chore(deps): update node.js to v22.18.0

[tradeshift-renovate]

This PR contains the following updates:

Package	Update	Change
node (source)	minor	22.17.0 -> 22.18.0

---

Release Notes

nodejs/node (node)

v22.18.0: 2025-07-31, Version 22.18.0 'Jod' (LTS), @​aduh95

Compare Source

Notable Changes

Type stripping is enabled by default

Node.js will be able to execute TypeScript files without additional configuration:

$ echo 'const foo: string = 'World'; console.log(`Hello ${foo}!`);' > file.ts
$ node file.ts
Hello World!

There are some limitations in the supported syntax documented at
https://nodejs.org/api/typescript.html#type-stripping.

This feature is experimental and is subject to change. Disable it by passing
--no-experimental-strip-types CLI flag.

Contributed by Marco Ippolito in #​56350.

Other notable changes

• [26f3711228] - (SEMVER-MINOR) deps: update amaro to 1.1.0 (Node.js GitHub Bot) #​56350
• [d80ef2a71f] - (SEMVER-MINOR) doc: add all watch-mode related flags to node.1 (Dario Piotrowicz) #​58719
• [8ab24d21c9] - doc: add islandryu to collaborators (Shima Ryuhei) #​58714
• [430e66b9b8] - (SEMVER-MINOR) esm: implement import.meta.main (Joe) #​57804
• [62f7926b6a] - (SEMVER-MINOR) fs: allow correct handling of burst in fs-events with AsyncIterator (Philipp Dunkel) #​58490
• [65f19a00c3] - (SEMVER-MINOR) permission: propagate permission model flags on spawn (Rafael Gonzaga) #​58853
• [ccca1517f9] - (SEMVER-MINOR) sqlite: add support for readBigInts option in db connection level (Miguel Marcondes Filho) #​58697
• [48003e87e8] - (SEMVER-MINOR) src,permission: add support to permission.has(addon) (Rafael Gonzaga) #​58951
• [fe4290a0e6] - (SEMVER-MINOR) url: add fileURLToPathBuffer API (James M Snell) #​58700
• [4dc6b4c67a] - (SEMVER-MINOR) watch: add --watch-kill-signal flag (Dario Piotrowicz) #​58719
• [8dbc6b210f] - (SEMVER-MINOR) worker: make Worker async disposable (James M Snell) #​58385

