Node v24.15.0 nsolid v6.2.3 release

[santigimeno]

Summary by CodeRabbit

• New Features

  • Added Windows DSC configuration for automated build tools installation
  • Extended crypto benchmarks with raw key format support
  • Added new startup and buffer performance benchmarks
  • Introduced --debug-symbols configure option
  • Enhanced minimatch with recursion depth controls
  • Extended Merve with C API and error location tracking

• Bug Fixes

  • Fixed URL component offset handling
  • Improved UTF-8 validation in search params
  • Enhanced const-correctness in cryptographic operations

• Documentation

  • Updated BUILDING.md with Windows build guidance
  • Updated npm CLI documentation across all commands

• Chores

  • Updated dependencies (acorn, ada, llhttp, googletest, npm, minimatch, nbytes)
  • Updated GitHub Actions and workflow configurations

[coderabbitai]

Walkthrough

This pull request introduces a new Windows DSC configuration for Visual Studio Build Tools installation, updates multiple GitHub Actions workflows with action version bumps and logic refinements, updates several dependencies (acorn, ada, llhttp, minimatch, nbytes, ncrypto, merve), expands benchmark coverage with new tests and parameter configurations, and updates documentation including BUILDING.md with expanded platform/toolchain support guidance.

Changes

Cohort / File(s)	Summary
Windows DSC Configuration .configurations/configuration.vsBuildTools.dsc.yaml	New DSC configuration defining resources for WinGet package installation (Python 3.14, Visual Studio 2022 Build Tools, Git, NASM) and Visual Studio component provisioning (VCTools, LLVM/Clang toolset).
GitHub Actions Workflow Updates – Version Bumps .github/workflows/build-tarball.yml, .github/workflows/close-stale-feature-requests.yml, .github/workflows/close-stalled.yml, .github/workflows/codeql.yml, .github/workflows/doc.yml, .github/workflows/scorecard.yml	Action reference updates: artifact handlers upgraded (v6→v7, v7→v8), stale-triage to v10.2.0, CodeQL to v4.32.4, and runner environment changes (ubuntu-slim→ubuntu-latest, arm→latest).
GitHub Actions Workflow Updates – Logic Changes .github/workflows/auto-start-ci.yml, .github/workflows/coverage-windows.yml, .github/workflows/daily-wpt-fyi.yml, .github/workflows/lint-release-proposal.yml, .github/workflows/notify-on-push.yml, .github/workflows/timezone-update.yml, .github/workflows/tools.yml	Logic modifications: dynamic script downloading, paths→paths-ignore filters, Node.js nightly selection (x64→arm64), regex refinements, multi-commit validation, WinGet/DSC docs, and new test426-fixtures matrix entry.
Build Configuration & Tooling common.gypi, configure.py	V8 embedder string bump (node.44→node.48), new --debug-symbols CLI option, v8_enable_v8_checks/gdbjit logic updates.
Documentation Updates BUILDING.md, CHANGELOG.md, Makefile	BUILDING.md expanded with GNU/Linux riscv64 support, Visual Studio 2022/2026 toolchain guidance, WinGet DSC automation instructions; CHANGELOG.md and Makefile updated with version/help-text changes.
Benchmark Framework Additions benchmark/fixtures/import-builtins.mjs, benchmark/misc/startup-core.js, benchmark/util/strip-vt-control-characters.js, benchmark/webstreams/readable-read-buffered.js	New benchmark fixtures/scripts: builtin module imports, startup measurement, VT control character stripping, and pre-buffered stream reading performance tests.
Benchmark Configuration Expansions benchmark/buffers/buffer-bytelength-string.js, benchmark/buffers/buffer-fill.js, benchmark/buffers/buffer-indexof.js, benchmark/buffers/buffer-tostring.js, benchmark/buffers/buffer-copy-bytes-from.js, benchmark/buffers/buffer-transcode.js	Extended encoding variants, new fill test case, additional benchmark modes (partial offset/length), control-flow adjustments (return vs process.exit).
