Update docker minor+patch+digest updates #76
No Assignees
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: Thilawyn/website#76
Reference in New Issue
Block a user
Delete Branch "renovate/docker-minor-patch-digest"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
This PR contains the following updates:
793c871→3625fdfcfe9b6a→547036522.21.1-trixie-slim→22.22.2-trixie-slim22.21.1→22.22.21.3.4→1.3.131.3.4→1.3.13v3.8.0→v3.11.3Release Notes
nodejs/node (node)
v22.22.2: 2026-03-24, Version 22.22.2 'Jod' (LTS), @RafaelGSS prepared by @aduh95Compare Source
This is a security release.
Notable Changes
SNICallbackinvocation intry/catch(Matteo Collina) - HighheadersDistinct/trailersDistinct(Matteo Collina) - HighNGHTTP2_ERR_FLOW_CONTROLerror code (RafaelGSS) - Mediumrealpath.native(RafaelGSS) - Lowlib/fs/promises(RafaelGSS) - LowCommits
6f14ee5101] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#80952a52ef619] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#82230a3ab11e2] - (CVE-2026-21717) deps: V8: cherry-pickaac14dd(Joyee Cheung) nodejs-private/node-private#809e3f4d6a42e] - (CVE-2026-21717) deps: V8: backport1361b2a(Joyee Cheung) nodejs-private/node-private#8097dc00fa5f4] - (CVE-2026-21717) deps: V8: backport185f0fe(Joyee Cheung) nodejs-private/node-private#809076acd052d] - (CVE-2026-21717) deps: V8: backport0a8b1cd(snek) nodejs-private/node-private#809963c60a951] - deps: V8: overridedepot_toolsversion (Richard Lau) #62344a688117d5d] - deps: upgrade npm to 10.9.7 (npm team) #62330859c8c761b] - deps: update undici to v6.24.1 (Matteo Collina) #62285d5ed384a2f] - deps: upgrade npm to 10.9.6 (npm team) #62215a2fe9fd81a] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#82173deff77c1] - lib: backport_tls_commonand_tls_wraprefactors (Dario Piotrowicz) #5764306fc3436f6] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795db48d9c675] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#7942a6105a63b] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#83291b970886f] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819v22.22.1: 2026-03-05, Version 22.22.1 'Jod' (LTS)Compare Source
Notable Changes
7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #599836063d888fe] - cli: mark--heapsnapshot-near-heap-limitas stable (Joyee Cheung) #60956d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #614194f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741b6ebf2cd53] - doc: add avivkeller to collaborators (Aviv Keller) #6111535854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #610945c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #60714Commits
5f773488c2] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #61076feecbb0eab] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #61388096095b127] - benchmark: add SQLite benchmarks (Guilherme Araújo) #61401b5fe481415] - benchmark: use boolean options in benchmark tests (SeokhunEom) #60129fa9faacacb] - benchmark: allow boolean option values (SeokhunEom) #60129ba8714ac21] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #6084153596de876] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #60663e8930e9d7c] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #606031155e412b1] - benchmark: add per-suite setup option (Joyee Cheung) #60574e01903d304] - benchmark: improve cpu.sh for safety and usability (Nam Yooseong) #60162623a405747] - benchmark: add benchmark for leaf source text modules (Joyee Cheung) #602057f5e7b9f7f] - benchmark: add microbench on isInsideNodeModules (Chengzhong Wu) #60991db132b85a8] - bootstrap: initialize http proxy after user module loader setup (Joyee Cheung) #5893866aab9f987] - buffer: let Buffer.of use heap (Сковорода Никита Андреевич) #60503c3cf00c671] - buffer: speed up concat via TypedArray#set (Gürgün Dayıoğlu) #60399f6fad231e9] - build: skip sscache action on non-main branches (Joyee Cheung) #617902145f91f6b] - build: update android-patches/trap-handler.h.patch (Mo Luo) #603695b49759dd8] - build: update devcontainer.json to use paired nix env (Joyee Cheung) #6141424724cde40] - build: fix misplaced comma in ldflags (hqzing) #61294c57a19934e] - build: fix crate vendor file checksums on windows (Chengzhong Wu) #613298659d7cd07] - build: fix inconsistent quoting inMakefile(Antoine du Hamel) #6051144f339b315] - build: remove temporal updater (Chengzhong Wu) #61151d60a6cebd5] - build: update test-wpt-report to use NODE instead of OUT_NODE (Filip Skokan) #6102434ccf187f5] - build: skip build-ci on actions with a separate test step (Chengzhong Wu) #610737b19e101a2] - build: run embedtest with node_g when BUILDTYPE=Debug (Chengzhong Wu) #608509408c4459f] - build: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) #599842166ec7f0f] - build: