chore(deps): update node.js to v24.7.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
node	stage	minor	24.6.0 -> 24.7.0

---

Release Notes

nodejs/node (node)

v24.7.0: 2025-08-27, Version 24.7.0 (Current), @​targos

Compare Source

Notable Changes

Post-Quantum Cryptography in node:crypto

OpenSSL 3.5 on 24.x kicked off post-quantum cryptography efforts in Node.js by
allowing use of NIST's post-quantum cryptography standards for future-proofing
applications against quantum computing threats. The following post-quantum
algorithms are now available in node:crypto:

• ML-KEM (FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard) through new crypto.encapsulate() and crypto.decapsulate() methods.
• ML-DSA (FIPS 204, Module-Lattice-Based Digital Signature Standard) in the existing crypto.sign() and crypto.verify() methods.

Contributed by Filip Skokan in #​59259 and #​59491.

Modern Algorithms in Web Cryptography API

The second substantial extension to the Web Cryptography API
(globalThis.crypto.subtle) was recently accepted for incubation by WICG.
The following algorithms and methods from this extension are now available in
the Node.js Web Cryptography API implementation:

• AES-OCB
• ChaCha20-Poly1305
• ML-DSA
• ML-KEM
• SHA-3
• SHAKE
• subtle.getPublicKey()
• SubtleCrypto.supports()
• ... with more coming in future releases.

Contributed by Filip Skokan in #​59365, #​59569, #​59461, and #​59539.

Node.js execution argument support in single executable applications

The single executable application configuration now supports additional fields
to specify Node.js execution arguments and control how they can be extended when
the application is run.

• execArgv takes an array of strings for the execution arguments to be used.
• execArgvExtension takes one of the following values:
  • "none": No additional execution arguments are allowed.
  • "cli": Additional execution arguments can be provided via a special command-line flag --node-options="--flag1 --flag2=value" at run time.
  • "env" (default): Additional execution arguments can be provided via the NODE_OPTIONS environment variable at run time.

For example, with the following configuration:

{
  "main": "/path/to/bundled/script.js",
  "output": "/path/to/write/the/generated/blob.blob",
  "execArgv": ["--no-warnings"],
  "execArgvExtension": "cli",
}

If the generated single executable application is named sea, then running:

sea --node-options="--max-old-space-size=4096" user-arg1 user-arg2

Would be equivalent to running:

node --no-warnings --max-old-space-size=4096 /path/to/bundled/script.js user-arg1 user-arg2

Contributed by Joyee Cheung in #​59314 and #​59560.

Root certificates updated to NSS 3.114

Certificates added:

• TrustAsia TLS ECC Root CA
• TrustAsia TLS RSA Root CA
• SwissSign RSA TLS Root CA 2022 - 1

Certificates removed:

• GlobalSign Root CA
• Entrust.net Premium 2048 Secure Server CA
• Baltimore CyberTrust Root
• Comodo AAA Services root
• XRamp Global CA Root
• Go Daddy Class 2 CA
• Starfield Class 2 CA

Other Notable Changes

• [d3afc63c44] - (SEMVER-MINOR) crypto: add argon2() and argon2Sync() methods (Ranieri Althoff) #​50353
• [6ae202fcdf] - (SEMVER-MINOR) http: add Agent.agentKeepAliveTimeoutBuffer option (Haram Jeong) #​59315
• [dafee05358] - (SEMVER-MINOR) http2: add support for raw header arrays in h2Stream.respond() (Tim Perry) #​59455
• [8dc6f5b696] - (SEMVER-MINOR) stream: add brotli support to CompressionStream and DecompressionStream (Matthew Aitken) #​59464

