chore(deps): update node dependencies

[ggrossetie]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
bpmn-js	dependencies	minor	18.12.0 → 18.14.0
esbuild	devDependencies	patch	0.27.3 → 0.27.5
lodash (source)	dependencies	minor	4.17.23 → 4.18.1
mermaid	devDependencies	minor	11.12.3 → 11.14.0
node (source)	volta	patch	24.14.0 → 24.14.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

bpmn-io/bpmn-js (bpmn-js)

v18.14.0

Compare Source

• FEAT: prioritize full word matches in search (bpmn-io/diagram-js#1017)
• FEAT: factor match density into search (bpmn-io/diagram-js#1017)
• CHORE: prioritize later search matches slightly lower (bpmn-io/diagram-js#1017)
• DEPS: update to diagram-js@15.11.0
• DEPS: update to ids@3.0.3

v18.13.2

Compare Source

• FIX: disable grouping in popup menu during search (bpmn-io/diagram-js#1014)
• FIX: correct handling of annotations during sub-process collapse/expand, copy/paste, and remove actions (#​2388)
• FIX: allow undo of pasted sub-process (#​2388, #​2269)
• DEPS: update to diagram-js@15.10.0

v18.13.1

Compare Source

• FIX: correct sequence flow layout for corner boundary events whose target is strictly axis-aligned (#​2270)

v18.13.0

Compare Source

• FEAT: allow to create child elements from the context pad (#​2391)

v18.12.1

Compare Source

• FIX: correctly replace non-interrupting event with an interrupting one (#​2313)

evanw/esbuild (esbuild)

v0.27.5

Compare Source

• Fix for an async generator edge case (#​4401, #​4417)

  Support for transforming async generators into the equivalent state machine was added in version 0.19.0. However, the generated state machine didn't work correctly when polling async generators concurrently, such as in the following code:

  async function* inner() { yield 1; yield 2 }
  async function* outer() { yield* inner() }
  let gen = outer()
  for await (let x of [gen.next(), gen.next()]) console.log(x)

  Previously esbuild's output of the above code behaved incorrectly when async generators were transformed (such as with --supported:async-generator=false). The transformation should be fixed starting with this release.

  This fix was contributed by @​2767mr.

• Fix a regression when metafile is enabled (#​4420, #​4418)

  This release fixes a regression introduced by the previous release. When metafile: true was enabled in esbuild's JavaScript API, builds with build errors were incorrectly throwing an error about an empty JSON string instead of an object containing the build errors.

• Use define semantics for TypeScript parameter properties (#​4421)

  Parameter properties are a TypeScript-specific code generation feature that converts constructor parameters into class fields when they are prefixed by certain keywords. When "useDefineForClassFields": true is present in tsconfig.json, the TypeScript compiler automatically generates class field declarations for parameter properties. Previously esbuild didn't do this, but esbuild will now do this starting with this release:

  // Original code
  class Foo {
    constructor(public x: number) {}
  }
  
  // Old output (with --loader=ts)
  class Foo {
    constructor(x) {
      this.x = x;
    }
  }
  
  // New output (with --loader=ts)
  class Foo {
    constructor(x) {
      this.x = x;
    }
    x;
  }

• Allow es2025 as a target in tsconfig.json (#​4432)

  TypeScript recently added es2025 as a compilation target, so esbuild now supports this in the target field of tsconfig.json files, such as in the following configuration file:

  {
    "compilerOptions": {
      "target": "ES2025"
    }
  }

  As a reminder, the only thing that esbuild uses this field for is determining whether or not to use legacy TypeScript behavior for class fields. You can read more in the documentation.

v0.27.4

Compare Source

• Fix a regression with CSS media queries (#​4395, #​4405, #​4406)

  Version 0.25.11 of esbuild introduced support for parsing media queries. This unintentionally introduced a regression with printing media queries that use the <media-type> and <media-condition-without-or> grammar. Specifically, esbuild was failing to wrap an or clause with parentheses when inside <media-condition-without-or>. This release fixes the regression.