use call command when calling python configure (Jacob Nichols) #6009873ef70145d] - build: remove V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE defs (Joyee Cheung) #602967b93a65f27] - build: test on Python 3.14 (Christian Clauss) #59983508ce6ec6c] - build, src: fix include paths for vtune files (Rahul) #59999c89d3cd570] - build,tools: fix addon build deadlock on errors (Vladimir Morozov) #6132140904a0591] - build,win: update WinGet configurations to Python 3.14 (Mike McCready) #614316d6742e7db] - child_process: treat ipc length header as unsigned uint32 (Ryuhei Shima) #613446063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #609563d324a0f88] - cluster: fix port reuse between cluster (Ryuhei Shima) #6014140a58709b4] - console: optimize single-string logging (Gürgün Dayıoğlu) #60422d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #614194f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #60741a87499ae25] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #606628c65cc11e2] - crypto: update root certificates to NSS 3.116 (Node.js GitHub Bot) #5995691dc00a2c1] - debugger: fix event listener leak in the run command (Joyee Cheung) #604640781bd3764] - deps: V8: backport6a0a25a(Vivian Wang) #616880cf1f9c3e9] - deps: update googletest to8508785(Node.js GitHub Bot) #61417521b4b1f07] - deps: update sqlite to 3.51.2 (Node.js GitHub Bot) #6133958b9d219a3] - deps: update icu to 78.2 (Node.js GitHub Bot) #60523cbc1e4306d] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #61135db59c35ed8] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #61271c18518ee3c] - deps: update nbytes to 0.1.2 (Node.js GitHub Bot) #61270376df62d63] - deps: update timezone to 2025c (Node.js GitHub Bot) #61138993e905302] - deps: update simdjson to 4.2.4 (Node.js GitHub Bot) #61056b72fd2a5d3] - deps: update googletest to065127f(Node.js GitHub Bot) #61055d765147405] - deps: update sqlite to 3.51.1 (Node.js GitHub Bot) #6089937abe2a7d2] - deps: update zlib to 1.3.1-63d7e16 (Node.js GitHub Bot) #6089897241fcb86] - deps: update sqlite to 3.51.0 (Node.js GitHub Bot) #606143669c7b4f4] - deps: update simdjson to 4.2.2 (Node.js GitHub Bot) #607409a056ec89c] - deps: update googletest to1b96fa1(Node.js GitHub Bot) #60739b5803b3ea0] - deps: update minimatch to 10.1.1 (Node.js GitHub Bot) #605435bf99f3d46] - deps: update cjs-module-lexer to 2.1.1 (Node.js GitHub Bot) #60646801f187357] - deps: update simdjson to 4.2.1 (Node.js GitHub Bot) #6064403c16e5a4c] - deps: update simdjson to 4.1.0 (Node.js GitHub Bot) #605422ebfc2ca56] - deps: update amaro to 1.1.5 (Node.js GitHub Bot) #60541d24ba4fed6] - deps: update simdjson to 4.0.7 (Node.js GitHub Bot) #598839480a139bf] - deps: update googletest to279f847(Node.js GitHub Bot) #60219635e67379e] - deps: update archs files for openssl-3.5.5 (Node.js GitHub Bot) #61547c7b774047d] - deps: upgrade openssl sources to openssl-3.5.5 (Node.js GitHub Bot) #615475b324d7d7f] - deps: update corepack to 0.34.6 (Node.js GitHub Bot) #61510eef8ba0667] - deps: update corepack to 0.34.5 (Node.js GitHub Bot) #60842490f7c7fb1] - deps: update corepack to 0.34.4 (Node.js GitHub Bot) #6064366903ea3b3] - deps: update corepack to 0.34.2 (Node.js GitHub Bot) #60550a2f0b69282] - deps: update corepack to 0.34.1 (Node.js GitHub Bot) #60314c8044a48a6] - deps: V8: backport2e4c5cf(Michaël Zasso) #60654642f518198] - doc: supported toolchain with Visual Studio 2022 only (Mike McCready) #61451625f674487] - doc: move Security-Team from TSC to SECURITY (Rafael Gonzaga) #61495029e32f8ba] - doc: addedrequestOCSPoption totls.connect(ikeyan) #6106468e33dfa89] - doc: restore @ChALkeR to collaborators (Сковорода Никита Андреевич) #61553e016770d62] - doc: update IBM/Red Hat volunteers with dedicated project time (Beth Griggs) #61588ec63954657] - doc: mention constructor comparison in assert.deepStrictEqual (Hamza Kargin) #60253c8e1563a98] - doc: add CVE delay mention (Rafael Gonzaga) #614654b00cf2b54] - doc: include OpenJSF handle for security stewards (Rafael Gonzaga) #614544b73bf5bc8] - doc: clarify process.argv[1] behavior for -e/--eval (Jeevankumar S) #61366d3151df4b3] - doc: remove Windows Dev Home instructions from BUILDING (Mike McCready) #614342323462e35] - doc: clarify TypedArray properties on Buffer (Roman Reiss) #613556c5478c8b2] - doc: note resume build should not be done on node-test-commit (Stewart X Addison) #61373ba4a043103] - doc: refine WebAssembly error documentation (sangwook) #61382cd315ea589] - doc: add deprecation history for url.parse (Eng Zer Jun) #6138942db0c392d] - doc: add marco and rafael in last sec release (Marco Ippolito) #613834c3b680fc7] - doc: