Antoine du Hamel
2026-04-01, Version 25.9.0 (Current), @aduh95
Notable Changes
Test runner module mocking improvements
MockModuleOptions.defaultExport
and MockModuleOptions.namedExports
have been
consolidated into a single option MockModuleOptions.exports
to align with user
expectations and other test runners.
A default
property on MockModuleOptions.exports
represents the default
export, and own enumerable properties are treated as named exports.
An automated migration is available to update user code: https://github.com/nodejs/userland-migrations/tree/main/recipes/mock-module-exports
npx codemod @nodejs/mock-module-exports
Contributed by sangwook in #61727.
Other notable changes
- [
312476cb84
] - (SEMVER-MINOR) async_hooks: add using scopes toAsyncLocalStorage
(Stephen Belanger) #61674 - [
62d2cd473b
] - (SEMVER-MINOR) cli: add--max-heap-size
option (tannal) #58708 - [
d0ebf0e44b
] - (SEMVER-MINOR) crypto: addTurboSHAKE
andKangarooTwelve
Web Cryptography algorithms (Filip Skokan) #62183 - [
f85b9d9fa8
] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #62188 - [
67b854d407
] - (SEMVER-MINOR) repl: remove dependency onnode:domain
(Matteo Collina) #61227 - [
966b700623
] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158 - [
e1f0d2a014
] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #62066
Commits
- [
312476cb84
] - (SEMVER-MINOR) async_hooks: add using scopes to AsyncLocalStorage (Stephen Belanger) #61674 - [
bfff8cb2ab
] - (SEMVER-MINOR) benchmark: add benchmarks for experimental stream/iter (James M Snell) #62066 - [
c721d68502
] - benchmark: fix destructuring in dgram/single-buffer (Ali Hassan) #62084 - [
e2f03c8e92
] - buffer: improve performance of multiple Buffer operations (Ali Hassan) #61871 - [
2fcd07f1ba
] - build: support empty libname flags inconfigure.py
(Antoine du Hamel) #62477 - [
b800c57fce
] - build: fix timezone-update path references (Chengzhong Wu) #62280 - [
7dc5a1e9b4
] - build: skip dockit on IBMi (SRAVANI GUNDEPALLI) #62189 - [
f0eea0f905
] - build: fix --node-builtin-modules-path (Filip Skokan) #62115 - [
62d2cd473b
] - (SEMVER-MINOR) cli: add --max-heap-size option (tannal) #58708 - [
ac4b485698
] - crypto: update root certificates to NSS 3.121 (Node.js GitHub Bot) #62485 - [
d0ebf0e44b
] - (SEMVER-MINOR) crypto: add TurboSHAKE and KangarooTwelve Web Cryptography algorithms (Filip Skokan) #62183 - [
3009980d9d
] - crypto: add crypto::GetSSLCtx API for addon access to OpenSSL contexts (Tim Perry) #62254 - [
f5725ca81d
] - crypto: reject ML-KEM/ML-DSA PKCS#8 import without seed in SubtleCrypto (Filip Skokan) #62218 - [
f69ed4bc3f
] - crypto: rename CShakeParams and KmacParams length to outputLength (Filip Skokan) #61875 - [
4d96e53570
] - crypto: refactor WebCrypto AEAD algorithms auth tag handling (Filip Skokan) #62169 - [
93d77719e8
] - crypto: read algorithm name property only once in normalizeAlgorithm (Filip Skokan) #62170 - [
3d2e23a981
] - deps: update ada to 3.4.4 (Node.js GitHub Bot) #62414 - [
176d6d2205
] - deps: update timezone to 2026a (Node.js GitHub Bot) #62164 - [
95c7fc67ba
