v2.8.6

Compare Source

==================

• Improve documentation (API, context, examples...)
• Remove additional markdown files from tarball

v4.22.2

Compare Source

v4.22.1

Compare Source

v4.22.0

Compare Source

v4.21.2

Compare Source

What's Changed

• Add funding field (v4) by @​bjohansebas in #​6065
• deps: path-to-regexp@​0.1.11 by @​blakeembrey in #​5956
• deps: bump path-to-regexp@​0.1.12 by @​jonchurch in #​6209
• Release: 4.21.2 by @​UlisesGascon in #​6094

Full Changelog: expressjs/express@4.21.1...4.21.2

v4.21.1

Compare Source

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in #​6029
• Release: 4.21.1 by @​UlisesGascon in #​6031

Full Changelog: expressjs/express@4.21.0...4.21.1

v4.21.0

Compare Source

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in #​5935
• finalhandler@​1.3.1 by @​wesleytodd in #​5954
• fix(deps): serve-static@​1.16.2 by @​wesleytodd in #​5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in #​5946

New Contributors

• @​agadzinski93 made their first contribution in #​5946

Full Changelog: expressjs/express@4.20.0...4.21.0

v4.20.0

Compare Source

==========

• deps: serve-static@​0.16.0
  • Remove link renderization in html while redirecting
• deps: send@​0.19.0
  • Remove link renderization in html while redirecting
• deps: body-parser@​0.6.0
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: path-to-regexp@​0.1.10
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

v4.19.2

Compare Source

==========

• Improved fix for open redirect allow list bypass

v4.19.1

Compare Source

==========

• Allow passing non-strings to res.location with new encoding handling checks

v4.19.0

Compare Source

==========

• Prevent open redirect allow list bypass due to encodeurl
• deps: cookie@​0.6.0

v4.18.3

Compare Source

==========

• Fix routing requests without method
• deps: body-parser@​1.20.2
  • Fix strict json error message on Node.js 19+
  • deps: content-type@~1.0.5
  • deps: raw-body@​2.5.2
• deps: cookie@​0.6.0
  • Add partitioned option