packages: example of private import switch to internal (coderaiser) #61343684d15e421] - doc: add esm and cjs examples to node:v8 (Alfredo González) #61328c3f9c7a7d9] - doc: added 'secure' event to tls.TLSSocket (ikeyan) #61066aa9acad5ca] - doc: restore @watilde to collaborators (Daijiro Wachi) #613509cafec084e] - doc: run license-builder (github-actions[bot]) #61348cdb12ccbc6] - doc: document ALPNCallback option for TLSSocket constructor (ikeyan) #61331461c5e65c5] - doc: update MDN links (Livia Medeiros) #61062dde45baeab] - doc: add documentation for process.traceProcessWarnings (Alireza Ebrahimkhani) #5364159a7aeec92] - doc: fix filename typo (Hardanish Singh) #612979a0a40d1ed] - doc: fix typos and grammar inBUILDING.md&onboarding.md(Hardanish Singh) #61267dca7005f9d] - doc: mention --newVersion release script (Rafael Gonzaga) #61255c0dc8ddf85] - doc: correct typo in api contributing doc (Mike McCready) #61260066af38fe1] - doc: add PR-URL requirement for security backports (Rafael Gonzaga) #6125671dd46bd0c] - doc: add reusePort error behavior to net module (mag123c) #61250f6abe3ba33] - doc: note corepack package removal in distribution doc (Mike McCready) #612079059d49d8c] - doc: fix tls.connect() timeout documentation (Azad Gupta) #61079e7b34b76b0] - doc: missingpassed,errorandpassedproperties onTestContext(Xavier Stouder) #611859ae2dcfbb6] - doc: clarify threat model for application-level API exposure (Rafael Gonzaga) #611849902331a7c] - doc: correct options for net.Socket class and socket.connect (Xavier Stouder) #61179a80122d2fe] - doc: document error event on readline InterfaceConstructor (Xavier Stouder) #6117038d73c9cfa] - doc: add a smooth scrolling effect to the sidebar (btea) #5900795c51fa984] - doc: correct invalid collaborator profile (JJ) #61091f5a044763c] - doc: exclude compile-time flag features from security policy (Matteo Collina) #61109b6ebf2cd53] - doc: add @avivkeller to collaborators (Aviv Keller) #6111535854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #610944932322c29] - doc: add File modes cross-references in fs methods (Mohit Raj Saxena) #60286c84904e047] - doc: add missingzstdto mjs example of zlib (Deokjin Kim) #60915e615b9e2f2] - doc: clarify fileURLToPath security considerations (Rafael Gonzaga) #6088799e384e6d4] - doc: replace column with columnNumber in example ofutil.getCallSites(Deokjin Kim) #608819351bb4d02] - doc: correct spelling in BUILDING.md (Rich Trott) #60875e1f6e7fc4d] - doc: update debuglog examples to use 'foo-bar' instead of 'foo' (xiaoyao) #60867ccbb2d7300] - doc: fix typos in changelogs (Rich Trott) #608551cb2fe8b35] - doc: mark module.register as active development (Chengzhong Wu) #60849ceeb4968a6] - doc: add fullName property to SuiteContext (PaulyBearCoding) #6076256155909dd] - doc: keep sidebar module visible when navigating docs (Botato) #604106b637763d5] - doc: correct concurrency wording in test() documentation (Azad Gupta) #607737183e8ffa1] - doc: clarify that CQ only picks up PRs targetingmain(René) #60731d5d94303be] - doc: clarify license section and add contributor note (KaleruMadhu) #60590e0210c8f53] - doc: correct tls ALPNProtocols types (René) #60143eff87b498a] - doc: remove mention of SMS 2FA (Antoine du Hamel) #60707e77ef94a51] - doc:domain.add()does not accept timer objects (René) #606754fe19c95ea] - doc: update Collaborators list to reflect hybrist handle change (Antoine du Hamel) #60650eece59b6ce] - doc: fix linter issues (Antoine du Hamel) #606366e17e596e4] - doc: correct values/references for buffer.kMaxLength (René) #60305ac327ae9a7] - doc: recommend events.once to manage 'close' event (Dan Fabulich) #60017d9b149ea42] - doc: highlight module loading difference between import and require (Ajay A) #59815f6d62cb22c] - doc: fix typo inprocess.unrefdocumentation (우혁) #596986d5078b196] - doc: add some entries toglossary.md(Mohataseem Khan) #59277b0a5820dea] - doc: improve agent.createConnection docs for http and https agents (JaeHo Jang) #58205b5db02fe67] - doc: fix pseudo code in modules.md (chirsz) #57677e9b912d481] - doc: add missing variable in code snippet (Koushil Mankali) #5547844c06c7812] - doc: add missing word insingle-executable-applications.md(Konstantin Tsabolov) #53864482b43f160] - doc: fix typo in http.md (Michael Solomon) #59354cd323bc718] - doc: update devcontainer.json and add documentation (Joyee Cheung) #60472c7c70f3a16] - doc: add haramj as triager (Haram Jeong) #6034804b8c4d14e] - doc: clarify require(esm) description (dynst) #60520de382dc832] - doc: instantiate resolver object (Donghoon Nam) #60476b6845ce460] - doc: clarify --use-system-ca support status (Joyee Cheung) #603400894dae9bc] - doc: add missing CAA type to dns.resolveAny() & dnsPromises.resolveAny() (Jimmy Leung) #58899c86a69f692] - doc: useanyforworker_threads.Worker'error' event argumenterr(Jonas Geiler) #603000c5031e233] - doc: update decorator documentation to reflect actual policy (Muhammad Salman Aziz) #60288b01f710175] - doc: document wildcard supported by tools/test.py (Joyee Cheung) #60265b4524dabcc] - doc: fixblob.bytes()heading level (XTY) #602525df02776e3] - doc: fix not working code example in vm docs (Artur Gawlik) #602246a4359a0b5] - doc: improve code snippet alternative of url.parse() using WHATWG URL (Steven) #60209ad06bee70d] - doc: use markdown when branch-diff major release (Rafael Gonzaga) #60179c0d4b11ed4] - doc: update teams in collaborator-guide.md and add links (Bart Louwers) #6006520b5ffcac3] - doc: update previous version links in BUILDING (Mike McCready) #61457de345ea3a3] - doc: correct description oferror.stackaccessor behavior (René) #61090d8418d9de7] - doc: fix link in--env-file=filesection (N. Bighetti) #605631107bda21e] - doc: fix v22 changelog after security release (Marco Ippolito) #6137142aab9469a] - doc: add missing history entry forsqlite.md(Antoine du Hamel) #60607deb6d5deff] - doc, module: change async customization hooks to experimental (Gerhard Stöbich) #60302c659add7d1] - doc,src,lib: clarify experimental status of Web Storage support (Antoine du Hamel) #60708dda95e91b9] - esm: avoid throw when module specifier is not url (Craig Macomber (Microsoft)) #61000912945be89] - events: remove redundant todo (Gürgün Dayıoğlu) #6059522e156eb10] - events: remove eventtarget custom inspect branding (Efe) #61128df6fd9b03f] - fs: remove duplicate getValidatedPath calls (Mert Can Altin) #613596ea3e4d850] - fs: fix errorOnExist behavior for directory copy in fs.cp (Nicholas Paun) #60946dd918b9980] - fs: fix ENOTDIR in globSync when file is treated as dir (sangwook) #612594908e67ba0] - fs: remove duplicate fd validation in sync functions (Mert Can Altin) #613614a27bce3d9] - fs: detect dot files when using globstar (Robin van Wijngaarden) #61012b0186ff65c] - fs: validate statfs path (Efe) #612306689775023] - gyp: aix: change gcc version detection so CXX="ccache g++" works (Stewart X Addison) #614645c4f4db663] - http: fix rawHeaders exceeding maxHeadersCount limit (Max Harari) #612857599e2eccd] - http: replace startsWith with strict equality (btea) #5939499a85213bf] - http: lazy allocate cookies array (Robert Nagy) #597347669e6a5ad] - http: fix http client leaky with double response (theanarkh) #60062f074c126a8] - http,https: fix double ERR_PROXY_TUNNEL emission (Shima Ryuhei) #60699d8ac368363] - http2: add diagnostics channels for client stream request body (Darshan Sen) #60480e26a7e464d] - http2: rename variable to additionalPseudoHeaders (Tobias Nießen) #602085df634f46e] - http2: validate initialWindowSize per HTTP/2 spec (Matteo Collina) #614022ccc9a6205] - http2: do not crash on mismatched ping buffer length (René) #601353e68a5f78a] - inspector: inspect HTTP response body (Chengzhong Wu) #60572a86ffa9a5d] - inspector: add network payload buffer size limits (Chengzhong Wu) #60236ea60ef5d74] - lib: fix typo inutil.jscomment (Taejin Kim) #613659d8d9322a4] - lib: fix TypeScript support check in jitless mode (sangwook) #61382fc26f5c78f] - lib: gbk decoder is gb18030 decoder per spec (Сковорода Никита Андреевич) #610993b87030012] - lib: enforce use ofURLParse(Antoine du Hamel) #610162a7479d4fc] - lib: useFastBufferfor empty buffer allocation (Gürgün Dayıoğlu) #605587cf4c43582] - lib: fix constructor in _errnoException stack tree (SeokHun) #60156f9d87fbfaa] - lib: fix typo in QuicSessionStats (SeokHun) #601558d26ccc652] - lib: remove redundant destroyHook checks (Gürgün Dayıoğlu) #60120705832a1be] - lib,src: isInsideNodeModules should test on the first non-internal frame (Chengzhong Wu) #609916f39ad190b] - meta: do not fast-track npm updates (Antoine du Hamel) #61475a6a0ff9486] - meta: fix typos in issue template config (Daijiro Wachi) #61399ec88c9b378] - meta: label v8 module PRs (René) #6132583143835de] - meta: bump step-security/harden-runner from 2.13.2 to 2.14.0 (dependabot[bot]) #612450802dc663a] - meta: bump actions/setup-node from 6.0.0 to 6.1.0 (dependabot[bot]) #61244587db55796] - meta: bump actions/cache from 4.3.0 to 5.0.1 (dependabot[bot]) #61243262c9d37a6] - meta: bump github/codeql-action from 4.31.6 to 4.31.9 (dependabot[bot]) #61241d9763b5afd] - meta: bump codecov/codecov-action from 5.5.1 to 5.5.2 (dependabot[bot]) #612400af73d1811] - meta: bump peter-evans/create-pull-request from 7.0.9 to 8.0.0 (dependabot[bot]) #612378be6afd239] - meta: move lukekarrys