Commits

• [b19ffebea7] - assert: remove dead code (Yoshiya Hinosawa) #​58760
• [5bc828beae] - benchmark: add source map and source map cache (Miguel Marcondes Filho) #​58125
• [f7c16985a7] - build: disable v8_enable_pointer_compression_shared_cage on non-64bit (Shelley Vohr) #​58867
• [ba42c72f7f] - build: option to use custom inspector_protocol path (Shelley Vohr) #​58839
• [4fd8911653] - build: fix typo 'Stoage' to 'Storage' in help text (ganglike) #​58777
• [114cd95919] - crypto: fix inclusion of OPENSSL_IS_BORINGSSL define (Shelley Vohr) #​58845
• [6699c75eac] - crypto: fix SHAKE128/256 breaking change introduced with OpenSSL 3.4 (Filip Skokan) #​58942
• [f99aa748c0] - deps: upgrade npm to 10.9.3 (npm team) #​58847
• [02e971190b] - deps: update sqlite to 3.50.2 (Node.js GitHub Bot) #​58882
• [de2b85b5ae] - deps: update googletest to 35b75a2 (Node.js GitHub Bot) #​58710
• [e7591d7a19] - deps: update minimatch to 10.0.3 (Node.js GitHub Bot) #​58712
• [8c61b96c43] - deps: update acorn to 8.15.0 (Node.js GitHub Bot) #​58711
• [113f4e2d3c] - deps: update sqlite to 3.50.1 (Node.js GitHub Bot) #​58630
• [7ccd848995] - deps: update simdjson to 3.13.0 (Node.js GitHub Bot) #​58629
• [e9c51deb5c] - deps: update zlib to 1.3.1-470d3a2 (Node.js GitHub Bot) #​58628
• [26f3711228] - (SEMVER-MINOR) deps: update amaro to 1.1.0 (Node.js GitHub Bot) #​56350
• [752dde182f] - (SEMVER-MINOR) deps: update amaro to 1.0.0 (Node.js GitHub Bot) #​56350
• [258534d0dc] - (SEMVER-MINOR) deps: update amaro to 0.5.3 (Node.js GitHub Bot) #​56350
• [7fcf675503] - (SEMVER-MINOR) deps: update amaro to 0.5.2 (Node.js GitHub Bot) #​56350
• [81a10a67d5] - (SEMVER-MINOR) deps: update amaro to 0.5.1 (Marco Ippolito) #​56350
• [25f8682a62] - (SEMVER-MINOR) deps: update amaro to 0.5.0 (nodejs-github-bot) #​56350
• [4baf2167e7] - dns: fix parse memory leaky (theanarkh) #​58973
• [e8f4a7df22] - dns: set timeout to 1000ms when timeout < 0 (theanarkh) #​58441
• [1e373a0a25] - doc: update release key for aduh95 (Antoine du Hamel) #​58877
• [d5c104246f] - doc: remove broken link to permission model source code (Juan José) #​58972
• [b8885a25ff] - doc: clarify details of TSC public and private meetings (James M Snell) #​58925
• [aa05823b37] - doc: mark stability markers consistent in globals.md (Antoine du Hamel) #​58932
• [3856aee9b2] - doc: move "Core Promise APIs" to "Completed initiatives" (Antoine du Hamel) #​58934
• [c2f9735422] - doc: fix fetch subsections in globals.md (Antoine du Hamel) #​58933
• [5f4c7a9d2d] - doc: add missing Class: mentions (Antoine du Hamel) #​58931
• [88ee38b37c] - doc: remove myself from security steward rotation (Michael Dawson) #​58927
• [02031a9b0d] - doc: add ovflowd back to core collaborators (Claudio W.) #​58911
• [9551fa3c8f] - doc: update email address for Richard Lau (Richard Lau) #​58910
• [cd6bc982c0] - doc: update vm doc links (Chengzhong Wu) #​58885
• [ce49303cd0] - doc: add missing comma in child_process.md (ronijames008) #​58862
• [d80ef2a71f] - (SEMVER-MINOR) doc: add all watch-mode related flags to node.1 (Dario Piotrowicz) #​58719
• [f8fcb1c83a] - doc: fix jsdoc definition of assert.ifError() fn in lib/assert.js (jesh) #​58573
• [28fddc04ca] - doc: add array type in http request headers (Michael Henrique) #​58049
• [8bd698b688] - doc: add missing colon to headers in globals.md (Aviv Keller) #​58825
• [fa5818e3c1] - doc: fix stream.md section order (Antoine du Hamel) #​58811
• [2384bfdcbd] - doc: fix stability 1.x links excluding the decimal digit (Dario Piotrowicz) #​58783
• [4e9fe670c9] - doc: fix wrong RFC number in http2 (Deokjin Kim) #​58753
• [bbe4ad7351] - doc: add history entry for TS support in hooks (Antoine du Hamel) #​58732
• [ec60473ab1] - doc: run license-builder (github-actions[bot]) #​58722
• [8ab24d21c9] - doc: add islandryu to collaborators (Shima Ryuhei) #​58714
• [8c641105cd] - doc: punctuation fix for Node-API versioning clarification (Jiacai Liu) #​58599
• [133b10a0bb] - doc: add path rules and validation for export targets in package.json (0hm:shamrock:) #​58604
• [354a68c460] - doc: add history entries to --input-type section (Antoine du Hamel) #​56350
• [430e66b9b8] - (SEMVER-MINOR) esm: implement import.meta.main (Joe) #​57804
• [42c4ca6024] - esm: syncify default path of ModuleLoader.load (Jacob Smith) #​57419
• [3ac8c686a3] - esm: unwrap WebAssembly.Global on Wasm Namespaces (Guy Bedford) #​57525
• [c7ebf2e245] - fs: close dir before throwing if options.bufferSize is invalid (Livia Medeiros) #​58856
