[pull] main from nodejs:main

CHANGELOG.md

@@ -41,13 +41,15 @@ release.
 </tr>
 <tr>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V25.md#25.2.1">25.2.1</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V25.md#25.3.0">25.3.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V25.md#25.2.1">25.2.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V25.md#25.2.0">25.2.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V25.md#25.1.0">25.1.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V25.md#25.0.0">25.0.0</a><br/>
   </td>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V24.md#24.12.0">24.12.0</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V24.md#24.13.0">24.13.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V24.md#24.12.0">24.12.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V24.md#24.11.1">24.11.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V24.md#24.11.0">24.11.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V24.md#24.10.0">24.10.0</a><br/>
@@ -66,7 +68,8 @@ release.
 <a href="doc/changelogs/CHANGELOG_V24.md#24.0.0">24.0.0</a><br/>
   </td>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V22.md#22.21.1">22.21.1</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V22.md#22.22.0">22.22.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V22.md#22.21.1">22.21.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V22.md#22.21.0">22.21.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V22.md#22.20.0">22.20.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V22.md#22.19.0">22.19.0</a><br/>
@@ -96,7 +99,8 @@ release.
 <a href="doc/changelogs/CHANGELOG_V22.md#22.0.0">22.0.0</a><br/>
   </td>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V20.md#20.19.6">20.19.6</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V20.md#20.20.0">20.20.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V20.md#20.19.6">20.19.6</a><br/>
 <a href="doc/changelogs/CHANGELOG_V20.md#20.19.5">20.19.5</a><br/>
 <a href="doc/changelogs/CHANGELOG_V20.md#20.19.4">20.19.4</a><br/>
 <a href="doc/changelogs/CHANGELOG_V20.md#20.19.3">20.19.3</a><br/>

doc/changelogs/CHANGELOG_V20.md

@@ -9,6 +9,7 @@
 </tr>
 <tr>
 <td>
+<a href="#20.20.0">20.20.0</a><br/>
 <a href="#20.19.6">20.19.6</a><br/>
 <a href="#20.19.5">20.19.5</a><br/>
 <a href="#20.19.4">20.19.4</a><br/>
@@ -80,6 +81,38 @@
   * [io.js](CHANGELOG_IOJS.md)
   * [Archive](CHANGELOG_ARCHIVE.md)
 
+<a id="20.20.0"></a>
+
+## 2026-01-13, Version 20.20.0 'Iron' (LTS), @marco-ippolito
+
+This is a security release.
+
+### Notable Changes
+
+lib:
+
+* (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/802>
+* (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/797>
+  lib,permission:
+* (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/760>
+  src:
+* (CVE-2025-59466) rethrow stack overflow exceptions in async\_hooks (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/773>
+  src,lib:
+* (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) <https://github.com/nodejs-private/node-private/pull/759>
+  tls:
+* (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/796>
+
+### Commits
+
+* \[[`8f9ba3f623`](https://github.com/nodejs/node/commit/8f9ba3f623)] - **deps**: update c-ares to v1.34.6 (Node.js GitHub Bot) [#60997](https://github.com/nodejs/node/pull/60997)
+* \[[`97fc9b0eb7`](https://github.com/nodejs/node/commit/97fc9b0eb7)] - **deps**: update undici to 6.23.0 (Matteo Collina) [nodejs-private/node-private#792](https://github.com/nodejs-private/node-private/pull/792)
+* \[[`14fbbb510c`](https://github.com/nodejs/node/commit/14fbbb510c)] - **(CVE-2025-55132)** **lib**: disable futimes when permission model is enabled (RafaelGSS) [nodejs-private/node-private#802](https://github.com/nodejs-private/node-private/pull/802)
+* \[[`1febc48d5b`](https://github.com/nodejs/node/commit/1febc48d5b)] - **(CVE-2025-59465)** **lib**: add TLSSocket default error handler (RafaelGSS) [nodejs-private/node-private#797](https://github.com/nodejs-private/node-private/pull/797)
+* \[[`494f62dc23`](https://github.com/nodejs/node/commit/494f62dc23)] - **(CVE-2025-55130)** **lib,permission**: require full read and write to symlink APIs (RafaelGSS) [nodejs-private/node-private#760](https://github.com/nodejs-private/node-private/pull/760)
+* \[[`d7a5c587c0`](https://github.com/nodejs/node/commit/d7a5c587c0)] - **(CVE-2025-59466)** **src**: rethrow stack overflow exceptions in async\_hooks (Matteo Collina) [nodejs-private/node-private#773](https://github.com/nodejs-private/node-private/pull/773)
+* \[[`51f4de4b4a`](https://github.com/nodejs/node/commit/51f4de4b4a)] - **(CVE-2025-55131)** **src,lib**: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) [nodejs-private/node-private#759](https://github.com/nodejs-private/node-private/pull/759)
+* \[[`85f73e7057`](https://github.com/nodejs/node/commit/85f73e7057)] - **(CVE-2026-21637)** **tls**: route callback exceptions through error handlers (Matteo Collina) [nodejs-private/node-private#796](https://github.com/nodejs-private/node-private/pull/796)
+
 <a id="20.19.6"></a>
 