to emeritus (Node.js GitHub Bot) #60985c497de5c74] - meta: bump actions/setup-python from 6.0.0 to 6.1.0 (dependabot[bot]) #60927774920f169] - meta: bump github/codeql-action from 4.31.3 to 4.31.6 (dependabot[bot]) #60926ef3b1e5991] - meta: bump peter-evans/create-pull-request from 7.0.8 to 7.0.9 (dependabot[bot]) #609243ed667379f] - meta: bump github/codeql-action from 4.31.2 to 4.31.3 (dependabot[bot]) #607707c0cefb126] - meta: bump step-security/harden-runner from 2.13.1 to 2.13.2 (dependabot[bot]) #607695c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #607144f4dda2a18] - meta: bump actions/download-artifact from 5.0.0 to 6.0.0 (dependabot[bot]) #60532c436f8d57c] - meta: bump actions/upload-artifact from 4.6.2 to 5.0.0 (dependabot[bot]) #60531402d9f87a6] - meta: bump github/codeql-action from 3.30.5 to 4.31.2 (dependabot[bot]) #6053361be78e326] - meta: bump actions/setup-node from 5.0.0 to 6.0.0 (dependabot[bot]) #605297e4164a623] - meta: bump actions/stale from 10.0.0 to 10.1.0 (dependabot[bot]) #605281bf6e1d010] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #60325c66fc0e9cf] - meta: loop userland-migrations in deprecations (Chengzhong Wu) #60299e4be0791e7] - meta: callcreate-release-post.ymlpost release (Aviv Keller) #603668674f6527f] - module: preserve URL in the parent created by createRequire() (Joyee Cheung) #6097441db87a975] - msi: fix WiX warnings (Stefan Stojanovic) #60251884f313f40] - node-api: use Node-API in comments (Vladimir Morozov) #61320375164190b] - node-api: use local files for instanceof test (Vladimir Morozov) #60190972a1107c0] - os: freeze signals constant (Xavier Stouder) #61038e992057ab7] - perf_hooks: fix stack overflow error (Antoine du Hamel) #600840bb1814fdf] - repl: fix pasting after moving the cursor to the left (Ruben Bridgewater) #6047035a12fb996] - src: replaceranges::sortfor libc++13 compatibility on armhf (Rebroad) #61789dbf00d4664] - src: add missing override specifier to Clean() (Tobias Nießen) #61429140eba35d3] - src: cache context lookup in vectored io loops (Mert Can Altin) #6138793e7e1708b] - src: use C++ nullptr in webstorage (Tobias Nießen) #61407ef868447bc] - src: fix pointer alignment (jhofstee) #61336a96256524c] - src: dump snapshot source with node:generate_default_snapshot_source (Joyee Cheung) #61101ec051b9efd] - src: add HandleScope to edge loop in heap_utils (Mert Can Altin) #6088541749eb5d6] - src: remove redundant CHECK (Tobias Nießen) #6113057c81e5af3] - src: fix off-thread cert loading in bundled cert mode (Joyee Cheung) #607644b0616e024] - src: handle DER decoding errors from system certificates (Joyee Cheung) #6078793393371f9] - src: use static_cast instead of C-style cast (Michaël Zasso) #60868900445b655] - src: move Node-API version detection to where it is used (Anna Henningsen) #605128353a6da2a] - src: avoid C strings in more C++ exception throws (Anna Henningsen) #6059227c860c51f] - src: movenapi_addon_register_functonode_api_types.h(Anna Henningsen) #60512e0517752e7] - src: remove unconditional NAPI_EXPERIMENTAL in node.h (Chengzhong Wu) #6034521e2a52f8e] - src: clean up generic counter implementation (Anna Henningsen) #60447aed23cb8ca] - src: add enum handle for ToStringHelper + formatting (Burkov Egor) #568292e93650ebc] - src: fix timing of snapshot serialize callback (Joyee Cheung) #60434ece4acc18f] - src: add COUNT_GENERIC_USAGE utility for tests (Joyee Cheung) #6043431c8e9d9ff] - src: use cached primordials_string (Sohyeon Kim) #602557f0ffddc14] - src: implement Windows-1252 encoding support and update related tests (Mert Can Altin) #60893c2ba56d6b2] - src,permission: fix permission.has on empty param (Rafael Gonzaga) #60674e55a2b895a] - src,permission: add debug log on is_tree_granted (Rafael Gonzaga) #60668902a78b43c] - stream: fix isErrored/isWritable for WritableStreams (René) #60905221b77cf41] - stream: don't try to read more if reading (Robert Nagy) #6045446d12d826f] - test: skip strace test with shared openssl (Richard Lau) #6198752e6b01a44] - test: marktest-strace-openat-opensslas flaky (Antoine du Hamel) #619214d7468d0e0] - test: skip --build-sea tests on platforms where SEA is flaky (Joyee Cheung) #61504f604b7ae67] - test: fix flaky debugger test (Ryuhei Shima) #58324fc2dc4024b] - test: ensure removeListener event fires for once() listeners (sangwook) #601375fba382816] - test: delay writing the files only on macOS (Luigi Pinca) #6153285cc9e20e4] - test: asserts that import.meta.resolve invokes sync loader hooks (Chengzhong Wu) #6115813831685ca] - test: check util.parseArgs argv parsing with actual process execution (René) #61089ec4b722cb8] - test: remove unneccessary repl magic_mode tests (Dario