Expose security levels #56601

Closed
wants to merge 4 commits into from

mhdawson
Member

No description provided.

@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/crypto

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. labels Jan 14, 2025
@mhdawson
Member Author

Run which tests on the different OpenSSL versions - https://ci.nodejs.org/job/node-test-commit-linux-containered/48401/

All passed, so I think that confirms it is working correctly.

In terms of testing I don't think we can change the default except at compile time, and I also think comparing against a specific version could cause problems for the shared library testing.

I can add a test that just calls the method and makes sure it is within the range documented which is currently 1-5. Does that make sense to people?


codecov bot commented Jan 15, 2025

Codecov Report

Attention: Patch coverage is 70.58824% with 5 lines in your changes missing coverage. Please review.

Project coverage is 89.22%. Comparing base (50d405a) to head (c68d14d).
Report is 6 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| src/crypto/crypto_util.cc | 66.66% | 2 Missing and 3 partials ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main   #56601      +/-   ##
==========================================
- Coverage   89.22%   89.22%   -0.01%     
==========================================
  Files         663      663              
  Lines      191974   191991      +17     
  Branches    36926    36925       -1     
==========================================
+ Hits       171286   171295       +9     
- Misses      13561    13569       +8     
  Partials     7127     7127              
| Files with missing lines | Coverage Δ |
|---|---|
| lib/internal/crypto/util.js | 93.08% <100.00%> (+0.02%) ⬆️ |
| src/crypto/crypto_util.cc | 71.25% <66.66%> (+0.07%) ⬆️ |

... and 21 files with indirect coverage changes

@mhdawson
Member Author

> Yes, the values mean different things for different OpenSSL versions.

@richardlau what are the differences in meaning between the openssl levels?

They all seem to say 80, 112, 128, 192 and 256 bits in terms of what the security levels map to. The default level might be different but that is what the API exposes.

@mhdawson
Member Author

Added the test since I had it ready to go.

@mhdawson
Member Author

In terms of doc `Returns: {number} The [default OpenSSL security level][].` is a link to the description of the security levels.

@mhdawson
Member Author

The main question though is if it should just be a private method. If that seems to be the consensus, are there suggestions of where I should best add it?

@richardlau
Member

richardlau commented Jan 15, 2025

> > Yes, the values mean different things for different OpenSSL versions.
>
> @richardlau what are the differences in meaning between the openssl levels?

For example, compare the Level 1 description for OpenSSL 3.0:

> The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. All export cipher suites are prohibited since they all offer less than 80 bits of security. SSL version 2 is prohibited. Any cipher suite using MD5 for the MAC is also prohibited. Note that signatures using SHA1 and MD5 are also forbidden at this level as they have less than 80 security bits.

to OpenSSL 3.4 (emphasis is added by me):

> The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. Any cipher suite using MD5 for the MAC is also prohibited. Any cipher suites using CCM with a 64 bit authentication tag are prohibited. Note that signatures using SHA1 and MD5 are also forbidden at this level as they have less than 80 security bits. Additionally, SSLv3, TLS 1.0, TLS 1.1 and DTLS 1.0 are all disabled at this level.

OpenSSL 3.4 adds disabling SSLv3, TLS 1.0, TLS 1.1 and DTLS 1.0 at Level 1. In OpenSSL 3.0, SSLv3 is disabled at Level 2, TLS 1.0 at Level 3 and TLS 1.1 at Level 4. Also the OpenSSL 3.4 mentions "Any cipher suites using CCM with a 64 bit authentication tag are prohibited", which is not present in the description for OpenSSL 3.0.

@mhdawson
Member Author

Looks like failures were due to changes landed since I rebased yesterday.

@mhdawson
Member Author

@richardlau thanks for pointing out the specific differences. Seems odd that they would change what a security level means but some of those do seem like functional changes.

@mhdawson mhdawson force-pushed the expose_security_levels branch from b5c2a44 to 3f76985 Compare January 15, 2025 23:08
@mhdawson
Member Author

mhdawson commented Jan 15, 2025

@jasnell I think I addressed your comments as well as moving the method so it is internal only.

In terms of boringssl one remaining question I had was how version numbers are reported in process.versions when boringssl is used because the existing checks:

```js
const hasOpenSSL = (major = 0, minor = 0, patch = 0) => {
  if (!hasCrypto) return false;
  if (OPENSSL_VERSION_NUMBER === undefined) {
    const regexp = /(?<m>\d+)\.(?<n>\d+)\.(?<p>\d+)/;
    const { m, n, p } = process.versions.openssl.match(regexp).groups;
    OPENSSL_VERSION_NUMBER = opensslVersionNumber(m, n, p);
  }
  return OPENSSL_VERSION_NUMBER >= opensslVersionNumber(major, minor, patch);
};
```

Only seem to consider openSSL, unless process.versions still look like OpenSSL is being used even though it's boringssl under the covers. Do you know how the versions are reported when boringssl is used?

@mhdawson mhdawson added the request-ci Add this label to start a Jenkins CI on a PR. label Jan 20, 2025
@mhdawson
Member Author

@richardlau are you ok with the PR after the latest updates?

@jasnell
Member

jasnell commented Jan 20, 2025

@mhdawson .... I'm not sure how boringssl is represented in process.versions. This might be helpful https://github.com/search?q=repo%3Aelectron%2Felectron+%22process.versions%22+%22boringssl%22&type=code

@mhdawson
Member Author

@jasnell, it looks like that means that if BoringSSL is used then process.versions.openssl is not defined. In that case none of the existing checks being moved over to the check against the security level should help/hurt the BoringSSL case.
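
An added example, not part of the thread and not code from the PR or from Node.js: it combines the two points discussed above, a version parse that returns `null` instead of throwing when `process.versions.openssl` is absent, and a check of whether a legacy protocol is disabled at a given security level according to the OpenSSL 3.0 and 3.4 descriptions compared earlier. All function names are hypothetical, the level is supplied by the caller, and release lines the thread does not describe yield `null`.

```javascript
// Added example: not code from the PR or from Node.js. All names are hypothetical.

// Minimum security bits for levels 1-5, as listed in the thread.
const SECURITY_BITS = { 1: 80, 2: 112, 3: 128, 4: 192, 5: 256 };

// Lowest level at which each protocol is disabled, transcribed from the
// comparison of the OpenSSL 3.0 and 3.4 documentation in the thread.
// Release lines the thread does not cover are deliberately absent.
const DISABLED_FROM_LEVEL = {
  '3.0': { 'SSLv3': 2, 'TLSv1': 3, 'TLSv1.1': 4 },
  '3.4': { 'SSLv3': 1, 'TLSv1': 1, 'TLSv1.1': 1, 'DTLSv1': 1 },
};

// Parse a process.versions-shaped object. Returns null when the `openssl`
// key is missing (the BoringSSL case as read in the thread) or malformed,
// rather than throwing on `undefined.match(...)`.
function parseOpenSSLVersion(versions) {
  const raw = versions?.openssl;
  if (typeof raw !== 'string') return null;
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(raw);
  if (m === null) return null;
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]) };
}

// Version gate that answers false, instead of crashing, when no OpenSSL
// version is reported.
function hasOpenSSLAtLeast(versions, major = 0, minor = 0, patch = 0) {
  const v = parseOpenSSLVersion(versions);
  if (v === null) return false;
  const have = [v.major, v.minor, v.patch];
  const want = [major, minor, patch];
  for (let i = 0; i < 3; i++) {
    if (have[i] !== want[i]) return have[i] > want[i];
  }
  return true;
}

// true  -> the documentation says the protocol is disabled at this level
// false -> the documentation says it is still permitted at this level
// null  -> cannot be answered from the two documented release lines
function protocolDisabledAtLevel(versions, level, protocol) {
  if (!Number.isInteger(level) || !Object.hasOwn(SECURITY_BITS, level)) {
    return null; // the thread cites 1-5 as the documented range
  }
  const v = parseOpenSSLVersion(versions);
  if (v === null) return null;
  const table = DISABLED_FROM_LEVEL[`${v.major}.${v.minor}`];
  if (table === undefined || !Object.hasOwn(table, protocol)) return null;
  return level >= table[protocol];
}

// Constructed inputs shaped like process.versions (not captured from real builds).
const samples = [
  [{ openssl: '3.0.15+quic' }, 1],
  [{ openssl: '3.4.0' }, 1],
  [{ openssl: '3.2.1' }, 2],
  [{}, 1], // no `openssl` key reported
];
for (const [versions, level] of samples) {
  console.log(
    versions,
    `level ${level} (${SECURITY_BITS[level]} bits)`,
    'TLSv1 disabled:',
    protocolDisabledAtLevel(versions, level, 'TLSv1'),
  );
}
```

A test that expects a TLS 1.0 handshake to be rejected can branch on the `true`/`false` result and skip when the answer is `null`.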

@jasnell
Member

jasnell commented Jan 20, 2025

I would confirm that with the electron team before progressing. @codebytere

@mhdawson mhdawson added the request-ci Add this label to start a Jenkins CI on a PR. label Jan 22, 2025

@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jan 22, 2025

@mhdawson
Member Author

Test that failed in first run is already marked as flaky, resuming.


mhdawson and others added 3 commits January 27, 2025 20:16
Distros may compile with a different openssl security level than the
default. In addition there has been some discussion with respect
to shipping with a different default security level in
different Node.js versions in order to maintain stability. Exposing the
default openssl security level will let us have tests that work in
these situations as well as allow applications to better cope with
the available crypto algorithms.

- add API to get openssl security level
- modify one test to use security level instead
  of openssl version as an example

Signed-off-by: Michael Dawson <[email protected]>
Signed-off-by: Michael Dawson <[email protected]>
@mhdawson mhdawson force-pushed the expose_security_levels branch from 91d09f8 to 0b49c32 Compare January 27, 2025 20:22
@mhdawson
Member Author

Rebased

@mhdawson mhdawson added the request-ci Add this label to start a Jenkins CI on a PR. label Jan 27, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jan 27, 2025

Signed-off-by: Michael Dawson <[email protected]>
@mhdawson
Member Author

pushed commit to address linter

@mhdawson mhdawson added the request-ci Add this label to start a Jenkins CI on a PR. label Jan 28, 2025
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jan 28, 2025

mhdawson added a commit that referenced this pull request Jan 28, 2025
Distros may compile with a different openssl security level than the
default. In addition there has been some discussion with respect
to shipping with a different default security level in
different Node.js versions in order to maintain stability. Exposing the
default openssl security level will let us have tests that work in
these situations as well as allow applications to better cope with
the available crypto algorithms.

- add API to get openssl security level
- modify one test to use security level instead
  of openssl version as an example

Signed-off-by: Michael Dawson <[email protected]>
PR-URL: #56601
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: Juan José Arboleda <[email protected]>
@mhdawson
Member Author

Landed in f2d2747

@mhdawson mhdawson closed this Jan 28, 2025
targos pushed a commit that referenced this pull request Feb 2, 2025
tmeijn pushed a commit to tmeijn/dotfiles that referenced this pull request Feb 25, 2025
This MR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [node](https://nodejs.org) ([source](https://github.com/nodejs/node)) | minor | `23.7.0` -> `23.8.0` |

MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot).

**Proposed changes to behavior should be submitted there as MRs.**

---

### Release Notes

<details>
<summary>nodejs/node (node)</summary>

### [`v23.8.0`](https://github.com/nodejs/node/releases/tag/v23.8.0): 2025-02-13, Version 23.8.0 (Current), @&#8203;targos

[Compare Source](nodejs/node@v23.7.0...v23.8.0)

##### Notable Changes

##### Support for using system CA certificates store on macOS and Windows

This version adds the `--use-system-ca` command-line flag, which instructs Node.js
to use the trusted CA certificates present in the system store along with
the `--use-bundled-ca`, `--use-openssl-ca` options.

This option is available on macOS and Windows for now.

Contributed by Tim Jacomb in [#&#8203;56599](nodejs/node#56599)
and Joyee Cheung in [#&#8203;56833](nodejs/node#56833).

##### Introduction of the URL Pattern API

An implementation of the [URL Pattern API](https://developer.mozilla.org/en-US/docs/Web/API/URL_Pattern_API)
is now available.

The `URLPattern` constructor is exported from the `node:url` module and will be
available as a global in Node.js 24.

Contributed by Yagiz Nizipli and Daniel Lemire in [#&#8203;56452](nodejs/node#56452).

##### Support for the zstd compression algorithm

Node.js now includes support for the Zstandard (zstd) compression algorithm.
Various APIs have been added to the `node:zlib` module for both compression and decompression
of zstd streams.

Contributed by Jan Krems in [#&#8203;52100](nodejs/node#52100).

##### Node.js thread names

Threads created by the Node.js process are now named to improve the debugging experience.
Worker threads will use the `name` option that can be passed to the `Worker` constructor.

Contributed by Rafael Gonzaga in [#&#8203;56416](nodejs/node#56416).

##### Timezone data has been updated to 2025a

Included changes:

-   Paraguay adopts permanent -03 starting spring 2024.
-   Improve pre-1991 data for the Philippines.

##### Other Notable Changes

-   \[[`39997867cf`](nodejs/node@39997867cf)] - **(SEMVER-MINOR)** **sqlite**: allow returning `ArrayBufferView`s from user-defined functions (René) [#&#8203;56790](nodejs/node#56790)

##### Commits

-   \[[`0ee9c34d63`](nodejs/node@0ee9c34d63)] - **benchmark**: add simple parse and test benchmarks for URLPattern (James M Snell) [#&#8203;56882](nodejs/node#56882)
-   \[[`b3f2045d14`](nodejs/node@b3f2045d14)] - **build**: gyp exclude libm linking on macOS (deepak1556) [#&#8203;56901](nodejs/node#56901)
-   \[[`e0dd9aefd6`](nodejs/node@e0dd9aefd6)] - **build**: remove explicit linker call to libm on macOS (deepak1556) [#&#8203;56901](nodejs/node#56901)
-   \[[`52399da780`](nodejs/node@52399da780)] - **build**: link with Security.framework in GN build (Cheng) [#&#8203;56895](nodejs/node#56895)
-   \[[`582b9221c9`](nodejs/node@582b9221c9)] - **build**: do not put commands in sources variables (Cheng) [#&#8203;56885](nodejs/node#56885)
-   \[[`ea61b956e9`](nodejs/node@ea61b956e9)] - **build**: add double quotes around <(python) (Luigi Pinca) [#&#8203;56826](nodejs/node#56826)
-   \[[`14236ef778`](nodejs/node@14236ef778)] - **build**: add build option suppress_all_error_on_warn (Michael Dawson) [#&#8203;56647](nodejs/node#56647)
-   \[[`dfd3f430f3`](nodejs/node@dfd3f430f3)] - **build,win**: enable ccache (Stefan Stojanovic) [#&#8203;56847](nodejs/node#56847)
-   \[[`3e207bd9ec`](nodejs/node@3e207bd9ec)] - **(SEMVER-MINOR)** **crypto**: support --use-system-ca on Windows (Joyee Cheung) [#&#8203;56833](nodejs/node#56833)
-   \[[`fe2694a992`](nodejs/node@fe2694a992)] - **crypto**: fix X509\* leak in --use-system-ca (Joyee Cheung) [#&#8203;56832](nodejs/node#56832)
-   \[[`60039a2c36`](nodejs/node@60039a2c36)] - **crypto**: add api to get openssl security level (Michael Dawson) [#&#8203;56601](nodejs/node#56601)
-   \[[`39a474f7c0`](nodejs/node@39a474f7c0)] - **(SEMVER-MINOR)** **crypto**: added support for reading certificates from macOS system store (Tim Jacomb) [#&#8203;56599](nodejs/node#56599)
-   \[[`144bee8067`](nodejs/node@144bee8067)] - **deps**: update zlib to 1.3.0.1-motley-788cb3c (Node.js GitHub Bot) [#&#8203;56655](nodejs/node#56655)
-   \[[`7fd39e3a79`](nodejs/node@7fd39e3a79)] - **deps**: update sqlite to 3.49.0 (Node.js GitHub Bot) [#&#8203;56654](nodejs/node#56654)
-   \[[`d698cb5434`](nodejs/node@d698cb5434)] - **deps**: update amaro to 0.3.2 (marco-ippolito) [#&#8203;56916](nodejs/node#56916)
-   \[[`dbd09067c0`](nodejs/node@dbd09067c0)] - **deps**: V8: cherry-pick [`9ab4059`](nodejs/node@9ab40592f697) (Levi Zim) [#&#8203;56781](nodejs/node#56781)
-   \[[`ee33ef3aa6`](nodejs/node@ee33ef3aa6)] - **deps**: update cjs-module-lexer to 2.0.0 (Michael Dawson) [#&#8203;56855](nodejs/node#56855)
-   \[[`c0542557d0`](nodejs/node@c0542557d0)] - **deps**: update timezone to 2025a (Node.js GitHub Bot) [#&#8203;56876](nodejs/node#56876)
-   \[[`d67cb1f9bb`](nodejs/node@d67cb1f9bb)] - **deps**: update simdjson to 3.12.0 (Node.js GitHub Bot) [#&#8203;56874](nodejs/node#56874)
-   \[[`70b04b4314`](nodejs/node@70b04b4314)] - **deps**: update googletest to [`e235eb3`](nodejs/node@e235eb3) (Node.js GitHub Bot) [#&#8203;56873](nodejs/node#56873)
-   \[[`e11cda003f`](nodejs/node@e11cda003f)] - **(SEMVER-MINOR)** **deps**: update ada to v3.0.1 (Yagiz Nizipli) [#&#8203;56452](nodejs/node#56452)
-   \[[`8743ef525d`](nodejs/node@8743ef525d)] - **deps**: update simdjson to 3.11.6 (Node.js GitHub Bot) [#&#8203;56250](nodejs/node#56250)
-   \[[`0f553e5575`](nodejs/node@0f553e5575)] - **deps**: update amaro to 0.3.1 (Node.js GitHub Bot) [#&#8203;56785](nodejs/node#56785)
-   \[[`380a8d8d2f`](nodejs/node@380a8d8d2f)] - **(SEMVER-MINOR)** **deps,tools**: add zstd 1.5.6 (Jan Krems) [#&#8203;52100](nodejs/node#52100)
-   \[[`66898a7c3b`](nodejs/node@66898a7c3b)] - **doc**: update history of stream.Readable.toWeb() (Jimmy Leung) [#&#8203;56928](nodejs/node#56928)
-   \[[`9e29416e12`](nodejs/node@9e29416e12)] - **doc**: make MDN links to global classes more consistent (Antoine du Hamel) [#&#8203;56924](nodejs/node#56924)
-   \[[`6bc270728a`](nodejs/node@6bc270728a)] - **doc**: make MDN links to global classes more consistent in `assert.md` (Antoine du Hamel) [#&#8203;56920](nodejs/node#56920)
-   \[[`00da003171`](nodejs/node@00da003171)] - **doc**: make MDN links to global classes more consistent (Antoine du Hamel) [#&#8203;56923](nodejs/node#56923)
-   \[[`d90198793a`](nodejs/node@d90198793a)] - **doc**: make MDN links to global classes more consistent in `util.md` (Antoine du Hamel) [#&#8203;56922](nodejs/node#56922)
-   \[[`5f4377a759`](nodejs/node@5f4377a759)] - **doc**: make MDN links to global classes more consistent in `buffer.md` (Antoine du Hamel) [#&#8203;56921](nodejs/node#56921)
-   \[[`7353266b50`](nodejs/node@7353266b50)] - **doc**: improve type stripping documentation (Marco Ippolito) [#&#8203;56916](nodejs/node#56916)
-   \[[`888d2acc3a`](nodejs/node@888d2acc3a)] - **doc**: specificy support for erasable ts syntax (Marco Ippolito) [#&#8203;56916](nodejs/node#56916)
-   \[[`3c082d43bc`](nodejs/node@3c082d43bc)] - **doc**: update post sec release process (Rafael Gonzaga) [#&#8203;56907](nodejs/node#56907)
-   \[[`f0bf35d3c5`](nodejs/node@f0bf35d3c5)] - **doc**: update websocket link to avoid linking to self (Chengzhong Wu) [#&#8203;56897](nodejs/node#56897)
-   \[[`373dbb0e6c`](nodejs/node@373dbb0e6c)] - **doc**: mark `--env-file-if-exists` flag as experimental (Juan José) [#&#8203;56893](nodejs/node#56893)
-   \[[`d436888cc8`](nodejs/node@d436888cc8)] - **doc**: fix typo in cjs example of `util.styleText` (Deokjin Kim) [#&#8203;56769](nodejs/node#56769)
-   \[[`91638eeb4a`](nodejs/node@91638eeb4a)] - **doc**: clarify sqlite user-defined function behaviour (René) [#&#8203;56786](nodejs/node#56786)
-   \[[`bab9c4d331`](nodejs/node@bab9c4d331)] - **events**: getMaxListeners detects 0 listeners (Matthew Aitken) [#&#8203;56807](nodejs/node#56807)
-   \[[`ccaf7fe737`](nodejs/node@ccaf7fe737)] - **fs**: make `FileHandle.readableWebStream` always create byte streams (Ian Kerins) [#&#8203;55461](nodejs/node#55461)
-   \[[`974cec7a0a`](nodejs/node@974cec7a0a)] - **http**: be more generational GC friendly (ywave620) [#&#8203;56767](nodejs/node#56767)
-   \[[`be00058712`](nodejs/node@be00058712)] - **inspector**: add Network.Initiator in inspector protocol (Chengzhong Wu) [#&#8203;56805](nodejs/node#56805)
-   \[[`31293a4b09`](nodejs/node@31293a4b09)] - **inspector**: fix GN build (Cheng) [#&#8203;56798](nodejs/node#56798)
-   \[[`91a302356b`](nodejs/node@91a302356b)] - **inspector**: fix StringUtil::CharacterCount for unicodes (Chengzhong Wu) [#&#8203;56788](nodejs/node#56788)
-   \[[`3b305f25f2`](nodejs/node@3b305f25f2)] - **lib**: filter node:quic from builtinModules when flag not used (James M Snell) [#&#8203;56870](nodejs/node#56870)
-   \[[`f06ee4c54a`](nodejs/node@f06ee4c54a)] - **meta**: bump `actions/upload-artifact` from 4.4.3 to 4.6.0 (dependabot\[bot]) [#&#8203;56861](nodejs/node#56861)
-   \[[`d230bc3b3c`](nodejs/node@d230bc3b3c)] - **meta**: bump `actions/setup-node` from 4.1.0 to 4.2.0 (dependabot\[bot]) [#&#8203;56868](nodejs/node#56868)
-   \[[`d4ecfa745e`](nodejs/node@d4ecfa745e)] - **meta**: move one or more collaborators to emeritus (Node.js GitHub Bot) [#&#8203;56889](nodejs/node#56889)
-   \[[`698c56bb94`](nodejs/node@698c56bb94)] - **meta**: add [@&#8203;nodejs/url](https://github.com/nodejs/url) as codeowner (Chengzhong Wu) [#&#8203;56783](nodejs/node#56783)
-   \[[`a274b28857`](nodejs/node@a274b28857)] - **module**: fix require.resolve() crash on non-string paths (Aditi) [#&#8203;56942](nodejs/node#56942)
-   \[[`4e3052aeee`](nodejs/node@4e3052aeee)] - **quic**: fixup errant LocalVector usage (James M Snell) [#&#8203;56564](nodejs/node#56564)
-   \[[`dfc61f7bb7`](nodejs/node@dfc61f7bb7)] - **readline**: fix unresolved promise on abortion (Daniel Venable) [#&#8203;54030](nodejs/node#54030)
-   \[[`9e60501f5e`](nodejs/node@9e60501f5e)] - **sqlite**: fix coverity warnings related to backup() (Colin Ihrig) [#&#8203;56961](nodejs/node#56961)
-   \[[`1913a4aabc`](nodejs/node@1913a4aabc)] - **sqlite**: restore changes from [#&#8203;55373](nodejs/node#55373) (Colin Ihrig) [#&#8203;56908](nodejs/node#56908)
-   \[[`8410c955b7`](nodejs/node@8410c955b7)] - **sqlite**: fix use-after-free in StatementSync due to premature GC (Divy Srivastava) [#&#8203;56840](nodejs/node#56840)
-   \[[`01d732d629`](nodejs/node@01d732d629)] - **sqlite**: handle conflicting SQLite and JS errors (Colin Ihrig) [#&#8203;56787](nodejs/node#56787)
-   \[[`39997867cf`](nodejs/node@39997867cf)] - **(SEMVER-MINOR)** **sqlite**: allow returning `ArrayBufferView`s from user-defined functions (René) [#&#8203;56790](nodejs/node#56790)
-   \[[`8dc637681a`](nodejs/node@8dc637681a)] - **sqlite, test**: expose sqlite online backup api (Edy Silva) [#&#8203;56253](nodejs/node#56253)
-   \[[`cfea53eccc`](nodejs/node@cfea53eccc)] - **src**: use `args.This()` in zlib (Michaël Zasso) [#&#8203;56988](nodejs/node#56988)
-   \[[`6b398d6d0b`](nodejs/node@6b398d6d0b)] - **src**: replace `SplitString` with built-in (Yagiz Nizipli) [#&#8203;54990](nodejs/node#54990)
-   \[[`fbb32e0a08`](nodejs/node@fbb32e0a08)] - **src**: add nullptr handling for `NativeKeyObject` (Burkov Egor) [#&#8203;56900](nodejs/node#56900)
-   \[[`83ff7be9fd`](nodejs/node@83ff7be9fd)] - **src**: disallow copy/move fns/constructors (Yagiz Nizipli) [#&#8203;56811](nodejs/node#56811)
-   \[[`63611d0331`](nodejs/node@63611d0331)] - **src**: add a hard dependency v8\_inspector_headers (Chengzhong Wu) [#&#8203;56805](nodejs/node#56805)
-   \[[`3d957d135c`](nodejs/node@3d957d135c)] - **src**: improve error handling in encoding_binding.cc (James M Snell) [#&#8203;56915](nodejs/node#56915)
-   \[[`9e9ac3ccd8`](nodejs/node@9e9ac3ccd8)] - **src**: avoid copy by using std::views::keys (Yagiz Nizipli) [#&#8203;56080](nodejs/node#56080)
-   \[[`086cdc297a`](nodejs/node@086cdc297a)] - **src**: remove obsolete NoArrayBufferZeroFillScope (James M Snell) [#&#8203;56913](nodejs/node#56913)
-   \[[`915d7aeb37`](nodejs/node@915d7aeb37)] - **src**: set signal inspector io thread name (RafaelGSS) [#&#8203;56416](nodejs/node#56416)
-   \[[`f4b086d29d`](nodejs/node@f4b086d29d)] - **src**: set thread name for main thread and v8 worker (RafaelGSS) [#&#8203;56416](nodejs/node#56416)
-   \[[`3579143630`](nodejs/node@3579143630)] - **src**: set worker thread name using worker.name (RafaelGSS) [#&#8203;56416](nodejs/node#56416)
-   \[[`736ff5de6d`](nodejs/node@736ff5de6d)] - **src**: use a default thread name for inspector (RafaelGSS) [#&#8203;56416](nodejs/node#56416)
-   \[[`be8e2b4d8f`](nodejs/node@be8e2b4d8f)] - **src**: improve error handling in permission.cc (James M Snell) [#&#8203;56904](nodejs/node#56904)
-   \[[`d6cf0911ee`](nodejs/node@d6cf0911ee)] - **src**: improve error handling in node_sqlite (James M Snell) [#&#8203;56891](nodejs/node#56891)
-   \[[`521fed1bac`](nodejs/node@521fed1bac)] - **src**: improve error handling in node_os by removing ToLocalChecked (James M Snell) [#&#8203;56888](nodejs/node#56888)
-   \[[`c9a99df8e7`](nodejs/node@c9a99df8e7)] - **src**: improve error handling in node_url (James M Snell) [#&#8203;56886](nodejs/node#56886)
-   \[[`5c82ef3ace`](nodejs/node@5c82ef3ace)] - **src**: add memory retainer traits for external types (Chengzhong Wu) [#&#8203;56881](nodejs/node#56881)
-   \[[`edb194b2d5`](nodejs/node@edb194b2d5)] - **src**: prevent URLPattern property accessors from crashing on invalid this (James M Snell) [#&#8203;56877](nodejs/node#56877)
-   \[[`9624049414`](nodejs/node@9624049414)] - **src**: pull in more electron boringssl adjustments (James M Snell) [#&#8203;56858](nodejs/node#56858)
-   \[[`f8910e384d`](nodejs/node@f8910e384d)] - **src**: make multiple improvements to node_url_pattern (James M Snell) [#&#8203;56871](nodejs/node#56871)
-   \[[`94a0237b18`](nodejs/node@94a0237b18)] - **src**: clean up some obsolete crypto methods (James M Snell) [#&#8203;56792](nodejs/node#56792)
-   \[[`b240ca67b9`](nodejs/node@b240ca67b9)] - **src**: add check for Bignum in GroupOrderSize (Burkov Egor) [#&#8203;56702](nodejs/node#56702)
-   \[[`45692e9c7c`](nodejs/node@45692e9c7c)] - **src, deps**: port electron's boringssl workarounds (James M Snell) [#&#8203;56812](nodejs/node#56812)
-   \[[`a9d80d43cb`](nodejs/node@a9d80d43cb)] - **(SEMVER-MINOR)** **src, quic**: refine more of the quic implementation (James M Snell) [#&#8203;56328](nodejs/node#56328)
-   \[[`93d0beb6c8`](nodejs/node@93d0beb6c8)] - **src,test**: expand test coverage for urlpattern and fix error (James M Snell) [#&#8203;56878](nodejs/node#56878)
-   \[[`5a9732e1d0`](nodejs/node@5a9732e1d0)] - **test**: improve timeout duration for debugger events (Yagiz Nizipli) [#&#8203;56970](nodejs/node#56970)
-   \[[`60c8fc07ff`](nodejs/node@60c8fc07ff)] - **test**: remove unnecessary syscall to cpuinfo (Yagiz Nizipli) [#&#8203;56968](nodejs/node#56968)
-   \[[`40cdf756e6`](nodejs/node@40cdf756e6)] - **test**: update webstorage wpt (Yagiz Nizipli) [#&#8203;56963](nodejs/node#56963)
-   \[[`de77371a9e`](nodejs/node@de77371a9e)] - **test**: execute shell directly for refresh() (Yagiz Nizipli) [#&#8203;55051](nodejs/node#55051)
-   \[[`f4254b8e70`](nodejs/node@f4254b8e70)] - **test**: automatically sync wpt urlpattern tests (Jonas) [#&#8203;56949](nodejs/node#56949)
-   \[[`a473d3f57a`](nodejs/node@a473d3f57a)] - **test**: update snapshots for amaro v0.3.2 (Marco Ippolito) [#&#8203;56916](nodejs/node#56916)
-   \[[`abca97f7e2`](nodejs/node@abca97f7e2)] - **test**: change jenkins reporter (Carlos Espa) [#&#8203;56808](nodejs/node#56808)
-   \[[`7c9fa11127`](nodejs/node@7c9fa11127)] - **test**: fix race condition in test-child-process-bad-stdio (Colin Ihrig) [#&#8203;56845](nodejs/node#56845)
-   \[[`b8b6e68836`](nodejs/node@b8b6e68836)] - **(SEMVER-MINOR)** **test**: add WPT for URLPattern (Yagiz Nizipli) [#&#8203;56452](nodejs/node#56452)
-   \[[`b6d3d52e20`](nodejs/node@b6d3d52e20)] - **test**: adjust check to use OpenSSL sec level (Michael Dawson) [#&#8203;56819](nodejs/node#56819)
-   \[[`3beac87f92`](nodejs/node@3beac87f92)] - **test**: test-crypto-scrypt.js doesn't need internals (Meghan Denny) [#&#8203;56673](nodejs/node#56673)
-   \[[`3af23a10f3`](nodejs/node@3af23a10f3)] - **test**: set `test-fs-cp` as flaky (Stefan Stojanovic) [#&#8203;56799](nodejs/node#56799)
-   \[[`1146f48f67`](nodejs/node@1146f48f67)] - **test**: search cctest files (Chengzhong Wu) [#&#8203;56791](nodejs/node#56791)
-   \[[`86c199b25a`](nodejs/node@86c199b25a)] - **test**: convert test_encoding_binding.cc to a JS test (Chengzhong Wu) [#&#8203;56791](nodejs/node#56791)
-   \[[`bd5484717c`](nodejs/node@bd5484717c)] - **test**: test-crypto-prime.js doesn't need internals (Meghan Denny) [#&#8203;56675](nodejs/node#56675)
-   \[[`f5f54414e4`](nodejs/node@f5f54414e4)] - **test**: temporary remove resource check from fs read-write (Rafael Gonzaga) [#&#8203;56789](nodejs/node#56789)
-   \[[`c8bd2ba0ad`](nodejs/node@c8bd2ba0ad)] - **test**: mark test-without-async-context-frame flaky on windows (James M Snell) [#&#8203;56753](nodejs/node#56753)
-   \[[`2c2e4a4ae0`](nodejs/node@2c2e4a4ae0)] - **test**: remove unnecessary code (Luigi Pinca) [#&#8203;56784](nodejs/node#56784)
-   \[[`4606a5f79b`](nodejs/node@4606a5f79b)] - **test**: mark `test-esm-loader-hooks-inspect-wait` flaky (Richard Lau) [#&#8203;56803](nodejs/node#56803)
-   \[[`38c77e3462`](nodejs/node@38c77e3462)] - **test**: update WPT for url to [`a23788b`](nodejs/node@a23788b77a) (Node.js GitHub Bot) [#&#8203;56779](nodejs/node#56779)
-   \[[`50ebd5fd31`](nodejs/node@50ebd5fd31)] - **test**: remove duplicate error reporter from ci (Carlos Espa) [#&#8203;56739](nodejs/node#56739)
-   \[[`0c3ae25aec`](nodejs/node@0c3ae25aec)] - **test_runner**: print formatted errors on summary (Pietro Marchini) [#&#8203;56911](nodejs/node#56911)
-   \[[`b5a8a812fb`](nodejs/node@b5a8a812fb)] - **tools**: bump eslint version (dependabot\[bot]) [#&#8203;56869](nodejs/node#56869)
-   \[[`e1f86c1b9d`](nodejs/node@e1f86c1b9d)] - **tools**: remove test-asan/ubsan workflows (Michaël Zasso) [#&#8203;56823](nodejs/node#56823)
-   \[[`405a6678b7`](nodejs/node@405a6678b7)] - **tools**: run macOS test workflow with Xcode 16.1 (Michaël Zasso) [#&#8203;56831](nodejs/node#56831)
-   \[[`16529c130f`](nodejs/node@16529c130f)] - **tools**: update sccache and sccache-action (Michaël Zasso) [#&#8203;56815](nodejs/node#56815)
-   \[[`fe004111ea`](nodejs/node@fe004111ea)] - **tools**: fix license-builder for inspector_protocol (Michaël Zasso) [#&#8203;56814](nodejs/node#56814)
-   \[[`bc97a90176`](nodejs/node@bc97a90176)] - **(SEMVER-MINOR)** **url**: add URLPattern implementation (Yagiz Nizipli) [#&#8203;56452](nodejs/node#56452)
-   \[[`77294d8918`](nodejs/node@77294d8918)] - **util**: enforce shouldColorize in styleText array arg (Marco Ippolito) [#&#8203;56722](nodejs/node#56722)
-   \[[`8e6c191601`](nodejs/node@8e6c191601)] - **zlib**: use modern class syntax for zstd classes (Yagiz Nizipli) [#&#8203;56965](nodejs/node#56965)
-   \[[`a3ca7f37a2`](nodejs/node@a3ca7f37a2)] - **zlib**: make all zstd functions experimental (Yagiz Nizipli) [#&#8203;56964](nodejs/node#56964)
-   \[[`4cc7907738`](nodejs/node@4cc7907738)] - **(SEMVER-MINOR)** **zlib**: add zstd support (Jan Krems) [#&#8203;52100](nodejs/node#52100)

</details>
