nodejs · panva · Apr 28, 2026 · Apr 28, 2026 · Apr 28, 2026 · Apr 28, 2026
diff --git a/.github/sync-node-ncrypto.json b/.github/sync-node-ncrypto.json
@@ -0,0 +1,3 @@
+{
+  "node_commit": "8385efc01343a835e3a0efe05611f44272cbb413"
+}
diff --git a/.github/workflows/bazel.yml b/.github/workflows/bazel.yml
@@ -25,8 +25,8 @@ jobs:
   macos:
     runs-on: macos-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: bazel-contrib/setup-bazel@bbf8fe8b219f642c7f8bc673215f28eb1d9dec51 # v0.10.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: bazel-contrib/setup-bazel@c5acdfb288317d0b5c0bbd7a396a3dc868bb0f86 # 0.19.0
         with:
           bazelisk-cache: true
           disk-cache: ${{ github.workflow }}
@@ -45,8 +45,8 @@ jobs:
             cxx: clang++-18
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - uses: bazel-contrib/setup-bazel@bbf8fe8b219f642c7f8bc673215f28eb1d9dec51 # v0.10.0
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      - uses: bazel-contrib/setup-bazel@c5acdfb288317d0b5c0bbd7a396a3dc868bb0f86 # 0.19.0
         with:
           bazelisk-cache: true
           disk-cache: ${{ github.workflow }}

diff --git a/.github/workflows/commitlint.yml b/.github/workflows/commitlint.yml
@@ -10,7 +10,7 @@ jobs:
   commitlint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
           fetch-depth: 100
       - uses: wagoid/commitlint-github-action@b948419dd99f3fd78a6548d48f94e3df7f6bf3ed # v6.2.1
diff --git a/.github/workflows/linter.yml b/.github/workflows/linter.yml
@@ -24,10 +24,10 @@ jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
       - name: Run clang-format
-        uses: jidicula/clang-format-action@6cd220de46c89139a0365edae93eee8eb30ca8fe # v4.16.0
+        uses: jidicula/clang-format-action@654a770daa28443dd111d133e4083e21c1075674 # v4.18.0
         with:
           clang-format-version: '21'
           fallback-style: 'Google'