Piotrowicz) #610535c811106bc] - test: skip sea tests on riscv64 (Stewart X Addison) #611114e4a631c07] - test: mark stringbytes-external-max flaky on AIX (Stewart X Addison) #609959af0787043] - test: update test426 fixtures (Rich Trott) #60982277f16d247] - test: skip SEA inspect test if inspector is not available (Livia Medeiros) #608727dfa8c96bf] - test: useassert.matchfor non-literal regexp tests (René) #6087941e6cd8ce5] - test: fix embedtest in debug windows (Vladimir Morozov) #60806f65147b226] - test: fix debug test crashes caused by sea tests (Vladimir Morozov) #60807a93dff9e92] - test: replace deprecated regex test assertions in http trailers test (Aditya Chopra) #60831f90d5b954f] - test: prefer major GC in cppgc-object teardown (sangwook) #60672e1645cc78d] - test: skip test that cause timeout on IBM i (SRAVANI GUNDEPALLI) #607004f23eba22f] - test: limit the concurrency of WPTRunner for RISC-V (Levi Zim) #60591c2bef6522b] - test: fix test-strace-openat-openssl for RISC-V (Levi Zim) #605884c03a7f864] - test: fix status when compiled without inspector (Antoine du Hamel) #602892ef146a074] - test: apply a delay towatch-mode-kill-signaltests (Joyee Cheung) #60610dc3000c504] - test: async iife in repl (Tony Gorez) #448785e06e84db1] - test: parallelize sea tests when there's enough disk space (Joyee Cheung) #60604940d2752bc] - test: only show overridden env in child process failures (Joyee Cheung) #60556558a5743c6] - test: add more logs to test-esm-loader-hooks-inspect-wait (Joyee Cheung) #6046610fac8de45] - test: mark stringbytes-external-exceed-max tests as flaky on AIX (Joyee Cheung) #605658bc84046be] - test: correct conditional secure heap flags test (Shelley Vohr) #60385ccc805f184] - test: fix flaky test-watch-mode-kill-signal-* (Joyee Cheung) #604431b8274453d] - test: capture stack trace in debugger timeout errors (Joyee Cheung) #604579fcf889279] - test: ensure assertions are reachable intest/async-hooks(Antoine du Hamel) #601507f5230333e] - test: increase debugger waitFor timeout on macOS (Chengzhong Wu) #603670e5ea3b795] - test: fix small compile warning in test_network_requests_buffer.cc (xiaocainiao633) #60281012780c7e8] - test: split test-runner-watch-mode-kill-signal (Joyee Cheung) #60298b53d35a8f8] - test: fix incorrect calculation in test-perf-hooks.js (Joyee Cheung) #60271b8ef464c08] - test: skip sea tests on x64 macOS (Joyee Cheung) #60250a3c4d905da] - test: move sea tests into test/sea (Joyee Cheung) #6025080bec9fd07] - test: skip tests that cause timeouts on IBM i (SRAVANI GUNDEPALLI) #601481d05b44c7c] - test: deflake test-fs-promises-watch-iterator (Luigi Pinca) #600608958096840] - test: deflaketest-repl-paste-big-data(Livia Medeiros) #60975e261a59ca4] - test: add newstartNewREPLSevertesting utility (Dario Piotrowicz) #59964d4a2d8aa8a] - test: skip failing tests when compiled without amaro (Yuki Okita) #608150e407a88bb] - test: skip failing test on macOS 15.7+ (Antoine du Hamel) #60419a253b7b6dc] - tools: switch to ARM runners on GHA jobs (Antoine du Hamel) #619038862c41494] - tools: avoid building twice in coverage jobs (Antoine du Hamel) #618997d11a22802] - tools: use ubuntu-slim runner in GHA (Antoine du Hamel) #61759d0e7d6cb89] - tools: use ubuntu-slim runner in GHA (Antoine du Hamel) #61734cf5ddd1811] - tools: use ubuntu-latest runner innotify-on-pushworkflow (Antoine du Hamel) #6174218bcf8e260] - tools: use ubuntu-slim runner in meta GitHub Actions (Tierney Cyren) #61663db76733b55] - tools: update gyp-next to 0.21.1 (Node.js GitHub Bot) #615281dd9d8a3b2] - tools: fix vcbuild lint-js-build (Vladimir Morozov) #61318ec67f8f9b5] - tools: only report commit validation failure on Slack (Antoine du Hamel) #611248e385c8c66] - tools: use sparse-checkout in linter jobs (Antoine du Hamel) #61123aed2e9c8eb] - tools: simplifynotify-on-push(Antoine du Hamel) #6105032680feefb] - tools: fix update-nghttp2 signature verification (Richard Lau) #61035c5f68f41e6] - tools: improve log output ofcreate-release-proposal(Antoine du Hamel) #6102832e0ae0ec7] - tools: fixvcbuild testwhen path contain spaces (stduhpf) #564819e0858e4a2] - tools: do not runtest-linuxworkflow for changes onvcbuild.bat(Antoine du Hamel) #60979fd656a79fc] - tools: disable some new cpplint rules before update (Michaël Zasso) #60901df4df52e67] - tools: don't fetch V8 deps in the source tree (Richard Lau) #60883e5c2fe8d6d] - tools: add temporal updater (Chengzhong Wu) #608287f031e097e] - tools: dump config.gypi as json (Chengzhong Wu) #607945e69488a5a] - tools: bump js-yaml from 4.1.0 to 4.1.1 in /tools/lint-md (dependabot[bot]) #607815119c50931] - tools: bump js-yaml from 4.1.0 to 4.1.1 in /tools/doc in the doc