chore(deps): update node.js to v24.18.0

[ffurrer2-renovate]

This PR contains the following updates:

Package	Update	Change
node (source)	minor	24.16.0 → 24.18.0

---

Release Notes

nodejs/node (node)

v24.18.0: 2026-06-23, Version 24.18.0 'Krypton' (LTS), @​richardlau prepared by @​sxa

Compare Source

Notable Changes

• [e07e7a31e1] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #​63527
• [44c8ebcbd6] - http: avoid stream listeners on idle agent sockets (Matteo Collina) #​64004
• [d3ef4122ee] - (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #​63597
• [bb2857b85a] - (SEMVER-MINOR) crypto: align key argument names in docs and error messages (Filip Skokan) #​62527
• [b9d5e87880] - (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #​62527
• [ccd756d61e] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #​62183
• [4c9251fc09] - (SEMVER-MINOR) http: add writeInformation to send arbitrary 1xx status codes (Tim Perry) #​63155
• [8c989ec4a3] - (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #​63079
• [3f54c8ba32] - Revert "stream: noop pause/resume on destroyed streams" (Stewart X Addison) #​63834

Commits

• [d3ef4122ee] - (SEMVER-MINOR) buffer: increase Buffer.poolSize default to 64 KiB (Matteo Collina) #​63597
• [9ff36e40f0] - build: add --enable-all-experimentals build flag (Paolo Insogna) #​62755
• [7c22ee23aa] - build: def NODE_USE_NODE_CODE_CACHE only used in node_mksnapshot (Chengzhong Wu) #​63588
• [2551abdb4a] - build,win: enable x64 PGO (Stefan Stojanovic) #​62761
• [e8a55ce9b1] - crypto: strengthen argument CHECKs in TurboSHAKE (Tobias Nießen) #​62763
• [ae61cd68f3] - crypto: harden WebCrypto against prototype pollution (Filip Skokan) #​63363
• [3d05a1d396] - crypto: pass CryptoKey handles to KDF jobs (Filip Skokan) #​63363
• [f9d10a3f6b] - crypto: remove async from WebCrypto methods (Filip Skokan) #​63363
• [e431d93e9e] - crypto: add WebCrypto CryptoJob mode (Filip Skokan) #​63363
• [56e2505e48] - crypto: wire ML-DSA and ML-KEM for use when using BoringSSL (Filip Skokan) #​63255
• [3bac77f2a8] - crypto: wire ChaCha20-Poly1305 in Web Cryptography when using BoringSSL (Filip Skokan) #​63255
• [1bff901b09] - crypto: wire AES-KW in Web Cryptography when using BoringSSL (Filip Skokan) #​63255
• [4433fca3df] - crypto: harden CryptoKey algorithm slots (Filip Skokan) #​63111
• [b5cf01217a] - crypto: harden KeyObject internal slots (Filip Skokan) #​63111
• [ce84aef37d] - crypto: add guards and adjust tests for BoringSSL (Filip Skokan) #​62883
• [26781689b0] - crypto: reject duplicate ML-KEM JWK key_ops (Filip Skokan) #​62905
• [aeea8f4970] - crypto: add JWK support for ML-KEM and SLH-DSA key types (Filip Skokan) #​62706
• [407cf91656] - crypto: guard against size_t overflow on experimental 32-bit arch (Filip Skokan) #​62626
• [bb2857b85a] - (SEMVER-MINOR) crypto: align key argument names in docs and error messages (Filip Skokan) #​62527
• [b9d5e87880] - (SEMVER-MINOR) crypto: accept key data in crypto.diffieHellman() and cleanup DH jobs (Filip Skokan) #​62527
• [b46d52b283] - crypto: unify asymmetric key import through KeyObjectHandle::Init (Filip Skokan) #​62499
• [ccd756d61e] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #​62183
• [e07e7a31e1] - crypto: update root certificates to NSS 3.123.1 (Node.js GitHub Bot) #​63527
• [61826df455] - crypto: coerce -0 keylen to +0 in pbkdf2 and scrypt (Jordan Harband) #​63531
• [16d2fd3c07] - crypto: align verifyOneShot accepted types (Anshika Jain) #​63280
• [3b8330deda] - crypto: improve system certificate enumeration logic on macOS (Robo) #​62576
• [141de35399] - debugger: add --help to node inspect and improve docs (Joyee Cheung) #​63201
