v20.20.0
node-js
Summary
This is a security release addressing several CVEs by disabling futimes under the permission model, improving TLS error handling, tightening symlink API permissions, and fixing stack overflow and buffer creation issues.
⚠️ Breaking Changes
- The refactoring of unsafe buffer creation removed the zero-fill toggle. Code relying on this toggle for buffer initialization behavior may need adjustment.
- Symlink APIs now require full read and write permissions, which might break existing operations that previously succeeded with fewer permissions.
Migration Steps
- Review usage of unsafe buffer creation if relying on the previous zero-fill toggle behavior.
- Ensure applications using symlink APIs have the necessary full read and write permissions if the permission model is enabled.
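A startup preflight for the symlink migration step above, as an added example that is not code from the Node.js project. It assumes that "full" permission corresponds to `process.permission.has(scope)` called without a reference, which checks the whole scope; `symlinkPreflight`, `assertSymlinkAllowed` and the `scopedReadGrant` stand-in are hypothetical names introduced here.

```javascript
// Added example (not from the Node.js project): preflight for symlink calls
// when the permission model may be enabled.

// Assumption: "full" permission corresponds to process.permission.has(scope)
// called without a reference, which asks about the whole scope (all paths).
const REQUIRED_SCOPES = ['fs.read', 'fs.write'];

// `perm` defaults to process.permission, which is undefined unless the
// process was started with the permission model enabled.
function symlinkPreflight(perm = process.permission) {
  if (!perm || typeof perm.has !== 'function') {
    // Permission model off: nothing here restricts symlink creation.
    return { modelEnabled: false, allowed: true, missing: [] };
  }
  const missing = REQUIRED_SCOPES.filter((scope) => !perm.has(scope));
  return { modelEnabled: true, allowed: missing.length === 0, missing };
}

// Hypothetical helper: fail early with an actionable message instead of
// hitting an access-denied error at the first symlink call.
function assertSymlinkAllowed(perm = process.permission) {
  const check = symlinkPreflight(perm);
  if (!check.allowed) {
    const err = new Error(
      `symlink APIs need unrestricted ${check.missing.join(' and ')} permission`
    );
    err.missing = check.missing;
    throw err;
  }
  return check;
}

// Constructed stand-in for a process granted write access everywhere but
// read access to a single directory only (a path-scoped grant).
const scopedReadGrant = {
  has: (scope, ref) => scope === 'fs.write' || ref === '/app/data',
};

// A path-scoped read grant is not a full grant, so the preflight reports it.
console.log(symlinkPreflight(scopedReadGrant));
// Result for the real process (permission model on or off):
console.log(symlinkPreflight());
```

Call `assertSymlinkAllowed()` once at startup, before any code path that uses `fs.symlink`, so a deployment with path-scoped grants fails with a clear message.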
🐛 Bug Fixes
- (CVE-2025-55132) futimes is now disabled when the permission model is enabled.
- (CVE-2025-59465) A default error handler has been added to TLSSocket.
- (CVE-2025-59466) Stack overflow exceptions in async_hooks are now rethrown.
- (CVE-2026-21637) Callback exceptions in TLS are now routed through error handlers.