v20.19.3 proposal

.github/workflows/build-tarball.yml

@@ -96,7 +96,7 @@ jobs:
           echo "TAR_DIR=$RUNNER_TEMP/`basename tarballs/*.tar.gz .tar.gz`" >> $GITHUB_ENV
       - name: Copy directories needed for testing
         run: |
-          cp -r tools/eslint $TAR_DIR/tools
+          cp -r tools/node_modules $TAR_DIR/tools
           cp -r tools/eslint-rules $TAR_DIR/tools
       - name: Build
         run: |

.github/workflows/test-linux.yml

@@ -35,16 +35,11 @@ permissions:
 jobs:
   test-linux:
     if: github.event.pull_request.draft == false
-    runs-on: ${{ matrix.os }}
-    strategy:
-      fail-fast: false
-      matrix:
-        os: [ubuntu-24.04, ubuntu-24.04-arm]
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
           persist-credentials: false
-          path: node
       - name: Set up Python ${{ env.PYTHON_VERSION }}
         uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55  # v5.5.0
         with:
@@ -56,13 +51,6 @@ jobs:
       - name: Environment Information
         run: npx envinfo
       - name: Build
-        run: make -C node build-ci -j4 V=1 CONFIG_FLAGS="--error-on-warn"
+        run: make build-ci -j4 V=1 CONFIG_FLAGS="--error-on-warn"
       - name: Test
-        run: make -C node run-ci -j4 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9"
-      - name: Re-run test in a folder whose name contains unusual chars
-        run: |
-          mv node "$DIR"
-          cd "$DIR"
-          ./tools/test.py --flaky-tests keep_retrying -p actions -j 4
-        env:
-          DIR: dir%20with $unusual"chars?'åß∂ƒ©∆¬…`
+        run: make run-ci -j4 V=1 TEST_CI_ARGS="-p actions --measure-flakiness 9"

.github/workflows/test-macos.yml

@@ -58,7 +58,7 @@ jobs:
       - name: Set up sccache
         uses: Mozilla-Actions/sccache-action@7d986dd989559c6ecdb630a3fd2557667be217ad  # v0.0.9
         with:
-          version: v0.8.1
+          version: v0.10.0
       - name: Environment Information
         run: npx envinfo
       # The `npm ci` for this step fails a lot as part of the Test step. Run it

CHANGELOG.md

@@ -35,7 +35,8 @@ release.
 </tr>
 <tr>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V20.md#20.19.2">20.19.2</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V20.md#20.19.3">20.19.3</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V20.md#20.19.2">20.19.2</a><br/>
 <a href="doc/changelogs/CHANGELOG_V20.md#20.19.1">20.19.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V20.md#20.19.0">20.19.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V20.md#20.18.3">20.18.3</a><br/>

Makefile

@@ -171,8 +171,7 @@ with-code-cache test-code-cache:
 	$(warning '$@' target is a noop)
 
 out/Makefile: config.gypi common.gypi node.gyp \
-	deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
-	deps/simdutf/simdutf.gyp deps/ada/ada.gyp \
+	deps/*/*.gyp \
 	tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
 	tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
 	$(PYTHON) tools/gyp_node.py -f make

README.md

@@ -317,6 +317,8 @@ For information about the governance of the Node.js project, see
   **Kohei Ueno** <<[email protected]>> (he/him)
 * [daeyeon](https://github.com/daeyeon) -
   **Daeyeon Jeong** <<[email protected]>> (he/him)
+* [dario-piotrowicz](https://github.com/dario-piotrowicz) -
+  **Dario Piotrowicz** <<[email protected]>> (he/him)
 * [debadree25](https://github.com/debadree25) -
   **Debadree Chatterjee** <<[email protected]>> (he/him)
 * [deokjinkim](https://github.com/deokjinkim) -
@@ -745,6 +747,8 @@ maintaining the Node.js project.
   **Feng Yu** <<[email protected]>> (he/him)
 * [gireeshpunathil](https://github.com/gireeshpunathil) -
   **Gireesh Punathil** <<[email protected]>> (he/him)
+* [gurgunday](https://github.com/gurgunday) -
+  **Gürgün Dayıoğlu** <<[email protected]>>
 * [iam-frankqiu](https://github.com/iam-frankqiu) -
   **Frank Qiu** <<[email protected]>> (he/him)
 * [KevinEady](https://github.com/KevinEady) -

SECURITY.md

@@ -55,6 +55,39 @@ Here is the security disclosure policy for Node.js
   possible; however, we must follow the release process above to ensure that we
   handle disclosure consistently.
 
