simulate_descriptor_response(params);
+                },
+                /**
+                 * `bluetooth.RequestDevicePromptUpdatedParameters <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-requestdevicepromptupdated-event>`_
+                 * event.
+                 */
+                request_device_prompt_updated: {
+                    /**
+                     * @typedef {object} RequestDevicePromptUpdated
+                     * `bluetooth.RequestDevicePromptUpdatedParameters <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-requestdevicepromptupdated-event>`_
+                     * event.
+                     */
+
+                    /**
+                     * Subscribes to the event. Events will be emitted only if
+                     * there is a subscription for the event. This method does
+                     * not add actual listeners. To listen to the event, use the
+                     * `on` or `once` methods. The buffered events will be
+                     * emitted before the command promise is resolved.
+                     *
+                     * @param {object} [params] Parameters for the subscription.
+                     * @param {null|Array.<(Context)>} [params.contexts] The
+                     * optional contexts parameter specifies which browsing
+                     * contexts to subscribe to the event on. It should be
+                     * either an array of Context objects, or null. If null, the
+                     * event will be subscribed to globally. If omitted, the
+                     * event will be subscribed to on the current browsing
+                     * context.
+                     * @returns {Promise<(function(): Promise<void>)>} Callback
+                     * for unsubscribing from the created subscription.
+                     */
+                    subscribe: async function(params = {}) {
+                        assertBidiIsEnabled();
+                        return window.test_driver_internal.bidi.bluetooth
+                            .request_device_prompt_updated.subscribe(params);
+                    },
+                    /**
+                     * Adds an event listener for the event.
+                     *
+                     * @param {function(RequestDevicePromptUpdated): void} callback The
+                     * callback to be called when the event is emitted. The
+                     * callback is called with the event object as a parameter.
+                     * @returns {function(): void} A function that removes the
+                     * added event listener when called.
+                     */
+                    on: function(callback) {
+                        assertBidiIsEnabled();
+                        return window.test_driver_internal.bidi.bluetooth
+                            .request_device_prompt_updated.on(callback);
+                    },
+                    /**
+                     * Adds an event listener for the event that is only called
+                     * once and removed afterward.
+                     *
+                     * @return {Promise<RequestDevicePromptUpdated>} The promise which
+                     * is resolved with the event object when the event is emitted.
+                     */
+                    once: function() {
+                        assertBidiIsEnabled();
+                        return new Promise(resolve => {
+                            const remove_handler =
+                                window.test_driver_internal.bidi.bluetooth
+                                    .request_device_prompt_updated.on(event => {
+                                    resolve(event);
+                                    remove_handler();
+                                });
+                        });
+                    },
+                },
+                /**
+                 * `bluetooth.GattConnectionAttemptedParameters <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-gattConnectionAttempted-event>`_
+                 * event.
+                 */
+                gatt_connection_attempted: {
+                    /**
+                     * @typedef {object} GattConnectionAttempted
+                     * `bluetooth.GattConnectionAttempted <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-gattConnectionAttempted-event>`_
+                     * event.
+                     */
+
+                    /**
+                     * Subscribes to the event. Events will be emitted only if
+                     * there is a subscription for the event. This method does
+                     * not add actual listeners. To listen to the event, use the
+                     * `on` or `once` methods. The buffered events will be
+                     * emitted before the command promise is resolved.
+                     *
+                     * @param {object} [params] Parameters for the subscription.
+                     * @param {null|Array.<(Context)>} [params.contexts] The
+                     * optional contexts parameter specifies which browsing
+                     * contexts to subscribe to the event on. It should be
+                     * either an array of Context objects, or null. If null, the
+                     * event will be subscribed to globally. If omitted, the
+                     * event will be subscribed to on the current browsing
+                     * context.
+                     * @returns {Promise<(function(): Promise<void>)>} Callback
+                     * for unsubscribing from the created subscription.
+                     */
+                    subscribe: async function(params = {}) {
+                        assertBidiIsEnabled();
+                        return window.test_driver_internal.bidi.bluetooth
+                            .gatt_connection_attempted.subscribe(params);
+                    },
+                    /**
+                     * Adds an event listener for the event.
+                     *
+                     * @param {function(GattConnectionAttempted): void} callback The
+                     * callback to be called when the event is emitted. The
+                     * callback is called with the event object as a parameter.
+                     * @returns {function(): void} A function that removes the
+                     * added event listener when called.
+                     */
+                    on: function(callback) {
+                        assertBidiIsEnabled();
+                        return window.test_driver_internal.bidi.bluetooth
+                            .gatt_connection_attempted.on(callback);
+                    },
+                    /**
+                     * Adds an event listener for the event that is only called
+                     * once and removed afterward.
+                     *
+                     * @return {Promise<GattConnectionAttempted>} The promise which
+                     * is resolved with the event object when the event is emitted.
+                     */
+                    once: function() {
+                        assertBidiIsEnabled();
+                        return new Promise(resolve => {
+                            const remove_handler =
+                                window.test_driver_internal.bidi.bluetooth
+                                    .gatt_connection_attempted.on(event => {
+                                    resolve(event);
+                                    remove_handler();
+                                });
+                        });
+                    },
+                },
+                /**
+                 * `bluetooth.CharacteristicEventGeneratedParameters <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-characteristiceventgenerated-event>`_
+                 * event.
+                 */
+                characteristic_event_generated: {
+                    /**
+                     * @typedef {object} CharacteristicEventGenerated
+                     * `bluetooth.CharacteristicEventGenerated <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-characteristiceventgenerated-event>`_
+                     * event.
+                     */
+
+                    /**
+                     * Subscribes to the event. Events will be emitted only if
+                     * there is a subscription for the event. This method does
+                     * not add actual listeners. To listen to the event, use the
+                     * `on` or `once` methods. The buffered events will be
+                     * emitted before the command promise is resolved.
+                     *
+                     * @param {object} [params] Parameters for the subscription.
+                     * @param {null|Array.<(Context)>} [params.contexts] The
+                     * optional contexts parameter specifies which browsing
+                     * contexts to subscribe to the event on. It should be
+                     * either an array of Context objects, or null. If null, the
+                     * event will be subscribed to globally. If omitted, the
+                     * event will be subscribed to on the current browsing
+                     * context.
+                     * @returns {Promise<(function(): Promise<void>)>} Callback
+                     * for unsubscribing from the created subscription.
+                     */
+                    subscribe: async function(params = {}) {
+                        assertBidiIsEnabled();
+                        return window.test_driver_internal.bidi.bluetooth
+                            .characteristic_event_generated.subscribe(params);
+                    },
+                    /**
+                     * Adds an event listener for the event.
+                     *
+                     * @param {function(CharacteristicEventGenerated): void} callback The
+                     * callback to be called when the event is emitted. The
+                     * callback is called with the event object as a parameter.
+                     * @returns {function(): void} A function that removes the
+                     * added event listener when called.
+                     */
+                    on: function(callback) {
+                        assertBidiIsEnabled();
+                        return window.test_driver_internal.bidi.bluetooth
+                            .characteristic_event_generated.on(callback);
+                    },
+                    /**
+                     * Adds an event listener for the event that is only called
+                     * once and removed afterward.
+                     *
+                     * @return {Promise<CharacteristicEventGenerated>} The promise which
+                     * is resolved with the event object when the event is emitted.
+                     */
+                    once: function() {
+                        assertBidiIsEnabled();
+                        return new Promise(resolve => {
+                            const remove_handler =
+                                window.test_driver_internal.bidi.bluetooth
+                                    .characteristic_event_generated.on(event => {
+                                    resolve(event);
+                                    remove_handler();
+                                });
+                        });
+                    },
+                },
+                /**
+                 * `bluetooth.DescriptorEventGeneratedParameters <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-descriptoreventgenerated-event>`_
+                 * event.
+                 */
+                descriptor_event_generated: {
+                    /**
+                     * @typedef {object} DescriptorEventGenerated
+                     * `bluetooth.DescriptorEventGenerated <https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-descriptoreventgenerated-event>`_
+                     * event.
+                     */
+
+                    /**
+                     * Subscribes to the event. Events will be emitted only if
+                     * there is a subscription for the event. This method does
+                     * not add actual listeners. To listen to the event, use the
+                     * `on` or `once` methods. The buffered events will be
+                     * emitted before the command promise is resolved.
+                     *
+                     * @param {object} [params] Parameters for the subscription.
+                     * @param {null|Array.<(Context)>} [params.contexts] The
+                     * optional contexts parameter specifies which browsing
+                     * contexts to subscribe to the event on. It should be
+                     * either an array of Context objects, or null. If null, the
+                     * event will be subscribed to globally. If omitted, the
+                     * event will be subscribed to on the current browsing
+                     * context.
+                     * @returns {Promise<(function(): Promise<void>)>} Callback
+                     * for unsubscribing from the created subscription.
+                     */
+                    subscribe: async function(params = {}) {
+                        assertBidiIsEnabled();
+                        return window.test_driver_internal.bidi.bluetooth
+                            .descriptor_event_generated.subscribe(params);
+                    },
+                    /**
+                     * Adds an event listener for the event.
+                     *
+                     * @param {function(DescriptorEventGenerated): void} callback The
+                     * callback to be called when the event is emitted. The
+                     * callback is called with the event object as a parameter.
+                     * @returns {function(): void} A function that removes the
+                     * added event listener when called.
+                     */
+                    on: function(callback) {
+                        assertBidiIsEnabled();
+                        return window.test_driver_internal.bidi.bluetooth
+                            .descriptor_event_generated.on(callback);
+                    },
+                    /**
+                     * Adds an event listener for the event that is only called
+                     * once and removed afterward.
+                     *
+                     * @return {Promise<DescriptorEventGenerated>} The promise which
+                     * is resolved with the event object when the event is emitted.
+                     */
+                    once: function() {
+                        assertBidiIsEnabled();
+                        return new Promise(resolve => {
+                            const remove_handler =
+                                window.test_driver_internal.bidi.bluetooth
+                                    .descriptor_event_generated.on(event => {
+                                    resolve(event);
+                                    remove_handler();
+                                });
+                        });
+                    },
+                }
+            },
+            /**
+             * `emulation <https://www.w3.org/TR/webdriver-bidi/#module-emulation>`_ module.
+             */
+            emulation: {
+                /**
+                 * Overrides the geolocation coordinates for the specified
+                 * browsing contexts.
+                 * Matches the `emulation.setGeolocationOverride
+                 * <https://w3c.github.io/webdriver-bidi/#command-emulation-setGeolocationOverride>`_
+                 * WebDriver BiDi command.
+                 *
+                 * @example
+                 * await test_driver.bidi.emulation.set_geolocation_override({
+                 *     coordinates: {
+                 *         latitude: 52.51,
+                 *         longitude: 13.39,
+                 *         accuracy: 0.5,
+                 *         altitude: 34,
+                 *         altitudeAccuracy: 0.75,
+                 *         heading: 180,
+                 *         speed: 2.77
+                 *     }
+                 * });
+                 *
+                 * @param {object} params - Parameters for the command.
+                 * @param {null|object} params.coordinates - The optional
+                 * geolocation coordinates to set. Matches the
+                 * `emulation.GeolocationCoordinates <https://w3c.github.io/webdriver-bidi/#commands-emulationsetgeolocationoverride>`_
+                 * value. If null or omitted and the `params.error` is set, the
+                 * emulation will be removed. Mutually exclusive with
+                 * `params.error`.
+                 * @param {object} params.error - The optional
+                 * geolocation error to emulate. Matches the
+                 * `emulation.GeolocationPositionError <https://w3c.github.io/webdriver-bidi/#commands-emulationsetgeolocationoverride>`_
+                 * value. Mutually exclusive with `params.coordinates`.
+                 * @param {null|Array.<(Context)>} [params.contexts] The
+                 * optional contexts parameter specifies which browsing contexts
+                 * to set the geolocation override on. It should be either an
+                 * array of Context objects (window or browsing context id), or
+                 * null. If null or omitted, the override will be set on the
+                 * current browsing context.
+                 * @returns {Promise<void>} Resolves when the geolocation
+                 * override is successfully set.
+                 */
+                set_geolocation_override: function (params) {
+                    // Ensure the bidi feature is enabled before calling the internal method
+                    assertBidiIsEnabled();
+                    return window.test_driver_internal.bidi.emulation.set_geolocation_override(
+                        params);
+                },
+                /**
+                 * Overrides the locale for the specified browsing contexts.
+                 * Matches the `emulation.setLocaleOverride
+                 * <https://www.w3.org/TR/webdriver-bidi/#commands-emulationsetlocaleoverride>`_
+                 * WebDriver BiDi command.
+                 *
+                 * @example
+                 * await test_driver.bidi.emulation.set_locale_override({
+                 *     locale: 'de-DE'
+                 * });
+                 *
+                 * @param {object} params - Parameters for the command.
+                 * @param {null|string} params.locale - The optional
+                 * locale to set.
+                 * @param {null|Array.<(Context)>} [params.contexts] The
+                 * optional contexts parameter specifies which browsing contexts
+                 * to set the locale override on. It should be either an array
+                 * of Context objects (window or browsing context id), or null.
+                 * If null or omitted, the override will be set on the current
+                 * browsing context.
+                 * @returns {Promise<void>} Resolves when the locale override
+                 * is successfully set.
+                 */
+                set_locale_override: function (params) {
+                    assertBidiIsEnabled();
+                    return window.test_driver_internal.bidi.emulation.set_locale_override(
+                        params);
+                },
+                /**
+                 * Overrides the screen orientation for the specified browsing
+                 * contexts.
+                 * Matches the `emulation.setScreenOrientationOverride
+                 * <https://www.w3.org/TR/webdriver-bidi/#commands-emulationsetscreenorientationoverride>`_
+                 * WebDriver BiDi command.
+                 *
+                 * @example
+                 * await test_driver.bidi.emulation.set_screen_orientation_override({
+                 *     screenOrientation: {
+                 *         natural: 'portrait',
+                 *         type: 'landscape-secondary'
+                 *     }
+                 * });
+                 *
+                 * @param {object} params - Parameters for the command.
+                 * @param {null|object} params.screenOrientation - The optional
+                 * screen orientation. Matches the
+                 * `emulation.ScreenOrientation <https://www.w3.org/TR/webdriver-bidi/#cddl-type-emulationscreenorientation>`_
+                 * type. If null or omitted, the override will be removed.
+                 * @param {null|Array.<(Context)>} [params.contexts] The
+                 * optional contexts parameter specifies which browsing contexts
+                 * to set the screen orientation override on. It should be
+                 * either an array of Context objects (window or browsing
+                 * context id), or null. If null or omitted, the override will
+                 * be set on the current browsing context.
+                 * @returns {Promise<void>} Resolves when the screen orientation
+                 * override is successfully set.
+                 */
+                set_screen_orientation_override: function (params) {
+                    // Ensure the bidi feature is enabled before calling the internal method
+                    assertBidiIsEnabled();
+                    return window.test_driver_internal.bidi.emulation.set_screen_orientation_override(
+                        params);
+                },
+            },
+            /**
+             * `log <https://www.w3.org/TR/webdriver-bidi/#module-log>`_ module.
+             */
+            log: {
+                entry_added: {
+                    /**
+                     * @typedef {object} LogEntryAdded `log.entryAdded <https://www.w3.org/TR/webdriver-bidi/#event-log-entryAdded>`_ event.
+                     */
+
+                    /**
+                     * Subscribes to the event. Events will be emitted only if
+                     * there is a subscription for the event. This method does
+                     * not add actual listeners. To listen to the event, use the
+                     * `on` or `once` methods. The buffered events will be
+                     * emitted before the command promise is resolved.
+                     *
+                     * @param {object} [params] Parameters for the subscription.
+                     * @param {null|Array.<(Context)>} [params.contexts] The
+                     * optional contexts parameter specifies which browsing
+                     * contexts to subscribe to the event on. It should be
+                     * either an array of Context objects, or null. If null, the
+                     * event will be subscribed to globally. If omitted, the
+                     * event will be subscribed to on the current browsing
+                     * context.
+                     * @returns {Promise<(function(): Promise<void>)>} Callback
+                     * for unsubscribing from the created subscription.
+                     */
+                    subscribe: async function (params = {}) {
+                        assertBidiIsEnabled();
+                        return window.test_driver_internal.bidi.log.entry_added.subscribe(params);
+                    },
+                    /**
+                     * Adds an event listener for the event.
+                     *
+                     * @param {function(LogEntryAdded): void} callback The
+                     * callback to be called when the event is emitted. The
+                     * callback is called with the event object as a parameter.
+                     * @returns {function(): void} A function that removes the
+                     * added event listener when called.
+                     */
+                    on: function (callback) {
+                        assertBidiIsEnabled();
+                        return window.test_driver_internal.bidi.log.entry_added.on(callback);
+                    },
+                    /**
+                     * Adds an event listener for the event that is only called
+                     * once and removed afterward.
+                     *
+                     * @return {Promise<LogEntryAdded>} The promise which is resolved
+                     * with the event object when the event is emitted.
+                     */
+                    once: function () {
+                        assertBidiIsEnabled();
+                        return new Promise(resolve => {
+                            const remove_handler = window.test_driver_internal.bidi.log.entry_added.on(
+                                event => {
+                                    resolve(event);
+                                    remove_handler();
+                                });
+                        });
+                    },
+                }
+            },
+            /**
+             * `permissions <https://www.w3.org/TR/permissions/>`_ module.
+             */
+            permissions: {
+                /**
+                 * Sets the state of a permission
+                 *
+                 * This function causes permission requests and queries for the status
+                 * of a certain permission type (e.g. "push", or "background-fetch") to
+                 * always return ``state`` for the specific origin.
+                 *
+                 * Matches the `permissions.setPermission <https://w3c.github.io/permissions/#webdriver-bidi-command-permissions-setPermission>`_
+                 * WebDriver BiDi command.
+                 *
+                 * @example
+                 * await test_driver.bidi.permissions.set_permission({
+                 *     {name: "geolocation"},
+                 *     state: "granted",
+                 * });
+                 *
+                 * @param {object} params - Parameters for the command.
+                 * @param {PermissionDescriptor} params.descriptor - a `PermissionDescriptor
+                 *                               <https://w3c.github.io/permissions/#dom-permissiondescriptor>`_
+                 *                               or derived object.
+                 * @param {PermissionState} params.state - a `PermissionState
+                 *                          <https://w3c.github.io/permissions/#dom-permissionstate>`_
+                 *                          value.
+                 * @param {string} [params.origin] - an optional `origin` string to set the
+                 *                 permission for. If omitted, the permission is set for the
+                 *                 current window's origin.
+                 * @returns {Promise} fulfilled after the permission is set, or rejected if setting
+                 *                    the permission fails.
+                 */
+                set_permission: function (params) {
+                    assertBidiIsEnabled();
+                    return window.test_driver_internal.bidi.permissions.set_permission(
+                        params);
+                }
+            }
+        },
+
         /**
          * Set the context in which testharness.js is loaded
          *
@@ -112,8 +1050,8 @@
             let wait_click = new Promise(resolve => button.addEventListener("click", resolve));
 
             return test_driver.click(button)
-                .then(wait_click)
-                .then(function() {
+                .then(() => wait_click)
+                .then(() => {
                     button.remove();
 
                     if (typeof action === "function") {
@@ -124,11 +1062,10 @@
         },
 
         /**
-         * Triggers a user-initiated click
+         * Triggers a user-initiated mouse click.
          *
-         * If ``element`` isn't inside the
-         * viewport, it will be scrolled into view before the click
-         * occurs.
+         * If ``element`` isn't inside the viewport, it will be
+         * scrolled into view before the click occurs.
          *
          * If ``element`` is from a different browsing context, the
          * command will be run in that context.
@@ -322,7 +1259,7 @@
         /**
          * Minimizes the browser window.
          *
-         * Matches the the behaviour of the `Minimize
+         * Matches the behaviour of the `Minimize
          * <https://www.w3.org/TR/webdriver/#minimize-window>`_
          * WebDriver command
          *
@@ -357,6 +1294,25 @@
             return window.test_driver_internal.set_window_rect(rect, context);
         },
 
+        /**
+         * Gets a rect with the size and position on the screen from the current window state.
+         *
+         * Matches the behaviour of the `Get Window Rect
+         * <https://www.w3.org/TR/webdriver/#get-window-rect>`_
+         * WebDriver command
+         *
+         * @param {WindowProxy} context - Browsing context in which
+         *                                to run the call, or null for the current
+         *                                browsing context.
+         *
+         * @returns {Promise} fulfilled after the window rect is returned, or rejected
+         * in cases the WebDriver command returns errors. Returns a
+         * `WindowRect <https://www.w3.org/TR/webdriver/#dfn-windowrect-object>`_
+         */
+        get_window_rect: function(context=null) {
+            return window.test_driver_internal.get_window_rect(context);
+        },
+
         /**
          * Send a sequence of actions
          *
@@ -647,7 +1603,7 @@
          *
          * This function places `Secure Payment
          * Confirmation <https://w3c.github.io/secure-payment-confirmation>`_ into
-         * an automated 'autoaccept' or 'autoreject' mode, to allow testing
+         * an automated 'autoAccept' or 'autoReject' mode, to allow testing
          * without user interaction with the transaction UX prompt.
          *
          * Matches the `Set SPC Transaction Mode
@@ -667,8 +1623,8 @@
          * @param {String} mode - The `transaction mode
          *                        <https://w3c.github.io/secure-payment-confirmation/#enumdef-transactionautomationmode>`_
          *                        to set. Must be one of "``none``",
-         *                        "``autoaccept``", or
-         *                        "``autoreject``".
+         *                        "``autoAccept``", or
+         *                        "``autoReject``".
          * @param {WindowProxy} context - Browsing context in which
          *                                to run the call, or null for the current
          *                                browsing context.
@@ -680,6 +1636,42 @@
           return window.test_driver_internal.set_spc_transaction_mode(mode, context);
         },
 
+        /**
+         * Sets the current registration automation mode for Register Protocol Handlers.
+         *
+         * This function places `Register Protocol Handlers
+         * <https://html.spec.whatwg.org/multipage/system-state.html#custom-handlers>`_ into
+         * an automated 'autoAccept' or 'autoReject' mode, to allow testing
+         * without user interaction with the transaction UX prompt.
+         *
+         * Matches the `Set Register Protocol Handler Mode
+         * <https://html.spec.whatwg.org/multipage/system-state.html#set-rph-registration-mode>`_
+         * WebDriver command.
+         *
+         * @example
+         * await test_driver.set_rph_registration_mode("autoAccept");
+         * test.add_cleanup(() => {
+         *   return test_driver.set_rph_registration_mode("none");
+         * });
+         *
+         * navigator.registerProtocolHandler('web+soup', 'soup?url=%s');
+         *
+         * @param {String} mode - The `registration mode
+         *                        <https://html.spec.whatwg.org/multipage/system-state.html#registerprotocolhandler()-automation-mode>`_
+         *                        to set. Must be one of "``none``",
+         *                        "``autoAccept``", or
+         *                        "``autoReject``".
+         * @param {WindowProxy} context - Browsing context in which
+         *                                to run the call, or null for the current
+         *                                browsing context.
+         *
+         * @returns {Promise} Fulfilled after the transaction mode has been set,
+         *                    or rejected if setting the mode fails.
+         */
+        set_rph_registration_mode: function(mode, context=null) {
+          return window.test_driver_internal.set_rph_registration_mode(mode, context);
+        },
+
         /**
          * Cancels the Federated Credential Management dialog
          *
@@ -968,6 +1960,215 @@
          */
         get_virtual_sensor_information: function(sensor_type, context=null) {
             return window.test_driver_internal.get_virtual_sensor_information(sensor_type, context);
+        },
+
+        /**
+         * Overrides device posture set by hardware.
+         *
+         * Matches the `Set device posture
+         * <https://w3c.github.io/device-posture/#set-device-posture>`_
+         * WebDriver command.
+         *
+         * @param {String} posture - A `DevicePostureType
+         *                           <https://w3c.github.io/device-posture/#dom-deviceposturetype>`_
+         *                           either "continuous" or "folded".
+         * @param {WindowProxy} [context=null] - Browsing context in which to
+         *                                       run the call, or null for the
+         *                                       current browsing context.
+         *
+         * @returns {Promise} Fulfilled when device posture is set.
+         *                    Rejected in case the WebDriver command errors out
+         *                    (including if a device posture of the given type
+         *                    does not exist).
+         */
+        set_device_posture: function(posture, context=null) {
+            return window.test_driver_internal.set_device_posture(posture, context);
+        },
+
+        /**
+         * Removes device posture override and returns device posture control
+         * back to hardware.
+         *
+         * Matches the `Clear device posture
+         * <https://w3c.github.io/device-posture/#clear-device-posture>`_
+         * WebDriver command.
+         *
+         * @param {WindowProxy} [context=null] - Browsing context in which to
+         *                                       run the call, or null for the
+         *                                       current browsing context.
+         *
+         * @returns {Promise} Fulfilled after the device posture override has
+         *                    been removed. Rejected in case the WebDriver
+         *                    command errors out.
+         */
+        clear_device_posture: function(context=null) {
+            return window.test_driver_internal.clear_device_posture(context);
+        },
+
+        /**
+         * Runs the `bounce tracking timer algorithm
+         * <https://privacycg.github.io/nav-tracking-mitigations/#bounce-tracking-timer>`_,
+         * which removes all hosts from the stateful bounce tracking map, without
+         * regard for the bounce tracking grace period and returns a list of the
+         * deleted hosts.
+         *
+         * Matches the `Run Bounce Tracking Mitigations
+         * <https://privacycg.github.io/nav-tracking-mitigations/#run-bounce-tracking-mitigations-command>`_
+         * WebDriver command.
+         *
+         * @param {WindowProxy} [context=null] - Browsing context in which to
+         *                                       run the call, or null for the
+         *                                       current browsing context.
+         * @returns {Promise} Fulfilled after the bounce tracking timer
+         *                    algorithm has finished running. Returns an array
+         *                    of all hosts that were in the stateful bounce
+         *                    tracking map before deletion occurred.
+         */
+        run_bounce_tracking_mitigations: function (context = null) {
+            return window.test_driver_internal.run_bounce_tracking_mitigations(context);
+        },
+
+        /**
+         * Creates a virtual pressure source.
+         *
+         * Matches the `Create virtual pressure source
+         * <https://w3c.github.io/compute-pressure/#create-virtual-pressure-source>`_
+         * WebDriver command.
+         *
+         * @param {String} source_type - A `virtual pressure source type
+         *                               <https://w3c.github.io/compute-pressure/#dom-pressuresource>`_
+         *                               such as "cpu".
+         * @param {Object} [metadata={}] - Optional parameters described
+         *                                 in `Create virtual pressure source
+         *                                 <https://w3c.github.io/compute-pressure/#create-virtual-pressure-source>`_.
+         * @param {WindowProxy} [context=null] - Browsing context in which to
+         *                                       run the call, or null for the
+         *                                       current browsing context.
+         *
+         * @returns {Promise} Fulfilled when virtual pressure source is created.
+         *                    Rejected in case the WebDriver command errors out
+         *                    (including if a virtual pressure source of the
+         *                    same type already exists).
+         */
+        create_virtual_pressure_source: function(source_type, metadata={}, context=null) {
+            return window.test_driver_internal.create_virtual_pressure_source(source_type, metadata, context);
+        },
+
+        /**
+         * Causes a virtual pressure source to report a new reading.
+         *
+         * Matches the `Update virtual pressure source
+         * <https://w3c.github.io/compute-pressure/?experimental=1#update-virtual-pressure-source>`_
+         * WebDriver command.
+         *
+         * @param {String} source_type - A `virtual pressure source type
+         *                               <https://w3c.github.io/compute-pressure/#dom-pressuresource>`_
+         *                               such as "cpu".
+         * @param {String} sample - A `virtual pressure state
+         *                          <https://w3c.github.io/compute-pressure/#dom-pressurestate>`_
+         *                          such as "critical".
+         * @param {number} own_contribution_estimate - Optional, A `virtual own contribution estimate`
+         *                          <https://w3c.github.io/compute-pressure/?experimental=1#the-owncontributionestimate-attribute>`_
+         * @param {WindowProxy} [context=null] - Browsing context in which to
+         *                                       run the call, or null for the
+         *                                       current browsing context.
+         *
+         * @returns {Promise} Fulfilled after the reading update reaches the
+         *                    virtual pressure source. Rejected in case the
+         *                    WebDriver command errors out (including if a
+         *                    virtual pressure source of the given type does not
+         *                    exist).
+         */
+        update_virtual_pressure_source: function(source_type, sample, own_contribution_estimate, context=null) {
+            return window.test_driver_internal.update_virtual_pressure_source(source_type, sample, own_contribution_estimate, context);
+        },
+
+        /**
+         * Removes created virtual pressure source.
+         *
+         * Matches the `Delete virtual pressure source
+         * <https://w3c.github.io/compute-pressure/#delete-virtual-pressure-source>`_
+         * WebDriver command.
+         *
+         * @param {String} source_type - A `virtual pressure source type
+         *                               <https://w3c.github.io/compute-pressure/#dom-pressuresource>`_
+         *                               such as "cpu".
+         * @param {WindowProxy} [context=null] - Browsing context in which to
+         *                                       run the call, or null for the
+         *                                       current browsing context.
+         *
+         * @returns {Promise} Fulfilled after the virtual pressure source has
+         *                    been removed or if a pressure source of the given
+         *                    type does not exist. Rejected in case the
+         *                    WebDriver command errors out.
+         */
+        remove_virtual_pressure_source: function(source_type, context=null) {
+            return window.test_driver_internal.remove_virtual_pressure_source(source_type, context);
+        },
+
+        /**
+         * Sets which hashes are considered k-anonymous for the Protected
+         * Audience interest group with specified `owner` and `name`.
+         *
+         * Matches the `Set Protected Audience K-Anonymity
+         * <https://wicg.github.io/turtledove/#sctn-automation-set-protected-audience-k-anonymity>
+         * WebDriver command.
+         *
+         *  @param {String} owner - Origin of the owner of the interest group
+         *                          to modify
+         *  @param {String} name -  Name of the interest group to modify
+         *  @param {Array} hashes - An array of strings, each of which is a
+         *                          base64 ecoded hash to consider k-anonymous.
+         *
+         *  @returns {Promise} Fulfilled after the k-anonymity status for the
+         *                     specified Protected Audience interest group has
+         *                     been updated.
+         *
+         */
+        set_protected_audience_k_anonymity: function(owner, name, hashes, context = null) {
+            return window.test_driver_internal.set_protected_audience_k_anonymity(owner, name, hashes, context);
+        },
+
+        /**
+         * Overrides the display features provided by the hardware so the viewport segments
+         * can be emulated.
+         *
+         * Matches the `Set display features
+         * <https://drafts.csswg.org/css-viewport/#set-display-features>`_
+         * WebDriver command.
+         *
+         * @param {Array} features - An array of `DisplayFeatureOverride
+         *                           <https://drafts.csswg.org/css-viewport/#display-feature-override>`.
+         * @param {WindowProxy} [context=null] - Browsing context in which to
+         *                                       run the call, or null for the
+         *                                       current browsing context.
+         *
+         * @returns {Promise} Fulfilled when the display features are set.
+         *                    Rejected in case the WebDriver command errors out
+         *                    (including if the array is malformed).
+         */
+        set_display_features: function(features, context=null) {
+            return window.test_driver_internal.set_display_features(features, context);
+        },
+
+        /**
+         * Removes display features override and returns the control
+         * back to hardware.
+         *
+         * Matches the `Clear display features
+         * <https://drafts.csswg.org/css-viewport/#clear-display-features>`_
+         * WebDriver command.
+         *
+         * @param {WindowProxy} [context=null] - Browsing context in which to
+         *                                       run the call, or null for the
+         *                                       current browsing context.
+         *
+         * @returns {Promise} Fulfilled after the display features override has
+         *                    been removed. Rejected in case the WebDriver
+         *                    command errors out.
+         */
+        clear_display_features: function(context=null) {
+            return window.test_driver_internal.clear_display_features(context);
         }
     };
 
@@ -980,6 +2181,99 @@
          */
         in_automation: false,
 
+        bidi: {
+            bluetooth: {
+                handle_request_device_prompt: function() {
+                    throw new Error(
+                        'bidi.bluetooth.handle_request_device_prompt is not implemented by testdriver-vendor.js');
+                },
+                simulate_adapter: function () {
+                    throw new Error(
+                        "bidi.bluetooth.simulate_adapter is not implemented by testdriver-vendor.js");
+                },
+                disable_simulation: function () {
+                    throw new Error(
+                        "bidi.bluetooth.disable_simulation is not implemented by testdriver-vendor.js");
+                },
+                simulate_preconnected_peripheral: function() {
+                    throw new Error(
+                        'bidi.bluetooth.simulate_preconnected_peripheral is not implemented by testdriver-vendor.js');
+                },
+                request_device_prompt_updated: {
+                    async subscribe() {
+                        throw new Error(
+                            'bidi.bluetooth.request_device_prompt_updated.subscribe is not implemented by testdriver-vendor.js');
+                    },
+                    on() {
+                        throw new Error(
+                            'bidi.bluetooth.request_device_prompt_updated.on is not implemented by testdriver-vendor.js');
+                    }
+                },
+                gatt_connection_attempted: {
+                    async subscribe() {
+                        throw new Error(
+                            'bidi.bluetooth.gatt_connection_attempted.subscribe is not implemented by testdriver-vendor.js');
+                    },
+                    on() {
+                        throw new Error(
+                            'bidi.bluetooth.gatt_connection_attempted.on is not implemented by testdriver-vendor.js');
+                    }
+                },
+                characteristic_event_generated: {
+                    async subscribe() {
+                        throw new Error(
+                            'bidi.bluetooth.characteristic_event_generated.subscribe is not implemented by testdriver-vendor.js');
+                    },
+                    on() {
+                        throw new Error(
+                            'bidi.bluetooth.characteristic_event_generated.on is not implemented by testdriver-vendor.js');
+                    }
+                },
+                descriptor_event_generated: {
+                    async subscribe() {
+                        throw new Error(
+                            'bidi.bluetooth.descriptor_event_generated.subscribe is not implemented by testdriver-vendor.js');
+                    },
+                    on() {
+                        throw new Error(
+                            'bidi.bluetooth.descriptor_event_generated.on is not implemented by testdriver-vendor.js');
+                    }
+                }
+            },
+            emulation: {
+                set_geolocation_override: function (params) {
+                    throw new Error(
+                        "bidi.emulation.set_geolocation_override is not implemented by testdriver-vendor.js");
+                },
+                set_locale_override: function (params) {
+                    throw new Error(
+                        "bidi.emulation.set_locale_override is not implemented by testdriver-vendor.js");
+                },
+                set_screen_orientation_override: function (params) {
+                    throw new Error(
+                        "bidi.emulation.set_screen_orientation_override is not implemented by testdriver-vendor.js");
+                }
+            },
+            log: {
+                entry_added: {
+                    async subscribe() {
+                        throw new Error(
+                            "bidi.log.entry_added.subscribe is not implemented by testdriver-vendor.js");
+                    },
+                    on() {
+                        throw new Error(
+                            "bidi.log.entry_added.on is not implemented by testdriver-vendor.js");
+                    }
+                }
+            },
+            permissions: {
+                async set_permission() {
+                    throw new Error(
+                        "bidi.permissions.set_permission() is not implemented by testdriver-vendor.js");
+                }
+            }
+        },
+
         async click(element, coords) {
             if (this.in_automation) {
                 throw new Error("click() is not implemented by testdriver-vendor.js");
@@ -1002,6 +2296,14 @@
             throw new Error("get_named_cookie() is not implemented by testdriver-vendor.js");
         },
 
+        async get_computed_role(element) {
+            throw new Error("get_computed_role is a testdriver.js function which cannot be run in this context.");
+        },
+
+        async get_computed_name(element) {
+            throw new Error("get_computed_name is a testdriver.js function which cannot be run in this context.");
+        },
+
         async send_keys(element, keys) {
             if (this.in_automation) {
                 throw new Error("send_keys() is not implemented by testdriver-vendor.js");
@@ -1046,6 +2348,10 @@
             throw new Error("set_window_rect() is not implemented by testdriver-vendor.js");
         },
 
+        async get_window_rect(context=null) {
+            throw new Error("get_window_rect() is not implemented by testdriver-vendor.js");
+        },
+
         async action_sequence(actions, context=null) {
             throw new Error("action_sequence() is not implemented by testdriver-vendor.js");
         },
@@ -1094,6 +2400,10 @@
             throw new Error("set_spc_transaction_mode() is not implemented by testdriver-vendor.js");
         },
 
+        set_rph_registration_mode: function(mode, context=null) {
+            return Promise.reject(new Error("unimplemented"));
+        },
+
         async cancel_fedcm_dialog(context=null) {
             throw new Error("cancel_fedcm_dialog() is not implemented by testdriver-vendor.js");
         },
@@ -1140,6 +2450,42 @@
 
         async get_virtual_sensor_information(sensor_type, context=null) {
             throw new Error("get_virtual_sensor_information() is not implemented by testdriver-vendor.js");
+        },
+
+        async set_device_posture(posture, context=null) {
+            throw new Error("set_device_posture() is not implemented by testdriver-vendor.js");
+        },
+
+        async clear_device_posture(context=null) {
+            throw new Error("clear_device_posture() is not implemented by testdriver-vendor.js");
+        },
+
+        async run_bounce_tracking_mitigations(context=null) {
+            throw new Error("run_bounce_tracking_mitigations() is not implemented by testdriver-vendor.js");
+        },
+
+        async create_virtual_pressure_source(source_type, metadata={}, context=null) {
+            throw new Error("create_virtual_pressure_source() is not implemented by testdriver-vendor.js");
+        },
+
+        async update_virtual_pressure_source(source_type, sample, own_contribution_estimate, context=null) {
+            throw new Error("update_virtual_pressure_source() is not implemented by testdriver-vendor.js");
+        },
+
+        async remove_virtual_pressure_source(source_type, context=null) {
+            throw new Error("remove_virtual_pressure_source() is not implemented by testdriver-vendor.js");
+        },
+
+        async set_protected_audience_k_anonymity(owner, name, hashes, context=null) {
+            throw new Error("set_protected_audience_k_anonymity() is not implemented by testdriver-vendor.js");
+        },
+
+        async set_display_features(features, context=null) {
+            throw new Error("set_display_features() is not implemented by testdriver-vendor.js");
+        },
+
+        async clear_display_features(context=null) {
+            throw new Error("clear_display_features() is not implemented by testdriver-vendor.js");
         }
     };
 })();
diff --git a/test/fixtures/wpt/resources/testharness-shadowrealm-audioworkletprocessor.js b/test/fixtures/wpt/resources/testharness-shadowrealm-audioworkletprocessor.js
new file mode 100644
index 00000000000000..a87d9130908f86
--- /dev/null
+++ b/test/fixtures/wpt/resources/testharness-shadowrealm-audioworkletprocessor.js
@@ -0,0 +1,52 @@
+/**
+ * AudioWorkletProcessor intended for hosting a ShadowRealm and running a test
+ * inside of that ShadowRealm.
+ */
+globalThis.TestRunner = class TestRunner extends AudioWorkletProcessor {
+  constructor() {
+    super();
+    this.createShadowRealmAndStartTests();
+  }
+
+  /**
+   * Fetch adaptor function intended as a drop-in replacement for fetchAdaptor()
+   * (see testharness-shadowrealm-outer.js), but it does not assume fetch() is
+   * present in the realm. Instead, it relies on setupFakeFetchOverMessagePort()
+   * having been called on the port on the other side of this.port's channel.
+   */
+  fetchOverPortExecutor(resource) {
+    return (resolve, reject) => {
+      const listener = (event) => {
+        if (typeof event.data !== "string" || !event.data.startsWith("fetchResult::")) {
+          return;
+        }
+
+        const result = event.data.slice("fetchResult::".length);
+        if (result.startsWith("success::")) {
+          resolve(result.slice("success::".length));
+        } else {
+          reject(result.slice("fail::".length));
+        }
+
+        this.port.removeEventListener("message", listener);
+      }
+      this.port.addEventListener("message", listener);
+      this.port.start();
+      this.port.postMessage(`fetchRequest::${resource}`);
+    }
+  }
+
+  /**
+   * Async method, which is patched over in
+   * (test).any.audioworklet-shadowrealm.js; see serve.py
+   */
+  async createShadowRealmAndStartTests() {
+    throw new Error("Forgot to overwrite this method!");
+  }
+
+  /** Overrides AudioWorkletProcessor.prototype.process() */
+  process() {
+    return false;
+  }
+};
+registerProcessor("test-runner", TestRunner);
diff --git a/test/fixtures/wpt/resources/testharness-shadowrealm-inner.js b/test/fixtures/wpt/resources/testharness-shadowrealm-inner.js
new file mode 100644
index 00000000000000..a9bdf9fc76ceea
--- /dev/null
+++ b/test/fixtures/wpt/resources/testharness-shadowrealm-inner.js
@@ -0,0 +1,38 @@
+// testharness file with ShadowRealm utilities to be imported inside ShadowRealm
+
+/**
+ * Set up all properties on the ShadowRealm's global object that tests will
+ * expect to be present.
+ *
+ * @param {string} queryString - string to use as value for location.search,
+ *   used for subsetting some tests
+ * @param {function} fetchAdaptor - a function that takes a resource URI and
+ *   returns a function which itself takes a (resolve, reject) pair from the
+ *   hosting realm, and calls resolve with the text result of fetching the
+ *   resource, or reject with a string indicating the error that occurred
+ */
+globalThis.setShadowRealmGlobalProperties = function (queryString, fetchAdaptor) {
+  globalThis.fetch_json = (resource) => {
+    const executor = fetchAdaptor(resource);
+    return new Promise(executor).then((s) => JSON.parse(s));
+  };
+
+  // Used only by idlharness.js
+  globalThis.fetch_spec = (spec) => {
+    const resource = `/interfaces/${spec}.idl`;
+    const executor = fetchAdaptor(resource);
+    return new Promise(executor).then(
+      idl => ({ spec, idl }),
+      () => {
+        throw new IdlHarnessError(`Error fetching ${resource}.`);
+      });
+  }
+
+  globalThis.location = { search: queryString };
+};
+
+globalThis.GLOBAL = {
+  isWindow: function() { return false; },
+  isWorker: function() { return false; },
+  isShadowRealm: function() { return true; },
+};
diff --git a/test/fixtures/wpt/resources/testharness-shadowrealm-outer.js b/test/fixtures/wpt/resources/testharness-shadowrealm-outer.js
new file mode 100644
index 00000000000000..1affa72c2c56a2
--- /dev/null
+++ b/test/fixtures/wpt/resources/testharness-shadowrealm-outer.js
@@ -0,0 +1,151 @@
+// testharness file with ShadowRealm utilities to be imported in the realm
+// hosting the ShadowRealm
+
+/**
+ * Convenience function for evaluating some async code in the ShadowRealm and
+ * waiting for the result.
+ *
+ * In case of error, this function intentionally exposes the stack trace (if it
+ * is available) to the hosting realm, for debugging purposes.
+ *
+ * @param {ShadowRealm} realm - the ShadowRealm to evaluate the code in
+ * @param {string} asyncBody - the code to evaluate; will be put in the body of
+ *   an async function, and must return a value explicitly if a value is to be
+ *   returned to the hosting realm.
+ */
+globalThis.shadowRealmEvalAsync = function (realm, asyncBody) {
+  return new Promise(realm.evaluate(`
+    (resolve, reject) => {
+      (async () => {
+        ${asyncBody}
+      })().then(resolve, (e) => reject(e.toString() + "\\n" + (e.stack || "")));
+    }
+  `));
+};
+
+/**
+ * Convenience adaptor function for fetch() that can be passed to
+ * setShadowRealmGlobalProperties() (see testharness-shadowrealm-inner.js).
+ * Used to adapt the hosting realm's fetch(), if present, to fetch a resource
+ * and pass its text through the callable boundary to the ShadowRealm.
+ */
+globalThis.fetchAdaptor = (resource) => (resolve, reject) => {
+  fetch(resource)
+    .then(res => res.text())
+    .then(resolve, (e) => reject(e.toString()));
+};
+
+let workerMessagePortPromise;
+/**
+ * Used when the hosting realm is a worker. This value is a Promise that
+ * resolves to a function that posts a message to the worker's message port,
+ * just like postMessage(). The message port is only available asynchronously in
+ * SharedWorkers and ServiceWorkers.
+ */
+globalThis.getPostMessageFunc = async function () {
+  if (typeof postMessage === "function") {
+    return postMessage;  // postMessage available directly in dedicated worker
+  }
+
+  if (workerMessagePortPromise) {
+    return await workerMessagePortPromise;
+  }
+
+  throw new Error("getPostMessageFunc is intended for Worker scopes");
+}
+
+// Port available asynchronously in shared worker, but not via an async func
+let savedResolver;
+if (globalThis.constructor.name === "SharedWorkerGlobalScope") {
+  workerMessagePortPromise = new Promise((resolve) => {
+    savedResolver = resolve;
+  });
+  addEventListener("connect", function (event) {
+    const port = event.ports[0];
+    savedResolver(port.postMessage.bind(port));
+  });
+} else if (globalThis.constructor.name === "ServiceWorkerGlobalScope") {
+  workerMessagePortPromise = new Promise((resolve) => {
+    savedResolver = resolve;
+  });
+  addEventListener("message", (e) => {
+    if (typeof e.data === "object" && e.data !== null && e.data.type === "connect") {
+      const client = e.source;
+      savedResolver(client.postMessage.bind(client));
+    }
+  });
+}
+
+/**
+ * Used when the hosting realm does not permit dynamic import, e.g. in
+ * ServiceWorkers or AudioWorklets. Requires an adaptor function such as
+ * fetchAdaptor() above, or an equivalent if fetch() is not present in the
+ * hosting realm.
+ *
+ * @param {ShadowRealm} realm - the ShadowRealm in which to setup a
+ *   fakeDynamicImport() global function.
+ * @param {function} adaptor - an adaptor function that does what fetchAdaptor()
+ *   does.
+ */
+globalThis.setupFakeDynamicImportInShadowRealm = function(realm, adaptor) {
+  function fetchModuleTextExecutor(url) {
+    return (resolve, reject) => {
+      new Promise(adaptor(url))
+        .then(text => realm.evaluate(text + ";\nundefined"))
+        .then(resolve, (e) => reject(e.toString()));
+    }
+  }
+
+  realm.evaluate(`
+    (fetchModuleTextExecutor) => {
+      globalThis.fakeDynamicImport = function (url) {
+        return new Promise(fetchModuleTextExecutor(url));
+      }
+    }
+  `)(fetchModuleTextExecutor);
+};
+
+/**
+ * Used when the hosting realm does not expose fetch(), i.e. in worklets. The
+ * port on the other side of the channel needs to send messages starting with
+ * 'fetchRequest::' and listen for messages starting with 'fetchResult::'. See
+ * testharness-shadowrealm-audioworkletprocessor.js.
+ *
+ * @param {port} MessagePort - the message port on which to listen for fetch
+ *   requests
+ */
+globalThis.setupFakeFetchOverMessagePort = function (port) {
+  port.addEventListener("message", (event) => {
+    if (typeof event.data !== "string" || !event.data.startsWith("fetchRequest::")) {
+      return;
+    }
+
+    fetch(event.data.slice("fetchRequest::".length))
+      .then(res => res.text())
+      .then(
+        text => port.postMessage(`fetchResult::success::${text}`),
+        error => port.postMessage(`fetchResult::fail::${error}`),
+      );
+  });
+  port.start();
+}
+
+/**
+ * Returns a message suitable for posting with postMessage() that will signal to
+ * the test harness that the tests are finished and there was an error in the
+ * setup code.
+ *
+ * @param {message} any - error
+ */
+globalThis.createSetupErrorResult = function (message) {
+  return {
+    type: "complete",
+    tests: [],
+    asserts: [],
+    status: {
+      status: 1, // TestsStatus.ERROR,
+      message: String(message),
+      stack: typeof message === "object" && message !== null && "stack" in message ? message.stack : undefined,
+    },
+  };
+};
diff --git a/test/fixtures/wpt/resources/testharness.js b/test/fixtures/wpt/resources/testharness.js
index 126ae96423bc83..f495b62458ba75 100644
--- a/test/fixtures/wpt/resources/testharness.js
+++ b/test/fixtures/wpt/resources/testharness.js
@@ -88,10 +88,15 @@
                                                  status: harness_status.structured_clone(),
                                                  asserts: asserts.map(assert => assert.structured_clone())});
                          }]
-        }
+        };
 
         on_event(window, 'load', function() {
+          setTimeout(() => {
             this_obj.all_loaded = true;
+            if (tests.all_done()) {
+              tests.complete();
+            }
+          },0);
         });
 
         on_event(window, 'message', function(event) {
@@ -198,7 +203,7 @@
             }
         });
         this.message_events = new_events;
-    }
+    };
 
     WindowTestEnvironment.prototype.next_default_test_name = function() {
         var suffix = this.name_counter > 0 ? " " + this.name_counter : "";
@@ -220,8 +225,8 @@
     WindowTestEnvironment.prototype.test_timeout = function() {
         var metas = document.getElementsByTagName("meta");
         for (var i = 0; i < metas.length; i++) {
-            if (metas[i].name == "timeout") {
-                if (metas[i].content == "long") {
+            if (metas[i].name === "timeout") {
+                if (metas[i].content === "long") {
                     return settings.harness_timeout.long;
                 }
                 break;
@@ -482,7 +487,7 @@
         this.all_loaded = false;
         this.on_loaded_callback = null;
         Promise.resolve().then(function() {
-            this.all_loaded = true
+            this.all_loaded = true;
             if (this.on_loaded_callback) {
                 this.on_loaded_callback();
             }
@@ -558,7 +563,7 @@
         // The worker object may be from another execution context,
         // so do not use instanceof here.
         return 'ServiceWorker' in global_scope &&
-            Object.prototype.toString.call(worker) == '[object ServiceWorker]';
+            Object.prototype.toString.call(worker) === '[object ServiceWorker]';
     }
 
     var seen_func_name = Object.create(null);
@@ -600,7 +605,7 @@
 
     /**
      * @callback TestFunction
-     * @param {Test} test - The test currently being run.
+     * @param {Test} test - The test currnetly being run.
      * @param {Any[]} args - Additional args to pass to function.
      *
      */
@@ -805,7 +810,7 @@
         return bring_promise_to_current_realm(promise)
             .then(test.unreached_func("Should have rejected: " + description))
             .catch(function(e) {
-                assert_throws_js_impl(constructor, function() { throw e },
+                assert_throws_js_impl(constructor, function() { throw e; },
                                       description, "promise_rejects_js");
             });
     }
@@ -852,16 +857,64 @@
             promise = promiseOrConstructor;
             description = descriptionOrPromise;
             assert(maybeDescription === undefined,
-                   "Too many args pased to no-constructor version of promise_rejects_dom");
+                   "Too many args passed to no-constructor version of promise_rejects_dom, or accidentally explicitly passed undefined");
         }
         return bring_promise_to_current_realm(promise)
             .then(test.unreached_func("Should have rejected: " + description))
             .catch(function(e) {
-                assert_throws_dom_impl(type, function() { throw e }, description,
+                assert_throws_dom_impl(type, function() { throw e; }, description,
                                        "promise_rejects_dom", constructor);
             });
     }
 
+/**
+     * Assert that a `Promise` is rejected with a `QuotaExceededError` with the
+     * expected values.
+     *
+     * For the remaining arguments, there are two ways of calling
+     * `promise_rejects_quotaexceedederror`:
+     *
+     * 1) If the `QuotaExceededError` is expected to come from the
+     *    current global, the second argument should be the promise
+     *    expected to reject, the third and a fourth the expected
+     *    `requested` and `quota` property values, and the fifth,
+     *    optional, argument is the assertion description.
+     *
+     * 2) If the `QuotaExceededError` is expected to come from some
+     *    other global, the second argument should be the
+     *    `QuotaExceededError` constructor from that global, the third
+     *    argument should be the promise expected to reject, the fourth
+     *    and fifth the expected `requested` and `quota` property
+     *    values, and the sixth, optional, argument is the assertion
+     *    description.
+     *
+     */
+    function promise_rejects_quotaexceedederror(test, promiseOrConstructor, requestedOrPromise, quotaOrRequested, descriptionOrQuota, maybeDescription)
+    {
+        let constructor, promise, requested, quota, description;
+        if (typeof promiseOrConstructor === "function" &&
+            promiseOrConstructor.name === "QuotaExceededError") {
+            constructor = promiseOrConstructor;
+            promise = requestedOrPromise;
+            requested = quotaOrRequested;
+            quota = descriptionOrQuota;
+            description = maybeDescription;
+        } else {
+            constructor = self.QuotaExceededError;
+            promise = promiseOrConstructor;
+            requested = requestedOrPromise;
+            quota = quotaOrRequested;
+            description = descriptionOrQuota;
+            assert(maybeDescription === undefined,
+                   "Too many args passed to no-constructor version of promise_rejects_quotaexceedederror");
+        }
+        return bring_promise_to_current_realm(promise)
+            .then(test.unreached_func("Should have rejected: " + description))
+            .catch(function(e) {
+                assert_throws_quotaexceedederror_impl(function() { throw e; }, requested, quota, description, "promise_rejects_quotaexceedederror", constructor);
+            });
+    }
+
     /**
      * Assert that a Promise is rejected with the provided value.
      *
@@ -876,7 +929,7 @@
         return bring_promise_to_current_realm(promise)
             .then(test.unreached_func("Should have rejected: " + description))
             .catch(function(e) {
-                assert_throws_exactly_impl(exception, function() { throw e },
+                assert_throws_exactly_impl(exception, function() { throw e; },
                                            description, "promise_rejects_exactly");
             });
     }
@@ -902,7 +955,7 @@
      */
     function EventWatcher(test, watchedNode, eventTypes, timeoutPromise)
     {
-        if (typeof eventTypes == 'string') {
+        if (typeof eventTypes === 'string') {
             eventTypes = [eventTypes];
         }
 
@@ -967,7 +1020,7 @@
             if (waitingFor) {
                 return Promise.reject('Already waiting for an event or events');
             }
-            if (typeof types == 'string') {
+            if (typeof types === 'string') {
                 types = [types];
             }
             if (options && options.record && options.record === 'all') {
@@ -982,7 +1035,7 @@
 
                     // This should always fail, otherwise we should have
                     // resolved the promise.
-                    assert_true(waitingFor.types.length == 0,
+                    assert_true(waitingFor.types.length === 0,
                                 'Timed out waiting for ' + waitingFor.types.join(', '));
                     var result = recordedEvents;
                     recordedEvents = null;
@@ -1006,13 +1059,13 @@
         /**
          * Stop listening for events
          */
-        function stop_watching() {
+        this.stop_watching = function() {
             for (var i = 0; i < eventTypes.length; i++) {
                 watchedNode.removeEventListener(eventTypes[i], eventHandler, false);
             }
         };
 
-        test._add_cleanup(stop_watching);
+        test._add_cleanup(this.stop_watching);
 
         return this;
     }
@@ -1089,7 +1142,7 @@
     {
         if (typeof func !== "function") {
             tests.set_status(tests.status.ERROR,
-                             "promise_test invoked without a function");
+                             "`promise_setup` invoked without a function");
             tests.complete();
             return;
         }
@@ -1127,7 +1180,7 @@
      *
      * Typically this function is called implicitly on page load; it's
      * only necessary for users to call this when either the
-     * ``explicit_done`` or ``single_page`` properties have been set
+     * ``explicit_done`` or ``single_test`` properties have been set
      * via the :js:func:`setup` function.
      *
      * For single page tests this marks the test as complete and sets its status.
@@ -1196,6 +1249,23 @@
         object.addEventListener(event, callback, false);
     }
 
+    // Internal helper function to provide timeout-like functionality in
+    // environments where there is no setTimeout(). (No timeout ID or
+    // clearTimeout().)
+    function fake_set_timeout(callback, delay) {
+        var p = Promise.resolve();
+        var start = Date.now();
+        var end = start + delay;
+        function check() {
+            if ((end - Date.now()) > 0) {
+                p.then(check);
+            } else {
+                callback();
+            }
+        }
+        p.then(check);
+    }
+
     /**
      * Global version of :js:func:`Test.step_timeout` for use in single page tests.
      *
@@ -1207,7 +1277,8 @@
     function step_timeout(func, timeout) {
         var outer_this = this;
         var args = Array.prototype.slice.call(arguments, 2);
-        return setTimeout(function() {
+        var local_set_timeout = typeof global_scope.setTimeout === "undefined" ? fake_set_timeout : setTimeout;
+        return local_set_timeout(function() {
             func.apply(outer_this, args);
         }, timeout * tests.timeout_multiplier);
     }
@@ -1217,6 +1288,7 @@
     expose(promise_test, 'promise_test');
     expose(promise_rejects_js, 'promise_rejects_js');
     expose(promise_rejects_dom, 'promise_rejects_dom');
+    expose(promise_rejects_quotaexceedederror, 'promise_rejects_quotaexceedederror');
     expose(promise_rejects_exactly, 'promise_rejects_exactly');
     expose(generate_tests, 'generate_tests');
     expose(setup, 'setup');
@@ -1307,6 +1379,15 @@
         "0xffff": "uffff",
     };
 