Benchmark Crypto Updates benchmark/crypto/create-keyobject.js, benchmark/crypto/oneshot-sign.js, benchmark/crypto/oneshot-verify.js, benchmark/crypto/hash-stream-creation.js, benchmark/crypto/hash-stream-throughput.js, benchmark/crypto/kem.js, benchmark/crypto/rsa-sign-verify-throughput.js	Added raw key format support (raw-public, raw-private, raw-seed), warmup phases, renamed writes→n parameter, extended KEM/signature verification benchmark coverage, and re-exported key handling.
Benchmark dgram & Misc benchmark/dgram/single-buffer.js	Parameter rename from num to n for consistency with other benchmarks.
Acorn Updates deps/acorn/acorn-walk/CHANGELOG.md, deps/acorn/acorn-walk/README.md, deps/acorn/acorn-walk/package.json, deps/acorn/acorn/CHANGELOG.md, deps/acorn/acorn/README.md, deps/acorn/acorn/package.json	Version bumps (acorn 8.15.0→8.16.0, acorn-walk 8.3.4→8.3.5), ESM import syntax examples, sourceType commonjs support documentation, Unicode 17 support.
Ada Updates deps/ada/ada.cpp, deps/ada/ada.gyp, deps/ada/ada.h	Version bump (3.4.2→3.4.4), simdutf dependency integration, scheme matching optimization via fast path keying, URL offset/search-params sorting fixes, boundary checks for pathname handling.
Amaro Updates deps/amaro/README.md, deps/amaro/package.json	Version bump (1.1.7→1.1.8), updated loader documentation from --experimental-transform-types to --enable-source-maps, added programmatic module.register() guidance.
GoogleTest Updates deps/googletest/include/gtest/gtest-test-part.h, deps/googletest/include/gtest/gtest.h, deps/googletest/include/gtest/internal/gtest-internal.h, deps/googletest/include/gtest/internal/gtest-port.h, deps/googletest/src/gtest-port.cc, deps/googletest/src/gtest-test-part.cc, deps/googletest/src/gtest.cc	std\::string_view migration for parameter signatures, MinGW-specific Notification implementation via Win32 events, defaulted destructors, regex error handling improvements.
LLHttp Updates deps/llhttp/.gitignore, deps/llhttp/CMakeLists.txt, deps/llhttp/README.md, deps/llhttp/include/llhttp.h, deps/llhttp/src/llhttp.c	Version bump (9.3.0→9.3.1), CMake build option rename (BUILD_→LLHTTP_BUILD_), enum reordering for error codes, NEON SIMD optimizations (u8/u16 mask adjustments, match_len forcing), lookup table byte adjustment.
Merve Updates deps/merve/BUILD.gn, deps/merve/merve.cpp, deps/merve/merve.h, deps/merve/merve_c.h, deps/merve/unofficial.gni	Version bump (1.0.0→1.2.2), thread-local error tracking with source locations, export entries now store line numbers, new C API with error location reporting, GN/cmake build definitions.
Minimatch Updates deps/minimatch/README.md, deps/minimatch/index.js, deps/minimatch/package.json	Version bump (10.1.2→10.2.4), ReDoS security warning, maxGlobstarRecursion/maxExtglobRecursion options, AST refactoring with adoption/usurp logic, extglob depth limiting, Windows escape handling, brace-expansion dependency update.
Nbytes Updates deps/nbytes/.release-please-manifest.json, deps/nbytes/CHANGELOG.md, deps/nbytes/CMakeLists.txt, deps/nbytes/include/nbytes.h, deps/nbytes/nbytes.pc.in, deps/nbytes/release-please-config.json, deps/nbytes/src/nbytes.cpp	Version bump (0.1.1→0.1.3), pkg-config metadata generation, arithmetic-based HexEncode replacing lookup tables, release-please configuration.
Ncrypto Updates deps/ncrypto/ncrypto.cc, deps/ncrypto/ncrypto.h	OpenSSL accessor usage (ASN1_STRING_get0_data, X509_get0_*) for const-correctness, EC point form configuration, raw key format support (RAW_PUBLIC/PRIVATE/SEED), BIO null handling, cofactor-based key setting logic.
NPM Docs/Command HTML Updates deps/npm/docs/content/commands/..., deps/npm/docs/output/commands/..., deps/npm/docs/output/configuring-npm/..., deps/npm/docs/output/using-npm/..., deps/npm/man/man1/npm-*.1	Version bump (11.11.0→11.12.1), include-attestations audit option documentation, min-release-age environment export note, workspace dependency resolution clarification, scripts.html User section removal.
NPM Library Updates deps/npm/lib/commands/outdated.js, deps/npm/lib/utils/cmd-list.js	Comment/documentation-only refactoring within command/utility implementations; no behavioral changes.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes

Possibly related PRs

• Both modify Windows DSC/WinGet provisioning to install Visual Studio, Python, and related components for automated environment setup.
• Both update GitHub Actions workflow versions and configuration logic across multiple CI/CD automation files.
• Both expand npm dependency documentation and functionality, including audit attestation handling and configuration options.

Suggested labels

dependencies, documentation, build, github-actions, windows

Suggested reviewers

• RafaelGSS

Poem

🐇 Whiskers twitching, nose held high,
Workflows optimized, benchmarks fly!
New DSC tales of VS and Git,
Merve's line numbers—a clever fit!
Dependencies dancing to versions anew,
Node.js builds better—hop right through! 🐰

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch node-v24.15.0-nsolid-v6.2.3-release

[coderabbitai]

Actionable comments posted: 9

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

deps/ncrypto/ncrypto.h (1)

857-873: ⚠️ Potential issue | 🟠 Major

Wire the new key formats and point-form option through the serializer/parser before exposing them.

At Line 861 and Line 873, the public config starts advertising RAW_PUBLIC, RAW_PRIVATE, RAW_SEED, and ec_point_form, but deps/ncrypto/ncrypto.cc still only handles PEM/DER/JWK in TryParsePublicKey(), TryParsePrivateKey(), writePublicKey(), and writePrivateKey(), and none of those paths read ec_point_form. As written, callers that select the new raw formats still hit the existing failure paths, and non-default point-form requests are silently ignored.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deps/ncrypto/ncrypto.h` around lines 857 - 873, The public API added
RAW_PUBLIC/RAW_PRIVATE/RAW_SEED and ec_point_form in AsymmetricKeyEncodingConfig
but the serializer/parser functions still only support PEM/DER/JWK; update
TryParsePublicKey, TryParsePrivateKey, writePublicKey, and writePrivateKey to
honor PKFormatType::RAW_PUBLIC/RAW_PRIVATE/RAW_SEED and to respect
AsymmetricKeyEncodingConfig::ec_point_form when serializing EC keys.
Specifically, add parsing branches in TryParsePublicKey/TryParsePrivateKey to
accept raw byte inputs (using the appropriate OpenSSL
d2i/EVP_PKEY_from_raw/public/private APIs or seed-to-key derivation for
RAW_SEED) and add write paths in writePublicKey/writePrivateKey that emit raw
public/private/seed formats, and set EC_POINT conversion form via
EC_KEY_set_conv_form or i2o_*/o2i_* helpers using ec_point_form when serializing
EC keys so callers selecting RAW_* and non-default ec_point_form get the correct
behavior.

🧹 Nitpick comments (1)

benchmark/util/strip-vt-control-characters.js (1)

15-28: Add a default case in the input switch for fail-fast behavior.

Line 15 currently relies fully on benchmark config correctness. A default branch makes unexpected inputs explicit and easier to debug.

