crypto: update root-certificates to 3.114 #59571

nodejs-github-bot · 2025-08-21T23:06:55Z

This is an automated update of root-certificates to NSS 3.114.

Certificates added:

TrustAsia TLS ECC Root CA
TrustAsia TLS RSA Root CA
SwissSign RSA TLS Root CA 2022 - 1

Certificates removed:

GlobalSign Root CA
Entrust.net Premium 2048 Secure Server CA
Baltimore CyberTrust Root
Comodo AAA Services root
XRamp Global CA Root
Go Daddy Class 2 CA
Starfield Class 2 CA

This is the certdata.txt[0] from NSS 3.114. This is the version of NSS that shipped in Firefox 142.0 on 2025-08-19. Certificates added: - TrustAsia TLS ECC Root CA - TrustAsia TLS RSA Root CA - SwissSign RSA TLS Root CA 2022 - 1 Certificates removed: - GlobalSign Root CA - Entrust.net Premium 2048 Secure Server CA - Baltimore CyberTrust Root - Comodo AAA Services root - XRamp Global CA Root - Go Daddy Class 2 CA - Starfield Class 2 CA [0] https://github.com/raw/nss-dev/nss/refs/tags/NSS_3_114_RTM/lib/ckfw/builtins/certdata.txt

github-actions · 2025-08-21T23:07:06Z

The notable-change PRs with changes that should be highlighted in changelogs. label has been added by @nodejs-github-bot.

Please suggest a text for the release notes if you'd like to include a more detailed summary, then proceed to update the PR description with the text or a link to the notable change suggested text comment. Otherwise, the commit will be placed in the Other Notable Changes section.

codecov · 2025-08-21T23:59:05Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 89.85%. Comparing base (553f236) to head (a9bc648).
⚠️ Report is 16 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #59571      +/-   ##
==========================================
- Coverage   89.88%   89.85%   -0.03%     
==========================================
  Files         667      667              
  Lines      195320   195320              
  Branches    38352    38350       -2     
==========================================
- Hits       175561   175503      -58     
- Misses      12216    12265      +49     
- Partials     7543     7552       +9

see 26 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

nodejs-github-bot · 2025-08-22T01:51:20Z

CI: https://ci.nodejs.org/job/node-test-pull-request/68810/

nodejs-github-bot · 2025-08-23T23:12:45Z

Landed in 28e6ba8

This is the certdata.txt[0] from NSS 3.114. This is the version of NSS that shipped in Firefox 142.0 on 2025-08-19. Certificates added: - TrustAsia TLS ECC Root CA - TrustAsia TLS RSA Root CA - SwissSign RSA TLS Root CA 2022 - 1 Certificates removed: - GlobalSign Root CA - Entrust.net Premium 2048 Secure Server CA - Baltimore CyberTrust Root - Comodo AAA Services root - XRamp Global CA Root - Go Daddy Class 2 CA - Starfield Class 2 CA [0] https://github.com/raw/nss-dev/nss/refs/tags/NSS_3_114_RTM/lib/ckfw/builtins/certdata.txt PR-URL: #59571 Reviewed-By: Richard Lau <[email protected]> Reviewed-By: Michaël Zasso <[email protected]> Reviewed-By: Luigi Pinca <[email protected]>

Notable changes: crypto: * (SEMVER-MINOR) add AES-OCB Web Cryptography algorithm (Filip Skokan) #59539 * update root certificates to NSS 3.114 (Node.js GitHub Bot) #59571 * (SEMVER-MINOR) support ML-KEM in Web Cryptography (Filip Skokan) #59569 * (SEMVER-MINOR) support ML-KEM, DHKEM, and RSASVE key encapsulation mechanisms (Filip Skokan) #59491 * (SEMVER-MINOR) add argon2() and argon2Sync() methods (Ranieri Althoff) #50353 * (SEMVER-MINOR) support ML-DSA spki/pkcs8 key formats in Web Cryptography (Filip Skokan) #59365 * (SEMVER-MINOR) subject some algorithms in Web Cryptography on BoringSSL absence (Filip Skokan) #59365 * (SEMVER-MINOR) add ChaCha20-Poly1305 Web Cryptography algorithm (Filip Skokan) #59365 * (SEMVER-MINOR) add subtle.getPublicKey() utility function in Web Cryptography (Filip Skokan) #59365 * (SEMVER-MINOR) add SHA-3 Web Cryptography digest algorithms (Filip Skokan) #59365 * (SEMVER-MINOR) add SHAKE Web Cryptography digest algorithms (Filip Skokan) #59365 * (SEMVER-MINOR) add SubtleCrypto.supports feature detection in Web Cryptography (Filip Skokan) #59365 * (SEMVER-MINOR) support ML-DSA in Web Cryptography (Filip Skokan) #59365 * (SEMVER-MINOR) support ML-KEM KeyObject (Filip Skokan) #59461 doc: * (SEMVER-MINOR) compress Web Cryptography Algorithm matrix (Filip Skokan) #59365 http: * (SEMVER-MINOR) add Agent.agentKeepAliveTimeoutBuffer option (Haram Jeong) #59315 http2: * (SEMVER-MINOR) add support for raw header arrays in h2Stream.respond() (Tim Perry) #59455 lib: * (SEMVER-MINOR) refactor kSupportedAlgorithms (Filip Skokan) #59365 sea: * (SEMVER-MINOR) support execArgv in sea config (Joyee Cheung) #59314 stream: * (SEMVER-MINOR) add brotli support to CompressionStream and DecompressionStream (Matthew Aitken) #59464 test: * (SEMVER-MINOR) add Web Cryptography wrap/unwrap vectors (Filip Skokan) #59365 * (SEMVER-MINOR) cleanup test-webcrypto-supports (Filip Skokan) #59365 PR-URL: #59629

