This release focuses on Node HTTP adapter fixes, safer AxiosError serialisation, runtime/type correctness fixes, documentation updates, and dependency maintenance.
🐛 Bug Fixes
AxiosError Serialisation: Made AxiosError#cause non-enumerable to prevent circular JSON serialisation failures when errors include nested causes. (#10913)
Node HTTP Adapter: Guarded socket.setKeepAlive for proxy agent streams, accepted path-only URLs when socketPath is configured, deferred environment proxy handling to Node, and explicitly passed maxBodyLength through to follow-redirects. (#10917, #10930, #10942, #10993)
Runtime and Type Correctness: Fixed several runtime crashes, type definition mismatches, and incorrect error handling paths. (#10959, #11021)
AxiosURLSearchParams: Switched the encoder callback to an arrow function so encoder.call(this) receives the AxiosURLSearchParams instance correctly. (#11019)
🔧 Maintenance & Chores
Documentation: Documented sensitive headers and status transition behaviour, prepared cleaned-up docs, added Deno install instructions, and clarified that request data is request-specific (#11007, #11010, #11023, #11025)
This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.
This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.
This release ships a defence-in-depth fix for prototype pollution in formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.
This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.
This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in allowedSocketPaths allowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.
This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.
Added a clear() function to the request and response interceptors object so a user can ensure that all interceptors have been removed from an axios instance #4248
There are multiple deprecations, refactors and fixes provided in this release. Please read through the full release notes to see how this may impact your project and use case.
Removed
Removed incorrect argument for NetworkError constructor #4656
Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.
[!NOTE]
This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.
Core Changes
Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
Deduplicate output assets and detect content conflicts on emit (#92292)
Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)
MockModuleOptions.defaultExport and MockModuleOptions.namedExports have been
consolidated into a single option MockModuleOptions.exports to align with user
expectations and other test runners.
A default property on MockModuleOptions.exports represents the default
export, and own enumerable properties are treated as named exports.
352ae48: Security: validate config dependency names and versions before using them to build filesystem paths. A pnpm-workspace.yaml with a traversal-shaped configDependencies name (such as ../../PWNED) or version (such as ../../../PWNED) could previously cause pnpm install to create symlinks or write package files outside node_modules/.pnpm-config and the store. Names must now be valid npm package names and versions must be exact semver versions. See GHSA-qrv3-253h-g69c.
352ae48: Reject path-traversal and reserved dependency aliases (such as ../../../escape, .bin, .pnpm, or node_modules) that come from a lockfile rather than a freshly resolved manifest. A crafted lockfile alias could otherwise be joined directly under a hoisted node_modules directory, letting package files be written outside the intended install root or overwrite pnpm-owned layout.
The nodeLinker: hoisted graph builder now validates each alias at the directory sink (safeJoinModulesDir), matching the validation pnpm already performs when resolving aliases from manifests. See GHSA-fr4h-3cph-29xv.
352ae48: Prevent pnpm patch-remove from removing files outside the configured patches directory.
217fbe0: Hardened the warning printed when a project .npmrc uses environment variables in registry/auth settings: the suggested pnpm config set command is now only included for keys made up of shell-inert characters. Because the key comes from a repository-controlled .npmrc and a shell expands $(...), backticks, and $VAR even inside double quotes, a crafted key could otherwise have turned the suggested copy-paste command into command execution.
⚠️ Security fix — environment variables in a project .npmrc (action may be required)
Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands ${ENV_VAR} placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:
This release also closes a bypass where a project .npmrc could set userconfig, globalconfig, or prefix to make pnpm load a repo-supplied file as trusted config (via @pnpm/npm-conf@3.0.3).
Environment variables are still expanded in trusted config: your user-level ~/.npmrc, the global config, CLI options, and environment config.
If your authentication broke after upgrading, move the token out of the committed .npmrc:
# Writes to your user/global config, not the repository:
pnpm config set"//registry.npmjs.org/:_authToken""$NPM_TOKEN"
Or keep the ${NPM_TOKEN} line but put it in your user-level ~/.npmrc instead of the repo. In GitHub Actions, actions/setup-node with registry-url already writes a user-level .npmrc, so NODE_AUTH_TOKEN keeps working. For other CI where editing each pipeline is hard, set NPM_CONFIG_USERCONFIG=.npmrc in the CI environment to declare the project .npmrc trusted.
Improved the warning printed when a project .npmrc uses an environment variable in a registry/proxy URL or in registry credentials. The message now explains why the setting was ignored and how to migrate it to a trusted source — for example by running pnpm config set "<key>" <value> to store it in the global config, or by keeping the ${...} line in the user-level ~/.npmrc — with a link to https://pnpm.io/npmrc.
A repository-controlled project or workspace .npmrc can no longer redirect which files pnpm loads as its trusted user and global configuration. Previously such a file could set userconfig, globalconfig, or prefix to point at an attacker-supplied file shipped in the repository, and pnpm would load it as a trusted config source — bypassing the protection that prevents repository config from expanding environment variables into registry request destinations and credentials, and allowing it to set tokenHelper. The user/global config file locations are now resolved only from trusted sources (CLI options, environment config, the npm builtin config, and defaults) before the project and workspace .npmrc files are read. Fixed by upgrading @pnpm/npm-conf to 3.0.3.
⚠️ Security fix — environment variables in a project .npmrc (action may be required)
Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands ${ENV_VAR} placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:
This release also closes a bypass where a project .npmrc could set userconfig, globalconfig, or prefix to make pnpm load a repo-supplied file as trusted config (via @pnpm/npm-conf@3.0.3).
Environment variables are still expanded in trusted config: your user-level ~/.npmrc, the global config, CLI options, and environment config.
If your authentication broke after upgrading, move the token out of the committed .npmrc:
# Writes to your user/global config, not the repository:
pnpm config set"//registry.npmjs.org/:_authToken""$NPM_TOKEN"
Or keep the ${NPM_TOKEN} line but put it in your user-level ~/.npmrc instead of the repo. In GitHub Actions, actions/setup-node with registry-url already writes a user-level .npmrc, so NODE_AUTH_TOKEN keeps working. For other CI where editing each pipeline is hard, set NPM_CONFIG_USERCONFIG=.npmrc in the CI environment to declare the project .npmrc trusted.
Package-manager bootstrap traffic is now resolved through trusted registries and trusted network config. When pnpm downloads the pnpm version requested by a repository's packageManager field, the registry it fetches from (and the proxy/TLS settings used for that traffic) now come exclusively from trusted config sources — CLI options, env config, user and global .npmrc — defaulting to the public npm registry, instead of the repository's project/workspace settings.
pnpm now verifies the npm registry signature of a package-manager binary before spawning it. When the packageManager field (or pnpm self-update) makes pnpm download another pnpm version, the staged install is verified corepack-style: the integrity recorded in the staged lockfile must carry a valid npm registry signature for the exact name@version, validated against npm's public signing keys that ship embedded in the pnpm CLI. Verification fails closed — a tampered download, an unsigned package, or an unreachable registry refuses the version switch rather than running an unverified binary. It runs only when the wanted version is actually downloaded (a tools-directory cache miss), so repeated commands pay no extra network round trip.
Environment variable expansion is now trust-aware for registry/auth config and request destinations. Repository-controlled config files (the project and workspace .npmrc and pnpm-workspace.yaml) can no longer expand ${...} placeholders in registry/proxy request destinations, URL-scoped keys, or registry credential values, preventing repository-controlled configuration from exfiltrating environment secrets through request URLs. Trusted user/global/CLI/env config keeps full env expansion, so existing token and registry setup flows continue to work.
Reject reserved manifest bin names ("", ".", "..", and scoped forms such as @scope/..) when resolving a package's bins. These names previously passed the bin-name guard and, when joined to the global bin directory during global remove/update/add operations, could resolve to the global bin directory itself or its parent and have it recursively deleted.