🧩 Suggested hardening

   switch (input) {
@@
     case 'ansi-long':
       str = ('\u001B[31m' + 'colored text '.repeat(10) + '\u001B[39m').repeat(10);
       break;
+    default:
+      throw new Error(`Unknown input variant: ${input}`);
   }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@benchmark/util/strip-vt-control-characters.js` around lines 15 - 28, The
switch over the input variable that assigns str lacks a default branch, so add a
default case to the switch (the same switch that currently handles
'noAnsi-short', 'noAnsi-long', 'ansi-short', 'ansi-long') that fails fast by
throwing an Error (or calling assert) with a clear message including the
unexpected input value; this will make the behavior of the code (the assignment
to str) explicit and easier to debug when the input is invalid.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/coverage-windows.yml:
- Around line 6-28: The paths-ignore block currently contains unsupported
negation patterns '!.github/workflows/coverage-windows.yml' and a broad '.**'
entry that together cause this workflow file to be ignored; remove the negation
lines and ensure the workflow file itself is not excluded (either delete the
'.**' pattern or explicitly remove the workflow filename from the ignore list)
so changes to .github/workflows/coverage-windows.yml will trigger the job;
update the paths-ignore block (reference: paths-ignore, '.**', and
'!.github/workflows/coverage-windows.yml') accordingly.

In `@benchmark/buffers/buffer-bytelength-string.js`:
- Line 7: The benchmark adds 'hex' to the encoding list but getInput() only
prepares base64, so when encoding === 'hex' the test feeds plain text instead of
hex bytes; update getInput() to return a proper hex-encoded string for the hex
case (mirror how base64 is prepared in getInput()), e.g. convert the buffer to
hex when encoding === 'hex', so the buffer.byteLength path measures real hex
input; adjust any variable names in getInput() and references to encoding to
ensure the 'hex' branch is covered.

In `@benchmark/crypto/kem.js`:
- Around line 133-141: The decapsulation warmup uses crypto.encapsulate on a
private key KeyObject (keyObjects[0]) which is invalid; instead derive a public
key from that private KeyObject (use crypto.createPublicKey or the same helper
used elsewhere) and pass the public KeyObject to crypto.encapsulate to produce
warmupCiphertext, then call crypto.decapsulate(keyObject, warmupCiphertext) as
before; update the warmupCiphertext generation and reference crypto.encapsulate,
crypto.decapsulate, and keyObjects to locate the change.

In `@benchmark/util/strip-vt-control-characters.js`:
- Around line 30-34: The benchmark currently measures extra overhead because
assert.ok is executed inside the timed loop and bench.start/stop are misused;
move the assertion out of the measured section by declaring let result; before
the loop, call bench.start() correctly, run for (let i = 0; i < n; i++) { result
= stripVTControlCharacters(str); } then call bench.stop() and finally call
assert.ok(typeof result === 'string'); ensure you reference the existing symbols
stripVTControlCharacters, bench.start(), bench.stop(), assert.ok and the result
variable so the assertion no longer skews timing.

In `@benchmark/webstreams/readable-read-buffered.js`:
- Around line 18-23: The start(controller) implementation enqueues bufferSize
items without checking remaining quota, risking over-enqueueing when bufferSize
> n; update start to use the same boundary logic as pull by computing count =
Math.min(bufferSize, n - enqueued) (or equivalent) and only loop/enqueue that
many times, referencing the existing symbols start, controller, bufferSize,
enqueued, and n to locate and fix the logic.

In `@BUILDING.md`:
- Around line 682-685: The sentence in the WinGet instruction that currently
reads “install Node.js prerequisites” is inconsistent with the project name;
update the wording to refer to N|Solid instead (e.g., “install N|Solid
prerequisites”) in the block that begins “Use one of the above DSC files with
[winget configure]…” and the example line referencing “Visual Studio Community
Edition” so the guide consistently mentions N|Solid rather than Node.js.

In `@configure.py`:
- Around line 108-112: The --debug-symbols parser flag currently only adds a
Unix -g cflag, so update the GYP generation to also set MSVC-specific debug
settings when debug_symbols is true: instead of relying solely on cflags, add
msvs_settings entries for the compile and link steps (e.g., set
VCCLCompilerTool/ClCompile DebugInformationFormat to an appropriate value like
"Zi" or "Z7" and set the linker GenerateDebugInformation/LinkerSetting to true)
and ensure clang-cl builds map to these MSVC settings as well; locate where
debug_symbols is checked and -g is injected (the code that appends to cflags)
and augment it to emit the msvs_settings blocks for Windows/MSVC toolchains.