+    const formatEscapeMap = {
+        "\\": "\\\\",
+        '"': '\\"'
+    };
+    for (const p in replacements) {
+        formatEscapeMap[String.fromCharCode(p)] = "\\" + replacements[p];
+    }
+    const formatEscapePattern = new RegExp(`[${Object.keys(formatEscapeMap).map(k => k === "\\" ? "\\\\" : k).join("")}]`, "g");
+
     /**
      * Convert a value to a nice, human-readable string
      *
@@ -1357,12 +1438,7 @@
 
         switch (typeof val) {
         case "string":
-            val = val.replace(/\\/g, "\\\\");
-            for (var p in replacements) {
-                var replace = "\\" + replacements[p];
-                val = val.replace(RegExp(String.fromCharCode(p), "g"), replace);
-            }
-            return '"' + val.replace(/"/g, '\\"') + '"';
+            return '"' + val.replace(formatEscapePattern, match => formatEscapeMap[match]) + '"';
         case "boolean":
         case "undefined":
             return String(val);
@@ -1373,6 +1449,8 @@
                 return "-0";
             }
             return String(val);
+        case "bigint":
+            return String(val) + 'n';
         case "object":
             if (val === null) {
                 return "null";
@@ -1396,11 +1474,11 @@
                 case Node.COMMENT_NODE:
                     return "Comment node <!--" + truncate(val.data, 60) + "-->";
                 case Node.DOCUMENT_NODE:
-                    return "Document node with " + val.childNodes.length + (val.childNodes.length == 1 ? " child" : " children");
+                    return "Document node with " + val.childNodes.length + (val.childNodes.length === 1 ? " child" : " children");
                 case Node.DOCUMENT_TYPE_NODE:
                     return "DocumentType node";
                 case Node.DOCUMENT_FRAGMENT_NODE:
-                    return "DocumentFragment node with " + val.childNodes.length + (val.childNodes.length == 1 ? " child" : " children");
+                    return "DocumentFragment node with " + val.childNodes.length + (val.childNodes.length === 1 ? " child" : " children");
                 default:
                     return "Node object of unknown type";
                 }
@@ -1744,20 +1822,25 @@
     /**
      * Assert that ``actual`` is a number less than ``expected``.
      *
-     * @param {number} actual - Test value.
-     * @param {number} expected - Number that ``actual`` must be less than.
+     * @param {number|bigint} actual - Test value.
+     * @param {number|bigint} expected - Value that ``actual`` must be less than.
      * @param {string} [description] - Description of the condition being tested.
      */
     function assert_less_than(actual, expected, description)
     {
         /*
-         * Test if a primitive number is less than another
+         * Test if a primitive number (or bigint) is less than another
          */
-        assert(typeof actual === "number",
+        assert(typeof actual === "number" || typeof actual === "bigint",
                "assert_less_than", description,
                "expected a number but got a ${type_actual}",
                {type_actual:typeof actual});
 
+        assert(typeof actual === typeof expected,
+               "assert_less_than", description,
+               "expected a ${type_expected} but got a ${type_actual}",
+               {type_expected:typeof expected, type_actual:typeof actual});
+
         assert(actual < expected,
                "assert_less_than", description,
                "expected a number less than ${expected} but got ${actual}",
@@ -1768,20 +1851,25 @@
     /**
      * Assert that ``actual`` is a number greater than ``expected``.
      *
-     * @param {number} actual - Test value.
-     * @param {number} expected - Number that ``actual`` must be greater than.
+     * @param {number|bigint} actual - Test value.
+     * @param {number|bigint} expected - Value that ``actual`` must be greater than.
      * @param {string} [description] - Description of the condition being tested.
      */
     function assert_greater_than(actual, expected, description)
     {
         /*
-         * Test if a primitive number is greater than another
+         * Test if a primitive number (or bigint) is greater than another
          */
-        assert(typeof actual === "number",
+        assert(typeof actual === "number" || typeof actual === "bigint",
                "assert_greater_than", description,
                "expected a number but got a ${type_actual}",
                {type_actual:typeof actual});
 
+        assert(typeof actual === typeof expected,
+               "assert_greater_than", description,
+               "expected a ${type_expected} but got a ${type_actual}",
+               {type_expected:typeof expected, type_actual:typeof actual});
+
         assert(actual > expected,
                "assert_greater_than", description,
                "expected a number greater than ${expected} but got ${actual}",
@@ -1793,21 +1881,31 @@
      * Assert that ``actual`` is a number greater than ``lower`` and less
      * than ``upper`` but not equal to either.
      *
-     * @param {number} actual - Test value.
-     * @param {number} lower - Number that ``actual`` must be greater than.
-     * @param {number} upper - Number that ``actual`` must be less than.
+     * @param {number|bigint} actual - Test value.
+     * @param {number|bigint} lower - Value that ``actual`` must be greater than.
+     * @param {number|bigint} upper - Value that ``actual`` must be less than.
      * @param {string} [description] - Description of the condition being tested.
      */
     function assert_between_exclusive(actual, lower, upper, description)
     {
         /*
-         * Test if a primitive number is between two others
+         * Test if a primitive number (or bigint) is between two others
          */
-        assert(typeof actual === "number",
+        assert(typeof lower === typeof upper,
+               "assert_between_exclusive", description,
+               "expected lower (${type_lower}) and upper (${type_upper}) types to match (test error)",
+               {type_lower:typeof lower, type_upper:typeof upper});
+
+        assert(typeof actual === "number" || typeof actual === "bigint",
                "assert_between_exclusive", description,
                "expected a number but got a ${type_actual}",
                {type_actual:typeof actual});
 
+        assert(typeof actual === typeof lower,
+               "assert_between_exclusive", description,
+               "expected a ${type_lower} but got a ${type_actual}",
+               {type_lower:typeof lower, type_actual:typeof actual});
+
         assert(actual > lower && actual < upper,
                "assert_between_exclusive", description,
                "expected a number greater than ${lower} " +
@@ -1819,21 +1917,26 @@
     /**
      * Assert that ``actual`` is a number less than or equal to ``expected``.
      *
-     * @param {number} actual - Test value.
-     * @param {number} expected - Number that ``actual`` must be less
+     * @param {number|bigint} actual - Test value.
+     * @param {number|bigint} expected - Value that ``actual`` must be less
      * than or equal to.
      * @param {string} [description] - Description of the condition being tested.
      */
     function assert_less_than_equal(actual, expected, description)
     {
         /*
-         * Test if a primitive number is less than or equal to another
+         * Test if a primitive number (or bigint) is less than or equal to another
          */
-        assert(typeof actual === "number",
+        assert(typeof actual === "number" || typeof actual === "bigint",
                "assert_less_than_equal", description,
                "expected a number but got a ${type_actual}",
                {type_actual:typeof actual});
 
+        assert(typeof actual === typeof expected,
+               "assert_less_than_equal", description,
+               "expected a ${type_expected} but got a ${type_actual}",
+               {type_expected:typeof expected, type_actual:typeof actual});
+
         assert(actual <= expected,
                "assert_less_than_equal", description,
                "expected a number less than or equal to ${expected} but got ${actual}",
@@ -1844,21 +1947,26 @@
     /**
      * Assert that ``actual`` is a number greater than or equal to ``expected``.
      *
-     * @param {number} actual - Test value.
-     * @param {number} expected - Number that ``actual`` must be greater
+     * @param {number|bigint} actual - Test value.
+     * @param {number|bigint} expected - Value that ``actual`` must be greater
      * than or equal to.
      * @param {string} [description] - Description of the condition being tested.
      */
     function assert_greater_than_equal(actual, expected, description)
     {
         /*
-         * Test if a primitive number is greater than or equal to another
+         * Test if a primitive number (or bigint) is greater than or equal to another
          */
-        assert(typeof actual === "number",
+        assert(typeof actual === "number" || typeof actual === "bigint",
                "assert_greater_than_equal", description,
                "expected a number but got a ${type_actual}",
                {type_actual:typeof actual});
 
+        assert(typeof actual === typeof expected,
+               "assert_greater_than_equal", description,
+               "expected a ${type_expected} but got a ${type_actual}",
+               {type_expected:typeof expected, type_actual:typeof actual});
+
         assert(actual >= expected,
                "assert_greater_than_equal", description,
                "expected a number greater than or equal to ${expected} but got ${actual}",
@@ -1870,21 +1978,31 @@
      * Assert that ``actual`` is a number greater than or equal to ``lower`` and less
      * than or equal to ``upper``.
      *
-     * @param {number} actual - Test value.
-     * @param {number} lower - Number that ``actual`` must be greater than or equal to.
-     * @param {number} upper - Number that ``actual`` must be less than or equal to.
+     * @param {number|bigint} actual - Test value.
+     * @param {number|bigint} lower - Value that ``actual`` must be greater than or equal to.
+     * @param {number|bigint} upper - Value that ``actual`` must be less than or equal to.
      * @param {string} [description] - Description of the condition being tested.
      */
     function assert_between_inclusive(actual, lower, upper, description)
     {
         /*
-         * Test if a primitive number is between to two others or equal to either of them
+         * Test if a primitive number (or bigint) is between to two others or equal to either of them
          */
-        assert(typeof actual === "number",
+        assert(typeof lower === typeof upper,
+               "assert_between_inclusive", description,
+               "expected lower (${type_lower}) and upper (${type_upper}) types to match (test error)",
+               {type_lower:typeof lower, type_upper:typeof upper});
+
+        assert(typeof actual === "number" || typeof actual === "bigint",
                "assert_between_inclusive", description,
                "expected a number but got a ${type_actual}",
                {type_actual:typeof actual});
 
+        assert(typeof actual === typeof lower,
+               "assert_between_inclusive", description,
+               "expected a ${type_lower} but got a ${type_actual}",
+               {type_lower:typeof lower, type_actual:typeof actual});
+
         assert(actual >= lower && actual <= upper,
                "assert_between_inclusive", description,
                "expected a number greater than or equal to ${lower} " +
@@ -2009,30 +2127,46 @@
 
 
     /**
-     * Assert that ``object`` has a property named ``property_name`` and that the property is readonly.
+     * Assert that ``object`` has a property named ``property_name`` and that the property is not writable or has no setter.
      *
-     * Note: The implementation tries to update the named property, so
-     * any side effects of updating will be triggered. Users are
-     * encouraged to instead inspect the property descriptor of ``property_name`` on ``object``.
-     *
-     * @param {Object} object - Object that should have the given property in its prototype chain.
+     * @param {Object} object - Object that should have the given (not necessarily own) property.
      * @param {string} property_name - Expected property name.
      * @param {string} [description] - Description of the condition being tested.
      */
     function assert_readonly(object, property_name, description)
     {
-         var initial_value = object[property_name];
-         try {
-             //Note that this can have side effects in the case where
-             //the property has PutForwards
-             object[property_name] = initial_value + "a"; //XXX use some other value here?
-             assert(same_value(object[property_name], initial_value),
-                    "assert_readonly", description,
-                    "changing property ${p} succeeded",
-                    {p:property_name});
-         } finally {
-             object[property_name] = initial_value;
-         }
+        assert(property_name in object,
+               "assert_readonly", description,
+               "property ${p} not found",
+               {p:property_name});
+
+        let desc;
+        while (object && (desc = Object.getOwnPropertyDescriptor(object, property_name)) === undefined) {
+            object = Object.getPrototypeOf(object);
+        }
+
+        assert(desc !== undefined,
+               "assert_readonly", description,
+               "could not find a descriptor for property ${p}",
+               {p:property_name});
+
+        if (desc.hasOwnProperty("value")) {
+            // We're a data property descriptor
+            assert(desc.writable === false, "assert_readonly", description,
+                   "descriptor [[Writable]] expected false got ${actual}", {actual:desc.writable});
+        } else if (desc.hasOwnProperty("get") || desc.hasOwnProperty("set")) {
+            // We're an accessor property descriptor
+            assert(desc.set === undefined, "assert_readonly", description,
+                   "property ${p} is an accessor property with a [[Set]] attribute, cannot test readonly-ness",
+                   {p:property_name});
+        } else {
+            // We're a generic property descriptor
+            // This shouldn't happen, because Object.getOwnPropertyDescriptor
+            // forwards the return value of [[GetOwnProperty]] (P), which must
+            // be a fully populated Property Descriptor or Undefined.
+            assert(false, "assert_readonly", description,
+                   "Object.getOwnPropertyDescriptor must return a fully populated property descriptor");
+        }
     }
     expose_assert(assert_readonly, "assert_readonly");
 
@@ -2078,7 +2212,7 @@
                    {func:func});
 
             // Basic sanity-check on the passed-in constructor
-            assert(typeof constructor == "function",
+            assert(typeof constructor === "function",
                    assertion_type, description,
                    "${constructor} is not a constructor",
                    {constructor:constructor});
@@ -2151,9 +2285,9 @@
             func = funcOrConstructor;
             description = descriptionOrFunc;
             assert(maybeDescription === undefined,
-                   "Too many args pased to no-constructor version of assert_throws_dom");
+                   "Too many args passed to no-constructor version of assert_throws_dom, or accidentally explicitly passed undefined");
         }
-        assert_throws_dom_impl(type, func, description, "assert_throws_dom", constructor)
+        assert_throws_dom_impl(type, func, description, "assert_throws_dom", constructor);
     }
     expose_assert(assert_throws_dom, "assert_throws_dom");
 
@@ -2186,8 +2320,8 @@
                    {func:func});
 
             // Sanity-check our type
-            assert(typeof type == "number" ||
-                   typeof type == "string",
+            assert(typeof type === "number" ||
+                   typeof type === "string",
                    assertion_type, description,
                    "${type} is not a number or string",
                    {type:type});
@@ -2211,7 +2345,6 @@
                 NETWORK_ERR: 'NetworkError',
                 ABORT_ERR: 'AbortError',
                 URL_MISMATCH_ERR: 'URLMismatchError',
-                QUOTA_EXCEEDED_ERR: 'QuotaExceededError',
                 TIMEOUT_ERR: 'TimeoutError',
                 INVALID_NODE_TYPE_ERR: 'InvalidNodeTypeError',
                 DATA_CLONE_ERR: 'DataCloneError'
@@ -2236,7 +2369,6 @@
                 NetworkError: 19,
                 AbortError: 20,
                 URLMismatchError: 21,
-                QuotaExceededError: 22,
                 TimeoutError: 23,
                 InvalidNodeTypeError: 24,
                 DataCloneError: 25,
@@ -2267,12 +2399,19 @@
             if (typeof type === "number") {
                 if (type === 0) {
                     throw new AssertionError('Test bug: ambiguous DOMException code 0 passed to assert_throws_dom()');
-                } else if (!(type in code_name_map)) {
+                }
+                if (type === 22) {
+                    throw new AssertionError('Test bug: QuotaExceededError needs to be tested for using assert_throws_quotaexceedederror()');
+                }
+                if (!(type in code_name_map)) {
                     throw new AssertionError('Test bug: unrecognized DOMException code "' + type + '" passed to assert_throws_dom()');
                 }
                 name = code_name_map[type];
                 required_props.code = type;
             } else if (typeof type === "string") {
+                if (name === "QuotaExceededError") {
+                    throw new AssertionError('Test bug: QuotaExceededError needs to be tested for using assert_throws_quotaexceedederror()');
+                }
                 name = type in codename_name_map ? codename_name_map[type] : type;
                 if (!(name in name_code_map)) {
                     throw new AssertionError('Test bug: unrecognized DOMException code name or name "' + type + '" passed to assert_throws_dom()');
@@ -2307,6 +2446,137 @@
         }
     }
 
+    /**
+     * Assert a `QuotaExceededError` with the expected values is thrown.
+     *
+     * There are two ways of calling `assert_throws_quotaexceedederror`:
+     *
+     * 1) If the `QuotaExceededError` is expected to come from the
+     *    current global, the first argument should be the function
+     *    expected to throw, the second and a third the expected
+     *    `requested` and `quota` property values, and the fourth,
+     *    optional, argument is the assertion description.
+     *
+     * 2) If the `QuotaExceededError` is expected to come from some
+     *    other global, the first argument should be the
+     *    `QuotaExceededError` constructor from that global, the second
+     *    argument should be the function expected to throw, the third
+     *    and fourth the expected `requested` and `quota` property
+     *    values, and the fifth, optional, argument is the assertion
+     *    description.
+     *
+     * For the `requested` and `quota` values, instead of `null` or a
+     * number, the caller can provide a function which determines
+     * whether the value is acceptable by returning a boolean.
+     *
+     */
+    function assert_throws_quotaexceedederror(funcOrConstructor, requestedOrFunc, quotaOrRequested, descriptionOrQuota, maybeDescription)
+    {
+        let constructor, func, requested, quota, description;
+        if (funcOrConstructor.name === "QuotaExceededError") {
+            constructor = funcOrConstructor;
+            func = requestedOrFunc;
+            requested = quotaOrRequested;
+            quota = descriptionOrQuota;
+            description = maybeDescription;
+        } else {
+            constructor = self.QuotaExceededError;
+            func = funcOrConstructor;
+            requested = requestedOrFunc;
+            quota = quotaOrRequested;
+            description = descriptionOrQuota;
+            assert(maybeDescription === undefined,
+                   "Too many args passed to no-constructor version of assert_throws_quotaexceedederror");
+        }
+        assert_throws_quotaexceedederror_impl(func, requested, quota, description, "assert_throws_quotaexceedederror", constructor);
+    }
+    expose_assert(assert_throws_quotaexceedederror, "assert_throws_quotaexceedederror");
+
+    /**
+     * Similar to `assert_throws_quotaexceedederror` but allows
+     * specifying the assertion type
+     * (`"assert_throws_quotaexceedederror"` or
+     * `"promise_rejects_quotaexceedederror"`, in practice). The
+     * `constructor` argument must be the `QuotaExceededError`
+     * constructor from the global we expect the exception to come from.
+     */
+    function assert_throws_quotaexceedederror_impl(func, requested, quota, description, assertion_type, constructor)
+    {
+        try {
+            func.call(this);
+            assert(false, assertion_type, description, "${func} did not throw",
+                   {func});
+        } catch (e) {
+            if (e instanceof AssertionError) {
+                throw e;
+            }
+
+            // Basic sanity-checks on the thrown exception.
+            assert(typeof e === "object",
+                   assertion_type, description,
+                   "${func} threw ${e} with type ${type}, not an object",
+                   {func, e, type:typeof e});
+
+            assert(e !== null,
+                   assertion_type, description,
+                   "${func} threw null, not an object",
+                   {func});
+
+            // Sanity-check our requested and quota.
+            assert(requested === null ||
+                   typeof requested === "number" ||
+                   typeof requested === "function",
+                   assertion_type, description,
+                   "${requested} is not null, a number, or a function",
+                   {requested});
+            assert(quota === null ||
+                   typeof quota === "number" ||
+                   typeof quota === "function",
+                   assertion_type, description,
+                   "${quota} is not null or a number",
+                   {quota});
+
+            const required_props = {
+                code: 22,
+                name: "QuotaExceededError"
+            };
+            if (typeof requested !== "function") {
+                required_props.requested = requested;
+            }
+            if (typeof quota !== "function") {
+                required_props.quota = quota;
+            }
+
+            for (const [prop, expected] of Object.entries(required_props)) {
+                assert(prop in e && e[prop] == expected,
+                       assertion_type, description,
+                       "${func} threw ${e} that is not a correct QuotaExceededError: property ${prop} is equal to ${actual}, expected ${expected}",
+                       {func, e, prop, actual:e[prop], expected});
+            }
+
+            if (typeof requested === "function") {
+                assert(requested(e.requested),
+                       assertion_type, description,
+                       "${func} threw ${e} that is not a correct QuotaExceededError: requested value ${requested} did not pass the requested predicate",
+                       {func, e, requested});
+            }
+            if (typeof quota === "function") {
+                assert(quota(e.quota),
+                       assertion_type, description,
+                       "${func} threw ${e} that is not a correct QuotaExceededError: quota value ${quota} did not pass the quota predicate",
+                       {func, e, quota});
+            }
+
+            // Check that the exception is from the right global.  This check is last
+            // so more specific, and more informative, checks on the properties can
+            // happen in case a totally incorrect exception is thrown.
+            assert(e.constructor === constructor,
+                   assertion_type, description,
+                   "${func} threw an exception from the wrong global",
+                   {func});
+        }
+    }
+
     /**
      * Assert the provided value is thrown.
      *
@@ -2416,7 +2686,7 @@
     function assert_implements(condition, description) {
         assert(!!condition, "assert_implements", description);
     }
-    expose_assert(assert_implements, "assert_implements")
+    expose_assert(assert_implements, "assert_implements");
 
     /**
      * Assert that an optional feature is implemented, based on a 'truthy' condition.
@@ -2530,11 +2800,11 @@
         2: "Timeout",
         3: "Not Run",
         4: "Optional Feature Unsupported",
-    }
+    };
 
     Test.prototype.format_status = function() {
         return this.status_formats[this.status];
-    }
+    };
 
     Test.prototype.structured_clone = function()
     {
@@ -2715,7 +2985,8 @@
     Test.prototype.step_timeout = function(func, timeout) {
         var test_this = this;
         var args = Array.prototype.slice.call(arguments, 2);
-        return setTimeout(this.step_func(function() {
+        var local_set_timeout = typeof global_scope.setTimeout === "undefined" ? fake_set_timeout : setTimeout;
+        return local_set_timeout(this.step_func(function() {
             return func.apply(test_this, args);
         }), timeout * tests.timeout_multiplier);
     };
@@ -2746,6 +3017,7 @@
         var timeout_full = timeout * tests.timeout_multiplier;
         var remaining = Math.ceil(timeout_full / interval);
         var test_this = this;
+        var local_set_timeout = typeof global_scope.setTimeout === 'undefined' ? fake_set_timeout : setTimeout;
 
         const step = test_this.step_func((result) => {
             if (result) {
@@ -2756,7 +3028,7 @@
                            "Timed out waiting on condition");
                 }
                 remaining--;
-                setTimeout(wait_for_inner, interval);
+                local_set_timeout(wait_for_inner, interval);
             }
         });
 
@@ -2842,7 +3114,7 @@
         return new Promise(resolve => {
             this.step_wait_func(cond, resolve, description, timeout, interval);
         });
-    }
+    };
 
     /*
      * Private method for registering cleanup functions. `testharness.js`
@@ -3075,7 +3347,7 @@
             throw new Error("AbortController is not supported in this browser");
         }
         return this._abortController.signal;
-    }
+    };
 
     /**
      * A RemoteTest object mirrors a Test object on a remote worker. The
@@ -3151,11 +3423,11 @@
                 function(callback) {
                     callback();
                 });
-    }
+    };
 
     RemoteTest.prototype.format_status = function() {
         return Test.prototype.status_formats[this.status];
-    }
+    };
 
     /*
      * A RemoteContext listens for test events from a remote test context, such
@@ -3427,7 +3699,7 @@
         this.all_done_callbacks = [];
 
         this.hide_test_state = false;
-        this.pending_remotes = [];
+        this.remotes = [];
 
         this.current_test = null;
         this.asserts_run = [];
@@ -3469,26 +3741,26 @@
         for (var p in properties) {
             if (properties.hasOwnProperty(p)) {
                 var value = properties[p];
-                if (p == "allow_uncaught_exception") {
+                if (p === "allow_uncaught_exception") {
                     this.allow_uncaught_exception = value;
-                } else if (p == "explicit_done" && value) {
+                } else if (p === "explicit_done" && value) {
                     this.wait_for_finish = true;
-                } else if (p == "explicit_timeout" && value) {
+                } else if (p === "explicit_timeout" && value) {
                     this.timeout_length = null;
                     if (this.timeout_id)
                     {
                         clearTimeout(this.timeout_id);
                     }
-                } else if (p == "single_test" && value) {
+                } else if (p === "single_test" && value) {
                     this.set_file_is_test();
-                } else if (p == "timeout_multiplier") {
+                } else if (p === "timeout_multiplier") {
                     this.timeout_multiplier = value;
                     if (this.timeout_length) {
                          this.timeout_length *= this.timeout_multiplier;
                     }
-                } else if (p == "hide_test_state") {
+                } else if (p === "hide_test_state") {
                     this.hide_test_state = value;
-                } else if (p == "output") {
+                } else if (p === "output") {
                     this.output = value;
                 } else if (p === "debug") {
                     settings.debug = value;
@@ -3581,11 +3853,14 @@
 
     Tests.prototype.push = function(test)
     {
+        if (this.phase === this.phases.COMPLETE) {
+            return;
+        }
         if (this.phase < this.phases.HAVE_TESTS) {
             this.start();
         }
         this.num_pending++;
-        test.index = this.tests.push(test);
+        test.index = this.tests.push(test) - 1;
         this.notify_test_state(test);
     };
 
@@ -3598,11 +3873,11 @@
     };
 
     Tests.prototype.all_done = function() {
-        return (this.tests.length > 0 || this.pending_remotes.length > 0) &&
+        return (this.tests.length > 0 || this.remotes.length > 0) &&
                 test_environment.all_loaded &&
                 (this.num_pending === 0 || this.is_aborted) && !this.wait_for_finish &&
                 !this.processing_callbacks &&
-                !this.pending_remotes.some(function(w) { return w.running; });
+                !this.remotes.some(function(w) { return w.running; });
     };
 
     Tests.prototype.start = function() {
@@ -3671,7 +3946,8 @@
                   function(test, testDone)
                   {
                       if (test.phase === test.phases.INITIAL) {
-                          test.phase = test.phases.COMPLETE;
+                          test.phase = test.phases.HAS_RESULT;
+                          test.done();
                           testDone();
                       } else {
                           add_test_done_callback(test, testDone);
@@ -3682,14 +3958,14 @@
     };
 
     Tests.prototype.set_assert = function(assert_name, args) {
-        this.asserts_run.push(new AssertRecord(this.current_test, assert_name, args))
-    }
+        this.asserts_run.push(new AssertRecord(this.current_test, assert_name, args));
+    };
 
     Tests.prototype.set_assert_status = function(index, status, stack) {
         let assert_record = this.asserts_run[index];
         assert_record.status = status;
         assert_record.stack = stack;
-    }
+    };
 
     /**
      * Update the harness status to reflect an unrecoverable harness error that
@@ -3831,7 +4107,7 @@
         }
 
         var remoteContext = this.create_remote_worker(worker);
-        this.pending_remotes.push(remoteContext);
+        this.remotes.push(remoteContext);
         return remoteContext.done;
     };
 
@@ -3854,7 +4130,7 @@
         }
 
         var remoteContext = this.create_remote_window(remote);
-        this.pending_remotes.push(remoteContext);
+        this.remotes.push(remoteContext);
         return remoteContext.done;
     };
 
@@ -4066,8 +4342,8 @@
             } else {
                 var root = output_document.documentElement;
                 var is_html = (root &&
-                               root.namespaceURI == "http://www.w3.org/1999/xhtml" &&
-                               root.localName == "html");
+                               root.namespaceURI === "http://www.w3.org/1999/xhtml" &&
+                               root.localName === "html");
                 var is_svg = (output_document.defaultView &&
                               "SVGSVGElement" in output_document.defaultView &&
                               root instanceof output_document.defaultView.SVGSVGElement);
@@ -4169,11 +4445,7 @@
                                                  status
                                                 ],
                                                ],
-                                               ["button",
-                                                {"onclick": "let evt = new Event('__test_restart'); " +
-                                                 "let canceled = !window.dispatchEvent(evt);" +
-                                                 "if (!canceled) { location.reload() }"},
-                                                "Rerun"]
+                                               ["button", {"id":"rerun"}, "Rerun"]
                                               ]];
 
                                     if (harness_status.status === harness_status.ERROR) {
@@ -4205,6 +4477,13 @@
 
         log.appendChild(render(summary_template, {num_tests:tests.length}, output_document));
 
+        output_document.getElementById("rerun").addEventListener("click",
+            function() {
+                let evt = new Event('__test_restart');
+                let canceled = !window.dispatchEvent(evt);
+                if (!canceled) { location.reload(); }
+            });
+
         forEach(output_document.querySelectorAll("section#summary label"),
                 function(element)
                 {
@@ -4229,18 +4508,6 @@
                              });
                 });
 
-        // This use of innerHTML plus manual escaping is not recommended in
-        // general, but is necessary here for performance.  Using textContent
-        // on each individual <td> adds tens of seconds of execution time for
-        // large test suites (tens of thousands of tests).
-        function escape_html(s)
-        {
-            return s.replace(/\&/g, "&amp;")
-                .replace(/</g, "&lt;")
-                .replace(/"/g, "&quot;")
-                .replace(/'/g, "&#39;");
-        }
-
         function has_assertions()
         {
             for (var i = 0; i < tests.length; i++) {
@@ -4271,81 +4538,63 @@
         });
 
         function get_asserts_output(test) {
+            const asserts_output = render(
+                ["details", {},
+                    ["summary", {}, "Asserts run"],
+                    ["table", {}, ""] ]);
+
             var asserts = asserts_run_by_test.get(test);
             if (!asserts) {
-                return "No asserts ran";
+                asserts_output.querySelector("summary").insertAdjacentText("afterend", "No asserts ran");
+                return asserts_output;
             }
-            rv = "<table>";
-            rv += asserts.map(assert => {
-                var output_fn = "<strong>" + escape_html(assert.assert_name) + "</strong>(";
-                var prefix_len = output_fn.length;
-                var output_args = assert.args;
-                var output_len = output_args.reduce((prev, current) => prev+current, prefix_len);
-                if (output_len[output_len.length - 1] > 50) {
-                    output_args = output_args.map((x, i) =>
-                    (i > 0 ? "  ".repeat(prefix_len) : "" )+ x + (i < output_args.length - 1 ? ",\n" : ""));
-                } else {
-                    output_args = output_args.map((x, i) => x + (i < output_args.length - 1 ? ", " : ""));
-                }
-                output_fn += escape_html(output_args.join(""));
-                output_fn += ')';
-                var output_location;
+
+            const table = asserts_output.querySelector("table");
+            for (const assert of asserts) {
+                const status_class_name = status_class(Test.prototype.status_formats[assert.status]);
+                var output_fn = "(" + assert.args.join(", ") + ")";
                 if (assert.stack) {
-                    output_location = assert.stack.split("\n", 1)[0].replace(/@?\w+:\/\/[^ "\/]+(?::\d+)?/g, " ");
+                    output_fn += "\n";
+                    output_fn += assert.stack.split("\n", 1)[0].replace(/@?\w+:\/\/[^ "\/]+(?::\d+)?/g, " ");
                 }
-                return "<tr class='overall-" +
-                    status_class(Test.prototype.status_formats[assert.status]) + "'>" +
-                    "<td class='" +
-                    status_class(Test.prototype.status_formats[assert.status]) + "'>" +
-                    Test.prototype.status_formats[assert.status] + "</td>" +
-                    "<td><pre>" +
-                    output_fn +
-                    (output_location ? "\n" + escape_html(output_location) : "") +
-                    "</pre></td></tr>";
+                table.appendChild(render(
+                    ["tr", {"class":"overall-" + status_class_name},
+                        ["td", {"class":status_class_name}, Test.prototype.status_formats[assert.status]],
+                        ["td", {}, ["pre", {}, ["strong", {}, assert.assert_name], output_fn]] ]));
             }
-            ).join("\n");
-            rv += "</table>";
-            return rv;
+            return asserts_output;
         }
 
-        log.appendChild(document.createElementNS(xhtml_ns, "section"));
         var assertions = has_assertions();
-        var html = "<h2>Details</h2><table id='results' " + (assertions ? "class='assertions'" : "" ) + ">" +
-            "<thead><tr><th>Result</th><th>Test Name</th>" +
-            (assertions ? "<th>Assertion</th>" : "") +
-            "<th>Message</th></tr></thead>" +
-            "<tbody>";
-        for (var i = 0; i < tests.length; i++) {
-            var test = tests[i];
-            html += '<tr class="overall-' +
-                status_class(test.format_status()) +
-                '">' +
-                '<td class="' +
-                status_class(test.format_status()) +
-                '">' +
-                test.format_status() +
-                "</td><td>" +
-                escape_html(test.name) +
-                "</td><td>" +
-                (assertions ? escape_html(get_assertion(test)) + "</td><td>" : "") +
-                escape_html(test.message ? tests[i].message : " ") +
-                (tests[i].stack ? "<pre>" +
-                 escape_html(tests[i].stack) +
-                 "</pre>": "");
+        const section = render(
+            ["section", {},
+                ["h2", {}, "Details"],
+                ["table", {"id":"results", "class":(assertions ? "assertions" : "")},
+                    ["thead", {},
+                        ["tr", {},
+                            ["th", {}, "Result"],
+                            ["th", {}, "Test Name"],
+                            (assertions ? ["th", {}, "Assertion"] : ""),
+                            ["th", {}, "Message" ]]],
+                    ["tbody", {}]]]);
+
+        const tbody = section.querySelector("tbody");
+        for (const test of tests) {
+            const status = test.format_status();
+            const status_class_name = status_class(status);
+            tbody.appendChild(render(
+                ["tr", {"class":"overall-" + status_class_name},
+                    ["td", {"class":status_class_name}, status],
+                    ["td", {}, test.name],
+                    (assertions ? ["td", {}, get_assertion(test)] : ""),
+                    ["td", {},
+                        test.message ?? "",
+                        ["pre", {}, test.stack ?? ""]]]));
             if (!(test instanceof RemoteTest)) {
-                 html += "<details><summary>Asserts run</summary>" + get_asserts_output(test) + "</details>"
+                tbody.lastChild.lastChild.appendChild(get_asserts_output(test));
             }
-            html += "</td></tr>";
-        }
-        html += "</tbody></table>";
-        try {
-            log.lastChild.innerHTML = html;
-        } catch (e) {
-            log.appendChild(document.createElementNS(xhtml_ns, "p"))
-               .textContent = "Setting innerHTML for the log threw an exception.";
-            log.appendChild(document.createElementNS(xhtml_ns, "pre"))
-               .textContent = html;
         }
+        log.appendChild(section);
     };
 
     /*
@@ -4410,13 +4659,20 @@
     {
         var substitution_re = /\$\{([^ }]*)\}/g;
 
-        function do_substitution(input) {
+        function do_substitution(input)
+        {
             var components = input.split(substitution_re);
             var rv = [];
-            for (var i = 0; i < components.length; i += 2) {
-                rv.push(components[i]);
-                if (components[i + 1]) {
-                    rv.push(String(substitutions[components[i + 1]]));
+            if (components.length === 1) {
+                rv = components;
+            } else if (substitutions) {
+                for (var i = 0; i < components.length; i += 2) {
+                    if (components[i]) {
+                        rv.push(components[i]);
+                    }
+                    if (substitutions[components[i + 1]]) {
+                        rv.push(String(substitutions[components[i + 1]]));
+                    }
                 }
             }
             return rv;
@@ -4532,7 +4788,7 @@
      */
     function AssertionError(message)
     {
-        if (typeof message == "string") {
+        if (typeof message === "string") {
             message = sanitize_unpaired_surrogates(message);
         }
         this.message = message;
@@ -4578,7 +4834,7 @@
         }
 
         return lines.slice(i).join("\n");
-    }
+    };
 
     function OptionalFeatureUnsupportedError(message)
     {
@@ -4767,11 +5023,21 @@
             return META_TITLE;
         }
         if ('location' in global_scope && 'pathname' in location) {
-            return location.pathname.substring(location.pathname.lastIndexOf('/') + 1, location.pathname.indexOf('.'));
+            var filename = location.pathname.substring(location.pathname.lastIndexOf('/') + 1);
+            return filename.substring(0, filename.indexOf('.'));
         }
         return "Untitled";
     }
 
+    /** Fetches a JSON resource and parses it */
+    async function fetch_json(resource) {
+        const response = await fetch(resource);
+        return await response.json();
+    }
+    if (!global_scope.GLOBAL || !global_scope.GLOBAL.isShadowRealm()) {
+        expose(fetch_json, 'fetch_json');
+    }
+
     /**
      * Setup globals
      */
diff --git a/test/fixtures/wpt/resources/testharnessreport.js b/test/fixtures/wpt/resources/testharnessreport.js
index e5cb40fe0ef652..405a2d8b06f00f 100644
--- a/test/fixtures/wpt/resources/testharnessreport.js
+++ b/test/fixtures/wpt/resources/testharnessreport.js
@@ -14,31 +14,6 @@
  * parameters they are called with see testharness.js
  */
 
-function dump_test_results(tests, status) {
-    var results_element = document.createElement("script");
-    results_element.type = "text/json";
-    results_element.id = "__testharness__results__";
-    var test_results = tests.map(function(x) {
-        return {name:x.name, status:x.status, message:x.message, stack:x.stack}
-    });
-    var data = {test:window.location.href,
-                tests:test_results,
-                status: status.status,
-                message: status.message,
-                stack: status.stack};
-    results_element.textContent = JSON.stringify(data);
-
-    // To avoid a HierarchyRequestError with XML documents, ensure that 'results_element'
-    // is inserted at a location that results in a valid document.
-    var parent = document.body
-        ? document.body                 // <body> is required in XHTML documents
-        : document.documentElement;     // fallback for optional <body> in HTML5, SVG, etc.
-
-    parent.appendChild(results_element);
-}
-
-add_completion_callback(dump_test_results);
-
 /* If the parent window has a testharness_properties object,
  * we use this to provide the test settings. This is used by the
  * default in-browser runner to configure the timeout and the
diff --git a/test/fixtures/wpt/resources/web-bluetooth-bidi-test.js b/test/fixtures/wpt/resources/web-bluetooth-bidi-test.js
new file mode 100644
index 00000000000000..3283fef43fc7d2
--- /dev/null
+++ b/test/fixtures/wpt/resources/web-bluetooth-bidi-test.js
@@ -0,0 +1,408 @@
+'use strict'
+
+// Convert `manufacturerData` to an array of bluetooth.BluetoothManufacturerData
+// defined in
+// https://webbluetoothcg.github.io/web-bluetooth/#bluetooth-bidi-definitions.
+function convertToBidiManufacturerData(manufacturerData) {
+  const bidiManufacturerData = [];
+  for (const key in manufacturerData) {
+    bidiManufacturerData.push({
+      key: parseInt(key),
+      data: btoa(String.fromCharCode(...manufacturerData[key]))
+    })
+  }
+  return bidiManufacturerData;
+}
+
+function ArrayToMojoCharacteristicProperties(arr) {
+  const struct = {};
+  arr.forEach(property => {
+    struct[property] = true;
+  });
+  return struct;
+}
+
+class FakeBluetooth {
+  constructor() {
+    this.fake_central_ = null;
+  }
+
+  // Returns a promise that resolves with a FakeCentral that clients can use
+  // to simulate events that a device in the Central/Observer role would
+  // receive as well as monitor the operations performed by the device in the
+  // Central/Observer role.
+  //
+  // A "Central" object would allow its clients to receive advertising events
+  // and initiate connections to peripherals i.e. operations of two roles
+  // defined by the Bluetooth Spec: Observer and Central.
+  // See Bluetooth 4.2 Vol 3 Part C 2.2.2 "Roles when Operating over an
+  // LE Physical Transport".
+  async simulateCentral({state}) {
+    if (this.fake_central_) {
+      throw 'simulateCentral() should only be called once';
+    }
+
+    await test_driver.bidi.bluetooth.simulate_adapter({state: state});
+    this.fake_central_ = new FakeCentral();
+    return this.fake_central_;
+  }
+}
+
+// FakeCentral allows clients to simulate events that a device in the
+// Central/Observer role would receive as well as monitor the operations
+// performed by the device in the Central/Observer role.
+class FakeCentral {
+  constructor() {
+    this.peripherals_ = new Map();
+  }
+
+  // Simulates a peripheral with |address|, |name|, |manufacturerData| and
+  // |known_service_uuids| that has already been connected to the system. If the
+  // peripheral existed already it updates its name, manufacturer data, and
+  // known UUIDs. |known_service_uuids| should be an array of
+  // BluetoothServiceUUIDs
+  // https://webbluetoothcg.github.io/web-bluetooth/#typedefdef-bluetoothserviceuuid
+  //
+  // Platforms offer methods to retrieve devices that have already been
+  // connected to the system or weren't connected through the UA e.g. a user
+  // connected a peripheral through the system's settings. This method is
+  // intended to simulate peripherals that those methods would return.
+  async simulatePreconnectedPeripheral(
+      {address, name, manufacturerData = {}, knownServiceUUIDs = []}) {
+    await test_driver.bidi.bluetooth.simulate_preconnected_peripheral({
+      address: address,
+      name: name,
+      manufacturerData: convertToBidiManufacturerData(manufacturerData),
+      knownServiceUuids:
+          knownServiceUUIDs.map(uuid => BluetoothUUID.getService(uuid))
+    });
+
+    return this.fetchOrCreatePeripheral_(address);
+  }
+
+  // Create a fake_peripheral object from the given address.
+  fetchOrCreatePeripheral_(address) {
+    let peripheral = this.peripherals_.get(address);
+    if (peripheral === undefined) {
+      peripheral = new FakePeripheral(address);
+      this.peripherals_.set(address, peripheral);
+    }
+    return peripheral;
+  }
+}
+
+class FakePeripheral {
+  constructor(address) {
+    this.address = address;
+  }
+
+  // Adds a fake GATT Service with |uuid| to be discovered when discovering
+  // the peripheral's GATT Attributes. Returns a FakeRemoteGATTService
+  // corresponding to this service. |uuid| should be a BluetoothServiceUUIDs
+  // https://webbluetoothcg.github.io/web-bluetooth/#typedefdef-bluetoothserviceuuid
+  async addFakeService({uuid}) {
+    const service_uuid = BluetoothUUID.getService(uuid);
+    await test_driver.bidi.bluetooth.simulate_service({
+      address: this.address,
+      uuid: service_uuid,
+      type: 'add',
+    });
+    return new FakeRemoteGATTService(service_uuid, this.address);
+  }
+
+  // Sets the next GATT Connection request response to |code|. |code| could be
+  // an HCI Error Code from BT 4.2 Vol 2 Part D 1.3 List Of Error Codes or a
+  // number outside that range returned by specific platforms e.g. Android
+  // returns 0x101 to signal a GATT failure
+  // https://developer.android.com/reference/android/bluetooth/BluetoothGatt.html#GATT_FAILURE
+  async setNextGATTConnectionResponse({code}) {
+    const remove_handler =
+        test_driver.bidi.bluetooth.gatt_connection_attempted.on((event) => {
+          if (event.address != this.address) {
+            return;
+          }
+          remove_handler();
+          test_driver.bidi.bluetooth.simulate_gatt_connection_response({
+            address: event.address,
+            code,
+          });
+        });
+  }
+
+  async setNextGATTDiscoveryResponse({code}) {
+    // No-op for Web Bluetooth Bidi test, it will be removed when migration
+    // completes.
+    return Promise.resolve();
+  }
+
+  // Simulates a GATT connection response with |code| from the peripheral.
+  async simulateGATTConnectionResponse(code) {
+    await test_driver.bidi.bluetooth.simulate_gatt_connection_response(
+        {address: this.address, code});
+  }
+
+  // Simulates a GATT disconnection in the peripheral.
+  async simulateGATTDisconnection() {
+    await test_driver.bidi.bluetooth.simulate_gatt_disconnection(
+        {address: this.address});
+  }
+}
+
+class FakeRemoteGATTService {
+  constructor(service_uuid, peripheral_address) {
+    this.service_uuid_ = service_uuid;
+    this.peripheral_address_ = peripheral_address;
+  }
+
+  // Adds a fake GATT Characteristic with |uuid| and |properties|
+  // to this fake service. The characteristic will be found when discovering
+  // the peripheral's GATT Attributes. Returns a FakeRemoteGATTCharacteristic
+  // corresponding to the added characteristic.
+  async addFakeCharacteristic({uuid, properties}) {
+    const characteristic_uuid = BluetoothUUID.getCharacteristic(uuid);
+    await test_driver.bidi.bluetooth.simulate_characteristic({
+      address: this.peripheral_address_,
+      serviceUuid: this.service_uuid_,
+      characteristicUuid: characteristic_uuid,
+      characteristicProperties: ArrayToMojoCharacteristicProperties(properties),
+      type: 'add'
+    });
+    return new FakeRemoteGATTCharacteristic(
+        characteristic_uuid, this.service_uuid_, this.peripheral_address_);
+  }
+
+  // Removes the fake GATT service from its fake peripheral.
+  async remove() {
+    await test_driver.bidi.bluetooth.simulate_service({
+      address: this.peripheral_address_,
+      uuid: this.service_uuid_,
+      type: 'remove'
+    });
+  }
+}
+
+class FakeRemoteGATTCharacteristic {
+  constructor(characteristic_uuid, service_uuid, peripheral_address) {
+    this.characteristic_uuid_ = characteristic_uuid;
+    this.service_uuid_ = service_uuid;
+    this.peripheral_address_ = peripheral_address;
+    this.last_written_value_ = {lastValue: null, lastWriteType: 'none'};
+  }
+
+  // Adds a fake GATT Descriptor with |uuid| to be discovered when
+  // discovering the peripheral's GATT Attributes. Returns a
+  // FakeRemoteGATTDescriptor corresponding to this descriptor. |uuid| should
+  // be a BluetoothDescriptorUUID
+  // https://webbluetoothcg.github.io/web-bluetooth/#typedefdef-bluetoothdescriptoruuid
+  async addFakeDescriptor({uuid}) {
+    const descriptor_uuid = BluetoothUUID.getDescriptor(uuid);
+    await test_driver.bidi.bluetooth.simulate_descriptor({
+      address: this.peripheral_address_,
+      serviceUuid: this.service_uuid_,
+      characteristicUuid: this.characteristic_uuid_,
+      descriptorUuid: descriptor_uuid,
+      type: 'add'
+    });
+    return new FakeRemoteGATTDescriptor(
+        descriptor_uuid, this.characteristic_uuid_, this.service_uuid_,
+        this.peripheral_address_);
+  }
+
+  // Simulate a characteristic for operation |type| with response |code| and
+  // |data|.
+  async simulateResponse(type, code, data) {
+    await test_driver.bidi.bluetooth.simulate_characteristic_response({
+      address: this.peripheral_address_,
+      serviceUuid: this.service_uuid_,
+      characteristicUuid: this.characteristic_uuid_,
+      type,
+      code,
+      data,
+    });
+  }
+
+  // Simulate a characteristic response for read operation with response |code|
+  // and |data|.
+  async simulateReadResponse(code, data) {
+    await this.simulateResponse('read', code, data);
+  }
+
+  // Simulate a characteristic response for write operation with response
+  // |code|.
+  async simulateWriteResponse(code) {
+    await this.simulateResponse('write', code);
+  }
+
+  // Sets the next read response for characteristic to |code| and |value|.
+  // |code| could be a GATT Error Response from
+  // BT 4.2 Vol 3 Part F 3.4.1.1 Error Response or a number outside that range
+  // returned by specific platforms e.g. Android returns 0x101 to signal a GATT
+  // failure.
+  // https://developer.android.com/reference/android/bluetooth/BluetoothGatt.html#GATT_FAILURE
+  async setNextReadResponse(gatt_code, value = null) {
+    if (gatt_code === 0 && value === null) {
+      throw '|value| can\'t be null if read should success.';
+    }
+    if (gatt_code !== 0 && value !== null) {
+      throw '|value| must be null if read should fail.';
+    }
+
+    const remove_handler =
+        test_driver.bidi.bluetooth.characteristic_event_generated.on(
+            (event) => {
+              if (event.address != this.peripheral_address_) {
+                return;
+              }
+              remove_handler();
+              this.simulateReadResponse(gatt_code, value);
+            });
+  }
+
+  // Sets the next write response for this characteristic to |code|. If
+  // writing to a characteristic that only supports 'write-without-response'
+  // the set response will be ignored.
+  // |code| could be a GATT Error Response from
+  // BT 4.2 Vol 3 Part F 3.4.1.1 Error Response or a number outside that range
+  // returned by specific platforms e.g. Android returns 0x101 to signal a GATT
+  // failure.
+  async setNextWriteResponse(gatt_code) {
+    const remove_handler =
+        test_driver.bidi.bluetooth.characteristic_event_generated.on(
+            (event) => {
+              if (event.address != this.peripheral_address_) {
+                return;
+              }
+              this.last_written_value_ = {
+                lastValue: event.data,
+                lastWriteType: event.type
+              };
+              remove_handler();
+              if (event.type == 'write-with-response') {
+                this.simulateWriteResponse(gatt_code);
+              }
+            });
+  }
+
+  // Gets the last successfully written value to the characteristic and its
+  // write type. Write type is one of 'none', 'default-deprecated',
+  // 'with-response', 'without-response'. Returns {lastValue: null,
+  // lastWriteType: 'none'} if no value has yet been written to the
+  // characteristic.
+  async getLastWrittenValue() {
+    return this.last_written_value_;
+  }
+
+  // Removes the fake GATT Characteristic from its fake service.
+  async remove() {
+    await test_driver.bidi.bluetooth.simulate_characteristic({
+      address: this.peripheral_address_,
+      serviceUuid: this.service_uuid_,
+      characteristicUuid: this.characteristic_uuid_,
+      characteristicProperties: undefined,
+      type: 'remove'
+    });
+  }
+}
+
+class FakeRemoteGATTDescriptor {
+  constructor(
+      descriptor_uuid, characteristic_uuid, service_uuid, peripheral_address) {
+    this.descriptor_uuid_ = descriptor_uuid;
+    this.characteristic_uuid_ = characteristic_uuid;
+    this.service_uuid_ = service_uuid;
+    this.peripheral_address_ = peripheral_address;
+    this.last_written_value_ = null;
+  }
+
+  // Simulate a descriptor for operation |type| with response |code| and
+  // |data|.
+  async simulateResponse(type, code, data) {
+    await test_driver.bidi.bluetooth.simulate_descriptor_response({
+      address: this.peripheral_address_,
+      serviceUuid: this.service_uuid_,
+      characteristicUuid: this.characteristic_uuid_,
+      descriptorUuid: this.descriptor_uuid_,
+      type,
+      code,
+      data,
+    });
+  }
+
+  // Simulate a descriptor response for read operation with response |code| and
+  // |data|.
+  async simulateReadResponse(code, data) {
+    await this.simulateResponse('read', code, data);
+  }
+
+  // Simulate a descriptor response for write operation with response |code|.
+  async simulateWriteResponse(code) {
+    await this.simulateResponse('write', code);
+  }
+
+  // Sets the next read response for descriptor to |code| and |value|.
+  // |code| could be a GATT Error Response from
+  // BT 4.2 Vol 3 Part F 3.4.1.1 Error Response or a number outside that range
+  // returned by specific platforms e.g. Android returns 0x101 to signal a GATT
+  // failure.
+  // https://developer.android.com/reference/android/bluetooth/BluetoothGatt.html#GATT_FAILURE
+  async setNextReadResponse(gatt_code, value = null) {
+    if (gatt_code === 0 && value === null) {
+      throw '|value| can\'t be null if read should success.';
+    }
+    if (gatt_code !== 0 && value !== null) {
+      throw '|value| must be null if read should fail.';
+    }
+
+    const remove_handler =
+        test_driver.bidi.bluetooth.descriptor_event_generated.on((event) => {
+          if (event.address != this.peripheral_address_) {
+            return;
+          }
+          remove_handler();
+          this.simulateReadResponse(gatt_code, value);
+        });
+  }
+
+  // Sets the next write response for this descriptor to |code|.
+  // |code| could be a GATT Error Response from
+  // BT 4.2 Vol 3 Part F 3.4.1.1 Error Response or a number outside that range
+  // returned by specific platforms e.g. Android returns 0x101 to signal a GATT
+  // failure.
+  async setNextWriteResponse(gatt_code) {
+    const remove_handler =
+        test_driver.bidi.bluetooth.descriptor_event_generated.on((event) => {
+          if (event.address != this.peripheral_address_) {
+            return;
+          }
+          this.last_written_value_ = {
+            lastValue: event.data,
+            lastWriteType: event.type
+          };
+          remove_handler();
+          if (event.type == 'write-with-response') {
+            this.simulateWriteResponse(gatt_code);
+          }
+        });
+  }
+
+  // Gets the last successfully written value to the descriptor.
+  // Returns null if no value has yet been written to the descriptor.
+  async getLastWrittenValue() {
+    return this.last_written_value_;
+  }
+
+  // Removes the fake GATT Descriptor from its fake characteristic.
+  async remove() {
+    await test_driver.bidi.bluetooth.simulate_descriptor({
+      address: this.peripheral_address_,
+      serviceUuid: this.service_uuid_,
+      characteristicUuid: this.characteristic_uuid_,
+      descriptorUuid: this.descriptor_uuid_,
+      type: 'remove'
+    });
+  }
+}
+
+function initializeBluetoothBidiResources() {
+  navigator.bluetooth.test = new FakeBluetooth();
+}
diff --git a/test/fixtures/wpt/versions.json b/test/fixtures/wpt/versions.json
index 86b594dd5ef9a2..5c4c0305254155 100644
--- a/test/fixtures/wpt/versions.json
+++ b/test/fixtures/wpt/versions.json
@@ -64,7 +64,7 @@
     "path": "resource-timing"
   },
   "resources": {
-    "commit": "1e140d63ec885703ce24b3798abd81912696bb85",
+    "commit": "1d2c5fb36a6e477c8f915bde7eca027be6abe792",
     "path": "resources"
   },
   "streams": {
@@ -96,7 +96,7 @@
     "path": "web-locks"
   },
   "WebCryptoAPI": {
-    "commit": "ab08796857072c5a93e27e0a25effba2e07dad11",
+    "commit": "1d2c5fb36a6e477c8f915bde7eca027be6abe792",
     "path": "WebCryptoAPI"
   },
   "webidl/ecmascript-binding/es-exceptions": {
@@ -108,7 +108,7 @@
     "path": "webmessaging/broadcastchannel"
   },
   "webstorage": {
-    "commit": "1291340aaaa6e73db43b412e47401eca3830c556",
+    "commit": "1d2c5fb36a6e477c8f915bde7eca027be6abe792",
     "path": "webstorage"
   }
 }
diff --git a/test/fixtures/wpt/webstorage/storage_local_setitem_quotaexceedederr.window.js b/test/fixtures/wpt/webstorage/storage_local_setitem_quotaexceedederr.window.js
index fff7d6444a039e..f2f3c4d6887542 100644
--- a/test/fixtures/wpt/webstorage/storage_local_setitem_quotaexceedederr.window.js
+++ b/test/fixtures/wpt/webstorage/storage_local_setitem_quotaexceedederr.window.js
@@ -1,16 +1,18 @@
-test(function() {
+test(t => {
     localStorage.clear();
 
     var index = 0;
     var key = "name";
     var val = "x".repeat(1024);
 
-    assert_throws_dom("QUOTA_EXCEEDED_ERR", function() {
+    t.add_cleanup(() => {
+        localStorage.clear();
+    });
+
+    assert_throws_quotaexceedederror(() => {
         while (true) {
             index++;
             localStorage.setItem("" + key + index, "" + val + index);
         }
-    });
-
-    localStorage.clear();
+    }, null, null);
 }, "Throws QuotaExceededError when the quota has been exceeded");
diff --git a/test/fixtures/wpt/webstorage/storage_session_setitem_quotaexceedederr.window.js b/test/fixtures/wpt/webstorage/storage_session_setitem_quotaexceedederr.window.js
index 42a895470efa62..693c98d29f99fd 100644
--- a/test/fixtures/wpt/webstorage/storage_session_setitem_quotaexceedederr.window.js
+++ b/test/fixtures/wpt/webstorage/storage_session_setitem_quotaexceedederr.window.js
@@ -1,16 +1,18 @@
-test(function() {
+test(t => {
     sessionStorage.clear();
 
     var index = 0;
     var key = "name";
     var val = "x".repeat(1024);
 
-    assert_throws_dom("QUOTA_EXCEEDED_ERR", function() {
+    t.add_cleanup(() => {
+        sessionStorage.clear();
+    });
+
+    assert_throws_quotaexceedederror(() => {
         while (true) {
             index++;
             sessionStorage.setItem("" + key + index, "" + val + index);
         }
-    });
-
-    sessionStorage.clear();
+    }, null, null);
 }, "Throws QuotaExceededError when the quota has been exceeded");
diff --git a/test/fixtures/wpt/webstorage/symbol-props.window.js b/test/fixtures/wpt/webstorage/symbol-props.window.js
index 61dd8f83dc4f5b..8f598d7076909d 100644
--- a/test/fixtures/wpt/webstorage/symbol-props.window.js
+++ b/test/fixtures/wpt/webstorage/symbol-props.window.js
@@ -39,10 +39,10 @@
         Object.defineProperty(storage, key, { "value": "test", "configurable": false });
         assert_equals(storage[key], "test");
         var desc = Object.getOwnPropertyDescriptor(storage, key);
-        assert_true(desc.configurable, "configurable");
+        assert_false(desc.configurable, "configurable");
 
-        assert_true(delete storage[key]);
-        assert_equals(storage[key], undefined);
+        assert_false(delete storage[key]);
+        assert_equals(storage[key], "test");
     }, name + ": defineProperty not configurable");
 
     test(function() {
diff --git a/test/known_issues/test-fs-cp-sync-dereference.js b/test/known_issues/test-fs-cp-sync-dereference.js
new file mode 100644
index 00000000000000..fbb07a8f781520
--- /dev/null
+++ b/test/known_issues/test-fs-cp-sync-dereference.js
@@ -0,0 +1,39 @@
+'use strict';
+
+// Refs: https://github.com/nodejs/node/issues/58939
+//
+// The cpSync function is not correctly handling the `dereference` option.
+// In this test, both the cp and cpSync functions are attempting to copy
+// a file over a symlinked directory. In the cp case it works fine. In the
+// cpSync case it fails with an error.
+
+const common = require('../common');
+
+const {
+  cp,
+  cpSync,
+  mkdirSync,
+  symlinkSync,
+  writeFileSync,
+} = require('fs');
+
+const {
+  join,
+} = require('path');
+
+const tmpdir = require('../common/tmpdir');
+tmpdir.refresh();
+
+const pathA = join(tmpdir.path, 'a');
+const pathB = join(tmpdir.path, 'b');
+const pathC = join(tmpdir.path, 'c');
+const pathD = join(tmpdir.path, 'd');
+
+writeFileSync(pathA, 'file a');
+mkdirSync(pathB);
+symlinkSync(pathB, pathC, 'dir');
+symlinkSync(pathB, pathD, 'dir');
+
+cp(pathA, pathD, { dereference: false }, common.mustSucceed());
+
+cpSync(pathA, pathC, { dereference: false });
diff --git a/test/message/assert_throws_stack.out b/test/message/assert_throws_stack.out
index 897ddf36a04eb0..2b5587292a2c7a 100644
--- a/test/message/assert_throws_stack.out
+++ b/test/message/assert_throws_stack.out
@@ -9,6 +9,7 @@ AssertionError [ERR_ASSERTION]: Expected values to be strictly deep-equal:
 - Comparison {
 -   bar: true
 - }
+
     at Object.<anonymous> (*assert_throws_stack.js:*:*)
     at *
     at *
@@ -32,7 +33,8 @@ AssertionError [ERR_ASSERTION]: Expected values to be strictly deep-equal:
       at *
       at *,
   expected: { bar: true },
-  operator: 'throws'
+  operator: 'throws',
+  diff: 'simple'
 }
 