Require trusted package identity before package-name onlyBuiltDependencies (and allowBuilds) entries can approve lifecycle scripts for git, git-hosted tarball, direct tarball, and local directory artifacts. To approve one of those artifacts explicitly, use its peer-suffix-free lockfile depPath as the key. Lockfile entries are now rejected when a registry-style dependency path (name@semver) is backed by a git, directory, or git-hosted tarball resolution (ERR_PNPM_RESOLUTION_SHAPE_MISMATCH), so the dependency path is a reliable artifact identity by the time scripts can run.
pnpm now verifies the detached OpenPGP signature of a Node.js release's SHASUMS256.txt against the Node.js release team's public keys (embedded in the pnpm CLI) before trusting its hashes. The Node.js download mirror is repository-configurable (node-mirror:<channel> in .npmrc), and the integrity check previously trusted a SHASUMS256.txt fetched from that same mirror — a circular check that a malicious mirror could satisfy with a tampered binary and matching hashes. A mirror that proxies the real signed SHASUMS keeps working unchanged. Only the release channel publishes signed SHASUMS files, so pre-release channels (rc, nightly, …) remain unverified.
Reject pnpm-lock.yaml entries whose remote tarball resolution: block is missing the integrity field. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that strips integrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under --frozen-lockfile. pnpm now fails closed at lockfile-read time with ERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: true or a URL on codeload.github.com / bitbucket.org / gitlab.com) and file: tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.
Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously, pnpm install (non-frozen) would log ERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.
pnpm install now exits with ERR_PNPM_TARBALL_INTEGRITY and a hint pointing at the new opt-in flag.
The only opt-in is pnpm install --update-checksums — narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.
--force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.
Patch Changes
Pin unscoped per-registry settings (_authToken, _auth, username/_password, tokenHelper, inline cert/key) to the registry declared in the same config source at load time, so a later layer overriding registry= (workspace .npmrc, pnpm-workspace.yaml, CLI --registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.
Fixed minimumReleaseAge handling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-version time field) by default, which made the maturity check throw ERR_PNPM_MISSING_TIME whenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch when minimumReleaseAge is active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and lets ERR_PNPM_MISSING_TIME from the cache fast-path fall through to the network fetch even under strict mode.
Reject git resolutions whose commit field is not a 40-character hexadecimal SHA before invoking git. A malicious lockfile could otherwise smuggle a value such as --upload-pack=<command> through git fetch / git checkout, which on SSH or local-file transports executes the supplied command.
Reject patch files whose diff --git headers reference paths outside the patched package directory. Previously a malicious .patch file added via a pull request could write, delete, or rename arbitrary files reachable by the user running pnpm install.
Fixed --prefix=<dir> not being honored when locating the workspace root. The --prefix → dir rename was applied after workspace detection, so workspace settings declared in <dir>/pnpm-workspace.yaml were not loaded when pnpm was invoked from outside <dir>#11535.
Reject dependency aliases that contain path-traversal segments (such as @x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them into node_modules. A malicious registry package could otherwise use a transitive dependency key to make pnpm install create symlinks at attacker-chosen paths outside the intended node_modules directory.
Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.
A new gitHosted: true field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.
Fix a regression where pnpm --recursive --filter '!<pkg>' run/exec/test/add would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative --filter arguments are provided, matching the documented behavior. To include the root, pass --include-workspace-root#11341.
When self-updating from v10's @pnpm/exe to v11+ on Intel macOS (darwin-x64), pnpm self-update now transparently switches to the JS-only pnpm package on npm instead of installing @pnpm/exe@v11+ (which doesn't ship a working binary for Intel Macs because of an upstream Node.js SEA bug — see #11423 and nodejs/node#62893). Without this, the self-update would silently leave the user with no working pnpm binary. The new install requires Node.js to be available on PATH; a warning is printed when the swap happens. All other host/version combinations are unchanged.
pnpm self-update (with no version argument) no longer downgrades pnpm when the registry's latest dist-tag points to an older release than the currently active version. Run pnpm self-update latest to force a downgrade #11418.
Globally-installed bins no longer fail with ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND when pnpm was installed via the standalone @pnpm/exe binary (e.g. curl -fsSL https://get.pnpm.io/install.sh | sh -) on a system without a separate Node.js installation. Previously, when which('node') failed during pnpm add --global, pnpm fell back to process.execPath, which in @pnpm/exe is the pnpm binary itself — and that path was baked into the generated bin shim, causing the shim to invoke pnpm instead of Node #11291, #4645.
Fix an infinite fork-bomb that could happen when pnpm was installed with one version (e.g. npm install -g pnpm@A) and run inside a project whose package.json selected a different pnpm version via the packageManager field (e.g. pnpm@B), while a pnpm-workspace.yaml also existed at the project root.
The child's environment is now forced to manage-package-manager-versions=false (v10) and pm-on-fail=ignore (v11+), which disables the package-manager-version handling in whichever pnpm runs as the child.
When a project's packageManager field selects pnpm v11 or newer, commands that v10 would have passed through to npm (version, login, logout, publish, unpublish, deprecate, dist-tag, docs, ping, search, star, stars, unstar, whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example, pnpm version --help print npm's help on a project with packageManager: pnpm@11.0.0-rc.3#11328.
Global sequence.concurrent: true with top-level test(..., { concurrent: false }) + depreacte sequential test API and options - by @hi-ogawa, Codex and @sheremet-va in #10196(2847d)
web-worker: Support MessagePort objects referenced inside postMessage data - by @whitphx and Claude Opus 4.6 (1M context) in #9927 and #10124(7ad7d)
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
This PR contains the following updates:
25.5.0→25.9.419.2.14→19.2.1710.4.27→10.5.21.14.0→1.18.110.1.0→10.6.016.2.1→16.2.1016.2.1→16.2.1025.8.2→25.9.010.33.0→10.34.48.5.8→8.5.1619.2.4→19.2.719.2.4→19.2.74.1.2→4.1.104.13.0→4.17.0Release Notes
postcss/autoprefixer (autoprefixer)
v10.5.2Compare Source
-webkit-fill-availablebefore-moz-available, so Firefoxwill use
-webkit-version which is closer tostretch.v10.5.1Compare Source
grid-areaspan reset for overriding areas (by @puneetdixit200).v10.5.0Compare Source
mask-position-xandmask-position-ysupport (by @toporek).axios/axios (axios)
v1.18.1Compare Source
v1.18.1 — June 21, 2026
This release focuses on Node HTTP adapter fixes, safer AxiosError serialisation, runtime/type correctness fixes, documentation updates, and dependency maintenance.
🐛 Bug Fixes
encoder.call(this)receives theAxiosURLSearchParamsinstance correctly. (#11019)🔧 Maintenance & Chores
Documentation: Documented sensitive headers and status transition behaviour, prepared cleaned-up docs, added Deno install instructions, and clarified that request data is request-specific (#11007, #11010, #11023, #11025)
Dependencies: Bumped vite, rollup, form-data, js-yaml, and multer across the root project, docs, smoke tests, and module test workspaces. (#11011, #11012, #11013, #11014, #11015, #11016, #11017, #11026)
🌟 New Contributors
We are thrilled to welcome our new contributors. Thank you for helping improve axios:
Full Changelog
v1.18.0Compare Source
This release hardens redirect and URL handling, improves the validateStatus configuration semantics, and includes updates to documentation, dependencies, and release metadata.
v1.17.0Compare Source
This release adds Node HTTP zstd decompression, hardens config and release workflows, and fixes authentication, header, proxy, and type-handling regressions.
v1.16.1Compare Source
This release ships a defence-in-depth fix for prototype pollution in
formDataToJSON, hardens proxy and CI workflows, restores Webpack 4 compatibility for the fetch adapter, and includes several small bug fixes and maintenance improvements.v1.16.0Compare Source
This release adds support for the QUERY HTTP method and a new
ECONNREFUSEDerror constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.v1.15.2Compare Source
This release delivers prototype-pollution hardening for the Node HTTP adapter, adds an opt-in
allowedSocketPathsallowlist to mitigate SSRF via Unix domain sockets, fixes a keep-alive socket memory leak, and ships supply-chain hardening across CI and security docs.v1.15.1Compare Source
This release ships a coordinated set of security hardening fixes across headers, body/redirect limits, multipart handling, and XSRF/prototype-pollution vectors, alongside a broad sweep of bug fixes, test migrations, and threat-model documentation updates.