Notable changes: crypto: * update root certificates to NSS 3.114 (Node.js GitHub Bot) #59571 * (SEMVER-MINOR) add AES-OCB Web Cryptography algorithm (Filip Skokan) #59539 * (SEMVER-MINOR) support ML-KEM in Web Cryptography (Filip Skokan) #59569 * (SEMVER-MINOR) support ML-KEM, DHKEM, and RSASVE key encapsulation mechanisms (Filip Skokan) #59491 * (SEMVER-MINOR) add argon2() and argon2Sync() methods (Ranieri Althoff) #50353 * (SEMVER-MINOR) support ML-DSA spki/pkcs8 key formats in Web Cryptography (Filip Skokan) #59365 * (SEMVER-MINOR) add ChaCha20-Poly1305 Web Cryptography algorithm (Filip Skokan) #59365 * (SEMVER-MINOR) add subtle.getPublicKey() utility function in Web Cryptography (Filip Skokan) #59365 * (SEMVER-MINOR) add SHA-3 Web Cryptography digest algorithms (Filip Skokan) #59365 * (SEMVER-MINOR) add SHAKE Web Cryptography digest algorithms (Filip Skokan) #59365 * (SEMVER-MINOR) add SubtleCrypto.supports feature detection in Web Cryptography (Filip Skokan) #59365 * (SEMVER-MINOR) support ML-DSA in Web Cryptography (Filip Skokan) #59365 * (SEMVER-MINOR) support ML-KEM KeyObject (Filip Skokan) #59461 http: * (SEMVER-MINOR) add Agent.agentKeepAliveTimeoutBuffer option (Haram Jeong) #59315 http2: * (SEMVER-MINOR) add support for raw header arrays in h2Stream.respond() (Tim Perry) #59455 sea: * (SEMVER-MINOR) support execArgv in sea config (Joyee Cheung) #59314 stream: * (SEMVER-MINOR) add brotli support to CompressionStream and DecompressionStream (Matthew Aitken) #59464 PR-URL: #59629

Notable changes: crypto: * update root certificates to NSS 3.114 (Node.js GitHub Bot) nodejs#59571 * (SEMVER-MINOR) add AES-OCB Web Cryptography algorithm (Filip Skokan) nodejs#59539 * (SEMVER-MINOR) support ML-KEM in Web Cryptography (Filip Skokan) nodejs#59569 * (SEMVER-MINOR) support ML-KEM, DHKEM, and RSASVE key encapsulation mechanisms (Filip Skokan) nodejs#59491 * (SEMVER-MINOR) add argon2() and argon2Sync() methods (Ranieri Althoff) nodejs#50353 * (SEMVER-MINOR) support ML-DSA spki/pkcs8 key formats in Web Cryptography (Filip Skokan) nodejs#59365 * (SEMVER-MINOR) add ChaCha20-Poly1305 Web Cryptography algorithm (Filip Skokan) nodejs#59365 * (SEMVER-MINOR) add subtle.getPublicKey() utility function in Web Cryptography (Filip Skokan) nodejs#59365 * (SEMVER-MINOR) add SHA-3 Web Cryptography digest algorithms (Filip Skokan) nodejs#59365 * (SEMVER-MINOR) add SHAKE Web Cryptography digest algorithms (Filip Skokan) nodejs#59365 * (SEMVER-MINOR) add SubtleCrypto.supports feature detection in Web Cryptography (Filip Skokan) nodejs#59365 * (SEMVER-MINOR) support ML-DSA in Web Cryptography (Filip Skokan) nodejs#59365 * (SEMVER-MINOR) support ML-KEM KeyObject (Filip Skokan) nodejs#59461 http: * (SEMVER-MINOR) add Agent.agentKeepAliveTimeoutBuffer option (Haram Jeong) nodejs#59315 http2: * (SEMVER-MINOR) add support for raw header arrays in h2Stream.respond() (Tim Perry) nodejs#59455 sea: * (SEMVER-MINOR) support execArgv in sea config (Joyee Cheung) nodejs#59314 stream: * (SEMVER-MINOR) add brotli support to CompressionStream and DecompressionStream (Matthew Aitken) nodejs#59464 PR-URL: nodejs#59629