diff --git a/.github/workflows/macos.yml b/.github/workflows/macos.yml
@@ -28,9 +28,9 @@ jobs:
         runs-on: [macos-14, macos-15]
     runs-on: ${{matrix.runs-on}}
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: ccache
-        uses: hendrikmuhs/ccache-action@v1.2
+        uses: hendrikmuhs/ccache-action@d62db5f07c26379fc4b4e0916f098a92573c3b03 # v1.2.23
         with:
           key: ${{github.job}}-${{matrix.os}}
       - name: Prepare
@@ -40,4 +40,4 @@ jobs:
         # Ref: https://docs.github.com/en/actions/using-github-hosted-runners/using-github-hosted-runners/about-github-hosted-runners
         run: cmake --build build -j=3
       - name: Test
-        run: ctest --output-on-failure --test-dir build
+        run: ctest --output-on-failure --test-dir build
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -13,4 +13,4 @@ jobs:
   release-please:
     runs-on: ubuntu-latest
     steps:
-      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38  # v4.4.0
+      - uses: googleapis/release-please-action@45996ed1f6d02564a971a2fa1b5860e934307cf7 # v5.0.0
diff --git a/.github/workflows/sync-node-ncrypto.yml b/.github/workflows/sync-node-ncrypto.yml
@@ -0,0 +1,109 @@
+name: Sync Node ncrypto
+
+on:
+  workflow_dispatch:
+    inputs:
+      node_ref:
+        description: nodejs/node ref to sync from
+        required: true
+        default: main
+      base_node_ref:
+        description: Optional previous nodejs/node ref for bootstrap or recovery
+        required: false
+        default: ''
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  sync:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: Sync from nodejs/node
+        id: sync
+        env:
+          NODE_REF: ${{ inputs.node_ref }}
+          BASE_NODE_REF: ${{ inputs.base_node_ref }}
+        run: |
+          python3 tools/sync-node-ncrypto.py \
+            --node-ref "$NODE_REF" \
+            --base-node-ref "$BASE_NODE_REF"
+
+      - name: Stop when there are no changes
+        if: steps.sync.outputs.has_changes != 'true'
+        run: echo 'No ncrypto changes to sync.'
+
+      - name: Commit sync branch
+        id: commit
+        if: steps.sync.outputs.has_changes == 'true'
+        run: |
+          branch='${{ steps.sync.outputs.branch_name }}'
+          git switch -c "$branch"
+          git fetch origin "$branch:refs/remotes/origin/$branch" || true
+          git config user.name 'github-actions[bot]'
+          git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
+          git add \
+            .github/sync-node-ncrypto.json \
+            include/ncrypto.h \
+            src/engine.cpp \
+            src/ncrypto.cpp
+          git commit \
+            -m 'chore: sync ncrypto from nodejs/node' \
+            -m 'Node-Base-Commit: ${{ steps.sync.outputs.base_sha }}' \
+            -m 'Node-Target-Commit: ${{ steps.sync.outputs.target_sha }}'
+          git push --force-with-lease origin "$branch"
+          echo "branch=$branch" >> "$GITHUB_OUTPUT"
+
+      - name: Prepare PR body
+        if: steps.sync.outputs.has_changes == 'true'
+        run: |
+          {
+            echo 'Syncs `deps/ncrypto` from `nodejs/node` into this repository.'
+            echo
+            echo '- Base node commit: `${{ steps.sync.outputs.base_sha }}`'
+            echo '- Target node commit: `${{ steps.sync.outputs.target_sha }}`'
+            echo '- Conflicts: `${{ steps.sync.outputs.has_conflicts }}`'
+            if [ '${{ steps.sync.outputs.has_conflicts }}' = 'true' ]; then
+              echo
+              echo 'This PR was opened as a draft because the 3-way merge produced conflicts:'
+              echo
+              printf '%s\n' '${{ steps.sync.outputs.conflicts }}' | sed 's/^/- `/' | sed 's/$/`/'
+            fi
+          } > "$RUNNER_TEMP/pr-body.md"
+
+      - name: Open or update PR
+        if: steps.sync.outputs.has_changes == 'true'
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          branch='${{ steps.commit.outputs.branch }}'
+          title='chore: sync ncrypto from nodejs/node'
+          existing_url="$(gh pr view "$branch" --json url --jq .url 2>/dev/null || true)"
+          if [ -n "$existing_url" ]; then
+            gh pr edit "$branch" --title "$title" --body-file "$RUNNER_TEMP/pr-body.md"
+            if [ '${{ steps.sync.outputs.has_conflicts }}' = 'true' ]; then
+              gh pr ready "$branch" --undo || true
+            else
+              gh pr ready "$branch" || true
+            fi
+            echo "$existing_url"
+            exit 0
+          fi
+
+          args=(
+            pr create
+            --base main
+            --head "$branch"
+            --title "$title"
+            --body-file "$RUNNER_TEMP/pr-body.md"
+          )
+          if [ '${{ steps.sync.outputs.has_conflicts }}' = 'true' ]; then
+            args+=(--draft)
+          fi
+          gh "${args[@]}"
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
@@ -29,9 +29,9 @@ jobs:
         cxx: [g++-14]
     runs-on: ${{matrix.runs-on}}
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: ccache
-        uses: hendrikmuhs/ccache-action@v1.2
+        uses: hendrikmuhs/ccache-action@d62db5f07c26379fc4b4e0916f098a92573c3b03 # v1.2.23
         with:
           key: ${{github.job}}-${{matrix.os}}-{{matrix.shared}}
       - name: Setup Ninja
@@ -52,10 +52,10 @@ jobs:
       OPENSSL_VERSION: "3.4.1"
       OPENSSL_DIR: "${{ github.workspace }}/openssl-install"
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Cache OpenSSL
         id: cache-openssl
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ${{ env.OPENSSL_DIR }}
           key: openssl-${{ env.OPENSSL_VERSION }}-${{ runner.os }}
@@ -69,7 +69,7 @@ jobs:
           make -j$(nproc)
           make install_sw
       - name: ccache
-        uses: hendrikmuhs/ccache-action@v1.2
+        uses: hendrikmuhs/ccache-action@d62db5f07c26379fc4b4e0916f098a92573c3b03 # v1.2.23
         with:
           key: ${{github.job}}-openssl
       - name: Setup dependencies
@@ -93,10 +93,10 @@ jobs:
       OPENSSL_VERSION: "3.4.1"
       OPENSSL_DIR: "${{ github.workspace }}/openssl-install"
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
       - name: Cache OpenSSL
         id: cache-openssl
-        uses: actions/cache@v4
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ${{ env.OPENSSL_DIR }}
           key: openssl-${{ env.OPENSSL_VERSION }}-${{ runner.os }}
@@ -110,7 +110,7 @@ jobs:
           make -j$(nproc)
           make install_sw
       - name: ccache
-        uses: hendrikmuhs/ccache-action@v1.2
+        uses: hendrikmuhs/ccache-action@d62db5f07c26379fc4b4e0916f098a92573c3b03 # v1.2.23
         with:
           key: ${{github.job}}-openssl-no-argon2
       - name: Setup dependencies