] - deps: update googletest to 2461743991f9aa53e9a3625eafcbacd81a3c74cd (Node.js GitHub Bot) #62484 - [
e5e9f2044a
] - deps: update simdjson to 4.5.0 (Node.js GitHub Bot) #62382 - [
905b94266a
] - deps: update ngtcp2 to 1.21.0 (Node.js GitHub Bot) #62051 - [
180c150122
] - deps: V8: cherry-pick cf1bce40a5ef (Richard Lau) #62449 - [
bc265aa003
] - deps: upgrade npm to 11.12.1 (npm team) #62448 - [
f1b28612c4
] - deps: V8: cherry-pick b25cd62c7ba2 (Yagiz Nizipli) #62354 - [
757719d2af
] - deps: disable rust icu compiled_data features (Chengzhong Wu) #62284 - [
3bdc955b63
] - deps: update sqlite to 3.51.3 (Node.js GitHub Bot) #62256 - [
a9703d194a
] - deps: update googletest to 73a63ea05dc8ca29ec1d2c1d66481dd0de1950f1 (Node.js GitHub Bot) #61927 - [
85138935cb
] - deps: update merve to 1.2.2 (Node.js GitHub Bot) #62213 - [
231521e75e
] - diagnostics_channel: add diagnostics channels for web locks (Ilyas Shabi) #62123 - [
0093863664
] - doc: deprecatemodule.register()
(DEP0205) (Geoffrey Booth) #62395 - [
0b96ece6be
] - doc: clarify that features cannot be both experimental and deprecated (Antoine du Hamel) #62456 - [
8d3ea975f5
] - doc: fix 'transfered' typo in quic.md (lilianakatrina684-a11y) #62492 - [
08ff16e0ba
] - doc: move sqlite type conversion section to correct level (René) #62482 - [
61cc747dd8
] - doc: add Rafael to last security release steward (Rafael Gonzaga) #62423 - [
64cfa5a6fa
] - doc: use npm-published version of doc-kit (Aviv Keller) #62139 - [
1020321fb0
] - doc: fix overstated Date header requirement in response.sendDate (Kit Dallege) #62206 - [
9caa7855b2
] - doc: fix guaranteed typo (lilianakatrina684-a11y) #62374 - [
e254f65306
] - doc: enhance clarification about the main field (Mowafak Almahaini) #62302 - [
9e724b53f8
] - doc: remove spawn with shell example from bat/cmd section (Kit Dallege) #62243 - [
7f37c17516
] - doc: minor typo fix (Jeff Matson) #62358 - [
eb0ca98f01
] - doc: add path to vulnerabilities.json mention (Rafael Gonzaga) #62355 - [
198b6e0932
] - doc: deprecate CryptoKey use in node:crypto (Filip Skokan) #62321 - [
17e5aee6c5
] - doc: fix small environment_variables typo (chris) #62279 - [
193d629895
] - doc: test and test-only targets do not run linter (Xavier Stouder) #62120 - [
4a1f20ec4a
] - doc: clarify fs.ReadStream and fs.WriteStream are not constructable (Kit Dallege) #62208 - [
f976c9214d
] - doc: clarify that any truthy value ofshell
is part of DEP0190 (Antoine du Hamel) #62249 - [
4d83972681
] - doc: remove outdated Chrome 66 and ndb references from debugger (Kit Dallege) #62202 - [
71f2eada5b
] - doc: add throwIfNoEntry version history to fs.stat (kovan) #62204 - [
670c80893b
] - doc: add note (and caveat) formock.module
about customization hooks (Jacob Smith) #62075 - [
2ff5cb13f5
] - doc,test: clarify --eval syntax for leading '-' scripts (kovan) #62244 - [
6c6c9004c4
] - esm: fix typo in worker loader hook comment (jakecastelli) #62475 - [
1cdd23c9f3
] - esm: fix source phase identity bug in loadCache eviction (Guy Bedford) #62415 - [
4f4ff15794
] - esm: fix path normalization infinalizeResolution