v1.15.0Compare Source
Bug Fixes
Features
Contributors to this release
PRs
1.2.6 (2023-01-28)
Bug Fixes
CommonRequestHeadersList&CommonResponseHeadersListtypes to be private in commonJS; (#5503) (5a3d0a3)Contributors to this release
PRs
1.2.5 (2023-01-26)
Bug Fixes
Contributors to this release
PRs
1.2.4 (2023-01-22)
Bug Fixes
RawAxiosRequestConfigback toAxiosRequestConfig; (#5486) (2a71f49)AxiosRequestConfiggeneric; (#5478) (9bce81b)Contributors to this release
PRs
1.2.3 (2023-01-10)
Bug Fixes
Contributors to this release
PRs
[1.2.2] - 2022-12-29
Fixed
Chores
Contributors to this release
[1.2.1] - 2022-12-05
Changed
Fixed
Refactors
Chores
Contributors to this release
PRs
[1.2.0] - 2022-11-10
Changed
Fixed
Refactors
Chores
Contributors to this release
PRs
[1.1.3] - 2022-10-15
Added
Fixed
Chores
Contributors to this release
PRs
[1.1.2] - 2022-10-07
Fixed
Contributors to this release
PRs
[1.1.1] - 2022-10-07
Fixed
Contributors to this release
PRs
[1.1.0] - 2022-10-06
Fixed
Contributors to this release
PRs
[1.0.0] - 2022-10-04
Added
Changed
Deprecated
Removed
Fixed
Chores
Security
Contributors to this release
Bertrand Marron
Dmitriy Mozgovoy
Dan Mooney
Michael Li
aong
Des Preston
Ted Robertson
zhoulixiang
Arthur Fiorette
Kumar Shanu
JALAL
Jingyi Lin
Philipp Loose
Alexander Shchukin
Dave Cardwell
Cat Scarlet
Luca Pizzini
Kai
Maxime Bargiel
Brian Helba
reslear
Jamie Slome
Landro3
rafw87
Afzal Sayed
Koki Oyatsu
Dave
暴走老七
Spencer
Adrian Wieprzkowicz
Jamie Telin
毛呆
Kirill Shakirov
Rraji Abdelbari
Jelle Schutter
Tom Ceuppens
Johann Cooper
Dimitris Halatsis
chenjigeng
João Gabriel Quaresma
Victor Augusto
neilnaveen
Pavlos
Kiryl Valkovich
Naveen
wenzheng
hcwhan
Bassel Rachid
Grégoire Pineau
felipedamin
Karl Horky
Yue JIN
Usman Ali Siddiqui
WD
Günther Foidl
Stephen Jennings
C.T.Lin
mia-z
Parth Banathia
parth0105pluang
Marco Weber
Luca Pizzini
Willian Agostini
Huyen Nguyen
eslint/eslint (eslint)
v10.6.0Compare Source
Features
b1f9106feat: detect Symbol() and BigInt() in no-constant-binary-expression (#20981) (Taejin Kim)f291007feat: add checkRelationalComparisons to no-constant-binary-expression (#20948) (sethamus)Bug Fixes
6b05784fix: prefer-exponentiation-operator invalid autofix at statement start (#20997) (Milos Djermanovic)bb9eb2afix: account for shadowedBooleaninno-extra-boolean-cast(#21013) (den$)8fd8741fix: don't report shadowed undefined inradixrule (#21011) (Pixel)5784980fix: don't report shadowed undefined in no-throw-literal (#21010) (Pixel)9cd1e6dfix: suppress invalid class suggestion in no-promise-executor-return (#21008) (Pixel)d4eb2dcfix: don't report shadowed undefined in prefer-promise-reject-errors (#21006) (Pixel)2360464fix: prefer-promise-reject-errors false positives for shadowed Promise (#21003) (den$)63d52d2fix: restore max-classes-per-file report range (#21002) (Pixel)7feaff0fix: callback detection logic for IIFEs in max-nested-callbacks (#20979) (fnx)399a2ecfix: don't report inner non-callbacks inmax-nested-callbacks(#20995) (Milos Djermanovic)Documentation
a83683ddocs: Update README (GitHub Actions Bot)f5449f9docs: document userland patterns for global assertionOptions in RuleT… (#20986) (playgirl)bea49f7docs: Update README (GitHub Actions Bot)e5f70f9docs: update code-path diagrams (#20984) (Tanuj Kanti)8890c2ddocs: add TypeScript config guidance for MCP server (#20796) (Pierluigi Lenoci)3eb3d9bdocs: Update README (GitHub Actions Bot)c5bb59cdocs: Update README (GitHub Actions Bot)eb3c97cdocs: fix grammar in prefer-const rule description (#20983) (lumir)Chores
6a42034ci: run ecosystem tests on main branch (#20891) (sethamus)3dbacdbci: bump actions/checkout from 6 to 7 (#21014) (dependabot[bot])c3abfcachore: correct JSDoc param types in html formatter (#21018) (Minseon Kim)a832320ci: split ecosystem tests into separate jobs (#21001) (xbinaryx)27166e7chore: update ecosystem plugins (#21005) (ESLint Bot)865d76eci: bump pnpm/action-setup from 6.0.8 to 6.0.9 (#20989) (dependabot[bot])27a88c9chore: update dependency markdown-it to v14 in root (#20994) (Milos Djermanovic)970cea6chore: update dependency markdown-it to v14 (#20993) (Milos Djermanovic)b482120chore: update dependency prettier to v3.8.4 (#20990) (renovate[bot])6993fb3chore: update ecosystem plugins (#20985) (ESLint Bot)v10.5.0Compare Source
Features
5ca8c52feat: correct stack tracking in max-nested-callbacks (#20973) (Pixel998)b565783feat: report no-with violations at the with keyword (#20971) (Pixel998)2ce032ffeat: report max-lines-per-function violations at function head (#20966) (Pixel998)732cb3efeat: report max-nested-callbacks violations at function head (#20967) (Pixel998)f9c138afeat: report max-depth violations on keywords (#20943) (Pixel998)bdb496cfeat: correct max-depth handling for else-if chains (#20944) (Pixel998)c296873feat: update error loc inmax-statementsto function header (#20907) (Taejin Kim)Documentation
8ae1b5bdocs: Update README (GitHub Actions Bot)ca7eb90docs: update Node.js prerequisites to include ICU support (#20962) (Francesco Trotta)f99b47adocs: Update README (GitHub Actions Bot)acf03d4docs: clarify precedence of parserOptions over languageOptions (#20926) (sethamus)Chores
b18bf58chore: update ecosystem plugins (#20959) (ESLint Bot)c2d1444refactor: replace areAllSegmentsUnreachable with !isAnySegmentReachable (#20951) (Taejin Kim)243b8c5chore: enhance config-rule to support oneOf, anyOf, and nested schemas (#20788) (kuldeep kumar)217b2a9test: add unit tests for ParserService (#20949) (Taejin Kim)72003e7test: add location information to error messages inmax-statements(#20945) (lumir)7797c26refactor: deduplicate isAnySegmentReachable across rules (#20890) (Taejin Kim)67c46fachore: update ecosystem plugins (#20938) (ESLint Bot)95d8c7achore: update dependency @eslint/json to v2 (#20934) (renovate[bot])cf9e496chore: update @arethetypeswrong/cli to 0.18.3 (#20933) (Pixel998)fb6d396test: run type tests with TypeScript 7 (#20868) (sethamus)v10.4.1Compare Source
Bug Fixes
e557467fix: update@eslint/plugin-kitversion to 0.7.2 (#20930) (Francesco Trotta)d4ce898fix: propagate failures from delegated commands (#20917) (Minh Vu)f4f3507fix: prefer-arrow-callback invalid autofix with newline afterasync(#20916) (kuldeep kumar)c5bc78bfix: false positive for reference infinallyblock (#20655) (Tanuj Kanti)27538c0fix: add missing CodePath and CodePathSegment types (#20853) (Pixel998)Documentation
61b0adddocs: remove deprecated rule from related rules ofmax-params(#20921) (Tanuj Kanti)305d5b9docs: remove deprecated rules from related rules section (#20911) (Tanuj Kanti)49b0202docs: fixdisplay: noneof ad (#20901) (Tanuj Kanti)9067f94docs: switch build to Node.js 24 (#20893) (Milos Djermanovic)c91b041docs: Update README (GitHub Actions Bot)e349265docs: clarify semver strings in rule deprecation objects (#20885) (Milos Djermanovic)Chores