 Node.js *
diff --git a/test/parallel/parallel.status b/test/parallel/parallel.status
index 11820732a7bf21..76e46b80719e07 100644
--- a/test/parallel/parallel.status
+++ b/test/parallel/parallel.status
@@ -24,10 +24,14 @@ test-snapshot-incompatible: SKIP
 test-async-context-frame: PASS, FLAKY
 # https://github.com/nodejs/node/issues/54534
 test-runner-run-watch: PASS, FLAKY
-# https://github.com/nodejs/node/issues/56794
-test-fs-cp: PASS, FLAKY
-# https://github.com/nodejs/node/issues/59090
-test-inspector-network-fetch: PASS, FLAKY
+# https://github.com/nodejs/node/pull/59408#issuecomment-3170650933
+test-fs-cp-sync-error-on-exist: PASS, FLAKY
+test-fs-cp-sync-copy-symlink-not-pointing-to-folder: PASS, FLAKY
+test-fs-cp-sync-symlink-points-to-dest-error: PASS, FLAKY
+test-fs-cp-sync-resolve-relative-symlinks-false: PASS, FLAKY
+test-fs-cp-async-symlink-points-to-dest: PASS, FLAKY
+test-fs-cp-sync-unicode-folder-names: PASS, FLAKY
+test-fs-cp-sync-resolve-relative-symlinks-default: PASS, FLAKY
 
 # https://github.com/nodejs/node/issues/56751
 test-without-async-context-frame: PASS, FLAKY
diff --git a/test/parallel/test-assert-class-destructuring.js b/test/parallel/test-assert-class-destructuring.js
new file mode 100644
index 00000000000000..eb353f095d2da2
--- /dev/null
+++ b/test/parallel/test-assert-class-destructuring.js
@@ -0,0 +1,133 @@
+'use strict';
+
+require('../common');
+const assert = require('assert');
+const { Assert } = require('assert');
+const { test } = require('node:test');
+
+// Disable colored output to prevent color codes from breaking assertion
+// message comparisons. This should only be an issue when process.stdout
+// is a TTY.
+if (process.stdout.isTTY) {
+  process.env.NODE_DISABLE_COLORS = '1';
+}
+
+test('Assert class destructuring behavior - diff option', () => {
+  const assertInstanceFull = new Assert({ diff: 'full' });
+  const assertInstanceSimple = new Assert({ diff: 'simple' });
+
+  assertInstanceFull.throws(
+    () => assertInstanceFull.strictEqual({ a: 1 }, { a: 2 }),
+    (err) => {
+      assert.strictEqual(err.diff, 'full');
+      return true;
+    }
+  );
+
+  assertInstanceSimple.throws(
+    () => assertInstanceSimple.strictEqual({ a: 1 }, { a: 2 }),
+    (err) => {
+      assert.strictEqual(err.diff, 'simple');
+      return true;
+    }
+  );
+
+  const { strictEqual: strictEqualSimple } = assertInstanceSimple;
+  const { strictEqual: strictEqualFull } = assertInstanceFull;
+  const { deepStrictEqual: deepStrictEqualFull } = assertInstanceFull;
+  const { equal: equalFull } = assertInstanceFull;
+
+  assert.throws(
+    () => strictEqualSimple({ a: 1 }, { a: 2 }),
+    (err) => {
+      assert.strictEqual(err.diff, 'simple');
+      return true;
+    }
+  );
+
+  assert.throws(
+    () => strictEqualFull({ a: 1 }, { a: 2 }),
+    (err) => {
+      assert.strictEqual(err.diff, 'simple');
+      return true;
+    }
+  );
+
+  assert.throws(
+    () => deepStrictEqualFull({ a: 1 }, { a: 2 }),
+    (err) => {
+      assert.strictEqual(err.diff, 'simple');
+      return true;
+    }
+  );
+
+  assert.throws(
+    () => equalFull({ a: 1 }, { a: 2 }),
+    (err) => {
+      assert.strictEqual(err.diff, 'simple');
+      return true;
+    }
+  );
+});
+
+test('Assert class destructuring behavior - strict option', () => {
+  const assertInstanceNonStrict = new Assert({ strict: false });
+  const assertInstanceStrict = new Assert({ strict: true });
+
+  assertInstanceNonStrict.equal(2, '2');
+
+  assert.throws(
+    () => assertInstanceStrict.equal(2, '2'),
+    assert.AssertionError
+  );
+
+  const { equal: equalNonStrict } = assertInstanceNonStrict;
+  const { equal: equalStrict } = assertInstanceStrict;
+
+  equalNonStrict(2, '2');
+  assert.throws(
+    () => equalStrict(2, '2'),
+    assert.AssertionError
+  );
+});
+
+test('Assert class destructuring behavior - comprehensive methods', () => {
+  const myAssert = new Assert({ diff: 'full', strict: false });
+
+  const {
+    fail,
+    equal,
+    strictEqual,
+    deepStrictEqual,
+    throws,
+    match,
+    doesNotMatch
+  } = myAssert;
+
+  assert.throws(() => fail('test message'), (err) => {
+    assert.strictEqual(err.diff, 'simple');
+    assert.strictEqual(err.message, 'test message');
+    return true;
+  });
+
+  assert.throws(() => equal({ a: 1 }, { a: 2 }), (err) => {
+    assert.strictEqual(err.diff, 'simple');
+    return true;
+  });
+
+  assert.throws(() => strictEqual({ a: 1 }, { a: 2 }), (err) => {
+    assert.strictEqual(err.diff, 'simple');
+    return true;
+  });
+
+  assert.throws(() => deepStrictEqual({ a: 1 }, { a: 2 }), (err) => {
+    assert.strictEqual(err.diff, 'simple');
+    return true;
+  });
+
+  throws(() => { throw new Error('test'); }, Error);
+
+  match('hello world', /world/);
+
+  doesNotMatch('hello world', /xyz/);
+});
diff --git a/test/parallel/test-assert-class.js b/test/parallel/test-assert-class.js
new file mode 100644
index 00000000000000..91b4ce8feac12b
--- /dev/null
+++ b/test/parallel/test-assert-class.js
@@ -0,0 +1,480 @@
+'use strict';
+
+require('../common');
+const assert = require('assert');
+const { Assert } = require('assert');
+const { inspect } = require('util');
+const { test } = require('node:test');
+
+// Disable colored output to prevent color codes from breaking assertion
+// message comparisons. This should only be an issue when process.stdout
+// is a TTY.
+if (process.stdout.isTTY) {
+  process.env.NODE_DISABLE_COLORS = '1';
+}
+
+test('Assert constructor requires new', () => {
+  assert.throws(() => Assert(), {
+    code: 'ERR_CONSTRUCT_CALL_REQUIRED',
+    name: 'TypeError',
+  });
+});
+
+test('Assert class non strict', () => {
+  const assertInstance = new Assert({ diff: undefined, strict: false });
+
+  assertInstance.ok(
+    assert.AssertionError.prototype instanceof Error,
+    'assert.AssertionError instanceof Error'
+  );
+  assert.strictEqual(typeof assertInstance.ok, 'function');
+  assert.strictEqual(assertInstance.ok.strictEqual, undefined);
+  assert.strictEqual(typeof assertInstance.strictEqual, 'function');
+  assertInstance.ok(true);
+  assertInstance.throws(
+    () => {
+      assertInstance.fail();
+    },
+    {
+      code: 'ERR_ASSERTION',
+      name: 'AssertionError',
+      message: 'Failed',
+      operator: 'fail',
+      actual: undefined,
+      expected: undefined,
+      generatedMessage: true,
+      stack: /Failed/,
+    }
+  );
+  assertInstance.equal(undefined, undefined);
+  assertInstance.equal(null, undefined);
+  assertInstance.equal(2, '2');
+  assertInstance.notEqual(true, false);
+  assertInstance.throws(() => assertInstance.deepEqual(/a/), {
+    code: 'ERR_MISSING_ARGS',
+  });
+  assertInstance.throws(() => assertInstance.notDeepEqual('test'), {
+    code: 'ERR_MISSING_ARGS',
+  });
+  assertInstance.notStrictEqual(2, '2');
+  assertInstance.throws(
+    () => assertInstance.strictEqual(2, '2'),
+    assertInstance.AssertionError,
+    "strictEqual(2, '2')"
+  );
+  assertInstance.throws(
+    () => {
+      assertInstance.partialDeepStrictEqual(
+        { a: true },
+        { a: false },
+        'custom message'
+      );
+    },
+    {
+      code: 'ERR_ASSERTION',
+      name: 'AssertionError',
+      message:
+        'custom message\n+ actual - expected\n\n  {\n+   a: true\n-   a: false\n  }\n',
+    }
+  );
+  assertInstance.throws(() => assertInstance.match(/abc/, 'string'), {
+    code: 'ERR_INVALID_ARG_TYPE',
+    message:
+      'The "regexp" argument must be an instance of RegExp. ' +
+      "Received type string ('string')",
+  });
+  assertInstance.throws(() => assertInstance.doesNotMatch(/abc/, 'string'), {
+    code: 'ERR_INVALID_ARG_TYPE',
+    message:
+      'The "regexp" argument must be an instance of RegExp. ' +
+      "Received type string ('string')",
+  });
+
+  /* eslint-disable no-restricted-syntax */
+  {
+    function thrower(errorConstructor) {
+      throw new errorConstructor({});
+    }
+
+    let threw = false;
+    try {
+      assertInstance.doesNotThrow(
+        () => thrower(TypeError),
+        assertInstance.AssertionError
+      );
+    } catch (e) {
+      threw = true;
+      assertInstance.ok(e instanceof TypeError);
+    }
+    assertInstance.ok(
+      threw,
+      'assertInstance.doesNotThrow with an explicit error is eating extra errors'
+    );
+  }
+  {
+    let threw = false;
+    const rangeError = new RangeError('my range');
+
+    try {
+      assertInstance.doesNotThrow(
+        () => {
+          throw new TypeError('wrong type');
+        },
+        TypeError,
+        rangeError
+      );
+    } catch (e) {
+      threw = true;
+      assertInstance.ok(e.message.includes(rangeError.message));
+      assertInstance.ok(e instanceof assertInstance.AssertionError);
+      assertInstance.ok(!e.stack.includes('doesNotThrow'), e);
+    }
+    assertInstance.ok(threw);
+  }
+  /* eslint-enable no-restricted-syntax */
+});
+
+test('Assert class strict', () => {
+  const assertInstance = new Assert();
+
+  assertInstance.equal(assertInstance.equal, assertInstance.strictEqual);
+  assertInstance.equal(
+    assertInstance.deepEqual,
+    assertInstance.deepStrictEqual
+  );
+  assertInstance.equal(assertInstance.notEqual, assertInstance.notStrictEqual);
+  assertInstance.equal(
+    assertInstance.notDeepEqual,
+    assertInstance.notDeepStrictEqual
+  );
+});
+
+test('Assert class with invalid diff option', () => {
+  assert.throws(() => new Assert({ diff: 'invalid' }), {
+    code: 'ERR_INVALID_ARG_VALUE',
+    name: 'TypeError',
+    message: "The property 'options.diff' must be one of: 'simple', 'full'. Received 'invalid'",
+  });
+});
+
+const longLinesOfAs = 'A\n'.repeat(100);
+const longLinesOFBs = 'B\n'.repeat(100);
+const truncatedAs = 'A\\n'.repeat(10) + '...';
+const truncatedBs = 'B\\n'.repeat(10) + '...';
+
+const longStringOfAs = 'A'.repeat(10_000);
+const longStringOfBs = 'B'.repeat(10_000);
+
+const longLinesOfAsWithEllipsis = longStringOfAs.substring(0, 9_488) + '...';
+const longLinesOFBsWithEllipsis = longStringOfBs.substring(0, 9_488) + '...';
+test('Assert class non strict with full diff', () => {
+  const assertInstance = new Assert({ diff: 'full', strict: false });
+
+  // long strings
+  {
+    assertInstance.throws(
+      () => {
+        assertInstance.strictEqual(longStringOfAs, longStringOfBs);
+      },
+      (err) => {
+        assertInstance.strictEqual(err.code, 'ERR_ASSERTION');
+        assertInstance.strictEqual(err.operator, 'strictEqual');
+        assertInstance.strictEqual(err.diff, 'full');
+        assertInstance.strictEqual(err.actual, longStringOfAs);
+        assertInstance.strictEqual(err.expected, longStringOfBs);
+
+        assertInstance.strictEqual(
+          err.message,
+          `Expected values to be strictly equal:\n+ actual - expected\n\n` +
+            `+ '${longStringOfAs}'\n- '${longStringOfBs}'\n`
+        );
+        assertInstance.ok(
+          inspect(err).includes(`actual: '${longLinesOfAsWithEllipsis}'`)
+        );
+        assertInstance.ok(
+          inspect(err).includes(`expected: '${longLinesOFBsWithEllipsis}'`)
+        );
+        return true;
+      }
+    );
+
+    assertInstance.throws(
+      () => {
+        assertInstance.notStrictEqual(longStringOfAs, longStringOfAs);
+      },
+      (err) => {
+        assertInstance.strictEqual(err.code, 'ERR_ASSERTION');
+        assertInstance.strictEqual(err.operator, 'notStrictEqual');
+        assertInstance.strictEqual(err.diff, 'full');
+        assertInstance.strictEqual(err.actual, longStringOfAs);
+        assertInstance.strictEqual(err.expected, longStringOfAs);
+
+        assertInstance.strictEqual(
+          err.message,
+          `Expected "actual" to be strictly unequal to:\n\n` +
+            `'${longStringOfAs}'`
+        );
+        assertInstance.ok(
+          inspect(err).includes(`actual: '${longLinesOfAsWithEllipsis}'`)
+        );
+        assertInstance.ok(
+          inspect(err).includes(`expected: '${longLinesOfAsWithEllipsis}'`)
+        );
+        return true;
+      }
+    );
+
+    assertInstance.throws(
+      () => {
+        assertInstance.deepEqual(longStringOfAs, longStringOfBs);
+      },
+      (err) => {
+        assertInstance.strictEqual(err.code, 'ERR_ASSERTION');
+        assertInstance.strictEqual(err.operator, 'deepEqual');
+        assertInstance.strictEqual(err.diff, 'full');
+        assertInstance.strictEqual(err.actual, longStringOfAs);
+        assertInstance.strictEqual(err.expected, longStringOfBs);
+
+        assertInstance.strictEqual(
+          err.message,
+          `Expected values to be loosely deep-equal:\n\n` +
+            `'${longStringOfAs}'\n\nshould loosely deep-equal\n\n'${longStringOfBs}'`
+        );
+        assertInstance.ok(
+          inspect(err).includes(`actual: '${longLinesOfAsWithEllipsis}'`)
+        );
+        assertInstance.ok(
+          inspect(err).includes(`expected: '${longLinesOFBsWithEllipsis}'`)
+        );
+        return true;
+      }
+    );
+  }
+
+  // long lines
+  {
+    assertInstance.throws(
+      () => {
+        assertInstance.strictEqual(longLinesOfAs, longLinesOFBs);
+      },
+      (err) => {
+        assertInstance.strictEqual(err.code, 'ERR_ASSERTION');
+        assertInstance.strictEqual(err.operator, 'strictEqual');
+        assertInstance.strictEqual(err.diff, 'full');
+        assertInstance.strictEqual(err.actual, longLinesOfAs);
+        assertInstance.strictEqual(err.expected, longLinesOFBs);
+
+        assertInstance.strictEqual(err.message.split('\n').length, 204);
+        assertInstance.strictEqual(err.actual.split('\n').length, 101);
+        assertInstance.ok(
+          err.message.includes('Expected values to be strictly equal')
+        );
+        assertInstance.ok(inspect(err).includes(`actual: '${truncatedAs}`));
+        assertInstance.ok(inspect(err).includes(`expected: '${truncatedBs}`));
+        return true;
+      }
+    );
+
+    assertInstance.throws(
+      () => {
+        assertInstance.notStrictEqual(longLinesOfAs, longLinesOfAs);
+      },
+      (err) => {
+        assertInstance.strictEqual(err.code, 'ERR_ASSERTION');
+        assertInstance.strictEqual(err.operator, 'notStrictEqual');
+        assertInstance.strictEqual(err.diff, 'full');
+        assertInstance.strictEqual(err.actual, longLinesOfAs);
+        assertInstance.strictEqual(err.expected, longLinesOfAs);
+
+        assertInstance.strictEqual(err.message.split('\n').length, 103);
+        assertInstance.strictEqual(err.actual.split('\n').length, 101);
+        assertInstance.ok(
+          err.message.includes(`Expected "actual" to be strictly unequal to:`)
+        );
+        assertInstance.ok(inspect(err).includes(`actual: '${truncatedAs}`));
+        assertInstance.ok(inspect(err).includes(`expected: '${truncatedAs}`));
+        return true;
+      }
+    );
+
+    assertInstance.throws(
+      () => {
+        assertInstance.deepEqual(longLinesOfAs, longLinesOFBs);
+      },
+      (err) => {
+        assertInstance.strictEqual(err.code, 'ERR_ASSERTION');
+        assertInstance.strictEqual(err.operator, 'deepEqual');
+        assertInstance.strictEqual(err.diff, 'full');
+        assertInstance.strictEqual(err.actual, longLinesOfAs);
+        assertInstance.strictEqual(err.expected, longLinesOFBs);
+
+        assertInstance.strictEqual(err.message.split('\n').length, 205);
+        assertInstance.strictEqual(err.actual.split('\n').length, 101);
+        assertInstance.ok(
+          err.message.includes(`Expected values to be loosely deep-equal:`)
+        );
+        assertInstance.ok(inspect(err).includes(`actual: '${truncatedAs}`));
+        assertInstance.ok(inspect(err).includes(`expected: '${truncatedBs}`));
+        return true;
+      }
+    );
+  }
+});
+
+test('Assert class non strict with simple diff', () => {
+  const assertInstance = new Assert({ diff: 'simple', strict: false });
+
+  // long strings
+  {
+    assertInstance.throws(
+      () => {
+        assertInstance.strictEqual(longStringOfAs, longStringOfBs);
+      },
+      (err) => {
+        assertInstance.strictEqual(err.code, 'ERR_ASSERTION');
+        assertInstance.strictEqual(err.operator, 'strictEqual');
+        assertInstance.strictEqual(err.diff, 'simple');
+        assertInstance.strictEqual(err.actual, longStringOfAs);
+        assertInstance.strictEqual(err.expected, longStringOfBs);
+
+        assertInstance.strictEqual(
+          err.message,
+          `Expected values to be strictly equal:\n+ actual - expected\n\n` +
+            `+ '${longStringOfAs}'\n- '${longStringOfBs}'\n`
+        );
+        assertInstance.ok(
+          inspect(err).includes(`actual: '${longLinesOfAsWithEllipsis}'`)
+        );
+        assertInstance.ok(
+          inspect(err).includes(`expected: '${longLinesOFBsWithEllipsis}'`)
+        );
+        return true;
+      }
+    );
+
+    assertInstance.throws(
+      () => {
+        assertInstance.notStrictEqual(longStringOfAs, longStringOfAs);
+      },
+      (err) => {
+        assertInstance.strictEqual(err.code, 'ERR_ASSERTION');
+        assertInstance.strictEqual(err.operator, 'notStrictEqual');
+        assertInstance.strictEqual(err.diff, 'simple');
+        assertInstance.strictEqual(err.actual, longStringOfAs);
+        assertInstance.strictEqual(err.expected, longStringOfAs);
+
+        assertInstance.strictEqual(
+          err.message,
+          `Expected "actual" to be strictly unequal to:\n\n` +
+            `'${longStringOfAs}'`
+        );
+        assertInstance.ok(
+          inspect(err).includes(`actual: '${longLinesOfAsWithEllipsis}'`)
+        );
+        assertInstance.ok(
+          inspect(err).includes(`expected: '${longLinesOfAsWithEllipsis}'`)
+        );
+        return true;
+      }
+    );
+
+    assertInstance.throws(
+      () => {
+        assertInstance.deepEqual(longStringOfAs, longStringOfBs);
+      },
+      (err) => {
+        assertInstance.strictEqual(err.code, 'ERR_ASSERTION');
+        assertInstance.strictEqual(err.operator, 'deepEqual');
+        assertInstance.strictEqual(err.diff, 'simple');
+        assertInstance.strictEqual(err.actual, longStringOfAs);
+        assertInstance.strictEqual(err.expected, longStringOfBs);
+
+        assertInstance.strictEqual(
+          err.message,
+          `Expected values to be loosely deep-equal:\n\n` +
+            `'${
+              longStringOfAs.substring(0, 508) + '...'
+            }\n\nshould loosely deep-equal\n\n'${
+              longStringOfBs.substring(0, 508) + '...'
+            }`
+        );
+        assertInstance.ok(
+          inspect(err).includes(`actual: '${longLinesOfAsWithEllipsis}'`)
+        );
+        assertInstance.ok(
+          inspect(err).includes(`expected: '${longLinesOFBsWithEllipsis}'`)
+        );
+        return true;
+      }
+    );
+  }
+
+  // long lines
+  {
+    assertInstance.throws(
+      () => {
+        assertInstance.strictEqual(longLinesOfAs, longLinesOFBs);
+      },
+      (err) => {
+        assertInstance.strictEqual(err.code, 'ERR_ASSERTION');
+        assertInstance.strictEqual(err.operator, 'strictEqual');
+        assertInstance.strictEqual(err.diff, 'simple');
+        assertInstance.strictEqual(err.actual, longLinesOfAs);
+        assertInstance.strictEqual(err.expected, longLinesOFBs);
+        assertInstance.strictEqual(err.message.split('\n').length, 204);
+        assertInstance.strictEqual(err.actual.split('\n').length, 101);
+
+        assertInstance.ok(
+          err.message.includes('Expected values to be strictly equal')
+        );
+        assertInstance.ok(inspect(err).includes(`actual: '${truncatedAs}`));
+        assertInstance.ok(inspect(err).includes(`expected: '${truncatedBs}`));
+        return true;
+      }
+    );
+
+    assertInstance.throws(
+      () => {
+        assertInstance.notStrictEqual(longLinesOfAs, longLinesOfAs);
+      },
+      (err) => {
+        assertInstance.strictEqual(err.code, 'ERR_ASSERTION');
+        assertInstance.strictEqual(err.operator, 'notStrictEqual');
+        assertInstance.strictEqual(err.diff, 'simple');
+        assertInstance.strictEqual(err.actual, longLinesOfAs);
+        assertInstance.strictEqual(err.expected, longLinesOfAs);
+
+        assertInstance.strictEqual(err.message.split('\n').length, 50);
+        assertInstance.strictEqual(err.actual.split('\n').length, 101);
+        assertInstance.ok(
+          err.message.includes(`Expected "actual" to be strictly unequal to:`)
+        );
+        assertInstance.ok(inspect(err).includes(`actual: '${truncatedAs}`));
+        assertInstance.ok(inspect(err).includes(`expected: '${truncatedAs}`));
+        return true;
+      }
+    );
+
+    assertInstance.throws(
+      () => {
+        assertInstance.deepEqual(longLinesOfAs, longLinesOFBs);
+      },
+      (err) => {
+        assertInstance.strictEqual(err.code, 'ERR_ASSERTION');
+        assertInstance.strictEqual(err.operator, 'deepEqual');
+        assertInstance.strictEqual(err.diff, 'simple');
+        assertInstance.strictEqual(err.actual, longLinesOfAs);
+        assertInstance.strictEqual(err.expected, longLinesOFBs);
+
+        assertInstance.strictEqual(err.message.split('\n').length, 109);
+        assertInstance.strictEqual(err.actual.split('\n').length, 101);
+        assertInstance.ok(
+          err.message.includes(`Expected values to be loosely deep-equal:`)
+        );
+        assertInstance.ok(inspect(err).includes(`actual: '${truncatedAs}`));
+        assertInstance.ok(inspect(err).includes(`expected: '${truncatedBs}`));
+        return true;
+      }
+    );
+  }
+});
diff --git a/test/parallel/test-crypto-aes-wrap.js b/test/parallel/test-crypto-aes-wrap.js
index 21d48d8a3fbae7..951e93d728e32b 100644
--- a/test/parallel/test-crypto-aes-wrap.js
+++ b/test/parallel/test-crypto-aes-wrap.js
@@ -53,6 +53,11 @@ const key3 = Buffer.from('29c9eab5ed5ad44134a1437fe2e673b4d88a5b7c72e68454fea087
     text: '12345678123456781234567812345678123'
   },
 ].forEach(({ algorithm, key, iv, text }) => {
+  if (!crypto.getCiphers().includes(algorithm)) {
+    common.printSkipMessage(`Skipping unsupported ${algorithm} test case`);
+    return;
+  }
+
   const cipher = crypto.createCipheriv(algorithm, key, iv);
   const decipher = crypto.createDecipheriv(algorithm, key, iv);
   const msg = decipher.update(cipher.update(text, 'utf8'), 'buffer', 'utf8');
diff --git a/test/parallel/test-crypto-authenticated-stream.js b/test/parallel/test-crypto-authenticated-stream.js
index fcd53aa4696abc..51b928ec36be1f 100644
--- a/test/parallel/test-crypto-authenticated-stream.js
+++ b/test/parallel/test-crypto-authenticated-stream.js
@@ -115,6 +115,11 @@ function fstream(config) {
 fstream.count = 0;
 
 function test(config) {
+  if (!crypto.getCiphers().includes(config.cipher)) {
+    common.printSkipMessage(`unsupported cipher: ${config.cipher}`);
+    return;
+  }
+
   direct(config);
   mstream(config);
   fstream(config);
diff --git a/test/parallel/test-crypto-authenticated.js b/test/parallel/test-crypto-authenticated.js
index 5f74f7c2611138..e8fedf2d5d5072 100644
--- a/test/parallel/test-crypto-authenticated.js
+++ b/test/parallel/test-crypto-authenticated.js
@@ -248,49 +248,24 @@ for (const test of TEST_CASES) {
 // Test that create(De|C)ipheriv throws if the mode is CCM and an invalid
 // authentication tag length has been specified.
 {
-  for (const authTagLength of [-1, true, false, NaN, 5.5]) {
-    assert.throws(() => {
-      crypto.createCipheriv('aes-256-ccm',
-                            'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
-                            'qkuZpJWCewa6S',
-                            {
-                              authTagLength
-                            });
-    }, {
-      name: 'TypeError',
-      code: 'ERR_INVALID_ARG_VALUE',
-      message: "The property 'options.authTagLength' is invalid. " +
-               `Received ${inspect(authTagLength)}`
-    });
-
-    assert.throws(() => {
-      crypto.createDecipheriv('aes-256-ccm',
+  if (!ciphers.includes('aes-256-ccm')) {
+    common.printSkipMessage(`unsupported aes-256-ccm test`);
+  } else {
+    for (const authTagLength of [-1, true, false, NaN, 5.5]) {
+      assert.throws(() => {
+        crypto.createCipheriv('aes-256-ccm',
                               'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
                               'qkuZpJWCewa6S',
                               {
                                 authTagLength
                               });
-    }, {
-      name: 'TypeError',
-      code: 'ERR_INVALID_ARG_VALUE',
-      message: "The property 'options.authTagLength' is invalid. " +
-        `Received ${inspect(authTagLength)}`
-    });
-  }
-
-  // The following values will not be caught by the JS layer and thus will not
-  // use the default error codes.
-  for (const authTagLength of [0, 1, 2, 3, 5, 7, 9, 11, 13, 15, 17, 18]) {
-    assert.throws(() => {
-      crypto.createCipheriv('aes-256-ccm',
-                            'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
-                            'qkuZpJWCewa6S',
-                            {
-                              authTagLength
-                            });
-    }, errMessages.authTagLength);
+      }, {
+        name: 'TypeError',
+        code: 'ERR_INVALID_ARG_VALUE',
+        message: "The property 'options.authTagLength' is invalid. " +
+                `Received ${inspect(authTagLength)}`
+      });
 
-    if (!isFipsEnabled) {
       assert.throws(() => {
         crypto.createDecipheriv('aes-256-ccm',
                                 'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
@@ -298,7 +273,36 @@ for (const test of TEST_CASES) {
                                 {
                                   authTagLength
                                 });
+      }, {
+        name: 'TypeError',
+        code: 'ERR_INVALID_ARG_VALUE',
+        message: "The property 'options.authTagLength' is invalid. " +
+          `Received ${inspect(authTagLength)}`
+      });
+    }
+
+    // The following values will not be caught by the JS layer and thus will not
+    // use the default error codes.
+    for (const authTagLength of [0, 1, 2, 3, 5, 7, 9, 11, 13, 15, 17, 18]) {
+      assert.throws(() => {
+        crypto.createCipheriv('aes-256-ccm',
+                              'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
+                              'qkuZpJWCewa6S',
+                              {
+                                authTagLength
+                              });
       }, errMessages.authTagLength);
+
+      if (!isFipsEnabled) {
+        assert.throws(() => {
+          crypto.createDecipheriv('aes-256-ccm',
+                                  'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
+                                  'qkuZpJWCewa6S',
+                                  {
+                                    authTagLength
+                                  });
+        }, errMessages.authTagLength);
+      }
     }
   }
 }
@@ -307,6 +311,11 @@ for (const test of TEST_CASES) {
 // authentication tag length has been specified.
 {
   for (const mode of ['ccm', 'ocb']) {
+    if (!ciphers.includes(`aes-256-${mode}`)) {
+      common.printSkipMessage(`unsupported aes-256-${mode} test`);
+      continue;
+    }
+
     assert.throws(() => {
       crypto.createCipheriv(`aes-256-${mode}`,
                             'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
@@ -330,84 +339,96 @@ for (const test of TEST_CASES) {
 
 // Test that setAAD throws if an invalid plaintext length has been specified.
 {
-  const cipher = crypto.createCipheriv('aes-256-ccm',
-                                       'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
-                                       'qkuZpJWCewa6S',
-                                       {
-                                         authTagLength: 10
-                                       });
-
-  for (const plaintextLength of [-1, true, false, NaN, 5.5]) {
-    assert.throws(() => {
-      cipher.setAAD(Buffer.from('0123456789', 'hex'), { plaintextLength });
-    }, {
-      name: 'TypeError',
-      code: 'ERR_INVALID_ARG_VALUE',
-      message: "The property 'options.plaintextLength' is invalid. " +
-        `Received ${inspect(plaintextLength)}`
-    });
+  if (!ciphers.includes('aes-256-ccm')) {
+    common.printSkipMessage(`unsupported aes-256-ccm test`);
+  } else {
+    const cipher = crypto.createCipheriv('aes-256-ccm',
+                                         'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
+                                         'qkuZpJWCewa6S',
+                                         {
+                                           authTagLength: 10
+                                         });
+
+    for (const plaintextLength of [-1, true, false, NaN, 5.5]) {
+      assert.throws(() => {
+        cipher.setAAD(Buffer.from('0123456789', 'hex'), { plaintextLength });
+      }, {
+        name: 'TypeError',
+        code: 'ERR_INVALID_ARG_VALUE',
+        message: "The property 'options.plaintextLength' is invalid. " +
+          `Received ${inspect(plaintextLength)}`
+      });
+    }
   }
 }
 
 // Test that setAAD and update throw if the plaintext is too long.
 {
-  for (const ivLength of [13, 12]) {
-    const maxMessageSize = (1 << (8 * (15 - ivLength))) - 1;
-    const key = 'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8';
-    const cipher = () => crypto.createCipheriv('aes-256-ccm', key,
-                                               '0'.repeat(ivLength),
-                                               {
-                                                 authTagLength: 10
-                                               });
+  if (!ciphers.includes('aes-256-ccm')) {
+    common.printSkipMessage(`unsupported aes-256-ccm test`);
+  } else {
+    for (const ivLength of [13, 12]) {
+      const maxMessageSize = (1 << (8 * (15 - ivLength))) - 1;
+      const key = 'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8';
+      const cipher = () => crypto.createCipheriv('aes-256-ccm', key,
+                                                 '0'.repeat(ivLength),
+                                                 {
+                                                   authTagLength: 10
+                                                 });
 
-    assert.throws(() => {
-      cipher().setAAD(Buffer.alloc(0), {
-        plaintextLength: maxMessageSize + 1
-      });
-    }, /Invalid message length$/);
+      assert.throws(() => {
+        cipher().setAAD(Buffer.alloc(0), {
+          plaintextLength: maxMessageSize + 1
+        });
+      }, /Invalid message length$/);
 
-    const msg = Buffer.alloc(maxMessageSize + 1);
-    assert.throws(() => {
-      cipher().update(msg);
-    }, /Invalid message length/);
+      const msg = Buffer.alloc(maxMessageSize + 1);
+      assert.throws(() => {
+        cipher().update(msg);
+      }, /Invalid message length/);
 
-    const c = cipher();
-    c.setAAD(Buffer.alloc(0), {
-      plaintextLength: maxMessageSize
-    });
-    c.update(msg.slice(1));
+      const c = cipher();
+      c.setAAD(Buffer.alloc(0), {
+        plaintextLength: maxMessageSize
+      });
+      c.update(msg.slice(1));
+    }
   }
 }
 
 // Test that setAAD throws if the mode is CCM and the plaintext length has not
 // been specified.
 {
-  assert.throws(() => {
-    const cipher = crypto.createCipheriv('aes-256-ccm',
-                                         'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
-                                         'qkuZpJWCewa6S',
-                                         {
-                                           authTagLength: 10
-                                         });
-    cipher.setAAD(Buffer.from('0123456789', 'hex'));
-  }, /options\.plaintextLength required for CCM mode with AAD/);
-
-  if (!isFipsEnabled) {
+  if (!ciphers.includes('aes-256-ccm')) {
+    common.printSkipMessage(`unsupported aes-256-ccm test`);
+  } else {
     assert.throws(() => {
-      const cipher = crypto.createDecipheriv('aes-256-ccm',
-                                             'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
-                                             'qkuZpJWCewa6S',
-                                             {
-                                               authTagLength: 10
-                                             });
+      const cipher = crypto.createCipheriv('aes-256-ccm',
+                                           'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
+                                           'qkuZpJWCewa6S',
+                                           {
+                                             authTagLength: 10
+                                           });
       cipher.setAAD(Buffer.from('0123456789', 'hex'));
     }, /options\.plaintextLength required for CCM mode with AAD/);
+
+    if (!isFipsEnabled) {
+      assert.throws(() => {
+        const cipher = crypto.createDecipheriv('aes-256-ccm',
+                                               'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
+                                               'qkuZpJWCewa6S',
+                                               {
+                                                 authTagLength: 10
+                                               });
+        cipher.setAAD(Buffer.from('0123456789', 'hex'));
+      }, /options\.plaintextLength required for CCM mode with AAD/);
+    }
   }
 }
 
 // Test that final() throws in CCM mode when no authentication tag is provided.
 {
-  if (!isFipsEnabled) {
+  if (!isFipsEnabled && ciphers.includes('aes-128-ccm')) {
     const key = Buffer.from('1ed2233fa2223ef5d7df08546049406c', 'hex');
     const iv = Buffer.from('7305220bca40d4c90e1791e9', 'hex');
     const ct = Buffer.from('8beba09d4d4d861f957d51c0794f4abf8030848e', 'hex');
@@ -439,12 +460,16 @@ for (const test of TEST_CASES) {
 
 // Test that an IV length of 11 does not overflow max_message_size_.
 {
-  const key = 'x'.repeat(16);
-  const iv = Buffer.from('112233445566778899aabb', 'hex');
-  const options = { authTagLength: 8 };
-  const encrypt = crypto.createCipheriv('aes-128-ccm', key, iv, options);
-  encrypt.update('boom');  // Should not throw 'Message exceeds maximum size'.
-  encrypt.final();
+  if (!ciphers.includes('aes-128-ccm')) {
+    common.printSkipMessage(`unsupported aes-128-ccm test`);
+  } else {
+    const key = 'x'.repeat(16);
+    const iv = Buffer.from('112233445566778899aabb', 'hex');
+    const options = { authTagLength: 8 };
+    const encrypt = crypto.createCipheriv('aes-128-ccm', key, iv, options);
+    encrypt.update('boom');  // Should not throw 'Message exceeds maximum size'.
+    encrypt.final();
+  }
 }
 
 // Test that the authentication tag can be set at any point before calling
@@ -499,6 +524,11 @@ for (const test of TEST_CASES) {
   }
 
   for (const alg of ['aes-256-gcm', 'aes-256-ocb', 'chacha20-poly1305']) {
+    if (!ciphers.includes(alg)) {
+      common.printSkipMessage(`unsupported ${alg} test`);
+      continue;
+    }
+
     for (const authTagLength of alg === 'aes-256-gcm' ? [undefined, 8] : [8]) {
       for (const [useAAD, useMessage] of [
         [false, false],  // No AAD, no update.
@@ -520,6 +550,11 @@ for (const test of TEST_CASES) {
   const opts = { authTagLength: 8 };
 
   for (const mode of ['gcm', 'ccm', 'ocb']) {
+    if (!ciphers.includes(`aes-128-${mode}`)) {
+      common.printSkipMessage(`unsupported aes-128-${mode} test`);
+      continue;
+    }
+
     const cipher = crypto.createCipheriv(`aes-128-${mode}`, key, iv, opts);
     const ciphertext = Buffer.concat([cipher.update(plain), cipher.final()]);
     const tag = cipher.getAuthTag();
@@ -563,25 +598,29 @@ for (const test of TEST_CASES) {
     tampered: false,
   };
 
-  // Invalid IV lengths should be detected:
-  // - 12 and below are valid.
-  // - 13-16 are not detected as invalid by some OpenSSL versions.
-  check(13);
-  check(14);
-  check(15);
-  check(16);
-  // - 17 and above were always detected as invalid by OpenSSL.
-  check(17);
-
-  function check(ivLength) {
-    const prefix = ivLength - valid.iv.length / 2;
-    assert.throws(() => crypto.createCipheriv(
-      valid.algo,
-      Buffer.from(valid.key, 'hex'),
-      Buffer.from(H(prefix) + valid.iv, 'hex')
-    ), errMessages.length, `iv length ${ivLength} was not rejected`);
-
-    function H(length) { return '00'.repeat(length); }
+  if (!ciphers.includes(valid.algo)) {
+    common.printSkipMessage(`unsupported ${valid.algo} test`);
+  } else {
+    // Invalid IV lengths should be detected:
+    // - 12 and below are valid.
+    // - 13-16 are not detected as invalid by some OpenSSL versions.
+    check(13);
+    check(14);
+    check(15);
+    check(16);
+    // - 17 and above were always detected as invalid by OpenSSL.
+    check(17);
+
+    function check(ivLength) {
+      const prefix = ivLength - valid.iv.length / 2;
+      assert.throws(() => crypto.createCipheriv(
+        valid.algo,
+        Buffer.from(valid.key, 'hex'),
+        Buffer.from(H(prefix) + valid.iv, 'hex')
+      ), errMessages.length, `iv length ${ivLength} was not rejected`);
+
+      function H(length) { return '00'.repeat(length); }
+    }
   }
 }
 
diff --git a/test/parallel/test-crypto-default-shake-lengths.js b/test/parallel/test-crypto-default-shake-lengths.js
index 1e558814ca0e4a..36c01d078a04a9 100644
--- a/test/parallel/test-crypto-default-shake-lengths.js
+++ b/test/parallel/test-crypto-default-shake-lengths.js
@@ -5,6 +5,11 @@ const common = require('../common');
 if (!common.hasCrypto)
   common.skip('missing crypto');
 
+const crypto = require('crypto');
+if (!crypto.getHashes().includes('shake128')) {
+  common.skip('unsupported shake128 test');
+}
+
 const { createHash } = require('crypto');
 
 common.expectWarning({
diff --git a/test/parallel/test-crypto-des3-wrap.js b/test/parallel/test-crypto-des3-wrap.js
index 75c8cd574fd662..54d8a4c4014abc 100644
--- a/test/parallel/test-crypto-des3-wrap.js
+++ b/test/parallel/test-crypto-des3-wrap.js
@@ -6,6 +6,10 @@ if (!common.hasCrypto)
 const assert = require('assert');
 const crypto = require('crypto');
 
+const ciphers = crypto.getCiphers();
+if (!ciphers.includes('des3-wrap'))
+  common.skip('des3-wrap cipher is not available');
+
 // Test case for des-ede3 wrap/unwrap. des3-wrap needs extra 2x blocksize
 // then plaintext to store ciphertext.
 const test = {
diff --git a/test/parallel/test-crypto-ecb.js b/test/parallel/test-crypto-ecb.js
index 6439c9354a059e..06c88272438a05 100644
--- a/test/parallel/test-crypto-ecb.js
+++ b/test/parallel/test-crypto-ecb.js
@@ -37,6 +37,10 @@ if (hasOpenSSL3) {
     'OpenSSl 3.x');
 }
 
+if (!crypto.getCiphers().includes('BF-ECB')) {
+  common.skip('BF-ECB cipher is not available');
+}
+
 const assert = require('assert');
 
 // Testing whether EVP_CipherInit_ex is functioning correctly.
diff --git a/test/parallel/test-crypto-padding-aes256.js b/test/parallel/test-crypto-padding-aes256.js
index 14d853bdfd0a5d..164d06413a7d14 100644
--- a/test/parallel/test-crypto-padding-aes256.js
+++ b/test/parallel/test-crypto-padding-aes256.js
@@ -27,6 +27,9 @@ if (!common.hasCrypto)
 const assert = require('assert');
 const crypto = require('crypto');
 