  Here is an example:

  /* Original code */
  @​media only screen and ((min-width: 10px) or (min-height: 10px)) {
    a { color: red }
  }
  
  /* Old output (incorrect) */
  @​media only screen and (min-width: 10px) or (min-height: 10px) {
    a {
      color: red;
    }
  }
  
  /* New output (correct) */
  @​media only screen and ((min-width: 10px) or (min-height: 10px)) {
    a {
      color: red;
    }
  }

• Fix an edge case with the inject feature (#​4407)

  This release fixes an edge case where esbuild's inject feature could not be used with arbitrary module namespace names exported using an export {} from statement with bundling disabled and a target environment where arbitrary module namespace names is unsupported.

  With the fix, the following inject file:

  import jquery from 'jquery';
  export { jquery as 'window.jQuery' };

  Can now always be rewritten as this without esbuild sometimes incorrectly generating an error:

  export { default as 'window.jQuery' } from 'jquery';

• Attempt to improve API handling of huge metafiles (#​4329, #​4415)

  This release contains a few changes that attempt to improve the behavior of esbuild's JavaScript API with huge metafiles (esbuild's name for the build metadata, formatted as a JSON object). The JavaScript API is designed to return the metafile JSON as a JavaScript object in memory, which makes it easy to access from within a JavaScript-based plugin. Multiple people have encountered issues where this API breaks down with a pathologically-large metafile.

  The primary issue is that V8 has an implementation-specific maximum string length, so using the JSON.parse API with large enough strings is impossible. This release will now attempt to use a fallback JavaScript-based JSON parser that operates directly on the UTF8-encoded JSON bytes instead of using JSON.parse when the JSON metafile is too big to fit in a JavaScript string. The new fallback path has not yet been heavily-tested. The metafile will also now be generated with whitespace removed if the bundle is significantly large, which will reduce the size of the metafile JSON slightly.

  However, hitting this case is potentially a sign that something else is wrong. Ideally you wouldn't be building something so enormous that the build metadata can't even fit inside a JavaScript string. You may want to consider optimizing your project, or breaking up your project into multiple parts that are built independently. Another option could potentially be to use esbuild's command-line API instead of its JavaScript API, which is more efficient (although of course then you can't use JavaScript plugins, so it may not be an option).

lodash/lodash (lodash)

v4.18.1

Compare Source

Bugs

Fixes a ReferenceError issue in lodash lodash-es lodash-amd and lodash.template when using the template and fromPairs functions from the modular builds. See #​6167 (comment)

These defects were related to how lodash distributions are built from the main branch using https://github.com/lodash-archive/lodash-cli. When internal dependencies change inside lodash functions, equivalent updates need to be made to a mapping in the lodash-cli. (hey, it was ahead of its time once upon a time!). We know this, but we missed it in the last release. It's the kind of thing that passes in CI, but fails bc the build is not the same thing you tested.

There is no diff on main for this, but you can see the diffs for each of the npm packages on their respective branches:

• lodash: lodash/lodash@4.18.0-npm...4.18.1-npm
• lodash-es: lodash/lodash@4.18.0-es...4.18.1-es
• lodash-amd: lodash/lodash@4.18.0-amd...4.18.1-amd
• lodash.templatelodash/lodash@4.18.0-npm-packages...4.18.1-npm-packages

v4.18.0

Compare Source

v4.18.0

Full Changelog: lodash/lodash@4.17.23...4.18.0

Security

_.unset / _.omit: Fixed prototype pollution via constructor/prototype path traversal (GHSA-f23m-r3pf-42rh, fe8d32e). Previously, array-wrapped path segments and primitive roots could bypass the existing guards, allowing deletion of properties from built-in prototypes. Now constructor and prototype are blocked unconditionally as non-terminal path keys, matching baseSet. Calls that previously returned true and deleted the property now return false and leave the target untouched.

