[pull] main from nodejs:main

CHANGELOG.md

@@ -41,7 +41,8 @@ release.
 </tr>
 <tr>
   <td valign="top">
-<b><a href="doc/changelogs/CHANGELOG_V25.md#25.8.2">25.8.2</a></b><br/>
+<b><a href="doc/changelogs/CHANGELOG_V25.md#25.9.0">25.9.0</a></b><br/>
+<a href="doc/changelogs/CHANGELOG_V25.md#25.8.2">25.8.2</a><br/>
 <a href="doc/changelogs/CHANGELOG_V25.md#25.8.1">25.8.1</a><br/>
 <a href="doc/changelogs/CHANGELOG_V25.md#25.8.0">25.8.0</a><br/>
 <a href="doc/changelogs/CHANGELOG_V25.md#25.7.0">25.7.0</a><br/>

SECURITY.md

@@ -152,28 +152,33 @@ does not trust is considered a vulnerability:
   the correct use of Node.js APIs.
 * The unavailability of the runtime, including the unbounded degradation of its
   performance.
-* Memory leaks qualify as vulnerabilities when all of the following criteria are met:
-  * The API is being correctly used.
-  * The API doesn't have a warning against its usage in a production environment.
-  * The API is public and documented.
-  * The API is on stable (2.0) status.
-  * The memory leak is significant enough to cause a denial of service quickly
-    or in a context not controlled by the user (for example, HTTP parsing).
-  * The memory leak is directly exploitable by an untrusted source without requiring application mistakes.
-  * The leak cannot be reasonably mitigated through standard operational practices (like process recycling).
-  * The leak occurs deterministically under normal usage patterns rather than edge cases.
-  * The leak occurs at a rate that would cause practical resource exhaustion within a practical timeframe under
-    typical workloads.
-  * The attack demonstrates [asymmetric resource consumption](https://cwe.mitre.org/data/definitions/405.html),
-    where the attacker expends significantly fewer resources than what's required by the server to process the
-    attack. Attacks requiring comparable resources on the attacker's side (which can be mitigated through common
-    practices like rate limiting) may not qualify.
 
 If Node.js loads configuration files or runs code by default (without a
 specific request from the user), and this is not documented, it is considered a
 vulnerability.
 Vulnerabilities related to this case may be fixed by a documentation update.
 
+#### Denial of Service (DoS) vulnerabilities
+
+For a behavior to be considered a DoS vulnerability, the PoC must meet the following criteria:
+
+* The API is being correctly used.
+* The API doesn't have a warning against its usage in a production environment.
+* The API is public and documented. If the API comes from JavaScript, the behavior must be
+  well-defined in the [ECMAScript specification](https://tc39.es/ecma262/).
+* The API has stable (2.0) status.
+* The behavior is significant enough to cause a denial of service quickly
+  or in a context not controlled by the Node.js application developer (for example, HTTP parsing).
+* The behavior is directly exploitable by an untrusted source without requiring application mistakes.
+* The behavior cannot be reasonably mitigated through standard operational practices (like process recycling).
+* The behavior occurs deterministically under normal usage patterns rather than edge cases.
+* The behavior occurs at a rate that would cause practical resource exhaustion within a practical timeframe under
+  typical workloads.
+* The attack demonstrates [asymmetric resource consumption](https://cwe.mitre.org/data/definitions/405.html),
+  where the attacker expends significantly fewer resources than what's required by the server to process the
+  attack. Attacks requiring comparable resources on the attacker's side (which can be mitigated through common
+  practices like rate limiting) may not qualify.
+
 **Node.js does NOT trust**:
 
 * Data received from the remote end of inbound network connections

doc/api/async_context.md

@@ -389,7 +389,7 @@ try {
 ### `asyncLocalStorage.withScope(store)`
 
 <!-- YAML
-added: REPLACEME
+added: v25.9.0
 -->
 
 > Stability: 1 - Experimental
@@ -527,7 +527,7 @@ probably responsible for the context loss.
 ## Class: `RunScope`
 
 <!-- YAML
-added: REPLACEME
+added: v25.9.0
 -->
 
 > Stability: 1 - Experimental
@@ -543,7 +543,7 @@ exits, whether through normal completion or by throwing an error.
 ### `scope.dispose()`
 
 <!-- YAML
-added: REPLACEME
+added: v25.9.0
 -->
 
 Explicitly ends the scope and restores the previous store value. This method

doc/api/cli.md

@@ -1280,7 +1280,7 @@ Enable experimental support for storage inspection
 ### `--experimental-stream-iter`
 
 <!-- YAML
-added: REPLACEME
+added: v25.9.0
 -->
 
 > Stability: 1 - Experimental

doc/api/deprecations.md

@@ -4488,7 +4488,7 @@
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/62453
     description: Runtime deprecation.
-  - version: REPLACEME
+  - version: v25.9.0
     pr-url: https://github.com/nodejs/node/pull/62321
     description: Documentation-only deprecation.
 -->
@@ -4513,7 +4513,7 @@
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/62453
     description: Runtime deprecation.
-  - version: REPLACEME
+  - version: v25.9.0
     pr-url: https://github.com/nodejs/node/pull/62321
     description: Documentation-only deprecation.
 -->
@@ -4528,15 +4528,26 @@
 <!-- YAML
 changes:
   - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/62401
+    description: Runtime deprecation.
+  - version: v25.9.0
     pr-url: https://github.com/nodejs/node/pull/62395
     description: Documentation-only deprecation.
 -->
 
-Type: Documentation-only
+Type: Runtime
 
 [`module.register()`][] is deprecated. Use [`module.registerHooks()`][]
 instead.
 