+if (!crypto.getCiphers().includes('aes256'))
+  common.skip('aes256 cipher is not available');
+
 const iv = Buffer.from('00000000000000000000000000000000', 'hex');
 const key = Buffer.from('0123456789abcdef0123456789abcdef' +
                         '0123456789abcdef0123456789abcdef', 'hex');
diff --git a/test/parallel/test-crypto-pqc-key-objects-ml-dsa.js b/test/parallel/test-crypto-pqc-key-objects-ml-dsa.js
new file mode 100644
index 00000000000000..37eab463deae47
--- /dev/null
+++ b/test/parallel/test-crypto-pqc-key-objects-ml-dsa.js
@@ -0,0 +1,179 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const { hasOpenSSL } = require('../common/crypto');
+
+const assert = require('assert');
+const {
+  createPublicKey,
+  createPrivateKey,
+} = require('crypto');
+
+const fixtures = require('../common/fixtures');
+
+function getKeyFileName(type, suffix) {
+  return `${type.replaceAll('-', '_')}_${suffix}.pem`;
+}
+
+for (const [asymmetricKeyType, pubLen] of [
+  ['ml-dsa-44', 1312], ['ml-dsa-65', 1952], ['ml-dsa-87', 2592],
+]) {
+  const keys = {
+    public: fixtures.readKey(getKeyFileName(asymmetricKeyType, 'public'), 'ascii'),
+    private: fixtures.readKey(getKeyFileName(asymmetricKeyType, 'private'), 'ascii'),
+    private_seed_only: fixtures.readKey(getKeyFileName(asymmetricKeyType, 'private_seed_only'), 'ascii'),
+    private_priv_only: fixtures.readKey(getKeyFileName(asymmetricKeyType, 'private_priv_only'), 'ascii'),
+  };
+
+  function assertJwk(jwk) {
+    assert.strictEqual(jwk.kty, 'AKP');
+    assert.strictEqual(jwk.alg, asymmetricKeyType.toUpperCase());
+    assert.ok(jwk.pub);
+    assert.strictEqual(Buffer.from(jwk.pub, 'base64url').byteLength, pubLen);
+  }
+
+  function assertPublicJwk(jwk) {
+    assertJwk(jwk);
+    assert.ok(!jwk.priv);
+  }
+
+  function assertPrivateJwk(jwk) {
+    assertJwk(jwk);
+    assert.ok(jwk.priv);
+    assert.strictEqual(Buffer.from(jwk.priv, 'base64url').byteLength, 32);
+  }
+
+  function assertKey(key) {
+    assert.deepStrictEqual(key.asymmetricKeyDetails, {});
+    assert.strictEqual(key.asymmetricKeyType, asymmetricKeyType);
+    assert.strictEqual(key.equals(key), true);
+    assert.deepStrictEqual(key, key);
+  }
+
+  function assertPublicKey(key) {
+    assertKey(key);
+    assert.strictEqual(key.type, 'public');
+    assert.strictEqual(key.export({ format: 'pem', type: 'spki' }), keys.public);
+    key.export({ format: 'der', type: 'spki' });
+    const jwk = key.export({ format: 'jwk' });
+    assertPublicJwk(jwk);
+    assert.strictEqual(key.equals(createPublicKey({ format: 'jwk', key: jwk })), true);
+  }
+
+  function assertPrivateKey(key, hasSeed) {
+    assertKey(key);
+    assert.strictEqual(key.type, 'private');
+    assertPublicKey(createPublicKey(key));
+    key.export({ format: 'der', type: 'pkcs8' });
+    if (hasSeed) {
+      assert.strictEqual(key.export({ format: 'pem', type: 'pkcs8' }), keys.private);
+    } else {
+      assert.strictEqual(key.export({ format: 'pem', type: 'pkcs8' }), keys.private_priv_only);
+    }
+    if (hasSeed) {
+      const jwk = key.export({ format: 'jwk' });
+      assertPrivateJwk(jwk);
+      assert.strictEqual(key.equals(createPrivateKey({ format: 'jwk', key: jwk })), true);
+      assert.ok(createPublicKey({ format: 'jwk', key: jwk }));
+    } else {
+      assert.throws(() => key.export({ format: 'jwk' }),
+                    { code: 'ERR_CRYPTO_OPERATION_FAILED', message: 'key does not have an available seed' });
+    }
+  }
+
+  if (!hasOpenSSL(3, 5)) {
+    assert.throws(() => createPublicKey(keys.public), {
+      code: hasOpenSSL(3) ? 'ERR_OSSL_EVP_DECODE_ERROR' : 'ERR_OSSL_EVP_UNSUPPORTED_ALGORITHM',
+    });
+
+    for (const pem of [keys.private, keys.private_seed_only, keys.private_priv_only]) {
+      assert.throws(() => createPrivateKey(pem), {
+        code: hasOpenSSL(3) ? 'ERR_OSSL_UNSUPPORTED' : 'ERR_OSSL_EVP_UNSUPPORTED_ALGORITHM',
+      });
+    }
+  } else {
+    const publicKey = createPublicKey(keys.public);
+    assertPublicKey(publicKey);
+
+    {
+      for (const [pem, hasSeed] of [
+        [keys.private, true],
+        [keys.private_seed_only, true],
+        [keys.private_priv_only, false],
+      ]) {
+        const pubFromPriv = createPublicKey(pem);
+        assertPublicKey(pubFromPriv);
+        assertPrivateKey(createPrivateKey(pem), hasSeed);
+        assert.strictEqual(pubFromPriv.equals(publicKey), true);
+      }
+    }
+  }
+}
+
+{
+  const format = 'jwk';
+  const jwk = {
+    kty: 'AKP',
+    alg: 'ML-DSA-44',
+    priv: '9_uqvxH0WKJFgfLyse1a1des2bwPgsHctl_jCt5AfEo',
+    // eslint-disable-next-line @stylistic/js/max-len
+    pub: 'SXghXj9P-DJ5eznNa_zLJxRxpa0mt86WlIid0EVEv1qraLBkC1UKevSZrjtgo1QUEN0oa3tP-HyYj8Onnc1zEnxsSoeC5A-PgywKgYuZP581wGPS-cbA2-5acsg-YUi_9fDkLR5YOTQQ3Iu952K1m8w0QDIBxZjecm32HgkD56CCC6ZyBOwfx9qcNUeO0aImya1igzL2_LRsqomogl9OuduWhtussAavGlAK7ZR4_4lmyjWcdeIc-z--iy42biV5d_tnopfNTJFlycBKinZu3h0lr4-ldl6apGDIyvSdZulhgj_j6jgEX-AgQZgS93ctx680GvROkBL7YI_3iXW3REWzVgS9HLasagEi2h6-RYQ9RzgUTODbei5fNRj3bNSqr8IKTZ08DCsRasN61TGwE3F7meoauw2NYkV51mhTxIafwhLWJrRA4C09Y-afrOtqk6a7Fiy21ObP95TGujXwThuwQSjKcUzTdCbD94ERhleZLqnPYEpb6_Jcc1OBY3kUJvCjoUhXwbW6PhWr533JDEFHoNCkPfhHS7vVCUFx4mQASkPLBud5arFSZU1uDStuiftJXfnQTWaMoJeA1N6rywB3xwLH__lHZQwEh4KnuYVuCeOMU1t8inuHI4EpZ4iTi2LrL0Cl6HadpHv-GENYwuPDVq9qg2Mo75o1X6wpPSN1J5KUDAATyR_0hurg4A1DlVpVWtykP5YWEmx_g5w4MZfEVwH-JJjEhJRxLKajxrjfG4XlnwwxPTznr1k1Mb7getKbLSbiMA3fvAgl1IjBIB8eFaISauFPpLPSpKHCVZrQYPIKSxMVdlXHgwm3CRrkR29GevCM5iSwRHQK6_HWfIQIlJ8H7uVQqXkNMvNmFldnfi3dj-oY6wMhs1ffP4RAsb5UTljvhJc6GoygBL_b0rv4aKcywDF8wa2P6B8gGFl6cVvWBQmWLJ-HL5RR68J_OmvJUm3PD-wwX3YigStd6thdTNlHOZhl4ysn8ulkFY3Rz2jEBV_nO6EXBLdOmxn_yX77qQ9yPcE64uC8iDTFWpQU1gmOF38od96oYD-T-whVl1NLD2bOvFVdd4UmWpb3Ui8AYzKzFBHNczAogQfplFmr8VABsgtWk8hW8csam70NADWK54SZOPQHeiOt1Mb488OZiDpX0FifEnCac78C_5uEiOPa8FAHpgUJ_XeXg83doDsAvrE1ZkrgFDwzT5pUTLyqh9eI1PAQKCoKmAbofcZM65o_qGvmnpN8fGVudOoHb0_Dqu_E2RBbaLcxsIe5jWmGmth4sb_4ANLFCmtt8T8sDmOdcYtQmhpUzg6rjDqeU76yq6fC15bGjT6Qc-EAgrUftFVwLw2UIGAbHmeAyFbSuJiMaUDJeYoZ3zxoID_DRCP9kN3ty-EQMHM9BZgXlH9dJ8ZUCAeH59h4PinM5LQuiS_kvP1iyT1Be6sYglV2dB7W_AziOcrrBiLfjazbUUpwqLm4_Yt_QwYJrAWfYyFOxkKxkT5qi2c1RNGBtiYjv8X_TRJDg0uxX_Hbq0Pc7yYezFQdFYIlRAvJcnc8PiOfhWtQZpCIYKTskg_Y2UfVvjydXYcGuIA2700PzR9ga-1VR7mv9UOLHe2x4ALiOO7Iz6KgOfVYMJ9dIC7f4HY9nrnLdhfKw5dcIf7RDhDqrkPyz8LLTuAuO-hGSwoP35XFkf0FQ8f1Cg5J_k-S3S2dCj8DXIRLcEJ9Qb5zvDofIPSmNKlvwJkqplDLBWlAow'
+  };
+
+  if (hasOpenSSL(3, 5)) {
+    assert.throws(() => createPrivateKey({ format, key: { ...jwk, alg: 'ml-dsa-44' } }),
+                  { code: 'ERR_INVALID_ARG_VALUE', message: /must be one of: 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87'/ });
+    assert.throws(() => createPrivateKey({ format, key: { ...jwk, alg: undefined } }),
+                  { code: 'ERR_INVALID_ARG_VALUE', message: /must be one of: 'ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87'/ });
+    assert.throws(() => createPrivateKey({ format, key: { ...jwk, pub: undefined } }),
+                  { code: 'ERR_INVALID_ARG_TYPE', message: /The "key\.pub" property must be of type string/ });
+    assert.throws(() => createPrivateKey({ format, key: { ...jwk, priv: undefined } }),
+                  { code: 'ERR_INVALID_ARG_TYPE', message: /The "key\.priv" property must be of type string/ });
+    assert.throws(() => createPrivateKey({ format, key: { ...jwk, priv: Buffer.alloc(33).toString('base64url') } }),
+                  { code: 'ERR_CRYPTO_INVALID_JWK' });
+    assert.throws(() => createPublicKey({ format, key: { ...jwk, pub: Buffer.alloc(1313).toString('base64url') } }),
+                  { code: 'ERR_CRYPTO_INVALID_JWK' });
+
+    assert.ok(createPrivateKey({ format, key: jwk }));
+    assert.ok(createPublicKey({ format, key: jwk }));
+
+    // Test vectors from ietf-cose-dilithium
+    {
+      for (const jwk of [
+        {
+          kty: 'AKP',
+          alg: 'ML-DSA-44',
+          // eslint-disable-next-line @stylistic/js/max-len
+          pub: 'unH59k4RuutY-pxvu24U5h8YZD2rSVtHU5qRZsoBmBMcRPgmu9VuNOVdteXi1zNIXjnqJg_GAAxepLqA00Vc3lO0bzRIKu39VFD8Lhuk8l0V-cFEJC-zm7UihxiQMMUEmOFxe3x1ixkKZ0jqmqP3rKryx8tSbtcXyfea64QhT6XNje2SoMP6FViBDxLHBQo2dwjRls0k5a-XSQSu2OTOiHLoaWsLe8pQ5FLNfTDqmkrawDEdZyxr3oSWJAsHQxRjcIiVzZuvwxYy1zl2STiP2vy_fTBaPemkleynQzqPg7oPCyXEE8bjnJbrfWkbNNN8438e6tHPIX4l7zTuzz98YPhLjt_d6EBdT4MldsYe-Y4KLyjaGHcAlTkk9oa5RhRwW89T0z_t1DSO3dvfKLUGXh8gd1BD6Fz5MfgpF5NjoafnQEqDjsAAhrCXY4b-Y3yYJEdX4_dp3dRGdHG_rWcPmgX4JG7lCnser4f8QGnDriqiAzJYEXeS8LzUngg_0bx0lqv_KcyU5IaLISFO0xZSU5mmEPvdSoDnyAcV8pV44qhLtAvd29n0ehG259oRihtljTWeiu9V60a1N2tbZVl5mEqSK-6_xZvNYA1TCdzNctvweH24unV7U3wer9XA9Q6kvJWDVJ4oKaQsKMrCSMlteBJMRxWbGK7ddUq6F7GdQw-3j2M-qdJvVKm9UPjY9rc1lPgol25-oJxTu7nxGlbJUH-4m5pevAN6NyZ6lfhbjWTKlxkrEKZvQXs_Yf6cpXEwpI_ZJeriq1UC1XHIpRkDwdOY9MH3an4RdDl2r9vGl_IwlKPNdh_5aF3jLgn7PCit1FNJAwC8fIncAXgAlgcXIpRXdfJk4bBiO89GGccSyDh2EgXYdpG3XvNgGWy7npuSoNTE7WIyblAk13UQuO4sdCbMIuriCdyfE73mvwj15xgb07RZRQtFGlFTmnFcIdZ90zDrWXDbANntv7KCKwNvoTuv64bY3HiGbj-NQ-U9eMylWVpvr4hrXcES8c9K3PqHWADZC0iIOvlzFv4VBoc_wVflcOrL_SIoaNFCNBAZZq-2v5lAgpJTqVOtqJ_HVraoSfcKy5g45p-qULunXj6Jwq21fobQiKubBKKOZwcJFyJD7F4ACKXOrz-HIvSHMCWW_9dVrRuCpJw0s0aVFbRqopDNhu446nqb4_EDYQM1tTHMozPd_jKxRRD0sH75X8ZoToxFSpLBDbtdWcenxj-zBf6IGWfZnmaetjKEBYJWC7QDQx1A91pJVJCEgieCkoIfTqkeQuePpIyu48g2FG3P1zjRF-kumhUTfSjo5qS0YiZQy0E1BMs6M11EvuxXRsHClLHoy5nLYI2Sj4zjVjYyxSHyPRPGGo9hwB34yWxzYNtPPGiqXS_dNCpi_zRZwRY4lCGrQ-hYTEWIK1Dm5OlttvC4_eiQ1dv63NiGkLRJ5kJA3bICN0fzCDY-MBqnd1cWn8YVBijVkgtaoascjL9EywDgJdeHnXK0eeOvUxHHhXJVkNqcibn8O4RQdpVU60TSA-uiu675ytIjcBHC6kTv8A8pmkj_4oypPd-F92YIJC741swkYQoeIHj8rE-ThcMUkF7KqC5VORbZTRp8HsZSqgiJcIPaouuxd1-8Rxrid3fXkE6p8bkrysPYoxWEJgh7ZFsRCPDWX-yTeJwFN0PKFP1j0F6YtlLfK5wv-c4F8ZQHA_-yc_gODicy7KmWDZgbTP07e7gEWzw4MFRrndjbDQ',
+          priv: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
+        },
+        {
+          kty: 'AKP',
+          alg: 'ML-DSA-65',
+          // eslint-disable-next-line @stylistic/js/max-len
+          pub: 'QksvJn5Y1bO0TXGs_Gpla7JpUNV8YdsciAvPof6rRD8JQquL2619cIq7w1YHj22ZolInH-YsdAkeuUr7m5JkxQqIjg3-2AzV-yy9NmfmDVOevkSTAhnNT67RXbs0VaJkgCufSbzkLudVD-_91GQqVa3mk4aKRgy-wD9PyZpOMLzP-opHXlOVOWZ067galJN1h4gPbb0nvxxPWp7kPN2LDlOzt_tJxzrfvC1PjFQwNSDCm_l-Ju5X2zQtlXyJOTZSLQlCtB2C7jdyoAVwrftUXBFDkisElvgmoKlwBks23fU0tfjhwc0LVWXqhGtFQx8GGBQ-zol3e7P2EXmtIClf4KbgYq5u7Lwu848qwaItyTt7EmM2IjxVth64wHlVQruy3GXnIurcaGb_qWg764qZmteoPl5uAWwuTDX292Sa071S7GfsHFxue5lydxIYvpVUu6dyfwuExEubCovYMfz_LJd5zNTKMMatdbBJg-Qd6JPuXznqc1UYC3CccEXCLTOgg_auB6EUdG0b_cy-5bkEOHm7Wi4SDipGNig_ShzUkkot5qSqPZnd2I9IqqToi_0ep2nYLBB3ny3teW21Qpccoom3aGPt5Zl7fpzhg7Q8zsJ4sQ2SuHRCzgQ1uxYlFx21VUtHAjnFDSoMOkGyo4gH2wcLR7-z59EPPNl51pljyNefgCnMSkjrBPyz1wiET-uqi23f8Bq2TVk1jmUFxOwdfLsU7SIS30WOzvwD_gMDexUFpMlEQyL1-Y36kaTLjEWGCi2tx1FTULttQx5JpryPW6lW5oKw5RMyGpfRliYCiRyQePYqipZGoxOHpvCWhCZIN4meDY7H0RxWWQEpiyCzRQgWkOtMViwao6Jb7wZWbLNMebwLJeQJXWunk-gTEeQaMykVJobwDUiX-E_E7fSybVRTZXherY1jrvZKh8C5Gi5VADg5Vs319uN8-dVILRyOOlvjjxclmsRcn6HEvTvxd9MS7lKm2gI8BXIqhzgnTdqNGwTpmDHPV8hygqJWxWXCltBSSgY6OkGkioMAmXjZjYq_Ya9o6AE7WU_hUdm-wZmQLExwtJWEIBdDxrUxA9L9JL3weNyQtaGItPjXcheZiNBBbJTUxXwIYLnXtT1M0mHzMqGFFWXVKsN_AIdHyv4yDzY9m-tuQRfbQ_2K7r5eDOL1Tj8DZ-s8yXG74MMBqOUvlglJNgNcbuPKLRPbSDoN0E3BYkfeDgiUrXy34a5-vU-PkAWCsgAh539wJUUBxqw90V1Du7eTHFKDJEMSFYwusbPhEX4ZTwoeTHg--8Ysn4HCFWLQ00pfBCteqvMvMflcWwVfTnogcPsJb1bEFVSc3nTzhk6Ln8J-MplyS0Y5mGBEtVko_WlyeFsoDCWj4hqrgU7L-ww8vsCRSQfskH8lodiLzj0xmugiKjWUXbYq98x1zSnB9dmPy5P3UNwwMQdpebtR38N9I-jup4Bzok0-JsaOe7EORZ8ld7kAgDWa4K7BAxjc2eD540Apwxs-VLGFVkXbQgYYeDNG2tW1Xt20-XezJqZVUl6-IZXsqc7DijwNInO3fT5o8ZAcLKUUlzSlEXe8sIlHaxjLoJ-oubRtlKKUbzWOHeyxmYZSxYqQhSQj4sheedGXJEYWJ-Y5DRqB-xpy-cftxL10fdXIUhe1hWFBAoQU3b5xRY8KCytYnfLhsFF4O49xhnax3vuumLpJbCqTXpLureoKg5PvWfnpFPB0P-ZWQN35mBzqbb3ZV6U0rU55DvyXTuiZOK2Z1TxbaAd1OZMmg0cpuzewgueV-Nh_UubIqNto5RXCd7vqgqdXDUKAiWyYegYIkD4wbGMqIjxV8Oo2ggOcSj9UQPS1rD5u0rLckAzsxyty9Q5JsmKa0w8Eh7Jwe4Yob4xPVWWbJfm916avRgzDxXo5gmY7txdGFYHhlolJKdhBU9h6f0gtKEtbiUzhp4IWsqAR8riHQs7lLVEz6P537a4kL1r5FjfDf_yjJDBQmy_kdWMDqaNln-MlKK8eENjUO-qZGy0Ql4bMZtNbHXjfJUuSzapA-RqYfkqSLKgQUOW8NTDKhUk73yqCU3TQqDEKaGAoTsPscyMm7u_8QrvUK8kbc-XnxrWZ0BZJBjdinzh2w-QvjbWQ5mqFp4OMgY94__tIU8vvCUNJiYA1RdyodlfPfH5-avpxOCvBD6C7ZIDyQ-6huGEQEAb6DP8ydWIZQ8xY603DoEKKXkJWcP6CJo3nHFEdj_vcEbDQ-WESDpcQFa1fRIiGuALj-sEWcjGdSHyE8QATOcuWl4TLVzRPKAf4tCXx1zyvhJbXQu0jf0yfzVpOhPun4n-xqK4SxPBCeuJOkQ2VG9jDXWH4pnjbAcrqjveJqVti7huMXTLGuqU2uoihBw6mGqu_WSlOP2-XTEyRyvxbv2t-z9V6GPt1V9ceBukA0oGwtJqgD-q7NXFK8zhw7desI5PZMXf3nuVgbJ3xdvAlzkmm5f9RoqQS6_hqwPQEcclq1MEZ3yML5hc99TDtZWy9gGkhR0Hs3QJxxgP7bEqGFP-HjTPnJsrGaT6TjKP7qCxJlcFKLUr5AU_kxMULeUysWWtSGJ9mpxBvsyW1Juo',
+          priv: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
+        },
+        {
+          kty: 'AKP',
+          alg: 'ML-DSA-87',
+          // eslint-disable-next-line @stylistic/js/max-len
+          pub: '5F_8jMc9uIXcZi5ioYzY44AylxF_pWWIFKmFtf8dt7Roz8gruSnx2Gt37RT1rhamU2h3LOUZEkEBBeBFaXWukf22Q7US8STV5gvWi4x-Mf4Bx7DcZa5HBQHMVlpuHfz8_RJWVDPEr-3VEYIeLpYQxFJ14oNt7jXO1p1--mcv0eQxi-9etuiX6LRRqiAt7QQrKq73envj9pkUbaIpqL2z_6SWRFln51IXv7yQSPmVZEPYcx-DPrMN4Q2slv_-fPZeoERcPjHoYB4TO-ahAHZP4xluJncmRB8xdR-_mm9YgGRPTnJ15X3isPEF5NsFXVDdHJyTT931NbjeKLDHTARJ8iLNLtC7j7x3XM7oyUBmW0D3EvT34AdQ6eHkzZz_JdGUXD6bylPM1PEu7nWBhW69aPJoRZVuPnvrdh8P51vdMb_i-gGBEzl7OHvVnWKmi4r3-iRauTLmn3eOLO79ITBPu4CZ6hPY6lfBgTGXovda4lEHW1Ha04-FNmnp1fmKNlUJiUGZOhWUhg-6cf5TDuXCn1jyl4r2iMy3Wlg4o1nBEumOJahYOsjawfhh_Vjir7pd5aUuAgkE9bQrwIdONb788-YRloR2jzbgCPBHEhd86-YnYHOB5W6q7hYcFym43lHb3kdNSMxoJJ6icWK4eZPmDITtbMZCPLNnbZ61CyyrWjoEnvExOB1iP6b7y8nbHnzAJeoEGLna0sxszU6V-izsJP7spwMYp1Fxa3IT9j7b9lpjM4NX-Dj5TsBxgiwkhRJIiFEHs9HE6SRnjHYU6hrwOBBGGfKuNylAvs-mninLtf9sPiCke-Sk90usNMEzwApqcGrMxv_T2OT71pqZcE4Sg8hQ2MWNHldTzZWHuDxMNGy5pYE3IT7BCDTGat_iu1xQGo7y7K3Rtnej3xpt64br8HIsT1Aw4g-QGN1bb8U-6iT9kre1tAJf6umW0-SP1MZQ2C261-r5NmOWmFEvJiU9LvaEfIUY6FZcyaVJXG__V83nMjiCxUp9tHCrLa-P_Sv3lPp8aS2ef71TLuzB14gOLKCzIWEovii0qfHRUfrJeAiwvZi3tDphKprIZYEr_qxvR0YCd4QLUqOwh_kWynztwPdo6ivRnqIRVfhLSgTEAArSrgWHFU1WC8Ckd6T5MpqJhN0x6x8qBePZGHAdYwz8qa9h7wiNLFWBrLRj5DmQLl1CVxnpVrjW33MFso4P8n060N4ghdKSSZsZozkNQ5b7O6yajYy-rSp6QpD8msb8oEX5imFKRaOcviQ2D4TRT45HJxKs63Tb9FtT1JoORzfkdv_E1bL3zSR6oYbTt2Stnpz-7kVqc8KR2N45EkFKxDkRw3IXOte0cq81xoU87S_ntf4KiVZaszuqb2XN2SgxnXBl4EDnpehPmqkD92SAlLrQcTaxaSe47G28K-8MwoVt4eeVkj4UEsSfJN7rbCH2yKl2XJx5huDaS0xn2ODQyNRmgk-5I9hXMUiZDNLvEzx4zuyrcu2d0oXFo3ZoUtVFNCB__TQCf2x27ej9GjLXLDAEi7qnl9Xfb94n0IfeVyGte3-j6NP3DWv8OrLiUjNTaLv6Fay1yzfUaU6LI86-Jd6ckloiGhg7kE0_hd-ZKakZxU1vh0Vzc6DW7MFAPky75iCZlDXoBpZjTNGo5HR-mCW_ozblu60U9zZA8bn-voANuu_hYwxh-uY1sHTFZOqp2xicnnMChz_GTm1Je8XCkICYegeiHUryEHA6T6B_L9gW8S_R4ptMD0Sv6b1KHqqKeubwKltCWPUsr2En9iYypnz06DEL5Wp8KMhrLid2AMPpLI0j1CWGJExXHpBWjfIC8vbYH4YKVl-euRo8eDcuKosb5hxUGM9Jvy1siVXUpIKpkZt2YLP5pEBP_EVOoHPh5LJomrLMpORr1wBKbEkfom7npX1g817bK4IeYmZELI8zXUUtUkx3LgNTckwjx90Vt6oVXpFEICIUDF_LAVMUftzz6JUvbwOZo8iAZqcnVslAmRXeY_ZPp5eEHFfHlsb8VQ73Rd_p8XlFf5R1WuWiUGp2TzJ-VQvj3BTdQfOwSxR9RUk4xjqNabLqTFcQ7As246bHJXH6XVnd4DbEIDPfNa8FaWb_DNEgQAiXGqa6n7l7aFq5_6Kp0XeBBM0sOzJt4fy8JC6U0DEcMnWxKFDtMM7q06LubQYFCEEdQ5b1Qh2LbQZ898tegmeF--EZ4F4hvYebZPV8sM0ZcsKBXyCr585qs00PRxr0S6rReekGRBIvXzMojmid3dxc6DPpdV3x5zxlxaIBxO3i_6axknSSdxnS04_bemWqQ3CLf6mpSqfTIQJT1407GB4QINAAC9Ch3AXUR_n1jr64TGWzbIr8uDcnoVCJlOgmlXpmOwubigAzJattbWRi7k4QYBnA3_4QMjt73n2Co4-F_Qh4boYLpmwWG2SwcIw2PeXGr2LY2zwkPR4bcSyx1Z6UK5trQpWlpQCxgsvV_RvGzpN22RtHoihPH74K0cBIzCz7tK-jqeuWl1A7af7KmQ66fpRBr5ykTLOsa17WblkcIB_jDvqKfEcdxhPWJUwmOo4TIQS-xH8arLOy_NQFG2m14_yxwUemXC-QxLUYi6_FIcqwPBKjCdpQtadRdyftQSKO0SP-GxUvamMZzWI780rXuOBkq5kyYLy9QF9bf_-bL6QLpe1WMCQlOeXZaCPoncgYoT0WZ17jB52Xb2lPWsyXYK54npszkbKJ4OIqfvF8xqRXcVe22VwJuqT9Uy4-4KKQgQ7TXla7Gdm2H7mKl8YXQlsGCT2Ypc8O4t0Sfw7qYAuaDGf752Hbm3fl1bupcB2huIPlIaDP6IRR9XvTYIW2flbwYfhKLmoVKnG85uUi2qtqCjPOIuU3-peT0othfmwKQXaoOqO-V4r6wPL1VHxVFtIYmEdVt0RccUOvpOVR_OAHG9uHOzTmueK5557Qxp0ojtZCHyN-hgoMZJLrvdKkTCxPNo2-mZQbHoVh2FnThZ9JbO49dB8lKXP4_MU5xAnjXMgKXtbfI8w6ZWATE_XWgf2VQMUpGp4wpy44yWQTxHxh_4T9540BGwG0FU0bkgrwA_erseGZnepqdmz5_ScCs84O5Xr5MbYhJLCGGxY6O5GqS-ooB2w0Mt87KbbE4bpYje9CAHH8FX3pDrJyLsyasA3zxmk4OmGpG7Z70ofONJtHRe56R5287vFmuazEEutXn81kNzB-3aJT1ga3vnWZw4CSvFKoWYSA7auLgrHSHFZdITfOrgtmQmGbFhM9kSBdY1UCnpzf65oos3PZWRa2twfUxxLAnPNtrxpRGyvtsapw7ljUagZmuyh3hLCjhAxYmnoE1dbyIWvpCqSlEtVjL1yb_nuLEzgvmZuV02fHxGuWgHTOMVGXpf81Rce3eoBK3lapW1wkzezlk3tcA2bZOtA9qbxdsbVR37kemzQ9K1e3Y0OWhtSj',
+          priv: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
+        },
+      ]) {
+        assert.partialDeepStrictEqual(jwk, createPublicKey({ format, key: jwk }).export({ format: 'jwk' }));
+        assert.deepStrictEqual(createPrivateKey({ format, key: jwk }).export({ format: 'jwk' }), jwk);
+      }
+
+    }
+  } else {
+    assert.throws(() => createPrivateKey({ format, key: jwk }),
+                  { code: 'ERR_INVALID_ARG_VALUE', message: /must be one of: 'RSA', 'EC', 'OKP'\. Received 'AKP'/ });
+    assert.throws(() => createPublicKey({ format, key: jwk }),
+                  { code: 'ERR_INVALID_ARG_VALUE', message: /must be one of: 'RSA', 'EC', 'OKP'\. Received 'AKP'/ });
+  }
+}
diff --git a/test/parallel/test-crypto-pqc-keygen-ml-dsa.js b/test/parallel/test-crypto-pqc-keygen-ml-dsa.js
new file mode 100644
index 00000000000000..9fa0a0ffef5d72
--- /dev/null
+++ b/test/parallel/test-crypto-pqc-keygen-ml-dsa.js
@@ -0,0 +1,69 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const { hasOpenSSL } = require('../common/crypto');
+
+const assert = require('assert');
+const {
+  generateKeyPair,
+} = require('crypto');
+
+if (!hasOpenSSL(3, 5)) {
+  for (const asymmetricKeyType of ['ml-dsa-44', 'ml-dsa-65', 'ml-dsa-87']) {
+    assert.throws(() => generateKeyPair(asymmetricKeyType, common.mustNotCall()), {
+      code: 'ERR_INVALID_ARG_VALUE',
+      message: /The argument 'type' must be a supported key type/
+    });
+  }
+} else {
+  for (const [asymmetricKeyType, pubLen] of [
+    ['ml-dsa-44', 1312], ['ml-dsa-65', 1952], ['ml-dsa-87', 2592],
+  ]) {
+
+    function assertJwk(jwk) {
+      assert.strictEqual(jwk.kty, 'AKP');
+      assert.strictEqual(jwk.alg, asymmetricKeyType.toUpperCase());
+      assert.ok(jwk.pub);
+      assert.strictEqual(Buffer.from(jwk.pub, 'base64url').byteLength, pubLen);
+    }
+
+    function assertPublicJwk(jwk) {
+      assertJwk(jwk);
+      assert.ok(!jwk.priv);
+    }
+
+    function assertPrivateJwk(jwk) {
+      assertJwk(jwk);
+      assert.ok(jwk.priv);
+      assert.strictEqual(Buffer.from(jwk.priv, 'base64url').byteLength, 32);
+    }
+
+    for (const [publicKeyEncoding, validate] of [
+      [undefined, (publicKey) => {
+        assert.strictEqual(publicKey.type, 'public');
+        assert.strictEqual(publicKey.asymmetricKeyType, asymmetricKeyType);
+        assert.deepStrictEqual(publicKey.asymmetricKeyDetails, {});
+      }],
+      [{ format: 'jwk' }, (publicKey) => assertPublicJwk(publicKey)],
+      [{ format: 'pem', type: 'spki' }, (publicKey) => assert.strictEqual(typeof publicKey, 'string')],
+      [{ format: 'der', type: 'spki' }, (publicKey) => assert.strictEqual(Buffer.isBuffer(publicKey), true)],
+    ]) {
+      generateKeyPair(asymmetricKeyType, { publicKeyEncoding }, common.mustSucceed(validate));
+    }
+    for (const [privateKeyEncoding, validate] of [
+      [undefined, (_, privateKey) => {
+        assert.strictEqual(privateKey.type, 'private');
+        assert.strictEqual(privateKey.asymmetricKeyType, asymmetricKeyType);
+        assert.deepStrictEqual(privateKey.asymmetricKeyDetails, {});
+      }],
+      [{ format: 'jwk' }, (_, privateKey) => assertPrivateJwk(privateKey)],
+      [{ format: 'pem', type: 'pkcs8' }, (_, privateKey) => assert.strictEqual(typeof privateKey, 'string')],
+      [{ format: 'der', type: 'pkcs8' }, (_, privateKey) => assert.strictEqual(Buffer.isBuffer(privateKey), true)],
+    ]) {
+      generateKeyPair(asymmetricKeyType, { privateKeyEncoding }, common.mustSucceed(validate));
+    }
+  }
+}
diff --git a/test/parallel/test-crypto-pqc-sign-verify-ml-dsa.js b/test/parallel/test-crypto-pqc-sign-verify-ml-dsa.js
new file mode 100644
index 00000000000000..de3937dbc07486
--- /dev/null
+++ b/test/parallel/test-crypto-pqc-sign-verify-ml-dsa.js
@@ -0,0 +1,121 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const { hasOpenSSL } = require('../common/crypto');
+
+if (!hasOpenSSL(3, 5))
+  common.skip('requires OpenSSL >= 3.5');
+
+const assert = require('assert');
+const {
+  randomBytes,
+  sign,
+  verify,
+  createPublicKey,
+  createPrivateKey,
+} = require('crypto');
+
+const fixtures = require('../common/fixtures');
+
+function getKeyFileName(type, suffix) {
+  return `${type.replaceAll('-', '_')}_${suffix}.pem`;
+}
+
+for (const [asymmetricKeyType, sigLen] of [
+  ['ml-dsa-44', 2420], ['ml-dsa-65', 3309], ['ml-dsa-87', 4627],
+]) {
+  const keys = {
+    public: fixtures.readKey(getKeyFileName(asymmetricKeyType, 'public'), 'ascii'),
+    private: fixtures.readKey(getKeyFileName(asymmetricKeyType, 'private'), 'ascii'),
+    private_seed_only: fixtures.readKey(getKeyFileName(asymmetricKeyType, 'private_seed_only'), 'ascii'),
+    private_priv_only: fixtures.readKey(getKeyFileName(asymmetricKeyType, 'private_priv_only'), 'ascii'),
+  };
+
+  for (const privateKey of [keys.private, keys.private_seed_only, keys.private_priv_only]) {
+    for (const data of [randomBytes(0), randomBytes(1), randomBytes(32), randomBytes(128), randomBytes(1024)]) {
+      // sync
+      {
+        const signature = sign(undefined, data, privateKey);
+        assert.strictEqual(signature.byteLength, sigLen);
+        assert.strictEqual(verify(undefined, randomBytes(32), keys.public, signature), false);
+        assert.strictEqual(verify(undefined, data, keys.public, Buffer.alloc(sigLen)), false);
+        assert.strictEqual(verify(undefined, data, keys.public, signature), true);
+        assert.strictEqual(verify(undefined, data, privateKey, signature), true);
+        assert.throws(() => sign('sha256', data, privateKey), { code: 'ERR_OSSL_INVALID_DIGEST' });
+        assert.throws(
+          () => verify('sha256', data, keys.public, Buffer.alloc(sigLen)),
+          { code: 'ERR_OSSL_INVALID_DIGEST' });
+      }
+
+      // async
+      {
+        sign(undefined, data, privateKey, common.mustSucceed((signature) => {
+          assert.strictEqual(signature.byteLength, sigLen);
+          verify(undefined, data, privateKey, signature, common.mustSucceed((valid) => {
+            assert.strictEqual(valid, true);
+          }));
+          verify(undefined, data, privateKey, Buffer.alloc(sigLen), common.mustSucceed((valid) => {
+            assert.strictEqual(valid, false);
+          }));
+        }));
+
+        sign('sha256', data, privateKey, common.expectsError(/invalid digest/));
+        verify('sha256', data, keys.public, Buffer.alloc(sigLen), common.expectsError(/invalid digest/));
+      }
+    }
+  }
+}
+
+// Test vectors from ietf-cose-dilithium
+{
+  for (const { jwk, data, signature } of [
+    {
+      // eslint-disable-next-line @stylistic/js/max-len
+      data: Buffer.from('65794a68624763694f694a4e54433145553045744e4451694c434a72615751694f694a554e4868734e7a42544e3031554e6c706c63545a794f5659355a6c424b52315a754e7a5a335a6d3559536a49784c576435627a424864545a76496e302e53585469674a6c7a494745675a4746755a3256796233567a49474a3163326c755a584e7a4c434247636d396b627977675a323970626d63676233563049486c76645849675a473976636934', 'hex'),
+      // eslint-disable-next-line @stylistic/js/max-len
+      signature: Buffer.from('92723543ff422332c7e57cbde0a91ced654aa9970082d27798d7f41948f5b8b03a6170161497d7921fb343152d125dd4202ef33c2894c0a4c347a66cb949858fc0ad6ffe9a1fae2112537bc1e4bfd66e68902cbc1aa1cd2f696c7dc9421f76367f840d3fe0cb552d57b2e6e80c0ec3c378abd887582887d6272214ed138781ddb89eeba7d7325bc5c2c90b610ab7633c474c19b9d70813d9e6e683f3617ab4cfe84fb0aa17a7d95e55892a80c98ef4ba3c48fff5618204b61dc1f2ff86b8fdb8f4a0d315128f8c84a62b868f0a49e3b638a11ec415bf65de3d7c4a1316ad1e5e2a86c8a25becbe1095dad4a7f0e166292c0ec1e3fe4876cfbe708266231edfeb1c4058a879aa8056ab540839a685bb3b00ada456dcd384bb34e17b0d449fce6023719c453646a7e5431b2c479b4025d387325a8d9bc4054e1747db0dcdbae623f6982370e90835d232097808460783803187015162401b497530dd54fe4a049868797572a7413465e3ad5e6bf0aadc32e4700d838f6c285941720d3990f283bfca178049f25a732466effb2e8fcf33e5714da3c179dcff0ec531bdc543e5af0bc7f9302aec01f7354e12357029c95293537ce1c75b49df89e54c82dc4ee8d7549568fdfd0365f531afa252098aafcb8cf52a5d300d0cdde796a8a7216d431bce3e17021db00ddf8836520ef9d099bcdf97e5ecd3b172aa0c6ee4dc807ebc92bdfb33e3dd8762bd59acd7509802ba981d2165bc5a37ce8e64e2179f42ad5b5f56d2b6a83cc5e343843427eab4d3d09597b970de69d0ff1aae3e14481f0708f87b35da90040796af0d30b1885d88cdfd96b4a403c98b458321667a8a1824cf0ab1d70dd12344a61135aa88513e3895a625e5cdbb2b4bfea338ca3eeeadcc48646120b85d9dcb7a1105b66033384d261db84a3205ea8e83c98ceac620f89b5f78f02bcfd0e5198c397b57a3c477bd77c1694750a0b79ecb2c0d604d2721cb25e33e5af3fbadc0416255fd152b6a5dbe2ca238f5528b7cce3009aacfa805855cbc68c310396640100b93c83c3b6561ba762c29b66ae0497668b56eb7235f52d991fb91e097448abfa452ee6213ae1ba743e0c928b882d1742f5b5d930bacd0eaec23a950e3bce9a415958774a51f77e56a54c3e57aa1b4919c79511594a6512201ee1d50d0899c891ce88cdf775e1c3baa9cc6cddcc310edce3936b25da486ff4607432cbe787e2105b9a0b7f2c1c75db4835798e171de1c545f4df7ad1e42f9659bac5f58d0fe793d7b3e17046ffa851b53352b9506c6251fcf8a52e479faa4cff1d92f45ff16936847a14af6b33e583bfc4314230c4ebb7c6a188cc9f8e8e62879170a37ae215b15418a89b9e24cb5eca45778b2970d2bf59c86564b46090f2b88e1e99fd7f092641f1bd0869ca8b87405c86c6006b976e31fbf101d736d632126d8669bc0e22adfa7cca689cfc0a3bb5f87c02a60efa091a91b04cf6872284a5b6f83392904a3dc0b04342ae8566439408bf72b65cd464bdee2f8c198feac5766fa19263f51e46f3c4940ed25200464ca6e7f9cd1a62106e07ca653e145305ae79fdc16a0263666af175f9f74c92d26e21a1f67fe2b4cd90b36c7c39e3df7c4fb9085a0c8cb3218202fca7101fe484eab04fbb428e0e4743c4888dd9d1616d248d97e3b792c96c603e3e7468f203d541519e6033f6bec49784d258f78022b4a098d6cadc4acb980eb84d04aae7a09d6e12c30f547b20170fd91ccc8011a550ba0852356e1f9bcabaff536fe332eeb43213ce600be9aea2ebe592e90448b3fe1552dc2be5c5d72050c378755678670d8af43a5bdbab1143f872b82e8aaef3fc34e261a19f524b2e6fe4fb9b0d3353c668392779a544e924bbfe218214025e82b1c1efba79d12c42aaa56d526b575c159b3954fe007d1de683bc17e1596ad401e7a45c44d8bd4b6622a84dcf630c43af4c3931afcea0324c0c9ba45dc8f17fab8f00549d5bafc429f3cfb807ce17e76cd9e5cc3e20961ef87895276f4ba5e626df8d3fad68afa72f940798bd4ca94caf17fde32d689336533db3f7fefd7f5d7d2713b4532f3f7c100f7a7ae27b9771296c4aa4b3b9a1ea2d4524d9efbe533fbb6f6c6286c9e8f513fa2d559509c5fc904044a133ef8a415e6d65e58e4ba35e6bb0895a4078a750108ef1f1c21c8e7d2c07cabac378266a1d0ea2d8c245a28c42ffb1fac2e8bb6b6d7aa9335a70d3dcd2aecfed4b5450f8b9d61ee3eb53928b0b3bf9dc92ab87c954fdc741a307bf17e21bfd48b86d0d85304fb49a7c86d178a31d4b2b18c67d75fa30bc892bf37269ab09453990303264863cd3c4251c3d903b218e8b677540794b55027effd4e08a159fb5a0bf17824be041c6ac967e1ed84dd7fbdc49e61b0558c558e55da1c279e4d999469c9d3e0c41401c6c58d3aba04195ba0040658fd85656a5de87367aeebfbe3855e5a67e02e4f73e79ebbc05870b97324984db1bc3a38c0ff34c6eb6351fb1e3f1e5890bc616355ec5aa4d9af5f6d227c49596abc44b66c58f9adab9c19e6e70131ab022e938005e9d865d4807103610bbdf02d2d19dacd47421068225ee5af5a77ef62d9b3f49ebb5bbff05a3b0e826a46929a368736fc950c9a7ed35194bcccbcb3c607aaf11f2235b44fdb40f00c1357a1cb130c129a42bb41f908843f2490b496b81bad5778d672879686cdfa1667d3a68d91bda5b6de85cab022bb7e1128cfc9e4fab1f4abbce7d366bedf057c2952cdab4b806b94db1ee60fe1f024228a4f1a68e4ce10f9178b2838b390dec119600d91d2fb783e6173d420134eeb6fc7c649e4329909bca5beb64bc36e0b71bf2e271bcd2e97a5bf29e46ca042834d160d2995b15e36484cd6b487a6a09f034224a11b160dd086b7b7f787348bad267cff582202935eb097dd8b76797fba98fcd898b6d26d5e631faf6fe9666a615d96023fbd0d4d1d891e2139f6106899c16614ed29bf9242c62216e375043277bfd78cf4af21abdd4d05d08755af93864f43a2ff8991c4d99d91914725b9c971d457834e125b415e1f069238c3bece58a37bbedab3c25e32b56863d22355bc05a5092d0639b1b7c054202e50706ff95961e506a6b7e96078a82e86a4d2bb2fad8da6ce6f992204e1bbc4642ddf3f97617b675850c28a2fb9875d577d9b10fb1431cbc8127dd333e210caf4dc3f550b7a7f35a2418d1387f747cd5922d0c51f55fb0352381b9610fa8f4c206ecdf3763f86337aedb7ca22b74c17c75d5b20e68e2a07f4eed3f4c229955cc46a4567bb2c25002931393e444a535c7f8788aeb2bce2e6ec0a0e17384a64709ba2acb0dae608092234364244454a777c8c9eb8c0e0f0060f374a595a6570727a8ca9abb1bac4ced1ddf5000000000000000000000000121f3044', 'hex'),
+      jwk: {
+        kty: 'AKP',
+        alg: 'ML-DSA-44',
+        // eslint-disable-next-line @stylistic/js/max-len
+        pub: 'unH59k4RuutY-pxvu24U5h8YZD2rSVtHU5qRZsoBmBMcRPgmu9VuNOVdteXi1zNIXjnqJg_GAAxepLqA00Vc3lO0bzRIKu39VFD8Lhuk8l0V-cFEJC-zm7UihxiQMMUEmOFxe3x1ixkKZ0jqmqP3rKryx8tSbtcXyfea64QhT6XNje2SoMP6FViBDxLHBQo2dwjRls0k5a-XSQSu2OTOiHLoaWsLe8pQ5FLNfTDqmkrawDEdZyxr3oSWJAsHQxRjcIiVzZuvwxYy1zl2STiP2vy_fTBaPemkleynQzqPg7oPCyXEE8bjnJbrfWkbNNN8438e6tHPIX4l7zTuzz98YPhLjt_d6EBdT4MldsYe-Y4KLyjaGHcAlTkk9oa5RhRwW89T0z_t1DSO3dvfKLUGXh8gd1BD6Fz5MfgpF5NjoafnQEqDjsAAhrCXY4b-Y3yYJEdX4_dp3dRGdHG_rWcPmgX4JG7lCnser4f8QGnDriqiAzJYEXeS8LzUngg_0bx0lqv_KcyU5IaLISFO0xZSU5mmEPvdSoDnyAcV8pV44qhLtAvd29n0ehG259oRihtljTWeiu9V60a1N2tbZVl5mEqSK-6_xZvNYA1TCdzNctvweH24unV7U3wer9XA9Q6kvJWDVJ4oKaQsKMrCSMlteBJMRxWbGK7ddUq6F7GdQw-3j2M-qdJvVKm9UPjY9rc1lPgol25-oJxTu7nxGlbJUH-4m5pevAN6NyZ6lfhbjWTKlxkrEKZvQXs_Yf6cpXEwpI_ZJeriq1UC1XHIpRkDwdOY9MH3an4RdDl2r9vGl_IwlKPNdh_5aF3jLgn7PCit1FNJAwC8fIncAXgAlgcXIpRXdfJk4bBiO89GGccSyDh2EgXYdpG3XvNgGWy7npuSoNTE7WIyblAk13UQuO4sdCbMIuriCdyfE73mvwj15xgb07RZRQtFGlFTmnFcIdZ90zDrWXDbANntv7KCKwNvoTuv64bY3HiGbj-NQ-U9eMylWVpvr4hrXcES8c9K3PqHWADZC0iIOvlzFv4VBoc_wVflcOrL_SIoaNFCNBAZZq-2v5lAgpJTqVOtqJ_HVraoSfcKy5g45p-qULunXj6Jwq21fobQiKubBKKOZwcJFyJD7F4ACKXOrz-HIvSHMCWW_9dVrRuCpJw0s0aVFbRqopDNhu446nqb4_EDYQM1tTHMozPd_jKxRRD0sH75X8ZoToxFSpLBDbtdWcenxj-zBf6IGWfZnmaetjKEBYJWC7QDQx1A91pJVJCEgieCkoIfTqkeQuePpIyu48g2FG3P1zjRF-kumhUTfSjo5qS0YiZQy0E1BMs6M11EvuxXRsHClLHoy5nLYI2Sj4zjVjYyxSHyPRPGGo9hwB34yWxzYNtPPGiqXS_dNCpi_zRZwRY4lCGrQ-hYTEWIK1Dm5OlttvC4_eiQ1dv63NiGkLRJ5kJA3bICN0fzCDY-MBqnd1cWn8YVBijVkgtaoascjL9EywDgJdeHnXK0eeOvUxHHhXJVkNqcibn8O4RQdpVU60TSA-uiu675ytIjcBHC6kTv8A8pmkj_4oypPd-F92YIJC741swkYQoeIHj8rE-ThcMUkF7KqC5VORbZTRp8HsZSqgiJcIPaouuxd1-8Rxrid3fXkE6p8bkrysPYoxWEJgh7ZFsRCPDWX-yTeJwFN0PKFP1j0F6YtlLfK5wv-c4F8ZQHA_-yc_gODicy7KmWDZgbTP07e7gEWzw4MFRrndjbDQ',
+        priv: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',
+      }
+    },
+    {
+      // eslint-disable-next-line @stylistic/js/max-len
+      data: Buffer.from('65794a68624763694f694a4e54433145553045744e6a55694c434a72615751694f694a5464576c314d6a6c78596d5a3159554a68556a524264484d74597a5a5955554a6c55454a66543342426545463359315253587a424c57465a4e496e302e53585469674a6c7a494745675a4746755a3256796233567a49474a3163326c755a584e7a4c434247636d396b627977675a323970626d63676233563049486c76645849675a473976636934', 'hex'),
+      // eslint-disable-next-line @stylistic/js/max-len
+      signature: Buffer.from('ce63bdff46cb80901e82854dca67d1a389c63cae6556d4851a70dbcdfcd8003e665045e9681520e22b6f67cac05198b81cb6f9f50a83412052a4c5c2d1ac5a8d738c57f62db5f9b01a00ba14cc9a311664c7e03dd9b1a234bbada97f6373044b26a5e3324506873d98a477bf995f50a71a244421fd2ba8e4c85669e21648c055e146dd73d0e1886b9acea072acc4e0805198535ca88049bdef93d9540125b4f98e7c58a4f8ad59acb7bfddbe4ec555b7bd03d236d481fe4ea960d7348ca08f28ce1d5a0521bddae3eeaec05de4a45c3a527084d51824380749c2075cce87ce4eaef7c5b9a2b28f1eed6b0c82bbac7248e19aee8b8c018e640bb0f134d4b7191d1c78cdec43093302192a236cbd45893f42537a147a9e2858ecad4c401fd9e0a2dea0c3d224aba7922c942b9ea0d8ed18e1529d42a5b2709e89917eb4da93cb52a927712b4da34f702cc2bec11a96127015aecd396c90384254cdc2da3d8fd5105c1c097d469386c423ed6b2c38b266a917827cbe536a119e5974777bbe7b64bf460fbf78bd47fd711b3ecfe49bef36d86ec963d962e26b99e4a56f7d07ffe61cdad55e06c1eaaf99e5ae64bd60054d873d2ef1d6d58befdf002ce935acc9f1b2f04e3e248bc4011d3e822ec34fea3252a34dabc970315a8a18028063149394a353ae485904bdb78ae0c6ff4876ed0e0aca33a3d88206aad572768ec14a6432157a29e89703b91035c7a055a322a38d1c8d2c8c88492118838439ff0be9ea213a1fdb3cf458b3ef0dad9f953812426b4b9b25c0d4d5c4ee18d09aee7596c40a9f56370cc8d0f1f571c16019d239c14d7cc3fb4bd9efab0dca0b9d14fedd8f1f949fc12f70e032ef720ae510ffe0c1280e5ee7fe8b4b5118b425cb720c07b3bc40e9e4a1fc8568250365ebab164193a6805f4fa9736c9ce74003080cf35c594b1194d4d7b07edab42d67c65e310c92e698f2c2c6212b7f16c25b980c5a8c7490b0f07ec163e7b86c5c6ef9719e238816eaf5bd158c3ed591ff3195cd3a131773061197cfca0989a4f95870ecbb31adac59a1e9d88dd5c3b80b18ebe8a74d13c225cb1b1f5f1438008fb491ede03328b40ce19e1e01ee35cf891c3ee867a9e350c49306447569430d4fb9ffda77c54c309da96d4768cb0cc081df2ce93a75ac8a5c4d6832a6393a9f12e64fd201a927474bcdc668654c0e61ddb649dbc359c4ce91ec3d34fde04462b1f6d2b9913fb1bb9172b32ef99679a280878a101e2aa356181aba278f0d188c9a3c743a17509cc0ad3bc3d66f1d3a4a2be2467ff986cc1d555d3c078f0c547a9b33603108b2c96229c2d84a74df4d94a340c8fab4cd6756679f9f2433b542b247310cbb07f4062f3f3f8742bdc7ed7834125c23627fa3257819fdc7672c5b78fd3b8a41da70fea86fcab3633b1d0c75cfb53ebc285aaa40f6c4affe94b9970236a8d547236563da6647072a1dd5051e3901317f74818cffc51c4014cd4bb538af0cfb5490646cc94f6b2eddae999cc9e9d14e6a757c8c38d1682368c9da10e3b7b40442c2f1fabbda2f164c26d736cf4307770246002fe4ba0ed78c7dd259067306eef3ceb788692c2bd80da8a1b799880c9dc1bf0b5f642c63d26bfcda61180300ab3ae992e68cc8177fa454ca329f6cd06631c321b5643f6e46e3c8f62980e024bb6edf8ef18bdb5a0e9e43ea9af4ea8397136ddd7737d939e240557157137a3c3637dd75d4f91a6f775c38ecd678f279322738c3f1795bbe4f69db29f1587afe4ada391d765daeee23f044d45bbae2de6106d66fddc406c07b69156ec069d88d6f429a6e81b9917b1b8c44b7581482aa366d2aa50a164ebfe4dade4a1e75a896b49b147ed4b26f0fc328b8b0d861e3fc911c00cedaada8d7dcc20b1da994348c79823be0240f4462e52bf18b3381390737e7cb713679a139fe04014d218d1e942d241d22a4fc038eab230c25ea5eea42911b5ad6fc678387288b6faf598bcabba9aaf4785da2f1c0696ad9472bee3cf23864337f36499f411f07a2047a34b5612e5469d5cc0c02b4920c0ddff109678dd6da7aeb71457bc59c20a3064efdc2cf1519d580b919885a0a0415e5405719098c9d3bcce5bc23790d7c1ea99f1b19989c16006a967355253e690d06cb664978a70336dd97e5be927d57443ba1cd369f1e79026ca4b95e024ab160f616b85c9c26b1c51c6ec481b18a3a1f8c3e22866268603161d4562cf48702faccc47cc49e91a9d63886421ddd5f5734d26cbaf96cd68e5d1dac3b59ae157ef0db69bca41543ddfc8e1cad899cae050429c406baee3080daaaabbc678c5eb001ca7f163aef0fb6e5e52ebd50862f7c695d2ca9f74ebce080a41b8493ced3f5b212d5b3128303edfbb0a2a996a7a611194c3d8e2f0ccd4da7c26555ac1b48622ea26db483aa76295ff3a483f0c7dbddd6702269e65baf27f737982d2fe74eabe73ab998530b1f4e2c1b4b184dc17009a7e49163306405c724cbd3b065b8dbb6e0a7fe96db468fd8f36f03d962ba24f929cc8a55c6144a81dc3ddc2823a55a3b2083fddc516d6e329e0a95642f922995f4f77b718ef4c3ad3b8dc601277325159f047967983d9f6abbac7089d03c5e52c7c57c5f2c824e81fa54f0c4e9a5fc5d9cc86a352bc7fc7c79ee80e985b524b392b567cf8ee1d4a736a43e6566e1680c9d6101432ae505e8761302f6968499800b1853913a76b7af8fddb7aff8571d14876ccc90bd2f15ad27de8b63f195e10be9d218887723f506e916347b6c5cad91c6b7acdffe029dd83604e1b155c299f58a500c2532efa1916d309e9ea8c3f921b9b155045616b9cb16ca02b3ebdbe5e9824f1cb990514807663cd45dc42814b6575f08b78bef1849bebc8ca2ec5f43be4f30168898772c31df79d3be5e3edfd59029546948f9e58f44f3515b3847213dfb9ddb0dd3b52bd13ef07cf91818f2c2c9500725c5c5061383e7292649ed320152d1c3eaec99d3e9c2e4a1b16d766c044cd47879ece22c745a6a3afbabc03383c62b7a9103554086d297caf35c01f55c7158bc28930af4ccf67883973c04efc91cb7e0bb6b720f2d7202b47ed62a116629019d9f5696415dc61f4c88a7b8b374faa2eb6b7f3c119baee7d8ef9910fb994bf59ac31654c195781a0d3f794968918658af22632bb8abb1ababee965ebe6a0b3ffb93002d54975bfb35bc5378cb277b514989728e5a737950068c343a6278b9cbdc78045fb9414a9ca0630b2e0972c7658e0842d3f085bb9ec576d509eaa806ed0b367be94b4476652e10e4f2aa229067496b8cc466dd8ac2bc92b1b51e6d8614d191aef4f0dcc1bf0491b3e271186fff1168c7853f9a07854bdc82ffa33de6b77890a2ccdf03e4b31dc294d65699301b940b2c64b3a2a22604066513d7c9ac710eda9975a44ff087390a6b8f7b2bb791a7e2d0be8b1628ec5319d21b14e982eee17ef726a304228df13dff296f83c93f11b2369a21b5d6088e0d50986fb93d623cab8b073d75251467b5e8892db88566145fa04619034ddf05473e40e43954830584e3b68f7dba5aaeaf2c782bf50c0aef6c41537105f321f2d2cdecef7e31796725b1df29fa851e23c674860e069c2ea89740262ca2b921b7809c4c1bfc2ec0d9015a83befa23a6e8f21aac2caf2fcfcffadb947d3e332208c9277a3a60985ba3eab62bcd991661ee20bcb37c3486b470d9a59211ed79d14167adf747091072f993ae7792fc841c9834894884d22c0d03977fe2006adef9b0d49ef8870007c7467f89811c3d2ea10c6a30f0cf03ed425364391457ff3ace3d98a869bf402fda01e0fffcd3fab1aeb56c8f7e8133b3bd87342621312930e338af5f22f1da57e1cde31af6bd69deafca3a8cfc844ef18cf03eda11ece551538417000b9a124f48c02afc593d26570852e0be21325936d373f40c1f8abbb7c243e36b56d737be9602e4478e26b4c79a6d80c0b2da9cbfbd21d9c9b7c84bce598ec390fa2fdefe7881ce1cb35f0cc168b132122b5b178650c7973cf255ca0cca5ef6d8ab008e9701ca8b7f8519903f169b6615ee18557f12d0d4058b7a4584f436658c2b44f926d2d4458d191f1f697282bda6739d1ca8a9d5b3f08377c3b2af680fd9ac42a4217924adeced1baa48d3a0e50c70a5fec53aac23a8c907facb5018efb39be12764491a011c6811e94bfe2ebc47a7227ab6bcdc72ed24ab1b9b1eb916db21dca9ee9e9d57f8df363058a51e249675d1bb776bddb38929defb76a3eafde0ba22a82682e757ff61f2b505eb3a2b4d613e4eae7cb587dbe529867f8882279732f4b4d8d023887f026d3e4526c81099c14856267576e0fe693993defc2724436f31bf927b65fe01beaaeafeb86e6c51214c9e49bdd31fcfc5a1739e964875fb19128432a5d5a77a47a2106f3b24fd066a2dcc89626d5925272e20ce4cd47232493a577e04e68cfdc9cc887a68c8a5d22405d33705e78331296ef0cfd98d1f9eb82a0e93b7451de020d6992d199e1b4588e3058130c7f0f0f1e3a72575ec2ff58667d123e75aadb65c5fb3c3dcde11c38941002ca4ff09ce1c17004bee5c2d913336616685ce223b89accffb1e43537476b6c1d0da14556066718de9182f53898e9fe8f9fe141527424b81848c8fb60000000000000000060c151c252f', 'hex'),
+      jwk: {
+        kty: 'AKP',
+        alg: 'ML-DSA-65',
+        // eslint-disable-next-line @stylistic/js/max-len
+        pub: 'QksvJn5Y1bO0TXGs_Gpla7JpUNV8YdsciAvPof6rRD8JQquL2619cIq7w1YHj22ZolInH-YsdAkeuUr7m5JkxQqIjg3-2AzV-yy9NmfmDVOevkSTAhnNT67RXbs0VaJkgCufSbzkLudVD-_91GQqVa3mk4aKRgy-wD9PyZpOMLzP-opHXlOVOWZ067galJN1h4gPbb0nvxxPWp7kPN2LDlOzt_tJxzrfvC1PjFQwNSDCm_l-Ju5X2zQtlXyJOTZSLQlCtB2C7jdyoAVwrftUXBFDkisElvgmoKlwBks23fU0tfjhwc0LVWXqhGtFQx8GGBQ-zol3e7P2EXmtIClf4KbgYq5u7Lwu848qwaItyTt7EmM2IjxVth64wHlVQruy3GXnIurcaGb_qWg764qZmteoPl5uAWwuTDX292Sa071S7GfsHFxue5lydxIYvpVUu6dyfwuExEubCovYMfz_LJd5zNTKMMatdbBJg-Qd6JPuXznqc1UYC3CccEXCLTOgg_auB6EUdG0b_cy-5bkEOHm7Wi4SDipGNig_ShzUkkot5qSqPZnd2I9IqqToi_0ep2nYLBB3ny3teW21Qpccoom3aGPt5Zl7fpzhg7Q8zsJ4sQ2SuHRCzgQ1uxYlFx21VUtHAjnFDSoMOkGyo4gH2wcLR7-z59EPPNl51pljyNefgCnMSkjrBPyz1wiET-uqi23f8Bq2TVk1jmUFxOwdfLsU7SIS30WOzvwD_gMDexUFpMlEQyL1-Y36kaTLjEWGCi2tx1FTULttQx5JpryPW6lW5oKw5RMyGpfRliYCiRyQePYqipZGoxOHpvCWhCZIN4meDY7H0RxWWQEpiyCzRQgWkOtMViwao6Jb7wZWbLNMebwLJeQJXWunk-gTEeQaMykVJobwDUiX-E_E7fSybVRTZXherY1jrvZKh8C5Gi5VADg5Vs319uN8-dVILRyOOlvjjxclmsRcn6HEvTvxd9MS7lKm2gI8BXIqhzgnTdqNGwTpmDHPV8hygqJWxWXCltBSSgY6OkGkioMAmXjZjYq_Ya9o6AE7WU_hUdm-wZmQLExwtJWEIBdDxrUxA9L9JL3weNyQtaGItPjXcheZiNBBbJTUxXwIYLnXtT1M0mHzMqGFFWXVKsN_AIdHyv4yDzY9m-tuQRfbQ_2K7r5eDOL1Tj8DZ-s8yXG74MMBqOUvlglJNgNcbuPKLRPbSDoN0E3BYkfeDgiUrXy34a5-vU-PkAWCsgAh539wJUUBxqw90V1Du7eTHFKDJEMSFYwusbPhEX4ZTwoeTHg--8Ysn4HCFWLQ00pfBCteqvMvMflcWwVfTnogcPsJb1bEFVSc3nTzhk6Ln8J-MplyS0Y5mGBEtVko_WlyeFsoDCWj4hqrgU7L-ww8vsCRSQfskH8lodiLzj0xmugiKjWUXbYq98x1zSnB9dmPy5P3UNwwMQdpebtR38N9I-jup4Bzok0-JsaOe7EORZ8ld7kAgDWa4K7BAxjc2eD540Apwxs-VLGFVkXbQgYYeDNG2tW1Xt20-XezJqZVUl6-IZXsqc7DijwNInO3fT5o8ZAcLKUUlzSlEXe8sIlHaxjLoJ-oubRtlKKUbzWOHeyxmYZSxYqQhSQj4sheedGXJEYWJ-Y5DRqB-xpy-cftxL10fdXIUhe1hWFBAoQU3b5xRY8KCytYnfLhsFF4O49xhnax3vuumLpJbCqTXpLureoKg5PvWfnpFPB0P-ZWQN35mBzqbb3ZV6U0rU55DvyXTuiZOK2Z1TxbaAd1OZMmg0cpuzewgueV-Nh_UubIqNto5RXCd7vqgqdXDUKAiWyYegYIkD4wbGMqIjxV8Oo2ggOcSj9UQPS1rD5u0rLckAzsxyty9Q5JsmKa0w8Eh7Jwe4Yob4xPVWWbJfm916avRgzDxXo5gmY7txdGFYHhlolJKdhBU9h6f0gtKEtbiUzhp4IWsqAR8riHQs7lLVEz6P537a4kL1r5FjfDf_yjJDBQmy_kdWMDqaNln-MlKK8eENjUO-qZGy0Ql4bMZtNbHXjfJUuSzapA-RqYfkqSLKgQUOW8NTDKhUk73yqCU3TQqDEKaGAoTsPscyMm7u_8QrvUK8kbc-XnxrWZ0BZJBjdinzh2w-QvjbWQ5mqFp4OMgY94__tIU8vvCUNJiYA1RdyodlfPfH5-avpxOCvBD6C7ZIDyQ-6huGEQEAb6DP8ydWIZQ8xY603DoEKKXkJWcP6CJo3nHFEdj_vcEbDQ-WESDpcQFa1fRIiGuALj-sEWcjGdSHyE8QATOcuWl4TLVzRPKAf4tCXx1zyvhJbXQu0jf0yfzVpOhPun4n-xqK4SxPBCeuJOkQ2VG9jDXWH4pnjbAcrqjveJqVti7huMXTLGuqU2uoihBw6mGqu_WSlOP2-XTEyRyvxbv2t-z9V6GPt1V9ceBukA0oGwtJqgD-q7NXFK8zhw7desI5PZMXf3nuVgbJ3xdvAlzkmm5f9RoqQS6_hqwPQEcclq1MEZ3yML5hc99TDtZWy9gGkhR0Hs3QJxxgP7bEqGFP-HjTPnJsrGaT6TjKP7qCxJlcFKLUr5AU_kxMULeUysWWtSGJ9mpxBvsyW1Juo',
+        priv: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',
+      }
+    },
+    {
+      // eslint-disable-next-line @stylistic/js/max-len
+      data: Buffer.from('65794a68624763694f694a4e54433145553045744f4463694c434a72615751694f694a30556d3478536b354a6132644e63304643566c46436246686c5245683451556c6a5932786f4c544a4a574442565a455246656c42304e566856496e302e53585469674a6c7a494745675a4746755a3256796233567a49474a3163326c755a584e7a4c434247636d396b627977675a323970626d63676233563049486c76645849675a473976636934', 'hex'),
+      // eslint-disable-next-line @stylistic/js/max-len
+      signature: Buffer.from('86632b2a452067018f415fd65285d456afd9f5639e9c365b7cc987a4aae2b65d1bb568b6f530bc788c90c93d4502e5b6920de1e802ecbc2ae35f9b67dd0285419602d2c05d46dd153620e6d018f22788d67289920a06f4f9c19768b94e0c0cfe9e31ab89d61f3b50e918cc071ec86e2aebc40afe2a9d7dd78193c4fba0bc2dae374d9ad83bc6ebcc15c68aec8630babe4d29976af39e89a76da69ea24d4a890c1810498bcf07a3ef8a97823e5407d99422f2a92b6b1b298b4960cbc261d9a4588f8e035f664aabe325fa17c1241e221d1a569b03e9107ec47782e404895aa99a0f71cacf829190a72cf8fc571a86b25cf02186b533b9237e28e4172e65e8fb58e42f27a9919af62a22b630a0bb3edff60566455d5f8294dfca29accbc01e339b3a1cbfbd9640acc9c281f62508aac035b84e646f0ed015e0aa8c3906abffa11233b4641932b8afa7fd424b48442daaf09308ddab21f947be3b9dd576e884247b29facbd75a5d16485b1682f4a9806834a6e7e62c455a62000af44267da579d73d3ae7faf9a9998e305201111562f416e6fd9ee2a4992820bd92a95b1e3c04df1de581f21b85a5517175e1242543c3b81b6d85ac741e1c6946e102a453497f6c40ef41e9e42e55648b22e443b6d47b91a62c6234a9973f9c2186c9ffbaffc1ed1e1fe035fa5fa039de516b51fa4522b4df390bc102f9845144d219c3de4fe17b7ffd65cf7e2e172377653e0509e0a1e27e32c996357d23d530db4e7caf06acbad1a16762f20324df4a132a06fdcc590553bb99855115455f3a03fd3ad1b805487583cf97655cb7f20a826c6ec1e53bd58189b4c292b32fea59e3878733a6bae8da9ad1b490090768d5c12d5dbf69a8e303f594562a63adf233d23d75e5387f1cba9a4c2283b5f071526c920f235ffd1a8004ea9ab29f616308e32190f5f72261a72037c5f6b921ea88f53572043c5541ac480b30e0f39d66999c52dfc369c54b4fcfaac27aba356a66f1baa6fee510bb7263a9c1ca2f3ef358aa2978b1bf658edae3922a510a706cc83d20213564d4dee67b0c1c02677af80b7d6935e309ef550c9156f952bdab5d51383412305ce8fdf96b8958d76bc83aad8436903e9b9d937d7797c572b4bed65f4fd498df7b618b811f6400562ff8d0ca28a8e9be8092b87afcf810f9b8761f6169bbc6771889ab6c7a1d71b9ea16998a62530bc310c79ca3f163b3e9cb257c1ec59f123a959405f9eacb402081b8fe8c30ccc64c705c20b9c00fd7be93c2369726a9bdbf6f835e2b03d9c363c86949feb79cebbd2bbfad6d863889176b99ac1f59db3a105589dcdd8f6c24c30f3e6ba751c5e93556564ac3e5143a0f6b5001a059d16cff2b3bea9b3463f937bc58d83b8f4583a9dc2772c5ec833e61810b6e79e8535e2d18fe3e13c091deb57e05ec419c92f4dda31e615420a6cbf28f9eddb427a96ede6c49fbcc08d2fcb4360ed8087489de52ef38861f0076ea16f64cbf68ea6abc15267671d4c191d089249d7823e710eb2c5416ee0ddde06dc41ffd55afa65c1c8d34eb24fb2aa99a62ae37d518f154095033ea40f4be115cbd3750b7a0c6ab2b3ad7183f54e7e3eb0c692ac5ee5c3baac1a79be0aa469e21f1fb6de710280a1bce8dff50415fc45102f62792cc48231231832ae783ecb8e0257d14bff019f3f43e5c7a26349414e2f580365373936b00fa0eced128d456c9d8babc82a051f4abbd6336b769800d00942f02b6935f3034b758faa9c9a1f96b57788d4613ef2778e26d95155bcd3e51bcf8912590159aef4f83def06cb2d034f268a88629f9cf6689e1ac0f1022ef90b633502b46709ae242495ebba9833433cc579f5b2691908bc2d8c3fd33007f67f358de6a77a2970d953d5374a2ebd6c9dc2d4924dea2743f0cabfb976c2ab0ba69e9daa411ceec6d0e9c0d2a4e2f3e3b2f7556a25861c56370e5106b135e32d9e4fa92c92fb8f7333a8d88391cf8e7d1d7d7dc5af0e699df59f30b63db49212f89930e7eea4d4a3e3ec551ec69e9aa4226984984f2c6b86653c76b8fc87191856dd730a7dc6e3a7748365cd61ab20acb014f435c76eb35c311aedf3b1e5fd35697f1d214fca58d00675a6713c896a2d6e6a6c2e9d8a94aa7fd3706e564b26ce430a22d5f271d2f90336eb1409554347db69ffdd9ffccf5480f005fc77b8f4fa0d4f7fb3590bc7bc2299e6e01dd81a903b9e7e3bd5a4db25be0e51a99f832b35ecc57f84f0cafdfec517b357a74ebe76d5580e672cfbced992b0ee96e3a451a462bca50bc2312d49b8a229900a8ab19f00ebb0c826dbcf2804a6a62f133b4005298361dfc5fdabad925a1bff475e2aebef4581695426b179a610ed6224a5f05b3317a1f50722ee43df8320791fd6a3584255ddf811935d10d51696c9351d750fe359a96e8836b7183feddfdb14ac6ed08577363b3d4d3cf36863af80e2315b142b57485d66bb3b6acb4c5ac28adc3621d8d7cc9e2f80b0da260b2754373b8367168dc4fb021799817808bc5989faf626477a231d70fb096c37abf209c0ecf0978081e267d3f39a864d6682f461573f0515e89d49d16a241c4629b7d9df617f6ae270aec2f28cdfd28714d21687f2290cb65c27e854c928e1ebb9a3a99debac419a366f4ef22d5cbedff9e0f427121206c064646de616b02964a6dda48d6511aebcd596c2c514d8a71511ecc7136ecd10e52f4f08de44954cff6b17deba92086c24c4e12d3e650b88750710da99f58fee2dd9cd388ed2c4e96148fb501204279d9599ab6548917a06decc4d3584c8859df377d81841bbb65c9e5042756c23f6151fa4476e24881a03769c5e1cac1ace349ea47347d8a6bd7f42050609663ac21ebfb039117ab2f9af1791400d18306ccec273da6e2602c1890c17ae10f8dc1ea48d7fce5e2e4ed9435916400faf458e34126c8a9f02811ea9b75bbf9882a522b60cf6433e89d246193d0367d514e0b331d3ef7fd8a0829230ea818375ad2f4303ffc63fdb52ddd27e5cb4a593651142ea079b85ee6efe2fc208d44bb2730317105870741ed1c5a19dfeb58570fc645b470c8e0e6dc4f8de4edcbfd1fa9bdaf5fbe53e390234cadfd8897103104a30bd600b1b12aa116be72a0f796e342d3c4c17f7583cd2e30b797b991465ff07d8fc586f6b223b86b80261f32059e6fe717cb1e5e5ee9adf65305383ddd42d106d4851b744ee95571be6daad62b4665e370ed40c350ce808afc12f17c2b1a99bc9145c23a1384137ea7b9956b557fc5a2e0aa6ba1e9d6c828e3cc48c941d5b0e20f9a7bf6e31a37d90a9dfc460b17b56808fedbb32b2445e56c23c8df5512845777c5b60dcb6605e8c71765c36336cc16427edfce12a243d7ea29ed9e5a8118cb34b2cc6b88986c14e03ebe00eb6ba444c770d431bf3fbbf52673ece9e04ea2b17e03f9e4588049668f47b3f78e67ab1a7762588ef2644b316e84e0eba92ed85fc38be62b762a4c0b977271b162b7fb26a02431fcf9b803e2d12a8f583419abbc9cbbd06690c5c022131bd7d5c10e32fb859183c0346b9fdc8105c6253da14f3578cc256247ff1c5428db13146839f89fd67715e2f199fab433316f1aaa8c8a70fc551a334d23276321a5b933844c7b5fce69051e3b49c460afa589a5fe192d216e57b353d562373c805afdb61e0a2ab6f5fa774a133ed5b4457491bf94665df7b4ee00c17f414ebe2835c1bf98bc914675357749533f98680d1145534580c18ce67d29281e481677003cafad693cc72c8649f6eb8174fdb2d87c706f0f184259b2dbe313e5713901effd931baf208952ce3a5f2cdf74d761d29d7e2d67cc77696c287f713bb378e3cf0eea6c1b68524618a4819538a7f61299a112a7af4a55d85a90583775f66588ecac0f422fd3d3beb3ddc962f028199f87b70325b8cd5c94902de28bee81f389cae594007347d0a4933edbdb85c65752a571ab7f3a0e2807dab188edb32595b3d860d300bd21a2c5251cb5a7ad062fa85cf37483b31a589fc08c8682844d6f8e0844ccf3b04af1ba8aa476365ec157383f3aee1d1955ddc58ae8ced952258bb71b4ccdab36b1f004472f01752ec848bce3e4f111a16c985d25bef3df160f7cdee4c25ca52b0060d1263c206d77117d97e433d4bc6e0daf213824365b379fd5ad96145e6908169945c00afe479feb9c51b2de961698d664608b654a870611432c439dec891bc3b77d57c75ce2700eeb93507317d3f490d465a752da3990262a7c18b0f83fd9464b5472fbcac70a730def35c3a78dd37f26214a0bfdba3e312a2db098030c6019749f644d7a6c7c9edf8afdd9271a061818ec9b0e4836b805285ddc4fdf729f8918db46962a655022ab44b8e502c0231c468832686519f222c71d33a96bc90b578f43ceebbbd17fa89fc42df02eff7b1c750a7ab8295dc020fb8feb363fd9c7fc621cc7c201edaadc31b56bf0dc4a6bb9bb538f9011e6cc707d56cf07574136fb3e38b25dc4c6a6f92fca4c6290e767b416f906f5f92fb3a04494cbffc02a191158f0bb1a6be6249247babe9244648ad17d8acacce4118a1efbc361c29bcbad89cdb9593b4249c14bdd4a1f6abc0b407c14aa9c638d12e482e42263fd88e1885d89796554657a80c1a47f41a28b561f66b3e65edcfdefaf7c11aced7a6e76802ae70ce17bff80301bca3c29b4068097e41fcd1946ac5ef116a1ba946fad66a4a0ae54977356d7b193e9bc25fbe675cf28a0f244603fe8a2c639fd2d4bb87a1cec61cb9e861d0d56f616120f84e2422d009e7fe63776d35386a384a39df8660ed1ef69d2792421750d6170152c739d14da817d3a53a757dcf986c7cdc08c5d50ef5b7685d16059a8b26b699837c6c407a6d2ce623c9d0427ff2cce5697da98ba93a54ff9c8be9fb27ca440702f647773e7a2da2a81ec974b8bb1a0ea25d5329408153c6cc21d076e01adc995e047ff8033dd5746cce6fe4025a801d3009ec1fb46796c980c1846364ad05d846cde97f80d3d56b17a60b70d3d3dd3819b094d99ddabd41dc79d79b234dbf31d20b750c725dbc35e392a3a82d790aa79a1befbac7a5b3a40b928eb15046ecfa67953289b5ba032f51dcfdb973e83099a44cf2b3d6e58910b5075fcebb6f199eb0ca121c057bdba54d363a80a17d10c5e312362ef9da5b783a85021419ee65b9e235dc0ad84408590b42c728fb957efe4e29e32ac5846d70ddd82ba0dd735b7ad6bb00ecc5357002b3386b2243b68dc8d0501ce57acfe5b8fb0b3f0e764a611333d03fe1c1b7873b464a85c8979e0e550c25f88726f8ecb13198ee4dd667e284dde21c4917ff5f6b220ba77e449bf6077d07f01a6b302db4110f3cbb5bb286677905c1465dcf5a20e90bfc9788b4d601dd7700e0581f304c29e278869954aac0064da192ced6e9bd5f76c33fd85fd90c12e70732ee61a0cf9325bb96a217a28a22921413512bf83faea5d9a355198c33a71e91c62713a794904fa7de19bf087cb0a2cea4e778a9e38c2db9d82a26a0d346a5e71ff77c15eaf8a234637d4e25f80374268a010d03517ef51cde970ce96f535230878f220122477501839a385c4bc628797f689b03e262171b1891b3115ae7dc7ee1db87887ffedb551a6270c863c20841d31b6a4d3d1e55a9b597c92bd7ee647a6ec3af62b2aa6d87a44c1b8b728f5ca6035d045b1c494485accc098af6c278f1fc1c766a2dae65af2e4328cdd738757235871f44e270bd9e03273a60f29f2a999ce50c0bae04f475d40386f5e40a4379d1f391d526e5e7a885a002fc828165dd0039c01939d6fb03b2ab84b7b9e5cfab064c7ce49c435bf9e11acab5e7c3e43916e785c2ace826952b1180d74f180e53c5d586b3efd0eb7e04ee8e45fce7dffd604447078e1adce91745d3534dab2cf2546d0175c932c2f027cd41ac9167427cfeb674a771e3a94021154f777c46e2d562690efd18078c567a927822d76cecaa7e727084e4f67e04332f0c5c8f5b6a18105ddcf7f1d9de7ed745a22ff9a2b34bde9fa82896a68bab5110b2f79bf40269918809c5d05ec87657c4d2cc878fd702e2b5648b3d17c0b3d6f14455c0058a97aff9c17246fb1d70d236f872b69ce1a4ca911cb95013c8bb40d2329ec8fb44e13277fe5f0a5e5b446635b271001dffc4e3f62b37c22b02f1b7f38e597c5018c5669fabce60abf240387198a1f60976ed38829a1c8a86031f0d42149ae0cbfd19fd0cbc44013dc46e5d525b44e809c88db4a4c7f683bec2790f77e8e0d470a8a0b720f8afd090e4e9b493594456d7a68a0aab01f967daac0b1bab6719d2fccb1c9c4d2a4dae04aab9698839e3e0506ce2af5210f94a7aab9f6331668d08acd62c2c45ebad7faa479acbd19b3f60c79bdde8d308908d3921e2cd0c496f94e183d389b5bd1e1921276674768081a5bdfc050f1b1d2f3f546a7b7e9cbde6f05184a7cdd6d9ef2d6cecf1fb197179afbccd13363d6c7997bec8dbdcdfeef4191e9f09107d9192e9ecf400000000000000000b1920252b383b43', 'hex'),
+      jwk: {
+        kty: 'AKP',
+        alg: 'ML-DSA-87',
+        // eslint-disable-next-line @stylistic/js/max-len
+        pub: '5F_8jMc9uIXcZi5ioYzY44AylxF_pWWIFKmFtf8dt7Roz8gruSnx2Gt37RT1rhamU2h3LOUZEkEBBeBFaXWukf22Q7US8STV5gvWi4x-Mf4Bx7DcZa5HBQHMVlpuHfz8_RJWVDPEr-3VEYIeLpYQxFJ14oNt7jXO1p1--mcv0eQxi-9etuiX6LRRqiAt7QQrKq73envj9pkUbaIpqL2z_6SWRFln51IXv7yQSPmVZEPYcx-DPrMN4Q2slv_-fPZeoERcPjHoYB4TO-ahAHZP4xluJncmRB8xdR-_mm9YgGRPTnJ15X3isPEF5NsFXVDdHJyTT931NbjeKLDHTARJ8iLNLtC7j7x3XM7oyUBmW0D3EvT34AdQ6eHkzZz_JdGUXD6bylPM1PEu7nWBhW69aPJoRZVuPnvrdh8P51vdMb_i-gGBEzl7OHvVnWKmi4r3-iRauTLmn3eOLO79ITBPu4CZ6hPY6lfBgTGXovda4lEHW1Ha04-FNmnp1fmKNlUJiUGZOhWUhg-6cf5TDuXCn1jyl4r2iMy3Wlg4o1nBEumOJahYOsjawfhh_Vjir7pd5aUuAgkE9bQrwIdONb788-YRloR2jzbgCPBHEhd86-YnYHOB5W6q7hYcFym43lHb3kdNSMxoJJ6icWK4eZPmDITtbMZCPLNnbZ61CyyrWjoEnvExOB1iP6b7y8nbHnzAJeoEGLna0sxszU6V-izsJP7spwMYp1Fxa3IT9j7b9lpjM4NX-Dj5TsBxgiwkhRJIiFEHs9HE6SRnjHYU6hrwOBBGGfKuNylAvs-mninLtf9sPiCke-Sk90usNMEzwApqcGrMxv_T2OT71pqZcE4Sg8hQ2MWNHldTzZWHuDxMNGy5pYE3IT7BCDTGat_iu1xQGo7y7K3Rtnej3xpt64br8HIsT1Aw4g-QGN1bb8U-6iT9kre1tAJf6umW0-SP1MZQ2C261-r5NmOWmFEvJiU9LvaEfIUY6FZcyaVJXG__V83nMjiCxUp9tHCrLa-P_Sv3lPp8aS2ef71TLuzB14gOLKCzIWEovii0qfHRUfrJeAiwvZi3tDphKprIZYEr_qxvR0YCd4QLUqOwh_kWynztwPdo6ivRnqIRVfhLSgTEAArSrgWHFU1WC8Ckd6T5MpqJhN0x6x8qBePZGHAdYwz8qa9h7wiNLFWBrLRj5DmQLl1CVxnpVrjW33MFso4P8n060N4ghdKSSZsZozkNQ5b7O6yajYy-rSp6QpD8msb8oEX5imFKRaOcviQ2D4TRT45HJxKs63Tb9FtT1JoORzfkdv_E1bL3zSR6oYbTt2Stnpz-7kVqc8KR2N45EkFKxDkRw3IXOte0cq81xoU87S_ntf4KiVZaszuqb2XN2SgxnXBl4EDnpehPmqkD92SAlLrQcTaxaSe47G28K-8MwoVt4eeVkj4UEsSfJN7rbCH2yKl2XJx5huDaS0xn2ODQyNRmgk-5I9hXMUiZDNLvEzx4zuyrcu2d0oXFo3ZoUtVFNCB__TQCf2x27ej9GjLXLDAEi7qnl9Xfb94n0IfeVyGte3-j6NP3DWv8OrLiUjNTaLv6Fay1yzfUaU6LI86-Jd6ckloiGhg7kE0_hd-ZKakZxU1vh0Vzc6DW7MFAPky75iCZlDXoBpZjTNGo5HR-mCW_ozblu60U9zZA8bn-voANuu_hYwxh-uY1sHTFZOqp2xicnnMChz_GTm1Je8XCkICYegeiHUryEHA6T6B_L9gW8S_R4ptMD0Sv6b1KHqqKeubwKltCWPUsr2En9iYypnz06DEL5Wp8KMhrLid2AMPpLI0j1CWGJExXHpBWjfIC8vbYH4YKVl-euRo8eDcuKosb5hxUGM9Jvy1siVXUpIKpkZt2YLP5pEBP_EVOoHPh5LJomrLMpORr1wBKbEkfom7npX1g817bK4IeYmZELI8zXUUtUkx3LgNTckwjx90Vt6oVXpFEICIUDF_LAVMUftzz6JUvbwOZo8iAZqcnVslAmRXeY_ZPp5eEHFfHlsb8VQ73Rd_p8XlFf5R1WuWiUGp2TzJ-VQvj3BTdQfOwSxR9RUk4xjqNabLqTFcQ7As246bHJXH6XVnd4DbEIDPfNa8FaWb_DNEgQAiXGqa6n7l7aFq5_6Kp0XeBBM0sOzJt4fy8JC6U0DEcMnWxKFDtMM7q06LubQYFCEEdQ5b1Qh2LbQZ898tegmeF--EZ4F4hvYebZPV8sM0ZcsKBXyCr585qs00PRxr0S6rReekGRBIvXzMojmid3dxc6DPpdV3x5zxlxaIBxO3i_6axknSSdxnS04_bemWqQ3CLf6mpSqfTIQJT1407GB4QINAAC9Ch3AXUR_n1jr64TGWzbIr8uDcnoVCJlOgmlXpmOwubigAzJattbWRi7k4QYBnA3_4QMjt73n2Co4-F_Qh4boYLpmwWG2SwcIw2PeXGr2LY2zwkPR4bcSyx1Z6UK5trQpWlpQCxgsvV_RvGzpN22RtHoihPH74K0cBIzCz7tK-jqeuWl1A7af7KmQ66fpRBr5ykTLOsa17WblkcIB_jDvqKfEcdxhPWJUwmOo4TIQS-xH8arLOy_NQFG2m14_yxwUemXC-QxLUYi6_FIcqwPBKjCdpQtadRdyftQSKO0SP-GxUvamMZzWI780rXuOBkq5kyYLy9QF9bf_-bL6QLpe1WMCQlOeXZaCPoncgYoT0WZ17jB52Xb2lPWsyXYK54npszkbKJ4OIqfvF8xqRXcVe22VwJuqT9Uy4-4KKQgQ7TXla7Gdm2H7mKl8YXQlsGCT2Ypc8O4t0Sfw7qYAuaDGf752Hbm3fl1bupcB2huIPlIaDP6IRR9XvTYIW2flbwYfhKLmoVKnG85uUi2qtqCjPOIuU3-peT0othfmwKQXaoOqO-V4r6wPL1VHxVFtIYmEdVt0RccUOvpOVR_OAHG9uHOzTmueK5557Qxp0ojtZCHyN-hgoMZJLrvdKkTCxPNo2-mZQbHoVh2FnThZ9JbO49dB8lKXP4_MU5xAnjXMgKXtbfI8w6ZWATE_XWgf2VQMUpGp4wpy44yWQTxHxh_4T9540BGwG0FU0bkgrwA_erseGZnepqdmz5_ScCs84O5Xr5MbYhJLCGGxY6O5GqS-ooB2w0Mt87KbbE4bpYje9CAHH8FX3pDrJyLsyasA3zxmk4OmGpG7Z70ofONJtHRe56R5287vFmuazEEutXn81kNzB-3aJT1ga3vnWZw4CSvFKoWYSA7auLgrHSHFZdITfOrgtmQmGbFhM9kSBdY1UCnpzf65oos3PZWRa2twfUxxLAnPNtrxpRGyvtsapw7ljUagZmuyh3hLCjhAxYmnoE1dbyIWvpCqSlEtVjL1yb_nuLEzgvmZuV02fHxGuWgHTOMVGXpf81Rce3eoBK3lapW1wkzezlk3tcA2bZOtA9qbxdsbVR37kemzQ9K1e3Y0OWhtSj',
+        priv: 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA',
+      }
+    },
+  ]) {
+    const privateKey = createPrivateKey({ format: 'jwk', key: jwk });
+    const publicKey = createPublicKey({ format: 'jwk', key: { ...jwk, priv: undefined } });
+    assert.strictEqual(verify(null, data, publicKey, signature), true);
+    assert.strictEqual(verify(null, data, publicKey, sign(null, data, privateKey)), true);
+  }
+
+}
diff --git a/test/parallel/test-fastutf8stream-destroy.js b/test/parallel/test-fastutf8stream-destroy.js
new file mode 100644
index 00000000000000..aa267d4e859e7f
--- /dev/null
+++ b/test/parallel/test-fastutf8stream-destroy.js
@@ -0,0 +1,67 @@
+'use strict';
+
+const common = require('../common');
+const tmpdir = require('../common/tmpdir');
+const {
+  ok,
+  strictEqual,
+  throws,
+} = require('node:assert');
+const {
+  openSync,
+  readFile,
+  readFileSync,
+} = require('node:fs');
+const { Utf8Stream } = require('node:fs');
+const { isMainThread } = require('node:worker_threads');
+const { join } = require('node:path');
+
+let fileCounter = 0;
+tmpdir.refresh();
+
+if (isMainThread) {
+  process.umask(0o000);
+}
+
+function getTempFile() {
+  return join(tmpdir.path, `fastutf8stream-${process.pid}-${Date.now()}-${fileCounter++}.log`);
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+  const stream = new Utf8Stream({ fd, sync: false });
+
+  // Test successful write
+  ok(stream.write('hello world\n'));
+  stream.destroy();
+
+  throws(() => stream.write('hello world\n'), Error);
+
+  readFile(dest, 'utf8', common.mustSucceed((data) => {
+    strictEqual(data, 'hello world\n');
+  }));
+
+  stream.on('finish', common.mustNotCall());
+  stream.on('close', common.mustCall());
+};
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+  const stream = new Utf8Stream({ fd, sync: true });
+
+  ok(stream.write('hello world\n'));
+  stream.destroy();
+  throws(() => stream.write('hello world\n'), Error);
+
+  const data = readFileSync(dest, 'utf8');
+  strictEqual(data, 'hello world\n');
+};
+
+{
+  const dest = getTempFile();
+  const stream = new Utf8Stream({ dest });
+  stream.destroy();
+  stream.on('close', common.mustCall());
+}
diff --git a/test/parallel/test-fastutf8stream-end.js b/test/parallel/test-fastutf8stream-end.js
new file mode 100644
index 00000000000000..75138f1ce181e2
--- /dev/null
+++ b/test/parallel/test-fastutf8stream-end.js
@@ -0,0 +1,112 @@
+'use strict';
+
+const common = require('../common');
+const tmpdir = require('../common/tmpdir');
+const {
+  strictEqual,
+} = require('node:assert');
+const fs = require('node:fs');
+const { Utf8Stream } = require('node:fs');
+const { join } = require('node:path');
+const { isMainThread } = require('node:worker_threads');
+
+tmpdir.refresh();
+let fileCounter = 0;
+
+if (isMainThread) {
+  process.umask(0o000);
+}
+
+function getTempFile() {
+  return join(tmpdir.path, `fastutf8stream-${process.pid}-${Date.now()}-${fileCounter++}.log`);
+}
+
+runTests(false);
+runTests(true);
+
+function runTests(sync) {
+  {
+    const dest = getTempFile();
+    const stream = new Utf8Stream({ dest, minLength: 4096, sync });
+
+    stream.once('ready', common.mustCall(() => {
+      const after = `${dest}-moved`;
+      stream.reopen(after);
+      stream.write('after reopen\n');
+      stream.on('finish', common.mustCall(() => {
+        fs.readFile(after, 'utf8', common.mustSucceed((data) => {
+          strictEqual(data, 'after reopen\n');
+        }));
+      }));
+      stream.end();
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const stream = new Utf8Stream({ dest, minLength: 4096, sync });
+
+    stream.once('ready', common.mustCall(() => {
+      stream.reopen(`${dest}-moved`);
+      const after = `${dest}-moved-moved`;
+      stream.reopen(after);
+      stream.write('after reopen\n');
+      stream.on('finish', common.mustCall(() => {
+        fs.readFile(after, 'utf8', common.mustSucceed((data) => {
+          strictEqual(data, 'after reopen\n');
+        }));
+      }));
+      stream.end();
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const stream = new Utf8Stream({ dest, minLength: 4096, sync });
+    const after = dest + '-moved';
+
+    stream.reopen(after);
+    stream.write('after reopen\n');
+    stream.on('finish', common.mustCall(() => {
+      fs.readFile(after, 'utf8', common.mustSucceed((data) => {
+        strictEqual(data, 'after reopen\n');
+      }));
+    }));
+
+    stream.end();
+  }
+
+  {
+    const dest = getTempFile();
+    const stream = new Utf8Stream({ dest, sync });
+    const str = Buffer.alloc(10000).fill('a').toString();
+
+    let totalWritten = 0;
+    function writeData() {
+      if (totalWritten >= 10000) {
+        stream.end();
+        return;
+      }
+
+      const chunk = str.slice(totalWritten, totalWritten + 1000);
+      if (stream.write(chunk)) {
+        totalWritten += chunk.length;
+        setImmediate(common.mustCall(writeData));
+      } else {
+        stream.once('drain', common.mustCall(() => {
+          totalWritten += chunk.length;
+          setImmediate(common.mustCall(writeData));
+        }));
+      }
+    };
+
+    stream.on('finish', common.mustCall(() => {
+      fs.readFile(dest, 'utf8', common.mustSucceed((data) => {
+        strictEqual(data.length, 10000);
+        strictEqual(data, str);
+      }));
+    }));
+
+    writeData();
+  }
+}
diff --git a/test/parallel/test-fastutf8stream-flush-mocks.js b/test/parallel/test-fastutf8stream-flush-mocks.js
new file mode 100644
index 00000000000000..fa17a9e58320cb
--- /dev/null
+++ b/test/parallel/test-fastutf8stream-flush-mocks.js
@@ -0,0 +1,105 @@
+'use strict';
+
+const common = require('../common');
+const tmpdir = require('../common/tmpdir');
+const {
+  ok,
+  strictEqual,
+} = require('node:assert');
+const {
+  openSync,
+  fsyncSync,
+  writeSync,
+  write,
+} = require('node:fs');
+const { join } = require('node:path');
+const { Utf8Stream } = require('node:fs');
+const { isMainThread } = require('node:worker_threads');
+
+tmpdir.refresh();
+if (isMainThread) {
+  process.umask(0o000);
+}
+
+let fileCounter = 0;
+
+function getTempFile() {
+  return join(tmpdir.path, `fastutf8stream-${process.pid}-${Date.now()}-${fileCounter++}.log`);
+}
+
+runTests(false);
+runTests(true);
+
+function runTests(sync) {
+
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+
+    const fsOverride = {
+      fsync: common.mustNotCall(),
+      fsyncSync: common.mustCall(() => fsyncSync(fd)),
+    };
+    if (sync) {
+      fsOverride.writeSync = common.mustCall((...args) => writeSync(...args));
+      fsOverride.write = common.mustNotCall();
+    } else {
+      fsOverride.write = common.mustCall((...args) => write(...args));
+      fsOverride.writeSync = common.mustNotCall();
+    }
+
+    const stream = new Utf8Stream({
+      fd,
+      sync,
+      fsync: true,
+      minLength: 4096,
+      fs: fsOverride,
+    });
+
+    stream.on('ready', common.mustCall(() => {
+      ok(stream.write('hello world\n'));
+
+      stream.flush(common.mustSucceed(() => stream.end()));
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+
+    const testError = new Error('fsync failed');
+    testError.code = 'ETEST';
+
+    const fsOverride = {
+      fsync: common.mustCall((fd, cb) => {
+        process.nextTick(() => cb(testError));
+      }, 2),
+    };
+
+    if (sync) {
+      fsOverride.writeSync = common.mustCall((...args) => {
+        return writeSync(...args);
+      });
+    } else {
+      fsOverride.write = common.mustCall((...args) => {
+        return write(...args);
+      });
+    }
+
+    const stream = new Utf8Stream({
+      fd,
+      sync,
+      minLength: 4096,
+      fs: fsOverride,
+    });
+
+    stream.on('ready', common.mustCall(() => {
+      ok(stream.write('hello world\n'));
+      stream.flush(common.mustCall((err) => {
+        ok(err, 'flush should return an error');
+        strictEqual(err.code, 'ETEST');
+        stream.end();
+      }));
+    }));
+  }
+}
diff --git a/test/parallel/test-fastutf8stream-flush-sync.js b/test/parallel/test-fastutf8stream-flush-sync.js
new file mode 100644
index 00000000000000..f3f9869ba5cd5d
--- /dev/null
+++ b/test/parallel/test-fastutf8stream-flush-sync.js
@@ -0,0 +1,139 @@
+'use strict';
+
+const common = require('../common');
+const tmpdir = require('../common/tmpdir');
+const {
+  ok,
+  strictEqual,
+  throws,
+} = require('node:assert');
+const {
+  openSync,
+  readFile,
+  readFileSync,
+  writeSync,
+} = require('node:fs');
+const { Utf8Stream } = require('node:fs');
+const { join } = require('node:path');
+const { isMainThread } = require('node:worker_threads');
+
+
+tmpdir.refresh();
+let fileCounter = 0;
+
+if (isMainThread) {
+  process.umask(0o000);
+}
+
+function getTempFile() {
+  return join(tmpdir.path, `fastutf8stream-${process.pid}-${Date.now()}-${fileCounter++}.log`);
+}
+
+runTests(false);
+runTests(true);
+
+function runTests(sync) {
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+  const stream = new Utf8Stream({ fd, minLength: 4096, sync });
+
+  ok(stream.write('hello world\n'));
+  ok(stream.write('something else\n'));
+
+  stream.flushSync();
+
+  setImmediate(common.mustCall(() => {
+    stream.end();
+    const data = readFileSync(dest, 'utf8');
+    strictEqual(data, 'hello world\nsomething else\n');
+    stream.on('close', common.mustCall());
+  }));
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+
+  let reportEagain = true;
+
+  const fsOverride = {
+    writeSync: common.mustCall((...args) => {
+      if (reportEagain) {
+        reportEagain = false;
+        const err = new Error('EAGAIN');
+        err.code = 'EAGAIN';
+        throw err;
+      }
+      writeSync(...args);
+    }, 2),
+  };
+
+  const stream = new Utf8Stream({
+    fd,
+    sync: false,
+    minLength: 0,
+    fs: fsOverride,
+  });
+
+  stream.on('ready', common.mustCall(() => {
+    ok(stream.write('hello world\n'));
+    ok(stream.write('something else\n'));
+    stream.flushSync();
+    stream.end();
+
+    stream.on('finish', common.mustCall(() => {
+      readFile(dest, 'utf8', common.mustSucceed((data) => {
+        strictEqual(data, 'hello world\nsomething else\n');
+      }));
+    }));
+  }));
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+
+  let retryCallCount = 0;
+  const err = new Error('EAGAIN');
+  err.code = 'EAGAIN';
+  let reportError = true;
+
+  const fsOverride = {
+    writeSync: common.mustCall((...args) => {
+      if (reportError) {
+        reportError = false;
+        throw err;
+      }
+      return writeSync(...args);
+    }, 2),
+  };
+
+  const stream = new Utf8Stream({
+    fd,
+    sync: false,
+    minLength: 1000,
+    retryEAGAIN: (err, writeBufferLen, remainingBufferLen) => {
+      retryCallCount++;
+      strictEqual(err.code, 'EAGAIN');
+      strictEqual(writeBufferLen, 12);
+      strictEqual(remainingBufferLen, 0);
+      return false; // Don't retry
+    },
+    fs: fsOverride,
+  });
+
+  stream.on('ready', common.mustCall(() => {
+    ok(stream.write('hello world\n'));
+    throws(() => stream.flushSync(), err);
+    ok(stream.write('something else\n'));
+    stream.flushSync();
+    stream.end();
+
+    stream.on('finish', common.mustCall(() => {
+      readFile(dest, 'utf8', common.mustSucceed((data) => {
+        strictEqual(data, 'hello world\nsomething else\n');
+        strictEqual(retryCallCount, 1);
+      }));
+    }));
+  }));
+}
diff --git a/test/parallel/test-fastutf8stream-flush.js b/test/parallel/test-fastutf8stream-flush.js
new file mode 100644
index 00000000000000..262b61370ee38f
--- /dev/null
+++ b/test/parallel/test-fastutf8stream-flush.js
@@ -0,0 +1,142 @@
+'use strict';
+
+const common = require('../common');
+const tmpdir = require('../common/tmpdir');
+const {
+  ok,
+  strictEqual,
+} = require('node:assert');
+const {
+  openSync,
+  readFile,
+  writeFileSync,
+} = require('node:fs');
+const { join } = require('node:path');
+const { Utf8Stream } = require('node:fs');
+const { isMainThread } = require('node:worker_threads');
+
+tmpdir.refresh();
+let fileCounter = 0;
+
+if (isMainThread) {
+  process.umask(0o000);
+}
+function getTempFile() {
+  return join(tmpdir.path, `fastutf8stream-${process.pid}-${Date.now()}-${fileCounter++}.log`);
+}
+
+runTests(false);
+runTests(true);
+
+function runTests(sync) {
+  {
+    const dest = getTempFile();
+    writeFileSync(dest, 'hello world\n');
+    const stream = new Utf8Stream({ dest, append: false, sync });
+
+    stream.on('ready', () => {
+      ok(stream.write('something else\n'));
+      stream.flush();
+
+      stream.on('drain', common.mustCall(() => {
+        readFile(dest, 'utf8', common.mustSucceed((data) => {
+          strictEqual(data, 'something else\n');
+          stream.end();
+        }));
+      }));
+    });
+  }
+
+  {
+    const dest = join(getTempFile(), 'out.log');
+    const stream = new Utf8Stream({ dest, mkdir: true, sync });
+
+    stream.on('ready', common.mustCall(() => {
+      ok(stream.write('hello world\n'));
+      stream.flush();
+
+      stream.on('drain', common.mustCall(() => {
+        readFile(dest, 'utf8', common.mustSucceed((data) => {
+          strictEqual(data, 'hello world\n');
+          stream.end();
+        }));
+      }));
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+    const stream = new Utf8Stream({ fd, minLength: 4096, sync });
+
+    stream.on('ready', common.mustCall(() => {
+      ok(stream.write('hello world\n'));
+      ok(stream.write('something else\n'));
+      stream.flush();
+
+      stream.on('drain', common.mustCall(() => {
+        readFile(dest, 'utf8', common.mustSucceed((data) => {
+          strictEqual(data, 'hello world\nsomething else\n');
+          stream.end();
+        }));
+      }));
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+    const stream = new Utf8Stream({ fd, minLength: 4096, sync });
+
+    stream.on('ready', common.mustCall(() => {
+      stream.flush();
+      stream.on('drain', common.mustCall(() => {
+        stream.end();
+      }));
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+    const stream = new Utf8Stream({ fd, minLength: 4096, sync });
+
+    stream.on('ready', common.mustCall(() => {
+      ok(stream.write('hello world\n'));
+      ok(stream.write('something else\n'));
+
+      stream.flush(common.mustSucceed(() => {
+        stream.end();
+      }));
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+    const stream = new Utf8Stream({ fd, minLength: 4096, sync });
+    stream.on('ready', common.mustCall(() => {
+      stream.flush(common.mustSucceed(() => {
+        stream.end();
+      }));
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+    const stream = new Utf8Stream({ fd, minLength: 0, sync });
+
+    stream.flush(common.mustSucceed(() => {
+      stream.end();
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+    const stream = new Utf8Stream({ fd, minLength: 4096, sync });
+    stream.destroy();
+    stream.flush(common.mustCall(ok));
+  }
+}
diff --git a/test/parallel/test-fastutf8stream-fsync.js b/test/parallel/test-fastutf8stream-fsync.js
new file mode 100644
index 00000000000000..205f958d859767
--- /dev/null
+++ b/test/parallel/test-fastutf8stream-fsync.js
@@ -0,0 +1,74 @@
+'use strict';
+
+const common = require('../common');
+const tmpdir = require('../common/tmpdir');
+const {
+  ok,
+  strictEqual,
+} = require('node:assert');
+const {
+  fsyncSync,
+  openSync,
+  readFile,
+  readFileSync,
+} = require('node:fs');
+const { Utf8Stream } = require('node:fs');
+const { join } = require('node:path');
+const { isMainThread } = require('node:worker_threads');
+
+tmpdir.refresh();
+let fileCounter = 0;
+
+if (isMainThread) {
+  process.umask(0o000);
+}
+
+function getTempFile() {
+  return join(tmpdir.path, `fastutf8stream-${process.pid}-${Date.now()}-${fileCounter++}.log`);
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+
+  const stream = new Utf8Stream({
+    fd,
+    sync: true,
+    fsync: true,
+    fs: {
+      fsyncSync: common.mustCall(fsyncSync, 2),
+    },
+  });
+
+  ok(stream.write('hello world\n'));
+  ok(stream.write('something else\n'));
+  stream.end();
+
+  const data = readFileSync(dest, 'utf8');
+  strictEqual(data, 'hello world\nsomething else\n');
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+
+  const stream = new Utf8Stream({
+    fd,
+    fsync: true,
+    fs: {
+      fsyncSync: common.mustCall(fsyncSync, 2),
+    }
+  });
+
+  ok(stream.write('hello world\n'));
+  ok(stream.write('something else\n'));
+  stream.end();
+
+  stream.on('finish', common.mustCall(() => {
+    readFile(dest, 'utf8', common.mustSucceed((data) => {
+      strictEqual(data, 'hello world\nsomething else\n');
+    }));
+  }));
+
+  stream.on('close', common.mustCall());
+}
diff --git a/test/parallel/test-fastutf8stream-minlength.js b/test/parallel/test-fastutf8stream-minlength.js
new file mode 100644
index 00000000000000..71613018c63399
--- /dev/null
+++ b/test/parallel/test-fastutf8stream-minlength.js
@@ -0,0 +1,49 @@
+'use strict';
+
+const common = require('../common');
+const tmpdir = require('../common/tmpdir');
+const {
+  ok,
+  throws,
+} = require('node:assert');
+const {
+  closeSync,
+  openSync,
+} = require('node:fs');
+const { Utf8Stream } = require('node:fs');
+const { join } = require('node:path');
+
+tmpdir.refresh();
+let fileCounter = 0;
+
+function getTempFile() {
+  return join(tmpdir.path, `fastutf8stream-${process.pid}-${Date.now()}-${fileCounter++}.log`);
+}
+
+const MAX_WRITE = 16 * 1024;
+
+{
+  const dest = getTempFile();
+  const stream = new Utf8Stream({ dest, sync: false, minLength: 9999 });
+
+  ok(stream.write(Buffer.alloc(1500).fill('x').toString()));
+  ok(stream.write(Buffer.alloc(1500).fill('x').toString()));
+  ok(!stream.write(Buffer.alloc(MAX_WRITE).fill('x').toString()));
+
+  stream.on('drain', common.mustCall(() => stream.end()));
+
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+
+  throws(() => {
+    new Utf8Stream({
+      fd,
+      minLength: MAX_WRITE
+    });
+  }, Error);
+
+  closeSync(fd);
+}
diff --git a/test/parallel/test-fastutf8stream-mode.js b/test/parallel/test-fastutf8stream-mode.js
new file mode 100644
index 00000000000000..e2cc8d60d0ba91
--- /dev/null
+++ b/test/parallel/test-fastutf8stream-mode.js
@@ -0,0 +1,111 @@
+'use strict';
+
+const common = require('../common');
+const tmpdir = require('../common/tmpdir'); ;
+const {
+  ok,
+  strictEqual,
+} = require('node:assert');
+const {
+  readFile,
+  statSync,
+  writeFileSync,
+} = require('node:fs');
+const { join } = require('node:path');
+const { Utf8Stream } = require('node:fs');
+const { isMainThread } = require('node:worker_threads');
+
+tmpdir.refresh();
+let fileCounter = 0;
+
+if (isMainThread) {
+  process.umask(0o000);
+}
+
+function getTempFile() {
+  return join(tmpdir.path, `fastutf8stream-${process.pid}-${Date.now()}-${fileCounter++}.log`);
+}
+
+const isWindows = process.platform === 'win32';
+
+
+runTests(false);
+runTests(true);
+
+function runTests(sync) {
+  {
+    const dest = getTempFile();
+    const mode = 0o666;
+    const stream = new Utf8Stream({ dest, sync, mode });
+
+    stream.on('ready', common.mustCall(() => {
+      ok(stream.write('hello world\n'));
+      ok(stream.write('something else\n'));
+
+      stream.end();
+
+      stream.on('finish', common.mustCall(() => {
+        readFile(dest, 'utf8', common.mustSucceed((data) => {
+          strictEqual(data, 'hello world\nsomething else\n');
+          // The actual mode may vary depending on the platform,
+          // so we check only the first bit.
+          strictEqual(statSync(dest).mode & 0o700, 0o600);
+        }));
+      }));
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const defaultMode = 0o600;
+    const stream = new Utf8Stream({ dest, sync });
+    stream.on('ready', common.mustCall(() => {
+      ok(stream.write('hello world\n'));
+      ok(stream.write('something else\n'));
+
+      stream.end();
+
+      stream.on('finish', common.mustCall(() => {
+        readFile(dest, 'utf8', common.mustSucceed((data) => {
+          strictEqual(data, 'hello world\nsomething else\n');
+          strictEqual(statSync(dest).mode & 0o700, defaultMode);
+        }));
+      }));
+    }));
+  }
+
+  {
+    const dest = join(getTempFile(), 'out.log');
+    const mode = 0o666;
+    const stream = new Utf8Stream({ dest, mkdir: true, mode, sync });
+
+    stream.on('ready', common.mustCall(() => {
+      ok(stream.write('hello world\n'));
+      stream.flush();
+      stream.on('drain', common.mustCall(() => {
+        readFile(dest, 'utf8', common.mustSucceed((data) => {
+          strictEqual(data, 'hello world\n');
+          stream.end();
+        }));
+      }));
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    // Create file with writable mode first, then change mode after Utf8Stream creation
+    writeFileSync(dest, 'hello world\n', { encoding: 'utf8' });
+    const mode = isWindows ? 0o444 : 0o666;
+    const stream = new Utf8Stream({ dest, append: false, mode, sync });
+    stream.on('ready', common.mustCall(() => {
+      ok(stream.write('something else\n'));
+      stream.flush();
+      stream.on('drain', common.mustCall(() => {
+        readFile(dest, 'utf8', common.mustSucceed((data) => {
+          strictEqual(data, 'something else\n');
+          stream.end();
+        }));
+      }));
+    }));
+  }
+}
diff --git a/test/parallel/test-fastutf8stream-periodicflush.js b/test/parallel/test-fastutf8stream-periodicflush.js
new file mode 100644
index 00000000000000..5eb25a247fb944
--- /dev/null
+++ b/test/parallel/test-fastutf8stream-periodicflush.js
@@ -0,0 +1,81 @@
+'use strict';
+
+const common = require('../common');
+const tmpdir = require('../common/tmpdir');
+const {
+  ok,
+  strictEqual,
+} = require('node:assert');
+const {
+  openSync,
+  readFile,
+} = require('node:fs');
+const { Utf8Stream } = require('node:fs');
+const { join } = require('node:path');
+const { isMainThread } = require('node:worker_threads');
+
+tmpdir.refresh();
+let fileCounter = 0;
+
+if (isMainThread) {
+  process.umask(0o000);
+}
+function getTempFile() {
+  return join(tmpdir.path, `fastutf8stream-${process.pid}-${Date.now()}-${fileCounter++}.log`);
+}
+
+runTests(false);
+runTests(true);
+
+function runTests(sync) {
+
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+    const stream = new Utf8Stream({ fd, sync, minLength: 5000 });
+
+    ok(stream.write('hello world\n'));
+
+    setTimeout(common.mustCall(() => {
+      readFile(dest, 'utf8', common.mustSucceed((data) => {
+        strictEqual(data, '');
+      }));
+    }), 1500);
+
+    stream.destroy();
+  }
+
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+
+    // Test that periodicFlush property is set correctly
+    const stream1 = new Utf8Stream({ fd, sync, minLength: 5000 });
+    strictEqual(stream1.periodicFlush, 0);
+    stream1.destroy();
+
+    const fd2 = openSync(dest, 'w');
+    const stream2 = new Utf8Stream({ fd: fd2, sync, minLength: 5000, periodicFlush: 1000 });
+    strictEqual(stream2.periodicFlush, 1000);
+    stream2.destroy();
+  }
+
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+    const stream = new Utf8Stream({ fd, sync, minLength: 5000 });
+
+    ok(stream.write('hello world\n'));
+
+    // Manually flush to test that data can be written
+    stream.flush(common.mustSucceed());
+
+    setTimeout(common.mustCall(() => {
+      readFile(dest, 'utf8', common.mustSucceed((data) => {
+        strictEqual(data, 'hello world\n');
+      }));
+    }), 500);
+
+    stream.destroy();
+  }
+}
diff --git a/test/parallel/test-fastutf8stream-reopen.js b/test/parallel/test-fastutf8stream-reopen.js
new file mode 100644
index 00000000000000..cb929247d55443
--- /dev/null
+++ b/test/parallel/test-fastutf8stream-reopen.js
@@ -0,0 +1,192 @@
+'use strict';
+
+const common = require('../common');
+const tmpdir = require('../common/tmpdir');
+const {
+  ok,
+  strictEqual,
+  throws,
+} = require('node:assert');
+const {
+  open,
+  openSync,
+  readFile,
+  renameSync,
+} = require('node:fs');
+const { Utf8Stream } = require('node:fs');
+const { join } = require('node:path');
+const { isMainThread } = require('node:worker_threads');
+
+tmpdir.refresh();
+let fileCounter = 0;
+
+if (isMainThread) {
+  process.umask(0o000);
+}
+
+function getTempFile() {
+  return join(tmpdir.path, `fastutf8stream-${process.pid}-${Date.now()}-${fileCounter++}.log`);
+}
+
+runTests(false);
+runTests(true);
+
+function runTests(sync) {
+
+  {
+    const dest = getTempFile();
+    const stream = new Utf8Stream({ dest, sync });
+
+    ok(stream.write('hello world\n'));
+    ok(stream.write('something else\n'));
+
+    const after = dest + '-moved';
+
+    stream.once('drain', common.mustCall(() => {
+      renameSync(dest, after);
+      stream.reopen();
+
+      stream.once('ready', common.mustCall(() => {
+        ok(stream.write('after reopen\n'));
+
+        stream.once('drain', common.mustCall(() => {
+          readFile(after, 'utf8', common.mustSucceed((data) => {
+            strictEqual(data, 'hello world\nsomething else\n');
+            readFile(dest, 'utf8', common.mustSucceed((data) => {
+              strictEqual(data, 'after reopen\n');
+              stream.end();
+            }));
+          }));
+        }));
+      }));
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const stream = new Utf8Stream({ dest, sync });
+
+    ok(stream.write('hello world\n'));
+    ok(stream.write('something else\n'));
+
+    stream.reopen();
+    stream.end();
+
+    stream.on('close', common.mustCall());
+  }
+
+  {
+    const dest = getTempFile();
+    const stream = new Utf8Stream({ dest, minLength: 0, sync });
+
+    ok(stream.write('hello world\n'));
+    ok(stream.write('something else\n'));
+
+    const after = dest + '-new';
+
+    stream.once('drain', common.mustCall(() => {
+      stream.reopen(after);
+      strictEqual(stream.file, after);
+
+      stream.once('ready', common.mustCall(() => {
+        ok(stream.write('after reopen\n'));
+
+        stream.once('drain', common.mustCall(() => {
+          readFile(dest, 'utf8', common.mustSucceed((data) => {
+            strictEqual(data, 'hello world\nsomething else\n');
+            readFile(after, 'utf8', common.mustSucceed((data) => {
+              strictEqual(data, 'after reopen\n');
+              stream.end();
+            }));
+          }));
+        }));
+      }));
+    }));
+  }
+
+  {
+    let throwOnNextOpen = false;
+    const err = new Error('open error');
+    const fsOverride = {};
+    if (sync) {
+      fsOverride.openSync = function(...args) {
+        if (throwOnNextOpen) {
+          throwOnNextOpen = false;
+          throw err;
+        }
+        return openSync(...args);
+      };
+    } else {
+      fsOverride.open = function(file, flags, mode, cb) {
+        if (throwOnNextOpen) {
+          throwOnNextOpen = false;
+          process.nextTick(() => cb(err));
+          return;
+        }
+        return open(file, flags, mode, cb);
+      };
+    }
+
+    const dest = getTempFile();
+    const stream = new Utf8Stream({
+      dest,
+      sync,
+      fs: fsOverride,
+    });
+
+    ok(stream.write('hello world\n'));
+    ok(stream.write('something else\n'));
+
+    const after = dest + '-moved';
+    stream.on('error', common.mustCall());
+
+    stream.once('drain', common.mustCall(() => {
+      renameSync(dest, after);
+      throwOnNextOpen = true;
+      if (sync) {
+        throws(() => stream.reopen(), err);
+      } else {
+        stream.reopen();
+      }
+
+      setTimeout(common.mustCall(() => {
+        ok(stream.write('after reopen\n'));
+
+        stream.end();
+        stream.on('finish', common.mustCall(() => {
+          readFile(after, 'utf8', common.mustSucceed((data) => {
+            strictEqual(data, 'hello world\nsomething else\nafter reopen\n');
+          }));
+        }));
+      }), 10);
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const stream = new Utf8Stream({ dest, sync });
+
+    ok(stream.write('hello world\n'));
+    ok(stream.write('something else\n'));
+
+    const after = dest + '-moved';
+    stream.once('drain', common.mustCall(() => {
+      renameSync(dest, after);
+      stream.reopen();
+
+      stream.once('drain', common.mustCall(() => {
+        ok(stream.write('after reopen\n'));
+
+        stream.once('drain', common.mustCall(() => {
+          readFile(after, 'utf8', common.mustSucceed((data) => {
+            strictEqual(data, 'hello world\nsomething else\n');
+            readFile(dest, 'utf8', common.mustSucceed((data) => {
+              strictEqual(data, 'after reopen\n');
+              stream.end();
+            }));
+          }));
+        }));
+      }));
+    }));
+  }
+}
diff --git a/test/parallel/test-fastutf8stream-retry.js b/test/parallel/test-fastutf8stream-retry.js
new file mode 100644
index 00000000000000..5537c3427c7c79
--- /dev/null
+++ b/test/parallel/test-fastutf8stream-retry.js
@@ -0,0 +1,216 @@
+'use strict';
+
+const common = require('../common');
+const tmpdir = require('../common/tmpdir');
+const {
+  ok,
+  strictEqual,
+} = require('node:assert');
+const {
+  openSync,
+  writeSync,
+  write,
+  readFile,
+} = require('node:fs');
+const { Utf8Stream } = require('node:fs');
+const { join } = require('node:path');
+const { isMainThread } = require('node:worker_threads');
+
+tmpdir.refresh();
+let fileCounter = 0;
+
+if (isMainThread) {
+  process.umask(0o000);
+}
+
+function getTempFile() {
+  return join(tmpdir.path, `fastutf8stream-${process.pid}-${Date.now()}-${fileCounter++}.log`);
+}
+
+runTests(false);
+runTests(true);
+
+function runTests(sync) {
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+
+    const fsOverride = {};
+    let errOnNext = true;
+    const err = new Error('EAGAIN');
+    err.code = 'EAGAIN';
+    if (sync) {
+      fsOverride.writeSync = common.mustCall((...args) => {
+        if (errOnNext) {
+          errOnNext = false;
+          throw err;
+        }
+        writeSync(...args);
+      }, 3);
+    } else {
+      fsOverride.write = common.mustCall((...args) => {
+        if (errOnNext) {
+          errOnNext = false;
+          const callback = args[args.length - 1];
+          process.nextTick(callback, err);
+          return;
+        }
+        write(...args);
+      }, 3);
+    }
+
+    const stream = new Utf8Stream({
+      fd,
+      sync,
+      minLength: 0,
+      fs: fsOverride,
+    });
+
+    stream.on('ready', common.mustCall(() => {
+      ok(stream.write('hello world\n'));
+      ok(stream.write('something else\n'));
+      stream.end();
+      stream.on('finish', common.mustCall(() => {
+        readFile(dest, 'utf8', common.mustSucceed((data) => {
+          strictEqual(data, 'hello world\nsomething else\n');
+        }));
+      }));
+    }));
+  }
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+
+  const err = new Error('EAGAIN');
+  err.code = 'EAGAIN';
+  let errorOnNext = true;
+
+  const stream = new Utf8Stream({
+    fd,
+    sync: false,
+    minLength: 12,
+    retryEAGAIN: (err, writeBufferLen, remainingBufferLen) => {
+      strictEqual(err.code, 'EAGAIN');
+      strictEqual(writeBufferLen, 12);
+      strictEqual(remainingBufferLen, 0);
+      return false; // Don't retry
+    },
+    fs: {
+      write: common.mustCall((...args) => {
+        if (errorOnNext) {
+          errorOnNext = false;
+          const callback = args[args.length - 1];
+          process.nextTick(callback, err);
+          return;
+        }
+        write(...args);
+      }, 3),
+    }
+  });
+
+  stream.on('ready', common.mustCall(() => {
+    stream.once('error', common.mustCall((err) => {
+      strictEqual(err.code, 'EAGAIN');
+      ok(stream.write('something else\n'));
+    }));
+
+    ok(stream.write('hello world\n'));
+    stream.end();
+
+    stream.on('finish', common.mustCall(() => {
+      readFile(dest, 'utf8', common.mustSucceed((data) => {
+        strictEqual(data, 'hello world\nsomething else\n');
+      }));
+    }));
+  }));
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+
+  const err = new Error('EBUSY');
+  err.code = 'EBUSY';
+  let errorOnNext = true;
+
+  const stream = new Utf8Stream({
+    fd,
+    sync: false,
+    minLength: 0,
+    fs: {
+      write: common.mustCall((...args) => {
+        if (errorOnNext) {
+          errorOnNext = false;
+          const callback = args[args.length - 1];
+          process.nextTick(callback, err);
+          return;
+        }
+        write(...args);
+      }, 3),
+    }
+  });
+
+  stream.on('ready', common.mustCall(() => {
+    ok(stream.write('hello world\n'));
+    ok(stream.write('something else\n'));
+
+    stream.end();
+
+    stream.on('finish', common.mustCall(() => {
+      readFile(dest, 'utf8', common.mustSucceed((data) => {
+        strictEqual(data, 'hello world\nsomething else\n');
+      }));
+    }));
+  }));
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+
+  const err = new Error('EBUSY');
+  err.code = 'EBUSY';
+  let errorOnNext = true;
+
+  const stream = new Utf8Stream({
+    fd,
+    sync: false,
+    minLength: 12,
+    retryEAGAIN: (err, writeBufferLen, remainingBufferLen) => {
+      strictEqual(err.code, 'EBUSY');
+      strictEqual(writeBufferLen, 12);
+      strictEqual(remainingBufferLen, 0);
+      return false; // Don't retry
+    },
+    fs: {
+      write: common.mustCall((...args) => {
+        if (errorOnNext) {
+          errorOnNext = false;
+          const callback = args[args.length - 1];
+          process.nextTick(callback, err);
+          return;
+        }
+        write(...args);
+      }, 3),
+    }
+  });
+
+  stream.on('ready', common.mustCall(() => {
+    stream.once('error', common.mustCall((err) => {
+      strictEqual(err.code, 'EBUSY');
+      ok(stream.write('something else\n'));
+    }));
+
+    ok(stream.write('hello world\n'));
+
+    stream.end();
+
+    stream.on('finish', common.mustCall(() => {
+      readFile(dest, 'utf8', common.mustSucceed((data) => {
+        strictEqual(data, 'hello world\nsomething else\n');
+      }));
+    }));
+  }));
+}
diff --git a/test/parallel/test-fastutf8stream-sync.js b/test/parallel/test-fastutf8stream-sync.js
new file mode 100644
index 00000000000000..6100991d7a27f2
--- /dev/null
+++ b/test/parallel/test-fastutf8stream-sync.js
@@ -0,0 +1,211 @@
+'use strict';
+
+const common = require('../common');
+const tmpdir = require('../common/tmpdir');
+const {
+  ok,
+  strictEqual,
+  throws,
+} = require('node:assert');
+const {
+  openSync,
+  closeSync,
+  readFile,
+  readSync,
+  readFileSync,
+  writeSync,
+  stat,
+} = require('node:fs');
+const { Utf8Stream } = require('node:fs');
+const { join } = require('node:path');
+const { isMainThread } = require('node:worker_threads');
+
+tmpdir.refresh();
+let fileCounter = 0;
+if (isMainThread) {
+  process.umask(0o000);
+}
+
+function getTempFile() {
+  return join(tmpdir.path, `fastutf8stream-${process.pid}-${Date.now()}-${fileCounter++}.log`);
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+  let callCount = 0;
+
+  const stream = new Utf8Stream({
+    fd,
+    minLength: 0,
+    sync: true,
+    fs: {
+      writeSync: common.mustCall((...args) => {
+        if (callCount++ === 0) return 0;
+        writeSync(...args);
+      }, 3),
+    }
+  });
+
+  stream.on('ready', common.mustCall(() => {
+    ok(stream.write('hello world\n'));
+    ok(stream.write('something else\n'));
+
+    stream.end();
+
+    stream.on('finish', common.mustCall(() => {
+      readFile(dest, 'utf8', common.mustSucceed((data) => {
+        strictEqual(data, 'hello world\nsomething else\n');
+      }));
+    }));
+  }));
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+  let callCount = 0;
+
+  const stream = new Utf8Stream({
+    fd,
+    minLength: 100,
+    sync: false,
+    fs: {
+      writeSync: common.mustCall((...args) => {
+        if (callCount++ === 0) return 0;
+        return writeSync(...args);
+      }, 2),
+    }
+  });
+
+  stream.on('ready', common.mustCall(() => {
+    ok(stream.write('hello world\n'));
+    ok(stream.write('something else\n'));
+    stream.flushSync();
+    stream.on('write', common.mustNotCall());
+    stream.end();
+    stream.on('finish', common.mustCall(() => {
+      readFile(dest, 'utf8', common.mustSucceed((data) => {
+        strictEqual(data, 'hello world\nsomething else\n');
+      }));
+    }));
+  }));
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+
+  const stream = new Utf8Stream({
+    fd,
+    minLength: 0,
+    sync: true,
+    fs: {
+      writeSync: common.mustCall(writeSync, 2),
+    }
+  });
+
+  ok(stream.write('hello world\n'));
+  ok(stream.write('something else\n'));
+
+  stream.on('drain', common.mustCall(() => {
+    const data = readFileSync(dest, 'utf8');
+    strictEqual(data, 'hello world\nsomething else\n');
+  }));
+
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+  const stream = new Utf8Stream({ fd, minLength: 0, sync: true });
+
+  const buf = Buffer.alloc(1024).fill('x').toString(); // 1 KB
+  let length = 0;
+
+  // Reduce iterations to avoid test timeout
+  for (let i = 0; i < 1024; i++) {
+    length += buf.length;
+    stream.write(buf);
+  }
+
+  stream.end();
+
+  stream.on('finish', common.mustCall(() => {
+    stat(dest, common.mustSucceed((stat) => {
+      strictEqual(stat.size, length);
+    }));
+  }));
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+  const stream = new Utf8Stream({ fd, minLength: 0, sync: true });
+
+  let buf = Buffer.alloc((1024 * 16) - 2).fill('x'); // 16KB - 2B
+  const length = buf.length + 4;
+  buf = buf.toString() + '🌲'; // 16 KB + 4B emoji
+
+  stream.write(buf);
+  stream.end();
+
+  stream.on('finish', common.mustCall(() => {
+    stat(dest, common.mustSucceed((stat) => {
+      strictEqual(stat.size, length);
+      const char = Buffer.alloc(4);
+      const readFd = openSync(dest, 'r');
+      readSync(readFd, char, 0, 4, length - 4);
+      closeSync(readFd);
+      strictEqual(char.toString(), '🌲');
+    }));
+  }));
+}
+
+{
+  const dest = getTempFile();
+
+  const stream = new Utf8Stream({ dest, sync: true });
+  ok(stream.write('hello world\n'));
+  ok(stream.write('something else\n'));
+  stream.flushSync();
+  // If we get here without error, the test passes
+  stream.end();
+}
+throws(() => {
+  new Utf8Stream({ dest: '/path/to/nowhere', sync: true });
+}, /ENOENT|EACCES/);
+
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+  const stream = new Utf8Stream({ fd, sync: true });
+
+  ok(stream.write('hello world 👀\n'));
+  ok(stream.write('another line 👀\n'));
+
+  // Check internal buffer length (may not be available in Utf8Stream)
+  // This is implementation-specific, so we just verify writes succeeded
+  ok(true, 'writes completed successfully');
+
+  stream.end();
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+  const stream = new Utf8Stream({ fd, sync: true, minLength: 20 });
+
+  let str = '';
+  for (let i = 0; i < 20; i++) {
+    ok(stream.write('👀'));
+    str += '👀';
+  }
+
+  // Check internal buffer length (implementation-specific)
+  ok(true, 'writes completed successfully');
+  readFile(dest, 'utf8', common.mustSucceed((data) => {
+    strictEqual(data, str);
+  }));
+}
diff --git a/test/parallel/test-fastutf8stream-write.js b/test/parallel/test-fastutf8stream-write.js
new file mode 100644
index 00000000000000..2257a854d50574
--- /dev/null
+++ b/test/parallel/test-fastutf8stream-write.js
@@ -0,0 +1,273 @@
+'use strict';
+
+const common = require('../common');
+const tmpdir = require('../common/tmpdir');
+const {
+  ok,
+  strictEqual,
+} = require('node:assert');
+const {
+  openSync,
+  readFile,
+  createReadStream,
+  write,
+  writeSync,
+  stat,
+} = require('node:fs');
+const { Utf8Stream } = require('node:fs');
+const { join } = require('node:path');
+const { isMainThread } = require('node:worker_threads');
+
+tmpdir.refresh();
+let fileCounter = 0;
+if (isMainThread) {
+  process.umask(0o000);
+}
+
+function getTempFile() {
+  return join(tmpdir.path, `fastutf8stream-${process.pid}-${Date.now()}-${fileCounter++}.log`);
+}
+
+runTests(false);
+runTests(true);
+
+function runTests(sync) {
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+    const stream = new Utf8Stream({ fd, sync });
+    stream.on('ready', common.mustCall(() => {
+      ok(stream.write('hello world\n'));
+      ok(stream.write('something else\n'));
+
+      stream.end();
+
+      stream.on('finish', common.mustCall(() => {
+        readFile(dest, 'utf8', common.mustSucceed((data) => {
+          strictEqual(data, 'hello world\nsomething else\n');
+        }));
+      }));
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+    const stream = new Utf8Stream({ fd, sync });
+
+    stream.once('drain', common.mustCall(() => {
+      readFile(dest, 'utf8', common.mustSucceed((data) => {
+        strictEqual(data, 'hello world\n');
+        ok(stream.write('something else\n'));
+
+        stream.once('drain', common.mustCall(() => {
+          readFile(dest, 'utf8', common.mustSucceed((data) => {
+            strictEqual(data, 'hello world\nsomething else\n');
+            stream.end();
+          }));
+        }));
+      }));
+    }));
+
+    ok(stream.write('hello world\n'));
+  };
+
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+    const stream = new Utf8Stream({ fd, sync });
+    const source = createReadStream(__filename, { encoding: 'utf8' });
+
+    source.pipe(stream);
+
+    stream.on('finish', common.mustCall(() => {
+      readFile(__filename, 'utf8', common.mustSucceed((expected) => {
+        readFile(dest, 'utf8', common.mustSucceed((data) => {
+          strictEqual(data, expected);
+        }));
+      }));
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const stream = new Utf8Stream({ dest, sync });
+
+    stream.on('ready', common.mustCall(() => {
+      ok(stream.write('hello world\n'));
+      ok(stream.write('something else\n'));
+
+      stream.end();
+
+      stream.on('finish', common.mustCall(() => {
+        readFile(dest, 'utf8', common.mustSucceed((data) => {
+          strictEqual(data, 'hello world\nsomething else\n');
+        }));
+      }));
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const stream = new Utf8Stream({ dest, minLength: 4096, sync });
+
+    stream.on('ready', common.mustCall(() => {
+      ok(stream.write('hello world\n'));
+      ok(stream.write('something else\n'));
+
+      stream.on('drain', common.mustNotCall());
+
+      setTimeout(common.mustCall(() => {
+        readFile(dest, 'utf8', common.mustSucceed((data) => {
+          strictEqual(data, ''); // Should be empty due to minLength
+
+          stream.end();
+
+          stream.on('finish', common.mustCall(() => {
+            readFile(dest, 'utf8', common.mustSucceed((data) => {
+              strictEqual(data, 'hello world\nsomething else\n');
+            }));
+          }));
+        }));
+      }), 100);
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const fd = openSync(dest, 'w');
+
+    let throwOnNext = true;
+
+    const fsOverride = {};
+    if (sync) {
+      fsOverride.writeSync = common.mustCall((...args) => {
+        if (throwOnNext) {
+          throw new Error('recoverable error');
+        }
+        return writeSync(...args);
+      }, 3);
+    } else {
+      fsOverride.write = common.mustCall((...args) => {
+        if (throwOnNext) {
+          const callback = args[args.length - 1];
+          process.nextTick(callback, new Error('recoverable error'));
+          return;
+        }
+        return write(...args);
+      }, 3);
+    }
+
+    const stream = new Utf8Stream({
+      fd,
+      minLength: 0,
+      sync,
+      fs: fsOverride,
+    });
+
+    stream.on('ready', common.mustCall(() => {
+      stream.on('error', common.mustCall());
+      ok(stream.write('hello world\n'));
+
+      setTimeout(common.mustCall(() => {
+        throwOnNext = false;
+        ok(stream.write('something else\n'));
+        stream.end();
+        stream.on('finish', common.mustCall(() => {
+          readFile(dest, 'utf8', common.mustSucceed((data) => {
+            strictEqual(data, 'hello world\nsomething else\n');
+          }));
+        }));
+      }), 10);
+    }));
+  }
+
+  {
+    const dest = getTempFile();
+    const stream = new Utf8Stream({ dest, sync });
+
+    stream.on('ready', common.mustCall(() => {
+      let length = 0;
+      stream.on('write', (bytes) => {
+        length += bytes;
+      });
+
+      ok(stream.write('hello world\n'));
+      ok(stream.write('something else\n'));
+
+      stream.end();
+
+      stream.on('finish', common.mustCall(() => {
+        readFile(dest, 'utf8', common.mustSucceed((data) => {
+          strictEqual(data, 'hello world\nsomething else\n');
+          strictEqual(length, 27);
+        }));
+      }));
+    }));
+  }
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+
+  let callCount = 0;
+
+  const stream = new Utf8Stream({
+    fd,
+    minLength: 0,
+    sync: false,
+    fs: {
+      write: common.mustCall((...args) => {
+        if (callCount++ === 0) {
+          const callback = args[args.length - 1];
+          process.nextTick(callback, null, 0);
+          return;
+        }
+        write(...args);
+      }, 3),
+    }
+  });
+  stream.on('ready', common.mustCall(() => {
+    ok(stream.write('hello world\n'));
+    ok(stream.write('something else\n'));
+
+    stream.end();
+
+    stream.on('finish', common.mustCall(() => {
+      readFile(dest, 'utf8', common.mustSucceed((data) => {
+        strictEqual(data, 'hello world\nsomething else\n');
+      }));
+    }));
+  }));
+}
+
+{
+  const dest = getTempFile();
+  const fd = openSync(dest, 'w');
+  const stream = new Utf8Stream({ fd, minLength: 0, sync: false });
+
+  const buf = Buffer.alloc(1024).fill('x').toString(); // 1 KB
+  let length = 0;
+
+  // Reduce iterations to avoid test timeout
+  for (let i = 0; i < 1024; i++) {
+    length += buf.length;
+    stream.write(buf);
+  }
+
+  stream.end();
+
+  stream.on('finish', common.mustCall(() => {
+    stat(dest, common.mustSucceed((stat) => {
+      strictEqual(stat.size, length);
+    }));
+  }));
+}
+
+{
+  const dest = getTempFile();
+  const stream = new Utf8Stream({ dest, maxLength: 65536 });
+  strictEqual(stream.maxLength, 65536);
+  stream.end();
+}
diff --git a/test/parallel/test-fs-cp-async-async-filter-function.mjs b/test/parallel/test-fs-cp-async-async-filter-function.mjs
new file mode 100644
index 00000000000000..91b17a0f8823de
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-async-filter-function.mjs
@@ -0,0 +1,32 @@