_.template: Fixed code injection via imports keys (GHSA-r5fr-rjxr-66jc, CVE-2026-4800, 879aaa9). Fixes an incomplete patch for CVE-2021-23337. The variable option was validated against reForbiddenIdentifierChars but importsKeys was left unguarded, allowing code injection via the same Function() constructor sink. imports keys containing forbidden identifier characters now throw "Invalid imports option passed into _.template".

Docs

• Add security notice for _.template in threat model and API docs (#​6099)
• Document lower > upper behavior in _.random (#​6115)
• Fix quotes in _.compact jsdoc (#​6090)

lodash.* modular packages

Diff

We have also regenerated and published a select number of the lodash.* modular packages.

These modular packages had fallen out of sync significantly from the minor/patch updates to lodash. Specifically, we have brought the following packages up to parity w/ the latest lodash release because they have had CVEs on them in the past:

• lodash.orderby
• lodash.tonumber
• lodash.trim
• lodash.trimend
• lodash.sortedindexby
• lodash.zipobjectdeep
• lodash.unset
• lodash.omit
• lodash.template

mermaid-js/mermaid (mermaid)

v11.14.0

Compare Source

Thanks to our awesome mermaid community that contributed to this release: @​ashishjain0512, @​tractorjuice, @​autofix-ci[bot], @​aloisklink, @​knsv, @​kibanana, @​chandershekhar22, @​khalil, @​ytatsuno, @​sidharthv96, @​github-actions[bot], @​dripcoding, @​knsv-bot, @​jeroensmink98, @​Alex9583, @​GhassenS, @​omkarht, @​darshanr0107, @​leentaylor, @​lee-treehouse, @​veeceey, @​turntrout, @​Mermaid-Chart, @​BambioGaming, Claude

Releases

@​mermaid-js/examples@​1.2.0

Minor Changes

• #​7526 efe218a - add new TreeView diagram

mermaid@​11.14.0

Minor Changes

• #​7526 efe218a - Add Wardley Maps diagram type (beta)

  Adds Wardley Maps as a new diagram type to Mermaid (available as wardley-beta). Wardley Maps are visual representations of business strategy that help map value chains and component evolution.

  Features:

  • Component positioning with [visibility, evolution] coordinates (OWM format)
  • Anchors for users/customers
  • Multiple link types: dependencies, flows, labeled links
  • Evolution arrows and trend indicators
  • Custom evolution stages with optional dual labels
  • Custom stage widths using @​boundary notation
  • Pipeline components with visibility inheritance
  • Annotations, notes, and visual elements
  • Source strategy markers: build, buy, outsource, market
  • Inertia indicators
  • Theme integration

  Implementation includes parser, D3.js renderer, unit tests, E2E tests, and comprehensive documentation.

• #​7526 efe218a - feat: implement neo look styling for state diagrams

• #​7526 efe218a - feat: implement neo look support for sequence diagrams with drop shadows, and enhanced styling

• #​7526 efe218a - feat: add randomize config option for architecture diagrams, defaulting to false for deterministic layout

• #​7526 efe218a - feat: Add option to change timeline direction

• #​7526 efe218a - Fix duplicate SVG element IDs when rendering multiple diagrams on the same page. Internal element IDs (nodes, edges, markers, clusters) are now prefixed with the diagram's SVG element ID across all diagram types. Custom CSS or JS using exact ID selectors like #arrowhead should use attribute-ending selectors like [id$="-arrowhead"] instead.

• #​7526 efe218a - feat: implement neo look styling for ER diagrams

• #​7526 efe218a - feat: implement neo look styling for requirement diagrams

• #​7526 efe218a - feat: add theme support for data label colour in xy chart

• #​7526 efe218a - feat: implement neo look styling for mindmap diagrams

• #​7526 efe218a - feat: implement neo look for mermaid flowchart diagrams

• #​7526 efe218a - feat: implement neo look and themes for class diagram

• #​7526 efe218a - feat: add showDataLabelOutsideBar option for xy chart

• #​7526 efe218a - feat: implement neo look support for timeline diagram with drop shadows, additoinal redux themes and enhanced styling