In `@deps/ncrypto/ncrypto.cc`:
- Around line 3558-3567: The uncompressed-point build currently ignores the
return values of x.encodePaddedInto(...) and y.encodePaddedInto(...), which can
leave the buffer zero-filled and allow invalid coordinates to be fed into
EC_POINT_oct2point(); modify the code around
DataPointer::Alloc/uncompressed_len/ptr and the two calls to encodePaddedInto so
you check each call's boolean/result and if either encodePaddedInto fails return
false (or otherwise abort) before calling EC_POINT_oct2point(); ensure you
reference the same symbols (ptr, field_len, encodePaddedInto,
EC_POINT_oct2point) so the function rejects bad/null/oversized coordinates the
same way as the affine path.

In `@deps/npm/lib/utils/verify-signatures.js`:
- Around line 63-67: Before emitting the JSON, ensure the attestations array is
sorted so output is deterministic: when building result with result.verified =
this.verified (guarded by this.npm.config.get('include-attestations')), sort
this.verified into a stable, well-defined order (e.g., by a unique key or string
compare) before calling output.buffer(result); apply the same sorting change to
the other occurrence that assigns result.verified around the later block (the
one at the other location referenced in the review) so both outputs are
deterministic.

---

Outside diff comments:
In `@deps/ncrypto/ncrypto.h`:
- Around line 857-873: The public API added RAW_PUBLIC/RAW_PRIVATE/RAW_SEED and
ec_point_form in AsymmetricKeyEncodingConfig but the serializer/parser functions
still only support PEM/DER/JWK; update TryParsePublicKey, TryParsePrivateKey,
writePublicKey, and writePrivateKey to honor
PKFormatType::RAW_PUBLIC/RAW_PRIVATE/RAW_SEED and to respect
AsymmetricKeyEncodingConfig::ec_point_form when serializing EC keys.
Specifically, add parsing branches in TryParsePublicKey/TryParsePrivateKey to
accept raw byte inputs (using the appropriate OpenSSL
d2i/EVP_PKEY_from_raw/public/private APIs or seed-to-key derivation for
RAW_SEED) and add write paths in writePublicKey/writePrivateKey that emit raw
public/private/seed formats, and set EC_POINT conversion form via
EC_KEY_set_conv_form or i2o_*/o2i_* helpers using ec_point_form when serializing
EC keys so callers selecting RAW_* and non-default ec_point_form get the correct
behavior.

---

Nitpick comments:
In `@benchmark/util/strip-vt-control-characters.js`:
- Around line 15-28: The switch over the input variable that assigns str lacks a
default branch, so add a default case to the switch (the same switch that
currently handles 'noAnsi-short', 'noAnsi-long', 'ansi-short', 'ansi-long') that
fails fast by throwing an Error (or calling assert) with a clear message
including the unexpected input value; this will make the behavior of the code
(the assignment to str) explicit and easier to debug when the input is invalid.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 5c901a09-f8aa-4bcd-8159-2795fd101fd7

📥 Commits

Reviewing files that changed from the base of the PR and between 1fec452 and 8298ca5.

⛔ Files ignored due to path filters (48)