+The `module.register()` API provides off-thread async hooks for customizing ES modules;
+the `module.registerHooks()` API provides similar hooks that are synchronous, in-thread, and
+work for all types of modules.
+Supporting async hooks has proven to be complex, involving worker threads orchestration, and there are issues
+that have proven unresolveable. See [caveats of asynchronous customization hooks][]. Please migrate to
+`module.registerHooks()` as soon as possible as `module.register()` will be
+removed in a future version of Node.js.
+
 [DEP0142]: #dep0142-repl_builtinlibs
 [NIST SP 800-38D]: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-38d.pdf
 [RFC 6066]: https://tools.ietf.org/html/rfc6066#section-3
@@ -4696,6 +4707,7 @@
 [`zlib.bytesWritten`]: zlib.md#zlibbyteswritten
 [alloc]: buffer.md#static-method-bufferallocsize-fill-encoding
 [alloc_unsafe_size]: buffer.md#static-method-bufferallocunsafesize
+[caveats of asynchronous customization hooks]: module.md#caveats-of-asynchronous-customization-hooks
 [from_arraybuffer]: buffer.md#static-method-bufferfromarraybuffer-byteoffset-length
 [from_string_encoding]: buffer.md#static-method-bufferfromstring-encoding
 [legacy URL API]: url.md#legacy-url-api

doc/api/diagnostics_channel.md

@@ -1858,7 +1858,7 @@ Emitted when [`process.execve()`][] is invoked.
 > Stability: 1 - Experimental
 
 <!-- YAML
-added: REPLACEME
+added: v25.9.0
 -->
 
 These channels are emitted for each [`locks.request()`][] call. See

doc/api/fs.md

@@ -380,7 +380,7 @@ added: v10.0.0
 #### `filehandle.pull([...transforms][, options])`
 
 <!-- YAML
-added: REPLACEME
+added: v25.9.0
 -->
 
 > Stability: 1 - Experimental
@@ -457,7 +457,7 @@ run().catch(console.error);
 #### `filehandle.pullSync([...transforms][, options])`
 
 <!-- YAML
-added: REPLACEME
+added: v25.9.0
 -->
 
 > Stability: 1 - Experimental
@@ -1010,7 +1010,7 @@ the end of the file.
 #### `filehandle.writer([options])`
 
 <!-- YAML
-added: REPLACEME
+added: v25.9.0
 -->
 
 > Stability: 1 - Experimental

doc/api/module.md

@@ -178,12 +178,11 @@
 added:
   - v20.6.0
   - v18.19.0
-deprecated: REPLACEME
+deprecated: v25.9.0
 changes:
   - version: REPLACEME
-    pr-url: https://github.com/nodejs/node/pull/62395
-    description: Documentation-only deprecation (DEP0205). Use
-                 `module.registerHooks()` instead.
+    pr-url: https://github.com/nodejs/node/pull/62401
+    description: Runtime deprecation (DEP0205).
   - version:
     - v23.6.1
     - v22.13.1

doc/api/process.md

@@ -739,7 +739,7 @@ This feature is not available in [`Worker`][] threads.
 ## `process.addUncaughtExceptionCaptureCallback(fn)`
 
 <!-- YAML
-added: REPLACEME
+added: v25.9.0
 -->
 
 > Stability: 1 - Experimental
@@ -4060,7 +4060,7 @@ This implies calling `module.setSourceMapsSupport()` with an option
 <!-- YAML
 added: v9.3.0
 changes:
-  - version: REPLACEME
+  - version: v25.9.0
     pr-url: https://github.com/nodejs/node/pull/61227
     description: Use `process.addUncaughtExceptionCaptureCallback()` to
       register multiple callbacks.

doc/api/quic.md

@@ -1198,7 +1198,7 @@ True to enable TLS keylogging output.
 <!-- YAML
 added: v23.8.0
 changes:
-  - version: REPLACEME
+  - version: v25.9.0
     pr-url: https://github.com/nodejs/node/pull/62335
     description: CryptoKey is no longer accepted.
 -->

doc/api/repl.md

@@ -709,7 +709,7 @@ npx codemod@latest @nodejs/repl-builtin-modules
 <!-- YAML
 added: v0.1.91
 changes:
-  - version: REPLACEME
+  - version: v25.9.0
     pr-url: https://github.com/nodejs/node/pull/62188
     description: The `handleError` parameter has been added.
   - version: v24.1.0