• #​7526 efe218a - feat: implement neo look and themes for gitGraph diagram

• #​7526 efe218a - add new TreeView diagram

Patch Changes

• #​7526 efe218a - add link to ishikawa diagram on mermaid.js.org

• #​7526 efe218a - docs: document valid duration token formats in gantt.md

• #​7526 efe218a - fix: ER diagram parsing when using "1" as entity identifier on right side

  The parser was incorrectly tokenizing the second "1" in patterns like a many to 1 1: because the lookahead rule only checked for alphabetic characters after whitespace, not digits. Added a new lookahead pattern "1"(?=\s+[0-9]) to correctly identify the cardinality alias before a numeric entity name.

  Fixes #​7472

• #​7526 efe218a - fix: scope cytoscape label style mapping to edges with labels to prevent console warnings

• #​7526 efe218a - fix: support inline annotation syntax in class diagrams (class Shape <>)

• #​7526 efe218a - fix: Align branch label background with text for multi-line labels in LR GitGraph layout

• #​7526 efe218a - fix: preserve cause hierarchy when ishikawa effect is indented more than causes

• #​7526 efe218a - refactor: remove unused createGraphWithElements function and add regression test for open edge arrowheads

• #​7526 efe218a - fix: Prevent long pie chart titles from being clipped by expanding the viewBox

• #​7526 efe218a - fix: prevent sequence diagram hang when "as" is used without a trailing space in participant declarations

• #​7526 efe218a - fix: warn when style statement targets a non-existent node in flowcharts

• #​7526 efe218a - fix: group state diagram SVG children under single root element

• #​7526 efe218a - fix: Allow :::className syntax inside composite state blocks

• #​7526 efe218a Thanks @​aloisklink, @​BambioGaming! - fix: prevent escaping < and & when htmlLabels: false

• #​7526 efe218a - fix: treemap title and labels use theme-aware colors for dark backgrounds

• Updated dependencies [efe218a]:

  • @​mermaid-js/parser@​1.1.0

@​mermaid-js/parser@​1.1.0

Minor Changes

• #​7526 efe218a - add new TreeView diagram

@​mermaid-js/tiny@​11.14.0

Minor Changes

• #​7526 efe218a - Add Wardley Maps diagram type (beta)

  Adds Wardley Maps as a new diagram type to Mermaid (available as wardley-beta). Wardley Maps are visual representations of business strategy that help map value chains and component evolution.

  Features:

  • Component positioning with [visibility, evolution] coordinates (OWM format)
  • Anchors for users/customers
  • Multiple link types: dependencies, flows, labeled links
  • Evolution arrows and trend indicators
  • Custom evolution stages with optional dual labels
  • Custom stage widths using @​boundary notation
  • Pipeline components with visibility inheritance
  • Annotations, notes, and visual elements
  • Source strategy markers: build, buy, outsource, market
  • Inertia indicators
  • Theme integration

  Implementation includes parser, D3.js renderer, unit tests, E2E tests, and comprehensive documentation.

• #​7526 efe218a - feat: implement neo look styling for state diagrams

• #​7526 efe218a - feat: implement neo look support for sequence diagrams with drop shadows, and enhanced styling

• #​7526 efe218a - feat: add randomize config option for architecture diagrams, defaulting to false for deterministic layout

• #​7526 efe218a - feat: Add option to change timeline direction

• #​7526 efe218a - Fix duplicate SVG element IDs when rendering multiple diagrams on the same page. Internal element IDs (nodes, edges, markers, clusters) are now prefixed with the diagram's SVG element ID across all diagram types. Custom CSS or JS using exact ID selectors like #arrowhead should use attribute-ending selectors like [id$="-arrowhead"] instead.