• deps/acorn/acorn-walk/dist/walk.d.mts is excluded by !**/dist/**
• deps/acorn/acorn-walk/dist/walk.d.ts is excluded by !**/dist/**
• deps/acorn/acorn-walk/dist/walk.js is excluded by !**/dist/**
• deps/acorn/acorn-walk/dist/walk.mjs is excluded by !**/dist/**
• deps/acorn/acorn/dist/acorn.d.mts is excluded by !**/dist/**
• deps/acorn/acorn/dist/acorn.d.ts is excluded by !**/dist/**
• deps/acorn/acorn/dist/acorn.js is excluded by !**/dist/**
• deps/acorn/acorn/dist/acorn.mjs is excluded by !**/dist/**
• deps/amaro/dist/index.js is excluded by !**/dist/**
• deps/amaro/dist/package.json is excluded by !**/dist/**
• deps/icu-small/source/data/in/icudt78l.dat.bz2 is excluded by !**/*.bz2
• deps/minimatch/dist/commonjs/assert-valid-pattern.d.ts is excluded by !**/dist/**
• deps/minimatch/dist/commonjs/assert-valid-pattern.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/assert-valid-pattern.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/ast.d.ts is excluded by !**/dist/**
• deps/minimatch/dist/commonjs/ast.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/ast.js is excluded by !**/dist/**
• deps/minimatch/dist/commonjs/ast.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/brace-expressions.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/brace-expressions.js is excluded by !**/dist/**
• deps/minimatch/dist/commonjs/brace-expressions.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/escape.js is excluded by !**/dist/**
• deps/minimatch/dist/commonjs/escape.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/index.d.ts is excluded by !**/dist/**
• deps/minimatch/dist/commonjs/index.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/index.js is excluded by !**/dist/**
• deps/minimatch/dist/commonjs/index.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/commonjs/unescape.js is excluded by !**/dist/**
• deps/minimatch/dist/commonjs/unescape.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/assert-valid-pattern.d.ts is excluded by !**/dist/**
• deps/minimatch/dist/esm/assert-valid-pattern.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/assert-valid-pattern.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/ast.d.ts is excluded by !**/dist/**
• deps/minimatch/dist/esm/ast.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/ast.js is excluded by !**/dist/**
• deps/minimatch/dist/esm/ast.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/brace-expressions.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/brace-expressions.js is excluded by !**/dist/**
• deps/minimatch/dist/esm/brace-expressions.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/escape.js is excluded by !**/dist/**
• deps/minimatch/dist/esm/escape.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/index.d.ts is excluded by !**/dist/**
• deps/minimatch/dist/esm/index.d.ts.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/index.js is excluded by !**/dist/**
• deps/minimatch/dist/esm/index.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/dist/esm/unescape.js is excluded by !**/dist/**
• deps/minimatch/dist/esm/unescape.js.map is excluded by !**/dist/**, !**/*.map
• deps/minimatch/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (252)