• [b76bfcd4fa] - deps: upgrade npm to 11.16.0 (npm team) #​63602
• [4ec142314c] - deps: SQLite: cherry-pick b869ed6 (Junsu Han) #​63525
• [19e8ce1c36] - deps: upgrade npm to 11.15.0 (npm team) #​63463
• [8a264260e2] - deps: update sqlite to 3.53.1 (Node.js GitHub Bot) #​63217
• [50c8ff3f94] - deps: update simdjson to 4.6.4 (Node.js GitHub Bot) #​62811
• [6e56f01c4b] - deps: V8: cherry-pick 435a2cd (Matthias Liedtke) #​63136
• [3ba813b242] - deps: cherry-pick libuv/libuv@a43e543 (Ali Hassan) #​63222
• [2390e3a5ac] - doc: remove duplicated sentences in large-pull-requests.md (Joyee Cheung) #​63650
• [52a1c18374] - doc: update git node land instructions for security releases (Antoine du Hamel) #​63586
• [3e6b4da037] - doc: drop --experimental from --permission (Rafael Gonzaga) #​63583
• [84d05163b9] - doc: explicitly ask for reproducible in JS (Rafael Gonzaga) #​63479
• [7da2a4450e] - doc: fix URL postMessage example in worker_threads (Kit Dallege) #​62203
• [3d79bd8b29] - doc: clarify filter option of sqlite.database.applyChangeset (Antoine du Hamel) #​63515
• [4f4174aace] - doc: fix double spaces in ERR_TLS_INVALID_PROTOCOL_METHOD (Daijiro Wachi) #​63511
• [388323ca4b] - doc: fix double space in modules.md (Daijiro Wachi) #​63512
• [5258ccc058] - doc: fix "options" to "option" in tls.createServer (Daijiro Wachi) #​63453
• [43e83e6507] - doc: fix typo in deprecations (Daijiro Wachi) #​63434
• [f05a61d54c] - doc: remove unsupported template type from v8.md (René) #​63410
• [c39d5fc820] - doc: fix article usage before vowel-sound acronyms (joao-oliveira-softtor) #​62696
• [398261f911] - doc: remove the bi-monthly contributor spotlight section (Claudio Wunder) #​62734
• [fd9e14c405] - doc: update http2's push and trailers events with rawHeaders param (YuSheng Chen) #​63259
• [b943ce6933] - doc: remove inactive members from Triagers list (Antoine du Hamel) #​63329
• [4b9cdfc022] - doc: reference correct function in Module docs (Robin Malfait) #​63247
• [bed84b6df2] - doc: replace Visual Studio 2022 Evergreen version reference with 17.14 (Mike McCready) #​63211
• [32ea70569b] - doc: recommend explicitly Tier 1 or 2 for production applications (Mike McCready) #​63187
• [4627bcfd82] - doc: run license-builder (github-actions[bot]) #​63232
• [28eba71845] - doc: add large pull requests contributing guide (Matteo Collina) #​62829
• [2648efd438] - doc: remove unnecessary <!-- eslint- magic comments (Antoine du Hamel) #​63200
• [a95fc1f8fc] - doc: clarify SEA platform support excludes darwin-x64 (MJSHANG) #​63181
• [aaef29e2e1] - doc: update release steps when post-release fails (Rafael Gonzaga) #​63131
• [7d81419cf2] - doc: add Hmac.digest() documentation-only deprecation (DEP0206) (Anshika Jain) #​63121
• [ececd80d81] - doc: document the latest-vX.x schema (Marco Ippolito) #​63033
• [27c1c1d842] - doc: remove list of versions in BUILDING.md (Antoine du Hamel) #​63113
• [e369886a65] - doc,sqlite: document entryPoint argument for loadExtension (Edy Silva) #​63152
• [e4e5137cbd] - errors: handle V8 warnings in DisallowJavascriptExecutionScope (Divyanshu Sharma) #​63491
• [6d1f6048d2] - fs: make Date properties on Stats enumerable (LiviaMedeiros) #​63328
• [44c8ebcbd6] - http: avoid stream listeners on idle agent sockets (Matteo Collina) #​64004
• [4c9251fc09] - (SEMVER-MINOR) http: add writeInformation to send arbitrary 1xx status codes (Tim Perry) #​63155
• [39f61fb06c] - http2: emit session close before stream close (Matteo Collina) #​63414
• [8a8f2127d1] - http2: validate non-link headers in writeEarlyHints (Matteo Collina) #​62017
• [8c989ec4a3] - (SEMVER-MINOR) inspector: expose precise coverage start to JS runtime (sangwook) #​63079