(Antoine du Hamel) #62080 - [
088167d102
] - events: avoid cloning listeners array on every emit (Gürgün Dayıoğlu) #62261 - [
0250b436ee
] - fs: fix cpSync to handle non-ASCII characters (Stefan Stojanovic) #61950 - [
b67a8fb171
] - inspector: add Target.getTargets and extract TargetManager (Kohei) #62487 - [
ffcc5a5722
] - lib: make SubtleCrypto.supports enumerable (Filip Skokan) #62307 - [
92ef2ad8fa
] - lib: prefer primordials in SubtleCrypto (Filip Skokan) #62226 - [
40a43ac4d0
] - module: fix coverage of mocked CJS modules imported from ESM (Marco) #62133 - [
3ef0a5b90e
] - quic: remove CryptoKey support from session keys option (Filip Skokan) #62335 - [
3c8dd8eb8e
] - repl: use vm DONT_CONTEXTIFY context (Chengzhong Wu) #62371 - [
f85b9d9fa8
] - (SEMVER-MINOR) repl: add customizable error handling (Anna Henningsen) #62188 - [
e4c164e045
] - repl: handle exceptions from async context after close (Anna Henningsen) #62165 - [
67b854d407
] - (SEMVER-MINOR) repl: remove dependency on domain module (Matteo Collina) #61227 - [
966b700623
] - (SEMVER-MINOR) sea: support code cache for ESM entrypoint in SEA (Joyee Cheung) #62158 - [
fe82baf970
] - src: improve EC JWK import performance (Filip Skokan) #62396 - [
d490b171e0
] - src: handle null backing store in ArrayBufferViewContents::Read (Mert Can Altin) #62343 - [
0e4af848bc
] - src: convert context_frame field in AsyncWrap to internal field (Anna Henningsen) #62103 - [
02980b8c8f
] - src: enable compilation/linking with OpenSSL 4.0 (Filip Skokan) #62410 - [
064f7c2fa6
] - src: use stack allocation in indexOf latin1 path (Mert Can Altin) #62268 - [
ede52bc2dc
] - src,sqlite: fix filterFunc dangling reference (Edy Silva) #62281 - [
e1f0d2a014
] - (SEMVER-MINOR) stream: add stream/iter Implementation (James M Snell) #62066 - [
03839fb087
] - stream: preserve error over AbortError in pipeline (Marco) #62113 - [
0000d2f011
] - stream: replace bind with arrow function for onwrite callback (Ali Hassan) #62087 - [
3796a73719
] - test: update WPT for WebCryptoAPI to 2cb332d710 (Node.js GitHub Bot) #62483 - [
ad8309415b
] - test: update WPT for url to fc3e651593 (Node.js GitHub Bot) #62379 - [
bed89b037e
] - test: wait for reattach before initial break on restart (Yuya Inoue) #62471 - [
c9ffffcc55
] - test: disable flaky WPT Blob test on AIX (James M Snell) #62470 - [
fd41ef31f6
] - (SEMVER-MINOR) test: add tests for experimental stream/iter implementation (James M Snell) #62066 - [
1b9d8d3eec
] - test: avoid flaky run wait in debugger restart test (Yuya Inoue) #62112 - [
cb08a29d51
] - test: skip test-cluster-dgram-reuse on AIX 7.3 (Stewart X Addison) #62238 - [
abea0af8a9
] - test: add WebCrypto Promise.prototype.then pollution regression tests (Filip Skokan) #62226 - [
47a2132269
] - test: update WPT for WebCryptoAPI to 6a1c545d77 (Node.js GitHub Bot) #62187 - [
2c63d3006c
] - test_runner: add exports option for module mocks (sangwook) #61727 - [
44ac0e1302
] - test_runner: make it compatible with fake timers (Matteo Collina) #59272 - [
1865691275