This MR contains the following updates: | Package | Update | Change | |---|---|---| | [node](https://nodejs.org) ([source](https://github.com/nodejs/node)) | minor | `24.6.0` -> `24.7.0` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>nodejs/node (node)</summary> ### [`v24.7.0`](https://github.com/nodejs/node/releases/tag/v24.7.0): 2025-08-27, Version 24.7.0 (Current), @targos [Compare Source](nodejs/node@v24.6.0...v24.7.0) ##### Notable Changes ##### Post-Quantum Cryptography in `node:crypto` OpenSSL 3.5 on 24.x kicked off post-quantum cryptography efforts in Node.js by allowing use of NIST's post-quantum cryptography standards for future-proofing applications against quantum computing threats. The following post-quantum algorithms are now available in `node:crypto`: - ML-KEM (FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard) through new `crypto.encapsulate()` and `crypto.decapsulate()` methods. - ML-DSA (FIPS 204, Module-Lattice-Based Digital Signature Standard) in the existing `crypto.sign()` and `crypto.verify()` methods. Contributed by Filip Skokan in [#59259](nodejs/node#59259) and [#59491](nodejs/node#59491). ##### Modern Algorithms in Web Cryptography API The second substantial [extension to the Web Cryptography API](https://wicg.github.io/webcrypto-modern-algos/) (`globalThis.crypto.subtle`) was recently accepted for incubation by WICG. The following algorithms and methods from this extension are now available in the Node.js Web Cryptography API implementation: - AES-OCB - ChaCha20-Poly1305 - ML-DSA - ML-KEM - SHA-3 - SHAKE - `subtle.getPublicKey()` - `SubtleCrypto.supports()` - ... with more coming in future releases. Contributed by Filip Skokan in [#59365](nodejs/node#59365), [#59569](nodejs/node#59569), [#59461](nodejs/node#59461), and [#59539](nodejs/node#59539). ##### Node.js execution argument support in single executable applications The single executable application configuration now supports additional fields to specify Node.js execution arguments and control how they can be extended when the application is run. - `execArgv` takes an array of strings for the execution arguments to be used. - `execArgvExtension` takes one of the following values: - `"none"`: No additional execution arguments are allowed. - `"cli"`: Additional execution arguments can be provided via a special command-line flag `--node-options="--flag1 --flag2=value"` at run time. - `"env"` (default): Additional execution arguments can be provided via the `NODE_OPTIONS` environment variable at run time. For example, with the following configuration: ```json { "main": "/path/to/bundled/script.js", "output": "/path/to/write/the/generated/blob.blob", "execArgv": ["--no-warnings"], "execArgvExtension": "cli", } ``` If the generated single executable application is named `sea`, then running: ```console sea --node-options="--max-old-space-size=4096" user-arg1 user-arg2 ``` Would be equivalent to running: ```console node --no-warnings --max-old-space-size=4096 /path/to/bundled/script.js user-arg1 user-arg2 ``` Contributed by Joyee Cheung in [#59314](nodejs/node#59314) and [#59560](nodejs/node#59560). ##### Root certificates updated to NSS 3.114 Certificates added: - TrustAsia TLS ECC Root CA - TrustAsia TLS RSA Root CA - SwissSign RSA TLS Root CA 2022 - 1 Certificates removed: - GlobalSign Root CA - Entrust.net Premium 2048 Secure Server CA - Baltimore CyberTrust Root - Comodo AAA Services root - XRamp Global CA Root - Go Daddy Class 2 CA - Starfield Class 2 CA ##### Other Notable Changes - \[[`d3afc63c44`](nodejs/node@d3afc63c44)] - **(SEMVER-MINOR)** **crypto**: add argon2() and argon2Sync() methods (Ranieri Althoff) [#50353](nodejs/node#50353) - \[[`6ae202fcdf`](nodejs/node@6ae202fcdf)] - **(SEMVER-MINOR)** **http**: add Agent.agentKeepAliveTimeoutBuffer option (Haram Jeong) [#59315](nodejs/node#59315) - \[[`dafee05358`](nodejs/node@dafee05358)] - **(SEMVER-MINOR)** **http2**: add support for raw header arrays in h2Stream.respond() (Tim Perry) [#59455](nodejs/node#59455) - \[[`8dc6f5b696`](nodejs/node@8dc6f5b696)] - **(SEMVER-MINOR)** **stream**: add