v16.20.2: 16.20.2

Compare Source

Node.js 16.20.2

v16.20.1: 16.20.1

Compare Source

Node.js 16.20.1

v16.20.0: 16.20.0

Compare Source

Node.js 16.20.0

v16.19.1: 16.19.1

Compare Source

Node.js 16.19.1

v16.19.0: 16.19.0

Compare Source

Node.js 16.19.0

v16.18.1: 16.18.1

Compare Source

Node.js 16.18.1

v16.18.0: 16.18.0

Compare Source

Node.js 16.18.0

v16.17.1: 16.17.1

Compare Source

Node.js 16.17.1

v16.17.0: 16.17.0

Compare Source

Node.js 16.17.0

v16.16.0: 16.16.0

Compare Source

Node.js 16.16.0

v16.15.1: 16.15.1

Compare Source

Node.js 16.15.1

v16.15.0: 16.15.0

Compare Source

Node.js 16.15.0

v16.14.2: 16.14.2

Compare Source

Node.js 16.14.2

v16.14.1: 16.14.1

Compare Source

Node.js 16.14.1

v16.14.0: 16.14.0

Compare Source

Node.js 16.14.0

v16.13.2: 16.13.2

Compare Source

Node.js 16.13.2

v16.13.1: 16.13.1

Compare Source

Node.js 16.13.1

v16.13.0: 16.13.0

Compare Source

Node.js 16.13.0

v16.12.0: 16.12.0

Compare Source

Node.js 16.12.0

v16.11.1: 16.11.1

Compare Source

Node.js 16.11.1

v16.11.0: 16.11.0

Compare Source

Node.js 16.11.0

v16.10.0: 16.10.0

Compare Source

Node.js 16.10.0

v16.9.1: 16.9.1

Compare Source

Node.js 16.9.1

v16.9.0: 16.9.0

Compare Source

Node.js 16.9.0

v16.8.0: 16.8.0

Compare Source

Node.js 16.8.0

v16.7.0: 16.7.0

Compare Source

Node.js 16.7.0

v16.6.2: 16.6.2

Compare Source

Node.js 16.6.2

v16.6.1: 16.6.1

Compare Source

Node.js 16.6.1

v16.6.0: 16.6.0

Compare Source

Node.js 16.6.0

v16.5.0: 16.5.0

Compare Source

Node.js 16.5.0

v16.4.2: 16.4.2

Compare Source

Node.js 16.4.2

v16.4.1: 16.4.1

Compare Source

Node.js 16.4.1

v16.4.0: 16.4.0

Compare Source

Node.js 16.4.0

v22.22.3: 2026-05-13, Version 22.22.3 'Jod' (LTS), @​marco-ippolito

Compare Source

Commits

• [4f780905c5] - crypto: fix potential null pointer dereference when BIO_meth_new() fails (Nora Dossche) #​61788
• [4a09efb947] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #​62485
• [e4c0d99839] - deps: update timezone to 2026a (Node.js GitHub Bot) #​62164
• [0226c8dd7a] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #​62382
• [e742ab748c] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #​62256
• [73cac0571a] - deps: update amaro to 1.1.8 (Node.js GitHub Bot) #​62151
• [ae5c162b93] - deps: update amaro to 1.1.7 (Node.js GitHub Bot) #​61730
• [b819cb9977] - deps: update amaro to 1.1.6 (Node.js GitHub Bot) #​61603
• [bbcce09dc7] - deps: update sqlite to 3.52.0 (Node.js GitHub Bot) #​62150
• [22ff2d81ce] - deps: update simdjson to 4.3.1 (Node.js GitHub Bot) #​61930
• [f49b51d75c] - deps: update acorn-walk to 8.3.5 (Node.js GitHub Bot) #​61928
• [1a5cec0d49] - deps: update acorn to 8.16.0 (Node.js GitHub Bot) #​61925
• [d339497688] - deps: update nbytes to 0.1.3 (Node.js GitHub Bot) #​61879
• [3ff8ffd459] - deps: remove stale OpenSSL arch configs (René) #​61834
• [b8ddbc1e9a] - deps: update llhttp to 9.3.1 (Node.js GitHub Bot) #​61827
• [ffda97afd4] - deps: update googletest to 2461743 (Node.js GitHub Bot) #​62484
• [79aa32cf4f] - deps: update googletest to 73a63ea (Node.js GitHub Bot) #​61927
• [b6957e13b6] - deps: update archs files for openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [3a27669063] - deps: upgrade openssl sources to openssl-3.5.6 (Node.js GitHub Bot) #​62629
• [d568a1bb53] - deps: upgrade npm to 10.9.8 (npm team) #​62463
• [ec11f3c1d5] - deps: V8: backport 85b3900 (Thibaud Michaud) #​62783
• [08609712ed] - deps: V8: backport 1b27e46 (Thibaud Michaud) #​62783
• [dcc60d5ab2] - deps: V8: backport 9997fc0 (Thibaud Michaud) #​62783
• [1d1f4451fb] - deps: V8: cherry-pick b96e40d (Clemens Backes) #​62783
• [2268567237] - deps: V8: cherry-pick 7cb6188 (Thibaud Michaud) #​62783
• [92804cdbea] - deps: V8: cherry-pick e7ccf0a (Thibaud Michaud) #​62783
• [eae2c27a40] - deps: V8: cherry-pick 8e214ec (Thibaud Michaud) #​62783
• [a1799a49bb] - deps: V8: backport 63b8849 (Thibaud Michaud) #​62783
• [a2df2d8731] - deps: V8: backport 3239427 (Thibaud Michaud) #​62783
• [e3d65c7dca] - deps: V8: backport 89dc6ea (Thibaud Michaud) #​62783
• [5e7db133de] - deps: V8: backport 910cb91 (Jakob Kummerow) #​62783
• [d0c24a28af] - deps: V8: cherry-pick b8f91e5 (Thibaud Michaud) #​62783
• [d358687824] - deps: V8: cherry-pick cf03d55 (Thibaud Michaud) #​62783
• [67c8b2c349] - deps: V8: cherry-pick 692f3d5 (Sébastien Doeraene) #​62783