• [38ffed8744] - fs: special input -1 on chown, lchown and fchown (Alex Yang) #​58836
• [0e82f72a46] - fs: throw ERR_INVALID_THIS on illegal invocations (Livia Medeiros) #​58848
• [141b2b1954] - fs: make Dir disposers idempotent (René) #​58692
• [dedd9d1961] - fs: avoid computing time coefficient constants in runtime (Livia Medeiros) #​58728
• [a029a06b49] - fs: add UV_ENOSPC to list of things to pass to err directly (Jacky Zhao) #​56918
• [62f7926b6a] - (SEMVER-MINOR) fs: allow correct handling of burst in fs-events with AsyncIterator (Philipp Dunkel) #​58490
• [927d2e77f3] - http: fix keep-alive not timing out after post-request empty line (Shima Ryuhei) #​58178
• [5cd8145612] - http2: add diagnostics channel 'http2.server.stream.close' (Darshan Sen) #​58602
• [0f2b31cba4] - inspector: add protocol methods retrieving sent/received data (Chengzhong Wu) #​58645
• [79428d8946] - lib: fix getTypeScriptParsingMode jsdoc (沈鸿飞) #​58681
• [2c205d857c] - lib: rename validateInternalField into validateThisInternalField (LiviaMedeiros) #​58765
• [f67e927a5f] - lib: make validateInternalField() throw ERR_INVALID_THIS (LiviaMedeiros) #​58765
• [914701d4f8] - lib,src: support DOMException ser-des (Chengzhong Wu) #​58649
• [12a75dca8b] - meta: bump step-security/harden-runner from 2.12.0 to 2.12.2 (dependabot[bot]) #​58923
• [0d56fec6f0] - meta: bump github/codeql-action from 3.28.18 to 3.29.2 (dependabot[bot]) #​58922
• [7f4f6e0409] - meta: add IlyasShabi to collaborators (Ilyas Shabi) #​58916
• [50b62c9663] - meta: add @​nodejs/inspector as codeowner (Chengzhong Wu) #​58790
• [2fc89892ab] - module: fix typescript import.meta.main (Marco Ippolito) #​58661
• [bfc68c8ae8] - module: convert schema-only core module on convertCJSFilenameToURL (Alex Yang) #​58612
• [54634f5e53] - module: update tests for combined ambiguous module syntax error (Mert Can Altin) #​55874
• [10eb3db4af] - module: allow cycles in require() in the CJS handling in ESM loader (Joyee Cheung) #​58598
• [fe7994eb0c] - module: improve typescript error message format (Marco Ippolito) #​56350
• [c898491017] - (SEMVER-MINOR) module: remove experimental warning from type stripping (Marco Ippolito) #​56350
• [c07745a436] - module: refactor commonjs typescript loader (Marco Ippolito) #​56350
• [8d1f5df313] - (SEMVER-MINOR) module: unflag --experimental-strip-types (Marco Ippolito) #​56350
• [a8a1c9a960] - os: fix GetInterfaceAddresses memory lieaky (theanarkh) #​58940
• [65f19a00c3] - (SEMVER-MINOR) permission: propagate permission model flags on spawn (Rafael Gonzaga) #​58853
• [f0a165d89f] - repl: fix eval errors thrown after close throwing ERR_USE_AFTER_CLOSE (Dario Piotrowicz) #​58791
• [9ef1cd1607] - repl: avoid deprecated require.extensions in tab completion (baki gul) #​58653
• [22a4c60e08] - repl: fix tab completion not working with computer string properties (Dario Piotrowicz) #​58709
• [ccca1517f9] - (SEMVER-MINOR) sqlite: add support for readBigInts option in db connection level (Miguel Marcondes Filho) #​58697
• [690525881e] - src: simplify adding fast APIs to ExternalReferenceRegistry (René) #​58896
• [a381b4d990] - src: remove fast API for InternalModuleStat (Joyee Cheung) #​58489
• [390654e996] - src: fix internalModuleStat v8 fast path (Yagiz Nizipli) #​58054
• [b722647572] - src: fix -Wunreachable-code in src/node_api.cc (Shelley Vohr) #​58901
• [6d1fe67f56] - src: -Wunreachable-code error in crypto_context.cc (Shelley Vohr) #​58901
• [2d8e65c6db] - src: fix -Wunreachable-code-return in src/node_contextify.cc (Shelley Vohr) #​58901
• [e07adb3b18] - src: cleanup uv_fs_req before uv_fs_stat on existSync (RafaelGSS) #​58915
• [6b30c0a511] - src: -Wmismatched-new-delete in debug_utils.cc (Shelley Vohr) #​58844
• [74ef07f2e7] - src: add FromV8Value<T>() for integral and enum types (Aditi) #​57931
• [28bf6ed87d] - src: pass resource on permission checks for spawn (Rafael Gonzaga) #​58758
• [daf65d479b] - src: replace std::array with static arrays in contextify (Mert Can Altin) #​58580
• [9cb671fdb1] - src: add new CopyUtimes function to reduce code duplication (Dario Piotrowicz) #​58625
• [e515eb861c] - src: replace V8 Fast API todo comment with note comment (Dario Piotrowicz) #​58614
• [48003e87e8] - (SEMVER-MINOR) src,permission: add support to permission.has(addon) (Rafael Gonzaga) #​58951
• [72f75bb976] - src,permission: enhance permission model debug (Rafael Gonzaga) #​58898