• #​7526 efe218a - feat: implement neo look styling for ER diagrams

• #​7526 efe218a - feat: implement neo look styling for requirement diagrams

• #​7526 efe218a - feat: add theme support for data label colour in xy chart

• #​7526 efe218a - feat: implement neo look styling for mindmap diagrams

• #​7526 efe218a - feat: implement neo look for mermaid flowchart diagrams

• #​7526 efe218a - feat: implement neo look and themes for class diagram

• #​7526 efe218a - feat: add showDataLabelOutsideBar option for xy chart

• #​7526 efe218a - feat: implement neo look support for timeline diagram with drop shadows, additoinal redux themes and enhanced styling

• #​7526 efe218a - feat: implement neo look and themes for gitGraph diagram

• #​7526 efe218a - add new TreeView diagram

Patch Changes

• #​7526 efe218a - add link to ishikawa diagram on mermaid.js.org

• #​7526 efe218a - docs: document valid duration token formats in gantt.md

• #​7526 efe218a - fix: ER diagram parsing when using "1" as entity identifier on right side

  The parser was incorrectly tokenizing the second "1" in patterns like a many to 1 1: because the lookahead rule only checked for alphabetic characters after whitespace, not digits. Added a new lookahead pattern "1"(?=\s+[0-9]) to correctly identify the cardinality alias before a numeric entity name.

  Fixes #​7472

• #​7526 efe218a - fix: scope cytoscape label style mapping to edges with labels to prevent console warnings

• #​7526 efe218a - fix: support inline annotation syntax in class diagrams (class Shape <>)

• #​7526 efe218a - fix: Align branch label background with text for multi-line labels in LR GitGraph layout

• #​7526 efe218a - fix: preserve cause hierarchy when ishikawa effect is indented more than causes

• #​7526 efe218a - refactor: remove unused createGraphWithElements function and add regression test for open edge arrowheads

• #​7526 efe218a - fix: Prevent long pie chart titles from being clipped by expanding the viewBox

• #​7526 efe218a - fix: prevent sequence diagram hang when "as" is used without a trailing space in participant declarations

• #​7526 efe218a - fix: warn when style statement targets a non-existent node in flowcharts

• #​7526 efe218a - fix: group state diagram SVG children under single root element

• #​7526 efe218a - fix: Allow :::className syntax inside composite state blocks

• #​7526 efe218a Thanks @​aloisklink, @​BambioGaming! - fix: prevent escaping < and & when htmlLabels: false

• #​7526 efe218a - fix: treemap title and labels use theme-aware colors for dark backgrounds

• Updated dependencies [efe218a]:

  • @​mermaid-js/parser@​1.1.0

v11.13.0

Compare Source

Minor Changes

• #​7352 d6db0b0 Thanks @​remcohaszing! - feat: Export the AsyncIconLoader, SyncIconLoader, and IconLoader types.

• #​5932 cdacb0b Thanks @​exoego! - feat: Add venn-beta diagram

• #​6789 73e9849 Thanks @​omkarht! - feat: Add half-arrowheads (solid & stick) and central connection support

• #​7387 acce4db Thanks @​exoego! - feat: Add Ishikawa diagram (ishikawa-beta)

• #​6995 9745f32 Thanks @​darshanr0107! - feat: Deprecate flowchart.htmlLabels in favor of root-level htmlLabels in Mermaid config

• #​5814 2dd29be Thanks @​kairi003! - feat: allow to put notes in namespaces on classDiagram

Patch Changes

• #​7075 96a766d Thanks @​darshanr0107! - fix: Prevent HTML tags from being escaped in sandbox label rendering

• #​6843 32723b2 Thanks @​saurabhg772244! - fix: Support edge animation in hand drawn look

• #​7453 a60e615 Thanks @​darshanr0107! - fix: ER diagram edge label positioning

• #​6989 1a9d45a Thanks @​darshanr0107! - fix: Resolved parsing error where direction TD was not recognized within subgraphs

• #​7178 96ca7c0 Thanks @​omkarht! - fix(treemap): Fixed treemap classDef style application to properly apply user-defined styles

• #​7076 60f6331 Thanks @​darshanr0107! - fix: Correct viewBox casing and make SVGs responsive

• #​7055 fa15ce8 Thanks @​darshanr0107! - fix: Improve participant parsing and prevent recursive loops on invalid syntax

• #​7276 33c7c72 Thanks @​darshanr0107! - fix: respect markdownAutoWrap: false to prevent text auto-wrapping in flowchart markdown labels with htmlLabels enabled.