b0e466btest: adddataproperty to invalid tests cases for rules (#20924) (Tanuj Kanti)f78838btest: add CodePath type coverage (#20904) (Pixel998)1daa4bdchore: updateeslint-plugin-eslint-commentstest data to latest commit (#20922) (Francesco Trotta)002942cci: declare contents:read on update-readme workflow (#20919) (Arpit Jain)64bca24chore: update ecosystem plugins (#20912) (ESLint Bot)6d7c832chore: ignore fflate updates in renovate (#20908) (Pixel998)b2c8638ci: bump pnpm/action-setup from 6.0.7 to 6.0.8 (#20889) (dependabot[bot])a9b8d7fchore: increase maxBuffer for ecosystem tests (#20881) (sethamus)b702eadchore: update ecosystem update PR settings (#20884) (Pixel998)507f60echore: update ecosystem plugins (#20882) (ESLint Bot)92f5c5btest: add unit test for message-count (#20878) (kuldeep kumar)df32108chore: add @eslint/markdown and typescript-eslint ecosystem tests (#20837) (sethamus)327f91dchore: use includeIgnoreFile internally (#20876) (Kirk Waiblinger)f0dc4bdchore: pin fflate@0.8.2 (#20877) (Milos Djermanovic)0f4bd25ci: run Discord alert for ecosystem test failures (#20873) (Copilot)v10.4.0Compare Source
Features
1a45ec5feat: check sequence expressions infor-direction(#20701) (kuldeep kumar)450040bfeat: addincludeIgnoreFile()toeslint/config(#20735) (Kirk Waiblinger)Bug Fixes
544c0c3fix: escape code path DOT labels in debug output (#20866) (Pixel998)6799431fix: update dependency @eslint/config-helpers to ^0.6.0 (#20850) (renovate[bot])f078feffix: handle non-array deprecated rule replacements (#20825) (xbinaryx)Documentation
7e52a71docs: add mention of@eslint-react/eslint-plugin(#20869) (Pavel)db3468bdocs: tweak wording around ambiguous CJS-vs-ESM config (#20865) (Kirk Waiblinger)9084664docs: Update README (GitHub Actions Bot)9cc7387docs: Update README (GitHub Actions Bot)3d7b548docs: Update README (GitHub Actions Bot)191ec3cdocs: Update README (GitHub Actions Bot)Chores
6616856chore: upgrade knip to v6 (#20875) (Pixel998)d13b084ci: ensure auto-created PRs run CI (#20860) (lumir)e71c7afci: bump pnpm/action-setup from 6.0.5 to 6.0.7 (#20862) (dependabot[bot])d84393dtest: add unit tests for SuppressionsService.applySuppressions() (#20863) (kuldeep kumar)24db8cbtest: add tests for SuppressionsService.save() (#20802) (kuldeep kumar)2ef0549chore: update ecosystem plugins (#20857) (github-actions[bot])a429791ci: removeeslint-webpack-plugintypes integration test (#20668) (Milos Djermanovic)9e37386chore: replacerecastwith range approach in code-sample-minimizer (#20682) (Copilot)0dd1f9ftest: disable warning forvm.constants.USE_MAIN_CONTEXT_DEFAULT_LOADER(#20845) (Francesco Trotta)9da3c7brefactor: remove deprecatedmeta.languageand migratemeta.dialects(#20716) (Pixel998)2099ed1refactor: addmeta.defaultOptionsto more rules, enable linting (#20800) (xbinaryx)f1dfbc9chore: update ecosystem plugins (#20836) (github-actions[bot])c759413ci: bump pnpm/action-setup from 6.0.3 to 6.0.5 (#20843) (dependabot[bot])5b817d6test: add unit tests for lib/shared/ast-utils (#20838) (kuldeep kumar)1c13ae3test: add unit tests for lib/shared/severity (#20835) (kuldeep kumar)v10.3.0Compare Source
Features
379571afeat: add suggestions for no-unused-private-class-members (#20773) (sethamus)Bug Fixes
b6ae5cffix: handle unavailable require cache (#20812) (Simon Podlipsky)6fb3685fix: rule suggestions cause continuation in class body (#20787) (Milos Djermanovic)Documentation
32cc7abdocs: fix typos in docs and comments (#20809) (Tanuj Kanti)7f47937docs: Update README (GitHub Actions Bot)Chores
d32235eci: use pnpm ineslint-flat-config-utilstype integration test (#20826) (Francesco Trotta)3ffb14echore: clean up typos in comments and JSDoc (#20821) (Pixel998)22eb58achore: add missing continue-on-error to ecosystem-tests.yml (#20818) (Josh Goldberg ✨)88bf002ci: bump pnpm/action-setup from 6.0.1 to 6.0.3 (#20815) (dependabot[bot])97c8c33chore: update ilshidur/action-discord action to v0.4.0 (#20811) (renovate[bot])2f58136chore: pin peter-evans/create-pull-request action to5f6978f(#20810) (renovate[bot])77add7fchore: add initial ecosystem plugin tests workflow (#19643) (Josh Goldberg ✨)4023b55test: Add unit tests for SuppressionsService.prune() (#20797) (kuldeep kumar)54080datest: add unit tests for ForkContext (#20778) (kuldeep kumar)f0e2bcctest: add unit tests for SuppressionsService.suppress() method (#20765) (kuldeep kumar)a7f0b94chore: update dependency prettier to v3.8.3 (#20782) (renovate[bot])7bf93d9chore: update TypeScript to v6 (#20677) (sethamus)b42dd72ci: bump pnpm/action-setup from 6.0.0 to 6.0.1 (#20781) (dependabot[bot])2b252betest: add unit tests for IdGenerator (#20775) (kuldeep kumar)v10.2.1Compare Source
Bug Fixes
14be92bfix: model generator yield resumption paths in code path analysis (#20665) (sethamus)84a19d2fix: no-async-promise-executor false positives for shadowed Promise (#20740) (xbinaryx)af764affix: clarify language and processor validation errors (#20729) (Pixel998)e251b89fix: update eslint (#20715) (renovate[bot])Documentation
ca92ca0docs: reuse markdown-it instance for markdown filter (#20768) (Amaresh S M)57d2ee2docs: Enable Eleventy incremental mode for watch (#20767) (Amaresh S M)c1621b9docs: fix typos in code-path-analyzer.js (#20700) (Ayush Shukla)1418d52docs: Update README (GitHub Actions Bot)39771e6docs: Update README (GitHub Actions Bot)71e0469docs: fix incomplete JSDoc param description in no-shadow rule (#20728) (kuldeep kumar)22119cedocs: clarify scope of for-direction rule with dead code examples (#20723) (Amaresh S M)8f3fb77docs: documentmeta.docs.dialects(#20718) (Pixel998)Chores
7ddfea9chore: update dependency prettier to v3.8.2 (#20770) (renovate[bot])fac40e1ci: bump pnpm/action-setup from 5.0.0 to 6.0.0 (#20763) (dependabot[bot])7246f92test: add tests for SuppressionsService.load() error handling (#20734) (kuldeep kumar)4f34b1echore: update pnpm/action-setup action to v5 (#20762) (renovate[bot])51080ebtest: processor service (#20731) (kuldeep kumar)e7e1889chore: remove stale babel-eslint10 fixture and test (#20727) (kuldeep kumar)4e1a87ctest: remove redundant async/await in flat config array tests (#20722) (Pixel998)066eabbtest: add rule metadata coverage forlanguagesanddocs.dialects(#20717) (Pixel998)v10.2.0Compare Source
Features
586ec2ffeat: Addmeta.languagessupport to rules (#20571) (Copilot)14207defeat: addTemporaltono-obj-calls(#20675) (Pixel998)bbb2c93feat: add Temporal to ES2026 globals (#20672) (Pixel998)Bug Fixes
542cb3efix: update first-party dependencies (#20714) (Francesco Trotta)Documentation
a2af743docs: addlanguageto configuration objects (#20712) (Francesco Trotta)845f23fdocs: Update README (GitHub Actions Bot)5fbcf59docs: removesourceTypefrom ts playground link (#20477) (Tanuj Kanti)8702a47docs: Update README (GitHub Actions Bot)ddeadeddocs: Update README (GitHub Actions Bot)2b44966docs: add Major Releases section to Manage Releases (#20269) (Milos Djermanovic)eab65c7docs: updateeslintversions in examples (#20664) (루밀LuMir)3e4a299docs: update ESM Dependencies policies with note for own-usage packages (#20660) (Milos Djermanovic)Chores
