RepoJournal

NODE STRIPS 14 ROOT CERTIFICATES, ADDS PERMISSION.DROP CONTROL

By RepoJournal · Filed · About Node.js

Node's certificate store just got pruned hard, removing 14 trusted roots including DigiCert and COMODO, while a new permission.drop API gives you runtime control over what your code can access.

The crypto update [1] brings in the root certificates from NSS 3.123.1 (the version shipped in Firefox 151.0.1), clearing out a substantial list of legacy certificate authorities that no longer meet modern security standards. This is the kind of maintenance that keeps TLS chains trustworthy, but it requires you to check whether any internal or legacy systems still chain to the removed roots, since an upgraded Node client will no longer accept those chains unless you supply the roots yourself (for example via NODE_EXTRA_CA_CERTS).

In parallel, Node added permission.drop [2], which lets you revoke permissions at runtime instead of being locked into the grants made at startup, so a process can give up access to risky operations once it no longer needs them.

The undici core also got a simplification [3] of its abort listener utility, reducing complexity without changing behavior. Over at amaro, SWC was bumped to v1.15.40 [4] and the project shipped v1.1.10 [5] with workflow hardening following CVE-2025-30066. The undici dependency chain picked up ws 8.21.0 [6], which fixes a remote memory-exhaustion DoS and adds configurable buffering limits for fragmented messages.

References

  [1] crypto: update root certificates to NSS 3.123.1 (nodejs/node)
  [2] lib,permission: add permission.drop (nodejs/node)
  [3] fix(core): simplify `addAbortListener` util (#5317) (nodejs/undici)
  [4] chore(deps): update SWC to v1.15.40 (nodejs/amaro)
  [5] v1.1.10 (nodejs/amaro)
  [6] build(deps-dev): bump ws from 8.20.0 to 8.21.0 (nodejs/undici)

FAQ

What changed in Node.js on May 27, 2026?
Node's certificate store just got pruned hard, removing 14 trusted roots including DigiCert and COMODO, while a new permission.drop API gives you runtime control over what your code can access.
What should Node.js teams do about it?
  • Audit TLS chains if you rely on any removed root CAs (DigiCert, COMODO, QuoVadis, SecureTrust, Certigna, others)
  • Review the permission.drop API if your app grants risky permissions at startup
  • Update undici for the ws 8.21.0 DoS fix if you handle fragmented messages
Which Node.js repositories shipped on May 27, 2026?
nodejs/node, nodejs/undici, nodejs/amaro
