[pull] main from nodejs:main

SECURITY.md

@@ -309,6 +309,32 @@ the community they pose.
   Node.js releases won't be affected by such vulnerabilities. Users are
   responsible for keeping the software they use through Corepack up-to-date.
 
+#### Exposing Application-Level APIs to Untrusted Users (CWE-653)
+
+* Node.js trusts the application code that uses its APIs. When application code
+  exposes Node.js functionality to untrusted users in an unsafe manner, any
+  resulting crashes, data corruption, or other issues are not considered
+  vulnerabilities in Node.js itself. It is the application's responsibility to:
+  * Validate and sanitize all untrusted input before passing it to Node.js APIs.
+  * Design appropriate access controls and security boundaries.
+  * Avoid exposing low-level or dangerous APIs directly to untrusted users.
+
+* Examples of scenarios that are **not** Node.js vulnerabilities:
+  * Allowing untrusted users to register SQLite user-defined functions that can
+    perform arbitrary operations (e.g., closing database connections during query
+    execution, causing crashes or use-after-free conditions).
+  * Exposing `child_process.exec()` or similar APIs to untrusted users without
+    proper input validation, allowing command injection.
+  * Allowing untrusted users to control file paths passed to file system APIs
+    without validation, leading to path traversal issues.
+  * Permitting untrusted users to define custom code that executes with the
+    application's privileges (e.g., custom transforms, plugins, or callbacks).
+
+* These scenarios represent application-level security issues, not Node.js
+  vulnerabilities. The root cause is the application's failure to establish
+  proper security boundaries between trusted application logic and untrusted
+  user input.
+
 ## Assessing experimental features reports
 
 Experimental features are eligible for security reports just like any other

deps/ngtcp2/nghttp3/lib/includes/nghttp3/nghttp3.h

@@ -1749,7 +1749,11 @@ typedef struct nghttp3_conn nghttp3_conn;
 typedef struct nghttp3_settings {
   /**
    * :member:`max_field_section_size` specifies the maximum header
-   * section (block) size.
+   * section (block) size.  nghttp3 library does not enforce this
+   * limit.  Applications are responsible for imposing their own
+   * limits to protect against resource exhaustion.  See
+   * https://datatracker.ietf.org/doc/html/rfc9114#section-4.2.2 for
+   * details.
    */
   uint64_t max_field_section_size;
   /**
@@ -1828,6 +1832,44 @@ typedef struct nghttp3_settings {
   nghttp3_qpack_indexing_strat qpack_indexing_strat;
 } nghttp3_settings;
 
+#define NGHTTP3_PROTO_SETTINGS_V1 1
+#define NGHTTP3_PROTO_SETTINGS_VERSION NGHTTP3_PROTO_SETTINGS_V1
+
+/**
+ * @struct
+ *
+ * :type:`nghttp3_proto_settings` contains HTTP/3 settings that this
+ * library can recognize.  This field is available since v1.14.0.
+ */
+typedef struct nghttp3_proto_settings {
+  /**
+   * :member:`max_field_section_size` specifies the maximum header
+   * section (block) size.
+   */
+  uint64_t max_field_section_size;
+  /**
+   * :member:`qpack_max_dtable_capacity` is the maximum size of QPACK
+   * dynamic table.
+   */
+  size_t qpack_max_dtable_capacity;
+  /**
+   * :member:`qpack_blocked_streams` is the maximum number of streams
+   * which can be blocked while they are being decoded.
+   */
+  size_t qpack_blocked_streams;
+  /**
+   * :member:`enable_connect_protocol`, if set to nonzero, enables
+   * Extended CONNECT Method (see :rfc:`9220`).  Client ignores this
+   * field.
+   */
+  uint8_t enable_connect_protocol;
+  /**
+   * :member:`h3_datagram`, if set to nonzero, enables HTTP/3
+   * Datagrams (see :rfc:`9297`).
+   */
+  uint8_t h3_datagram;
+} nghttp3_proto_settings;
+
 /**
  * @functypedef
  *
@@ -2052,6 +2094,11 @@ typedef int (*nghttp3_shutdown)(nghttp3_conn *conn, int64_t id,
 /**
  * @functypedef
  *
+ * .. warning::
+ *
+ *   Deprecated since v1.14.0.  Use :type:`nghttp3_recv_settings2`
+ *   instead.  New settings will not be notified with this callback.
+ *
  * :type:`nghttp3_recv_settings` is a callback function which is
  * invoked when SETTINGS frame is received.  |settings| is a received
  * remote HTTP/3 settings.
@@ -2103,9 +2150,27 @@ typedef int (*nghttp3_end_origin)(nghttp3_conn *conn, void *conn_user_data);
  */
 typedef void (*nghttp3_rand)(uint8_t *dest, size_t destlen);
 
