Merged
131 changes: 131 additions & 0 deletions apps/site/pages/en/blog/release/v22.23.0.md
@@ -0,0 +1,131 @@
---
date: '2026-06-18T04:38:19.322Z'
category: release
title: Node.js 22.23.0 (LTS)
layout: blog-post
author: Antoine du Hamel
---

## 2026-06-18, Version 22.23.0 'Jod' (LTS), @aduh95

This is a security release.

### Notable Changes

- (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
- (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
- (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
- (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
- (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
- (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
- (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
- (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
- (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
- (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
- (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

### Commits

- \[[`38b4c5ed51`](https://github.com/nodejs/node/commit/38b4c5ed51)] - **(CVE-2026-48933)** **crypto**: guard WebCrypto cipher output length (Filip Skokan) [nodejs-private/node-private#878](https://github.com/nodejs-private/node-private/pull/878)
- \[[`ad8a10c1bb`](https://github.com/nodejs/node/commit/ad8a10c1bb)] - **deps**: update llhttp to 9.4.2 (Antoine du Hamel) [nodejs-private/node-private#890](https://github.com/nodejs-private/node-private/pull/890)
- \[[`ca825a87cc`](https://github.com/nodejs/node/commit/ca825a87cc)] - **deps**: update undici to 6.27.0 (aduh95) [#63711](https://github.com/nodejs/node/pull/63711)
- \[[`a1a5bb9683`](https://github.com/nodejs/node/commit/a1a5bb9683)] - **(CVE-2026-48937)** **deps**: fix integration issues with the latest nghttp2 (Tim Perry) [#62891](https://github.com/nodejs/node/pull/62891)
- \[[`0f48583512`](https://github.com/nodejs/node/commit/0f48583512)] - **(SEMVER-MAJOR)** **deps**: update nghttp2 to 1.69.0 (Node.js GitHub Bot) [#62891](https://github.com/nodejs/node/pull/62891)
- \[[`38c869fc05`](https://github.com/nodejs/node/commit/38c869fc05)] - **deps**: update nghttp2 to 1.68.0 (nodejs-github-bot) [#61136](https://github.com/nodejs/node/pull/61136)
- \[[`290667c84f`](https://github.com/nodejs/node/commit/290667c84f)] - **deps**: update nghttp2 to 1.67.1 (nodejs-github-bot) [#59790](https://github.com/nodejs/node/pull/59790)
- \[[`c9f3da76aa`](https://github.com/nodejs/node/commit/c9f3da76aa)] - **deps**: update nghttp2 to 1.66.0 (Node.js GitHub Bot) [#58786](https://github.com/nodejs/node/pull/58786)
- \[[`60890be563`](https://github.com/nodejs/node/commit/60890be563)] - **deps**: update nghttp2 to 1.65.0 (Node.js GitHub Bot) [#57269](https://github.com/nodejs/node/pull/57269)
- \[[`5024c7d5d8`](https://github.com/nodejs/node/commit/5024c7d5d8)] - **deps**: update archs files for openssl-3.5.7 (Node.js GitHub Bot) [#63820](https://github.com/nodejs/node/pull/63820)
- \[[`7f4eb5af2e`](https://github.com/nodejs/node/commit/7f4eb5af2e)] - **deps**: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) [#63820](https://github.com/nodejs/node/pull/63820)
- \[[`ebb4ec78a8`](https://github.com/nodejs/node/commit/ebb4ec78a8)] - **deps**: fix aix implicit declaration in OpenSSL (Abdirahim Musse) [#62656](https://github.com/nodejs/node/pull/62656)
- \[[`5763d40826`](https://github.com/nodejs/node/commit/5763d40826)] - **deps**: update llhttp to 9.4.1 (Node.js GitHub Bot) [#63045](https://github.com/nodejs/node/pull/63045)
- \[[`c551a51d0c`](https://github.com/nodejs/node/commit/c551a51d0c)] - **(CVE-2026-48930)** **dns,net**: reject hostnames with embedded NUL bytes (Matteo Collina) [nodejs-private/node-private#868](https://github.com/nodejs-private/node-private/pull/868)
- \[[`0a22d40180`](https://github.com/nodejs/node/commit/0a22d40180)] - **(CVE-2026-48931)** **http**: fix response queue poisoning in http.Agent (Matteo Collina) [nodejs-private/node-private#846](https://github.com/nodejs-private/node-private/pull/846)
- \[[`c79968e108`](https://github.com/nodejs/node/commit/c79968e108)] - **(CVE-2026-48619)** **http2**: cap originSet size to prevent unbounded memory growth (Matteo Collina) [nodejs-private/node-private#855](https://github.com/nodejs-private/node-private/pull/855)
- \[[`0c37bff2ff`](https://github.com/nodejs/node/commit/0c37bff2ff)] - **http2**: fix DEP0194 message (KaKa) [#58669](https://github.com/nodejs/node/pull/58669)
- \[[`ea5dc6b529`](https://github.com/nodejs/node/commit/ea5dc6b529)] - **(SEMVER-MAJOR)** **http2**: remove support for priority signaling (Matteo Collina) [#58293](https://github.com/nodejs/node/pull/58293)
- \[[`9b6af26132`](https://github.com/nodejs/node/commit/9b6af26132)] - **(CVE-2026-48615)** **lib,test**: redact proxy credentials in tunnel errors (Matteo Collina) [nodejs-private/node-private#867](https://github.com/nodejs-private/node-private/pull/867)
- \[[`28dcd38864`](https://github.com/nodejs/node/commit/28dcd38864)] - **(CVE-2026-48935)** **permission**: disable FileHandle utimes with permission model (RafaelGSS) [nodejs-private/node-private#873](https://github.com/nodejs-private/node-private/pull/873)
- \[[`2f62693801`](https://github.com/nodejs/node/commit/2f62693801)] - **(CVE-2026-48617)** **permission**: handle process.chdir on writereport (RafaelGSS) [nodejs-private/node-private#870](https://github.com/nodejs-private/node-private/pull/870)
- \[[`1662a3ea09`](https://github.com/nodejs/node/commit/1662a3ea09)] - **test**: add session reuse host verification regressions (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854)
- \[[`718d5d0e2c`](https://github.com/nodejs/node/commit/718d5d0e2c)] - **test**: skip `test-fs-utimes-y2K38` on armv7 (Richard Lau) [#63836](https://github.com/nodejs/node/pull/63836)
- \[[`041185b61f`](https://github.com/nodejs/node/commit/041185b61f)] - **test**: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) [#62238](https://github.com/nodejs/node/pull/62238)
- \[[`fd890ba01d`](https://github.com/nodejs/node/commit/fd890ba01d)] - **(CVE-2026-48934)** **tls**: bind reusable sessions to authenticated host (Matteo Collina) [nodejs-private/node-private#854](https://github.com/nodejs-private/node-private/pull/854)
- \[[`39d1d09684`](https://github.com/nodejs/node/commit/39d1d09684)] - **(CVE-2026-48928)** **tls**: fix case-sensitive SNI context matching (Matteo Collina) [nodejs-private/node-private#857](https://github.com/nodejs-private/node-private/pull/857)
- \[[`2197a47144`](https://github.com/nodejs/node/commit/2197a47144)] - **(CVE-2026-48618)** **tls**: normalize hostname for server identity checks (Matteo Collina) [nodejs-private/node-private#869](https://github.com/nodejs-private/node-private/pull/869)

Windows 32-bit Installer: https://nodejs.org/dist/v22.23.0/node-v22.23.0-x86.msi \
Windows 64-bit Installer: https://nodejs.org/dist/v22.23.0/node-v22.23.0-x64.msi \
Windows ARM 64-bit Installer: https://nodejs.org/dist/v22.23.0/node-v22.23.0-arm64.msi \
Windows 32-bit Binary: https://nodejs.org/dist/v22.23.0/win-x86/node.exe \
Windows 64-bit Binary: https://nodejs.org/dist/v22.23.0/win-x64/node.exe \
Windows ARM 64-bit Binary: https://nodejs.org/dist/v22.23.0/win-arm64/node.exe \
macOS 64-bit Installer: https://nodejs.org/dist/v22.23.0/node-v22.23.0.pkg \
macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-darwin-arm64.tar.gz \
macOS Intel 64-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-darwin-x64.tar.gz \
Linux 64-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-linux-x64.tar.xz \
Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-linux-ppc64le.tar.xz \
Linux s390x 64-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-linux-s390x.tar.xz \
AIX 64-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-aix-ppc64.tar.gz \
ARMv7 32-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-linux-armv7l.tar.xz \
ARMv8 64-bit Binary: https://nodejs.org/dist/v22.23.0/node-v22.23.0-linux-arm64.tar.xz \
Source Code: https://nodejs.org/dist/v22.23.0/node-v22.23.0.tar.gz \
Other release files: https://nodejs.org/dist/v22.23.0/ \
Documentation: https://nodejs.org/docs/v22.23.0/api/

### SHASUMS

```
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

5c595ef33e1b1dcd48128690ab599cf246b51abed470928706edaf56f1d04248 node-v22.23.0-aix-ppc64.tar.gz
d963392c08a9d0f7f1458410a43c8c0e7dd78712f01b5ffa561f00a3044a47ff node-v22.23.0-arm64.msi
e0f383a215dd3093de6d2c74f87056dc2306a2e09ad494cbffdba28f89046f56 node-v22.23.0-darwin-arm64.tar.gz
69a741a8938e3efbd7098ca1681a179f771bc9bbf733a799e9ed81949a602f73 node-v22.23.0-darwin-arm64.tar.xz
dc2ccab261fd70c347e4cc52085d8d226f471ccba1fc2a7252283949b31ca9f9 node-v22.23.0-darwin-x64.tar.gz
c339a9bc031a98bac0dba90f57370ac5ae68e4549045c8f51e740f375a0b8799 node-v22.23.0-darwin-x64.tar.xz
ac07673009b92d70f3d842df28204e92785234bae6b4d5785f63fbca8408fc69 node-v22.23.0-headers.tar.gz
b0a0a71751aa17ac9190a47c34d1439a2118493dcc323c5eae27fb691b8446d9 node-v22.23.0-headers.tar.xz
0c96aa074abd109e0b5da8d10202a9bbcea9bcf9ddb587b20944f71b8f21f8c8 node-v22.23.0-linux-arm64.tar.gz
4018815ac1bed4f18208901bbde524fee881253b591ee7bc952660e69bd057af node-v22.23.0-linux-arm64.tar.xz
2a6ac877b2381711c55178052a6f481171e0964c2f8d33d0cfe36d8e35f1c2c0 node-v22.23.0-linux-armv7l.tar.gz
6f983135f5bbf1bf017686c93bbabcb616473578f75ef43c773c1556b404a50a node-v22.23.0-linux-armv7l.tar.xz
740fa84ba1d3e7f5d3155f9f7b71e2189d2fbba119df0c0c59533dc7e415efe1 node-v22.23.0-linux-ppc64le.tar.gz
864760dde36a03bf0da8f74b511c41a31adae4f50284a20066518775269539aa node-v22.23.0-linux-ppc64le.tar.xz
274c8946cd95bd3b7b586c1bfb35de315836f9e8863e29dd264decc73e652b8a node-v22.23.0-linux-s390x.tar.gz
8c5ba195dff6c11a292ffbe199931c7b52d3f233d25fa908718b99d0e0f9d09d node-v22.23.0-linux-s390x.tar.xz
535eeb608ca1e0b71d49a0e36991d449d5f935fbb04eca61677519b010cd673a node-v22.23.0-linux-x64.tar.gz
14d7de44f235534799f8b171a4050d9a6a4bc99c87e053a25d3d54afa580aa20 node-v22.23.0-linux-x64.tar.xz
e42354513cbee40eba62db30cd8132bbc2a1896c4f6f85483bd67e318c115cc0 node-v22.23.0-win-arm64.7z
8d540a7a1eeb3ff6681f516c47d786964b874acdaa4fd83338d6898bbb4f68a4 node-v22.23.0-win-arm64.zip
b9114632eff5fd061da5ec72656b13e50ca9736af5551f0737f10b26cba2a12b node-v22.23.0-win-x64.7z
425a5bd68cc95e8eb16bcccd0a75081b48983fc6a26f67126bd4d6c7198231e8 node-v22.23.0-win-x64.zip
21ef41b8a7e9904643f813db751d75599ef0c5774845b534ad70c46aa8d0c14c node-v22.23.0-win-x86.7z
28948dbed0828d20cf64aca0a451fa38967214ccb87d02e7048db6398545b0c0 node-v22.23.0-win-x86.zip
aea5493d05c20996a817c45312d9bc8c6b062bfb6737afc2bab542c42fbb8835 node-v22.23.0-x64.msi
87154158fa4ad843e0e03a08c2f7d17b414bbd4a74b1986d7b011403edffd511 node-v22.23.0-x86.msi
62e5eb26a68aadf2458e3a3eaf84fae9ecc4870aeaabcefc636b69997552842e node-v22.23.0.pkg
61fd42cd1c3ff04a849f5ad5d08c58b111831944b5b94bc90fc623eab41418a2 node-v22.23.0.tar.gz
3acfae100c7b855a4c76520ee0f95cadcace3f4254f16b7d4887f178fc95d4a0 node-v22.23.0.tar.xz
abe829ba4e4fbabdcf3117ac013ecbb61469c2ccebebb87f84b41c7cdd8dfaf9 win-arm64/node.exe
e56e62f4a7ae6643a40db01f09072e8a93ccbe73be8abff927b793344691d6b7 win-arm64/node.lib
35a4655f6475f6387e13938439f925cb8ab33cf74721f88b1d77f5c855285c95 win-arm64/node_pdb.7z
d81c12c2a42291a4f8317313f8e8d19ba9cd9a9fd722d0aba3e13e64d1fcdedc win-arm64/node_pdb.zip
17347995af08dadcc73a1a154f0942559fbc3f37b9ba57d4576b4d2bcb2834a2 win-x64/node.exe
ac15f1e9d7c8279353723a77f6319967f1a41c06026521094a8234c2e6fbe052 win-x64/node.lib
901e9eef6f41c2b2a4a17670edc7854f7434bbb3120815bb8c146e244c2527e4 win-x64/node_pdb.7z
8b4d97c4454f37dc2a4dbe5821f428fc45ef066fb076ce6f395cc45c76aab692 win-x64/node_pdb.zip
8b4369dd36679fcaf7146d6627d1ca1c1ea04bf933f91f9c61630d158df82bc0 win-x86/node.exe
66949ba371a159f5e3626f6ce960f85ab6bcdd237eafcdfbc11d1377a2767652 win-x86/node.lib
a52afc61556fee95d22f0a401a761714d585f5596b7cf92d175a3f238b08bdba win-x86/node_pdb.7z
8df46485e8d327e66eea65538845bdf31350ed76d921c6512ec6fa044a814a7e win-x86/node_pdb.zip

-----BEGIN PGP SIGNATURE-----

iHUEARYIAB0WIQRb6KP2yKXAHRBsCtggsaOQsWjTVgUCajN0uQAKCRAgsaOQsWjT
VrCOAQCGN/ZUCGhmojChsyAmHwY6dkE0C6v+pkT+R2Z0gi6M4AD9HGnS7wyeo2qY
+2RqcJ1iGGuYD7/DPIY1emFpLja9hws=
=nIm4
-----END PGP SIGNATURE-----
```
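Review bot: Two entries under "### Commits" are tagged (SEMVER-MAJOR), `deps: update nghttp2 to 1.69.0` (#62891) and `http2: remove support for priority signaling` (#58293), yet "### Notable Changes" mentions neither. Readers picking up a 22.x LTS security release will not expect a removal, so I would add a Notable Changes entry stating that HTTP/2 priority signaling support is removed in this release and that nghttp2 moves to 1.69.0, linking both PRs. The CVE-2026-48937 fix shares PR #62891 with that nghttp2 update, so it is worth saying whether the major bump was needed to deliver it. Smaller point in the same list: the CVE-2026-48937 line is the only Notable Changes entry without an author, while the commit list credits Tim Perry for it.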