brotli support to CompressionStream and DecompressionStream (Matthew Aitken) [#59464](nodejs/node#59464) ##### Commits - \[[`0fa22cbf7c`](nodejs/node@0fa22cbf7c)] - **benchmark**: calibrate config v8/serialize.js (Rafael Gonzaga) [#59586](nodejs/node#59586) - \[[`f5ece45b45`](nodejs/node@f5ece45b45)] - **benchmark**: reduce readfile-permission-enabled config (Rafael Gonzaga) [#59589](nodejs/node#59589) - \[[`8ebd4f4434`](nodejs/node@8ebd4f4434)] - **benchmark**: calibrate length of util.diff (Rafael Gonzaga) [#59588](nodejs/node#59588) - \[[`7dee3ffd14`](nodejs/node@7dee3ffd14)] - **benchmark**: reflect current OpenSSL in crypto key benchmarks (Filip Skokan) [#59459](nodejs/node#59459) - \[[`027b861ca1`](nodejs/node@027b861ca1)] - **benchmark, test**: replace CRLF variable with string literal (Lee Jiho) [#59466](nodejs/node#59466) - \[[`89dd770889`](nodejs/node@89dd770889)] - **build**: do not set `-mminimal-toc` with `clang` (Richard Lau) [#59484](nodejs/node#59484) - \[[`e13de4542f`](nodejs/node@e13de4542f)] - **child\_process**: remove unsafe array iteration (hotpineapple) [#59347](nodejs/node#59347) - \[[`89fe63551e`](nodejs/node@89fe63551e)] - **crypto**: load system CA certificates off thread (Joyee Cheung) [#59550](nodejs/node#59550) - \[[`152c5ef518`](nodejs/node@152c5ef518)] - **(SEMVER-MINOR)** **crypto**: add AES-OCB Web Cryptography algorithm (Filip Skokan) [#59539](nodejs/node#59539) - \[[`c6c418343d`](nodejs/node@c6c418343d)] - **crypto**: update root certificates to NSS 3.114 (Node.js GitHub Bot) [#59571](nodejs/node#59571) - \[[`18a2ee5b6c`](nodejs/node@18a2ee5b6c)] - **(SEMVER-MINOR)** **crypto**: support ML-KEM in Web Cryptography (Filip Skokan) [#59569](nodejs/node#59569) - \[[`72937e5144`](nodejs/node@72937e5144)] - **crypto**: require HMAC key length with SHA-3 hashes in Web Cryptography (Filip Skokan) [#59567](nodejs/node#59567) - \[[`b7383186c7`](nodejs/node@b7383186c7)] - **crypto**: fix subtle.getPublicKey error for secret type key inputs (Filip Skokan) [#59558](nodejs/node#59558) - \[[`2d05c046db`](nodejs/node@2d05c046db)] - **crypto**: return cached copies from CryptoKey algorithm and usages getters (Filip Skokan) [#59538](nodejs/node#59538) - \[[`207ffbeb07`](nodejs/node@207ffbeb07)] - **crypto**: use CryptoKey internal slots in Web Cryptography (Filip Skokan) [#59538](nodejs/node#59538) - \[[`4276516781`](nodejs/node@4276516781)] - **crypto**: normalize RsaHashedKeyParams publicExponent (Filip Skokan) [#59538](nodejs/node#59538) - \[[`14741539a7`](nodejs/node@14741539a7)] - **(SEMVER-MINOR)** **crypto**: support ML-KEM, DHKEM, and RSASVE key encapsulation mechanisms (Filip Skokan) [#59491](nodejs/node#59491) - \[[`d3afc63c44`](nodejs/node@d3afc63c44)] - **(SEMVER-MINOR)** **crypto**: add argon2() and argon2Sync() methods (Ranieri Althoff) [#50353](nodejs/node#50353) - \[[`4fe383e45a`](nodejs/node@4fe383e45a)] - **(SEMVER-MINOR)** **crypto**: support ML-DSA spki/pkcs8 key formats in Web Cryptography (Filip Skokan) [#59365](nodejs/node#59365) - \[[`a95386fbf9`](nodejs/node@a95386fbf9)] - **(SEMVER-MINOR)** **crypto**: subject some algorithms in Web Cryptography on BoringSSL absence (Filip Skokan) [#59365](nodejs/node#59365) - \[[`3f47a2fb63`](nodejs/node@3f47a2fb63)] - **(SEMVER-MINOR)** **crypto**: add ChaCha20-Poly1305 Web Cryptography algorithm (Filip Skokan) [#59365](nodejs/node#59365) - \[[`6fcce9058a`](nodejs/node@6fcce9058a)] - **(SEMVER-MINOR)** **crypto**: add subtle.getPublicKey() utility function in Web Cryptography (Filip Skokan) [#59365](nodejs/node#59365) - \[[`76cde76429`](nodejs/node@76cde76429)] - **(SEMVER-MINOR)** **crypto**: add SHA-3 Web Cryptography digest algorithms (Filip Skokan) [#59365](nodejs/node#59365) - \[[`247d017501`](nodejs/node@247d017501)] - **(SEMVER-MINOR)** **crypto**: add SHAKE Web Cryptography digest algorithms (Filip Skokan) [#59365](nodejs/node#59365) - \[[`f4fbcca5ce`](nodejs/node@f4fbcca5ce)] - **(SEMVER-MINOR)** **crypto**: add SubtleCrypto.supports feature detection in Web Cryptography (Filip Skokan) [#59365](nodejs/node#59365) - \[[`a55382214f`](nodejs/node@a55382214f)] - **(SEMVER-MINOR)** **crypto**: support ML-DSA in Web Cryptography (Filip Skokan) [#59365](nodejs/node#59365) - \[[`c38988c860`](nodejs/node@c38988c860)] - **crypto**: fix EVPKeyCtxPointer::publicCheck() (Tobias Nießen) [#59471](nodejs/node#59471) - \[[`61c3bcdc56`](nodejs/node@61c3bcdc56)] - **(SEMVER-MINOR)** **crypto**: support ML-KEM KeyObject (Filip Skokan) [#59461](nodejs/node#59461) - \[[`0821b446fb`](nodejs/node@0821b446fb)] - **deps**: update undici to 7.14.0 (Node.js GitHub Bot) [#59507](nodejs/node#59507) - \[[`b3af17c065`](nodejs/node@b3af17c065)] - **deps**: V8: cherry-pick [`7b91e3e`](nodejs/node@7b91e3e2cbaf) (Milad Fa) [#59485](nodejs/node#59485) - \[[`9b69baf146`](nodejs/node@9b69baf146)] - **deps**: V8: cherry-pick [`59d52e3`](nodejs/node@59d52e311bb1) (Milad Fa) [#59485](nodejs/node#59485) - \[[`b4f202c2f1`](nodejs/node@b4f202c2f1)] - **doc**: improve `sqlite.backup()` progress/fulfillment documentation (René) [#59598](nodejs/node#59598) - \[[`40b217a2f9`](nodejs/node@40b217a2f9)] - **doc**: clarify experimental platform vulnerability policy (Matteo Collina) [#59591](nodejs/node#59591) - \[[`cf84fffea5`](nodejs/node@cf84fffea5)] - **doc**: link to `TypedArray.from()` in signature (Aviv Keller) [#59226](nodejs/node#59226) - \[[`4bf6ed0bf5`](nodejs/node@4bf6ed0bf5)] - **doc**: fix typos in `environment_variables.md` (PhistucK) [#59536](nodejs/node#59536) - \[[`1784c35a49`](nodejs/node@1784c35a49)] - **doc**: add security incident reponse plan (Rafael Gonzaga) [#59470](nodejs/node#59470) - \[[`b962560240`](nodejs/node@b962560240)] - **doc**: clarify maxRSS unit in `process.resourceUsage()` (Alex Yang) [#59511](nodejs/node#59511) - \[[`e6a6cdb9df`](nodejs/node@e6a6cdb9df)] - **doc**: add missing Zstd strategy constants (RANDRIAMANANTENA Narindra Tiana Annaick) [#59312](nodejs/node#59312) - \[[`a6a31cb467`](nodejs/node@a6a31cb467)] - **(SEMVER-MINOR)** **doc**: compress Web Cryptography Algorithm matrix (Filip Skokan) [#59365](nodejs/node#59365) - \[[`8f8960cfcb`](nodejs/node@8f8960cfcb)] - **doc**: fix the version tls.DEFAULT\_CIPHERS was added (Allon Murienik) [#59247](nodejs/node#59247) - \[[`9e76089f1a`](nodejs/node@9e76089f1a)] - **doc**: clarify glob's exclude option behavior (hotpineapple) [#59245](nodejs/node#59245) - \[[`dd5f835af7`](nodejs/node@dd5f835af7)] - **doc**: add RafaelGSS as performance strategic lead (Rafael Gonzaga) [#59445](nodejs/node#59445) - \[[`2b7a7a525e`](nodejs/node@2b7a7a525e)] - **doc,crypto**: add supported asymmetric key types section (Filip Skokan) [#59492](nodejs/node#59492) - \[[`2fafe4c3bb`](nodejs/node@2fafe4c3bb)] - **esm**: link modules synchronously when no async loader hooks are used (Joyee Cheung) [#59519](nodejs/node#59519) - \[[`5347c4997a`](nodejs/node@5347c4997a)] - **esm**: show race error message for inner module job race (Joyee Cheung) [#59519](nodejs/node#59519) - \[[`b56d8af2fe`](nodejs/node@b56d8af2fe)] - **esm**: sync-ify module translation (Joyee Cheung) [#59453](nodejs/node#59453) - \[[`b4a23d6a69`](nodejs/node@b4a23d6a69)] - **http**: trim off brackets from IPv6 addresses with string operations (Krishnadas PC) [#59420](nodejs/node#59420) - \[[`6ae202fcdf`](nodejs/node@6ae202fcdf)] - **(SEMVER-MINOR)** **http**: add Agent.agentKeepAliveTimeoutBuffer option (Haram Jeong) [#59315](nodejs/node#59315) - \[[`dafee05358`](nodejs/node@dafee05358)] - **(SEMVER-MINOR)** **http2**: add support for raw header arrays in h2Stream.respond() (Tim Perry) [#59455](nodejs/node#59455) - \[[`b7ea39d860`](nodejs/node@b7ea39d860)] - **http2**: report sent headers object in client stream dcs (Darshan Sen) [#59419](nodejs/node#59419) - \[[`ebe9272dae`](nodejs/node@ebe9272dae)] - **inspector**: initial support websocket inspection (Shima Ryuhei) [#59404](nodejs/node#59404) - \[[`b35041c7dc`](nodejs/node@b35041c7dc)] - **inspector**: prevent propagation of promise hooks to noPromise hooks (Shima Ryuhei) [#58841](nodejs/node#58841) - \[[`fe7176d7c6`](nodejs/node@fe7176d7c6)] - **lib**: do not modify prototype deprecated asyncResource (encore) (Szymon