+/**
+ * @functypedef
+ *
+ * :type:`nghttp3_recv_settings2` is a callback function which is
+ * invoked when SETTINGS frame is received.  |settings| is a received
+ * remote HTTP/3 settings.
+ *
+ * The implementation of this callback must return 0 if it succeeds.
+ * Returning :macro:`NGHTTP3_ERR_CALLBACK_FAILURE` will return to the
+ * caller immediately.  Any values other than 0 is treated as
+ * :macro:`NGHTTP3_ERR_CALLBACK_FAILURE`.  This callback is available
+ * since v1.14.0.
+ */
+typedef int (*nghttp3_recv_settings2)(nghttp3_conn *conn,
+                                      const nghttp3_proto_settings *settings,
+                                      void *conn_user_data);
+
 #define NGHTTP3_CALLBACKS_V1 1
 #define NGHTTP3_CALLBACKS_V2 2
-#define NGHTTP3_CALLBACKS_VERSION NGHTTP3_CALLBACKS_V2
+#define NGHTTP3_CALLBACKS_V3 3
+#define NGHTTP3_CALLBACKS_VERSION NGHTTP3_CALLBACKS_V3
 
 /**
  * @struct
@@ -2195,6 +2260,11 @@ typedef struct nghttp3_callbacks {
    */
   nghttp3_shutdown shutdown;
   /**
+   * .. warning::
+   *
+   *   Deprecated since v1.14.0.  Use :member:`recv_settings2`
+   *   instead.
+   *
    * :member:`recv_settings` is a callback function which is invoked
    * when SETTINGS frame is received.
    */
@@ -2221,6 +2291,12 @@ typedef struct nghttp3_callbacks {
    * v1.11.0.
    */
   nghttp3_rand rand;
+  /**
+   * :member:`recv_settings2` is a callback function which is invoked
+   * when SETTINGS frame is received.  This field is available since
+   * v1.14.0.
+   */
+  nghttp3_recv_settings2 recv_settings2;
 } nghttp3_callbacks;
 
 /**

deps/ngtcp2/nghttp3/lib/includes/nghttp3/version.h

@@ -31,7 +31,7 @@
  *
  * Version number of the nghttp3 library release.
  */
-#define NGHTTP3_VERSION "1.13.1"
+#define NGHTTP3_VERSION "1.14.0"
 
 /**
  * @macro
@@ -41,6 +41,6 @@
  * number, 8 bits for minor and 8 bits for patch. Version 1.2.3
  * becomes 0x010203.
  */
-#define NGHTTP3_VERSION_NUM 0x010d01
+#define NGHTTP3_VERSION_NUM 0x010e00
 
 #endif /* !defined(NGHTTP3_VERSION_H) */

deps/ngtcp2/nghttp3/lib/nghttp3_balloc.h

@@ -64,7 +64,7 @@ typedef struct nghttp3_balloc {
 
 /*
  * nghttp3_balloc_init initializes |balloc| with |blklen| which is the
- * size of memory block.
+ * size of memory block.  |blklen| must be divisible by 16.
  */
 void nghttp3_balloc_init(nghttp3_balloc *balloc, size_t blklen,
                          const nghttp3_mem *mem);

deps/ngtcp2/nghttp3/lib/nghttp3_buf.c

@@ -72,10 +72,12 @@ int nghttp3_buf_reserve(nghttp3_buf *buf, size_t size, const nghttp3_mem *mem) {
     return NGHTTP3_ERR_NOMEM;
   }
 
-  buf->begin = p;
-  buf->end = p + size;
-  buf->pos = p + pos_offset;
-  buf->last = p + last_offset;
+  *buf = (nghttp3_buf){
+    .begin = p,
+    .end = p + size,
+    .pos = p + pos_offset,
+    .last = p + last_offset,
+  };
 
   return 0;
 }

deps/ngtcp2/nghttp3/lib/nghttp3_callbacks.c

@@ -66,6 +66,8 @@ size_t nghttp3_callbackslen_version(int callbacks_version) {
   switch (callbacks_version) {
   case NGHTTP3_CALLBACKS_VERSION:
     return sizeof(callbacks);
+  case NGHTTP3_CALLBACKS_V2:
+    return offsetof(nghttp3_callbacks, rand) + sizeof(callbacks.rand);
   case NGHTTP3_CALLBACKS_V1:
     return offsetof(nghttp3_callbacks, recv_settings) +
            sizeof(callbacks.recv_settings);