v22.23.0
Breaking Changes📦 node-jsView on GitHub →
⚠ 2 breaking🐛 16 fixes🔧 13 symbols
Summary
This is a security release addressing multiple high and medium severity CVEs across TLS, crypto, HTTP/2, and DNS modules. It also includes dependency updates and removes deprecated http2 priority signaling.
⚠️ Breaking Changes
- http2: Support for priority signaling has been removed, which may break compatibility if this feature was explicitly relied upon. Users should migrate away from using priority signaling.
- SEMVER-MAJOR: Removed support for priority signaling in http2.
Migration Steps
- If you were relying on http2 priority signaling, you must update your code as this feature has been removed.
- Ensure that hostnames passed to network operations do not contain embedded NUL bytes.
🐛 Bug Fixes
- (CVE-2026-48618) tls: Hostname normalization is now performed for server identity checks.
- (CVE-2026-48933) crypto: Guarded WebCrypto cipher output length.
- (CVE-2026-48937) deps: Fixed integration issues with the latest nghttp2.
- (CVE-2026-48930) dns,net: Hostnames containing embedded NUL bytes are now rejected.
- (CVE-2026-48619) http2: Capped originSet size to prevent unbounded memory growth.
- (CVE-2026-48615) lib,test: Proxy credentials are now redacted in tunnel errors.
- (CVE-2026-48934) tls: Reusable sessions are now bound to the authenticated host.
- (CVE-2026-48928) tls: Fixed case-sensitive SNI context matching.
- (CVE-2026-48617) permission: Handled process.chdir on writereport.
- (CVE-2026-48931) http: Fixed response queue poisoning in http.Agent.
- (CVE-2026-48935) permission: Disabled FileHandle utimes when using the permission model.
- deps: Updated llhttp to 9.4.2.
- deps: Updated undici to 6.27.0.
- deps: Upgraded openssl sources to openssl-3.5.7.
- deps: Fixed AIX implicit declaration issue in OpenSSL.
- http2: Fixed DEP0194 message.