8120e30refactor: extract no unmodified loop condition (#20679) (kuldeep kumar)46e8469chore: update dependency markdownlint-cli2 to ^0.22.0 (#20697) (renovate[bot])01ed3aatest: add unit tests for unicode utilities (#20622) (Manish chaudhary)811f493ci: remove--legacy-peer-depsfrom types integration tests (#20667) (Milos Djermanovic)6b86fcfchore: update dependency npm-run-all2 to v8 (#20663) (renovate[bot])632c4f8chore: addprettierupdate commit to.git-blame-ignore-revs(#20662) (루밀LuMir)b0b0f21chore: update dependency eslint-plugin-regexp to ^3.1.0 (#20659) (Milos Djermanovic)228a2ddchore: update dependency eslint-plugin-eslint-plugin to ^7.3.2 (#20661) (Milos Djermanovic)3ab4d7etest: Add tests for eslintrc-style keys (#20645) (kuldeep kumar)vercel/next.js (eslint-config-next)
v16.2.10Compare Source
Contains no changes except publishing
@next/swc-wasm-webwhich was accidentally not published since 16.2.4.v16.2.9Compare Source
Empty release to ensure
next@latestpoints at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.v16.2.8Compare Source
Release with no changes in an attempt to fix
next@latestpointing at a prerelease version.v16.2.7Compare Source
Core Changes
playwright-coreto resolve_finishedPromiseonrequestFailed(#93920)router.querycorruption withbasePath+rewrites(#93917)FormDataentries (#94240)Credits
Huge thanks to @eps1lon, @icyJoseph, @unstubbable, @mischnic, @bgw, @timneutkens, and @lukesandberg for helping!
v16.2.6Compare Source
Security Fixes
The following advisories have been addressed:
High:
Moderate:
Low:
Core Changes
cacheHandlerskeys (#93453)v16.2.5Compare Source
Security Fixes
The following advisories have been addressed:
High:
Moderate:
Low:
Core Changes
cacheHandlerskeys (#93453)v16.2.4Compare Source
Core Changes
Credits
Huge thanks to @Badbird5907, @lukesandberg, @andrewimm, @sokra, and @mischnic for helping!
v16.2.3Compare Source
Core Changes
Credits
Huge thanks to @icyJoseph, @sokra, @wbinnssmith, @eps1lon and @ztanner for helping!
v16.2.2Compare Source
Core Changes
Credits
Huge thanks to @nextjs-bot, @icyJoseph, @ijjk, @gaojude, @wbinnssmith, @lukesandberg, and @bgw for helping!
nodejs/node (node)
v25.9.0: 2026-04-01, Version 25.9.0 (Current), @aduh95Compare Source
Notable Changes
Test runner module mocking improvements
MockModuleOptions.defaultExportandMockModuleOptions.namedExportshave beenconsolidated into a single option
MockModuleOptions.exportsto align with userexpectations and other test runners.
A
defaultproperty onMockModuleOptions.exportsrepresents the defaultexport, and own enumerable properties are treated as named exports.
An automated migration is available to update user code:
https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports
Contributed by sangwook in #61727.
Other notable changes
312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes toAsyncLocalStorage(Stephen Belanger) #6167462d2cd473b] - (SEMVER-MINOR) cli: add--max-heap-sizeoption (tannal) #58708d0ebf0e44b] - (SEMVER-MINOR) crypto: addTurboSHAKEandKangarooTwelveWeb Cryptography algorithms (Filip Skokan) #62183f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #6218867b854d407] - (SEMVER-MINOR) repl: remove dependency onnode:domain(Matteo Collina) #61227966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #62066Commits
312476cb84] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #61674bfff8cb2ab] - (SEMVER-MINOR) benchmark: add benchmarks for experimental stream/iter (James M Snell) #62066c721d68502] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #62084e2f03c8e92] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #618712fcd07f1ba] - build: support empty libname flags inconfigure.py(Antoine du Hamel) #62477b800c57fce] - build: fix timezone-update path references (Chengzhong Wu) #622807dc5a1e9b4] - build: skip dockit on IBMi (SRAVANI GUNDEPALLI) #62189f0eea0f905] - build: fix --node-builtin-modules-path (Filip Skokan) #6211562d2cd473b] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708ac4b485698] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485d0ebf0e44b] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #621833009980d9d] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #62254f5725ca81d] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #62218f69ed4bc3f] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #618754d96e53570] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #6216993d77719e8] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #621703d2e23a981] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #62414176d6d2205] - deps: update timezone to 2026a (Node.js GitHub Bot) #6216495c7fc67ba] - deps: update googletest to2461743(Node.js GitHub Bot) #62484e5e9f2044a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #62382905b94266a] - deps: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) #62051180c150122] - deps: V8: cherry-pickcf1bce4(Richard Lau) #62449bc265aa003] - deps: upgrade npm to 11.12.1 (npm team) #62448f1b28612c4] - deps: V8: cherry-pickb25cd62(Yagiz Nizipli) #62354757719d2af] - deps: disable rust icu compiled_data features (Chengzhong Wu) #622843bdc955b63] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #62256a9703d194a] - deps: update googletest to73a63ea(Node.js GitHub Bot) #6192785138935cb] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #62213231521e75e] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #621230093863664] - doc: deprecatemodule.register()(DEP0205) (Geoffrey Booth) #623950b96ece6be] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #624568d3ea975f5] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #6249208ff16e0ba] - doc: move sqlite type conversion section to correct level (René) #6248261cc747dd8] - doc: add Rafael to last security release steward (Rafael Gonzaga) #6242364cfa5a6fa] - doc: use npm-published version of doc-kit (Aviv Keller) #621391020321fb0] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #622069caa7855b2] - doc: fix guaranteed typo (lilianakatrina684-a11y) #62374e254f65306] - doc: enhance clarification about the main field (Mowafak Almahaini) #623029e724b53f8] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #622437f37c17516] - doc: minor typo fix (Jeff Matson) #62358eb0ca98f01] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #62355198b6e0932] - doc: deprecate CryptoKey use in node:crypto (Filip Skokan) #6232117e5aee6c5] - doc: fix small environment_variables typo (chris) #62279193d629895] - doc: test and test-only targets do not run linter (Xavier Stouder) #621204a1f20ec4a] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #62208f976c9214d] - doc: clarify that any truthy value ofshellis part of DEP0190 (Antoine du Hamel) #622494d83972681] - doc: remove outdated Chrome 66 and ndb references from debugger (Kit Dallege) #6220271f2eada5b] - doc: add throwIfNoEntry version history to fs.stat (kovan) #62204670c80893b] - doc: add note (and caveat) formock.moduleabout customization hooks (Jacob Smith) #620752ff5cb13f5] - doc,test: clarify --eval syntax for leading '-' scripts (kovan) #622446c6c9004c4] - esm: fix typo in worker loader hook comment (jakecastelli) #624751cdd23c9f3] - esm: fix source phase identity bug in loadCache eviction (Guy Bedford) #624154f4ff15794] - esm: fix path normalization infinalizeResolution(Antoine du Hamel) #62080088167d102] - events: avoid cloning listeners array on every emit (Gürgün Dayıoğlu) #622610250b436ee] - fs: fix