• [66fccc252b] - (SEMVER-MINOR) test: add test for async disposable worker thread (James M Snell) #​58385
• [43d2ad8599] - test: deflake test-runner-watch-mode-kill-signal (Dario Piotrowicz) #​58952
• [7c54085698] - test: add known issue tests for recursive readdir calls with Buffer path (Dario Piotrowicz) #​58893
• [cd2a5d9a51] - test: add known issue tests for fs.cp (James M Snell) #​58883
• [26072a7953] - test: add tests to ensure that node.1 is kept in sync with cli.md (Dario Piotrowicz) #​58878
• [3fd187f559] - test: replace .filter()[0] with .find() (Livia Medeiros) #​58872
• [0d538abb15] - test: remove reliance on in-tree deps/undici (Richard Lau) #​58866
• [e24dede403] - test: close dirs in fs-opendir test (Livia Medeiros) #​58855
• [ac6b8222e6] - test: correct SIMD support comment (Richard Lau) #​58767
• [9d3e451181] - test: add tests for REPL custom evals (Dario Piotrowicz) #​57850
• [17a3246718] - test: reduce the use of private symbols in test-events-once.js (Yoshiya Hinosawa) #​58685
• [bbf33efcd0] - test: use common.skipIfInspectorDisabled() to skip tests (Dario Piotrowicz) #​58675
• [d6660baff7] - test: update WPT for dom/abort to dc92816 (Node.js GitHub Bot) #​58644
• [6d9d5deb44] - test: split indirect eval import tests (Chengzhong Wu) #​58637
• [abd5b5fd20] - test: deflake async-hooks/test-improper-order on AIX (Baki Gul) #​58567
• [3fc630e7cf] - test: close FileHandle objects in tests explicitly (James M Snell) #​58615
• [7f0560dc4b] - test: skip broken sea on rhel8 (Marco Ippolito) #​58914
• [898e68a915] - test: save the config file in a temporary directory (Luigi Pinca) #​58799
• [9f2132a4f6] - test: deflake test-config-file (Luigi Pinca) #​58799
• [f1b74cff9a] - test: skip tests failing when run under root (Livia Medeiros) #​58610
• [4b0ee14a97] - tools: bump the eslint group in /tools/eslint with 6 updates (dependabot[bot]) #​58921
• [a84935fb0e] - tools: update inspector_protocol to 69d69dd (Shelley Vohr) #​58900
• [af805186cd] - tools: update gyp-next to 0.20.2 (Node.js GitHub Bot) #​58788
• [a2d2d36bb1] - tools: make nodedownload module compatible with Python 3.14 (Lumír 'Frenzy' Balhar) #​58752
• [cc8b9aa43d] - tools: include toolchain.gypi in abseil.gyp (Chengzhong Wu) #​58678
• [fbbf49a7d3] - tools: bump brace-expansion in /tools/clang-format (dependabot[bot]) #​58699
• [8db92a41c5] - tools: bump brace-expansion from 1.1.11 to 1.1.12 in /tools/eslint (dependabot[bot]) #​58698
• [3a099cf88f] - tools: switch to @stylistic/eslint-plugin (Michaël Zasso) #​58623
• [9798511e7c] - tools: remove config.status under make distclean (René) #​58603
• [011290a4eb] - tools: edit commit-queue workflow file (Antoine du Hamel) #​58667
• [a7406f56da] - tools: improve release proposal linter (Antoine du Hamel) #​58647
• [c855310f83] - tools,doc: move more MDN links to types (Antoine du Hamel) #​58930
• [805239c824] - typings: add Atomics primordials (Renegade334) #​58577
• [d28b2aa0a2] - typings: add ZSTD_COMPRESS, ZSTD_DECOMPRESS to internalBinding (Meghan Denny) #​58655
• [fe4290a0e6] - (SEMVER-MINOR) url: add fileURLToPathBuffer API (James M Snell) #​58700
• [db648b92c1] - util: inspect: do not crash on an Error stack pointing to itself (Sam Verschueren) #​58196
• [791ecfac14] - v8: fix missing callback in heap utils destroy (Ruben Bridgewater) #​58846
• [4dc6b4c67a] - (SEMVER-MINOR) watch: add --watch-kill-signal flag (Dario Piotrowicz) #​58719
• [8dbc6b210f] - (SEMVER-MINOR) worker: make Worker async disposable (James M Snell) #​58385

v22.17.1: 2025-07-15, Version 22.17.1 'Jod' (LTS), @​RafaelGSS

Compare Source

This is a security release.

Notable Changes

• (CVE-2025-27210) Windows Device Names (CON, PRN, AUX) Bypass Path Traversal Protection in path.normalize()

Commits

• [8cf5d66ab7] - (CVE-2025-27210) lib: handle all windows reserved driver name (RafaelGSS) nodejs-private/node-private#721
• [9c0cb487ec] - win,build: fix MSVS v17.14 compilation issue (StefanStojanovic) #​58902

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - "every weekday in 2125" in timezone Europe/Copenhagen.

🚦 Automerge: Enabled.

♻️ Rebasing: Never, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[ts-sonarqube]

Quality Gate passed

Issues

• 0 New Issues
• 0 Fixed Issues
• 0 Accepted Issues

Measures

• 0 Security Hotspots
• No data about coverage (0.00% Estimated after merge)
• No data about duplications (0.00% Estimated after merge)

Project ID: actions-coverage-upload

View in SonarQube