Commits

• [0fa22cbf7c] - benchmark: calibrate config v8/serialize.js (Rafael Gonzaga) #​59586
• [f5ece45b45] - benchmark: reduce readfile-permission-enabled config (Rafael Gonzaga) #​59589
• [8ebd4f4434] - benchmark: calibrate length of util.diff (Rafael Gonzaga) #​59588
• [7dee3ffd14] - benchmark: reflect current OpenSSL in crypto key benchmarks (Filip Skokan) #​59459
• [027b861ca1] - benchmark, test: replace CRLF variable with string literal (Lee Jiho) #​59466
• [89dd770889] - build: do not set -mminimal-toc with clang (Richard Lau) #​59484
• [e13de4542f] - child_process: remove unsafe array iteration (hotpineapple) #​59347
• [89fe63551e] - crypto: load system CA certificates off thread (Joyee Cheung) #​59550
• [152c5ef518] - (SEMVER-MINOR) crypto: add AES-OCB Web Cryptography algorithm (Filip Skokan) #​59539
• [c6c418343d] - crypto: update root certificates to NSS 3.114 (Node.js GitHub Bot) #​59571
• [18a2ee5b6c] - (SEMVER-MINOR) crypto: support ML-KEM in Web Cryptography (Filip Skokan) #​59569
• [72937e5144] - crypto: require HMAC key length with SHA-3 hashes in Web Cryptography (Filip Skokan) #​59567
• [b7383186c7] - crypto: fix subtle.getPublicKey error for secret type key inputs (Filip Skokan) #​59558
• [2d05c046db] - crypto: return cached copies from CryptoKey algorithm and usages getters (Filip Skokan) #​59538
• [207ffbeb07] - crypto: use CryptoKey internal slots in Web Cryptography (Filip Skokan) #​59538
• [4276516781] - crypto: normalize RsaHashedKeyParams publicExponent (Filip Skokan) #​59538
• [14741539a7] - (SEMVER-MINOR) crypto: support ML-KEM, DHKEM, and RSASVE key encapsulation mechanisms (Filip Skokan) #​59491
• [d3afc63c44] - (SEMVER-MINOR) crypto: add argon2() and argon2Sync() methods (Ranieri Althoff) #​50353
• [4fe383e45a] - (SEMVER-MINOR) crypto: support ML-DSA spki/pkcs8 key formats in Web Cryptography (Filip Skokan) #​59365
• [a95386fbf9] - (SEMVER-MINOR) crypto: subject some algorithms in Web Cryptography on BoringSSL absence (Filip Skokan) #​59365
• [3f47a2fb63] - (SEMVER-MINOR) crypto: add ChaCha20-Poly1305 Web Cryptography algorithm (Filip Skokan) #​59365
• [6fcce9058a] - (SEMVER-MINOR) crypto: add subtle.getPublicKey() utility function in Web Cryptography (Filip Skokan) #​59365
• [76cde76429] - (SEMVER-MINOR) crypto: add SHA-3 Web Cryptography digest algorithms (Filip Skokan) #​59365
• [247d017501] - (SEMVER-MINOR) crypto: add SHAKE Web Cryptography digest algorithms (Filip Skokan) #​59365
• [f4fbcca5ce] - (SEMVER-MINOR) crypto: add SubtleCrypto.supports feature detection in Web Cryptography (Filip Skokan) #​59365
• [a55382214f] - (SEMVER-MINOR) crypto: support ML-DSA in Web Cryptography (Filip Skokan) #​59365
• [c38988c860] - crypto: fix EVPKeyCtxPointer::publicCheck() (Tobias Nießen) #​59471
• [61c3bcdc56] - (SEMVER-MINOR) crypto: support ML-KEM KeyObject (Filip Skokan) #​59461
• [0821b446fb] - deps: update undici to 7.14.0 (Node.js GitHub Bot) #​59507
• [b3af17c065] - deps: V8: cherry-pick 7b91e3e (Milad Fa) #​59485
• [9b69baf146] - deps: V8: cherry-pick 59d52e3 (Milad Fa) #​59485
• [b4f202c2f1] - doc: improve sqlite.backup() progress/fulfillment documentation (René) #​59598
• [40b217a2f9] - doc: clarify experimental platform vulnerability policy (Matteo Collina) #​59591
• [cf84fffea5] - doc: link to TypedArray.from() in signature (Aviv Keller) #​59226
• [4bf6ed0bf5] - doc: fix typos in environment_variables.md (PhistucK) #​59536
