Change8

v22.23.0

Breaking Changes
📦 node-jsView on GitHub →
2 breaking🐛 16 fixes🔧 13 symbols

Summary

This is a security release addressing multiple high and medium severity CVEs across TLS, crypto, HTTP/2, and DNS modules. It also includes dependency updates and removes deprecated http2 priority signaling.

⚠️ Breaking Changes

  • http2: Support for priority signaling has been removed, which may break compatibility if this feature was explicitly relied upon. Users should migrate away from using priority signaling.
  • SEMVER-MAJOR: Removed support for priority signaling in http2.

Migration Steps

  1. If you were relying on http2 priority signaling, you must update your code as this feature has been removed.
  2. Ensure that hostnames passed to network operations do not contain embedded NUL bytes.

🐛 Bug Fixes

  • (CVE-2026-48618) tls: Hostname normalization is now performed for server identity checks.
  • (CVE-2026-48933) crypto: Guarded WebCrypto cipher output length.
  • (CVE-2026-48937) deps: Fixed integration issues with the latest nghttp2.
  • (CVE-2026-48930) dns,net: Hostnames containing embedded NUL bytes are now rejected.
  • (CVE-2026-48619) http2: Capped originSet size to prevent unbounded memory growth.
  • (CVE-2026-48615) lib,test: Proxy credentials are now redacted in tunnel errors.
  • (CVE-2026-48934) tls: Reusable sessions are now bound to the authenticated host.
  • (CVE-2026-48928) tls: Fixed case-sensitive SNI context matching.
  • (CVE-2026-48617) permission: Handled process.chdir on writereport.
  • (CVE-2026-48931) http: Fixed response queue poisoning in http.Agent.
  • (CVE-2026-48935) permission: Disabled FileHandle utimes when using the permission model.
  • deps: Updated llhttp to 9.4.2.
  • deps: Updated undici to 6.27.0.
  • deps: Upgraded openssl sources to openssl-3.5.7.
  • deps: Fixed AIX implicit declaration issue in OpenSSL.
  • http2: Fixed DEP0194 message.

Affected Symbols