Changelog

nodejs/node · 12 commits

TLS, crypto hardening, and QUIC docs

Node.js tightened crypto internals and TLS renegotiation handling, while also refreshing QUIC docs and a few release notes.

Crypto internals hardened against accessor and slot abuse (panva b3ae59d, panva f7c2628, panva 9adddc5)

Node.js now stores KeyObject and CryptoKey internals behind private/native-backed accessors, adds lint rules to keep lib code from reading user-replaceable properties, and clones algorithm data more defensively. This reduces the risk of prototype pollution, forged accessors, or stale/mutable state leaking into internal crypto flows and structured clone/export paths.
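Why internal code should not read user-replaceable properties, as an added example that is not Node.js source: the hypothetical `LegacyKey`, `HardenedKey`, `legacyExport`, `hardenedExport` and `compare` below are constructed for illustration and contrast a public accessor with a private-field slot that doubles as a brand check.

```javascript
// Constructed illustration: hypothetical classes and helpers, not Node.js internals.
// Pattern being removed: internal code trusts a public, replaceable accessor.
class LegacyKey {
  constructor(type, extractable) {
    this._type = type;
    this._extractable = extractable;
  }
  get type() { return this._type; }
  get extractable() { return this._extractable; }
}

function legacyExport(key) {
  // Reads whatever `extractable` resolves to at call time.
  if (!key.extractable) throw new TypeError('key is not extractable');
  return `exported:${key.type}`;
}

// Hardened pattern: state lives in private fields; internal code reads it via
// a static helper that doubles as a brand check.
class HardenedKey {
  #type;
  #extractable;
  constructor(type, extractable) {
    this.#type = type;
    this.#extractable = extractable;
  }
  get type() { return this.#type; }
  get extractable() { return this.#extractable; }
  static slots(key) {
    if (!(#type in key)) throw new TypeError('not a HardenedKey');
    return { type: key.#type, extractable: key.#extractable };
  }
}

function hardenedExport(key) {
  const { type, extractable } = HardenedKey.slots(key);
  if (!extractable) throw new TypeError('key is not extractable');
  return `exported:${type}`;
}

// Shadow the public accessor on both keys and compare the export decisions.
function compare() {
  const shadow = { get: () => true };
  const attempt = (fn, key) => { try { return fn(key); } catch (e) { return e.message; } };
  const legacy = Object.defineProperty(new LegacyKey('secret', false), 'extractable', shadow);
  const hardened = Object.defineProperty(new HardenedKey('secret', false), 'extractable', shadow);
  return { legacy: attempt(legacyExport, legacy), hardened: attempt(hardenedExport, hardened),
    lookalike: attempt(hardenedExport, { type: 'secret', extractable: true }) };
}
```

`compare()` shows the legacy path honouring the shadowed accessor, while the hardened path keeps the original decision and rejects a lookalike object outright.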

TLS renegotiation now maps BoringSSL failures to a Node error (panva 34e62e9)

Calling TLSSocket#renegotiate() on BoringSSL-backed builds now yields ERR_TLS_RENEGOTIATION_UNSUPPORTED instead of an implementation-specific SSL error. The new error is documented and the affected renegotiation test was updated to expect the backend-specific behavior.

QUIC docs were substantially expanded (jasnell 64cf9a1)

doc/api/quic.md received a large documentation refresh, adding detail and clarifications around the QUIC API. This should make the still-evolving interface easier to understand and use correctly.

Other misc changes

  • Bumped ngtcp2 to 1.22.1.
  • Updated release procedure docs for post-release failure handling.
  • Documented the entryPoint argument for sqlite.loadExtension().
  • Adjusted sqlite test cleanup to use ERM.
  • Fixed a deprecation list entry in the v26 changelog.
  • Updated TLS/crypto tests for BoringSSL behavior changes.