 ## 2025-11-25, Version 20.19.6 'Iron' (LTS), @marco-ippolito

doc/changelogs/CHANGELOG_V22.md

@@ -9,6 +9,7 @@
 </tr>
 <tr>
 <td>
+<a href="#22.22.0">22.22.0</a><br/>
 <a href="#22.21.1">22.21.1</a><br/>
 <a href="#22.21.0">22.21.0</a><br/>
 <a href="#22.20.0">22.20.0</a><br/>
@@ -70,6 +71,38 @@
   * [io.js](CHANGELOG_IOJS.md)
   * [Archive](CHANGELOG_ARCHIVE.md)
 
+<a id="22.22.0"></a>
+
+## 2026-01-13, Version 22.22.0 'Jod' (LTS), @marco-ippolito
+
+This is a security release.
+
+### Notable Changes
+
+lib:
+
+* (CVE-2025-59465) add TLSSocket default error handler
+* (CVE-2025-55132) disable futimes when permission model is enabled
+  lib,permission:
+* (CVE-2025-55130) require full read and write to symlink APIs
+  src:
+* (CVE-2025-59466) rethrow stack overflow exceptions in async\_hooks
+  src,lib:
+* (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle
+  tls:
+* (CVE-2026-21637) route callback exceptions through error handlers
+
+### Commits
+
+* \[[`6badf4e6f4`](https://github.com/nodejs/node/commit/6badf4e6f4)] - **deps**: update c-ares to v1.34.6 (Node.js GitHub Bot) [#60997](https://github.com/nodejs/node/pull/60997)
+* \[[`37509c3ff0`](https://github.com/nodejs/node/commit/37509c3ff0)] - **deps**: update undici to 6.23.0 (Matteo Collina) [nodejs-private/node-private#791](https://github.com/nodejs-private/node-private/pull/791)
+* \[[`eb8e41f8db`](https://github.com/nodejs/node/commit/eb8e41f8db)] - **(CVE-2025-59465)** **lib**: add TLSSocket default error handler (RafaelGSS) [nodejs-private/node-private#797](https://github.com/nodejs-private/node-private/pull/797)
+* \[[`ebbf942a83`](https://github.com/nodejs/node/commit/ebbf942a83)] - **(CVE-2025-55132)** **lib**: disable futimes when permission model is enabled (RafaelGSS) [nodejs-private/node-private#748](https://github.com/nodejs-private/node-private/pull/748)
+* \[[`6b4849583a`](https://github.com/nodejs/node/commit/6b4849583a)] - **(CVE-2025-55130)** **lib,permission**: require full read and write to symlink APIs (RafaelGSS) [nodejs-private/node-private#760](https://github.com/nodejs-private/node-private/pull/760)
+* \[[`ddadc31f09`](https://github.com/nodejs/node/commit/ddadc31f09)] - **(CVE-2025-59466)** **src**: rethrow stack overflow exceptions in async\_hooks (Matteo Collina) [nodejs-private/node-private#773](https://github.com/nodejs-private/node-private/pull/773)
+* \[[`d4d9f3915f`](https://github.com/nodejs/node/commit/d4d9f3915f)] - **(CVE-2025-55131)** **src,lib**: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) [nodejs-private/node-private#759](https://github.com/nodejs-private/node-private/pull/759)
+* \[[`25d6799df6`](https://github.com/nodejs/node/commit/25d6799df6)] - **(CVE-2026-21637)** **tls**: route callback exceptions through error handlers (Matteo Collina) [nodejs-private/node-private#796](https://github.com/nodejs-private/node-private/pull/796)
+
 <a id="22.21.1"></a>
 