• [c05f38229b] - lib: cleanup stateless diffiehellman key handling (Filip Skokan) #​62645
• [1c16b45d35] - lib: refactor internal webidl converters (Filip Skokan) #​62979
• [02f35d6dce] - lib: define kEnumerableProperty atomically (Antoine du Hamel) #​63609
• [12c51547ba] - lib: fix typos in esm loader comments (RonGamzu) #​63465
• [9b03b84262] - lib: fix typo idenity => identity (Daijiro Wachi) #​63112
• [a84e6b0567] - lib: fixes validator message (Daijiro Wachi) #​62823
• [11734166a8] - lib: narrow ReadableStreamBYOBRequest.view return type to Uint8Array (RoomWithOutRoof) #​63017
• [7cead61d21] - meta: flip mcollina emails in .mailmap (Matteo Collina) #​63621
• [a08cfcfd35] - meta: label "source maps" PRs (Chengzhong Wu) #​63591
• [d56e8d2512] - meta: add vfs subsystem label (René) #​62331
• [6201cfe488] - meta: skip scheduled workflows on forks (Jamie Magee) #​63565
• [f095e2bd31] - meta: add additional gitignore entries (James M Snell) #​63267
• [1ea52c444c] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​63402
• [b1b2327611] - meta: move one or more collaborators to emeritus (Node.js GitHub Bot) #​63235
• [7d88e130a9] - meta: ignore AI assistants files (Matteo Collina) #​62612
• [a53b51df38] - module: load ESM helpers eagerly in the snapshot (Joyee Cheung) #​63550
• [69df688fff] - module: fix sync hook short-circuit in require() in imported CJS (Joyee Cheung) #​62920
• [75d9a4ed47] - node-api: support SharedArrayBuffer in napi_create_typedarray (Yilong Li) #​62710
• [c20aa4c47b] - quic: add reusePort option to QuicEndpoint (James M Snell) #​63267
• [26a30d8a7f] - quic: implement rate limiting for version nego and immediate close (James M Snell) #​63267
• [0b534b5770] - quic: fixup linting issue after other changes (James M Snell) #​63267
• [4b367cbe09] - quic: remove unused binding variable in session.cc (James M Snell) #​63177
• [2574bef5a6] - repl: fix dedup comparing normalized line against raw history (Daijiro Wachi) #​62886
• [30e71c7e49] - sqlite: keep source database alive during backup (Matteo Collina) #​62673
• [677ca7e76c] - src: simplify OpenSSL feature gates (Filip Skokan) #​63255
• [c863c75c39] - src: add BoringSSL EVP enumeration fallback (Filip Skokan) #​63206
• [f6b2466921] - src: decouple KeyObject and CryptoKey and move CryptoKey to src (Filip Skokan) #​62924
• [92d4f07dd2] - src: remove license headers for new node_profiling files (Chengzhong Wu) #​63066
• [8ac5d771c8] - src: split profiling helpers from util (Ilyas Shabi) #​63008
• [85d1639495] - src: remove TOCTOU race condition when encoding SAB-backed Buffers (Antoine du Hamel) #​63517
• [9473c5f05c] - src: skip duplicate UTF-8 validation in TextDecoder fatal path (Mert Can Altin) #​63231
• [f35c91ee68] - src: improve token return value check (James M Snell) #​63483
• [26f677c1c5] - src: expose node::RegisterContext to make a node managed context (Chengzhong Wu) #​62322
• [275cf909b6] - src,sqlite: only pass xFilter when user provided a callback (Antoine du Hamel) #​63516
• [287e02303f] - src,sqlite: remove dead code (Edy Silva) #​63204
• [58fa2ee189] - stream: switch to internal sleep binding (Antoine du Hamel) #​63611
• [f954ab3f1a] - stream: use data listener for compose forwarding (Trivikram Kamat) #​63593
• [dc57173003] - stream: fix Writable.toWeb() hang on synchronous drain (sangwook) #​61197
• [3f54c8ba32] - Revert "stream: noop pause/resume on destroyed streams" (Stewart X Addison) #​63834
• [cee279c5d6] - stream: remove unnecessary check (Antoine du Hamel) #​63030
• [61b20f60a3] - test: update tls/crypto behaviour expectations when using BoringSSL (Filip Skokan) #​63161