+// This tests that cp() supports async filter function.
+
+import { mustCall } from '../common/index.mjs';
+import { nextdir, collectEntries } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp, statSync } from 'node:fs';
+import { setTimeout } from 'node:timers/promises';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+cp(src, dest, {
+  filter: async (path) => {
+    await setTimeout(5, 'done');
+    const pathStat = statSync(path);
+    return pathStat.isDirectory() || path.endsWith('.js');
+  },
+  dereference: true,
+  recursive: true,
+}, mustCall((err) => {
+  assert.strictEqual(err, null);
+  const destEntries = [];
+  collectEntries(dest, destEntries);
+  for (const entry of destEntries) {
+    assert.strictEqual(
+      entry.isDirectory() || entry.name.endsWith('.js'),
+      true
+    );
+  }
+}));
diff --git a/test/parallel/test-fs-cp-async-copy-non-directory-symlink.mjs b/test/parallel/test-fs-cp-async-copy-non-directory-symlink.mjs
new file mode 100644
index 00000000000000..a5064a9a71a269
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-copy-non-directory-symlink.mjs
@@ -0,0 +1,22 @@
+// This tests that cp() copies link if it does not point to folder in src.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp, mkdirSync, readlinkSync, symlinkSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
+symlinkSync(src, join(src, 'a', 'c'));
+const dest = nextdir();
+mkdirSync(join(dest, 'a'), mustNotMutateObjectDeep({ recursive: true }));
+symlinkSync(dest, join(dest, 'a', 'c'));
+cp(src, dest, mustNotMutateObjectDeep({ recursive: true }), mustCall((err) => {
+  assert.strictEqual(err, null);
+  const link = readlinkSync(join(dest, 'a', 'c'));
+  assert.strictEqual(link, src);
+}));
diff --git a/test/parallel/test-fs-cp-async-dereference-force-false-silent-fail.mjs b/test/parallel/test-fs-cp-async-dereference-force-false-silent-fail.mjs
new file mode 100644
index 00000000000000..0c92b3eb6276c5
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-dereference-force-false-silent-fail.mjs
@@ -0,0 +1,25 @@
+// This tests that it does not fail if the same directory is copied to dest
+// twice, when dereference is true, and force is false (fails silently).
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import assert from 'node:assert';
+import { cp, cpSync, lstatSync } from 'node:fs';
+import { join } from 'node:path';
+import { nextdir } from '../common/fs.js';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+const destFile = join(dest, 'a/b/README2.md');
+cpSync(src, dest, mustNotMutateObjectDeep({ dereference: true, recursive: true }));
+cp(src, dest, {
+  dereference: true,
+  recursive: true
+}, mustCall((err) => {
+  assert.strictEqual(err, null);
+  const stat = lstatSync(destFile);
+  assert(stat.isFile());
+}));
diff --git a/test/parallel/test-fs-cp-async-dereference-symlink.mjs b/test/parallel/test-fs-cp-async-dereference-symlink.mjs
new file mode 100644
index 00000000000000..7edc8b8c66bbc6
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-dereference-symlink.mjs
@@ -0,0 +1,27 @@
+// This tests that cp() copies file itself, rather than symlink, when dereference is true.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp, lstatSync, mkdirSync, symlinkSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(join(src, 'foo.js'), 'foo', 'utf8');
+symlinkSync(join(src, 'foo.js'), join(src, 'bar.js'));
+
+const dest = nextdir();
+mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
+const destFile = join(dest, 'foo.js');
+
+cp(join(src, 'bar.js'), destFile, mustNotMutateObjectDeep({ dereference: true }),
+   mustCall((err) => {
+     assert.strictEqual(err, null);
+     const stat = lstatSync(destFile);
+     assert(stat.isFile());
+   })
+);
diff --git a/test/parallel/test-fs-cp-async-dest-symlink-points-to-src-error.mjs b/test/parallel/test-fs-cp-async-dest-symlink-points-to-src-error.mjs
new file mode 100644
index 00000000000000..da8d606963bf53
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-dest-symlink-points-to-src-error.mjs
@@ -0,0 +1,21 @@
+// This tests that cp() returns error if parent directory of symlink in dest points to src.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp, mkdirSync, symlinkSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(join(src, 'a'), mustNotMutateObjectDeep({ recursive: true }));
+const dest = nextdir();
+// Create symlink in dest pointing to src.
+const destLink = join(dest, 'b');
+mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
+symlinkSync(src, destLink);
+cp(src, join(dest, 'b', 'c'), mustCall((err) => {
+  assert.strictEqual(err.code, 'ERR_FS_CP_EINVAL');
+}));
diff --git a/test/parallel/test-fs-cp-async-dir-to-file.mjs b/test/parallel/test-fs-cp-async-dir-to-file.mjs
new file mode 100644
index 00000000000000..16d9ce6f0c23f2
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-dir-to-file.mjs
@@ -0,0 +1,17 @@
+// This tests that cp() returns error if attempt is made to copy directory to file.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp, mkdirSync } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
+const dest = fixtures.path('copy/kitchen-sink/README.md');
+cp(src, dest, mustCall((err) => {
+  assert.strictEqual(err.code, 'ERR_FS_CP_DIR_TO_NON_DIR');
+}));
diff --git a/test/parallel/test-fs-cp-async-error-on-exist.mjs b/test/parallel/test-fs-cp-async-error-on-exist.mjs
new file mode 100644
index 00000000000000..c6df45db7f3117
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-error-on-exist.mjs
@@ -0,0 +1,22 @@
+// This tests that cp() returns error if errorOnExist is true, force is false, and file or folder copied over.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp, cpSync } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
+cp(src, dest, {
+  dereference: true,
+  errorOnExist: true,
+  force: false,
+  recursive: true,
+}, mustCall((err) => {
+  assert.strictEqual(err.code, 'ERR_FS_CP_EEXIST');
+}));
diff --git a/test/parallel/test-fs-cp-async-file-to-dir.mjs b/test/parallel/test-fs-cp-async-file-to-dir.mjs
new file mode 100644
index 00000000000000..94dc193f5c529a
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-file-to-dir.mjs
@@ -0,0 +1,17 @@
+// This tests that cp() returns error if attempt is made to copy file to directory.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp, mkdirSync } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink/README.md');
+const dest = nextdir();
+mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
+cp(src, dest, mustCall((err) => {
+  assert.strictEqual(err.code, 'ERR_FS_CP_NON_DIR_TO_DIR');
+}));
diff --git a/test/parallel/test-fs-cp-async-file-to-file.mjs b/test/parallel/test-fs-cp-async-file-to-file.mjs
new file mode 100644
index 00000000000000..faff91e6a2bb8c
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-file-to-file.mjs
@@ -0,0 +1,19 @@
+// This tests that cp() allows file to be copied to a file path.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp, lstatSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const srcFile = fixtures.path('copy/kitchen-sink/README.md');
+const destFile = join(nextdir(), 'index.js');
+cp(srcFile, destFile, mustNotMutateObjectDeep({ dereference: true }), mustCall((err) => {
+  assert.strictEqual(err, null);
+  const stat = lstatSync(destFile);
+  assert(stat.isFile());
+}));
diff --git a/test/parallel/test-fs-cp-async-file-url.mjs b/test/parallel/test-fs-cp-async-file-url.mjs
new file mode 100644
index 00000000000000..4c1ea1fdd56b8d
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-file-url.mjs
@@ -0,0 +1,18 @@
+// This tests that it accepts file URL as src and dest.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import assert from 'node:assert';
+import { cp } from 'node:fs';
+import { pathToFileURL } from 'node:url';
+import tmpdir from '../common/tmpdir.js';
+import { assertDirEquivalent, nextdir } from '../common/fs.js';
+
+tmpdir.refresh();
+
+const src = './test/fixtures/copy/kitchen-sink';
+const dest = nextdir();
+cp(pathToFileURL(src), pathToFileURL(dest), mustNotMutateObjectDeep({ recursive: true }),
+   mustCall((err) => {
+     assert.strictEqual(err, null);
+     assertDirEquivalent(src, dest);
+   }));
diff --git a/test/parallel/test-fs-cp-async-filter-child-folder.mjs b/test/parallel/test-fs-cp-async-filter-child-folder.mjs
new file mode 100644
index 00000000000000..b1ebeca514e438
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-filter-child-folder.mjs
@@ -0,0 +1,26 @@
+// This tests that cp() should not throw exception if child folder is filtered out.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp, cpSync, mkdirSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(join(src, 'test-cp'), mustNotMutateObjectDeep({ recursive: true }));
+
+const dest = nextdir();
+mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(join(dest, 'test-cp'), 'test-content', mustNotMutateObjectDeep({ mode: 0o444 }));
+
+const opts = {
+  filter: (path) => !path.includes('test-cp'),
+  recursive: true,
+};
+cp(src, dest, opts, mustCall((err) => {
+  assert.strictEqual(err, null);
+}));
+cpSync(src, dest, opts);
diff --git a/test/parallel/test-fs-cp-async-filter-function.mjs b/test/parallel/test-fs-cp-async-filter-function.mjs
new file mode 100644
index 00000000000000..bb8145b035b881
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-filter-function.mjs
@@ -0,0 +1,31 @@
+// This tests that cp() applies filter function.
+
+import { mustCall } from '../common/index.mjs';
+import { nextdir, collectEntries } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp, statSync } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+cp(src, dest, {
+  filter: (path) => {
+    const pathStat = statSync(path);
+    return pathStat.isDirectory() || path.endsWith('.js');
+  },
+  dereference: true,
+  recursive: true,
+}, mustCall((err) => {
+  assert.strictEqual(err, null);
+  const destEntries = [];
+  collectEntries(dest, destEntries);
+  for (const entry of destEntries) {
+    assert.strictEqual(
+      entry.isDirectory() || entry.name.endsWith('.js'),
+      true
+    );
+  }
+}));
diff --git a/test/parallel/test-fs-cp-async-identical-src-dest.mjs b/test/parallel/test-fs-cp-async-identical-src-dest.mjs
new file mode 100644
index 00000000000000..20bed5f9268576
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-identical-src-dest.mjs
@@ -0,0 +1,14 @@
+// This tests that cp() returns error when src and dest are identical.
+
+import { mustCall } from '../common/index.mjs';
+import assert from 'node:assert';
+import { cp } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+cp(src, src, mustCall((err) => {
+  assert.strictEqual(err.code, 'ERR_FS_CP_EINVAL');
+}));
diff --git a/test/parallel/test-fs-cp-async-invalid-mode-range.mjs b/test/parallel/test-fs-cp-async-invalid-mode-range.mjs
new file mode 100644
index 00000000000000..12be6a6fadd284
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-invalid-mode-range.mjs
@@ -0,0 +1,13 @@
+// This tests that cp() throws if mode is out of range.
+
+import '../common/index.mjs';
+import assert from 'node:assert';
+import { cp } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+
+tmpdir.refresh();
+
+assert.throws(
+  () => cp('a', 'b', { mode: -1 }, () => {}),
+  { code: 'ERR_OUT_OF_RANGE' }
+);
diff --git a/test/parallel/test-fs-cp-async-invalid-options-type.mjs b/test/parallel/test-fs-cp-async-invalid-options-type.mjs
new file mode 100644
index 00000000000000..7c84d5f680132b
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-invalid-options-type.mjs
@@ -0,0 +1,13 @@
+// This tests that cp() throws if options is not object.
+
+import '../common/index.mjs';
+import assert from 'node:assert';
+import { cp } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+
+tmpdir.refresh();
+
+assert.throws(
+  () => cp('a', 'b', 'hello', () => {}),
+  { code: 'ERR_INVALID_ARG_TYPE' }
+);
diff --git a/test/parallel/test-fs-cp-async-nested-files-folders.mjs b/test/parallel/test-fs-cp-async-nested-files-folders.mjs
new file mode 100644
index 00000000000000..9cc2115bc1fc7e
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-nested-files-folders.mjs
@@ -0,0 +1,17 @@
+// This tests that cp() copies a nested folder structure with files and folders.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir, assertDirEquivalent } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+cp(src, dest, mustNotMutateObjectDeep({ recursive: true }), mustCall((err) => {
+  assert.strictEqual(err, null);
+  assertDirEquivalent(src, dest);
+}));
diff --git a/test/parallel/test-fs-cp-async-no-errors-force-false.mjs b/test/parallel/test-fs-cp-async-no-errors-force-false.mjs
new file mode 100644
index 00000000000000..609706a8306f7c
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-no-errors-force-false.mjs
@@ -0,0 +1,28 @@
+// This tests that it does not throw errors when directory is copied over and force is false.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import assert from 'node:assert';
+import { cp, cpSync, lstatSync, mkdirSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+import { assertDirEquivalent, nextdir } from '../common/fs.js';
+
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(join(src, 'README.md'), 'hello world', 'utf8');
+const dest = nextdir();
+cpSync(src, dest, mustNotMutateObjectDeep({ dereference: true, recursive: true }));
+const initialStat = lstatSync(join(dest, 'README.md'));
+cp(src, dest, {
+  dereference: true,
+  force: false,
+  recursive: true,
+}, mustCall((err) => {
+  assert.strictEqual(err, null);
+  assertDirEquivalent(src, dest);
+  // File should not have been copied over, so access times will be identical:
+  const finalStat = lstatSync(join(dest, 'README.md'));
+  assert.strictEqual(finalStat.ctime.getTime(), initialStat.ctime.getTime());
+}));
diff --git a/test/parallel/test-fs-cp-async-no-recursive.mjs b/test/parallel/test-fs-cp-async-no-recursive.mjs
new file mode 100644
index 00000000000000..fd58ee81d58eaa
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-no-recursive.mjs
@@ -0,0 +1,16 @@
+// This tests that cp() returns error if directory copied without recursive flag.
+
+import { mustCall } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+cp(src, dest, mustCall((err) => {
+  assert.strictEqual(err.code, 'ERR_FS_EISDIR');
+}));
diff --git a/test/parallel/test-fs-cp-async-overwrites-force-true.mjs b/test/parallel/test-fs-cp-async-overwrites-force-true.mjs
new file mode 100644
index 00000000000000..1d5006256a7a12
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-overwrites-force-true.mjs
@@ -0,0 +1,23 @@
+// This tests that it overwrites existing files if force is true.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import assert from 'node:assert';
+import { cp, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+import { assertDirEquivalent, nextdir } from '../common/fs.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(join(dest, 'README.md'), '# Goodbye', 'utf8');
+
+cp(src, dest, mustNotMutateObjectDeep({ recursive: true }), mustCall((err) => {
+  assert.strictEqual(err, null);
+  assertDirEquivalent(src, dest);
+  const content = readFileSync(join(dest, 'README.md'), 'utf8');
+  assert.strictEqual(content.trim(), '# Hello');
+}));
diff --git a/test/parallel/test-fs-cp-async-preserve-timestamps-readonly-file.mjs b/test/parallel/test-fs-cp-async-preserve-timestamps-readonly-file.mjs
new file mode 100644
index 00000000000000..fff2e199fcd039
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-preserve-timestamps-readonly-file.mjs
@@ -0,0 +1,26 @@
+// This tests that it makes file writeable when updating timestamp, if not writeable.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import assert from 'node:assert';
+import { cp, lstatSync, mkdirSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+import { assertDirEquivalent, nextdir } from '../common/fs.js';
+
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
+const dest = nextdir();
+mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(join(src, 'foo.txt'), 'foo', mustNotMutateObjectDeep({ mode: 0o444 }));
+cp(src, dest, {
+  preserveTimestamps: true,
+  recursive: true,
+}, mustCall((err) => {
+  assert.strictEqual(err, null);
+  assertDirEquivalent(src, dest);
+  const srcStat = lstatSync(join(src, 'foo.txt'));
+  const destStat = lstatSync(join(dest, 'foo.txt'));
+  assert.strictEqual(srcStat.mtime.getTime(), destStat.mtime.getTime());
+}));
diff --git a/test/parallel/test-fs-cp-async-preserve-timestamps.mjs b/test/parallel/test-fs-cp-async-preserve-timestamps.mjs
new file mode 100644
index 00000000000000..8e55f07ca6024e
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-preserve-timestamps.mjs
@@ -0,0 +1,24 @@
+// This tests that cp() copies timestamps from src to dest if preserveTimestamps is true.
+
+import { mustCall } from '../common/index.mjs';
+import { nextdir, assertDirEquivalent } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp, lstatSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+cp(src, dest, {
+  preserveTimestamps: true,
+  recursive: true
+}, mustCall((err) => {
+  assert.strictEqual(err, null);
+  assertDirEquivalent(src, dest);
+  const srcStat = lstatSync(join(src, 'index.js'));
+  const destStat = lstatSync(join(dest, 'index.js'));
+  assert.strictEqual(srcStat.mtime.getTime(), destStat.mtime.getTime());
+}));
diff --git a/test/parallel/test-fs-cp-async-same-dir-twice.mjs b/test/parallel/test-fs-cp-async-same-dir-twice.mjs
new file mode 100644
index 00000000000000..0c92b3eb6276c5
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-same-dir-twice.mjs
@@ -0,0 +1,25 @@
+// This tests that it does not fail if the same directory is copied to dest
+// twice, when dereference is true, and force is false (fails silently).
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import assert from 'node:assert';
+import { cp, cpSync, lstatSync } from 'node:fs';
+import { join } from 'node:path';
+import { nextdir } from '../common/fs.js';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+const destFile = join(dest, 'a/b/README2.md');
+cpSync(src, dest, mustNotMutateObjectDeep({ dereference: true, recursive: true }));
+cp(src, dest, {
+  dereference: true,
+  recursive: true
+}, mustCall((err) => {
+  assert.strictEqual(err, null);
+  const stat = lstatSync(destFile);
+  assert(stat.isFile());
+}));
diff --git a/test/parallel/test-fs-cp-async-skip-validation-when-filtered.mjs b/test/parallel/test-fs-cp-async-skip-validation-when-filtered.mjs
new file mode 100644
index 00000000000000..4778bc23319158
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-skip-validation-when-filtered.mjs
@@ -0,0 +1,29 @@
+// This tests that cp() should not throw exception if dest is invalid but filtered out.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp, cpSync, mkdirSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+
+tmpdir.refresh();
+
+// Create dest as a file.
+// Expect: cp skips the copy logic entirely and won't throw any exception in path validation process.
+const src = join(nextdir(), 'bar');
+mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
+
+const destParent = nextdir();
+const dest = join(destParent, 'bar');
+mkdirSync(destParent, mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(dest, 'test-content', mustNotMutateObjectDeep({ mode: 0o444 }));
+
+const opts = {
+  filter: (path) => !path.includes('bar'),
+  recursive: true,
+};
+cp(src, dest, opts, mustCall((err) => {
+  assert.strictEqual(err, null);
+}));
+cpSync(src, dest, opts);
diff --git a/test/parallel/test-fs-cp-async-socket.mjs b/test/parallel/test-fs-cp-async-socket.mjs
new file mode 100644
index 00000000000000..4ebc56cc3f664f
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-socket.mjs
@@ -0,0 +1,34 @@
+// This tests that cp() returns an error if attempt is made to copy socket.
+
+import * as common from '../common/index.mjs';
+import assert from 'node:assert';
+import { cp, mkdirSync } from 'node:fs';
+import { createServer } from 'node:net';
+import { join } from 'node:path';
+import { nextdir } from '../common/fs.js';
+import tmpdir from '../common/tmpdir.js';
+
+const isWindows = process.platform === 'win32';
+if (isWindows) {
+  common.skip('No socket support on Windows');
+}
+
+// See https://github.com/nodejs/node/pull/48409
+if (common.isInsideDirWithUnusualChars) {
+  common.skip('Test is borken in directories with unusual characters');
+}
+
+tmpdir.refresh();
+
+{
+  const src = nextdir();
+  mkdirSync(src);
+  const dest = nextdir();
+  const sock = join(src, `${process.pid}.sock`);
+  const server = createServer();
+  server.listen(sock);
+  cp(sock, dest, common.mustCall((err) => {
+    assert.strictEqual(err.code, 'ERR_FS_CP_SOCKET');
+    server.close();
+  }));
+}
diff --git a/test/parallel/test-fs-cp-async-subdirectory-of-self.mjs b/test/parallel/test-fs-cp-async-subdirectory-of-self.mjs
new file mode 100644
index 00000000000000..6884b2ddcd6998
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-subdirectory-of-self.mjs
@@ -0,0 +1,12 @@
+// This tests that cp() returns error if attempt is made to copy to subdirectory of self.
+
+import { mustCall } from '../common/index.mjs';
+import assert from 'node:assert';
+import { cp } from 'node:fs';
+import fixtures from '../common/fixtures.js';
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = fixtures.path('copy/kitchen-sink/a');
+cp(src, dest, mustCall((err) => {
+  assert.strictEqual(err.code, 'ERR_FS_CP_EINVAL');
+}));
diff --git a/test/parallel/test-fs-cp-async-symlink-dest-points-to-src.mjs b/test/parallel/test-fs-cp-async-symlink-dest-points-to-src.mjs
new file mode 100644
index 00000000000000..dab9c572f9d7d1
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-symlink-dest-points-to-src.mjs
@@ -0,0 +1,21 @@
+// This tests that cp() returns error if symlink in dest points to location in src.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp, mkdirSync, symlinkSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
+symlinkSync(join(src, 'a', 'b'), join(src, 'a', 'c'));
+
+const dest = nextdir();
+mkdirSync(join(dest, 'a'), mustNotMutateObjectDeep({ recursive: true }));
+symlinkSync(src, join(dest, 'a', 'c'));
+cp(src, dest, mustNotMutateObjectDeep({ recursive: true }), mustCall((err) => {
+  assert.strictEqual(err.code, 'ERR_FS_CP_SYMLINK_TO_SUBDIRECTORY');
+}));
diff --git a/test/parallel/test-fs-cp-async-symlink-over-file.mjs b/test/parallel/test-fs-cp-async-symlink-over-file.mjs
new file mode 100644
index 00000000000000..8685a3d611dcf2
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-symlink-over-file.mjs
@@ -0,0 +1,21 @@
+// This tests that cp() returns EEXIST error if attempt is made to copy symlink over file.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp, mkdirSync, symlinkSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
+symlinkSync(join(src, 'a', 'b'), join(src, 'a', 'c'));
+
+const dest = nextdir();
+mkdirSync(join(dest, 'a'), mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(join(dest, 'a', 'c'), 'hello', 'utf8');
+cp(src, dest, mustNotMutateObjectDeep({ recursive: true }), mustCall((err) => {
+  assert.strictEqual(err.code, 'EEXIST');
+}));
diff --git a/test/parallel/test-fs-cp-async-symlink-points-to-dest.mjs b/test/parallel/test-fs-cp-async-symlink-points-to-dest.mjs
new file mode 100644
index 00000000000000..f8e60fe1fa2b2e
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-symlink-points-to-dest.mjs
@@ -0,0 +1,20 @@
+// This tests that cp() returns error if symlink in src points to location in dest.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cp, cpSync, mkdirSync, symlinkSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
+const dest = nextdir();
+mkdirSync(dest);
+symlinkSync(dest, join(src, 'link'));
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
+cp(src, dest, mustNotMutateObjectDeep({ recursive: true }), mustCall((err) => {
+  assert.strictEqual(err.code, 'ERR_FS_CP_EINVAL');
+}));
diff --git a/test/parallel/test-fs-cp-async-with-mode-flags.mjs b/test/parallel/test-fs-cp-async-with-mode-flags.mjs
new file mode 100644
index 00000000000000..99f6b5fe09d916
--- /dev/null
+++ b/test/parallel/test-fs-cp-async-with-mode-flags.mjs
@@ -0,0 +1,31 @@
+// This tests that it copies a nested folder structure with mode flags.
+
+import { mustCall, mustNotMutateObjectDeep } from '../common/index.mjs';
+import assert from 'node:assert';
+import { cp, constants } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import { assertDirEquivalent, nextdir } from '../common/fs.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+cp(src, dest, mustNotMutateObjectDeep({
+  recursive: true,
+  mode: constants.COPYFILE_FICLONE_FORCE,
+}), mustCall((err) => {
+  if (!err) {
+    // If the platform support `COPYFILE_FICLONE_FORCE` operation,
+    // it should reach to here.
+    assert.strictEqual(err, null);
+    assertDirEquivalent(src, dest);
+    return;
+  }
+
+  // If the platform does not support `COPYFILE_FICLONE_FORCE` operation,
+  // it should enter this path.
+  assert.strictEqual(err.syscall, 'copyfile');
+  assert(err.code === 'ENOTSUP' || err.code === 'ENOTTY' ||
+    err.code === 'ENOSYS' || err.code === 'EXDEV');
+}));
diff --git a/test/parallel/test-fs-cp-promises-async-error.mjs b/test/parallel/test-fs-cp-promises-async-error.mjs
new file mode 100644
index 00000000000000..b7817cfd8073de
--- /dev/null
+++ b/test/parallel/test-fs-cp-promises-async-error.mjs
@@ -0,0 +1,23 @@
+// This tests that fs.promises.cp() allows async error to be caught.
+
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import fs from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+await fs.promises.cp(src, dest, mustNotMutateObjectDeep({ recursive: true }));
+await assert.rejects(
+  fs.promises.cp(src, dest, {
+    dereference: true,
+    errorOnExist: true,
+    force: false,
+    recursive: true,
+  }),
+  { code: 'ERR_FS_CP_EEXIST' }
+);
diff --git a/test/parallel/test-fs-cp-promises-file-url.mjs b/test/parallel/test-fs-cp-promises-file-url.mjs
new file mode 100644
index 00000000000000..552e9c0b272f9a
--- /dev/null
+++ b/test/parallel/test-fs-cp-promises-file-url.mjs
@@ -0,0 +1,21 @@
+// This tests that fs.promises.cp() accepts file URL as src and dest.
+
+import '../common/index.mjs';
+import assert from 'node:assert';
+import { promises as fs } from 'node:fs';
+import { pathToFileURL } from 'node:url';
+import { assertDirEquivalent, nextdir } from '../common/fs.js';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+const p = await fs.cp(
+  pathToFileURL(src),
+  pathToFileURL(dest),
+  { recursive: true }
+);
+assert.strictEqual(p, undefined);
+assertDirEquivalent(src, dest);
diff --git a/test/parallel/test-fs-cp-promises-invalid-mode.mjs b/test/parallel/test-fs-cp-promises-invalid-mode.mjs
new file mode 100644
index 00000000000000..2e200e56afe0bd
--- /dev/null
+++ b/test/parallel/test-fs-cp-promises-invalid-mode.mjs
@@ -0,0 +1,15 @@
+// This tests that fs.promises.cp() rejects if options.mode is invalid.
+
+import '../common/index.mjs';
+import assert from 'node:assert';
+import fs from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+
+tmpdir.refresh();
+
+await assert.rejects(
+  fs.promises.cp('a', 'b', {
+    mode: -1,
+  }),
+  { code: 'ERR_OUT_OF_RANGE' }
+);
diff --git a/test/parallel/test-fs-cp-promises-mode-flags.mjs b/test/parallel/test-fs-cp-promises-mode-flags.mjs
new file mode 100644
index 00000000000000..b5633ae5e7f409
--- /dev/null
+++ b/test/parallel/test-fs-cp-promises-mode-flags.mjs
@@ -0,0 +1,36 @@
+// This tests that fs.promises.cp() copies a nested folder structure with mode flags.
+// This test is based on fs.promises.copyFile() with `COPYFILE_FICLONE_FORCE`.
+
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import assert from 'node:assert';
+import { promises as fs, constants } from 'node:fs';
+import { assertDirEquivalent, nextdir } from '../common/fs.js';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+let p = null;
+let successFiClone = false;
+try {
+  p = await fs.cp(src, dest, mustNotMutateObjectDeep({
+    recursive: true,
+    mode: constants.COPYFILE_FICLONE_FORCE,
+  }));
+  successFiClone = true;
+} catch (err) {
+  // If the platform does not support `COPYFILE_FICLONE_FORCE` operation,
+  // it should enter this path.
+  assert.strictEqual(err.syscall, 'copyfile');
+  assert(err.code === 'ENOTSUP' || err.code === 'ENOTTY' ||
+    err.code === 'ENOSYS' || err.code === 'EXDEV');
+}
+
+if (successFiClone) {
+  // If the platform support `COPYFILE_FICLONE_FORCE` operation,
+  // it should reach to here.
+  assert.strictEqual(p, undefined);
+  assertDirEquivalent(src, dest);
+}
diff --git a/test/parallel/test-fs-cp-promises-nested-folder-recursive.mjs b/test/parallel/test-fs-cp-promises-nested-folder-recursive.mjs
new file mode 100644
index 00000000000000..21cd1ba9d257a6
--- /dev/null
+++ b/test/parallel/test-fs-cp-promises-nested-folder-recursive.mjs
@@ -0,0 +1,16 @@
+// This tests that fs.promises.cp() copies a nested folder structure with files and folders.
+
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir, assertDirEquivalent } from '../common/fs.js';
+import assert from 'node:assert';
+import fs from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+const p = await fs.promises.cp(src, dest, mustNotMutateObjectDeep({ recursive: true }));
+assert.strictEqual(p, undefined);
+assertDirEquivalent(src, dest);
diff --git a/test/parallel/test-fs-cp-promises-options-validation.mjs b/test/parallel/test-fs-cp-promises-options-validation.mjs
new file mode 100644
index 00000000000000..a2cfad4552e429
--- /dev/null
+++ b/test/parallel/test-fs-cp-promises-options-validation.mjs
@@ -0,0 +1,13 @@
+// This tests that fs.promises.cp() rejects if options is not object.
+
+import '../common/index.mjs';
+import assert from 'node:assert';
+import fs from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+
+tmpdir.refresh();
+
+await assert.rejects(
+  fs.promises.cp('a', 'b', () => {}),
+  { code: 'ERR_INVALID_ARG_TYPE' }
+);
diff --git a/test/parallel/test-fs-cp-sync-apply-filter-function.mjs b/test/parallel/test-fs-cp-sync-apply-filter-function.mjs
new file mode 100644
index 00000000000000..02e7446c572ee9
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-apply-filter-function.mjs
@@ -0,0 +1,28 @@
+// This tests that cpSync applies filter function.
+import '../common/index.mjs';
+import { nextdir, collectEntries } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, statSync } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+cpSync(src, dest, {
+  filter: (path) => {
+    const pathStat = statSync(path);
+    return pathStat.isDirectory() || path.endsWith('.js');
+  },
+  dereference: true,
+  recursive: true,
+});
+const destEntries = [];
+collectEntries(dest, destEntries);
+for (const entry of destEntries) {
+  assert.strictEqual(
+    entry.isDirectory() || entry.name.endsWith('.js'),
+    true
+  );
+}
diff --git a/test/parallel/test-fs-cp-sync-async-filter-error.mjs b/test/parallel/test-fs-cp-sync-async-filter-error.mjs
new file mode 100644
index 00000000000000..0bb2e62e768bbe
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-async-filter-error.mjs
@@ -0,0 +1,24 @@
+// This tests that cpSync throws error if filter function is asynchronous.
+import '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, statSync } from 'node:fs';
+import { setTimeout } from 'node:timers/promises';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+assert.throws(() => {
+  cpSync(src, dest, {
+    filter: async (path) => {
+      await setTimeout(5, 'done');
+      const pathStat = statSync(path);
+      return pathStat.isDirectory() || path.endsWith('.js');
+    },
+    dereference: true,
+    recursive: true,
+  });
+}, { code: 'ERR_INVALID_RETURN_VALUE' });
diff --git a/test/parallel/test-fs-cp-sync-copy-directory-to-file-error.mjs b/test/parallel/test-fs-cp-sync-copy-directory-to-file-error.mjs
new file mode 100644
index 00000000000000..60438cbe98b8bb
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-copy-directory-to-file-error.mjs
@@ -0,0 +1,24 @@
+// This tests that cpSync throws error if attempt is made to copy directory to file.
+import { isInsideDirWithUnusualChars, mustNotMutateObjectDeep, skip } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+// See https://github.com/nodejs/node/pull/48409
+if (isInsideDirWithUnusualChars) {
+  skip('Test is borken in directories with unusual characters');
+}
+
+tmpdir.refresh();
+
+{
+  const src = nextdir();
+  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
+  const dest = fixtures.path('copy/kitchen-sink/README.md');
+  assert.throws(
+    () => cpSync(src, dest),
+    { code: 'ERR_FS_CP_DIR_TO_NON_DIR' }
+  );
+}
diff --git a/test/parallel/test-fs-cp-sync-copy-directory-without-recursive-error.mjs b/test/parallel/test-fs-cp-sync-copy-directory-without-recursive-error.mjs
new file mode 100644
index 00000000000000..114089977974f8
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-copy-directory-without-recursive-error.mjs
@@ -0,0 +1,16 @@
+// This tests that cpSync throws error if directory copied without recursive flag.
+import '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+assert.throws(
+  () => cpSync(src, dest),
+  { code: 'ERR_FS_EISDIR' }
+);
diff --git a/test/parallel/test-fs-cp-sync-copy-file-to-directory-error.mjs b/test/parallel/test-fs-cp-sync-copy-file-to-directory-error.mjs
new file mode 100644
index 00000000000000..96e1fa3b4e2ad1
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-copy-file-to-directory-error.mjs
@@ -0,0 +1,22 @@
+// This tests that cpSync throws error if attempt is made to copy file to directory.
+import { mustNotMutateObjectDeep, isInsideDirWithUnusualChars, skip } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+// See https://github.com/nodejs/node/pull/48409
+if (isInsideDirWithUnusualChars) {
+  skip('Test is borken in directories with unusual characters');
+}
+
+const src = fixtures.path('copy/kitchen-sink/README.md');
+const dest = nextdir();
+mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
+assert.throws(
+  () => cpSync(src, dest),
+  { code: 'ERR_FS_CP_NON_DIR_TO_DIR' }
+);
diff --git a/test/parallel/test-fs-cp-sync-copy-file-to-file-path.mjs b/test/parallel/test-fs-cp-sync-copy-file-to-file-path.mjs
new file mode 100644
index 00000000000000..fa7ad45d82ac9f
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-copy-file-to-file-path.mjs
@@ -0,0 +1,13 @@
+// This tests that cpSync allows file to be copied to a file path.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, lstatSync } from 'node:fs';
+import { join } from 'node:path';
+import fixtures from '../common/fixtures.js';
+
+const srcFile = fixtures.path('copy/kitchen-sink/index.js');
+const destFile = join(nextdir(), 'index.js');
+cpSync(srcFile, destFile, mustNotMutateObjectDeep({ dereference: true }));
+const stat = lstatSync(destFile);
+assert(stat.isFile());
diff --git a/test/parallel/test-fs-cp-sync-copy-socket-error.mjs b/test/parallel/test-fs-cp-sync-copy-socket-error.mjs
new file mode 100644
index 00000000000000..81a06cc224aee1
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-copy-socket-error.mjs
@@ -0,0 +1,34 @@
+// This tests that cpSync throws an error if attempt is made to copy socket.
+import * as common from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync } from 'node:fs';
+import { createServer } from 'node:net';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+
+const isWindows = process.platform === 'win32';
+if (isWindows) {
+  common.skip('No socket support on Windows');
+}
+
+// See https://github.com/nodejs/node/pull/48409
+if (common.isInsideDirWithUnusualChars) {
+  common.skip('Test is borken in directories with unusual characters');
+}
+
+tmpdir.refresh();
+
+{
+  const src = nextdir();
+  mkdirSync(src);
+  const dest = nextdir();
+  const sock = join(src, `${process.pid}.sock`);
+  const server = createServer();
+  server.listen(sock);
+  assert.throws(
+    () => cpSync(sock, dest),
+    { code: 'ERR_FS_CP_SOCKET' }
+  );
+  server.close();
+}
diff --git a/test/parallel/test-fs-cp-sync-copy-symlink-not-pointing-to-folder.mjs b/test/parallel/test-fs-cp-sync-copy-symlink-not-pointing-to-folder.mjs
new file mode 100644
index 00000000000000..d23a2c8be63e6c
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-copy-symlink-not-pointing-to-folder.mjs
@@ -0,0 +1,19 @@
+// This tests that cpSync copies link if it does not point to folder in src.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync, symlinkSync, readlinkSync } from 'node:fs';
+import { join } from 'node:path';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
+symlinkSync(src, join(src, 'a', 'c'));
+const dest = nextdir();
+mkdirSync(join(dest, 'a'), mustNotMutateObjectDeep({ recursive: true }));
+symlinkSync(dest, join(dest, 'a', 'c'));
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
+const link = readlinkSync(join(dest, 'a', 'c'));
+assert.strictEqual(link, src);
diff --git a/test/parallel/test-fs-cp-sync-copy-symlink-over-file-error.mjs b/test/parallel/test-fs-cp-sync-copy-symlink-over-file-error.mjs
new file mode 100644
index 00000000000000..cf8f055bc2422a
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-copy-symlink-over-file-error.mjs
@@ -0,0 +1,21 @@
+// This tests that cpSync throws EEXIST error if attempt is made to copy symlink over file.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync, symlinkSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
+symlinkSync(join(src, 'a', 'b'), join(src, 'a', 'c'));
+
+const dest = nextdir();
+mkdirSync(join(dest, 'a'), mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(join(dest, 'a', 'c'), 'hello', 'utf8');
+assert.throws(
+  () => cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true })),
+  { code: 'EEXIST' }
+);
diff --git a/test/parallel/test-fs-cp-sync-copy-symlinks-to-existing-symlinks.mjs b/test/parallel/test-fs-cp-sync-copy-symlinks-to-existing-symlinks.mjs
new file mode 100644
index 00000000000000..a84dc07873beee
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-copy-symlinks-to-existing-symlinks.mjs
@@ -0,0 +1,17 @@
+// This tests that cpSync allows copying symlinks in src to locations in dest with
+// existing symlinks not pointing to a directory.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import { cpSync, mkdirSync, writeFileSync, symlinkSync } from 'node:fs';
+import { resolve, join } from 'node:path';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+const src = nextdir();
+const dest = nextdir();
+mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(`${src}/test.txt`, 'test');
+symlinkSync(resolve(`${src}/test.txt`), join(src, 'link.txt'));
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
diff --git a/test/parallel/test-fs-cp-sync-copy-to-subdirectory-error.mjs b/test/parallel/test-fs-cp-sync-copy-to-subdirectory-error.mjs
new file mode 100644
index 00000000000000..034c54efec25aa
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-copy-to-subdirectory-error.mjs
@@ -0,0 +1,14 @@
+// This tests that cpSync throws error if attempt is made to copy to subdirectory of self.
+import '../common/index.mjs';
+import assert from 'node:assert';
+import { cpSync } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = fixtures.path('copy/kitchen-sink/a');
+assert.throws(
+  () => cpSync(src, dest),
+  { code: 'ERR_FS_CP_EINVAL' }
+);
diff --git a/test/parallel/test-fs-cp-sync-dereference-directory.mjs b/test/parallel/test-fs-cp-sync-dereference-directory.mjs
new file mode 100644
index 00000000000000..0fdb827301d1bf
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-dereference-directory.mjs
@@ -0,0 +1,23 @@
+// This tests that cpSync overrides target directory with what symlink points to, when dereference is true.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir, assertDirEquivalent } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync, writeFileSync, symlinkSync, lstatSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+
+tmpdir.refresh();
+
+const src = nextdir();
+const symlink = nextdir();
+const dest = nextdir();
+mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(join(src, 'foo.js'), 'foo', 'utf8');
+symlinkSync(src, symlink);
+
+mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
+
+cpSync(symlink, dest, mustNotMutateObjectDeep({ dereference: true, recursive: true }));
+const destStat = lstatSync(dest);
+assert(!destStat.isSymbolicLink());
+assertDirEquivalent(src, dest);
diff --git a/test/parallel/test-fs-cp-sync-dereference-file.mjs b/test/parallel/test-fs-cp-sync-dereference-file.mjs
new file mode 100644
index 00000000000000..3615dde9aaadbb
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-dereference-file.mjs
@@ -0,0 +1,23 @@
+// This tests that cpSync copies file itself, rather than symlink, when dereference is true.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'assert';
+
+import { cpSync, mkdirSync, writeFileSync, symlinkSync, lstatSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(join(src, 'foo.js'), 'foo', 'utf8');
+symlinkSync(join(src, 'foo.js'), join(src, 'bar.js'));
+
+const dest = nextdir();
+mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
+const destFile = join(dest, 'foo.js');
+
+cpSync(join(src, 'bar.js'), destFile, mustNotMutateObjectDeep({ dereference: true, recursive: true }));
+const stat = lstatSync(destFile);
+assert(stat.isFile());
diff --git a/test/parallel/test-fs-cp-sync-dereference-twice.mjs b/test/parallel/test-fs-cp-sync-dereference-twice.mjs
new file mode 100644
index 00000000000000..921b65902f1c83
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-dereference-twice.mjs
@@ -0,0 +1,20 @@
+// This tests that cpSync does not fail if the same directory is copied to dest twice,
+// when dereference is true, and force is false (fails silently).
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'assert';
+
+import { cpSync, lstatSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+const destFile = join(dest, 'a/b/README2.md');
+cpSync(src, dest, mustNotMutateObjectDeep({ dereference: true, recursive: true }));
+cpSync(src, dest, mustNotMutateObjectDeep({ dereference: true, recursive: true }));
+const stat = lstatSync(destFile);
+assert(stat.isFile());
diff --git a/test/parallel/test-fs-cp-sync-dest-name-prefix-match.mjs b/test/parallel/test-fs-cp-sync-dest-name-prefix-match.mjs
new file mode 100644
index 00000000000000..5322188f34db10
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-dest-name-prefix-match.mjs
@@ -0,0 +1,14 @@
+// This tests that cpSync must not throw error if attempt is made to copy to dest
+// directory with same prefix as src directory.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import { cpSync, mkdirSync } from 'node:fs';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+const src = nextdir('prefix', tmpdir);
+const dest = nextdir('prefix-a', tmpdir);
+mkdirSync(src);
+mkdirSync(dest);
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
diff --git a/test/parallel/test-fs-cp-sync-dest-parent-name-prefix-match.mjs b/test/parallel/test-fs-cp-sync-dest-parent-name-prefix-match.mjs
new file mode 100644
index 00000000000000..4b136398e654c9
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-dest-parent-name-prefix-match.mjs
@@ -0,0 +1,16 @@
+// This tests that cpSync must not throw error if attempt is made to copy to dest
+// directory if the parent of dest has same prefix as src directory.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import { cpSync, mkdirSync } from 'node:fs';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+const src = nextdir('aa', tmpdir);
+const destParent = nextdir('aaa', tmpdir);
+const dest = nextdir('aaa/aabb', tmpdir);
+mkdirSync(src);
+mkdirSync(destParent);
+mkdirSync(dest);
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
diff --git a/test/parallel/test-fs-cp-sync-directory-not-exist-error.mjs b/test/parallel/test-fs-cp-sync-directory-not-exist-error.mjs
new file mode 100644
index 00000000000000..2ea2b0aaf63a98
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-directory-not-exist-error.mjs
@@ -0,0 +1,15 @@
+// This tests that cpSync throws an error when attempting to copy a dir that does not exist.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync } from 'node:fs';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+const src = nextdir();
+const dest = nextdir();
+assert.throws(
+  () => cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true })),
+  { code: 'ENOENT' }
+);
diff --git a/test/parallel/test-fs-cp-sync-error-on-exist.mjs b/test/parallel/test-fs-cp-sync-error-on-exist.mjs
new file mode 100644
index 00000000000000..700e52e3b3c86e
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-error-on-exist.mjs
@@ -0,0 +1,22 @@
+// This tests that cpSync throws error if errorOnExist is true, force is false, and file or folder copied over.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
+assert.throws(
+  () => cpSync(src, dest, {
+    dereference: true,
+    errorOnExist: true,
+    force: false,
+    recursive: true,
+  }),
+  { code: 'ERR_FS_CP_EEXIST' }
+);
diff --git a/test/parallel/test-fs-cp-sync-file-url.mjs b/test/parallel/test-fs-cp-sync-file-url.mjs
new file mode 100644
index 00000000000000..8da791b5c376c7
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-file-url.mjs
@@ -0,0 +1,14 @@
+// This tests that cpSync accepts file URL as src and dest.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir, assertDirEquivalent } from '../common/fs.js';
+import { cpSync } from 'node:fs';
+import { pathToFileURL } from 'node:url';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+cpSync(pathToFileURL(src), pathToFileURL(dest), mustNotMutateObjectDeep({ recursive: true }));
+assertDirEquivalent(src, dest);
diff --git a/test/parallel/test-fs-cp-sync-filename-too-long-error.mjs b/test/parallel/test-fs-cp-sync-filename-too-long-error.mjs
new file mode 100644
index 00000000000000..363a84b366f798
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-filename-too-long-error.mjs
@@ -0,0 +1,17 @@
+// This tests that cpSync throws an error when attempting to copy a file with a name that is too long.
+import '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync } from 'node:fs';
+
+const isWindows = process.platform === 'win32';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+const src = 'a'.repeat(5000);
+const dest = nextdir();
+assert.throws(
+  () => cpSync(src, dest),
+  { code: isWindows ? 'ENOENT' : 'ENAMETOOLONG' }
+);
diff --git a/test/parallel/test-fs-cp-sync-incompatible-options-error.mjs b/test/parallel/test-fs-cp-sync-incompatible-options-error.mjs
new file mode 100644
index 00000000000000..629da5d9dfd6bf
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-incompatible-options-error.mjs
@@ -0,0 +1,14 @@
+// This tests that cpSync throws an error when both dereference and verbatimSymlinks are enabled.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import assert from 'node:assert';
+import { cpSync } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+assert.throws(
+  () => cpSync(src, src, mustNotMutateObjectDeep({ dereference: true, verbatimSymlinks: true })),
+  { code: 'ERR_INCOMPATIBLE_OPTION_PAIR' }
+);
diff --git a/test/parallel/test-fs-cp-sync-mode-flags.mjs b/test/parallel/test-fs-cp-sync-mode-flags.mjs
new file mode 100644
index 00000000000000..5471a6008520b1
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-mode-flags.mjs
@@ -0,0 +1,30 @@
+// This tests that cpSync copies a nested folder structure with mode flags.
+// This test is based on fs.promises.copyFile() with `COPYFILE_FICLONE_FORCE`.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir, assertDirEquivalent } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, constants } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+try {
+  cpSync(src, dest, mustNotMutateObjectDeep({
+    recursive: true,
+    mode: constants.COPYFILE_FICLONE_FORCE,
+  }));
+} catch (err) {
+  // If the platform does not support `COPYFILE_FICLONE_FORCE` operation,
+  // it should enter this path.
+  assert.strictEqual(err.syscall, 'copyfile');
+  assert(err.code === 'ENOTSUP' || err.code === 'ENOTTY' ||
+    err.code === 'ENOSYS' || err.code === 'EXDEV');
+  process.exit(0);
+}
+
+// If the platform support `COPYFILE_FICLONE_FORCE` operation,
+// it should reach to here.
+assertDirEquivalent(src, dest);
diff --git a/test/parallel/test-fs-cp-sync-mode-invalid.mjs b/test/parallel/test-fs-cp-sync-mode-invalid.mjs
new file mode 100644
index 00000000000000..2ebbd2431238fc
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-mode-invalid.mjs
@@ -0,0 +1,12 @@
+// This tests that cpSync rejects if options.mode is invalid.
+import '../common/index.mjs';
+import assert from 'node:assert';
+import { cpSync } from 'node:fs';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+assert.throws(
+  () => cpSync('a', 'b', { mode: -1 }),
+  { code: 'ERR_OUT_OF_RANGE' }
+);
diff --git a/test/parallel/test-fs-cp-sync-nested-files-folders.mjs b/test/parallel/test-fs-cp-sync-nested-files-folders.mjs
new file mode 100644
index 00000000000000..378bb538645594
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-nested-files-folders.mjs
@@ -0,0 +1,13 @@
+// This tests that cpSync copies a nested folder structure with files and folders.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir, assertDirEquivalent } from '../common/fs.js';
+import { cpSync } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
+assertDirEquivalent(src, dest);
diff --git a/test/parallel/test-fs-cp-sync-no-overwrite-force-false.mjs b/test/parallel/test-fs-cp-sync-no-overwrite-force-false.mjs
new file mode 100644
index 00000000000000..696d48d3edc5c5
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-no-overwrite-force-false.mjs
@@ -0,0 +1,21 @@
+// This tests that cpSync does not throw errors when directory is copied over and force is false.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir, assertDirEquivalent } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync, writeFileSync, lstatSync } from 'node:fs';
+import { join } from 'node:path';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(join(src, 'README.md'), 'hello world', 'utf8');
+const dest = nextdir();
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
+const initialStat = lstatSync(join(dest, 'README.md'));
+cpSync(src, dest, mustNotMutateObjectDeep({ force: false, recursive: true }));
+// File should not have been copied over, so access times will be identical:
+assertDirEquivalent(src, dest);
+const finalStat = lstatSync(join(dest, 'README.md'));
+assert.strictEqual(finalStat.ctime.getTime(), initialStat.ctime.getTime());
diff --git a/test/parallel/test-fs-cp-sync-options-invalid-type-error.mjs b/test/parallel/test-fs-cp-sync-options-invalid-type-error.mjs
new file mode 100644
index 00000000000000..d7d8bea38fff3e
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-options-invalid-type-error.mjs
@@ -0,0 +1,12 @@
+// This tests that cpSync throws if options is not object.
+import '../common/index.mjs';
+import assert from 'node:assert';
+import { cpSync } from 'node:fs';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+assert.throws(
+  () => cpSync('a', 'b', () => {}),
+  { code: 'ERR_INVALID_ARG_TYPE' }
+);
diff --git a/test/parallel/test-fs-cp-sync-overwrite-force-true.mjs b/test/parallel/test-fs-cp-sync-overwrite-force-true.mjs
new file mode 100644
index 00000000000000..cd9f8ab3e3ee9f
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-overwrite-force-true.mjs
@@ -0,0 +1,19 @@
+// This tests that cpSync overwrites existing files if force is true.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir, assertDirEquivalent } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync, writeFileSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(join(dest, 'README.md'), '# Goodbye', 'utf8');
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
+assertDirEquivalent(src, dest);
+const content = readFileSync(join(dest, 'README.md'), 'utf8');
+assert.strictEqual(content.trim(), '# Hello');
diff --git a/test/parallel/test-fs-cp-sync-parent-symlink-dest-points-to-src-error.mjs b/test/parallel/test-fs-cp-sync-parent-symlink-dest-points-to-src-error.mjs
new file mode 100644
index 00000000000000..52feaf8120165e
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-parent-symlink-dest-points-to-src-error.mjs
@@ -0,0 +1,26 @@
+// This tests that cpSync throws error if parent directory of symlink in dest points to src.
+import { mustNotMutateObjectDeep, isInsideDirWithUnusualChars, skip } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync, symlinkSync } from 'node:fs';
+import { join } from 'node:path';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+// See https://github.com/nodejs/node/pull/48409
+if (isInsideDirWithUnusualChars) {
+  skip('Test is borken in directories with unusual characters');
+}
+
+const src = nextdir();
+mkdirSync(join(src, 'a'), mustNotMutateObjectDeep({ recursive: true }));
+const dest = nextdir();
+// Create symlink in dest pointing to src.
+const destLink = join(dest, 'b');
+mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
+symlinkSync(src, destLink);
+assert.throws(
+  () => cpSync(src, join(dest, 'b', 'c')),
+  { code: 'ERR_FS_CP_EINVAL' }
+);
diff --git a/test/parallel/test-fs-cp-sync-preserve-timestamps-readonly.mjs b/test/parallel/test-fs-cp-sync-preserve-timestamps-readonly.mjs
new file mode 100644
index 00000000000000..69a4de434f7408
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-preserve-timestamps-readonly.mjs
@@ -0,0 +1,24 @@
+// This tests that cpSync makes file writeable when updating timestamp, if not writeable.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir, assertDirEquivalent } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync, writeFileSync, lstatSync } from 'node:fs';
+import { join } from 'node:path';
+import { setTimeout } from 'node:timers/promises';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
+const dest = nextdir();
+mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(join(src, 'foo.txt'), 'foo', mustNotMutateObjectDeep({ mode: 0o444 }));
+// Small wait to make sure that destStat.mtime.getTime() would produce a time
+// different from srcStat.mtime.getTime() if preserveTimestamps wasn't set to true
+await setTimeout(5);
+cpSync(src, dest, mustNotMutateObjectDeep({ preserveTimestamps: true, recursive: true }));
+assertDirEquivalent(src, dest);
+const srcStat = lstatSync(join(src, 'foo.txt'));
+const destStat = lstatSync(join(dest, 'foo.txt'));
+assert.strictEqual(srcStat.mtime.getTime(), destStat.mtime.getTime());
diff --git a/test/parallel/test-fs-cp-sync-preserve-timestamps.mjs b/test/parallel/test-fs-cp-sync-preserve-timestamps.mjs
new file mode 100644
index 00000000000000..3fb35c2e6359b4
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-preserve-timestamps.mjs
@@ -0,0 +1,18 @@
+// This tests that cpSync copies timestamps from src to dest if preserveTimestamps is true.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir, assertDirEquivalent } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, lstatSync } from 'node:fs';
+import { join } from 'node:path';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+const dest = nextdir();
+cpSync(src, dest, mustNotMutateObjectDeep({ preserveTimestamps: true, recursive: true }));
+assertDirEquivalent(src, dest);
+const srcStat = lstatSync(join(src, 'index.js'));
+const destStat = lstatSync(join(dest, 'index.js'));
+assert.strictEqual(srcStat.mtime.getTime(), destStat.mtime.getTime());
diff --git a/test/parallel/test-fs-cp-sync-resolve-relative-symlinks-default.mjs b/test/parallel/test-fs-cp-sync-resolve-relative-symlinks-default.mjs
new file mode 100644
index 00000000000000..070fabd438749e
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-resolve-relative-symlinks-default.mjs
@@ -0,0 +1,21 @@
+// This tests that cpSync resolves relative symlinks to their absolute path by default.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync, writeFileSync, symlinkSync, readlinkSync } from 'node:fs';
+import { join } from 'node:path';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(join(src, 'foo.js'), 'foo', 'utf8');
+symlinkSync('foo.js', join(src, 'bar.js'));
+
+const dest = nextdir();
+mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
+
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
+const link = readlinkSync(join(dest, 'bar.js'));
+assert.strictEqual(link, join(src, 'foo.js'));
diff --git a/test/parallel/test-fs-cp-sync-resolve-relative-symlinks-false.mjs b/test/parallel/test-fs-cp-sync-resolve-relative-symlinks-false.mjs
new file mode 100644
index 00000000000000..e5f59d655f33f7
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-resolve-relative-symlinks-false.mjs
@@ -0,0 +1,21 @@
+// This tests that cpSync resolves relative symlinks when verbatimSymlinks is false.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync, writeFileSync, symlinkSync, readlinkSync } from 'node:fs';
+import { join } from 'node:path';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(join(src, 'foo.js'), 'foo', 'utf8');
+symlinkSync('foo.js', join(src, 'bar.js'));
+
+const dest = nextdir();
+mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
+
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true, verbatimSymlinks: false }));
+const link = readlinkSync(join(dest, 'bar.js'));
+assert.strictEqual(link, join(src, 'foo.js'));
diff --git a/test/parallel/test-fs-cp-sync-src-dest-identical-error.mjs b/test/parallel/test-fs-cp-sync-src-dest-identical-error.mjs
new file mode 100644
index 00000000000000..81d7e1fcb63eb2
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-src-dest-identical-error.mjs
@@ -0,0 +1,14 @@
+// This tests that cpSync throws error when src and dest are identical.
+import '../common/index.mjs';
+import assert from 'node:assert';
+import { cpSync } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+assert.throws(
+  () => cpSync(src, src),
+  { code: 'ERR_FS_CP_EINVAL' }
+);
diff --git a/test/parallel/test-fs-cp-sync-src-parent-of-dest-error.mjs b/test/parallel/test-fs-cp-sync-src-parent-of-dest-error.mjs
new file mode 100644
index 00000000000000..55e4c7014b7497
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-src-parent-of-dest-error.mjs
@@ -0,0 +1,25 @@
+// This tests that cpSync throws error if attempt is made to copy src to dest when
+// src is parent directory of the parent of dest.
+import { mustNotMutateObjectDeep, isInsideDirWithUnusualChars, skip } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync } from 'node:fs';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+// See https://github.com/nodejs/node/pull/48409
+if (isInsideDirWithUnusualChars) {
+  skip('Test is borken in directories with unusual characters');
+}
+
+const src = nextdir('a', tmpdir);
+const destParent = nextdir('a/b', tmpdir);
+const dest = nextdir('a/b/c', tmpdir);
+mkdirSync(src);
+mkdirSync(destParent);
+mkdirSync(dest);
+assert.throws(
+  () => cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true })),
+  { code: 'ERR_FS_CP_EINVAL' },
+);
diff --git a/test/parallel/test-fs-cp-sync-symlink-dest-points-to-src-error.mjs b/test/parallel/test-fs-cp-sync-symlink-dest-points-to-src-error.mjs
new file mode 100644
index 00000000000000..580e2ada0e2780
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-symlink-dest-points-to-src-error.mjs
@@ -0,0 +1,21 @@
+// This tests that cpSync throws error if symlink in dest points to location in src.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync, symlinkSync } from 'node:fs';
+import { join } from 'node:path';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
+symlinkSync(join(src, 'a', 'b'), join(src, 'a', 'c'));
+
+const dest = nextdir();
+mkdirSync(join(dest, 'a'), mustNotMutateObjectDeep({ recursive: true }));
+symlinkSync(src, join(dest, 'a', 'c'));
+assert.throws(
+  () => cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true })),
+  { code: 'ERR_FS_CP_SYMLINK_TO_SUBDIRECTORY' }
+);
diff --git a/test/parallel/test-fs-cp-sync-symlink-points-to-dest-error.mjs b/test/parallel/test-fs-cp-sync-symlink-points-to-dest-error.mjs
new file mode 100644
index 00000000000000..141798f1d27d4e
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-symlink-points-to-dest-error.mjs
@@ -0,0 +1,22 @@
+// This tests that cpSync throws error if symlink in src points to location in dest.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync, symlinkSync } from 'node:fs';
+import { join } from 'node:path';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
+const dest = nextdir();
+mkdirSync(dest);
+symlinkSync(dest, join(src, 'link'));
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
+assert.throws(
+  () => cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true })),
+  {
+    code: 'ERR_FS_CP_EINVAL'
+  }
+);
diff --git a/test/parallel/test-fs-cp-sync-unicode-folder-names.mjs b/test/parallel/test-fs-cp-sync-unicode-folder-names.mjs
new file mode 100644
index 00000000000000..6393aeb2c15859
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-unicode-folder-names.mjs
@@ -0,0 +1,13 @@
+// This tests that cpSync copies a nested folder containing UTF characters.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir, assertDirEquivalent } from '../common/fs.js';
+import { cpSync } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/utf/新建文件夹');
+const dest = nextdir();
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
+assertDirEquivalent(src, dest);
diff --git a/test/parallel/test-fs-cp-sync-verbatim-symlinks-invalid.mjs b/test/parallel/test-fs-cp-sync-verbatim-symlinks-invalid.mjs
new file mode 100644
index 00000000000000..3db176487f715d
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-verbatim-symlinks-invalid.mjs
@@ -0,0 +1,17 @@
+// This tests that cpSync throws error when verbatimSymlinks is not a boolean.
+import '../common/index.mjs';
+import assert from 'node:assert';
+import { cpSync } from 'node:fs';
+import tmpdir from '../common/tmpdir.js';
+import fixtures from '../common/fixtures.js';
+
+tmpdir.refresh();
+
+const src = fixtures.path('copy/kitchen-sink');
+[1, [], {}, null, 1n, undefined, null, Symbol(), '', () => {}]
+  .forEach((verbatimSymlinks) => {
+    assert.throws(
+      () => cpSync(src, src, { verbatimSymlinks }),
+      { code: 'ERR_INVALID_ARG_TYPE' }
+    );
+  });
diff --git a/test/parallel/test-fs-cp-sync-verbatim-symlinks-true.mjs b/test/parallel/test-fs-cp-sync-verbatim-symlinks-true.mjs
new file mode 100644
index 00000000000000..e8d0010119fac5
--- /dev/null
+++ b/test/parallel/test-fs-cp-sync-verbatim-symlinks-true.mjs
@@ -0,0 +1,21 @@
+// This tests that cpSync does not resolve relative symlinks when verbatimSymlinks is true.
+import { mustNotMutateObjectDeep } from '../common/index.mjs';
+import { nextdir } from '../common/fs.js';
+import assert from 'node:assert';
+import { cpSync, mkdirSync, writeFileSync, symlinkSync, readlinkSync } from 'node:fs';
+import { join } from 'node:path';
+
+import tmpdir from '../common/tmpdir.js';
+tmpdir.refresh();
+
+const src = nextdir();
+mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
+writeFileSync(join(src, 'foo.js'), 'foo', 'utf8');
+symlinkSync('foo.js', join(src, 'bar.js'));
+
+const dest = nextdir();
+mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
+
+cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true, verbatimSymlinks: true }));
+const link = readlinkSync(join(dest, 'bar.js'));
+assert.strictEqual(link, 'foo.js');
diff --git a/test/parallel/test-fs-cp.mjs b/test/parallel/test-fs-cp.mjs
deleted file mode 100644
index 589d407d756b51..00000000000000
--- a/test/parallel/test-fs-cp.mjs
+++ /dev/null
@@ -1,1098 +0,0 @@
-import { mustCall, mustNotMutateObjectDeep, isInsideDirWithUnusualChars } from '../common/index.mjs';
-
-import assert from 'assert';
-import fs from 'fs';
-const {
-  cp,
-  cpSync,
-  lstatSync,
-  mkdirSync,
-  readdirSync,
-  readFileSync,
-  readlinkSync,
-  symlinkSync,
-  statSync,
-  writeFileSync,
-} = fs;
-import net from 'net';
-import { join, resolve } from 'path';
-import { pathToFileURL } from 'url';
-import { setTimeout } from 'timers/promises';
-
-const isWindows = process.platform === 'win32';
-import tmpdir from '../common/tmpdir.js';
-tmpdir.refresh();
-
-let dirc = 0;
-function nextdir(dirname) {
-  return tmpdir.resolve(dirname || `copy_%${++dirc}`);
-}
-
-// Synchronous implementation of copy.
-
-// It copies a nested folder containing UTF characters.
-{
-  const src = './test/fixtures/copy/utf/新建文件夹';
-  const dest = nextdir();
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-  assertDirEquivalent(src, dest);
-}
-
-// It copies a nested folder structure with files and folders.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-  assertDirEquivalent(src, dest);
-}
-
-// It copies a nested folder structure with mode flags.
-// This test is based on fs.promises.copyFile() with `COPYFILE_FICLONE_FORCE`.
-(() => {
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  try {
-    cpSync(src, dest, mustNotMutateObjectDeep({
-      recursive: true,
-      mode: fs.constants.COPYFILE_FICLONE_FORCE,
-    }));
-  } catch (err) {
-    // If the platform does not support `COPYFILE_FICLONE_FORCE` operation,
-    // it should enter this path.
-    assert.strictEqual(err.syscall, 'copyfile');
-    assert(err.code === 'ENOTSUP' || err.code === 'ENOTTY' ||
-      err.code === 'ENOSYS' || err.code === 'EXDEV');
-    return;
-  }
-
-  // If the platform support `COPYFILE_FICLONE_FORCE` operation,
-  // it should reach to here.
-  assertDirEquivalent(src, dest);
-})();
-
-// It does not throw errors when directory is copied over and force is false.
-{
-  const src = nextdir();
-  mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(join(src, 'README.md'), 'hello world', 'utf8');
-  const dest = nextdir();
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-  const initialStat = lstatSync(join(dest, 'README.md'));
-  cpSync(src, dest, mustNotMutateObjectDeep({ force: false, recursive: true }));
-  // File should not have been copied over, so access times will be identical:
-  assertDirEquivalent(src, dest);
-  const finalStat = lstatSync(join(dest, 'README.md'));
-  assert.strictEqual(finalStat.ctime.getTime(), initialStat.ctime.getTime());
-}
-
-// It overwrites existing files if force is true.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(join(dest, 'README.md'), '# Goodbye', 'utf8');
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-  assertDirEquivalent(src, dest);
-  const content = readFileSync(join(dest, 'README.md'), 'utf8');
-  assert.strictEqual(content.trim(), '# Hello');
-}
-
-// It does not fail if the same directory is copied to dest twice,
-// when dereference is true, and force is false (fails silently).
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  const destFile = join(dest, 'a/b/README2.md');
-  cpSync(src, dest, mustNotMutateObjectDeep({ dereference: true, recursive: true }));
-  cpSync(src, dest, mustNotMutateObjectDeep({ dereference: true, recursive: true }));
-  const stat = lstatSync(destFile);
-  assert(stat.isFile());
-}
-
-
-// It copies file itself, rather than symlink, when dereference is true.
-{
-  const src = nextdir();
-  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(join(src, 'foo.js'), 'foo', 'utf8');
-  symlinkSync(join(src, 'foo.js'), join(src, 'bar.js'));
-
-  const dest = nextdir();
-  mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
-  const destFile = join(dest, 'foo.js');
-
-  cpSync(join(src, 'bar.js'), destFile, mustNotMutateObjectDeep({ dereference: true, recursive: true }));
-  const stat = lstatSync(destFile);
-  assert(stat.isFile());
-}
-
-
-// It overrides target directory with what symlink points to, when dereference is true.
-{
-  const src = nextdir();
-  const symlink = nextdir();
-  const dest = nextdir();
-  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(join(src, 'foo.js'), 'foo', 'utf8');
-  symlinkSync(src, symlink);
-
-  mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
-
-  cpSync(symlink, dest, mustNotMutateObjectDeep({ dereference: true, recursive: true }));
-  const destStat = lstatSync(dest);
-  assert(!destStat.isSymbolicLink());
-  assertDirEquivalent(src, dest);
-}
-
-// It throws error when verbatimSymlinks is not a boolean.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  [1, [], {}, null, 1n, undefined, null, Symbol(), '', () => {}]
-    .forEach((verbatimSymlinks) => {
-      assert.throws(
-        () => cpSync(src, src, { verbatimSymlinks }),
-        { code: 'ERR_INVALID_ARG_TYPE' }
-      );
-    });
-}
-
-// It rejects if options.mode is invalid.
-{
-  assert.throws(
-    () => cpSync('a', 'b', { mode: -1 }),
-    { code: 'ERR_OUT_OF_RANGE' }
-  );
-}
-
-
-// It throws an error when both dereference and verbatimSymlinks are enabled.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  assert.throws(
-    () => cpSync(src, src, mustNotMutateObjectDeep({ dereference: true, verbatimSymlinks: true })),
-    { code: 'ERR_INCOMPATIBLE_OPTION_PAIR' }
-  );
-}
-
-
-// It resolves relative symlinks to their absolute path by default.
-{
-  const src = nextdir();
-  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(join(src, 'foo.js'), 'foo', 'utf8');
-  symlinkSync('foo.js', join(src, 'bar.js'));
-
-  const dest = nextdir();
-  mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
-
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-  const link = readlinkSync(join(dest, 'bar.js'));
-  assert.strictEqual(link, join(src, 'foo.js'));
-}
-
-
-// It resolves relative symlinks when verbatimSymlinks is false.
-{
-  const src = nextdir();
-  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(join(src, 'foo.js'), 'foo', 'utf8');
-  symlinkSync('foo.js', join(src, 'bar.js'));
-
-  const dest = nextdir();
-  mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
-
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true, verbatimSymlinks: false }));
-  const link = readlinkSync(join(dest, 'bar.js'));
-  assert.strictEqual(link, join(src, 'foo.js'));
-}
-
-
-// It does not resolve relative symlinks when verbatimSymlinks is true.
-{
-  const src = nextdir();
-  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(join(src, 'foo.js'), 'foo', 'utf8');
-  symlinkSync('foo.js', join(src, 'bar.js'));
-
-  const dest = nextdir();
-  mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
-
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true, verbatimSymlinks: true }));
-  const link = readlinkSync(join(dest, 'bar.js'));
-  assert.strictEqual(link, 'foo.js');
-}
-
-
-// It throws error when src and dest are identical.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  assert.throws(
-    () => cpSync(src, src),
-    { code: 'ERR_FS_CP_EINVAL' }
-  );
-}
-
-// It throws error if symlink in src points to location in dest.
-{
-  const src = nextdir();
-  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
-  const dest = nextdir();
-  mkdirSync(dest);
-  symlinkSync(dest, join(src, 'link'));
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-  assert.throws(
-    () => cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true })),
-    {
-      code: 'ERR_FS_CP_EINVAL'
-    }
-  );
-}
-
-// It allows cpSync copying symlinks in src to locations in dest with existing synlinks not pointing to a directory.
-{
-  const src = nextdir();
-  const dest = nextdir();
-  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(`${src}/test.txt`, 'test');
-  symlinkSync(resolve(`${src}/test.txt`), join(src, 'link.txt'));
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-}
-
-// It allows cp copying symlinks in src to locations in dest with existing synlinks not pointing to a directory.
-{
-  const src = nextdir();
-  const dest = nextdir();
-  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(`${src}/test.txt`, 'test');
-  symlinkSync(resolve(`${src}/test.txt`), join(src, 'link.txt'));
-  cp(src, dest, { recursive: true },
-     mustCall((err) => {
-       assert.strictEqual(err, null);
-
-       cp(src, dest, { recursive: true }, mustCall((err) => {
-         assert.strictEqual(err, null);
-       }));
-     }));
-}
-
-// It throws error if symlink in dest points to location in src.
-{
-  const src = nextdir();
-  mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
-  symlinkSync(join(src, 'a', 'b'), join(src, 'a', 'c'));
-
-  const dest = nextdir();
-  mkdirSync(join(dest, 'a'), mustNotMutateObjectDeep({ recursive: true }));
-  symlinkSync(src, join(dest, 'a', 'c'));
-  assert.throws(
-    () => cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true })),
-    { code: 'ERR_FS_CP_SYMLINK_TO_SUBDIRECTORY' }
-  );
-}
-
-// It throws error if parent directory of symlink in dest points to src.
-if (!isInsideDirWithUnusualChars) {
-  const src = nextdir();
-  mkdirSync(join(src, 'a'), mustNotMutateObjectDeep({ recursive: true }));
-  const dest = nextdir();
-  // Create symlink in dest pointing to src.
-  const destLink = join(dest, 'b');
-  mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
-  symlinkSync(src, destLink);
-  assert.throws(
-    () => cpSync(src, join(dest, 'b', 'c')),
-    { code: 'ERR_FS_CP_EINVAL' }
-  );
-}
-
-// It throws error if attempt is made to copy directory to file.
-if (!isInsideDirWithUnusualChars) {
-  const src = nextdir();
-  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
-  const dest = './test/fixtures/copy/kitchen-sink/README.md';
-  assert.throws(
-    () => cpSync(src, dest),
-    { code: 'ERR_FS_CP_DIR_TO_NON_DIR' }
-  );
-}
-
-// It allows file to be copied to a file path.
-{
-  const srcFile = './test/fixtures/copy/kitchen-sink/index.js';
-  const destFile = join(nextdir(), 'index.js');
-  cpSync(srcFile, destFile, mustNotMutateObjectDeep({ dereference: true }));
-  const stat = lstatSync(destFile);
-  assert(stat.isFile());
-}
-
-// It throws error if directory copied without recursive flag.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  assert.throws(
-    () => cpSync(src, dest),
-    { code: 'ERR_FS_EISDIR' }
-  );
-}
-
-
-// It throws error if attempt is made to copy file to directory.
-if (!isInsideDirWithUnusualChars) {
-  const src = './test/fixtures/copy/kitchen-sink/README.md';
-  const dest = nextdir();
-  mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
-  assert.throws(
-    () => cpSync(src, dest),
-    { code: 'ERR_FS_CP_NON_DIR_TO_DIR' }
-  );
-}
-
-// It must not throw error if attempt is made to copy to dest
-// directory with same prefix as src directory
-// regression test for https://github.com/nodejs/node/issues/54285
-{
-  const src = nextdir('prefix');
-  const dest = nextdir('prefix-a');
-  mkdirSync(src);
-  mkdirSync(dest);
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-}
-
-// It must not throw error if attempt is made to copy to dest
-// directory if the parent of dest has same prefix as src directory
-// regression test for https://github.com/nodejs/node/issues/54285
-{
-  const src = nextdir('aa');
-  const destParent = nextdir('aaa');
-  const dest = nextdir('aaa/aabb');
-  mkdirSync(src);
-  mkdirSync(destParent);
-  mkdirSync(dest);
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-}
-
-// It throws error if attempt is made to copy src to dest
-// when src is parent directory of the parent of dest
-if (!isInsideDirWithUnusualChars) {
-  const src = nextdir('a');
-  const destParent = nextdir('a/b');
-  const dest = nextdir('a/b/c');
-  mkdirSync(src);
-  mkdirSync(destParent);
-  mkdirSync(dest);
-  assert.throws(
-    () => cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true })),
-    { code: 'ERR_FS_CP_EINVAL' },
-  );
-}
-
-// It throws error if attempt is made to copy to subdirectory of self.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = './test/fixtures/copy/kitchen-sink/a';
-  assert.throws(
-    () => cpSync(src, dest),
-    { code: 'ERR_FS_CP_EINVAL' }
-  );
-}
-
-// It throws an error if attempt is made to copy socket.
-if (!isWindows && !isInsideDirWithUnusualChars) {
-  const src = nextdir();
-  mkdirSync(src);
-  const dest = nextdir();
-  const sock = join(src, `${process.pid}.sock`);
-  const server = net.createServer();
-  server.listen(sock);
-  assert.throws(
-    () => cpSync(sock, dest),
-    { code: 'ERR_FS_CP_SOCKET' }
-  );
-  server.close();
-}
-
-// It copies timestamps from src to dest if preserveTimestamps is true.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  cpSync(src, dest, mustNotMutateObjectDeep({ preserveTimestamps: true, recursive: true }));
-  assertDirEquivalent(src, dest);
-  const srcStat = lstatSync(join(src, 'index.js'));
-  const destStat = lstatSync(join(dest, 'index.js'));
-  assert.strictEqual(srcStat.mtime.getTime(), destStat.mtime.getTime());
-}
-
-// It applies filter function.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  cpSync(src, dest, {
-    filter: (path) => {
-      const pathStat = statSync(path);
-      return pathStat.isDirectory() || path.endsWith('.js');
-    },
-    dereference: true,
-    recursive: true,
-  });
-  const destEntries = [];
-  collectEntries(dest, destEntries);
-  for (const entry of destEntries) {
-    assert.strictEqual(
-      entry.isDirectory() || entry.name.endsWith('.js'),
-      true
-    );
-  }
-}
-
-// It throws error if filter function is asynchronous.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  assert.throws(() => {
-    cpSync(src, dest, {
-      filter: async (path) => {
-        await setTimeout(5, 'done');
-        const pathStat = statSync(path);
-        return pathStat.isDirectory() || path.endsWith('.js');
-      },
-      dereference: true,
-      recursive: true,
-    });
-  }, { code: 'ERR_INVALID_RETURN_VALUE' });
-}
-
-// It throws error if errorOnExist is true, force is false, and file or folder
-// copied over.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-  assert.throws(
-    () => cpSync(src, dest, {
-      dereference: true,
-      errorOnExist: true,
-      force: false,
-      recursive: true,
-    }),
-    { code: 'ERR_FS_CP_EEXIST' }
-  );
-}
-
-// It throws EEXIST error if attempt is made to copy symlink over file.
-{
-  const src = nextdir();
-  mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
-  symlinkSync(join(src, 'a', 'b'), join(src, 'a', 'c'));
-
-  const dest = nextdir();
-  mkdirSync(join(dest, 'a'), mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(join(dest, 'a', 'c'), 'hello', 'utf8');
-  assert.throws(
-    () => cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true })),
-    { code: 'EEXIST' }
-  );
-}
-
-// It throws an error when attempting to copy a file with a name that is too long.
-{
-  const src = 'a'.repeat(5000);
-  const dest = nextdir();
-  assert.throws(
-    () => cpSync(src, dest),
-    { code: isWindows ? 'ENOENT' : 'ENAMETOOLONG' }
-  );
-}
-
-// It throws an error when attempting to copy a dir that does not exist.
-{
-  const src = nextdir();
-  const dest = nextdir();
-  assert.throws(
-    () => cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true })),
-    { code: 'ENOENT' }
-  );
-}
-
-// It makes file writeable when updating timestamp, if not writeable.
-{
-  const src = nextdir();
-  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
-  const dest = nextdir();
-  mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(join(src, 'foo.txt'), 'foo', mustNotMutateObjectDeep({ mode: 0o444 }));
-  // Small wait to make sure that destStat.mtime.getTime() would produce a time
-  // different from srcStat.mtime.getTime() if preserveTimestamps wasn't set to true
-  await setTimeout(5);
-  cpSync(src, dest, mustNotMutateObjectDeep({ preserveTimestamps: true, recursive: true }));
-  assertDirEquivalent(src, dest);
-  const srcStat = lstatSync(join(src, 'foo.txt'));
-  const destStat = lstatSync(join(dest, 'foo.txt'));
-  assert.strictEqual(srcStat.mtime.getTime(), destStat.mtime.getTime());
-}
-
-// It copies link if it does not point to folder in src.
-{
-  const src = nextdir();
-  mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
-  symlinkSync(src, join(src, 'a', 'c'));
-  const dest = nextdir();
-  mkdirSync(join(dest, 'a'), mustNotMutateObjectDeep({ recursive: true }));
-  symlinkSync(dest, join(dest, 'a', 'c'));
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-  const link = readlinkSync(join(dest, 'a', 'c'));
-  assert.strictEqual(link, src);
-}
-
-// It accepts file URL as src and dest.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  cpSync(pathToFileURL(src), pathToFileURL(dest), mustNotMutateObjectDeep({ recursive: true }));
-  assertDirEquivalent(src, dest);
-}
-
-// It throws if options is not object.
-{
-  assert.throws(
-    () => cpSync('a', 'b', () => {}),
-    { code: 'ERR_INVALID_ARG_TYPE' }
-  );
-}
-
-// Callback implementation of copy.
-
-// It copies a nested folder structure with files and folders.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  cp(src, dest, mustNotMutateObjectDeep({ recursive: true }), mustCall((err) => {
-    assert.strictEqual(err, null);
-    assertDirEquivalent(src, dest);
-  }));
-}
-
-// It copies a nested folder structure with mode flags.
-// This test is based on fs.promises.copyFile() with `COPYFILE_FICLONE_FORCE`.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  cp(src, dest, mustNotMutateObjectDeep({
-    recursive: true,
-    mode: fs.constants.COPYFILE_FICLONE_FORCE,
-  }), mustCall((err) => {
-    if (!err) {
-      // If the platform support `COPYFILE_FICLONE_FORCE` operation,
-      // it should reach to here.
-      assert.strictEqual(err, null);
-      assertDirEquivalent(src, dest);
-      return;
-    }
-
-    // If the platform does not support `COPYFILE_FICLONE_FORCE` operation,
-    // it should enter this path.
-    assert.strictEqual(err.syscall, 'copyfile');
-    assert(err.code === 'ENOTSUP' || err.code === 'ENOTTY' ||
-      err.code === 'ENOSYS' || err.code === 'EXDEV');
-  }));
-}
-
-// It does not throw errors when directory is copied over and force is false.
-{
-  const src = nextdir();
-  mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(join(src, 'README.md'), 'hello world', 'utf8');
-  const dest = nextdir();
-  cpSync(src, dest, mustNotMutateObjectDeep({ dereference: true, recursive: true }));
-  const initialStat = lstatSync(join(dest, 'README.md'));
-  cp(src, dest, {
-    dereference: true,
-    force: false,
-    recursive: true,
-  }, mustCall((err) => {
-    assert.strictEqual(err, null);
-    assertDirEquivalent(src, dest);
-    // File should not have been copied over, so access times will be identical:
-    const finalStat = lstatSync(join(dest, 'README.md'));
-    assert.strictEqual(finalStat.ctime.getTime(), initialStat.ctime.getTime());
-  }));
-}
-
-// It overwrites existing files if force is true.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(join(dest, 'README.md'), '# Goodbye', 'utf8');
-
-  cp(src, dest, mustNotMutateObjectDeep({ recursive: true }), mustCall((err) => {
-    assert.strictEqual(err, null);
-    assertDirEquivalent(src, dest);
-    const content = readFileSync(join(dest, 'README.md'), 'utf8');
-    assert.strictEqual(content.trim(), '# Hello');
-  }));
-}
-
-// It does not fail if the same directory is copied to dest twice,
-// when dereference is true, and force is false (fails silently).
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  const destFile = join(dest, 'a/b/README2.md');
-  cpSync(src, dest, mustNotMutateObjectDeep({ dereference: true, recursive: true }));
-  cp(src, dest, {
-    dereference: true,
-    recursive: true
-  }, mustCall((err) => {
-    assert.strictEqual(err, null);
-    const stat = lstatSync(destFile);
-    assert(stat.isFile());
-  }));
-}
-
-// It copies file itself, rather than symlink, when dereference is true.
-{
-  const src = nextdir();
-  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(join(src, 'foo.js'), 'foo', 'utf8');
-  symlinkSync(join(src, 'foo.js'), join(src, 'bar.js'));
-
-  const dest = nextdir();
-  mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
-  const destFile = join(dest, 'foo.js');
-
-  cp(join(src, 'bar.js'), destFile, mustNotMutateObjectDeep({ dereference: true }),
-     mustCall((err) => {
-       assert.strictEqual(err, null);
-       const stat = lstatSync(destFile);
-       assert(stat.isFile());
-     })
-  );
-}
-
-// It returns error when src and dest are identical.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  cp(src, src, mustCall((err) => {
-    assert.strictEqual(err.code, 'ERR_FS_CP_EINVAL');
-  }));
-}
-
-// It returns error if symlink in src points to location in dest.
-{
-  const src = nextdir();
-  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
-  const dest = nextdir();
-  mkdirSync(dest);
-  symlinkSync(dest, join(src, 'link'));
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-  cp(src, dest, mustNotMutateObjectDeep({ recursive: true }), mustCall((err) => {
-    assert.strictEqual(err.code, 'ERR_FS_CP_EINVAL');
-  }));
-}
-
-// It returns error if symlink in dest points to location in src.
-{
-  const src = nextdir();
-  mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
-  symlinkSync(join(src, 'a', 'b'), join(src, 'a', 'c'));
-
-  const dest = nextdir();
-  mkdirSync(join(dest, 'a'), mustNotMutateObjectDeep({ recursive: true }));
-  symlinkSync(src, join(dest, 'a', 'c'));
-  cp(src, dest, mustNotMutateObjectDeep({ recursive: true }), mustCall((err) => {
-    assert.strictEqual(err.code, 'ERR_FS_CP_SYMLINK_TO_SUBDIRECTORY');
-  }));
-}
-
-// It returns error if parent directory of symlink in dest points to src.
-{
-  const src = nextdir();
-  mkdirSync(join(src, 'a'), mustNotMutateObjectDeep({ recursive: true }));
-  const dest = nextdir();
-  // Create symlink in dest pointing to src.
-  const destLink = join(dest, 'b');
-  mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
-  symlinkSync(src, destLink);
-  cp(src, join(dest, 'b', 'c'), mustCall((err) => {
-    assert.strictEqual(err.code, 'ERR_FS_CP_EINVAL');
-  }));
-}
-
-// It returns error if attempt is made to copy directory to file.
-{
-  const src = nextdir();
-  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
-  const dest = './test/fixtures/copy/kitchen-sink/README.md';
-  cp(src, dest, mustCall((err) => {
-    assert.strictEqual(err.code, 'ERR_FS_CP_DIR_TO_NON_DIR');
-  }));
-}
-
-// It allows file to be copied to a file path.
-{
-  const srcFile = './test/fixtures/copy/kitchen-sink/README.md';
-  const destFile = join(nextdir(), 'index.js');
-  cp(srcFile, destFile, mustNotMutateObjectDeep({ dereference: true }), mustCall((err) => {
-    assert.strictEqual(err, null);
-    const stat = lstatSync(destFile);
-    assert(stat.isFile());
-  }));
-}
-
-// It returns error if directory copied without recursive flag.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  cp(src, dest, mustCall((err) => {
-    assert.strictEqual(err.code, 'ERR_FS_EISDIR');
-  }));
-}
-
-// It returns error if attempt is made to copy file to directory.
-{
-  const src = './test/fixtures/copy/kitchen-sink/README.md';
-  const dest = nextdir();
-  mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
-  cp(src, dest, mustCall((err) => {
-    assert.strictEqual(err.code, 'ERR_FS_CP_NON_DIR_TO_DIR');
-  }));
-}
-
-// It returns error if attempt is made to copy to subdirectory of self.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = './test/fixtures/copy/kitchen-sink/a';
-  cp(src, dest, mustCall((err) => {
-    assert.strictEqual(err.code, 'ERR_FS_CP_EINVAL');
-  }));
-}
-
-// It returns an error if attempt is made to copy socket.
-if (!isWindows && !isInsideDirWithUnusualChars) {
-  const src = nextdir();
-  mkdirSync(src);
-  const dest = nextdir();
-  const sock = join(src, `${process.pid}.sock`);
-  const server = net.createServer();
-  server.listen(sock);
-  cp(sock, dest, mustCall((err) => {
-    assert.strictEqual(err.code, 'ERR_FS_CP_SOCKET');
-    server.close();
-  }));
-}
-
-// It copies timestamps from src to dest if preserveTimestamps is true.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  cp(src, dest, {
-    preserveTimestamps: true,
-    recursive: true
-  }, mustCall((err) => {
-    assert.strictEqual(err, null);
-    assertDirEquivalent(src, dest);
-    const srcStat = lstatSync(join(src, 'index.js'));
-    const destStat = lstatSync(join(dest, 'index.js'));
-    assert.strictEqual(srcStat.mtime.getTime(), destStat.mtime.getTime());
-  }));
-}
-
-// It applies filter function.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  cp(src, dest, {
-    filter: (path) => {
-      const pathStat = statSync(path);
-      return pathStat.isDirectory() || path.endsWith('.js');
-    },
-    dereference: true,
-    recursive: true,
-  }, mustCall((err) => {
-    assert.strictEqual(err, null);
-    const destEntries = [];
-    collectEntries(dest, destEntries);
-    for (const entry of destEntries) {
-      assert.strictEqual(
-        entry.isDirectory() || entry.name.endsWith('.js'),
-        true
-      );
-    }
-  }));
-}
-
-// It supports async filter function.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  cp(src, dest, {
-    filter: async (path) => {
-      await setTimeout(5, 'done');
-      const pathStat = statSync(path);
-      return pathStat.isDirectory() || path.endsWith('.js');
-    },
-    dereference: true,
-    recursive: true,
-  }, mustCall((err) => {
-    assert.strictEqual(err, null);
-    const destEntries = [];
-    collectEntries(dest, destEntries);
-    for (const entry of destEntries) {
-      assert.strictEqual(
-        entry.isDirectory() || entry.name.endsWith('.js'),
-        true
-      );
-    }
-  }));
-}
-
-// It returns error if errorOnExist is true, force is false, and file or folder
-// copied over.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  cpSync(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-  cp(src, dest, {
-    dereference: true,
-    errorOnExist: true,
-    force: false,
-    recursive: true,
-  }, mustCall((err) => {
-    assert.strictEqual(err.code, 'ERR_FS_CP_EEXIST');
-  }));
-}
-
-// It returns EEXIST error if attempt is made to copy symlink over file.
-{
-  const src = nextdir();
-  mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
-  symlinkSync(join(src, 'a', 'b'), join(src, 'a', 'c'));
-
-  const dest = nextdir();
-  mkdirSync(join(dest, 'a'), mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(join(dest, 'a', 'c'), 'hello', 'utf8');
-  cp(src, dest, mustNotMutateObjectDeep({ recursive: true }), mustCall((err) => {
-    assert.strictEqual(err.code, 'EEXIST');
-  }));
-}
-
-// It makes file writeable when updating timestamp, if not writeable.
-{
-  const src = nextdir();
-  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
-  const dest = nextdir();
-  mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(join(src, 'foo.txt'), 'foo', mustNotMutateObjectDeep({ mode: 0o444 }));
-  cp(src, dest, {
-    preserveTimestamps: true,
-    recursive: true,
-  }, mustCall((err) => {
-    assert.strictEqual(err, null);
-    assertDirEquivalent(src, dest);
-    const srcStat = lstatSync(join(src, 'foo.txt'));
-    const destStat = lstatSync(join(dest, 'foo.txt'));
-    assert.strictEqual(srcStat.mtime.getTime(), destStat.mtime.getTime());
-  }));
-}
-
-// It copies link if it does not point to folder in src.
-{
-  const src = nextdir();
-  mkdirSync(join(src, 'a', 'b'), mustNotMutateObjectDeep({ recursive: true }));
-  symlinkSync(src, join(src, 'a', 'c'));
-  const dest = nextdir();
-  mkdirSync(join(dest, 'a'), mustNotMutateObjectDeep({ recursive: true }));
-  symlinkSync(dest, join(dest, 'a', 'c'));
-  cp(src, dest, mustNotMutateObjectDeep({ recursive: true }), mustCall((err) => {
-    assert.strictEqual(err, null);
-    const link = readlinkSync(join(dest, 'a', 'c'));
-    assert.strictEqual(link, src);
-  }));
-}
-
-// It accepts file URL as src and dest.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  cp(pathToFileURL(src), pathToFileURL(dest), mustNotMutateObjectDeep({ recursive: true }),
-     mustCall((err) => {
-       assert.strictEqual(err, null);
-       assertDirEquivalent(src, dest);
-     }));
-}
-
-// Copy should not throw exception if child folder is filtered out.
-{
-  const src = nextdir();
-  mkdirSync(join(src, 'test-cp'), mustNotMutateObjectDeep({ recursive: true }));
-
-  const dest = nextdir();
-  mkdirSync(dest, mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(join(dest, 'test-cp'), 'test-content', mustNotMutateObjectDeep({ mode: 0o444 }));
-
-  const opts = {
-    filter: (path) => !path.includes('test-cp'),
-    recursive: true,
-  };
-  cp(src, dest, opts, mustCall((err) => {
-    assert.strictEqual(err, null);
-  }));
-  cpSync(src, dest, opts);
-}
-
-// Copy should not throw exception if dest is invalid but filtered out.
-{
-  // Create dest as a file.
-  // Expect: cp skips the copy logic entirely and won't throw any exception in path validation process.
-  const src = join(nextdir(), 'bar');
-  mkdirSync(src, mustNotMutateObjectDeep({ recursive: true }));
-
-  const destParent = nextdir();
-  const dest = join(destParent, 'bar');
-  mkdirSync(destParent, mustNotMutateObjectDeep({ recursive: true }));
-  writeFileSync(dest, 'test-content', mustNotMutateObjectDeep({ mode: 0o444 }));
-
-  const opts = {
-    filter: (path) => !path.includes('bar'),
-    recursive: true,
-  };
-  cp(src, dest, opts, mustCall((err) => {
-    assert.strictEqual(err, null);
-  }));
-  cpSync(src, dest, opts);
-}
-
-// It throws if options is not object.
-{
-  assert.throws(
-    () => cp('a', 'b', 'hello', () => {}),
-    { code: 'ERR_INVALID_ARG_TYPE' }
-  );
-}
-
-// It throws if options is not object.
-{
-  assert.throws(
-    () => cp('a', 'b', { mode: -1 }, () => {}),
-    { code: 'ERR_OUT_OF_RANGE' }
-  );
-}
-
-// Promises implementation of copy.
-
-// It copies a nested folder structure with files and folders.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  const p = await fs.promises.cp(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-  assert.strictEqual(p, undefined);
-  assertDirEquivalent(src, dest);
-}
-
-// It copies a nested folder structure with mode flags.
-// This test is based on fs.promises.copyFile() with `COPYFILE_FICLONE_FORCE`.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  let p = null;
-  let successFiClone = false;
-  try {
-    p = await fs.promises.cp(src, dest, mustNotMutateObjectDeep({
-      recursive: true,
-      mode: fs.constants.COPYFILE_FICLONE_FORCE,
-    }));
-    successFiClone = true;
-  } catch (err) {
-    // If the platform does not support `COPYFILE_FICLONE_FORCE` operation,
-    // it should enter this path.
-    assert.strictEqual(err.syscall, 'copyfile');
-    assert(err.code === 'ENOTSUP' || err.code === 'ENOTTY' ||
-      err.code === 'ENOSYS' || err.code === 'EXDEV');
-  }
-
-  if (successFiClone) {
-    // If the platform support `COPYFILE_FICLONE_FORCE` operation,
-    // it should reach to here.
-    assert.strictEqual(p, undefined);
-    assertDirEquivalent(src, dest);
-  }
-}
-
-// It accepts file URL as src and dest.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  const p = await fs.promises.cp(
-    pathToFileURL(src),
-    pathToFileURL(dest),
-    { recursive: true }
-  );
-  assert.strictEqual(p, undefined);
-  assertDirEquivalent(src, dest);
-}
-
-// It allows async error to be caught.
-{
-  const src = './test/fixtures/copy/kitchen-sink';
-  const dest = nextdir();
-  await fs.promises.cp(src, dest, mustNotMutateObjectDeep({ recursive: true }));
-  await assert.rejects(
-    fs.promises.cp(src, dest, {
-      dereference: true,
-      errorOnExist: true,
-      force: false,
-      recursive: true,
-    }),
-    { code: 'ERR_FS_CP_EEXIST' }
-  );
-}
-
-// It rejects if options is not object.
-{
-  await assert.rejects(
-    fs.promises.cp('a', 'b', () => {}),
-    { code: 'ERR_INVALID_ARG_TYPE' }
-  );
-}
-
-// It rejects if options.mode is invalid.
-{
-  await assert.rejects(
-    fs.promises.cp('a', 'b', {
-      mode: -1,
-    }),
-    { code: 'ERR_OUT_OF_RANGE' }
-  );
-}
-
-function assertDirEquivalent(dir1, dir2) {
-  const dir1Entries = [];
-  collectEntries(dir1, dir1Entries);
-  const dir2Entries = [];
-  collectEntries(dir2, dir2Entries);
-  assert.strictEqual(dir1Entries.length, dir2Entries.length);
-  for (const entry1 of dir1Entries) {
-    const entry2 = dir2Entries.find((entry) => {
-      return entry.name === entry1.name;
-    });
-    assert(entry2, `entry ${entry2.name} not copied`);
-    if (entry1.isFile()) {
-      assert(entry2.isFile(), `${entry2.name} was not file`);
-    } else if (entry1.isDirectory()) {
-      assert(entry2.isDirectory(), `${entry2.name} was not directory`);
-    } else if (entry1.isSymbolicLink()) {
-      assert(entry2.isSymbolicLink(), `${entry2.name} was not symlink`);
-    }
-  }
-}
-
-function collectEntries(dir, dirEntries) {
-  const newEntries = readdirSync(dir, mustNotMutateObjectDeep({ withFileTypes: true }));
-  for (const entry of newEntries) {
-    if (entry.isDirectory()) {
-      collectEntries(join(dir, entry.name), dirEntries);
-    }
-  }
-  dirEntries.push(...newEntries);
-}
diff --git a/test/parallel/test-fs-glob.mjs b/test/parallel/test-fs-glob.mjs
index b3708f466379fa..490ea2478232ae 100644
--- a/test/parallel/test-fs-glob.mjs
+++ b/test/parallel/test-fs-glob.mjs
@@ -2,7 +2,7 @@ import * as common from '../common/index.mjs';
 import tmpdir from '../common/tmpdir.js';
 import { resolve, dirname, sep, relative, join, isAbsolute } from 'node:path';
 import { mkdir, writeFile, symlink, glob as asyncGlob } from 'node:fs/promises';
-import { glob, globSync, Dirent } from 'node:fs';
+import { glob, globSync, Dirent, chmodSync } from 'node:fs';
 import { test, describe } from 'node:test';
 import { pathToFileURL } from 'node:url';
 import { promisify } from 'node:util';
@@ -518,3 +518,24 @@ describe('fsPromises glob - exclude', function() {
     });
   }
 });
+
+describe('glob - with restricted directory', function() {
+  test('*', async () => {
+    const restrictedDir = tmpdir.resolve('restricted');
+    await mkdir(restrictedDir, { recursive: true });
+    chmodSync(restrictedDir, 0o000);
+    try {
+      const results = [];
+      for await (const match of asyncGlob('*', { cwd: restrictedDir })) {
+        results.push(match);
+      }
+      assert.ok(true, 'glob completed without throwing on readdir error');
+    } finally {
+      try {
+        chmodSync(restrictedDir, 0o755);
+      } catch {
+        // ignore
+      }
+    }
+  });
+});
diff --git a/test/parallel/test-http-keep-alive-timeout-buffer.js b/test/parallel/test-http-keep-alive-timeout-buffer.js
new file mode 100644
index 00000000000000..fee8a26f66a637
--- /dev/null
+++ b/test/parallel/test-http-keep-alive-timeout-buffer.js
@@ -0,0 +1,39 @@
+'use strict';
+
+const common = require('../common');
+const http = require('http');
+const assert = require('assert');
+
+const server = http.createServer(common.mustCall((req, res) => {
+  const body = 'buffer test\n';
+
+  res.writeHead(200, { 'Content-Length': body.length });
+  res.write(body);
+  res.end();
+}));
+
+server.keepAliveTimeout = 100;
+
+if (server.keepAliveTimeoutBuffer === undefined) {
+  server.keepAliveTimeoutBuffer = 1000;
+}
+assert.strictEqual(server.keepAliveTimeoutBuffer, 1000);
+
+server.listen(0, () => {
+  http.get({
+    port: server.address().port,
+    path: '/',
+  }, (res) => {
+    res.resume();
+    server.close();
+  });
+});
+
+{
+  const customBuffer = 3000;
+  const server = http.createServer(() => {});
+  server.keepAliveTimeout = 200;
+  server.keepAliveTimeoutBuffer = customBuffer;
+  assert.strictEqual(server.keepAliveTimeoutBuffer, customBuffer);
+  server.close();
+}
diff --git a/test/parallel/test-http-outgoing-buffer.js b/test/parallel/test-http-outgoing-buffer.js
index d7db15f0ffae9c..ba102b382542b1 100644
--- a/test/parallel/test-http-outgoing-buffer.js
+++ b/test/parallel/test-http-outgoing-buffer.js
@@ -1,8 +1,7 @@
-// Flags: --expose-internals
 'use strict';
 require('../common');
 const assert = require('assert');
-const { getDefaultHighWaterMark } = require('internal/streams/state');
+const { getDefaultHighWaterMark } = require('stream');
 