• [71e5a59ffd] - deps: V8: cherry-pick c734674 (Manos Koukoutos) #​62783
• [f0dbe81c7b] - deps: V8: cherry-pick b2f3aea (Thibaud Michaud) #​62783
• [d333f480c3] - deps: V8: cherry-pick 5f1342c (Matthias Liedtke) #​62783
• [db722725bb] - deps: use npm undici@​six tag in update-undici.sh (Matteo Collina) #​63012
• [9b57979d9c] - doc: add Rafael to last security release steward (Rafael Gonzaga) #​62423
• [d8075585bf] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #​62355
• [6ec9a70204] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #​62208
• [1fc86fcb6e] - doc: add note (and caveat) for mock.module about customization hooks (Jacob Smith) #​62075
• [491be80bd9] - doc: add efekrskl as triager (Efe) #​61876
• [18558293a3] - doc: fix module.stripTypeScriptTypes indentation (René) #​61992
• [8e20976522] - doc: explicitly mention Slack handle (Rafael Gonzaga) #​61986
• [70b8e6b4fb] - doc: rename invalid function parameter (René) #​61942
• [4045c76f6c] - doc: clarify status of feature request issues (Antoine du Hamel) #​61505
• [c54652f2aa] - doc: remove incorrect mention of module in typescript.md (Rob Palmer) #​61839
• [9fad6cedf5] - doc: clarify async caveats for events.once() (René) #​61572
• [2f1e5733fe] - doc: update Juan's security steward info (Juan José) #​61754
• [a64bdb5068] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #​62206
• [02797de923] - doc: fix small environment_variables typo (chris) #​62279
• [f22ebdc809] - doc: fix small logic error in DETECT_MODULE_SYNTAX (René) #​62025
• [9f4508062a] - doc: fix methods being documented as properties in process.md (Antoine du Hamel) #​61765
• [3ea39ff135] - doc: fix dropdown menu being obscured at <600px due to stacking context (Jeff) #​61735
• [c22445079b] - doc: fix spacing in process message event (Aviv Keller) #​61756
• [32831b5223] - doc: fix broken links of net.md (YuSheng Chen) #​61673
• [005508d509] - doc: remove obsolete Boxstarter automated install (Mike McCready) #​61785
• [37c2fd6f7d] - esm: fix path normalization in finalizeResolution (Antoine du Hamel) #​62080
• [1769d74613] - esm: populate separate cache for require(esm) in imported CJS (Joyee Cheung) #​59679
• [ee02966ffc] - http: fix keep-alive socket reuse race in requestOnFinish (Martin Slota) #​61710
• [2fdb5ce6cc] - http2: fix FileHandle leak in respondWithFile (sangwook) #​61707
• [aa2c1eca04] - lib: fix source map url parse in dynamic imports (Chengzhong Wu) #​61990
• [785b00cbeb] - meta: pass release version to release worker (flakey5) #​62777
• [447fb9a0b5] - meta: persist sccache daemon until end of build workflows (René) #​61639
• [5065a0acb3] - module: do not invoke resolve hooks twice for imported cjs (Joyee Cheung) #​61529
• [9a2e21305d] - module: do not wrap module._load when tracing is not enabled (Joyee Cheung) #​61479
• [b9240bc063] - module: fix sync resolve hooks for require with node: prefixes (Joyee Cheung) #​61088
• [2e91b28aaf] - module: handle null source from async loader hooks in sync hooks (Joyee Cheung) #​59929
• [39147c154e] - module: use sync cjs when importing cts (Marco Ippolito) #​60072
• [12a2462b2c] - module: only put directly require-d ESM into require.cache (Joyee Cheung) #​59874
• [cf39566277] - src: fix flags argument offset in JSUdpWrap (Weixie Cui) #​61948
• [578a9a9230] - src: clamp WriteUtf8 capacity to INT_MAX in EncodeInto (semimikoh) #​62621
• [57c3035fec] - stream: fix decoded fromList chunk boundary check (Thomas Watson) #​61884
• [57fb008bb8] - test: update tls junk data error expectations (Filip Skokan) #​62629
• [363f9a9d18] - test: skip test-url on --shared-ada builds (Antoine du Hamel) #​62019
• [daaead342b] - test: simplify encodeInto large buffer regression test (semimikoh) #​62621
• [ecfa766b41] - tools: fix auto-start-ci (Antoine du Hamel) #​61900
• [17c0a610af] - tools: fix parsing of commit trailers in lint-release-proposal GHA (Antoine du Hamel) #​62077
• [89ad7dc63b] - tools: enforce removal of lts-watch-* labels on release proposals (Antoine du Hamel) #​61672
• [5f9bb8ef0c] - tools: revert tools GHA workflow to ubuntu-latest (Richard Lau) #​62024
• [977ef80ac1] - url: process crash via malformed UNC hostname in pathToFileURL() (Nicola Del Gobbo) #​62574
• [ad8f518a81] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #​62325

v22.22.2: 2026-03-24, Version 22.22.2 'Jod' (LTS), @​RafaelGSS prepared by @​aduh95

Compare Source

This is a security release.