group (dependabot[bot]) #60766a4b073123d] - tools: remove unsupportedcooldownfrom Dependabot config (Antoine du Hamel) #60747a3df6b87bb] - tools: update sccache to v0.12.0 (Michaël Zasso) #607232efbd54a4a] - tools: update gyp-next to 0.21.0 (Node.js GitHub Bot) #60645bb7876e4f9] - tools: replace invalid expression in dependabot config (Riddhi) #60649e444e44d6a] - tools: skip unaffected GHA jobs for changes intest/internet(Antoine du Hamel) #60517a6a0ec107c] - tools: do not use short hashes for deps versioning to avoid collision (Antoine du Hamel) #60407c6e2eed65f] - tools: fix update-icu script (Michaël Zasso) #6052176fb3d123b] - tools: fix linter for semver-major release proposals (Antoine du Hamel) #60481f02889e24e] - tools: fix failing release-proposal linter for LTS transitions (Antoine du Hamel) #604658203df4432] - tools: remove undici from daily wpt.fyi job (Filip Skokan) #60444a58242b666] - tools: add lint rule to ensure assertions are reached (Antoine du Hamel) #6012558e3ef398f] - tools: update gyp-next to 0.20.5 (Node.js GitHub Bot) #60313996494482a] - tools: optimize wildcard execution in tools/test.py (Joyee Cheung) #60266cf84756d0d] - tools: use cooldown property correctly (Rafael Gonzaga) #601345469cb2651] - tools: validate release commit diff as part oflint-release-proposal(Antoine du Hamel) #614401b9eab4a1c] - tools,doc: fix format-md files list (Stefan Stojanovic) #61147b20d9c2ce7] - tools,doc: update JavaScript primitive types to match MDN Web Docs (JustApple) #6058131760b1beb] - typings: add typing for string_decoder (Taejin Kim) #61368d6b908917c] - typings: add missing properties and method in Worker (Woohyun Sung) #602571e8b6d5686] - typings: add missing properties in HTTPParser (Woohyun Sung) #6025727ae9b4a26] - typings: delete undefined property in ConfigBinding (Woohyun Sung) #60257f43c6434e2] - typings: add buffer internalBinding typing (방진혁) #60163e7f954f63a] - url: add fast path to getPathFromURL decoder (Gürgün Dayıoğlu) #60749c149b64473] - url: remove array.reduce usage (Gürgün Dayıoğlu) #607480bd291bff1] - util: optimize toASCIILower function using V8s native toLowerCase (Mert Can Altin) #61107bbc54b3c96] - util: limitinspectto only show own properties (Ruben Bridgewater) #6103278e5fa23c4] - util: fix parseArgs skipping positional arg with --eval and --print (azadgupta1) #60814f75ec19105] - util: assert getCallSites does not invoke Error.prepareStackTrace (Chengzhong Wu) #60922d77da9306c] - util: fix stylize of special properties in inspect (Ge Gao) #604793a4edc8f6d] - util: use more defensive code when inspecting error objects (Antoine du Hamel) #6013925c33af752] - util: mark special properties when inspecting them (Ruben Bridgewater) #601313f98b46716] - vm: make vm.Module.evaluate() conditionally synchronous (Joyee Cheung) #60205f64a691493] - win: upgrade Visual Studio workload from 2019 to 2022 (Jiawen Geng) #603188e04327954] - worker: update code examples fornode:worker_threadsmodule (fisker Cheung) #58264c4440dcc60] - worker: remove not implemented declarations (Artur Gawlik) #60655df4cc62954] - zlib: validate write_result array length (Ryuhei Shima) #61342v22.22.0: 2026-01-13, Version 22.22.0 'Jod' (LTS), @marco-ippolitoCompare Source
This is a security release.
Notable Changes
lib:
lib,permission:
src:
src,lib:
tls:
Commits
6badf4e6f4] - deps: update c-ares to v1.34.6 (Node.js GitHub Bot) #6099737509c3ff0] - deps: update undici to 6.23.0 (Matteo Collina) nodejs-private/node-private#791eb8e41f8db] - (CVE-2025-59465) lib: add TLSSocket default error handler (RafaelGSS) nodejs-private/node-private#797ebbf942a83] - (CVE-2025-55132) lib: disable futimes when permission model is enabled (RafaelGSS) nodejs-private/node-private#7486b4849583a] - (CVE-2025-55130) lib,permission: require full read and write to symlink APIs (RafaelGSS) nodejs-private/node-private#760ddadc31f09] - (CVE-2025-59466) src: rethrow stack overflow exceptions in async_hooks (Matteo Collina) nodejs-private/node-private#773d4d9f3915f] - (CVE-2025-55131) src,lib: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) nodejs-private/node-private#75925d6799df6] - (CVE-2026-21637) tls: route callback exceptions through error handlers (Matteo Collina) nodejs-private/node-private#796prometheus/prometheus (prom/prometheus)
v3.11.3: 3.11.3 / 2026-04-27Compare Source
This release fixes mutiple security issues.
We would like to thank the following people for the responsible disclosures:
Shadowbyte (4c1dr3aper) - Charlie Lewis for the Remote-Read snappy decode vulnerability.
Brett Gervasoni for the AzureAD OAuth
client_secretvulnerability.@iiihaiii and @Ngocnn97 for the Old UI XSS vulnerability.