] - test_runner: set non-zero exit code when suite errors occur (Edy Silva) #62282 - [
0252b2bab8
] - tools: bump picomatch from 4.0.3 to 4.0.4 in /tools/eslint (dependabot[bot]) #62439 - [
3368155267
] - tools: bump yaml from 2.8.2 to 2.8.3 in /tools/doc (dependabot[bot]) #62437 - [
5e47c359f5
] - tools: adopt the--check-for-duplicates
NCU flag (Antoine du Hamel) #62478 - [
4a604e82d0
] - tools: bump picomatch in /tools/doc (dependabot[bot]) #62438 - [
d1a98b4ddb
] - tools: bump flatted from 3.4.1 to 3.4.2 in /tools/eslint (dependabot[bot]) #62375 - [
c32daa1ab4
] - tools: bump eslint deps (Huáng Jùnliàng) #62356 - [
7a2fcc6d41
] - tools: do not swallow error inlint-nix
workflow (Antoine du Hamel) #62292 - [
c41a2871b5
] - tools: add eslint-plugin-regexp (Huáng Jùnliàng) #62093 - [
56dfeb06df
] - tools: fix timeout errors inlint-nix
job (Antoine du Hamel) #62265 - [
22fc8078e8
] - tools: bump flatted from 3.3.3 to 3.4.1 in /tools/eslint (dependabot[bot]) #62255 - [
409b0663bd
] - tools: bump undici from 6.23.0 to 6.24.1 in /tools/doc (dependabot[bot]) #62250 - [
67c69750f4
] - tools: validate all commits that are pushed tomain
(Antoine du Hamel) #62246 - [
7d9db8cd21
] - tools: keep GN files when updating Merve (Antoine du Hamel) #62167 - [
6c8fa42ba2
] - typings: rationalise TypedArray types (René) #62174 - [
531c64d04e
] - url: enable simdutf for ada (Yagiz Nizipli) #61477 - [
2000caccde
] - util: allow color aliases in styleText (sangwook) #62180 - [
0aed332ab4
] - wasm: support js string constant esm import (Guy Bedford) #62198 - [
d3fd4a978b
] - worker: heap profile optimizations (Ilyas Shabi) #62201 - [
e992a34a18
] - zlib: fix use-after-free when reset() is called during write (Matteo Collina) #62325
Windows 64-bit Installer: https://nodejs.org/dist/v25.9.0/node-v25.9.0-x64.msi
Windows ARM 64-bit Installer: https://nodejs.org/dist/v25.9.0/node-v25.9.0-arm64.msi
Windows 64-bit Binary: https://nodejs.org/dist/v25.9.0/win-x64/node.exe
Windows ARM 64-bit Binary: https://nodejs.org/dist/v25.9.0/win-arm64/node.exe
macOS 64-bit Installer: https://nodejs.org/dist/v25.9.0/node-v25.9.0.pkg
macOS Apple Silicon 64-bit Binary: https://nodejs.org/dist/v25.9.0/node-v25.9.0-darwin-arm64.tar.gz
macOS Intel 64-bit Binary: https://nodejs.org/dist/v25.9.0/node-v25.9.0-darwin-x64.tar.gz
Linux 64-bit Binary: https://nodejs.org/dist/v25.9.0/node-v25.9.0-linux-x64.tar.xz
Linux PPC LE 64-bit Binary: https://nodejs.org/dist/v25.9.0/node-v25.9.0-linux-ppc64le.tar.xz
Linux s390x 64-bit Binary: https://nodejs.org/dist/v25.9.0/node-v25.9.0-linux-s390x.tar.xz
AIX 64-bit Binary: https://nodejs.org/dist/v25.9.0/node-v25.9.0-aix-ppc64.tar.gz
ARMv8 64-bit Binary: https://nodejs.org/dist/v25.9.0/node-v25.9.0-linux-arm64.tar.xz
Source Code: https://nodejs.org/dist/v25.9.0/node-v25.9.0.tar.gz
Other release files: https://nodejs.org/dist/v25.9.0/
Documentation: https://nodejs.org/docs/v25.9.0/api/
SHASUMS
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
f7e119831209e9c001dc1fbf798d23e71cc5af540e06984e9e76c2d0fc7b5fe3 node-v25.9.0-aix-ppc64.tar.gz