cpSync to handle non-ASCII characters (Stefan Stojanovic) #61950b67a8fb171] - inspector: add Target.getTargets and extract TargetManager (Kohei) #62487ffcc5a5722] - lib: make SubtleCrypto.supports enumerable (Filip Skokan) #6230792ef2ad8fa] - lib: prefer primordials in SubtleCrypto (Filip Skokan) #6222640a43ac4d0] - module: fix coverage of mocked CJS modules imported from ESM (Marco) #621333ef0a5b90e] - quic: remove CryptoKey support from session keys option (Filip Skokan) #623353c8dd8eb8e] - repl: use vm DONT_CONTEXTIFY context (Chengzhong Wu) #62371f85b9d9fa8] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #62188e4c164e045] - repl: handle exceptions from async context after close (Anna Henningsen) #6216567b854d407] - (SEMVER-MINOR) repl: remove dependency on domain module (Matteo Collina) #61227966b700623] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158fe82baf970] - src: improve EC JWK import performance (Filip Skokan) #62396d490b171e0] - src: handle null backing store in ArrayBufferViewContents::Read (Mert Can Altin) #623430e4af848bc] - src: convert context_frame field in AsyncWrap to internal field (Anna Henningsen) #6210302980b8c8f] - src: enable compilation/linking with OpenSSL 4.0 (Filip Skokan) #62410064f7c2fa6] - src: use stack allocation in indexOf latin1 path (Mert Can Altin) #62268ede52bc2dc] - src,sqlite: fix filterFunc dangling reference (Edy Silva) #62281e1f0d2a014] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #6206603839fb087] - stream: preserve error over AbortError in pipeline (Marco) #621130000d2f011] - stream: replace bind with arrow function for onwrite callback (Ali Hassan) #620873796a73719] - test: update WPT for WebCryptoAPI to2cb332d(Node.js GitHub Bot) #62483ad8309415b] - test: update WPT for url tofc3e651(Node.js GitHub Bot) #62379bed89b037e] - test: wait for reattach before initial break on restart (Yuya Inoue) #62471c9ffffcc55] - test: disable flaky WPT Blob test on AIX (James M Snell) #62470fd41ef31f6] - (SEMVER-MINOR) test: add tests for experimental stream/iter implementation (James M Snell) #620661b9d8d3eec] - test: avoid flaky run wait in debugger restart test (Yuya Inoue) #62112cb08a29d51] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #62238abea0af8a9] - test: add WebCrypto Promise.prototype.then pollution regression tests (Filip Skokan) #6222647a2132269] - test: update WPT for WebCryptoAPI to6a1c545(Node.js GitHub Bot) #621872c63d3006c] - test_runner: add exports option for module mocks (sangwook) #6172744ac0e1302] - test_runner: make it compatible with fake timers (Matteo Collina) #592721865691275] - test_runner: set non-zero exit code when suite errors occur (Edy Silva) #622820252b2bab8] - tools: bump picomatch from 4.0.3 to 4.0.4 in /tools/eslint (dependabot[bot]) #624393368155267] - tools: bump yaml from 2.8.2 to 2.8.3 in /tools/doc (dependabot[bot]) #624375e47c359f5] - tools: adopt the--check-for-duplicatesNCU flag (Antoine du Hamel) #624784a604e82d0] - tools: bump picomatch in /tools/doc (dependabot[bot]) #62438d1a98b4ddb] - tools: bump flatted from 3.4.1 to 3.4.2 in /tools/eslint (dependabot[bot]) #62375c32daa1ab4] - tools: bump eslint deps (Huáng Jùnliàng) #623567a2fcc6d41] - tools: do not swallow error inlint-nixworkflow (Antoine du Hamel) #62292c41a2871b5] - tools: add eslint-plugin-regexp (Huáng Jùnliàng) #6209356dfeb06df] - tools: fix timeout errors inlint-nixjob (Antoine du Hamel) #6226522fc8078e8] - tools: bump flatted from 3.3.3 to 3.4.1 in /tools/eslint (dependabot[bot]) #62255409b0663bd] - tools: bump undici from 6.23.0 to 6.24.1 in /tools/doc (dependabot[bot]) #6225067c69750f4] - tools: validate all commits that are pushed tomain(Antoine du Hamel) #622467d9db8cd21] - tools: keep GN files when updating Merve (Antoine du Hamel) #621676c8fa42ba2] - typings: rationalise TypedArray types (René) #62174531c64d04e] - url: enable simdutf for ada (Yagiz Nizipli) #614772000caccde] - util: allow color aliases in styleText (sangwook) #621800aed332ab4] - wasm: support js string constant esm import (Guy Bedford) #62198d3fd4a978b] - worker: heap profile optimizations (Ilyas Shabi) #62201e992a34a18] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #62325pnpm/pnpm (pnpm)
v10.34.4: pnpm 10.34.4Compare Source
Patch Changes
352ae48: Security: validate config dependency names and versions before using them to build filesystem paths. Apnpm-workspace.yamlwith a traversal-shapedconfigDependenciesname (such as../../PWNED) or version (such as../../../PWNED) could previously causepnpm installto create symlinks or write package files outsidenode_modules/.pnpm-configand the store. Names must now be valid npm package names and versions must be exact semver versions. See GHSA-qrv3-253h-g69c.352ae48: Reject path-traversal and reserved dependency aliases (such as../../../escape,.bin,.pnpm, ornode_modules) that come from a lockfile rather than a freshly resolved manifest. A crafted lockfile alias could otherwise be joined directly under a hoistednode_modulesdirectory, letting package files be written outside the intended install root or overwrite pnpm-owned layout.The
nodeLinker: hoistedgraph builder now validates each alias at the directory sink (safeJoinModulesDir), matching the validation pnpm already performs when resolving aliases from manifests. See GHSA-fr4h-3cph-29xv.352ae48: Preventpnpm patch-removefrom removing files outside the configured patches directory.217fbe0: Hardened the warning printed when a project.npmrcuses environment variables in registry/auth settings: the suggestedpnpm config setcommand is now only included for keys made up of shell-inert characters. Because the key comes from a repository-controlled.npmrcand a shell expands$(...), backticks, and$VAReven inside double quotes, a crafted key could otherwise have turned the suggested copy-paste command into command execution.Platinum Sponsors
Gold Sponsors
v10.34.3: pnpm 10.34.3Compare Source
⚠️ Security fix — environment variables in a project
.npmrc(action may be required)Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands
${ENV_VAR}placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:.npmrc—registry,@scope:registry, proxy URLs, URL-scoped keys (//host/…), and credential values (_authToken,_auth,_password,username,tokenHelper,cert,key);pnpm-workspace.yaml.This release also closes a bypass where a project
.npmrccould setuserconfig,globalconfig, orprefixto make pnpm load a repo-supplied file as trusted config (via@pnpm/npm-conf@3.0.3).Environment variables are still expanded in trusted config: your user-level
~/.npmrc, the global config, CLI options, and environment config.If your authentication broke after upgrading, move the token out of the committed
.npmrc:Or keep the
${NPM_TOKEN}line but put it in your user-level~/.npmrcinstead of the repo. In GitHub Actions,actions/setup-nodewithregistry-urlalready writes a user-level.npmrc, soNODE_AUTH_TOKENkeeps working. For other CI where editing each pipeline is hard, setNPM_CONFIG_USERCONFIG=.npmrcin the CI environment to declare the project.npmrctrusted.See https://pnpm.io/npmrc for full migration details.