  Markdown labels with markdownAutoWrap: false, htmlLabels: false set doesn't work
  correctly.

• #​7416 3c069b5 Thanks @​Crafter-Y! - fix: architecture diagram lines should now have the correct length

• #​6995 9745f32 Thanks @​darshanr0107! - fix: Support the htmlLabels Mermaid config value whenever possible

• #​7293 a408b55 Thanks @​darshanr0107! - fix: Prevent browser hang when using multiline accDescr in XY charts

• #​6119 712c1ec Thanks @​NealGooch! - fix: correct block positioning when nested blocks span multiple columns

• #​7424 981a62e Thanks @​knsv! - fix: correct BT orientation arc sweep flags in gitGraph drawArrow()

  Swapped SVG arc sweep-flag values in the BT (bottom-to-top) orientation branches of drawArrow() so curves bend in the correct direction. Affects both rerouting and non-rerouting code paths for merge and non-merge arrows.

  Resolves #​6593

• #​7430 a4bb0b5 Thanks @​knsv! - fix: allow colons in stateDiagram-v2 transition and state description text

• #​7432 b0f9d5b Thanks @​knsv! - fix: derive taskTextDarkColor from doneTaskBkgColor in dark theme for readable done-task text

• #​7456 981fbb8 Thanks @​knsv-bot! - fix(gantt): restore readable outside-text color for done tasks in dark mode

• #​7139 93aa657 Thanks @​omkarht! - revert: restore original hexagon and roundedRect implementations

• #​7136 6bc6617 Thanks @​omkarht! - feat: add alias support for new participant syntax of sequence diagrams

• #​7375 9d0669a Thanks @​kaigritun! - fix(er): recognize '1' cardinality alias before relationship operators

• #​7275 7eed6a1 Thanks @​darshanr0107! - fix: change createLabel to call createText

  This adds support for KaTeX and FontAwesome icons loaded via iconpacks in some
  older labels. There are some small changes in formatting due to standardizing this code.

• #​7265 2000680 Thanks @​omkarht! - fix: prevent unintended opacity on SVG aws icons containing rect elements

• #​7139 b7c66a2 Thanks @​omkarht! - chore: restore original hexagon and roundedRect implementations

• #​7425 f16bfbb Thanks @​knsv! - fix: use rounded right-angle edges for ELK layout

  ELK layout edges now default to rounded curve (right-angle segments with rounded corners) instead of inheriting the global basis default. This fixes ELK edges that were curving instead of routing at right angles (#​7213). Non-ELK layouts are unaffected and keep their existing basis default.

• #​7296 aac86f7 Thanks @​darshanr0107! - fix: Ensure correct edge label rendering for ER and requirement diagrams when flowchart htmlLabels are false

• #​7019 ace0367 Thanks @​darshanr0107! - fix: Mindmap breaking in ELK layout

• #​6984 09b74f1 Thanks @​omkarht! - fix(er-diagram): prevent syntax error when using 'u', numbers, and decimals in node names

• #​7276 33c7c72 Thanks @​darshanr0107! - fix: Restore proper rendering of plain text flowchart labels without auto line-wrapping

  This fix restores backwards compatibility with Mermaid v10 by ensuring that plain text labels in flowcharts are rendered correctly. In Mermaid v11, all labels were incorrectly being treated as markdown by default, which caused issues with text wrapping, multiline breaks, and backwards compatibility.