Łągiewka) [#59518](nodejs/node#59518) - \[[`93fc80a1e2`](nodejs/node@93fc80a1e2)] - **(SEMVER-MINOR)** **lib**: refactor kSupportedAlgorithms (Filip Skokan) [#59365](nodejs/node#59365) - \[[`9a12f71ad9`](nodejs/node@9a12f71ad9)] - **lib**: simplify IPv6 checks in isLoopback() (Krishnadas) [#59375](nodejs/node#59375) - \[[`566fb04c82`](nodejs/node@566fb04c82)] - **meta**: update devcontainer to the latest schema (Aviv Keller) [#54347](nodejs/node#54347) - \[[`389a24bbff`](nodejs/node@389a24bbff)] - **module**: allow overriding linked requests for a ModuleWrap (Chengzhong Wu) [#59527](nodejs/node#59527) - \[[`7880978fe3`](nodejs/node@7880978fe3)] - **module**: correctly detect top-level await in ambiguous contexts (Shima Ryuhei) [#58646](nodejs/node#58646) - \[[`99128d9244`](nodejs/node@99128d9244)] - **node-api**: link to other programming language bindings (Chengzhong Wu) [#59516](nodejs/node#59516) - \[[`65c870e6cb`](nodejs/node@65c870e6cb)] - **node-api**: clarify enum value ABI stability (Chengzhong Wu) [#59085](nodejs/node#59085) - \[[`352d63541a`](nodejs/node@352d63541a)] - **sea**: implement execArgvExtension (Joyee Cheung) [#59560](nodejs/node#59560) - \[[`c6e3d5d98d`](nodejs/node@c6e3d5d98d)] - **(SEMVER-MINOR)** **sea**: support execArgv in sea config (Joyee Cheung) [#59314](nodejs/node#59314) - \[[`e7084df4db`](nodejs/node@e7084df4db)] - **sqlite**: add sqlite-type symbol for DatabaseSync (Alex Yang) [#59405](nodejs/node#59405) - \[[`e2b6bdc640`](nodejs/node@e2b6bdc640)] - **sqlite**: handle ?NNN parameters as positional (Edy Silva) [#59350](nodejs/node#59350) - \[[`99e4a12731`](nodejs/node@99e4a12731)] - **sqlite**: avoid useless call to FromMaybe() (Tobias Nießen) [#59490](nodejs/node#59490) - \[[`dfd4962e5f`](nodejs/node@dfd4962e5f)] - **src**: enforce assumptions in FIXED\_ONE\_BYTE\_STRING (Tobias Nießen) [#58155](nodejs/node#58155) - \[[`93a368df04`](nodejs/node@93a368df04)] - **src**: use simdjson to parse --snapshot-config (Joyee Cheung) [#59473](nodejs/node#59473) - \[[`716750fcf8`](nodejs/node@716750fcf8)] - **src**: fix order of CHECK\_NOT\_NULL/dereference (Tobias Nießen) [#59487](nodejs/node#59487) - \[[`44a8ecf8d4`](nodejs/node@44a8ecf8d4)] - **src**: assert memory calc for max-old-space-size-percentage (Asaf Federman) [#59460](nodejs/node#59460) - \[[`3462b46fca`](nodejs/node@3462b46fca)] - **src**: use simdjson::pad (0hm☘️) [#59391](nodejs/node#59391) - \[[`3e1551d845`](nodejs/node@3e1551d845)] - **src**: move shared\_ptr objects in KeyObjectData (Tobias Nießen) [#59472](nodejs/node#59472) - \[[`c022c1f85a`](nodejs/node@c022c1f85a)] - **src**: add internal GetOptionsAsFlags (Pietro Marchini) [#59138](nodejs/node#59138) - \[[`c0f08454a3`](nodejs/node@c0f08454a3)] - **src**: iterate metadata version entries with std::array (Chengzhong Wu) [#57866](nodejs/node#57866) - \[[`f87836f3ae`](nodejs/node@f87836f3ae)] - **src**: internalize `v8::ConvertableToTraceFormat` in traces (Chengzhong Wu) [#57866](nodejs/node#57866) - \[[`852b8e46d8`](nodejs/node@852b8e46d8)] - **src**: remove duplicate assignment of `O_EXCL` in node\_constants.cc (Daniel Osvaldo R) [#59049](nodejs/node#59049) - \[[`64ffde608f`](nodejs/node@64ffde608f)] - **src**: add Intel CET properties to large\_pages.S (tjuhaszrh) [#59363](nodejs/node#59363) - \[[`823dce32ec`](nodejs/node@823dce32ec)] - **src**: update OpenSSL pqc checks (Filip Skokan) [#59436](nodejs/node#59436) - \[[`8dc6f5b696`](nodejs/node@8dc6f5b696)] - **(SEMVER-MINOR)** **stream**: add brotli support to CompressionStream and DecompressionStream (Matthew Aitken) [#59464](nodejs/node#59464) - \[[`b2b8383755`](nodejs/node@b2b8383755)] - **test**: use mustSucceed in test-repl-tab-complete-import (Sohyeon Kim) [#59368](nodejs/node#59368) - \[[`e3ad5cc2c6`](nodejs/node@e3ad5cc2c6)] - **test**: skip sea tests on Linux ppc64le (Richard Lau) [#59563](nodejs/node#59563) - \[[`f78f47ca5a`](nodejs/node@f78f47ca5a)] - **test**: support standalone env comment in tests (Pietro Marchini) [#59546](nodejs/node#59546) - \[[`0e8bc2c7ac`](nodejs/node@0e8bc2c7ac)] - **test**: rename test-net-server-drop-connections-in-cluster.js to -http- (Meghan