+## Code of Conduct and Vulnerability Reporting Guidelines
+
+When reporting security vulnerabilities, reporters must adhere to the following guidelines:
+
+1. **Code of Conduct Compliance**: All security reports must comply with our
+   [Code of Conduct](CODE_OF_CONDUCT.md). Reports that violate our code of conduct
+   will not be considered and may result in being banned from future participation.
+
+2. **No Harmful Actions**: Security research and vulnerability reporting must not:
+   * Cause damage to running systems or production environments.
+   * Disrupt Node.js development or infrastructure.
+   * Affect other users' applications or systems.
+   * Include actual exploits that could harm users.
+   * Involve social engineering or phishing attempts.
+
+3. **Responsible Testing**: When testing potential vulnerabilities:
+   * Use isolated, controlled environments.
+   * Do not test on production systems.
+   * Do not attempt to access or modify other users' data.
+   * Immediately stop testing if unauthorized access is gained accidentally.
+
+4. **Report Quality**
+   * Provide clear, detailed steps to reproduce the vulnerability.
+   * Include only the minimum proof of concept required to demonstrate the issue.
+   * Remove any malicious payloads or components that could cause harm.
+
+Failure to follow these guidelines may result in:
+
+* Rejection of the vulnerability report.
+* Forfeiture of any potential bug bounty.
+* Temporary or permanent ban from the bug bounty program.
+* Legal action in cases of malicious intent.
+
 ## The Node.js threat model
 
 In the Node.js threat model, there are trusted elements such as the

common.gypi

@@ -36,7 +36,7 @@
 
     # Reset this number to 0 on major V8 upgrades.
     # Increment by one for each non-official patch applied to deps/v8.
-    'v8_embedder_string': '-node.26',
+    'v8_embedder_string': '-node.29',
 
     ##### V8 defaults for Node.js #####
 
@@ -268,6 +268,9 @@
     # Defines these mostly for node-gyp to pickup.
     'defines': [
       '_GLIBCXX_USE_CXX11_ABI=1',
+      # This help forks when building Node.js on a 32-bit arch as
+      # libuv is always compiled with _FILE_OFFSET_BITS=64
+      '_FILE_OFFSET_BITS=64'
     ],
 
     # Forcibly disable -Werror.  We support a wide range of compilers, it's

deps/corepack/CHANGELOG.md

@@ -1,5 +1,23 @@
 # Changelog
 
+## [0.32.0](https://github.com/nodejs/corepack/compare/v0.31.0...v0.32.0) (2025-02-28)
+
+
+### Features
+
+* add limited support for `devEngines` ([#643](https://github.com/nodejs/corepack/issues/643)) ([b456268](https://github.com/nodejs/corepack/commit/b4562688513f23e37e37b0d69a0daff33ca84c8d))
+* add more informative error when fetching latest stable fails ([#644](https://github.com/nodejs/corepack/issues/644)) ([53b1fe7](https://github.com/nodejs/corepack/commit/53b1fe75c47c06bd72a8b8f8bb699a47c9ca32fb))
+* add support for `.corepack.env` ([#642](https://github.com/nodejs/corepack/issues/642)) ([9b95b46](https://github.com/nodejs/corepack/commit/9b95b46f05e50fe1c60f05309c210ba8fe4e23c5))
+* update package manager versions ([#617](https://github.com/nodejs/corepack/issues/617)) ([b83bb5e](https://github.com/nodejs/corepack/commit/b83bb5ec150980c998b9c7053dff307d912cb508))
+
+
+### Bug Fixes
+
+* do not resolve fallback descriptor when `packageManager` is defined ([#632](https://github.com/nodejs/corepack/issues/632)) ([12e77e5](https://github.com/nodejs/corepack/commit/12e77e506946d42a0de9ce8e68d75af8454d6776))
+* **doc:** fix link to proxy library ([#636](https://github.com/nodejs/corepack/issues/636)) ([bae0839](https://github.com/nodejs/corepack/commit/bae08397943d4b99437389b4286546361091f4b3))
+* replace explicit with specify as verb ([#665](https://github.com/nodejs/corepack/issues/665)) ([351d86c](https://github.com/nodejs/corepack/commit/351d86c20226a8c18bfe212be27401f2908b1595))
+* **use:** do not throw on invalid `packageManager` ([#663](https://github.com/nodejs/corepack/issues/663)) ([4be72f6](https://github.com/nodejs/corepack/commit/4be72f6941afa0c9b2b7d26635016bb7b560df8a))
+
 ## [0.31.0](https://github.com/nodejs/corepack/compare/v0.30.0...v0.31.0) (2025-01-27)
 
 

deps/corepack/README.md

@@ -41,6 +41,25 @@ is distributed along with Node.js itself.
 
