v22.22.0
node-js
Summary
This is a security release addressing several CVEs by improving TLS error handling, updating dependency versions, and tightening permissions around symlink operations and buffer creation.
⚠️ Breaking Changes
- Refactor of unsafe buffer creation removed the zero-fill toggle. Code relying on the previous behavior of zero-filling might now see uninitialized memory if not explicitly handled.
- Symlink APIs now require full read and write permissions, which may break existing code that previously operated with fewer permissions.
Migration Steps
- If using unsafe buffer creation, ensure that explicit zero-filling is performed if required, as the automatic zero-fill toggle has been removed.
- Verify that processes interacting with symlink APIs have full read and write permissions, or update the application logic to handle potential permission errors.
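The first migration step, as an added example (not code from the Node.js project): a fixed-size record packer that zero-fills explicitly instead of relying on any runtime zero-fill setting. The record layout and the names `packRecord`, `packRecordUnsafe` and `paddingIsZero` are hypothetical.

```javascript
'use strict';

// Hypothetical layout: 1 length byte followed by up to 31 bytes of UTF-8 name.
const RECORD_SIZE = 32;
const MAX_NAME = RECORD_SIZE - 1;

// Risky pattern: only the bytes actually written are defined. The padding
// after the name keeps whatever was in that memory before, and it leaves the
// process if the record is sent or stored as-is.
function packRecordUnsafe(name) {
  const buf = Buffer.allocUnsafe(RECORD_SIZE);
  buf[0] = buf.write(name, 1, MAX_NAME, 'utf8'); // write() returns bytes written
  return buf;
}

// Hardened: explicit fill(0) right after allocation, so the result is the
// same whether or not the runtime zero-fills unsafe allocations.
function packRecord(name) {
  const buf = Buffer.allocUnsafe(RECORD_SIZE).fill(0);
  buf[0] = buf.write(name, 1, MAX_NAME, 'utf8');
  return buf;
}

// Equivalent and simpler when the allocation is not performance critical:
// Buffer.alloc() always returns zeroed memory.
function packRecordAlloc(name) {
  const buf = Buffer.alloc(RECORD_SIZE);
  buf[0] = buf.write(name, 1, MAX_NAME, 'utf8');
  return buf;
}

// Check usable in a unit test: every byte past the payload must be zero.
function paddingIsZero(record) {
  for (let i = 1 + record[0]; i < record.length; i++) {
    if (record[i] !== 0) return false;
  }
  return true;
}

// Constructed sample input.
const sample = packRecord('alice');
console.log(sample[0], paddingIsZero(sample));
// The unsafe variant may or may not print true: its padding is undefined.
console.log(paddingIsZero(packRecordUnsafe('alice')));
```
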
✨ New Features
- Added a default error handler for TLSSocket to address CVE-2025-59465.
🐛 Bug Fixes
- Disabled futimes when the permission model is enabled to address CVE-2025-55132.
- Stack overflow exceptions in async_hooks are now rethrown (CVE-2025-59466).
- Callback exceptions in TLS are now routed through error handlers (CVE-2026-21637).