 ## 2025-10-28, Version 22.21.1 'Jod' (LTS), @aduh95

doc/changelogs/CHANGELOG_V24.md

@@ -9,6 +9,7 @@
 </tr>
 <tr>
 <td>
+<a href="#24.13.0">24.13.0</a><br/>
 <a href="#24.12.0">24.12.0</a><br/>
 <a href="#24.11.1">24.11.1</a><br/>
 <a href="#24.11.0">24.11.0</a><br/>
@@ -59,6 +60,38 @@
   * [io.js](CHANGELOG_IOJS.md)
   * [Archive](CHANGELOG_ARCHIVE.md)
 
+<a id="24.13.0"></a>
+
+## 2026-01-13, Version 24.13.0 'Krypton' (LTS), @marco-ippolito
+
+This is a security release.
+
+### Notable Changes
+
+lib:
+
+* (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/797>
+* (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/748>
+  lib,permission:
+* (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/760>
+  src:
+* (CVE-2025-59466) rethrow stack overflow exceptions in async\_hooks (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/773>
+  src,lib:
+* (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) <https://github.com/nodejs-private/node-private/pull/759>
+  tls:
+* (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/796>
+
+### Commits
+
+* \[[`2092785d01`](https://github.com/nodejs/node/commit/2092785d01)] - **deps**: update c-ares to v1.34.6 (Node.js GitHub Bot) [#60997](https://github.com/nodejs/node/pull/60997)
+* \[[`3e58b7f2af`](https://github.com/nodejs/node/commit/3e58b7f2af)] - **deps**: update undici to 7.18.2 (Node.js GitHub Bot) [#61283](https://github.com/nodejs/node/pull/61283)
+* \[[`4ba536a5a6`](https://github.com/nodejs/node/commit/4ba536a5a6)] - **(CVE-2025-59465)** **lib**: add TLSSocket default error handler (RafaelGSS) [nodejs-private/node-private#797](https://github.com/nodejs-private/node-private/pull/797)
+* \[[`89adaa21fd`](https://github.com/nodejs/node/commit/89adaa21fd)] - **(CVE-2025-55132)** **lib**: disable futimes when permission model is enabled (RafaelGSS) [nodejs-private/node-private#748](https://github.com/nodejs-private/node-private/pull/748)
+* \[[`7302b4dae1`](https://github.com/nodejs/node/commit/7302b4dae1)] - **(CVE-2025-55130)** **lib,permission**: require full read and write to symlink APIs (RafaelGSS) [nodejs-private/node-private#760](https://github.com/nodejs-private/node-private/pull/760)
+* \[[`ac030753c4`](https://github.com/nodejs/node/commit/ac030753c4)] - **(CVE-2025-59466)** **src**: rethrow stack overflow exceptions in async\_hooks (Matteo Collina) [nodejs-private/node-private#773](https://github.com/nodejs-private/node-private/pull/773)
+* \[[`20075692fe`](https://github.com/nodejs/node/commit/20075692fe)] - **(CVE-2025-55131)** **src,lib**: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) [nodejs-private/node-private#759](https://github.com/nodejs-private/node-private/pull/759)
+* \[[`20591b0618`](https://github.com/nodejs/node/commit/20591b0618)] - **(CVE-2026-21637)** **tls**: route callback exceptions through error handlers (Matteo Collina) [nodejs-private/node-private#796](https://github.com/nodejs-private/node-private/pull/796)
+
 <a id="24.12.0"></a>
 