Notable Changes

• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low

Commits

• [6f14ee5101] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#809
• [52a52ef619] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC (Filip Skokan) nodejs-private/node-private#822
• [30a3ab11e2] - (CVE-2026-21717) deps: V8: cherry-pick aac14dd (Joyee Cheung) nodejs-private/node-private#809
• [e3f4d6a42e] - (CVE-2026-21717) deps: V8: backport 1361b2a (Joyee Cheung) nodejs-private/node-private#809
• [7dc00fa5f4] - (CVE-2026-21717) deps: V8: backport 185f0fe (Joyee Cheung) nodejs-private/node-private#809
• [076acd052d] - (CVE-2026-21717) deps: V8: backport 0a8b1cd (snek) nodejs-private/node-private#809
• [963c60a951] - deps: V8: override depot_tools version (Richard Lau) #​62344
• [a688117d5d] - deps: upgrade npm to 10.9.7 (npm team) #​62330
• [859c8c761b] - deps: update undici to v6.24.1 (Matteo Collina) #​62285
• [d5ed384a2f] - deps: upgrade npm to 10.9.6 (npm team) #​62215
• [a2fe9fd81a] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) nodejs-private/node-private#821
• [73deff77c1] - lib: backport _tls_common and _tls_wrap refactors (Dario Piotrowicz) #​57643
• [06fc3436f6] - (CVE-2026-21716) permission: include permission check on lib/fs/promises (RafaelGSS) nodejs-private/node-private#795
• [db48d9c675] - (CVE-2026-21715) permission: add permission check to realpath.native (RafaelGSS) nodejs-private/node-private#794
• [2a6105a63b] - (CVE-2026-21714) src: handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) nodejs-private/node-private#832
• [91b970886f] - (CVE-2026-21637) tls: wrap SNICallback invocation in try/catch (Matteo Collina) nodejs-private/node-private#819

v22.22.1: 2026-03-05, Version 22.22.1 'Jod' (LTS)

Compare Source

Notable Changes

• [7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #​59983
• [6063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #​60956
• [d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #​61419
• [4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #​60741
• [b6ebf2cd53] - doc: add avivkeller to collaborators (Aviv Keller) #​61115
• [35854f424d] - doc: add gurgunday to collaborators (Gürgün Dayıoğlu) #​61094
• [5c6a076e5d] - meta: add Renegade334 to collaborators (Renegade334) #​60714