 </details>
 
+<details><summary>Update Corepack using npm</summary>
+
+To install the latest version of Corepack, use:
+
+```shell
+npm install -g corepack@latest
+```
+
+If Corepack was installed on your system using a Node.js Windows Installer
+`.msi` package then you might need to remove it before attempting to install a
+different version of Corepack using npm. You can select the Modify option of the
+Node.js app settings to access the Windows Installer feature selection, and on
+the "corepack manager" feature of the Node.js `.msi` package by selecting
+"Entire feature will be unavailable". See
+[Repair apps and programs in Windows](https://support.microsoft.com/en-us/windows/repair-apps-and-programs-in-windows-e90eefe4-d0a2-7c1b-dd59-949a9030f317)
+for instructions on accessing the Windows apps page to modify settings.
+
+</details>
+
 <details><summary>Install Corepack from source</summary>
 
 See [`CONTRIBUTING.md`](./CONTRIBUTING.md).
@@ -94,6 +113,35 @@ use in the archive).
 }
 ```
 
+#### `devEngines.packageManager`
+
+When a `devEngines.packageManager` field is defined, and is an object containing
+a `"name"` field (can also optionally contain `version` and `onFail` fields),
+Corepack will use it to validate you're using a compatible package manager.
+
+Depending on the value of `devEngines.packageManager.onFail`:
+
+- if set to `ignore`, Corepack won't print any warning or error.
+- if unset or set to `error`, Corepack will throw an error in case of a mismatch.
+- if set to `warn` or some other value, Corepack will print a warning in case
+  of mismatch.
+
+If the top-level `packageManager` field is missing, Corepack will use the
+package manager defined in `devEngines.packageManager` – in which case you must
+provide a specific version in `devEngines.packageManager.version`, ideally with
+a hash, as explained in the previous section:
+
+```json
+{
+  "devEngines":{
+    "packageManager": {
+      "name": "yarn",
+      "version": "3.2.3+sha224.953c8233f7a92884eee2de69a1b92d1f2ec1655e66d08071ba9a02fa"
+    }
+  }
+}
+```
+
 ## Known Good Releases
 
 When running Corepack within projects that don't list a supported package
@@ -227,6 +275,7 @@ it.
 
 Unlike `corepack use` this command doesn't take a package manager name nor a
 version range, as it will always select the latest available version from the
+range specified in `devEngines.packageManager.version`, or fallback to the
 same major line. Should you need to upgrade to a new major, use an explicit
 `corepack use {name}@latest` call (or simply `corepack use {name}`).
 
@@ -248,6 +297,7 @@ same major line. Should you need to upgrade to a new major, use an explicit
   set to `1` to have the URL shown. By default, when Corepack is called
   explicitly (e.g. `corepack pnpm …`), it is set to `0`; when Corepack is called
   implicitly (e.g. `pnpm …`), it is set to `1`.
+  The default value cannot be overridden in a `.corepack.env` file.
   When standard input is a TTY and no CI environment is detected, Corepack will
   ask for user input before starting the download.
 
@@ -273,6 +323,14 @@ same major line. Should you need to upgrade to a new major, use an explicit
   project. This means that it will always use the system-wide package manager
   regardless of what is being specified in the project's `packageManager` field.
 
+- `COREPACK_ENV_FILE` can be set to `0` to request Corepack to not attempt to
+  load `.corepack.env`; it can be set to a path to specify a different env file.
+  Only keys that start with `COREPACK_` and are not in the exception list
+  (`COREPACK_ENABLE_DOWNLOAD_PROMPT` and `COREPACK_ENV_FILE` are ignored)
+  will be taken into account.
+  For Node.js 18.x users, this setting has no effect as that version doesn't
+  support parsing of `.env` files.
+
 - `COREPACK_HOME` can be set in order to define where Corepack should install
   the package managers. By default it is set to `%LOCALAPPDATA%\node\corepack`
   on Windows, and to `$HOME/.cache/node/corepack` everywhere else.
@@ -294,7 +352,7 @@ same major line. Should you need to upgrade to a new major, use an explicit
   empty password, explicitly set `COREPACK_NPM_PASSWORD` to an empty string.
 
 - `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` are supported through
-  [`node-proxy-agent`](https://github.com/TooTallNate/node-proxy-agent).
+  [`proxy-from-env`](https://github.com/Rob--W/proxy-from-env).
 
 - `COREPACK_INTEGRITY_KEYS` can be set to an empty string or `0` to
   instruct Corepack to skip integrity checks, or to a JSON string containing