Denny) [#59532](nodejs/node#59532) - \[[`ed339580af`](nodejs/node@ed339580af)] - **test**: lazy-load internalTTy (Pietro Marchini) [#59517](nodejs/node#59517) - \[[`fe86bc6da8`](nodejs/node@fe86bc6da8)] - **test**: fix `test-setproctitle` status when `ps` is not available (Antoine du Hamel) [#59523](nodejs/node#59523) - \[[`e517792973`](nodejs/node@e517792973)] - **test**: add parseTestMetadata support (Pietro Marchini) [#59503](nodejs/node#59503) - \[[`31092972d6`](nodejs/node@31092972d6)] - **test**: update WPT for WebCryptoAPI to [`ff26d9b`](nodejs/node@ff26d9b307) (Node.js GitHub Bot) [#59497](nodejs/node#59497) - \[[`16afd103cc`](nodejs/node@16afd103cc)] - **(SEMVER-MINOR)** **test**: add Web Cryptography wrap/unwrap vectors (Filip Skokan) [#59365](nodejs/node#59365) - \[[`5598baf34e`](nodejs/node@5598baf34e)] - **(SEMVER-MINOR)** **test**: cleanup test-webcrypto-supports (Filip Skokan) [#59365](nodejs/node#59365) - \[[`e7809d6ddb`](nodejs/node@e7809d6ddb)] - **test**: make test-debug-process locale-independent (BCD1me) [#59254](nodejs/node#59254) - \[[`ca7856e73c`](nodejs/node@ca7856e73c)] - **test**: mark test-wasi-pthread as flaky (Joyee Cheung) [#59488](nodejs/node#59488) - \[[`0ecd82197f`](nodejs/node@0ecd82197f)] - **test**: split test-wasi.js (Joyee Cheung) [#59488](nodejs/node#59488) - \[[`0930c218d6`](nodejs/node@0930c218d6)] - **test**: deflake connection refused proxy tests (Joyee Cheung) [#59476](nodejs/node#59476) - \[[`7f457f886a`](nodejs/node@7f457f886a)] - **test**: use case-insensitive path checking on Windows in fs.cpSync tests (Joyee Cheung) [#59475](nodejs/node#59475) - \[[`37809115f9`](nodejs/node@37809115f9)] - **test**: add missing hasPostData in test-inspector-emit-protocol-event (Shima Ryuhei) [#59412](nodejs/node#59412) - \[[`f4722b1672`](nodejs/node@f4722b1672)] - **test**: refactor error checks to use assert.ifError/mustSucceed (Sohyeon Kim) [#59424](nodejs/node#59424) - \[[`9ff71a672d`](nodejs/node@9ff71a672d)] - **test**: fix typos (Lee Jiho) [#59330](nodejs/node#59330) - \[[`9a7700da62`](nodejs/node@9a7700da62)] - **test**: skip test-watch-mode inspect when no inspector (James M Snell) [#59440](nodejs/node#59440) - \[[`e964c4334e`](nodejs/node@e964c4334e)] - **test\_runner**: do not error when getting `fullName` of root context (René) [#59377](nodejs/node#59377) - \[[`e076f7857c`](nodejs/node@e076f7857c)] - **test\_runner**: add option to rerun only failed tests (Moshe Atlow) [#59443](nodejs/node#59443) - \[[`eb8b1939a4`](nodejs/node@eb8b1939a4)] - **test\_runner**: fix isSkipped check in junit (Sungwon) [#59414](nodejs/node#59414) - \[[`4e02ea1c52`](nodejs/node@4e02ea1c52)] - **tools**: update gyp-next to 0.20.3 (Node.js GitHub Bot) [#59603](nodejs/node#59603) - \[[`99da7fbe11`](nodejs/node@99da7fbe11)] - **tools**: avoid parsing test files twice (Pietro Marchini) [#59526](nodejs/node#59526) - \[[`9a6a8e319b`](nodejs/node@9a6a8e319b)] - **tools**: update coverage GitHub Actions to fixed version (Rich Trott) [#59512](nodejs/node#59512) - \[[`8d28236aff`](nodejs/node@8d28236aff)] - **tools**: fix return value of try\_check\_compiler (theanarkh) [#59434](nodejs/node#59434) - \[[`52ab64ec3a`](nodejs/node@52ab64ec3a)] - **tools**: bump [@eslint/plugin-kit](https://github.com/eslint/plugin-kit) from 0.3.3 to 0.3.4 in /tools/eslint (dependabot\[bot]) [#59271](nodejs/node#59271) - \[[`baa22893bb`](nodejs/node@baa22893bb)] - **typings**: add missing URLBinding methods (성우현 | Woohyun Sung) [#59468](nodejs/node#59468) - \[[`b68e0d1eca`](nodejs/node@b68e0d1eca)] - **util**: fix error's namespaced node\_modules highlighting using inspect (Ruben Bridgewater) [#59446](nodejs/node#59446) - \[[`15ae21b88a`](nodejs/node@15ae21b88a)] - **util**: add some additional error classes to `wellKnownPrototypes` (Mark S. Miller) [#59456](nodejs/node#59456) - \[[`c38b7cfa35`](nodejs/node@c38b7cfa35)] - **worker**: fix worker name with \0 (theanarkh) [#59214](nodejs/node#59214) - \[[`f54ace694a`](nodejs/node@f54ace694a)] - **worker**: add worker name to report (theanarkh) [#58935](nodejs/node#58935) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

