Node.js v25.3.0
Summary
This is a security release addressing several CVEs across lib, permission, src, and tls modules. Key changes include improved error handling and stricter permission checks.
⚠️ Breaking Changes
- Refactor of unsafe buffer creation removed the zero-fill toggle. Code relying on this toggle for buffer initialization behavior may need adjustment.
- The `futimes` operation is now disabled when the permission model is enabled. Code using `futimes` in permission-enabled contexts will fail.
Migration Steps
- If relying on the zero-fill behavior of unsafe buffer creation, ensure buffers are explicitly zero-filled if necessary, as the toggle was removed.
- If using `futimes` in environments where the permission model is active, this function call will now be blocked.
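The first migration step as an added example (not code from the Node.js project or this release): a buffer obtained from `Buffer.allocUnsafe` is zeroed explicitly wherever the payload does not cover it, so the result does not depend on how the allocator initializes memory. The frame layout, `FRAME_SIZE` and all function names are hypothetical.

```javascript
// Added example; the frame layout and every name below are hypothetical.
// Buffer is a Node.js global, so no import is needed.

const FRAME_SIZE = 64; // constructed layout: 2-byte length, payload, padding

// Builds a fixed-size frame from allocUnsafe memory and zeroes the padding
// explicitly, so stale heap contents never end up in the bytes after the payload.
function buildFrame(payload) {
  if (!Buffer.isBuffer(payload)) throw new TypeError('payload must be a Buffer');
  if (payload.length > FRAME_SIZE - 2) throw new RangeError('payload too large');

  const frame = Buffer.allocUnsafe(FRAME_SIZE); // contents are not guaranteed to be zero
  frame.writeUInt16BE(payload.length, 0);
  payload.copy(frame, 2);

  const tail = 2 + payload.length;
  if (tail < FRAME_SIZE) frame.fill(0, tail); // explicit zero-fill of the unwritten part
  return frame;
}

// Alternative when allocation speed does not matter: Buffer.alloc always
// returns zero-filled memory, so only the written fields need attention.
function buildFrameAlloc(payload) {
  if (!Buffer.isBuffer(payload)) throw new TypeError('payload must be a Buffer');
  if (payload.length > FRAME_SIZE - 2) throw new RangeError('payload too large');

  const frame = Buffer.alloc(FRAME_SIZE);
  frame.writeUInt16BE(payload.length, 0);
  payload.copy(frame, 2);
  return frame;
}

// Check usable in a unit test: every byte after the payload must be zero.
function paddingIsZero(frame) {
  const len = frame.readUInt16BE(0);
  return frame.subarray(2 + len).every((b) => b === 0);
}

// Constructed sample input.
const sample = buildFrame(Buffer.from('constructed sample'));
console.log(sample.length, paddingIsZero(sample));
```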
🐛 Bug Fixes
- (CVE-2025-59465) Added a default error handler for `TLSSocket`.
- (CVE-2026-21636) Added a network check during `pipe_wrap` connect operations.
- (CVE-2025-59466) Stack overflow exceptions in `async_hooks` are now correctly rethrown.
- (CVE-2026-21637) Exceptions occurring in TLS callbacks are now routed through error handlers.