  What changed:

  • Plain text labels in flowcharts (without markdown syntax) now render as regular text
    • For node labels and edge labels, these will line-wrap automatically. Although this isn't backwards compatible with v10, we think this is a minor change and it's worth keeping to avoid too many changes from diagrams created from v11 onwards.
    • Plain text labels in other diagrams will continue to not line wrap.
  • Plain text labels with \n characters now correctly create line breaks
  • Plain text that looks like markdown (e.g., "1.", "- x") is no longer misinterpreted

  If you want markdown formatting:
  You can still use markdown in your flowchart labels by using the proper markdown syntax. Wrap your markdown text with double quotes and backticks:
  node["`_markdown_ **text**`"]

  Example:

  ```mermaid
  flowchart TD
      plain["Plain text\nwith manual line break"]
      markdown["`This is a **markdown** _label_ that wraps and doesn't replace \n with newlines`"]
  ```

• #​7080 835de00 Thanks @​darshanr0107! - fix: Support ComponentQueue_Ext to prevent parsing error

• #​7310 a9e4c72 Thanks @​darshanr0107! - fix: Allow quoted string labels in architecture-beta diagrams

• #​7052 ff15e51 Thanks @​darshanr0107! - fix: Correct tooltip placement to appear near hovered element

• #​7197 8bfd477 Thanks @​omkarht! - fix: validate dates and tick interval to prevent UI freeze/crash in gantt diagramtype

• #​7099 b136acd Thanks @​darshanr0107! - fix: Mindmap rendering issue when the number of Level 2 nodes exceeds 11

• #​7217 e0317ac Thanks @​omkarht! - fix(gitgraph): pass gitGraphConfig to renderer functions for applying directives properly.

• Updated dependencies [fd3fc50]:

  • @​mermaid-js/parser@​1.0.1

nodejs/node (node)

v24.14.1: 2026-03-24, Version 24.14.1 'Krypton' (LTS), @​RafaelGSS prepared by @​juanarbol

Compare Source

This is a security release.

Notable Changes

• (CVE-2026-21710) use null prototype for headersDistinct/trailersDistinct (Matteo Collina) - High
• (CVE-2026-21637) wrap SNICallback invocation in try/catch (Matteo Collina) - High
• (CVE-2026-21717) test array index hash collision (Joyee Cheung) - Medium
• (CVE-2026-21713) use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) - Medium
• (CVE-2026-21714) handle NGHTTP2_ERR_FLOW_CONTROL error code (RafaelGSS) - Medium
• (CVE-2026-21712) handle url crash on different url formats (RafaelGSS) - Medium
• (CVE-2026-21716) include permission check on lib/fs/promises (RafaelGSS) - Low
• (CVE-2026-21715) add permission check to realpath.native (RafaelGSS) - Low

Commits

• [6fae244080] - (CVE-2026-21717) build,test: test array index hash collision (Joyee Cheung) nodejs-private/node-private#828
• [cc0910c62e] - (CVE-2026-21713) crypto: use timing-safe comparison in Web Cryptography HMAC and KMAC (Filip Skokan) nodejs-private/node-private#822
• [80cb042cf3] - deps: update undici to 7.24.4 (Node.js GitHub Bot) #​62271
• [f5b8667dc2] - deps: update undici to 7.24.3 (Node.js GitHub Bot) #​62233
• [08852637d9] - deps: update undici to 7.22.0 (Node.js GitHub Bot) #​62035
• [61097db9fb] - deps: upgrade npm to 11.11.0 (npm team) #​61994
• [9ac0f9f81e] - deps: upgrade npm to 11.10.1 (npm team) #​61892
• [3dab3c4698] - deps: V8: override depot_tools version (Richard Lau) #​62344
• [87521e99d1] - deps: V8: backport 1361b2a (Joyee Cheung) nodejs-private/node-private#828
• [045013366f] - deps: V8: backport 185f0fe (Joyee Cheung) nodejs-private/node-private#828
• [af22629ea8] - deps: V8: backport 0a8b1cd (snek) nodejs-private/node-private#828
• [380ea72eef] - (CVE-2026-21710) http: use null prototype for headersDistinct/trailersDistinct (Matteo Collina) [nodejs-private/node-private#821](https://redirect.github.com/nodejs-private/node-p

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.