[SECURITY] AzureAD remote write: Fix OAuth
client_secretbeing exposed in plaintext via/-/configendpoint. GHSA-wg65-39gg-5wfj / CVE-2026-42151 #18590[SECURITY] Remote-read: Reject snappy-compressed requests whose declared decoded length exceeds the decode limit. GHSA-8rm2-7qqf-34qm / CVE-2026-42154 #18584
[SECURITY] UI: Fix stored XSS via unescaped
lelabel values in old UI heatmap chart tick labels. GHSA-fw8g-cg8f-9j28 #18588v3.11.2: 3.11.2 / 2026-04-13Compare Source
This release has a fix for a Stored XSS vulnerability that can be triggered via crafted metric names and label values in Prometheus web UI tooltips and metrics explorer. Thanks to Duc Anh Nguyen from TinyxLab for reporting it.
health_filterfield for Health API filtering. #18499v3.11.1: 3.11.1 / 2026-04-07Compare Source
insecure: true. #18469v3.11.0: 3.11.0 / 2026-04-02Compare Source
__meta_hetzner_datacenterlabel is deprecated for the rolerobotbut kept for backward compatibility, use the__meta_hetzner_robot_datacenterlabel instead. For the rolehcloud, the label is deprecated and will stop working after the 1 July 2026. #17850__meta_hetzner_hcloud_datacenter_locationand__meta_hetzner_hcloud_datacenter_location_network_zonelabels are deprecated, use the__meta_hetzner_hcloud_locationand__meta_hetzner_hcloud_location_network_zonelabels instead. #17850prometheus_sd_last_update_timestamp_secondsmetric to track the last time a service discovery update was sent to consumers. #18194__meta_kubernetes_pod_deployment_name,__meta_kubernetes_pod_cronjob_nameand__meta_kubernetes_pod_job_name, respectively. #17774</and>/operators for trimming observations from native histograms. #17904histogram_quantilesvariadic function for computing multiple quantiles at once. #17285storage.tsdb.retention.percentageconfiguration to configure the maximum percent of disk usable for TSDB storage. #18080st-storagefeature flag. When enabled, Prometheus stores ingested start timestamps (ST, previously called Created Timestamp) from scrape or OTLP in the TSDB and Agent WAL, and exposes them via Remote Write 2. #18062xor2-encodingfeature flag for the new TSDB block float sample chunk encoding that is optimized for scraped data and allows encoding start timestamps. #18062external_idsupport for sigv4. #17916first_over_timeandts_of_first_over_timePromQL functions. #18318KahanAdd. #18252endpointoption, a regression from the AWS SDK v2 migration. #18133client_idis empty. #18323*DualStackEndpointSlices policies. #18192prometheus_remote_storage_sent_batch_duration_secondsmeasuring before the request was sent. #18214use-uncached-iofeature flag is set on unsupported environments. #18219v3.10.0: 3.10.0 / 2026-02-24Compare Source
Prometheus now offers a distroless Docker image variant alongside the default
busybox image. The distroless variant provides enhanced security with a minimal
base image, uses UID/GID 65532 (nonroot) instead of nobody, and removes the
VOLUME declaration. Both variants are available with
-busyboxand-distrolesstag suffixes (e.g.,
prom/prometheus:latest-busybox,prom/prometheus:latest-distroless).The busybox image remains the default with no suffix for backwards compatibility
(e.g.,
prom/prometheus:latestpoints to the busybox variant).For users migrating existing named volumes from the busybox image to the distroless variant, the ownership can be adjusted with:
Then, the container can be started with the old volume with:
User migrating from bind mounts might need to ajust permissions too, depending on their setup.
alertmanagerdimension to following metrics:prometheus_notifications_dropped_total,prometheus_notifications_queue_capacity,prometheus_notifications_queue_length. #16355/alertspage. #17611fill()/fill_left()/fill_right()binop modifiers for specifying default values for missing series. #17644/api/v1/openapi.yaml. #17825<URL>/debug/pprof/fgprof. #18027stale_series_compaction_thresholdin the config file. #16929remove_all_sdand individual service discoveries can be re-added with the build tagsenable_<sd name>_sd. Users can build a custom Prometheus with only the necessary SDs for a smaller binary size. #17736promql-duration-exprandpromql-extended-range-selectors. #17926.*-.*-.*. #17707/api/v1/targets/relabel_stepsin a single pass instead of re-running relabeling for each prefix. #17969X-Prometheus-Stoppingheader for/-/readyendpoint inNotReadystate. #17795info()function returning empty results when filtering by a label that exists on both the input metric andtarget_info. #17817__name__from OTLP attributes to prevent duplicate labels. #17917@modifier on empty ranges. #18020avg_over_timefor a single native histogram. #18058v3.9.1: 3.9.1 / 2026-01-07Compare Source
v3.9.0: 3.9.0 / 2026-01-06Compare Source
Note for users of Native Histograms
In version 3.9, Native Histograms is no longer experimental, and the feature flag
native-histogramhas no effect. You must now turn onthe config setting
scrape_native_histogramsto collect Native Histogram samples from exporters.Changelog
native-histogramfeature flag a no-op. Usescrape_native_histogramsconfig option instead. #17528start_timestampfield for unit tests. #17636--format seriesjsonoption totsdb dumpto output just series labels in JSON format. #13409--storage.tsdb.delay-compact-file.pathflag for better interoperability with Thanos. #17435--storage.tsdb.block-reload-intervalto configure TSDB Block Reload Interval. #16728prometheus_notifications_latency_histogram_secondsto complement the existing summary. #16637configlabel with job name for mostprometheus_sd_refreshmetrics. #17138prometheus_tsdb_sample_ooo_delta, the distribution of out-of-order samples in seconds. Collected for all samples, accepted or not. #17477_total. #17682ignoring()and non-empty grouping. #17643rate/increase/deltaof histograms results in a gauge histogram. #17608v3.8.1: 3.8.1 / 2025-12-16Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.
Update grafana/tempo:latest Docker digest to d82487fto Update docker minor+patch+digest updates5e7213109fto52c53fc729View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.