 ## 2025-12-10, Version 24.12.0 'Krypton' (LTS), @targos

doc/changelogs/CHANGELOG_V25.md

@@ -8,6 +8,7 @@
 </tr>
 <tr>
 <td>
+<a href="#25.3.0">25.3.0</a><br/>
 <a href="#25.2.1">25.2.1</a><br/>
 <a href="#25.2.0">25.2.0</a><br/>
 <a href="#25.1.0">25.1.0</a><br/>
@@ -43,6 +44,40 @@
   * [io.js](CHANGELOG_IOJS.md)
   * [Archive](CHANGELOG_ARCHIVE.md)
 
+<a id="25.3.0"></a>
+
+## 2026-01-13, Version 25.3.0 (Current), @RafaelGSS
+
+This is a security release.
+
+### Notable Changes
+
+lib:
+
+* (CVE-2025-59465) add TLSSocket default error handler (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/750>
+  permission:
+* (CVE-2026-21636) add network check on pipe\_wrap connect (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/784>
+* (CVE-2025-55130) require full read and write to symlink APIs (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/760>
+* (CVE-2025-55132) disable futimes when permission model is enabled (RafaelGSS) <https://github.com/nodejs-private/node-private/pull/748>
+  src:
+* (CVE-2025-59466) rethrow stack overflow exceptions in async\_hooks (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/773>
+  src,lib:
+* (CVE-2025-55131) refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) <https://github.com/nodejs-private/node-private/pull/759>
+  tls:
+* (CVE-2026-21637) route callback exceptions through error handlers (Matteo Collina) <https://github.com/nodejs-private/node-private/pull/790>
+
+### Commits
+
+* \[[`a6a74b89a7`](https://github.com/nodejs/node/commit/a6a74b89a7)] - **deps**: update c-ares to v1.34.6 (Node.js GitHub Bot) [#60997](https://github.com/nodejs/node/pull/60997)
+* \[[`5100614e26`](https://github.com/nodejs/node/commit/5100614e26)] - **deps**: update undici to 7.18.2 (Node.js GitHub Bot) [#61283](https://github.com/nodejs/node/pull/61283)
+* \[[`f0a8916887`](https://github.com/nodejs/node/commit/f0a8916887)] - **(CVE-2025-59465)** **lib**: add TLSSocket default error handler (RafaelGSS) [nodejs-private/node-private#750](https://github.com/nodejs-private/node-private/pull/750)
+* \[[`b4b887c5f7`](https://github.com/nodejs/node/commit/b4b887c5f7)] - **(CVE-2025-55132)** **lib**: disable futimes when permission model is enabled (RafaelGSS) [nodejs-private/node-private#748](https://github.com/nodejs-private/node-private/pull/748)
+* \[[`26be208039`](https://github.com/nodejs/node/commit/26be208039)] - **(CVE-2025-55130)** **lib,permission**: require full read and write to symlink APIs (RafaelGSS) [nodejs-private/node-private#760](https://github.com/nodejs-private/node-private/pull/760)
+* \[[`bdf5873d44`](https://github.com/nodejs/node/commit/bdf5873d44)] - **(CVE-2026-21636)** **permission**: add network check on pipe\_wrap connect (RafaelGSS) [nodejs-private/node-private#784](https://github.com/nodejs-private/node-private/pull/784)
+* \[[`0578e3e921`](https://github.com/nodejs/node/commit/0578e3e921)] - **(CVE-2025-59466)** **src**: rethrow stack overflow exceptions in async\_hooks (Matteo Collina) [nodejs-private/node-private#773](https://github.com/nodejs-private/node-private/pull/773)
+* \[[`4d6b55a6d1`](https://github.com/nodejs/node/commit/4d6b55a6d1)] - **(CVE-2025-55131)** **src,lib**: refactor unsafe buffer creation to remove zero-fill toggle (Сковорода Никита Андреевич) [nodejs-private/node-private#759](https://github.com/nodejs-private/node-private/pull/759)
+* \[[`c357a39e14`](https://github.com/nodejs/node/commit/c357a39e14)] - **(CVE-2026-21637)** **tls**: route callback exceptions through error handlers (Matteo Collina) [nodejs-private/node-private#790](https://github.com/nodejs-private/node-private/pull/790)
+
 <a id="25.2.1"></a>
 
 ## 2025-11-17, Version 25.2.1 (Current), @aduh95