Commits

• [5f773488c2] - assert: use a set instead of an array for faster lookup (Ruben Bridgewater) #​61076
• [feecbb0eab] - assert,util: fix deep comparison for sets and maps with mixed types (Ruben Bridgewater) #​61388
• [096095b127] - benchmark: add SQLite benchmarks (Guilherme Araújo) #​61401
• [b5fe481415] - benchmark: use boolean options in benchmark tests (SeokhunEom) #​60129
• [fa9faacacb] - benchmark: allow boolean option values (SeokhunEom) #​60129
• [ba8714ac21] - benchmark: fix incorrect base64 input in byteLength benchmark (semimikoh) #​60841
• [53596de876] - benchmark: use typescript for import cjs benchmark (Joyee Cheung) #​60663
• [e8930e9d7c] - benchmark: focus on import.meta intialization in import-meta benchmark (Joyee Cheung) #​60603
• [1155e412b1] - benchmark: add per-suite setup option (Joyee Cheung) #​60574
• [e01903d304] - benchmark: improve cpu.sh for safety and usability (Nam Yooseong) #​60162
• [623a405747] - benchmark: add benchmark for leaf source text modules (Joyee Cheung) #​60205
• [7f5e7b9f7f] - benchmark: add microbench on isInsideNodeModules (Chengzhong Wu) #​60991
• [db132b85a8] - bootstrap: initialize http proxy after user module loader setup (Joyee Cheung) #​58938
• [66aab9f987] - buffer: let Buffer.of use heap (Сковорода Никита Андреевич) #​60503
• [c3cf00c671] - buffer: speed up concat via TypedArray#set (Gürgün Dayıoğlu) #​60399
• [f6fad231e9] - build: skip sscache action on non-main branches (Joyee Cheung) #​61790
• [2145f91f6b] - build: update android-patches/trap-handler.h.patch (Mo Luo) #​60369
• [5b49759dd8] - build: update devcontainer.json to use paired nix env (Joyee Cheung) #​61414
• [24724cde40] - build: fix misplaced comma in ldflags (hqzing) #​61294
• [c57a19934e] - build: fix crate vendor file checksums on windows (Chengzhong Wu) #​61329
• [8659d7cd07] - build: fix inconsistent quoting in Makefile (Antoine du Hamel) #​60511
• [44f339b315] - build: remove temporal updater (Chengzhong Wu) #​61151
• [d60a6cebd5] - build: update test-wpt-report to use NODE instead of OUT_NODE (Filip Skokan) #​61024
• [34ccf187f5] - build: skip build-ci on actions with a separate test step (Chengzhong Wu) #​61073
• [7b19e101a2] - build: run embedtest with node_g when BUILDTYPE=Debug (Chengzhong Wu) #​60850
• [9408c4459f] - build: upgrade Python linter ruff, add rules ASYNC,PERF (Christian Clauss) #​59984
• [2166ec7f0f] - build: use call command when calling python configure (Jacob Nichols) #​60098
• [73ef70145d] - build: remove V8_COMPRESS_POINTERS_IN_ISOLATE_CAGE defs (Joyee Cheung) #​60296
• [7b93a65f27] - build: test on Python 3.14 (Christian Clauss) #​59983
• [508ce6ec6c] - build, src: fix include paths for vtune files (Rahul) #​59999
• [c89d3cd570] - build,tools: fix addon build deadlock on errors (Vladimir Morozov) #​61321
• [40904a0591] - build,win: update WinGet configurations to Python 3.14 (Mike McCready) #​61431
• [6d6742e7db] - child_process: treat ipc length header as unsigned uint32 (Ryuhei Shima) #​61344
• [6063d888fe] - cli: mark --heapsnapshot-near-heap-limit as stable (Joyee Cheung) #​60956
• [3d324a0f88] - cluster: fix port reuse between cluster (Ryuhei Shima) #​60141
• [40a58709b4] - console: optimize single-string logging (Gürgün Dayıoğlu) #​60422
• [d950b151a2] - crypto: update root certificates to NSS 3.119 (Node.js GitHub Bot) #​61419
• [4f42f8c428] - crypto: update root certificates to NSS 3.117 (Node.js GitHub Bot) #​60741
• [a87499ae25] - crypto: ensure documented RSA-PSS saltLength default is used (Filip Skokan) #​60662
• [8c65cc11e2] - crypto: update root certificates to NSS 3.116 (Node.js GitHub Bot) #​59956
• [91dc00a2c1] - debugger: fix event listener leak in the run command (Joyee Cheung) #​60464
• [0781bd3764] - deps: V8: backport 6a0a25a (Vivian Wang) #​61688
• [0cf1f9c3e9] - deps: update googletest to 8508785 (Node.js GitHub Bot) #​61417
• [521b4b1f07] - deps: update sqlite to 3.51.2 (Node.js GitHub Bot) #​61339
• [58b9d219a3] - deps: update icu to 78.2 (Node.js GitHub Bot) #​60523
• [cbc1e4306d] - deps: update zlib to 1.3.1-e00f703 (Node.js GitHub Bot) #​61135
• [db59c35ed8] - deps: update cjs-module-lexer to 2.2.0 (Node.js GitHub Bot) #​61271
• [c18518ee3c] - deps: update nbytes to 0.1.2 (Node.js GitHub Bot) #​61270
• [376df62d63] - deps: update timezone to 2025c (Node.js GitHub Bot) #​61138
• [993e905302] - deps: update simdjson to 4.2.4 (Node.js GitHub Bot) #​61056
• [b72fd2a5d3] - deps: update googletest to 065127f (Node.js GitHub Bot) #​61055
• [d765147405] - deps: update sqlite to 3.51.1 (Node.js GitHub Bot) #​60899
• [[37abe2a7d2](https://redirect.github.

✂ Note

PR body was truncated to here.