 const http = require('http');
 const OutgoingMessage = http.OutgoingMessage;
diff --git a/test/parallel/test-http2-raw-headers.js b/test/parallel/test-http2-raw-headers.js
index cbcc73692b0a3d..8a84542a130fae 100644
--- a/test/parallel/test-http2-raw-headers.js
+++ b/test/parallel/test-http2-raw-headers.js
@@ -39,6 +39,16 @@ const http2 = require('http2');
       'a', 'c',
     ]).end();
 
+    assert.deepStrictEqual(req.sentHeaders, {
+      '__proto__': null,
+      ':path': '/foobar',
+      ':scheme': 'http',
+      ':authority': `localhost:${server.address().port}`,
+      ':method': 'GET',
+      'a': [ 'b', 'c' ],
+      'x-FOO': 'bar',
+    });
+
     req.on('response', common.mustCall((headers) => {
       assert.strictEqual(headers[':status'], 200);
       client.close();
diff --git a/test/parallel/test-http2-sensitive-headers.js b/test/parallel/test-http2-sensitive-headers.js
index bbd00ae0cdd117..006070d6337c49 100644
--- a/test/parallel/test-http2-sensitive-headers.js
+++ b/test/parallel/test-http2-sensitive-headers.js
@@ -72,6 +72,16 @@ const { duplexPair } = require('stream');
 