• [a835363808] - test: update WPT for WebCryptoAPI to 97bbc72 (Node.js GitHub Bot) #​63417
• [a00297480b] - test: update WPT resources, interfaces and WebCryptoAPI (Node.js GitHub Bot) #​62389
• [5a95a2b055] - test: shorten path in net pipe connect errors (Matteo Collina) #​63405
• [5e8ff22d8f] - test: remove test-node-output-v8-warning (Joyee Cheung) #​63469
• [ee15380950] - test: update test426-fixtures to 9b9e225 (Node.js GitHub Bot) #​63373
• [9e063d9bea] - test: update WPT for url to e4a4672 (Node.js GitHub Bot) #​63372
• [503bee4b43] - test: deflake async-hooks statwatcher test (Trivikram Kamat) #​63396
• [cccc7c32d8] - test: avoid test_runner watch restart in spec snapshot (Trivikram Kamat) #​63392
• [c89489258c] - test: reduce watch mode restart flakiness (Trivikram Kamat) #​63390
• [e4d5e2578e] - test: isolate rerun-failures state file under tmpdir (Chemi Atlow) #​63449
• [362644a9ba] - test: wait for ok before initial break after restart (Yuya Inoue) #​62807
• [c4058d0e05] - test: disable Maglev in near-heap-limit worker test (Trivikram Kamat) #​63398
• [214da630a7] - test: deflake connection refused proxy tests (Trivikram Kamat) #​63395
• [1d61a29876] - test: avoid repeated writes in watch helper (Trivikram Kamat) #​63386
• [2004e25387] - test: deflake watch mode worker test (Trivikram Kamat) #​63384
• [d691cccfc1] - test: relax test-memory-usage arrayBuffers check (inoway46) #​63244
• [0ff6bf853c] - test: reduce flakiness of different-registry-per-thread (Antoine du Hamel) #​63244
• [d9f4e8e503] - test: fix flaky test-watch-mode-inspect timeout (Matteo Collina) #​63361
• [6d7cd50328] - test: relax min assertion in test-performance-eventloopdelay (Marco) #​63100
• [9dafe1d2d8] - test: avoid flaky restart sync in debugger exceptions test (Yuya Inoue) #​62055
• [989b2de973] - test: avoid initial-break wait in restart-message (inoway46) #​62060
• [a072a25ee7] - test: move FFI tests to NATIVE_SUITES (Antoine du Hamel) #​63165
• [64efbfd878] - test: use ERM to destroy sqlite database handles after tests (René) #​63076
• [7dee66cd94] - test_runner: dont buffer unordered events in process isolation mode (Moshe Atlow) #​63432
• [d257eec1e3] - test_runner: fix --test-rerun-failures swallowing failures on retry (Chemi Atlow) #​63431
• [288c320e2f] - test_runner: show replayed-from-attempt hint in spec reporter (Moshe Atlow) #​63429
• [904bdf5bb4] - test_runner: preserve run duration when using test-rerun (Moshe Atlow) #​63429
• [df183d7bfa] - test_runner: avoid hanging on incomplete v8 frames (Ali Hassan) #​62704
• [ec86c69726] - test_runner: fix diagnostics channel context tracking (Moshe Atlow) #​63283
• [94e5f63b83] - tls: add unsupported renegotiation error (Filip Skokan) #​63161
• [06d308fb61] - tools: prevent lib code from reading KeyObject and CryptoKey accessors (Filip Skokan) #​63111
• [2e4a0d0c91] - tools: bump brace-expansion from 5.0.5 to 5.0.6 in /tools/eslint (dependabot[bot]) #​63415
• [4c9666b366] - tools: skip commit-lint on backport pull requests (Marco) #​63378
• [67d0c490a8] - tools: fix skip of test-internet on forks (Antoine du Hamel) #​63492
• [02f73c7cac] - tools: bump the eslint group in /tools/eslint with 4 updates (dependabot[bot]) #​63075
• [5d016d3241] - tools: update gyp-next to 0.22.2 (Node.js GitHub Bot) #​63374
• [55af0f0edb] - tools: fix test426 updater (Antoine du Hamel) #​63271
• [d8475e167a] - tools: use different branch for tool updates on staging branches (Antoine du Hamel) #​63110
• [c605df9e50] - util: remove unused functions (Antoine du Hamel) #​63612
• [fe4540ebdb] - util: create hex style cache and fast path (Guilherme Araújo) #​62999