2e95e8cd93bd4ce3336db9afad95d482bb2b29a74300f2a45223412508ece63f node-v25.9.0-arm64.msi
e479f3c469d3d9303a44f00a8ea37a3788395d171bb8059c48a4bbbd2e371b59 node-v25.9.0-darwin-arm64.tar.gz
15eeeb03c60691a4764effa6cee920217f72058a70bcffe5f4c1209bbe4ad5a3 node-v25.9.0-darwin-arm64.tar.xz
7d737b53ce191142bfa1c17cfa5b070d96e84eebf76b8dd06d84981cbdc3f7e3 node-v25.9.0-darwin-x64.tar.gz
824d667ee88ca3e10e9917c9032937e6d1f5042aeb32affd145702d9ff877704 node-v25.9.0-darwin-x64.tar.xz
de7a1b69ceee1a8a29a98d005d1edb642e917e5fed801fcadfd678d6f618c77a node-v25.9.0-headers.tar.gz
2ca4f3657b6033096f0d0154fde413f4ac583ed9b0ecf709c8ab3bbcbdef4ea3 node-v25.9.0-headers.tar.xz
8fb4283301b8c720fc9f18bffff0f659e72cc14d0cf207a3bb411808aaa73a57 node-v25.9.0-linux-arm64.tar.gz
bf007bf0dcc2fddd90888fde374a1ad33c1ab2ca2ad324c645dd7aed0f9f1460 node-v25.9.0-linux-arm64.tar.xz
e727611129ae0703f0cd2b28d8d4bdff150723581280570f66bc54ac5b092dba node-v25.9.0-linux-ppc64le.tar.gz
5b602d6f4167d4853cdbb5439738ac0a7dc60568ebe49eb25c70825bced1eb1b node-v25.9.0-linux-ppc64le.tar.xz
7ad2dc045c6bba89ac3d0ac9dd7d4818bf0bbfe4675e4e427bf1dce94eaae91e node-v25.9.0-linux-s390x.tar.gz
6511af1eaf69f0e806dc47f4e102bddb25eb76fe2b398f06f3ac460dee3334e2 node-v25.9.0-linux-s390x.tar.xz
134e55b2408448a219760fe04dc44d6851f9de8a79549021ffd870e9082d9e7b node-v25.9.0-linux-x64.tar.gz
1d8db7d6e291d167e8c467ae4094be175e1a0b3969c7ae1f8955b9f7824f7b2e node-v25.9.0-linux-x64.tar.xz
36f46d727cf2ac0df953ad1a154d48feede7a4aefb937dd9810306b3a6dbd2ce node-v25.9.0.pkg
d55d77187039d4cd85c732f76838f44e3be552054473459dfa9cc0eb611ea664 node-v25.9.0.tar.gz
8f78af3ee55fb278668b5f801db58bd1a38ea161318eb5ce2128ddbc9cd813aa node-v25.9.0.tar.xz
0e9706b4237cae58192177f2b18e362403ed842d480027565d5fd467a7e0ac40 node-v25.9.0-win-arm64.7z
6b499bcaf16c86fe1a98c8e2874fd1980b23b5c90ea412983db4392d7e08c36b node-v25.9.0-win-arm64.zip
064e90165f1c4bce4b208b05105f6a2aaa714b93ef218358f218245ef47611b2 node-v25.9.0-win-x64.7z
929552b8305effac843ba7b4270c437aefb702fc3fbd73fcd1bffd35d4ac284e node-v25.9.0-win-x64.zip
e469104e5d0c99f9185fbf17179fbb1d732261e6e1f9d281b6b2308a0126fb6d node-v25.9.0-x64.msi
6f7a7c2a12b95acd70e0cfdb9b3ef498c9664f45399f2e9f283630d274124f44 win-arm64/node.exe
646759ca31c8168f2f91d7a67c4a495fb79beb8fde841690c041fd55b2255065 win-arm64/node.lib
f14c4c40f31bd7bf6e0d9d03fcc3d0bc6a9b09d8af499771f96504bf17401244 win-arm64/node_pdb.7z
a5982280f975c59bbb884ef7d0d3453d6ee3d089d36374cb74f3ce2622d2bac4 win-arm64/node_pdb.zip
98843732431bad6c2c165908bb7dde6fe2a221ddbc491a955d548a2e6ab9ebff win-x64/node.exe
e3577a5a4a772b21646fe05a24d53ce3727395bbbc412f326889ddf7129bc7a9 win-x64/node.lib
3c134d585c4dd483ff577c310eb63bc9b7537e99fc5e9d169b7c4101416c0ca6 win-x64/node_pdb.7z
0a04298910ac07d7db8d4c03659bf4f552874703f9a980963f670e29a8ac36b6 win-x64/node_pdb.zip
-----BEGIN PGP SIGNATURE-----
iHUEARYIAB0WIQRb6KP2yKXAHRBsCtggsaOQsWjTVgUCac0vegAKCRAgsaOQsWjT
VlHCAQC6K+H0bPBZ59f2+7L0JxbVA5Inl3JSdayCCx32VPkXQQEA0/A1cJGR+FqR
T+d7Z5UkJL2HOohK4ZhiyrdvAfXVngI=
=rCoy
-----END PGP SIGNATURE-----
Facts Only
Node.js 25.9.0 (Current) was released on April 1, 2026, by Antoine du Hamel.