   const req = client.request(rawHeaders);
 
+  assert.deepStrictEqual(req.sentHeaders, {
+    '__proto__': null,
+    ':method': 'GET',
+    ':authority': 'localhost:80',
+    ':scheme': 'http',
+    ':path': '/',
+    'secret': 'secret-value',
+    [http2.sensitiveHeaders]: [ 'secret' ],
+  });
+
   req.on('response', common.mustCall((headers) => {
     assert.strictEqual(headers[':status'], 200);
   }));
diff --git a/test/parallel/test-internal-module-wrap.js b/test/parallel/test-internal-module-wrap.js
index 760d717c69ef8c..bed940d1368fa7 100644
--- a/test/parallel/test-internal-module-wrap.js
+++ b/test/parallel/test-internal-module-wrap.js
@@ -6,6 +6,21 @@ const assert = require('assert');
 const { internalBinding } = require('internal/test/binding');
 const { ModuleWrap } = internalBinding('module_wrap');
 
+const unlinked = new ModuleWrap('unlinked', undefined, 'export * from "bar";', 0, 0);
+assert.throws(() => {
+  unlinked.instantiate();
+}, {
+  code: 'ERR_VM_MODULE_LINK_FAILURE',
+});
+
+const dependsOnUnlinked = new ModuleWrap('dependsOnUnlinked', undefined, 'export * from "unlinked";', 0, 0);
+dependsOnUnlinked.link([unlinked]);
+assert.throws(() => {
+  dependsOnUnlinked.instantiate();
+}, {
+  code: 'ERR_VM_MODULE_LINK_FAILURE',
+});
+
 const foo = new ModuleWrap('foo', undefined, 'export * from "bar";', 0, 0);
 const bar = new ModuleWrap('bar', undefined, 'export const five = 5', 0, 0);
 
@@ -22,4 +37,5 @@ const bar = new ModuleWrap('bar', undefined, 'export const five = 5', 0, 0);
 
   // Check that the module requests are the same after linking, instantiate, and evaluation.
   assert.deepStrictEqual(moduleRequests, foo.getModuleRequests());
+
 })().then(common.mustCall());
diff --git a/test/parallel/test-max-old-space-size-percentage.js b/test/parallel/test-max-old-space-size-percentage.js
new file mode 100644
index 00000000000000..511a10109f9d2b
--- /dev/null
+++ b/test/parallel/test-max-old-space-size-percentage.js
@@ -0,0 +1,134 @@
+'use strict';
+
+// This test validates the --max-old-space-size-percentage flag functionality
+
+require('../common');
+const assert = require('node:assert');
+const { spawnSync } = require('child_process');
+const os = require('os');
+
+// Valid cases
+const validPercentages = [
+  '1', '10', '25', '50', '75', '99', '100', '25.5',
+];
+
+// Invalid cases
+const invalidPercentages = [
+  ['', /--max-old-space-size-percentage= requires an argument/],
+  ['0', /--max-old-space-size-percentage must be greater than 0 and up to 100\. Got: 0/],
+  ['101', /--max-old-space-size-percentage must be greater than 0 and up to 100\. Got: 101/],
+  ['-1', /--max-old-space-size-percentage must be greater than 0 and up to 100\. Got: -1/],
+  ['abc', /--max-old-space-size-percentage must be greater than 0 and up to 100\. Got: abc/],
+  ['1%', /--max-old-space-size-percentage must be greater than 0 and up to 100\. Got: 1%/],
+];
+
+// Test valid cases
+validPercentages.forEach((input) => {
+  const result = spawnSync(process.execPath, [
+    `--max-old-space-size-percentage=${input}`,
+  ], { stdio: ['pipe', 'pipe', 'pipe'] });
+  assert.strictEqual(result.status, 0, `Expected exit code 0 for valid input ${input}`);
+  assert.strictEqual(result.stderr.toString(), '', `Expected empty stderr for valid input ${input}`);
+});
+
+// Test invalid cases
+invalidPercentages.forEach((input) => {
+  const result = spawnSync(process.execPath, [
+    `--max-old-space-size-percentage=${input[0]}`,
+  ], { stdio: ['pipe', 'pipe', 'pipe'] });
+  assert.notStrictEqual(result.status, 0, `Expected non-zero exit for invalid input ${input[0]}`);
+  assert(input[1].test(result.stderr.toString()), `Unexpected error message for invalid input ${input[0]}`);
+});
+
+// Test NODE_OPTIONS with valid percentages
+validPercentages.forEach((input) => {
+  const result = spawnSync(process.execPath, [], {
+    stdio: ['pipe', 'pipe', 'pipe'],
+    env: { ...process.env, NODE_OPTIONS: `--max-old-space-size-percentage=${input}` }
+  });
+  assert.strictEqual(result.status, 0, `NODE_OPTIONS: Expected exit code 0 for valid input ${input}`);
+  assert.strictEqual(result.stderr.toString(), '', `NODE_OPTIONS: Expected empty stderr for valid input ${input}`);
+});
+
+// Test NODE_OPTIONS with invalid percentages
+invalidPercentages.forEach((input) => {
+  const result = spawnSync(process.execPath, [], {
+    stdio: ['pipe', 'pipe', 'pipe'],
+    env: { ...process.env, NODE_OPTIONS: `--max-old-space-size-percentage=${input[0]}` }
+  });
+  assert.notStrictEqual(result.status, 0, `NODE_OPTIONS: Expected non-zero exit for invalid input ${input[0]}`);
+  assert(input[1].test(result.stderr.toString()), `NODE_OPTIONS: Unexpected error message for invalid input ${input[0]}`);
+});
+
+// Test percentage calculation validation
+function getHeapSizeForPercentage(percentage) {
+  const result = spawnSync(process.execPath, [
+    '--max-old-space-size=3000', // This value should be ignored, since percentage takes precedence
+    `--max-old-space-size-percentage=${percentage}`,
+    '--max-old-space-size=1000', // This value should be ignored, since percentage take precedence
+    '-e', `
+      const v8 = require('v8');
+      const stats = v8.getHeapStatistics();
+      const heapSizeLimitMB = Math.floor(stats.heap_size_limit / 1024 / 1024);
+      console.log(heapSizeLimitMB);
+    `,
+  ], {
+    stdio: ['pipe', 'pipe', 'pipe'],
+    env: {
+      ...process.env,
+      NODE_OPTIONS: `--max-old-space-size=2000` // This value should be ignored, since percentage takes precedence
+    }
+  });
+
+  if (result.status !== 0) {
+    throw new Error(`Failed to get heap size for ${percentage}: ${result.stderr.toString()}`);
+  }
+
+  return parseInt(result.stdout.toString(), 10);
+}
+
+const testPercentages = [25, 50, 75, 100];
+const heapSizes = {};
+
+// Get heap sizes for all test percentages
+testPercentages.forEach((percentage) => {
+  heapSizes[percentage] = getHeapSizeForPercentage(percentage);
+});
+
+// Test relative relationships between percentages
+// 50% should be roughly half of 100%
+const ratio50to100 = heapSizes[50] / heapSizes[100];
+assert(
+  ratio50to100 >= 0.4 && ratio50to100 <= 0.6,
+  `50% heap size should be roughly half of 100% (got ${ratio50to100.toFixed(2)}, expected ~0.5)`
+);
+
+// 25% should be roughly quarter of 100%
+const ratio25to100 = heapSizes[25] / heapSizes[100];
+assert(
+  ratio25to100 >= 0.15 && ratio25to100 <= 0.35,
+  `25% heap size should be roughly quarter of 100% (got ${ratio25to100.toFixed(2)}, expected ~0.25)`
+);
+
+// 75% should be roughly three-quarters of 100%
+const ratio75to100 = heapSizes[75] / heapSizes[100];
+assert(
+  ratio75to100 >= 0.65 && ratio75to100 <= 0.85,
+  `75% heap size should be roughly three-quarters of 100% (got ${ratio75to100.toFixed(2)}, expected ~0.75)`
+);
+
+// Validate heap sizes against system memory
+const totalMemoryMB = Math.floor(os.totalmem() / 1024 / 1024);
+const margin = 10; // 5% margin
+testPercentages.forEach((percentage) => {
+  const upperLimit = totalMemoryMB * ((percentage + margin) / 100);
+  assert(
+    heapSizes[percentage] <= upperLimit,
+    `Heap size for ${percentage}% (${heapSizes[percentage]} MB) should not exceed upper limit (${upperLimit} MB)`
+  );
+  const lowerLimit = totalMemoryMB * ((percentage - margin) / 100);
+  assert(
+    heapSizes[percentage] >= lowerLimit,
+    `Heap size for ${percentage}% (${heapSizes[percentage]} MB) should not be less than lower limit (${lowerLimit} MB)`
+  );
+});
diff --git a/test/parallel/test-node-output-sourcemaps.mjs b/test/parallel/test-node-output-sourcemaps.mjs
index 81c36934ba0f3e..c11c2c36735dae 100644
--- a/test/parallel/test-node-output-sourcemaps.mjs
+++ b/test/parallel/test-node-output-sourcemaps.mjs
@@ -27,6 +27,7 @@ describe('sourcemaps output', { concurrency: !process.env.TEST_PARALLEL }, () =>
     { name: 'source-map/output/source_map_sourcemapping_url_string.js' },
     { name: 'source-map/output/source_map_throw_async_stack_trace.mjs' },
     { name: 'source-map/output/source_map_throw_catch.js' },
+    { name: 'source-map/output/source_map_throw_class_method.js' },
     { name: 'source-map/output/source_map_throw_construct.mjs' },
     { name: 'source-map/output/source_map_throw_first_tick.js' },
     { name: 'source-map/output/source_map_throw_icu.js' },
diff --git a/test/parallel/test-path-join.js b/test/parallel/test-path-join.js
index b8d6375989a75e..ec4f5fea7097a5 100644
--- a/test/parallel/test-path-join.js
+++ b/test/parallel/test-path-join.js
@@ -110,6 +110,14 @@ joinTests.push([
       [['c:.', 'file'], 'c:file'],
       [['c:', '/'], 'c:\\'],
       [['c:', 'file'], 'c:\\file'],
+      // UNC path join tests (Windows)
+      [['\\server\\share', 'file.txt'], '\\server\\share\\file.txt'],
+      [['\\server\\share', 'folder', 'another.txt'], '\\server\\share\\folder\\another.txt'],
+      [['\\server\\share', 'COM1:'], '\\server\\share\\COM1:'],
+      [['\\server\\share', 'path', 'LPT1:'], '\\server\\share\\path\\LPT1:'],
+      [['\\fileserver\\public\\uploads', 'CON:..\\..\\..\\private\\db.conf'],
+       '\\fileserver\\public\\uploads\\CON:..\\..\\..\\private\\db.conf'],
+
       // Path traversal in previous versions of Node.js.
       [['./upload', '/../C:/Windows'], '.\\C:\\Windows'],
       [['upload', '../', 'C:foo'], '.\\C:foo'],
diff --git a/test/parallel/test-path-win32-normalize-device-names.js b/test/parallel/test-path-win32-normalize-device-names.js
index 927bc5cec8a2e5..b34c9061e56539 100644
--- a/test/parallel/test-path-win32-normalize-device-names.js
+++ b/test/parallel/test-path-win32-normalize-device-names.js
@@ -9,6 +9,19 @@ if (!common.isWindows) {
 }
 
 const normalizeDeviceNameTests = [
+  // UNC paths: \\server\share\... is a Windows UNC path, where 'server' is the network server name and 'share'
+  // is the shared folder. These are used for network file access and are subject to reserved device name
+  // checks after the share.
+  { input: '\\\\server\\share\\COM1:', expected: '\\\\server\\share\\COM1:' },
+  { input: '\\\\server\\share\\PRN:', expected: '\\\\server\\share\\PRN:' },
+  { input: '\\\\server\\share\\AUX:', expected: '\\\\server\\share\\AUX:' },
+  { input: '\\\\server\\share\\LPT1:', expected: '\\\\server\\share\\LPT1:' },
+  { input: '\\\\server\\share\\COM1:\\foo\\bar', expected: '\\\\server\\share\\COM1:\\foo\\bar' },
+  { input: '\\\\server\\share\\path\\COM1:', expected: '\\\\server\\share\\path\\COM1:' },
+  { input: '\\\\server\\share\\COM1:..\\..\\..\\..\\Windows', expected: '\\\\server\\share\\Windows' },
+  { input: '\\\\server\\share\\path\\to\\LPT9:..\\..\\..\\..\\..\\..\\..\\..\\..\\file.txt',
+    expected: '\\\\server\\share\\file.txt' },
+
   { input: 'CON', expected: 'CON' },
   { input: 'con', expected: 'con' },
   { input: 'CON:', expected: '.\\CON:.' },
@@ -45,10 +58,18 @@ const normalizeDeviceNameTests = [
 