• [1784c35a49] - doc: add security incident reponse plan (Rafael Gonzaga) #​59470
• [b962560240] - doc: clarify maxRSS unit in process.resourceUsage() (Alex Yang) #​59511
• [e6a6cdb9df] - doc: add missing Zstd strategy constants (RANDRIAMANANTENA Narindra Tiana Annaick) #​59312
• [a6a31cb467] - (SEMVER-MINOR) doc: compress Web Cryptography Algorithm matrix (Filip Skokan) #​59365
• [8f8960cfcb] - doc: fix the version tls.DEFAULT_CIPHERS was added (Allon Murienik) #​59247
• [9e76089f1a] - doc: clarify glob's exclude option behavior (hotpineapple) #​59245
• [dd5f835af7] - doc: add RafaelGSS as performance strategic lead (Rafael Gonzaga) #​59445
• [2b7a7a525e] - doc,crypto: add supported asymmetric key types section (Filip Skokan) #​59492
• [2fafe4c3bb] - esm: link modules synchronously when no async loader hooks are used (Joyee Cheung) #​59519
• [5347c4997a] - esm: show race error message for inner module job race (Joyee Cheung) #​59519
• [b56d8af2fe] - esm: sync-ify module translation (Joyee Cheung) #​59453
• [b4a23d6a69] - http: trim off brackets from IPv6 addresses with string operations (Krishnadas PC) #​59420
• [6ae202fcdf] - (SEMVER-MINOR) http: add Agent.agentKeepAliveTimeoutBuffer option (Haram Jeong) #​59315
• [dafee05358] - (SEMVER-MINOR) http2: add support for raw header arrays in h2Stream.respond() (Tim Perry) #​59455
• [b7ea39d860] - http2: report sent headers object in client stream dcs (Darshan Sen) #​59419
• [ebe9272dae] - inspector: initial support websocket inspection (Shima Ryuhei) #​59404
• [b35041c7dc] - inspector: prevent propagation of promise hooks to noPromise hooks (Shima Ryuhei) #​58841
• [fe7176d7c6] - lib: do not modify prototype deprecated asyncResource (encore) (Szymon Łągiewka) #​59518
• [93fc80a1e2] - (SEMVER-MINOR) lib: refactor kSupportedAlgorithms (Filip Skokan) #​59365
• [9a12f71ad9] - lib: simplify IPv6 checks in isLoopback() (Krishnadas) #​59375
• [566fb04c82] - meta: update devcontainer to the latest schema (Aviv Keller) #​54347
• [389a24bbff] - module: allow overriding linked requests for a ModuleWrap (Chengzhong Wu) #​59527
• [7880978fe3] - module: correctly detect top-level await in ambiguous contexts (Shima Ryuhei) #​58646
• [99128d9244] - node-api: link to other programming language bindings (Chengzhong Wu) #​59516
• [65c870e6cb] - node-api: clarify enum value ABI stability (Chengzhong Wu) #​59085
• [352d63541a] - sea: implement execArgvExtension (Joyee Cheung) #​59560
• [c6e3d5d98d] - (SEMVER-MINOR) sea: support execArgv in sea config (Joyee Cheung) #​59314
• [e7084df4db] - sqlite: add sqlite-type symbol for DatabaseSync (Alex Yang) #​59405
• [e2b6bdc640] - sqlite: handle ?NNN parameters as positional (Edy Silva) #​59350
• [99e4a12731] - sqlite: avoid useless call to FromMaybe() (Tobias Nießen) #​59490
• [dfd4962e5f] - src: enforce assumptions in FIXED_ONE_BYTE_STRING (Tobias Nießen) #​58155
• [93a368df04] - src: use simdjson to parse --snapshot-config (Joyee Cheung) #​59473
• [716750fcf8] - src: fix order of CHECK_NOT_NULL/dereference (Tobias Nießen) #​59487
• [44a8ecf8d4] - src: assert memory calc for max-old-space-size-percentage (Asaf Federman) #​59460
• [3462b46fca] - src: use simdjson::pad (0hm☘️) #​59391
• [3e1551d845] - src: move shared_ptr objects in KeyObjectData (Tobias Nießen) #​59472
• [c022c1f85a] - src: add internal GetOptionsAsFlags (Pietro Marchini) #​59138
• [c0f08454a3] - src: iterate metadata version entries with std::array (Chengzhong Wu) #​57866
