Changelog

denoland/deno · · 20 commits

Node compat, coverage thresholds, install fixes

Big Node.js compatibility and CLI coverage/install changes, plus several important bug fixes across HTTP, fetch, and core error formatting.

Node HTTP server now respects active streaming timeouts (bartlomieju576c38f)

Deno's node:http layer no longer applies requestTimeout to the entire request/response lifetime. That fixes long-lived streaming responses like SSE and proxies getting reset around the default 300s timeout.

HTTP/2 works on DENO_SERVE_ADDRESS override listeners (bartlomiejuab81178)

Node servers behind the address override now accept both HTTP/1.1 and HTTP/2, matching Deno.serve(). This fixes a compatibility break where HTTP/2 clients were being answered with HTTP/1.1 errors.

deno serve now exits cleanly on SIGTERM/SIGINT (bartlomiejubf4017d)

The serve process now shuts down gracefully instead of leaving termination behavior inconsistent. This matters for containerized and orchestrated deployments that rely on signal handling.

Net-deny checks now run against the actual connected peer (bartlomiejue4444d5)

The fetch connector no longer relies on the earlier task-local port hack to enforce network permissions after DNS resolution. This makes denied IP-literal and resolved-address cases line up more cleanly with the real peer being contacted.

npm bin entrypoints no longer inherit the root import map (divybota249752)

npm run bin main modules are now isolated from the project import map, avoiding accidental resolution changes. This fixes a long-standing bug where package bin execution could pick up unrelated import-map aliases.

Doc tests now use # as their virtual file sigil (lowlighter55f2eee)

The doc-test extraction path switched from $ to # for virtual filenames. That aligns the tooling with the intended marker and fixes a broad set of doc-test/check/coverage edge cases.

util.styleText stops coloring non-TTY streams (KnorpelSenfbfc32bd)

Node-compat util.styleText now avoids emitting ANSI color codes when the output stream is not a TTY. This fixes incorrect colored output in logs and other redirected streams.

deno install warns on package.json engine mismatches (bartlomiejub40113d)

Install now checks engines.node and engines.deno and emits warnings when the current runtime doesn't satisfy them. It also rejects invalid engine ranges with a warning, giving users earlier feedback instead of silent mismatch.

Coverage can now fail CI below a threshold (bartlomiejuf8be21c)

deno coverage and deno test --coverage now support minimum coverage thresholds, with config-file support as well. This lets teams enforce coverage gates instead of only reporting numbers.

Global installs now resolve package.json dependencies (bartlomieju7479822)

deno install --global now flattens the entrypoint's nearest package.json dependencies into the copied config's import map. That fixes bare-specifier failures for globally installed commands that depend on local package.json entries.

Error/test formatting preserves custom .stack getters (932bd1d)

Top-level error rendering and test failures now keep custom stack strings instead of collapsing them into a single internal frame. That improves output for libraries and runtimes that define their own stack formatting.

deno upgrade streams zstd delta patches to reduce OOM risk (bartlomiejue19228d)

The upgrade path no longer needs to materialize the full decompressed delta patch in memory up front. This is a practical fix for low-memory machines where the old path could hit a 2GiB allocation failure.

TlsListener now reports the correct transport address (Reububblecc733e3)

TLS listener address metadata is now set correctly, fixing mismatches in server/serve behavior. This is a small but important compatibility fix for code that inspects listener transport details.

Node version reporting is now single-sourced (bartlomieju82e8ca0)

Deno's emulated Node version is now defined once and reused across process.version, process.versions.node, and the N-API version report. That prevents version drift between Rust and JS shims when the emulated Node release changes.

node:http(s) proxy requests now enforce target permissions (bartlomieju2d710e6)

Proxied Node HTTP(S) requests now permission-check the real target host, not just the proxy socket. That closes a security/parity gap where --allow-net=<proxy> could otherwise reach disallowed destinations.

npm cache now trims oversized full packuments (bartlomiejuadb7a2b)

When minimumDependencyAge forces a full packument fetch, the cached registry metadata is now slimmed down to avoid ballooning registry.json. This reduces cache size and avoids unnecessary disk and memory pressure.

Other misc changes

  • Node compat shim for node on PATH when no real Node.js is installed (bartlomiejuf2f8666)
  • Deprecate no-op --unstable-node-globals flag (bartlomieju6516647)
  • Fix npm bin import map handling for global installs (divybota249752)
  • LSP tsconfig root/script-name fixes (fibibot792bea4)
  • Chocolatey install link update (sanjibanid32108f)
  • Misc test updates and dependency bumps