   { input: 'COM1:', expected: '.\\COM1:.' },
   { input: 'COM9:', expected: '.\\COM9:.' },
+  { input: 'COM¹:', expected: '.\\COM¹:.' },
+  { input: 'COM²:', expected: '.\\COM²:.' },
+  { input: 'COM³:', expected: '.\\COM³:.' },
   { input: 'COM1:.\\..\\..\\foo', expected: '.\\COM1:..\\..\\foo' },
+  { input: 'COM¹:.\\..\\..\\foo', expected: '.\\COM¹:..\\..\\foo' },
   { input: 'LPT1:', expected: '.\\LPT1:.' },
+  { input: 'LPT¹:', expected: '.\\LPT¹:.' },
+  { input: 'LPT²:', expected: '.\\LPT²:.' },
+  { input: 'LPT³:', expected: '.\\LPT³:.' },
   { input: 'LPT9:', expected: '.\\LPT9:.' },
   { input: 'LPT1:.\\..\\..\\foo', expected: '.\\LPT1:..\\..\\foo' },
+  { input: 'LPT¹:.\\..\\..\\foo', expected: '.\\LPT¹:..\\..\\foo' },
   { input: 'LpT5:/another/path', expected: '.\\LpT5:another\\path' },
 
   { input: 'C:\\foo', expected: 'C:\\foo' },
@@ -73,6 +94,8 @@ const normalizeDeviceNameTests = [
   // Test cases from original vulnerability reports or similar scenarios
   { input: 'COM1:.\\..\\..\\foo.js', expected: '.\\COM1:..\\..\\foo.js' },
   { input: 'LPT1:.\\..\\..\\another.txt', expected: '.\\LPT1:..\\..\\another.txt' },
+  // UNC paths
+  { input: '\\\\?\\COM1:.\\..\\..\\foo2.js', expected: '\\\\?\\COM1:\\foo2.js' },
 
   // Paths with device names not at the beginning
   { input: 'C:\\CON', expected: 'C:\\CON' },
diff --git a/test/parallel/test-permission-fs-supported.js b/test/parallel/test-permission-fs-supported.js
index a6cf9146c629c0..bf5127efd91a8a 100644
--- a/test/parallel/test-permission-fs-supported.js
+++ b/test/parallel/test-permission-fs-supported.js
@@ -67,6 +67,10 @@ const ignoreList = [
   'R_OK',
   'F_OK',
   'Dir',
+  // the Utf8Stream is implemented in terms of functions
+  // on the fs module that have permission checks, so we don't
+  // need to check it here.
+  'Utf8Stream',
   'FileReadStream',
   'FileWriteStream',
   '_toUnixTimestamp',
diff --git a/test/parallel/test-runner-assert.js b/test/parallel/test-runner-assert.js
index 74384947278e4e..c74f9d03a28ee4 100644
--- a/test/parallel/test-runner-assert.js
+++ b/test/parallel/test-runner-assert.js
@@ -8,6 +8,8 @@ test('expected methods are on t.assert', (t) => {
     'AssertionError',
     'CallTracker',
     'strict',
+    'Assert',
+    'options',
   ];
   const assertKeys = Object.keys(assert).filter((key) => !uncopiedKeys.includes(key));
   const expectedKeys = ['snapshot', 'fileSnapshot'].concat(assertKeys).sort();
diff --git a/test/parallel/test-runner-output.mjs b/test/parallel/test-runner-output.mjs
index 8adac4dfa72b94..ccfca45e502fd5 100644
--- a/test/parallel/test-runner-output.mjs
+++ b/test/parallel/test-runner-output.mjs
@@ -329,6 +329,15 @@ const tests = [
             '--experimental-test-coverage',
             '--test-coverage-exclude=!test/**']
   } : false,
+  process.features.inspector ? {
+    name: 'test-runner/output/coverage-with-mock.mjs',
+    flags: ['--disable-warning=ExperimentalWarning',
+            '--test-reporter=tap',
+            '--experimental-transform-types',
+            '--experimental-test-module-mocks',
+            '--experimental-test-coverage',
+            '--test-coverage-exclude=!test/**']
+  } : false,
 ]
 .filter(Boolean)
 .map(({ flags, name, tty, transform, cwd }) => ({
diff --git a/test/parallel/test-single-executable-blob-config-errors.js b/test/parallel/test-single-executable-blob-config-errors.js
index 364a533c0c90fb..a30850010e2e4d 100644
--- a/test/parallel/test-single-executable-blob-config-errors.js
+++ b/test/parallel/test-single-executable-blob-config-errors.js
@@ -5,113 +5,88 @@
 require('../common');
 const tmpdir = require('../common/tmpdir');
 const { writeFileSync, mkdirSync } = require('fs');
-const { spawnSync } = require('child_process');
-const assert = require('assert');
+const { spawnSyncAndAssert } = require('../common/child_process');
 
 {
   tmpdir.refresh();
   const config = 'non-existent-relative.json';
-  const child = spawnSync(
+  spawnSyncAndAssert(
     process.execPath,
     ['--experimental-sea-config', config], {
       cwd: tmpdir.path,
+    }, {
+      status: 1,
+      stderr: /Cannot read single executable configuration from non-existent-relative\.json/
     });
-  const stderr = child.stderr.toString();
-  assert.strictEqual(child.status, 1);
-  assert.match(
-    stderr,
-    /Cannot read single executable configuration from non-existent-relative\.json/
-  );
 }
 
 {
   tmpdir.refresh();
   const config = tmpdir.resolve('non-existent-absolute.json');
-  const child = spawnSync(
+  spawnSyncAndAssert(
     process.execPath,
     ['--experimental-sea-config', config], {
       cwd: tmpdir.path,
+    }, {
+      status: 1,
+      stderr: /Cannot read single executable configuration from .*non-existent-absolute\.json/
     });
-  const stderr = child.stderr.toString();
-  assert.strictEqual(child.status, 1);
-  assert(
-    stderr.includes(
-      `Cannot read single executable configuration from ${config}`
-    )
-  );
 }
 
 {
   tmpdir.refresh();
   const config = tmpdir.resolve('invalid.json');
   writeFileSync(config, '\n{\n"main"', 'utf8');
-  const child = spawnSync(
+  spawnSyncAndAssert(
     process.execPath,
     ['--experimental-sea-config', config], {
       cwd: tmpdir.path,
+    }, {
+      status: 1,
+      stderr: /INCOMPLETE_ARRAY_OR_OBJECT/
     });
-  const stderr = child.stderr.toString();
-  assert.strictEqual(child.status, 1);
-  assert.match(stderr, /SyntaxError: Expected ':' after property name/);
-  assert(
-    stderr.includes(
-      `Cannot parse JSON from ${config}`
-    )
-  );
 }
 
 {
   tmpdir.refresh();
   const config = tmpdir.resolve('empty.json');
   writeFileSync(config, '{}', 'utf8');
-  const child = spawnSync(
+  spawnSyncAndAssert(
     process.execPath,
     ['--experimental-sea-config', config], {
       cwd: tmpdir.path,
+    }, {
+      status: 1,
+      stderr: /"main" field of .*empty\.json is not a non-empty string/
     });
-  const stderr = child.stderr.toString();
-  assert.strictEqual(child.status, 1);
-  assert(
-    stderr.includes(
-      `"main" field of ${config} is not a non-empty string`
-    )
-  );
 }
 
 {
   tmpdir.refresh();
   const config = tmpdir.resolve('no-main.json');
   writeFileSync(config, '{"output": "test.blob"}', 'utf8');
-  const child = spawnSync(
+  spawnSyncAndAssert(
     process.execPath,
     ['--experimental-sea-config', config], {
       cwd: tmpdir.path,
+    }, {
+      status: 1,
+      stderr: /"main" field of .*no-main\.json is not a non-empty string/
     });
-  const stderr = child.stderr.toString();
-  assert.strictEqual(child.status, 1);
-  assert(
-    stderr.includes(
-      `"main" field of ${config} is not a non-empty string`
-    )
-  );
 }
 
 {
   tmpdir.refresh();
   const config = tmpdir.resolve('no-output.json');
   writeFileSync(config, '{"main": "bundle.js"}', 'utf8');
-  const child = spawnSync(
+  spawnSyncAndAssert(
     process.execPath,
     ['--experimental-sea-config', config], {
       cwd: tmpdir.path,
+    }, {
+      status: 1,
+      stderr: /"output" field of .*no-output\.json is not a non-empty string/
     });
-  const stderr = child.stderr.toString();
-  assert.strictEqual(child.status, 1);
-  assert(
-    stderr.includes(
-      `"output" field of ${config} is not a non-empty string`
-    )
-  );
 }
 
 {
@@ -124,32 +99,28 @@ const assert = require('assert');
   "disableExperimentalSEAWarning": "💥"
 }
   `, 'utf8');
-  const child = spawnSync(
+  spawnSyncAndAssert(
     process.execPath,
     ['--experimental-sea-config', config], {
       cwd: tmpdir.path,
+    }, {
+      status: 1,
+      stderr: /"disableExperimentalSEAWarning" field of .*invalid-disableExperimentalSEAWarning\.json is not a Boolean/
     });
-  const stderr = child.stderr.toString();
-  assert.strictEqual(child.status, 1);
-  assert(
-    stderr.includes(
-      `"disableExperimentalSEAWarning" field of ${config} is not a Boolean`
-    )
-  );
 }
 
 {
   tmpdir.refresh();
   const config = tmpdir.resolve('nonexistent-main-relative.json');
   writeFileSync(config, '{"main": "bundle.js", "output": "sea.blob"}', 'utf8');
-  const child = spawnSync(
+  spawnSyncAndAssert(
     process.execPath,
     ['--experimental-sea-config', config], {
       cwd: tmpdir.path,
+    }, {
+      status: 1,
+      stderr: /Cannot read main script .*bundle\.js/
     });
-  const stderr = child.stderr.toString();
-  assert.strictEqual(child.status, 1);
-  assert.match(stderr, /Cannot read main script bundle\.js/);
 }
 
 {
@@ -161,19 +132,14 @@ const assert = require('assert');
     output: 'sea.blob'
   });
   writeFileSync(config, configJson, 'utf8');
-  const child = spawnSync(
+  spawnSyncAndAssert(
     process.execPath,
     ['--experimental-sea-config', config], {
       cwd: tmpdir.path,
+    }, {
+      status: 1,
+      stderr: /Cannot read main script .*bundle\.js/
     });
-
-  const stderr = child.stderr.toString();
-  assert.strictEqual(child.status, 1);
-  assert(
-    stderr.includes(
-      `Cannot read main script ${main}`
-    )
-  );
 }
 
 {
@@ -188,19 +154,14 @@ const assert = require('assert');
     output,
   });
   writeFileSync(config, configJson, 'utf8');
-  const child = spawnSync(
+  spawnSyncAndAssert(
     process.execPath,
     ['--experimental-sea-config', config], {
       cwd: tmpdir.path,
+    }, {
+      status: 1,
+      stderr: /Cannot write output to .*output-dir/
     });
-
-  const stderr = child.stderr.toString();
-  assert.strictEqual(child.status, 1);
-  assert(
-    stderr.includes(
-      `Cannot write output to ${output}`
-    )
-  );
 }
 
 {
@@ -215,13 +176,12 @@ const assert = require('assert');
     output: 'output-dir'
   });
   writeFileSync(config, configJson, 'utf8');
-  const child = spawnSync(
+  spawnSyncAndAssert(
     process.execPath,
     ['--experimental-sea-config', config], {
       cwd: tmpdir.path,
+    }, {
+      status: 1,
+      stderr: /Cannot write output to output-dir/
     });
-
-  const stderr = child.stderr.toString();
-  assert.strictEqual(child.status, 1);
-  assert.match(stderr, /Cannot write output to output-dir/);
 }
diff --git a/test/parallel/test-stream-readable-to-web.js b/test/parallel/test-stream-readable-to-web.js
deleted file mode 100644
index 753672b509c173..00000000000000
--- a/test/parallel/test-stream-readable-to-web.js
+++ /dev/null
@@ -1,62 +0,0 @@
-'use strict';
-const common = require('../common');
-if (!common.hasCrypto) { common.skip('missing crypto'); }
-
-const { Readable } = require('stream');
-const process = require('process');
-const { randomBytes } = require('crypto');
-const assert = require('assert');
-
-// Based on: https://github.com/nodejs/node/issues/46347#issuecomment-1413886707
-// edit: make it cross-platform as /dev/urandom is not available on Windows
-{
-  let currentMemoryUsage = process.memoryUsage().arrayBuffers;
-
-  // We initialize a stream, but not start consuming it
-  const randomNodeStream = new Readable({
-    read(size) {
-      randomBytes(size, (err, buffer) => {
-        if (err) {
-          // If an error occurs, emit an 'error' event
-          this.emit('error', err);
-          return;
-        }
-
-        // Push the random bytes to the stream
-        this.push(buffer);
-      });
-    }
-  });
-  // after 2 seconds, it'll get converted to web stream
-  let randomWebStream;
-
-  // We check memory usage every second
-  // since it's a stream, it shouldn't be higher than the chunk size
-  const reportMemoryUsage = () => {
-    const { arrayBuffers } = process.memoryUsage();
-    currentMemoryUsage = arrayBuffers;
-
-    assert(currentMemoryUsage <= 256 * 1024 * 1024);
-  };
-  setInterval(reportMemoryUsage, 1000);
-
-  // after 1 second we use Readable.toWeb
-  // memory usage should stay pretty much the same since it's still a stream
-  setTimeout(() => {
-    randomWebStream = Readable.toWeb(randomNodeStream);
-  }, 1000);
-
-  // after 2 seconds we start consuming the stream
-  // memory usage will grow, but the old chunks should be garbage-collected pretty quickly
-  setTimeout(async () => {
-    // eslint-disable-next-line no-unused-vars
-    for await (const _ of randomWebStream) {
-      // Do nothing, just let the stream flow
-    }
-  }, 2000);
-
-  setTimeout(() => {
-    // Test considered passed if we don't crash
-    process.exit(0);
-  }, 5000);
-}
diff --git a/test/parallel/test-stream-readable-to-web.mjs b/test/parallel/test-stream-readable-to-web.mjs
new file mode 100644
index 00000000000000..8ff9f2fb16ed1c
--- /dev/null
+++ b/test/parallel/test-stream-readable-to-web.mjs
@@ -0,0 +1,64 @@
+import { mustCall } from '../common/index.mjs';
+import { Readable } from 'node:stream';
+import { memoryUsage } from 'node:process';
+import assert from 'node:assert';
+import { setImmediate } from 'node:timers/promises';
+
+// Based on: https://github.com/nodejs/node/issues/46347#issuecomment-1413886707
+// edit: make it cross-platform as /dev/urandom is not available on Windows
+
+const MAX_MEM = 256 * 1024 * 1024; // 256 MiB
+
+function checkMemoryUsage() {
+  assert(memoryUsage().arrayBuffers < MAX_MEM);
+}
+
+const MAX_BUFFERS = 1000;
+let buffersCreated = 0;
+
+const randomNodeStream = new Readable({
+  read(size) {
+    if (buffersCreated >= MAX_BUFFERS) {
+      this.push(null);
+      return;
+    }
+
+    this.push(Buffer.alloc(size));
+    buffersCreated++;
+  }
+});
+
+randomNodeStream.on('error', (err) => {
+  assert.fail(err);
+});
+
+// Before doing anything, make sure memory usage is okay
+checkMemoryUsage();
+
+// Create stream and check memory usage remains okay
+
+const randomWebStream = Readable.toWeb(randomNodeStream);
+
+checkMemoryUsage();
+
+let timeout;
+try {
+  // Wait two seconds before consuming the stream to see if memory usage increases
+  timeout = setTimeout(mustCall(async () => {
+    // Did the stream leak memory?
+    checkMemoryUsage();
+    // eslint-disable-next-line no-unused-vars
+    for await (const _ of randomWebStream) {
+      // Yield event loop to allow garbage collection
+      await setImmediate();
+      // consume the stream
+      // check memory usage remains okay
+      checkMemoryUsage();
+    }
+  }), 2000);
+} catch (err) {
+  if (timeout) {
+    clearTimeout(timeout);
+  }
+  assert.fail(err);
+}
diff --git a/test/parallel/test-tls-get-ca-certificates-node-use-system-ca.js b/test/parallel/test-tls-get-ca-certificates-node-use-system-ca.js
new file mode 100644
index 00000000000000..81a5cba4da77e2
--- /dev/null
+++ b/test/parallel/test-tls-get-ca-certificates-node-use-system-ca.js
@@ -0,0 +1,29 @@
+'use strict';
+// This tests that NODE_USE_SYSTEM_CA environment variable works the same
+// as --use-system-ca flag by comparing certificate counts.
+
+const common = require('../common');
+if (!common.hasCrypto) common.skip('missing crypto');
+
+const tls = require('tls');
+const { spawnSyncAndExitWithoutError } = require('../common/child_process');
+
+const systemCerts = tls.getCACertificates('system');
+if (systemCerts.length === 0) {
+  common.skip('no system certificates available');
+}
+
+const { child: { stdout: expectedLength } } = spawnSyncAndExitWithoutError(process.execPath, [
+  '--use-system-ca',
+  '-p',
+  `tls.getCACertificates('default').length`,
+], {
+  env: { ...process.env, NODE_USE_SYSTEM_CA: '0' },
+});
+
+spawnSyncAndExitWithoutError(process.execPath, [
+  '-p',
+  `assert.strictEqual(tls.getCACertificates('default').length, ${expectedLength.toString()})`,
+], {
+  env: { ...process.env, NODE_USE_SYSTEM_CA: '1' },
+});
diff --git a/test/parallel/test-tls-session-timeout-errors.js b/test/parallel/test-tls-session-timeout-errors.js
new file mode 100644
index 00000000000000..6e5646127c80b4
--- /dev/null
+++ b/test/parallel/test-tls-session-timeout-errors.js
@@ -0,0 +1,36 @@
+'use strict';
+// This tests validation of sessionTimeout option in TLS server.
+const common = require('../common');
+
+if (!common.hasCrypto) {
+  common.skip('missing crypto');
+}
+
+const tmpdir = require('../common/tmpdir');
+tmpdir.refresh();
+
+const assert = require('assert');
+const tls = require('tls');
+const fixtures = require('../common/fixtures');
+
+const key = fixtures.readKey('rsa_private.pem');
+const cert = fixtures.readKey('rsa_cert.crt');
+
+// Node.js should not allow setting negative timeouts since new versions of
+// OpenSSL do not handle those as users might expect
+
+for (const sessionTimeout of [-1, -100, -(2 ** 31)]) {
+  assert.throws(() => {
+    tls.createServer({
+      key: key,
+      cert: cert,
+      ca: [cert],
+      sessionTimeout,
+      maxVersion: 'TLSv1.2',
+    });
+  }, {
+    code: 'ERR_OUT_OF_RANGE',
+    message: 'The value of "options.sessionTimeout" is out of range. It ' +
+              `must be >= 0 && <= ${2 ** 31 - 1}. Received ${sessionTimeout}`,
+  });
+}
diff --git a/test/parallel/test-trace-sigint-in-worker.js b/test/parallel/test-trace-sigint-in-worker.js
new file mode 100644
index 00000000000000..ed7ca3908e7ca5
--- /dev/null
+++ b/test/parallel/test-trace-sigint-in-worker.js
@@ -0,0 +1,20 @@
+'use strict';
+
+const common = require('../common');
+
+const assert = require('assert');
+const util = require('util');
+const { Worker, workerData } = require('worker_threads');
+
+if (workerData?.isWorker) {
+  assert.throws(() => {
+    util.setTraceSigInt(true);
+  }, {
+    code: 'ERR_WORKER_UNSUPPORTED_OPERATION',
+  });
+} else {
+  const w = new Worker(__filename, { workerData: { isWorker: true } });
+  w.on('exit', common.mustCall((code) => {
+    assert.strictEqual(code, 0);
+  }));
+}
diff --git a/test/parallel/test-worker-cpu-usage.js b/test/parallel/test-worker-cpu-usage.js
new file mode 100644
index 00000000000000..b043f4fbd182f9
--- /dev/null
+++ b/test/parallel/test-worker-cpu-usage.js
@@ -0,0 +1,81 @@
+'use strict';
+const common = require('../common');
+const { isSunOS } = require('../common');
+const assert = require('assert');
+const {
+  Worker,
+} = require('worker_threads');
+
+function validate(result) {
+  assert.ok(typeof result == 'object' && result !== null);
+  assert.ok(result.user >= 0);
+  assert.ok(result.system >= 0);
+  assert.ok(Number.isFinite(result.user));
+  assert.ok(Number.isFinite(result.system));
+}
+
+function check(worker) {
+  [
+    -1,
+    1.1,
+    NaN,
+    undefined,
+    {},
+    [],
+    null,
+    function() {},
+    Symbol(),
+    true,
+    Infinity,
+    { user: -1, system: 1 },
+    { user: 1, system: -1 },
+  ].forEach((value) => {
+    try {
+      worker.cpuUsage(value);
+    } catch (e) {
+      assert.ok(/ERR_OUT_OF_RANGE|ERR_INVALID_ARG_TYPE/i.test(e.code));
+    }
+  });
+}
+
+const worker = new Worker(`
+  const { parentPort } = require('worker_threads');
+  parentPort.on('message', () => {});
+  `, { eval: true });
+
+// See test-process-threadCpuUsage-main-thread.js
+if (isSunOS) {
+  assert.throws(
+    () => worker.cpuUsage(),
+    {
+      code: 'ERR_OPERATION_FAILED',
+      name: 'Error',
+      message: 'Operation failed: worker.cpuUsage() is not available on SunOS'
+    }
+  );
+  worker.terminate();
+} else {
+  worker.on('online', common.mustCall(async () => {
+    check(worker);
+
+    const prev = await worker.cpuUsage();
+    validate(prev);
+
+    const curr = await worker.cpuUsage();
+    validate(curr);
+
+    assert.ok(curr.user >= prev.user);
+    assert.ok(curr.system >= prev.system);
+
+    const delta = await worker.cpuUsage(curr);
+    validate(delta);
+
+    worker.terminate();
+  }));
+
+  worker.once('exit', common.mustCall(async () => {
+    await assert.rejects(worker.cpuUsage(), {
+      code: 'ERR_WORKER_NOT_RUNNING'
+    });
+  }));
+}
diff --git a/test/parallel/test-worker-message-port-transfer-filehandle.js b/test/parallel/test-worker-message-port-transfer-filehandle.js
index 316c971bb0f1bc..41f9ebaff181ed 100644
--- a/test/parallel/test-worker-message-port-transfer-filehandle.js
+++ b/test/parallel/test-worker-message-port-transfer-filehandle.js
@@ -69,6 +69,11 @@ const { once } = require('events');
   assert.strictEqual(fh.fd, -1);
 
   port1.postMessage('second message');
+  await assert.rejects(() => fh.read(), {
+    code: 'EBADF',
+    message: 'The FileHandle has been transferred',
+    syscall: 'read'
+  });
 })().then(common.mustCall());
 
 (async function() {
diff --git a/test/parallel/test-worker-thread-name.js b/test/parallel/test-worker-thread-name.js
new file mode 100644
index 00000000000000..47e497b07b5164
--- /dev/null
+++ b/test/parallel/test-worker-thread-name.js
@@ -0,0 +1,18 @@
+'use strict';
+
+const common = require('../common');
+const assert = require('assert');
+const { Worker, threadName, workerData } = require('worker_threads');
+
+const name = 'test-worker-thread-name';
+
+if (workerData?.isWorker) {
+  assert.strictEqual(threadName, name);
+  process.exit(0);
+} else {
+  const w = new Worker(__filename, { name, workerData: { isWorker: true } });
+  assert.strictEqual(w.threadName, name);
+  w.on('exit', common.mustCall(() => {
+    assert.strictEqual(w.threadName, null);
+  }));
+}
diff --git a/test/parallel/test-zlib-zstd-dictionary.js b/test/parallel/test-zlib-zstd-dictionary.js
new file mode 100644
index 00000000000000..28dde28cb055b7
--- /dev/null
+++ b/test/parallel/test-zlib-zstd-dictionary.js
@@ -0,0 +1,26 @@
+'use strict';
+
+const common = require('../common');
+const assert = require('assert');
+const zlib = require('zlib');
+
+const dictionary = Buffer.from(
+  `Lorem ipsum dolor sit amet, consectetur adipiscing elit. 
+  Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. 
+  Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat.`
+);
+
+const input = Buffer.from(
+  `Lorem ipsum dolor sit amet, consectetur adipiscing elit. 
+  Lorem ipsum dolor sit amet, consectetur adipiscing elit. 
+  Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. 
+  Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. 
+  Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.`
+);
+
+zlib.zstdCompress(input, { dictionary }, common.mustSucceed((compressed) => {
+  assert(compressed.length < input.length);
+  zlib.zstdDecompress(compressed, { dictionary }, common.mustSucceed((decompressed) => {
+    assert.strictEqual(decompressed.toString(), input.toString());
+  }));
+}));
diff --git a/test/pseudo-tty/test-start-trace-sigint.js b/test/pseudo-tty/test-start-trace-sigint.js
new file mode 100644
index 00000000000000..bbadae61093061
--- /dev/null
+++ b/test/pseudo-tty/test-start-trace-sigint.js
@@ -0,0 +1,32 @@
+'use strict';
+
+const { mustCall } = require('../common');
+const childProcess = require('child_process');
+const assert = require('assert');
+const util = require('util');
+
+if (process.env.CHILD === 'true') {
+  main();
+} else {
+  // Use inherited stdio child process to prevent test tools from determining
+  // the case as crashed from SIGINT
+  const cp = childProcess.spawn(
+    process.execPath,
+    [__filename],
+    {
+      env: { ...process.env, CHILD: 'true' },
+      stdio: 'inherit',
+    });
+  cp.on('exit', mustCall((code, signal) => {
+    assert.strictEqual(signal, 'SIGINT');
+    assert.strictEqual(code, null);
+  }));
+}
+
+function main() {
+  util.setTraceSigInt(true);
+  // Deactivate colors even if the tty does support colors.
+  process.env.NODE_DISABLE_COLORS = '1';
+  process.kill(process.pid, 'SIGINT');
+  while (true);
+}
diff --git a/test/pseudo-tty/test-start-trace-sigint.out b/test/pseudo-tty/test-start-trace-sigint.out
new file mode 100644
index 00000000000000..e5e4911f844080
--- /dev/null
+++ b/test/pseudo-tty/test-start-trace-sigint.out
@@ -0,0 +1,11 @@
+KEYBOARD_INTERRUPT: Script execution was interrupted by `SIGINT`
+    at main (*/test-start-trace-sigint.js:*)
+    at */test-start-trace-sigint.js:*
+    at *
+    at *
+    at *
+    at *
+    at *
+    at *
+    at *
+    at *
diff --git a/test/pseudo-tty/test-stop-trace-sigint.js b/test/pseudo-tty/test-stop-trace-sigint.js
new file mode 100644
index 00000000000000..363a4008371ba6
--- /dev/null
+++ b/test/pseudo-tty/test-stop-trace-sigint.js
@@ -0,0 +1,32 @@
+'use strict';
+
+const { mustCall } = require('../common');
+const childProcess = require('child_process');
+const assert = require('assert');
+const util = require('util');
+
+if (process.env.CHILD === 'true') {
+  main();
+} else {
+  // Use inherited stdio child process to prevent test tools from determining
+  // the case as crashed from SIGINT
+  const cp = childProcess.spawn(
+    process.execPath,
+    ['--trace-sigint', __filename],
+    {
+      env: { ...process.env, CHILD: 'true' },
+      stdio: 'inherit',
+    });
+  cp.on('exit', mustCall((code, signal) => {
+    assert.strictEqual(signal, 'SIGINT');
+    assert.strictEqual(code, null);
+  }));
+}
+
+function main() {
+  util.setTraceSigInt(false);
+  // Deactivate colors even if the tty does support colors.
+  process.env.NODE_DISABLE_COLORS = '1';
+  process.kill(process.pid, 'SIGINT');
+  while (true);
+}
diff --git a/test/pseudo-tty/test-stop-trace-sigint.out b/test/pseudo-tty/test-stop-trace-sigint.out
new file mode 100644
index 00000000000000..e69de29bb2d1d6
diff --git a/test/sequential/test-async-wrap-getasyncid.js b/test/sequential/test-async-wrap-getasyncid.js
index 5568cde0bc2a3a..64de37eb4bc96c 100644
--- a/test/sequential/test-async-wrap-getasyncid.js
+++ b/test/sequential/test-async-wrap-getasyncid.js
@@ -62,6 +62,7 @@ const { getSystemErrorName } = require('util');
     delete providers.SIGINTWATCHDOG;
     delete providers.WORKERHEAPSNAPSHOT;
     delete providers.WORKERHEAPSTATISTICS;
+    delete providers.WORKERCPUUSAGE;
     delete providers.BLOBREADER;
     delete providers.RANDOMPRIMEREQUEST;
     delete providers.CHECKPRIMEREQUEST;
diff --git a/test/parallel/test-inspector-network-resource.js b/test/sequential/test-inspector-network-resource.js
similarity index 100%
rename from test/parallel/test-inspector-network-resource.js
rename to test/sequential/test-inspector-network-resource.js
diff --git a/test/sequential/test-tls-session-timeout.js b/test/sequential/test-tls-session-timeout.js
index a93cdc793a2337..14baabd7a64b7d 100644
--- a/test/sequential/test-tls-session-timeout.js
+++ b/test/sequential/test-tls-session-timeout.js
@@ -35,34 +35,13 @@ const assert = require('assert');
 const tls = require('tls');
 const fixtures = require('../common/fixtures');
 
-const key = fixtures.readKey('rsa_private.pem');
-const cert = fixtures.readKey('rsa_cert.crt');
-
-{
-  // Node.js should not allow setting negative timeouts since new versions of
-  // OpenSSL do not handle those as users might expect
-
-  for (const sessionTimeout of [-1, -100, -(2 ** 31)]) {
-    assert.throws(() => {
-      tls.createServer({
-        key: key,
-        cert: cert,
-        ca: [cert],
-        sessionTimeout,
-        maxVersion: 'TLSv1.2',
-      });
-    }, {
-      code: 'ERR_OUT_OF_RANGE',
-      message: 'The value of "options.sessionTimeout" is out of range. It ' +
-               `must be >= 0 && <= ${2 ** 31 - 1}. Received ${sessionTimeout}`,
-    });
-  }
-}
-
 if (!opensslCli) {
   common.skip('node compiled without OpenSSL CLI.');
 }
 
+const key = fixtures.readKey('rsa_private.pem');
+const cert = fixtures.readKey('rsa_cert.crt');
+
 doTest();
 
 // This test consists of three TLS requests --
@@ -77,7 +56,7 @@ function doTest() {
   const fs = require('fs');
   const spawn = require('child_process').spawn;
 
-  const SESSION_TIMEOUT = 1;
+  const SESSION_TIMEOUT = 5;
 
   const options = {
     key: key,
@@ -85,32 +64,26 @@ function doTest() {
     ca: [cert],
     sessionTimeout: SESSION_TIMEOUT,
     maxVersion: 'TLSv1.2',
+    sessionIdContext: 'test-session-timeout',
   };
 
-  // We need to store a sample session ticket in the fixtures directory because
-  // `s_client` behaves incorrectly if we do not pass in both the `-sess_in`
-  // and the `-sess_out` flags, and the `-sess_in` argument must point to a
-  // file containing a proper serialization of a session ticket.
-  // To avoid a source control diff, we copy the ticket to a temporary file.
-
-  const sessionFileName = (function() {
-    const ticketFileName = 'tls-session-ticket.txt';
-    const tmpPath = tmpdir.resolve(ticketFileName);
-    fs.writeFileSync(tmpPath, fixtures.readSync(ticketFileName));
-    return tmpPath;
-  }());
-
-  // Expects a callback -- cb(connectionType : enum ['New'|'Reused'])
-
-  function Client(cb) {
+  const sessionFileName = tmpdir.resolve('tls-session-ticket.txt');
+  // Expects a callback -- cb()
+  function Client(port, sessIn, sessOut, expectedType, cb) {
     const flags = [
       's_client',
-      '-connect', `localhost:${common.PORT}`,
-      '-sess_in', sessionFileName,
-      '-sess_out', sessionFileName,
+      '-connect', `localhost:${port}`,
+      '-CAfile', fixtures.path('keys', 'rsa_cert.crt'),
+      '-servername', 'localhost',
     ];
+    if (sessIn) {
+      flags.push('-sess_in', sessIn);
+    }
+    if (sessOut) {
+      flags.push('-sess_out', sessOut);
+    }
     const client = spawn(opensslCli, flags, {
-      stdio: ['ignore', 'pipe', 'ignore']
+      stdio: ['ignore', 'pipe', 'inherit']
     });
 
     let clientOutput = '';
@@ -119,6 +92,20 @@ function doTest() {
     });
     client.on('exit', (code) => {
       let connectionType;
+      // Log the output for debugging purposes. Don't remove them or otherwise
+      // the CI output is useless when this test flakes.
+      console.log(' ----- [COMMAND] ---');
+      console.log(`${opensslCli}, ${flags.join(' ')}`);
+      console.log(' ----- [STDOUT] ---');
+      console.log(clientOutput);
+      console.log(' ----- [SESSION FILE] ---');
+      try {
+        const stat = fs.statSync(sessionFileName);
+        console.log(`Session file size: ${stat.size} bytes`);
+      } catch (err) {
+        console.log('Error reading session file:', err);
+      }
+
       const grepConnectionType = (line) => {
         const matches = line.match(/(New|Reused), /);
         if (matches) {
@@ -131,6 +118,7 @@ function doTest() {
         throw new Error('unexpected output from openssl client');
       }
       assert.strictEqual(code, 0);
+      assert.strictEqual(connectionType, expectedType);
       cb(connectionType);
     });
   }
@@ -143,18 +131,18 @@ function doTest() {
     cleartext.end();
   });
 
-  server.listen(common.PORT, () => {
-    Client((connectionType) => {
-      assert.strictEqual(connectionType, 'New');
-      Client((connectionType) => {
-        assert.strictEqual(connectionType, 'Reused');
-        setTimeout(() => {
-          Client((connectionType) => {
-            assert.strictEqual(connectionType, 'New');
-            server.close();
-          });
-        }, (SESSION_TIMEOUT + 1) * 1000);
-      });
+  server.listen(0, () => {
+    const port = server.address().port;
+    Client(port, undefined, sessionFileName, 'New', () => {
+      setTimeout(() => {
+        Client(port, sessionFileName, sessionFileName, 'Reused', () => {
+          setTimeout(() => {
+            Client(port, sessionFileName, sessionFileName, 'New', () => {
+              server.close();
+            });
+          }, (SESSION_TIMEOUT + 1) * 1000);
+        });
+      }, 100);  // Wait a bit to ensure the session ticket is saved.
     });
   });
 }
diff --git a/test/system-ca/test-native-root-certs-env.mjs b/test/system-ca/test-native-root-certs-env.mjs
new file mode 100644
index 00000000000000..bde7dfcd9610bc
--- /dev/null
+++ b/test/system-ca/test-native-root-certs-env.mjs
@@ -0,0 +1,56 @@
+// Env: NODE_USE_SYSTEM_CA=1
+// Same as test-native-root-certs.mjs, just testing the environment variable instead of the flag.
+
+import * as common from '../common/index.mjs';
+import assert from 'node:assert/strict';
+import https from 'node:https';
+import fixtures from '../common/fixtures.js';
+import { it, beforeEach, afterEach, describe } from 'node:test';
+import { once } from 'events';
+
+if (!common.hasCrypto) {
+  common.skip('requires crypto');
+}
+
+// To run this test, the system needs to be configured to trust
+// the CA certificate first (which needs an interactive GUI approval, e.g. TouchID):
+// see the README.md in this folder for instructions on how to do this.
+const handleRequest = (req, res) => {
+  const path = req.url;
+  switch (path) {
+    case '/hello-world':
+      res.writeHead(200);
+      res.end('hello world\n');
+      break;
+    default:
+      assert(false, `Unexpected path: ${path}`);
+  }
+};
+
+describe('use-system-ca', function() {
+
+  async function setupServer(key, cert) {
+    const theServer = https.createServer({
+      key: fixtures.readKey(key),
+      cert: fixtures.readKey(cert),
+    }, handleRequest);
+    theServer.listen(0);
+    await once(theServer, 'listening');
+
+    return theServer;
+  }
+
+  let server;
+
+  beforeEach(async function() {
+    server = await setupServer('agent8-key.pem', 'agent8-cert.pem');
+  });
+
+  it('trusts a valid root certificate', async function() {
+    await fetch(`https://localhost:${server.address().port}/hello-world`);
+  });
+
+  afterEach(async function() {
+    server?.close();
+  });
+});
diff --git a/test/wpt/status/WebCryptoAPI.cjs b/test/wpt/status/WebCryptoAPI.cjs
index 709d34b8f47c40..7e4639ca497ba0 100644
--- a/test/wpt/status/WebCryptoAPI.cjs
+++ b/test/wpt/status/WebCryptoAPI.cjs
@@ -26,4 +26,20 @@ module.exports = {
       ],
     },
   },
+  'getRandomValues.any.js': {
+    'fail': {
+      'note': 'https://github.com/nodejs/node/issues/58987',
+      'expected': [
+        'Large length: Int8Array',
+        'Large length: Int16Array',
+        'Large length: Int32Array',
+        'Large length: BigInt64Array',
+        'Large length: Uint8Array',
+        'Large length: Uint8ClampedArray',
+        'Large length: Uint16Array',
+        'Large length: Uint32Array',
+        'Large length: BigUint64Array',
+      ],
+    },
+  },
 };
diff --git a/test/wpt/status/webstorage.json b/test/wpt/status/webstorage.json
index 10171601480aad..1dad4e2dd48403 100644
--- a/test/wpt/status/webstorage.json
+++ b/test/wpt/status/webstorage.json
@@ -22,5 +22,30 @@
   },
   "storage_session_window_reopen.window.js": {
     "skip": "window.open() is not supported in Node.js."
+  },
+  "storage_session_setitem_quotaexceedederr.window.js": {
+    "fail": {
+      "note": "https://github.com/nodejs/node/issues/58987",
+      "expected": [
+        "Throws QuotaExceededError when the quota has been exceeded"
+      ]
+    }
+  },
+  "storage_local_setitem_quotaexceedederr.window.js": {
+    "fail": {
+      "note": "https://github.com/nodejs/node/issues/58987",
+      "expected": [
+        "Throws QuotaExceededError when the quota has been exceeded"
+      ]
+    }
+  },
+  "symbol-props.window.js": {
+    "fail": {
+      "note": "https://github.com/nodejs/node/issues/59310",
+      "expected": [
+        "localStorage: defineProperty not configurable",
+        "sessionStorage: defineProperty not configurable"
+      ]
+    }
   }
 }
diff --git a/tools/cpplint.py b/tools/cpplint.py
index 5d6172d5a4e8b1..622139efb1e2a7 100755
--- a/tools/cpplint.py
+++ b/tools/cpplint.py
@@ -6475,6 +6475,19 @@ def CheckItemIndentationInNamespace(filename, raw_lines_no_comments, linenum,
     error(filename, linenum, 'runtime/indentation_namespace', 4,
           'Do not indent within a namespace')
 
+def CheckLocalVectorUsage(filename, lines, error):
+  """Logs an error if std::vector<v8::Local<T>> is used.
+  Args:
+    filename: The name of the current file.
+    lines: An array of strings, each representing a line of the file.
+    error: The function to call with any errors found.
+  """
+  for linenum, line in enumerate(lines):
+    if (Search(r'\bstd::vector<v8::Local<[^>]+>>', line) or
+        Search(r'\bstd::vector<Local<[^>]+>>', line)):
+      error(filename, linenum, 'runtime/local_vector', 5,
+            'Do not use std::vector<v8::Local<T>>. '
+            'Use v8::LocalVector<T> instead.')
 
 def ProcessLine(filename, file_extension, clean_lines, line,
                 include_state, function_state, nesting_state, error,
@@ -6645,6 +6658,8 @@ def ProcessFileData(filename, file_extension, lines, error,
 
   CheckInlineHeader(filename, include_state, error)
 
+  CheckLocalVectorUsage(filename, lines, error)
+
 def ProcessConfigOverrides(filename):
   """ Loads the configuration files and processes the config overrides.
 
diff --git a/tools/license-builder.sh b/tools/license-builder.sh
index 979493d0ea68df..c02c1ebadd44ea 100755
--- a/tools/license-builder.sh
+++ b/tools/license-builder.sh
@@ -156,4 +156,7 @@ addlicense "node-fs-extra" "lib/internal/fs/cp" "$licenseText"
 licenseText="$(curl -sL https://raw.githubusercontent.com/mcollina/on-exit-leak-free/2a01c7e66c690aca17187b10b0cecbe43e083eb2/LICENSE)"
 addlicense "on-exit-leak-free" "lib/internal/process/finalization" "$licenseText"
 
+licenseText="$(curl -sL https://raw.githubusercontent.com/pinojs/sonic-boom/refs/heads/master/LICENSE)"
+addlicense "sonic-boom" "lib/internal/streams/fast-utf8-stream.js" "$licenseText"
+
 mv "$tmplicense" "$licensefile"
diff --git a/tools/msvs/msi/nodemsi/product.wxs b/tools/msvs/msi/nodemsi/product.wxs
index ff66ade6816aaa..a0100cc564405f 100644
--- a/tools/msvs/msi/nodemsi/product.wxs
+++ b/tools/msvs/msi/nodemsi/product.wxs
@@ -41,7 +41,7 @@
     <Property Id="WIXUI_INSTALLDIR" Value="INSTALLDIR"/>
 
     <!-- WiX 4 QueryWindowsWellKnownSIDs element replaces previously used PropertyRef. -->
-    <!-- It sets all properties with the WIX_ACCOUNT_ prefix eg. WIX_ACCOUNT_USERS, etc. -->
+    <!-- It sets all properties with the WIX_ACCOUNT_ prefix e.g. WIX_ACCOUNT_USERS, etc. -->
     <util:QueryWindowsWellKnownSIDs/>
 
     <Property Id="INSTALLDIR" Secure="yes">
diff --git a/tools/test.py b/tools/test.py
index 8725a9103fdb0f..e27222af3ac519 100755
--- a/tools/test.py
+++ b/tools/test.py
@@ -1605,7 +1605,7 @@ def ArgsToTestPaths(test_root, args, suites):
   if len(args) == 0 or 'default' in args:
     def_suites = [s for s in suites if s not in IGNORED_SUITES]
     args = [a for a in args if a != 'default'] + def_suites
-  subsystem_regex = re.compile(r'^[a-zA-Z-]*$')
+  subsystem_regex = re.compile(r'^[a-zA-Z0-9-]*$')
   check = lambda arg: subsystem_regex.match(arg) and (arg not in suites)
   mapped_args = ["*/test*-%s-*" % arg if check(arg) else arg for arg in args]
   paths = [SplitPath(NormalizePath(a)) for a in mapped_args]
diff --git a/tools/v8_gypfiles/toolchain.gypi b/tools/v8_gypfiles/toolchain.gypi
index 1c44c94b2ca946..e614c39a6b53b9 100644
--- a/tools/v8_gypfiles/toolchain.gypi
+++ b/tools/v8_gypfiles/toolchain.gypi
@@ -131,13 +131,27 @@
         'xcode_settings': {
           # -Wno-invalid-offsetof
           'GCC_WARN_ABOUT_INVALID_OFFSETOF_MACRO': 'NO',
+        },
+        'msvs_settings': {
+          'VCCLCompilerTool': {
+            'AdditionalOptions': ['-Wno-invalid-offsetof'],
+          },
+        },
+      }],
+      ['clang==1', {
+        'cflags_cc': [
+          '-Wno-nullability-completeness',
+        ],
+        'xcode_settings': {
           'OTHER_CFLAGS': [
             '-Wno-nullability-completeness',
           ],
         },
         'msvs_settings': {
           'VCCLCompilerTool': {
-            'AdditionalOptions': ['-Wno-invalid-offsetof'],
+            'AdditionalOptions': [
+              '-Wno-nullability-completeness',
+            ],
           },
         },
       }],
diff --git a/typings/globals.d.ts b/typings/globals.d.ts
index 7b53a869b9ca11..e9875cdcc3bfa1 100644
--- a/typings/globals.d.ts
+++ b/typings/globals.d.ts
@@ -1,17 +1,21 @@
+import { AsyncContextFrameBinding } from './internalBinding/async_context_frame';
 import { AsyncWrapBinding } from './internalBinding/async_wrap';
 import { BlobBinding } from './internalBinding/blob';
 import { ConfigBinding } from './internalBinding/config';
 import { ConstantsBinding } from './internalBinding/constants';
 import { DebugBinding } from './internalBinding/debug';
+import { EncodingBinding } from './internalBinding/encoding_binding';
 import { HttpParserBinding } from './internalBinding/http_parser';
 import { InspectorBinding } from './internalBinding/inspector';
 import { FsBinding } from './internalBinding/fs';
 import { FsDirBinding } from './internalBinding/fs_dir';
+import { ICUBinding } from './internalBinding/icu';
 import { LocksBinding } from './internalBinding/locks';
 import { MessagingBinding } from './internalBinding/messaging';
 import { OptionsBinding } from './internalBinding/options';
 import { OSBinding } from './internalBinding/os';
 import { ProcessBinding } from './internalBinding/process';
+import { SeaBinding } from './internalBinding/sea';
 import { SerdesBinding } from './internalBinding/serdes';
 import { SymbolsBinding } from './internalBinding/symbols';
 import { TimersBinding } from './internalBinding/timers';
@@ -25,14 +29,17 @@ import { ModulesBinding } from './internalBinding/modules';
 import { ZlibBinding } from './internalBinding/zlib';
 
 interface InternalBindingMap {
+  async_context_frame: AsyncContextFrameBinding;
   async_wrap: AsyncWrapBinding;
   blob: BlobBinding;
   config: ConfigBinding;
   constants: ConstantsBinding;
   debug: DebugBinding;
+  encoding_binding: EncodingBinding;
   fs: FsBinding;
   fs_dir: FsDirBinding;
   http_parser: HttpParserBinding;
+  icu: ICUBinding;
   inspector: InspectorBinding;
   locks: LocksBinding;
   messaging: MessagingBinding;
@@ -40,6 +47,7 @@ interface InternalBindingMap {
   options: OptionsBinding;
   os: OSBinding;
   process: ProcessBinding;
+  sea: SeaBinding;
   serdes: SerdesBinding;
   symbols: SymbolsBinding;
   timers: TimersBinding;
@@ -65,6 +73,7 @@ declare global {
     | Int8Array
     | Int16Array
     | Int32Array
+    | Float16Array
     | Float32Array
     | Float64Array
     | BigUint64Array
diff --git a/typings/internalBinding/async_context_frame.d.ts b/typings/internalBinding/async_context_frame.d.ts
new file mode 100644
index 00000000000000..e7387b57653fd1
--- /dev/null
+++ b/typings/internalBinding/async_context_frame.d.ts
@@ -0,0 +1,4 @@
+export interface AsyncContextFrameBinding {
+  getContinuationPreservedEmbedderData(): unknown,
+  setContinuationPreservedEmbedderData(frame: unknown): void,
+}
diff --git a/typings/internalBinding/constants.d.ts b/typings/internalBinding/constants.d.ts
index 75d2dcc65e8ea7..3c29df44c13303 100644
--- a/typings/internalBinding/constants.d.ts
+++ b/typings/internalBinding/constants.d.ts
@@ -287,6 +287,9 @@ export interface ConstantsBinding {
     BROTLI_ENCODE: 9;
     ZSTD_COMPRESS: 10;
     ZSTD_DECOMPRESS: 11;
+    ZSTD_e_continue: 0;
+    ZSTD_e_flush: 1;
+    ZSTD_e_end: 2;
     Z_MIN_WINDOWBITS: 8;
     Z_MAX_WINDOWBITS: 15;
     Z_DEFAULT_WINDOWBITS: 15;
diff --git a/typings/internalBinding/encoding_binding.d.ts b/typings/internalBinding/encoding_binding.d.ts
new file mode 100644
index 00000000000000..6e1d48efd81529
--- /dev/null
+++ b/typings/internalBinding/encoding_binding.d.ts
@@ -0,0 +1,8 @@
+export interface EncodingBinding {
+  encodeInto(source: string, dest: Uint8Array): void;
+  encodeUtf8String(str: string): Uint8Array;
+  decodeUTF8(buffer: ArrayBufferView | ArrayBuffer | SharedArrayBuffer, ignoreBOM?: boolean, hasFatal?: boolean): string;
+  toASCII(input: string): string;
+  toUnicode(input: string): string;
+  decodeLatin1(buffer: ArrayBufferView | ArrayBuffer | SharedArrayBuffer, ignoreBOM?: boolean, hasFatal?: boolean): string;
+}
diff --git a/typings/internalBinding/http_parser.d.ts b/typings/internalBinding/http_parser.d.ts
index 5ab5651b637176..124bdd5af2f152 100644
--- a/typings/internalBinding/http_parser.d.ts
+++ b/typings/internalBinding/http_parser.d.ts
@@ -2,6 +2,15 @@ declare namespace InternalHttpParserBinding {
   type Buffer = Uint8Array;
   type Stream = object;
 
+  class ConnectionsList {
+    constructor();
+
+    all(): HTTPParser[];
+    idle(): HTTPParser[];
+    active(): HTTPParser[];
+    expired(): HTTPParser[];
+  }
+
   class HTTPParser {
     static REQUEST: 1;
     static RESPONSE: 2;
@@ -40,6 +49,8 @@ declare namespace InternalHttpParserBinding {
 }
 
 export interface HttpParserBinding {
-  methods: string[];
+  ConnectionsList: typeof InternalHttpParserBinding.ConnectionsList;
   HTTPParser: typeof InternalHttpParserBinding.HTTPParser;
+  allMethods: string[];
+  methods: string[];
 }
diff --git a/typings/internalBinding/icu.d.ts b/typings/internalBinding/icu.d.ts
new file mode 100644
index 00000000000000..7a688a5f08233e
--- /dev/null
+++ b/typings/internalBinding/icu.d.ts
@@ -0,0 +1,18 @@
+export interface ICUBinding {
+  Converter: object;
+  decode(
+    converter: object,
+    input: ArrayBufferView | ArrayBuffer | SharedArrayBuffer,
+    flags: number,
+    fromEncoding: string,
+  ): string;
+  getConverter(label: string, flags: number): object | undefined;
+  getStringWidth(value: string, ambiguousAsFullWidth?: boolean, expandEmojiSequence?: boolean): number;
+  hasConverter(label: string): boolean;
+  icuErrName(status: number): string;
+  transcode(
+    input: ArrayBufferView | ArrayBuffer | SharedArrayBuffer,
+    fromEncoding: string,
+    toEncoding: string,
+  ): Buffer | number;
+}
diff --git a/typings/internalBinding/sea.d.ts b/typings/internalBinding/sea.d.ts
new file mode 100644
index 00000000000000..15f4430d87d1b4
--- /dev/null
+++ b/typings/internalBinding/sea.d.ts
@@ -0,0 +1,5 @@
+export interface SeaBinding {
+  getAsset(key: string): ArrayBuffer | undefined;
+  isExperimentalSeaWarningNeeded(): boolean;
+  isSea(): boolean;
+}
diff --git a/typings/internalBinding/symbols.d.ts b/typings/internalBinding/symbols.d.ts
index 96310970d5cdee..8f754b283c0351 100644
--- a/typings/internalBinding/symbols.d.ts
+++ b/typings/internalBinding/symbols.d.ts
@@ -1,5 +1,6 @@
 export const async_id_symbol: unique symbol;
 export const handle_onclose_symbol: unique symbol;
+export const imported_cjs_symbol: unique symbol;
 export const no_message_symbol: unique symbol;
 export const messaging_deserialize_symbol: unique symbol;
 export const messaging_transfer_symbol: unique symbol;
@@ -13,6 +14,7 @@ export const trigger_async_id_symbol: unique symbol;
 export interface SymbolsBinding {
   async_id_symbol: typeof async_id_symbol;
   handle_onclose_symbol: typeof handle_onclose_symbol;
+  imported_cjs_symbol: typeof imported_cjs_symbol;
   no_message_symbol: typeof no_message_symbol;
   messaging_deserialize_symbol: typeof messaging_deserialize_symbol;
   messaging_transfer_symbol: typeof messaging_transfer_symbol;
diff --git a/typings/internalBinding/util.d.ts b/typings/internalBinding/util.d.ts
index 2cd52dc7b8f4b4..2a68699283debe 100644
--- a/typings/internalBinding/util.d.ts
+++ b/typings/internalBinding/util.d.ts
@@ -46,4 +46,22 @@ export interface UtilBinding {
   parseEnv(content: string): Record<string, string>;
   styleText(format: Array<string> | string, text: string): string;
   isInsideNodeModules(frameLimit: number, defaultValue: unknown): boolean;
+
+  constants: {
+    kPending: 0;
+    kFulfilled: 1;
+    kRejected: 2;
+    kExiting: 0;
+    kExitCode: 1;
+    kHasExitCode: 2;
+    ALL_PROPERTIES: 0;
+    ONLY_WRITABLE: 1;
+    ONLY_ENUMERABLE: 2;
+    ONLY_CONFIGURABLE: 4;
+    SKIP_STRINGS: 8;
+    SKIP_SYMBOLS: 16;
+    kDisallowCloneAndTransfer: 0;
+    kTransferable: 1;
+    kCloneable: 2;
+  };
 }
diff --git a/typings/internalBinding/worker.d.ts b/typings/internalBinding/worker.d.ts
index 0a316aaf5e5bff..9dfd9776cec41c 100644
--- a/typings/internalBinding/worker.d.ts
+++ b/typings/internalBinding/worker.d.ts
@@ -16,6 +16,7 @@ declare namespace InternalWorkerBinding {
     getResourceLimits(): Float64Array;
     takeHeapSnapshot(): object;
     getHeapStatistics(): Promise<object>;
+    cpuUsage(): Promise<object>;
     loopIdleTime(): number;
     loopStartTime(): number;
   }
diff --git a/typings/primordials.d.ts b/typings/primordials.d.ts
index cba2cd0aead902..ed77d4112e2984 100644
--- a/typings/primordials.d.ts
+++ b/typings/primordials.d.ts
@@ -280,6 +280,7 @@ declare namespace primordials {
   export const FunctionPrototypeApply: UncurryThis<typeof Function.prototype.apply>
   export const FunctionPrototypeBind: UncurryThis<typeof Function.prototype.bind>
   export const FunctionPrototypeCall: UncurryThis<typeof Function.prototype.call>
+  export const FunctionPrototypeSymbolHasInstance: UncurryMethod<typeof Function.prototype, typeof Symbol.hasInstance>
   export const FunctionPrototypeToString: UncurryThis<typeof Function.prototype.toString>
   export import Int16Array = globalThis.Int16Array;
   export const Int16ArrayPrototype: typeof Int16Array.prototype
@@ -371,6 +372,8 @@ declare namespace primordials {
   export const RegExpPrototypeGetSource: UncurryGetter<typeof RegExp.prototype, "source">;
   export const RegExpPrototypeGetSticky: UncurryGetter<typeof RegExp.prototype, "sticky">;
   export const RegExpPrototypeGetUnicode: UncurryGetter<typeof RegExp.prototype, "unicode">;
+  export const RegExpPrototypeSymbolReplace: UncurryMethod<typeof RegExp.prototype, typeof Symbol.replace>
+  export const RegExpPrototypeSymbolSplit: UncurryMethod<typeof RegExp.prototype, typeof Symbol.split>
   export import Set = globalThis.Set;
   export const SetLength: typeof Set.length
   export const SetName: typeof Set.name
diff --git a/unofficial.gni b/unofficial.gni
index a6c2f8c39becd2..c742b62c484e9d 100644
--- a/unofficial.gni
+++ b/unofficial.gni
@@ -22,6 +22,11 @@ template("node_gn_build") {
     } else {
       defines += [ "HAVE_OPENSSL=0" ]
     }
+    if (node_use_sqlite) {
+      defines += [ "HAVE_SQLITE=1" ]
+    } else {
+      defines += [ "HAVE_SQLITE=0" ]
+    }
     if (node_use_amaro) {
       defines += [ "HAVE_AMARO=1" ]
     } else {
@@ -159,7 +164,6 @@ template("node_gn_build") {
       "deps/nghttp2",
       "deps/ngtcp2",
       "deps/postject",
-      "deps/sqlite",
       "deps/uvwasi",
       "deps/zstd",
       "//third_party/zlib",
@@ -193,6 +197,10 @@ template("node_gn_build") {
       public_deps += [ "$node_openssl_path" ]
       sources += gypi_values.node_crypto_sources
     }
+    if (node_use_sqlite) {
+      deps += [ "deps/sqlite" ]
+      sources += gypi_values.node_sqlite_sources
+    }
     if (node_enable_inspector) {
       deps += [
         "$node_inspector_protocol_path:crdtp",