• [f87836f3ae] - src: internalize v8::ConvertableToTraceFormat in traces (Chengzhong Wu) #​57866
• [852b8e46d8] - src: remove duplicate assignment of O_EXCL in node_constants.cc (Daniel Osvaldo R) #​59049
• [64ffde608f] - src: add Intel CET properties to large_pages.S (tjuhaszrh) #​59363
• [823dce32ec] - src: update OpenSSL pqc checks (Filip Skokan) #​59436
• [8dc6f5b696] - (SEMVER-MINOR) stream: add brotli support to CompressionStream and DecompressionStream (Matthew Aitken) #​59464
• [b2b8383755] - test: use mustSucceed in test-repl-tab-complete-import (Sohyeon Kim) #​59368
• [e3ad5cc2c6] - test: skip sea tests on Linux ppc64le (Richard Lau) #​59563
• [f78f47ca5a] - test: support standalone env comment in tests (Pietro Marchini) #​59546
• [0e8bc2c7ac] - test: rename test-net-server-drop-connections-in-cluster.js to -http- (Meghan Denny) #​59532
• [ed339580af] - test: lazy-load internalTTy (Pietro Marchini) #​59517
• [fe86bc6da8] - test: fix test-setproctitle status when ps is not available (Antoine du Hamel) #​59523
• [e517792973] - test: add parseTestMetadata support (Pietro Marchini) #​59503
• [31092972d6] - test: update WPT for WebCryptoAPI to ff26d9b (Node.js GitHub Bot) #​59497
• [16afd103cc] - (SEMVER-MINOR) test: add Web Cryptography wrap/unwrap vectors (Filip Skokan) #​59365
• [5598baf34e] - (SEMVER-MINOR) test: cleanup test-webcrypto-supports (Filip Skokan) #​59365
• [e7809d6ddb] - test: make test-debug-process locale-independent (BCD1me) #​59254
• [ca7856e73c] - test: mark test-wasi-pthread as flaky (Joyee Cheung) #​59488
• [0ecd82197f] - test: split test-wasi.js (Joyee Cheung) #​59488
• [0930c218d6] - test: deflake connection refused proxy tests (Joyee Cheung) #​59476
• [7f457f886a] - test: use case-insensitive path checking on Windows in fs.cpSync tests (Joyee Cheung) #​59475
• [37809115f9] - test: add missing hasPostData in test-inspector-emit-protocol-event (Shima Ryuhei) #​59412
• [f4722b1672] - test: refactor error checks to use assert.ifError/mustSucceed (Sohyeon Kim) #​59424
• [9ff71a672d] - test: fix typos (Lee Jiho) #​59330
• [9a7700da62] - test: skip test-watch-mode inspect when no inspector (James M Snell) #​59440
• [e964c4334e] - test_runner: do not error when getting fullName of root context (René) #​59377
• [e076f7857c] - test_runner: add option to rerun only failed tests (Moshe Atlow) #​59443
• [eb8b1939a4] - test_runner: fix isSkipped check in junit (Sungwon) #​59414
• [4e02ea1c52] - tools: update gyp-next to 0.20.3 (Node.js GitHub Bot) #​59603
• [99da7fbe11] - tools: avoid parsing test files twice (Pietro Marchini) #​59526
• [9a6a8e319b] - tools: update coverage GitHub Actions to fixed version (Rich Trott) #​59512
• [8d28236aff] - tools: fix return value of try_check_compiler (theanarkh) #​59434
• [52ab64ec3a] - tools: bump @​eslint/plugin-kit from 0.3.3 to 0.3.4 in /tools/eslint (dependabot[bot]) #​59271
• [baa22893bb] - typings: add missing URLBinding methods (성우현 | Woohyun Sung) #​59468
• [b68e0d1eca] - util: fix error's namespaced node_modules highlighting using inspect (Ruben Bridgewater) #​59446
• [15ae21b88a] - util: add some additional error classes to wellKnownPrototypes (Mark S. Miller) #​59456
• [c38b7cfa35] - worker: fix worker name with \0 (theanarkh) #​59214
• [f54ace694a] - worker: add worker name to report (theanarkh) #​58935

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

📦 Packages

Package	Install
Template Set	bun add @settlemint/settlemint/[email protected]