Patch Changes
.npmrcuses an environment variable in a registry/proxy URL or in registry credentials. The message now explains why the setting was ignored and how to migrate it to a trusted source — for example by runningpnpm config set "<key>" <value>to store it in the global config, or by keeping the${...}line in the user-level~/.npmrc— with a link to https://pnpm.io/npmrc..npmrccan no longer redirect which files pnpm loads as its trusted user and global configuration. Previously such a file could setuserconfig,globalconfig, orprefixto point at an attacker-supplied file shipped in the repository, and pnpm would load it as a trusted config source — bypassing the protection that prevents repository config from expanding environment variables into registry request destinations and credentials, and allowing it to settokenHelper. The user/global config file locations are now resolved only from trusted sources (CLI options, environment config, the npm builtin config, and defaults) before the project and workspace.npmrcfiles are read. Fixed by upgrading@pnpm/npm-confto3.0.3.Platinum Sponsors
Gold Sponsors
v10.34.2: pnpm 10.34.2Compare Source
⚠️ Security fix — environment variables in a project
.npmrc(action may be required)Following GHSA-3qhv-2rgh-x77r, pnpm no longer expands
${ENV_VAR}placeholders that come from a repository-controlled config file, because a malicious repository could otherwise use them to leak your environment secrets (npm tokens, CI job tokens, etc.) to an attacker-controlled registry during install. This applies to:.npmrc—registry,@scope:registry, proxy URLs, URL-scoped keys (//host/…), and credential values (_authToken,_auth,_password,username,tokenHelper,cert,key);pnpm-workspace.yaml.This release also closes a bypass where a project
.npmrccould setuserconfig,globalconfig, orprefixto make pnpm load a repo-supplied file as trusted config (via@pnpm/npm-conf@3.0.3).Environment variables are still expanded in trusted config: your user-level
~/.npmrc, the global config, CLI options, and environment config.If your authentication broke after upgrading, move the token out of the committed
.npmrc:Or keep the
${NPM_TOKEN}line but put it in your user-level~/.npmrcinstead of the repo. In GitHub Actions,actions/setup-nodewithregistry-urlalready writes a user-level.npmrc, soNODE_AUTH_TOKENkeeps working. For other CI where editing each pipeline is hard, setNPM_CONFIG_USERCONFIG=.npmrcin the CI environment to declare the project.npmrctrusted.See https://pnpm.io/npmrc for full migration details.
Patch Changes
packageManagerfield, the registry it fetches from (and the proxy/TLS settings used for that traffic) now come exclusively from trusted config sources — CLI options, env config, user and global.npmrc— defaulting to the public npm registry, instead of the repository's project/workspace settings.packageManagerfield (orpnpm self-update) makes pnpm download another pnpm version, the staged install is verified corepack-style: the integrity recorded in the staged lockfile must carry a valid npm registry signature for the exactname@version, validated against npm's public signing keys that ship embedded in the pnpm CLI. Verification fails closed — a tampered download, an unsigned package, or an unreachable registry refuses the version switch rather than running an unverified binary. It runs only when the wanted version is actually downloaded (a tools-directory cache miss), so repeated commands pay no extra network round trip..npmrcandpnpm-workspace.yaml) can no longer expand${...}placeholders in registry/proxy request destinations, URL-scoped keys, or registry credential values, preventing repository-controlled configuration from exfiltrating environment secrets through request URLs. Trusted user/global/CLI/env config keeps full env expansion, so existing token and registry setup flows continue to work.binnames ("",".","..", and scoped forms such as@scope/..) when resolving a package's bins. These names previously passed the bin-name guard and, when joined to the global bin directory during global remove/update/add operations, could resolve to the global bin directory itself or its parent and have it recursively deleted.onlyBuiltDependencies(andallowBuilds) entries can approve lifecycle scripts for git, git-hosted tarball, direct tarball, and local directory artifacts. To approve one of those artifacts explicitly, use its peer-suffix-free lockfile depPath as the key. Lockfile entries are now rejected when a registry-style dependency path (name@semver) is backed by a git, directory, or git-hosted tarball resolution (ERR_PNPM_RESOLUTION_SHAPE_MISMATCH), so the dependency path is a reliable artifact identity by the time scripts can run.SHASUMS256.txtagainst the Node.js release team's public keys (embedded in the pnpm CLI) before trusting its hashes. The Node.js download mirror is repository-configurable (node-mirror:<channel>in.npmrc), and the integrity check previously trusted aSHASUMS256.txtfetched from that same mirror — a circular check that a malicious mirror could satisfy with a tampered binary and matching hashes. A mirror that proxies the real signed SHASUMS keeps working unchanged. Only thereleasechannel publishes signed SHASUMS files, so pre-release channels (rc, nightly, …) remain unverified.Platinum Sponsors
Gold Sponsors
v10.34.1: pnpm 10.34.1Compare Source
Patch Changes
pnpm-lock.yamlentries whose remote tarballresolution:block is missing theintegrityfield. Previously the worker that extracts a downloaded tarball skipped hash verification when no integrity was supplied and minted a fresh one from the unverified bytes, so an attacker who could both alter the lockfile (e.g. via a pull request that stripsintegrity:) and serve modified content at the referenced tarball URL could install a tampered package without any error — including under--frozen-lockfile. pnpm now fails closed at lockfile-read time withERR_PNPM_MISSING_TARBALL_INTEGRITY. Git-hosted tarballs (gitHosted: trueor a URL on codeload.github.com / bitbucket.org / gitlab.com) andfile:tarballs are exempt — the commit SHA in a git-host URL and the user-controlled local path already anchor the bytes.Platinum Sponsors
Gold Sponsors
v10.34.0: pnpm 10.34Compare Source
Minor Changes
Treat tarball-integrity mismatches against the lockfile as a hard failure by default. Previously,
pnpm install(non-frozen) would logERR_PNPM_TARBALL_INTEGRITY, silently re-resolve from the registry, and overwrite the locked integrity — which meant a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed lockfile.pnpm installnow exits withERR_PNPM_TARBALL_INTEGRITYand a hint pointing at the new opt-in flag.The only opt-in is
pnpm install --update-checksums— narrowly scoped to refreshing the locked integrity values from what the registry currently serves. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the operation is auditable.--forceandpnpm updatedeliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide.--frozen-lockfilebehavior is unchanged.--fix-lockfilekeeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.Patch Changes
_authToken,_auth,username/_password,tokenHelper, inlinecert/key) to the registry declared in the same config source at load time, so a later layer overridingregistry=(workspace.npmrc,pnpm-workspace.yaml, CLI--registry) cannot redirect a credential or client certificate authored for a different host. A deprecation warning is emitted whenever an unscoped per-registry setting is encountered, naming the source and the URL it was pinned to. Reported by JUNYI LIU.minimumReleaseAgehandling when cached metadata is abbreviated. The npm registry returns abbreviated package metadata (without the per-versiontimefield) by default, which made the maturity check throwERR_PNPM_MISSING_TIMEwhenever cached abbreviated metadata was reused. pnpm now upgrades cached abbreviated metadata to the full document via a follow-up fetch whenminimumReleaseAgeis active, persists the upgrade to the on-disk cache so subsequent installs skip the extra fetch, and letsERR_PNPM_MISSING_TIMEfrom the cache fast-path fall through to the network fetch even under strict mode.commitfield is not a 40-character hexadecimal SHA before invokinggit. A malicious lockfile could otherwise smuggle a value such as--upload-pack=<command>throughgit fetch/git checkout, which on SSH or local-file transports executes the supplied command.diff --githeaders reference paths outside the patched package directory. Previously a malicious.patchfile added via a pull request could write, delete, or rename arbitrary files reachable by the user runningpnpm install.--prefix=<dir>not being honored when locating the workspace root. The--prefix → dirrename was applied after workspace detection, so workspace settings declared in<dir>/pnpm-workspace.yamlwere not loaded when pnpm was invoked from outside<dir>#11535.@x/../../../../../.git/hooks) when reading them from a package manifest or symlinking them intonode_modules. A malicious registry package could otherwise use a transitive dependency key to makepnpm installcreate symlinks at attacker-chosen paths outside the intendednode_modulesdirectory.Platinum Sponsors
Gold Sponsors
v10.33.4: pnpm 10.33.4Compare Source
Patch Changes
Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.