v24.17.0: 2026-06-18, Version 24.17.0 'Krypton' (LTS), @​aduh95

Compare Source

This is a security release.

Notable Changes

• (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) – High
• (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) – High
• (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) – Medium
• (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) – Medium
• (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) – Medium
• (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) – Medium
• (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) – Medium
• (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 – Medium
• (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) – Low
• (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) – Low
• (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) – Low

Commits

• [9e4dfc7bba] - (CVE-2026-48933) crypto: guard WebCrypto cipher output length (Filip Skokan) nodejs-private/node-private#878
• [cb2aed980c] - deps: update llhttp to 9.4.2 (Antoine du Hamel) nodejs-private/node-private#890
• [a8a0d12875] - (CVE-2026-48937) deps: fix integration issues with the latest nghttp2 (Tim Perry) #​62891
• [66e6203c1c] - (SEMVER-MAJOR) deps: update nghttp2 to 1.69.0 (Node.js GitHub Bot) #​62891
• [dd627ced27] - deps: update archs files for openssl-3.5.7 (Node.js GitHub Bot) #​63820
• [684bae568f] - deps: upgrade openssl sources to openssl-3.5.7 (Node.js GitHub Bot) #​63820
• [3a631e7f83] - deps: fix aix implicit declaration in OpenSSL (Abdirahim Musse) #​62656
• [cf44df3996] - deps: update undici to 7.28.0 (Node.js GitHub Bot) #​63703
• [138c70294b] - (CVE-2026-48930) dns,net: reject hostnames with embedded NUL bytes (Matteo Collina) nodejs-private/node-private#868
• [be7e719c3f] - (CVE-2026-48931) http: fix response queue poisoning in http.Agent (Matteo Collina) nodejs-private/node-private#846
• [cc7c11b4d1] - (CVE-2026-48619) http2: cap originSet size to prevent unbounded memory growth (Matteo Collina) nodejs-private/node-private#855
• [9224427b92] - (CVE-2026-48615) lib,test: redact proxy credentials in tunnel errors (Matteo Collina) nodejs-private/node-private#867
• [cf85d54839] - (CVE-2026-48935) permission: disable FileHandle utimes with permission model (RafaelGSS) nodejs-private/node-private#873
• [a1bbc24f96] - (CVE-2026-48617) permission: handle process.chdir on writereport (RafaelGSS) nodejs-private/node-private#870
• [e3723ff2d6] - test: add session reuse host verification regressions (Matteo Collina) nodejs-private/node-private#854
• [a77af4867b] - (CVE-2026-48934) tls: bind reusable sessions to authenticated host (Matteo Collina) nodejs-private/node-private#854
• [31beb4f707] - (CVE-2026-48928) tls: fix case-sensitive SNI context matching (Matteo Collina) nodejs-private/node-private#857
• [8e75c73f91] - (CVE-2026-48618) tls: normalize hostname for server identity checks (Matteo Collina) nodejs-private/node-private#869

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.