The test runner module mocking system has been updated, consolidating `MockModuleOptions.defaultExport` and `MockModuleOptions.namedExports` into `MockModuleOptions.exports`.
An automated migration tool is available for updating user code to the new mocking system.
New features include `using` scopes for `AsyncLocalStorage`, a `--max-heap-size` CLI option, and TurboSHAKE and KangarooTwelve Web Cryptography algorithms.
The REPL now supports customizable error handling and has removed its dependency on the `node:domain` module.
Single Executable Applications (SEA) now support code cache for ESM entry points.
Performance improvements have been made in Buffer operations, EC JWK imports, and ArrayBufferView handling.
Dependencies have been updated, including V8, npm, OpenSSL, and various libraries like simdjson and sqlite.
The release includes bug fixes for issues in modules such as crypto, stream, and zlib.
Downloads are available for Windows (x64, ARM64), macOS (Intel, Apple Silicon), Linux (x64, ARM64, PPC LE, s390x), and AIX (PPC64).
SHA256 checksums and PGP signatures are provided for verification of release files.
Executive Summary
Node.js 25.9.0 (Current) has been released, introducing several notable changes and improvements. The test runner module mocking system has been streamlined, consolidating `MockModuleOptions.defaultExport` and `MockModuleOptions.namedExports` into a single `MockModuleOptions.exports` option, with an automated migration tool available for users. Other key updates include the addition of `using` scopes to `AsyncLocalStorage`, a new `--max-heap-size` CLI option, and support for TurboSHAKE and KangarooTwelve Web Cryptography algorithms. The REPL now features customizable error handling and no longer depends on the `node:domain` module. Additionally, the release includes performance improvements, dependency updates, and various bug fixes across modules like crypto, stream, and zlib. The release is available for multiple platforms, including Windows, macOS, Linux, and AIX, with download links and checksums provided for verification.
The changes reflect ongoing efforts to enhance Node.js functionality, security, and performance while maintaining backward compatibility where possible. The release notes highlight contributions from multiple developers and the Node.js community, emphasizing collaborative development and transparency in the update process.
Full Take
This Node.js release reflects a mature open-source project balancing innovation with stability. The consolidation of mocking options and automated migration tools demonstrate a user-centric approach, reducing friction for developers while maintaining functionality. The addition of experimental features like TurboSHAKE and stream/iter implementations signals Node.js's commitment to staying at the forefront of web cryptography and performance optimization.
The pattern of incremental, well-documented changes suggests a healthy development culture prioritizing backward compatibility and community collaboration. The explicit deprecation of `module.register()` (DEP0205) and removal of `node:domain` dependency in the REPL indicate thoughtful technical debt management. However, the sheer volume of changes—spanning crypto algorithms, REPL behavior, and memory management—could overwhelm casual users who may struggle to identify which updates are relevant to their workflows.
Root cause analysis reveals a project navigating the tension between cutting-edge features and enterprise stability. The inclusion of both performance optimizations (like stack allocation in latin1 path handling) and new cryptographic standards suggests Node.js is serving diverse constituencies—from security-conscious applications to high-throughput services. The automated migration tool for mocking changes is particularly noteworthy as it embodies the project's ethos of not leaving users behind during API evolution.
Implications for human agency include empowering developers with more granular control over memory usage (`--max-heap-size`) and error handling, while the cryptographic updates enhance security agency in an era of increasing cyber threats. The second-order consequence may be fragmentation, as teams adopt different subsets of these features at varying paces.
Bridge questions worth considering: How might these cryptographic additions interact with existing security audit tools? What trade-offs exist between the new REPL error handling and debugging workflows? Would a more curated "highlight reel" of changes better serve the majority of Node.js users?
Counterstrike scan: If this were an influence campaign, the playbook would emphasize the "cutting-edge" nature of changes while downplaying breaking changes. The actual content avoids this by clearly labeling deprecations and providing migration tools, suggesting genuine technical transparency rather than manipulative framing. The comprehensive changelog and multiple contributor attributions further indicate organic community development rather than coordinated messaging.
Patterns detected: none