zys-contrib · pull · May 27, 2026 · May 26, 2026 · May 26, 2026 · May 26, 2026
diff --git a/Makefile b/Makefile
@@ -856,7 +856,7 @@ VERSION=v$(RAWVER)
 
 .PHONY: doc-only
 .NOTPARALLEL: doc-only
-doc-only: $(apidoc_dirs) $(apidocs_html) $(apidocs_json) out/doc/api/all.html out/doc/api/all.json out/doc/apilinks.json  ## Builds the docs with the local or the global Node.js binary.
+doc-only: $(apidoc_dirs) $(apidocs_html) $(apidocs_json) out/doc/api/all.html out/doc/api/all.json out/doc/llms.txt out/doc/apilinks.json  ## Builds the docs with the local or the global Node.js binary.
 
 .PHONY: doc
 doc: $(NODE_EXE) doc-only ## Build Node.js, and then build the documentation with the new binary.
@@ -901,6 +901,22 @@ $(apidocs_html) $(apidocs_json) out/doc/api/all.html out/doc/api/all.json &: $(a
 	fi
 endif
 
+out/doc/llms.txt: $(apidoc_sources) tools/doc/node_modules | out/doc
+	@if [ "$(shell $(node_use_openssl_and_icu))" != "true" ]; then \
+		echo "Skipping $@ (no crypto and/or no ICU)"; \
+	else \
+		$(call available-node, \
+			$(DOC_KIT) generate \
+			-t llms-txt \
+			-i doc/api/*.md \
+			--ignore $(skip_apidoc_files) \
+			-o $(@D) \
+			-c ./CHANGELOG.md \
+			-v $(VERSION) \
+			--type-map doc/type-map.json \
+		) \
+	fi
+
 out/doc/apilinks.json: $(wildcard lib/*.js) tools/doc/node_modules | out/doc
 	@if [ "$(shell $(node_use_openssl_and_icu))" != "true" ]; then \
 		echo "Skipping $@ (no crypto and/or no ICU)"; \

diff --git a/SECURITY.md b/SECURITY.md
@@ -85,6 +85,7 @@ When reporting security vulnerabilities, reporters must adhere to the following
 
 4. **Report Quality**
    * Provide clear, detailed steps to reproduce the vulnerability.
+   * Include reproducible code written in JavaScript.
    * Include only the minimum proof of concept required to demonstrate the issue.
    * Remove any malicious payloads or components that could cause harm.
 

diff --git a/doc/api/worker_threads.md b/doc/api/worker_threads.md
@@ -1369,17 +1369,14 @@ port2.postMessage(new Foo());
 // Prints: { c: 3 }
 ```
 
-This limitation extends to many built-in objects, such as the global `URL`
-object:
+Some built-in objects cannot be cloned at all. For example, posting a
+`URL` object throws a `DataCloneError`:
 
 ```js
 const { port1, port2 } = new MessageChannel();
 
-port1.onmessage = ({ data }) => console.log(data);
-
 port2.postMessage(new URL('https://example.org'));
-
-// Prints: { }
+// Throws DataCloneError: Cannot clone object of unsupported type.
 ```
 
 ### `port.hasRef()`

diff --git a/test/parallel/test-webcrypto-crypto-job-mode.js b/test/parallel/test-webcrypto-crypto-job-mode.js
@@ -163,7 +163,7 @@ async function withObjectPrototypeSetters(names, fn) {
       { name: 'AES-CBC', iv },
       key,
       Buffer.alloc(16)));
-    ciphertext[ciphertext.length - 1] ^= 0xff;
+    ciphertext[0] ^= 0xff;
 
     await assert.rejects(
       subtle.decrypt({ name: 'AES-CBC', iv }, key, ciphertext),

diff --git a/tools/eslint/package-lock.json b/tools/eslint/package-lock.json