richardlau mentioned this pull request Aug 21, 2025

Root certificate updater is broken #59212

Closed

richardlau approved these changes Aug 21, 2025

View reviewed changes

richardlau added the request-ci Add this label to start a Jenkins CI on a PR. label Aug 21, 2025

github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Aug 21, 2025

This comment was marked as outdated.

Sign in to view

richardlau added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Aug 22, 2025

targos approved these changes Aug 22, 2025

View reviewed changes

richardlau added the commit-queue Add this label to land a pull request using GitHub Actions. label Aug 22, 2025

lpinca approved these changes Aug 22, 2025

View reviewed changes

nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Aug 23, 2025

nodejs-github-bot merged commit 28e6ba8 into main Aug 23, 2025
85 checks passed

nodejs-github-bot deleted the actions/tools-update-root-certificates branch August 23, 2025 23:12

richardlau added lts-watch-v20.x PRs that may need to be released in v20.x lts-watch-v22.x PRs that may need to be released in v22.x labels Aug 23, 2025

github-actions bot mentioned this pull request Aug 26, 2025

2025-08-27, Version 24.7.0 (Current) #59629

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

crypto: update root-certificates to 3.114 #59571

crypto: update root-certificates to 3.114 #59571

Uh oh!

nodejs-github-bot commented Aug 21, 2025 •

edited by richardlau

Loading

Uh oh!

github-actions bot commented Aug 21, 2025

Uh oh!

This comment was marked as outdated.

codecov bot commented Aug 21, 2025 •

edited

Loading

Uh oh!

nodejs-github-bot commented Aug 22, 2025

Uh oh!

Uh oh!

nodejs-github-bot commented Aug 23, 2025

Uh oh!

Uh oh!

Uh oh!

crypto: update root-certificates to 3.114 #59571

crypto: update root-certificates to 3.114 #59571

Uh oh!

Conversation

nodejs-github-bot commented Aug 21, 2025 • edited by richardlau Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Aug 21, 2025

Uh oh!

This comment was marked as outdated.

codecov bot commented Aug 21, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

nodejs-github-bot commented Aug 22, 2025

Uh oh!

Uh oh!

nodejs-github-bot commented Aug 23, 2025

Uh oh!

Uh oh!

nodejs-github-bot commented Aug 21, 2025 •

edited by richardlau

Loading

codecov bot commented Aug 21, 2025 •

edited

Loading