diff --git a/.github/workflows/visual-studio.yml b/.github/workflows/visual-studio.yml
@@ -30,9 +30,9 @@ jobs:
           - {gen: Visual Studio 17 2022, arch: x64, config: Release}
           - {gen: Visual Studio 17 2022, arch: x64, config: Debug}
     steps:
-    - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
     - name: ccache
-      uses: hendrikmuhs/ccache-action@v1.2
+      uses: hendrikmuhs/ccache-action@d62db5f07c26379fc4b4e0916f098a92573c3b03 # v1.2.23
       with:
           key: ${{github.job}}-${{matrix.os}}-${{matrix.config}}
     - name: Install Dependencies

diff --git a/include/ncrypto.h b/include/ncrypto.h
@@ -899,6 +899,9 @@ class EVPKeyPointer final {
     DER,
     PEM,
     JWK,
+    RAW_PUBLIC,
+    RAW_PRIVATE,
+    RAW_SEED,
   };
 
   enum class PKParseError { NOT_RECOGNIZED, NEED_PASSPHRASE, FAILED };
@@ -908,6 +911,7 @@ class EVPKeyPointer final {
     bool output_key_object = false;
     PKFormatType format = PKFormatType::DER;
     PKEncodingType type = PKEncodingType::PKCS8;
+    int ec_point_form = POINT_CONVERSION_UNCOMPRESSED;
     AsymmetricKeyEncodingConfig() = default;
     AsymmetricKeyEncodingConfig(bool output_key_object,
                                 PKFormatType format,
@@ -1622,8 +1626,9 @@ int NoPasswordCallback(char* buf, int size, int rwflag, void* u);
 
 int PasswordCallback(char* buf, int size, int rwflag, void* u);
 
-bool SafeX509SubjectAltNamePrint(const BIOPointer& out, X509_EXTENSION* ext);
-bool SafeX509InfoAccessPrint(const BIOPointer& out, X509_EXTENSION* ext);
+bool SafeX509SubjectAltNamePrint(const BIOPointer& out,
+                                 const X509_EXTENSION* ext);
+bool SafeX509InfoAccessPrint(const BIOPointer& out, const X509_EXTENSION* ext);
 
 // ============================================================================
 // SPKAC