A new
gitHosted: truefield is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.Fix a regression where
pnpm --recursive --filter '!<pkg>' run/exec/test/addwould include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative--filterarguments are provided, matching the documented behavior. To include the root, pass--include-workspace-root#11341.Platinum Sponsors
Gold Sponsors
v10.33.3: pnpm 10.33.3Compare Source
Patch Changes
@pnpm/exeto v11+ on Intel macOS (darwin-x64),pnpm self-updatenow transparently switches to the JS-onlypnpmpackage on npm instead of installing@pnpm/exe@v11+(which doesn't ship a working binary for Intel Macs because of an upstream Node.js SEA bug — see #11423 and nodejs/node#62893). Without this, the self-update would silently leave the user with no workingpnpmbinary. The new install requires Node.js to be available onPATH; a warning is printed when the swap happens. All other host/version combinations are unchanged.pnpm self-update(with no version argument) no longer downgrades pnpm when the registry'slatestdist-tag points to an older release than the currently active version. Runpnpm self-update latestto force a downgrade #11418.Platinum Sponsors
Gold Sponsors
v10.33.2: pnpm 10.33.2Compare Source
Patch Changes
Globally-installed bins no longer fail with
ERR_PNPM_NO_IMPORTER_MANIFEST_FOUNDwhen pnpm was installed via the standalone@pnpm/exebinary (e.g.curl -fsSL https://get.pnpm.io/install.sh | sh -) on a system without a separate Node.js installation. Previously, whenwhich('node')failed duringpnpm add --global, pnpm fell back toprocess.execPath, which in@pnpm/exeis the pnpm binary itself — and that path was baked into the generated bin shim, causing the shim to invoke pnpm instead of Node #11291, #4645.Fix an infinite fork-bomb that could happen when pnpm was installed with one version (e.g.
npm install -g pnpm@A) and run inside a project whosepackage.jsonselected a different pnpm version via thepackageManagerfield (e.g.pnpm@B), while apnpm-workspace.yamlalso existed at the project root.The child's environment is now forced to
manage-package-manager-versions=false(v10) andpm-on-fail=ignore(v11+), which disables the package-manager-version handling in whichever pnpm runs as the child.Fixes #11337.
Platinum Sponsors
Gold Sponsors
v10.33.1: pnpm 10.33.1Compare Source
Patch Changes
packageManagerfield selects pnpm v11 or newer, commands that v10 would have passed through to npm (version,login,logout,publish,unpublish,deprecate,dist-tag,docs,ping,search,star,stars,unstar,whoami, etc.) are now handed over to the wanted pnpm, which implements them natively. Previously they silently shelled out to npm — making, for example,pnpm version --helpprint npm's help on a project withpackageManager: pnpm@11.0.0-rc.3#11328.Platinum Sponsors
Gold Sponsors
postcss/postcss (postcss)
v8.5.16Compare Source
Input#origin()position (by @mizdra).rawsafter rehydrating a JSON AST (by @sarathfrancis90).nodesof new node (by @MahinAnowar).offsetinpositionBy()(by @greymoth-jp).rangeBy()onindex: 0(by @sarathfrancis90).v8.5.15Compare Source
v8.5.14Compare Source
v8.5.13Compare Source
postcss-scsscommend regression.v8.5.12Compare Source
opts.unsafeMapto disable checks.v8.5.11Compare Source
v8.5.10Compare Source
</style>in non-bundler cases (by @TharVid).v8.5.9Compare Source
facebook/react (react)
v19.2.7Compare Source
React Server Components
FormDataentries in Server Actions which regressed in 19.2.6 (@unstubbable #36566)v19.2.6Compare Source
React Server Components
v19.2.5Compare Source
React Server Components
vitest-dev/vitest (vitest)
v4.1.10Compare Source
🐞 Bug Fixes
View changes on GitHub
v4.1.9Compare Source
🐞 Bug Fixes
importOriginalwith optimizer and query import [backport to v4] - by Hiroshi Ogawa, David Harris, Codexand Vladimir in #10546 (a5180)View changes on GitHub
v4.1.8Compare Source
🐞 Bug Fixes
cdpAPI whenallowWrite/allowExec: false[backport to v4] - by @hi-ogawa and Codex in #10450 (e4067)View changes on GitHub
v4.1.7Compare Source
🐞 Bug Fixes
View changes on GitHub
v4.1.6Compare Source
🐞 Bug Fixes
ToMatchScreenshotResolvePath- by @macarie and @sheremet-va in #10138 (31882)sequence.concurrent: truewith top-leveltest(..., { concurrent: false })+ depreactesequentialtest API and options - by @hi-ogawa, Codex and @sheremet-va in #10196 (2847d)🏎 Performance
View changes on GitHub
v4.1.5Compare Source
🚀 Experimental Features
instrumenteroption - by @BartWaardenburg and @AriPerkkio in #10119 (0e0ff)🐞 Bug Fixes
vi.defineHelpercalled as object method - by @hi-ogawa in #10163 (122c2)agentreporter tominimal- by @sheremet-va in #10157 (663b9)View changes on GitHub
v4.1.4Compare Source
🚀 Experimental Features
skipFullif agent detected - by @hi-ogawa in #10018 (53757)assertionas a public field - by @sheremet-va in #10095 (a120e)🐞 Bug Fixes
expect(..., message)consistent as error message prefix - by @hi-ogawa and Codex in #10068 (a1b5f)View changes on GitHub
v4.1.3Compare Source
🚀 Experimental Features
experimental.preParseflag - by @sheremet-va in #10070 (78273)browser.locators.exactoption - by @sheremet-va in #10013 (48799)TestAttachment.bodyEncoding- by @hi-ogawa in #9969 (89ca0)🐞 Bug Fixes
expect.pollinterval - by @hi-ogawa and Claude Sonnet 4.6 in #10022 (3f5bf)@vitest/coverage-v8and@vitest/coverage-istanbulas optional dependency - by @alan-agius4 in #10025 (146d4)defineHelperfor webkit async stack trace + update playwright 1.59.0 - by @hi-ogawa in #10036 (5a5fa)JestExtendError.contextfrom verbose error reporting - by @hi-ogawa in #9983 (66751)vitest- by @hi-ogawa and Codex in #10042 (691d3)View changes on GitHub
yarnpkg/berry (yarn)
v4.17.0: v4.17.0Compare Source
What's Changed
New Contributors
Full Changelog: https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.16.0...@​yarnpkg/cli/4.17.0
v4.16.0: v4.16.0Compare Source
What's Changed
New Contributors
Full Changelog: https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.15.0...@​yarnpkg/cli/4.16.0
v4.15.0: v4.15.0Compare Source
What's Changed
npmMinimalAgeGate: 1dthe default by @arcanis in #7135New Contributors
Full Changelog: https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.14.1...@​yarnpkg/cli/4.15.0
v4.14.1: v4.14.1Compare Source
What's Changed
New Contributors
Full Changelog: https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.14.0...@​yarnpkg/cli/4.14.1
v4.14.0: v4.14.0Compare Source
What's Changed
required under PnP by @clemyan in #7077enableScripts: falsethe default by @arcanis in #7089exec:protocol respectenableScriptsby @arcanis in #7090approvedGitRepositoriesby @arcanis in #7091New Contributors
Full Changelog: https://github.com/yarnpkg/berry/compare/@yarnpkg/cli/4.13.0...@​yarnpkg/cli/4.14.0
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.
This PR has been generated by Mend Renovate.
991c822f2dto7731a4c8d77731a4c8d7to558035b53a558035b53ato587fa1d358587fa1d358toaaf51c0940aaf51c0940to924ffa5dcc924ffa5dccto571f8c7fdd571f8c7fddto902b6a8862View command line instructions
Checkout
From your project repository, check out a new branch and test the changes.