• .configurations/configuration.vsBuildTools.dsc.yaml
• .github/workflows/auto-start-ci.yml
• .github/workflows/build-tarball.yml
• .github/workflows/close-stale-feature-requests.yml
• .github/workflows/close-stalled.yml
• .github/workflows/codeql.yml
• .github/workflows/coverage-windows.yml
• .github/workflows/daily-wpt-fyi.yml
• .github/workflows/doc.yml
• .github/workflows/lint-release-proposal.yml
• .github/workflows/notify-on-push.yml
• .github/workflows/scorecard.yml
• .github/workflows/timezone-update.yml
• .github/workflows/tools.yml
• BUILDING.md
• CHANGELOG.md
• Makefile
• benchmark/buffers/buffer-bytelength-string.js
• benchmark/buffers/buffer-copy-bytes-from.js
• benchmark/buffers/buffer-fill.js
• benchmark/buffers/buffer-indexof.js
• benchmark/buffers/buffer-tostring.js
• benchmark/buffers/buffer-transcode.js
• benchmark/crypto/create-keyobject.js
• benchmark/crypto/hash-stream-creation.js
• benchmark/crypto/hash-stream-throughput.js
• benchmark/crypto/kem.js
• benchmark/crypto/oneshot-sign.js
• benchmark/crypto/oneshot-verify.js
• benchmark/crypto/rsa-sign-verify-throughput.js
• benchmark/dgram/single-buffer.js
• benchmark/fixtures/empty.mjs
• benchmark/fixtures/import-builtins.mjs
• benchmark/misc/startup-core.js
• benchmark/util/strip-vt-control-characters.js
• benchmark/webstreams/readable-read-buffered.js
• common.gypi
• configure.py
• deps/acorn/acorn-walk/CHANGELOG.md
• deps/acorn/acorn-walk/README.md
• deps/acorn/acorn-walk/package.json
• deps/acorn/acorn/CHANGELOG.md
• deps/acorn/acorn/README.md
• deps/acorn/acorn/package.json
• deps/ada/ada.cpp
• deps/ada/ada.gyp
• deps/ada/ada.h
• deps/amaro/README.md
• deps/amaro/package.json
• deps/googletest/include/gtest/gtest-test-part.h
• deps/googletest/include/gtest/gtest.h
• deps/googletest/include/gtest/internal/gtest-internal.h
• deps/googletest/include/gtest/internal/gtest-port.h
• deps/googletest/src/gtest-port.cc
• deps/googletest/src/gtest-test-part.cc
• deps/googletest/src/gtest.cc
• deps/llhttp/.gitignore
• deps/llhttp/CMakeLists.txt
• deps/llhttp/README.md
• deps/llhttp/include/llhttp.h
• deps/llhttp/src/llhttp.c
• deps/merve/BUILD.gn
• deps/merve/merve.cpp
• deps/merve/merve.h
• deps/merve/merve_c.h
• deps/merve/unofficial.gni
• deps/minimatch/README.md
• deps/minimatch/index.js
• deps/minimatch/package.json
• deps/nbytes/.release-please-manifest.json
• deps/nbytes/CHANGELOG.md
• deps/nbytes/CMakeLists.txt
• deps/nbytes/include/nbytes.h
• deps/nbytes/nbytes.pc.in
• deps/nbytes/release-please-config.json
• deps/nbytes/src/nbytes.cpp
• deps/ncrypto/ncrypto.cc
• deps/ncrypto/ncrypto.h
• deps/npm/docs/content/commands/npm-audit.md
• deps/npm/docs/content/commands/npm-install-test.md
• deps/npm/docs/content/commands/npm-install.md
• deps/npm/docs/content/commands/npm-ls.md
• deps/npm/docs/content/commands/npm-outdated.md
• deps/npm/docs/content/commands/npm-publish.md
• deps/npm/docs/content/commands/npm-trust.md
• deps/npm/docs/content/commands/npm-update.md
• deps/npm/docs/content/commands/npm.md
• deps/npm/docs/content/using-npm/config.md
• deps/npm/docs/content/using-npm/scripts.md
• deps/npm/docs/content/using-npm/workspaces.md
• deps/npm/docs/lib/index.js
• deps/npm/docs/output/commands/npm-access.html
• deps/npm/docs/output/commands/npm-adduser.html
• deps/npm/docs/output/commands/npm-audit.html
• deps/npm/docs/output/commands/npm-bugs.html
• deps/npm/docs/output/commands/npm-cache.html
• deps/npm/docs/output/commands/npm-ci.html
• deps/npm/docs/output/commands/npm-completion.html
• deps/npm/docs/output/commands/npm-config.html
• deps/npm/docs/output/commands/npm-dedupe.html
• deps/npm/docs/output/commands/npm-deprecate.html
• deps/npm/docs/output/commands/npm-diff.html
• deps/npm/docs/output/commands/npm-dist-tag.html
• deps/npm/docs/output/commands/npm-docs.html
• deps/npm/docs/output/commands/npm-doctor.html
• deps/npm/docs/output/commands/npm-edit.html
• deps/npm/docs/output/commands/npm-exec.html
• deps/npm/docs/output/commands/npm-explain.html
• deps/npm/docs/output/commands/npm-explore.html
• deps/npm/docs/output/commands/npm-find-dupes.html
• deps/npm/docs/output/commands/npm-fund.html
• deps/npm/docs/output/commands/npm-get.html
• deps/npm/docs/output/commands/npm-help-search.html
• deps/npm/docs/output/commands/npm-help.html
• deps/npm/docs/output/commands/npm-init.html
• deps/npm/docs/output/commands/npm-install-ci-test.html
• deps/npm/docs/output/commands/npm-install-test.html
• deps/npm/docs/output/commands/npm-install.html
• deps/npm/docs/output/commands/npm-link.html
• deps/npm/docs/output/commands/npm-ll.html
• deps/npm/docs/output/commands/npm-login.html
• deps/npm/docs/output/commands/npm-logout.html
• deps/npm/docs/output/commands/npm-ls.html
• deps/npm/docs/output/commands/npm-org.html
• deps/npm/docs/output/commands/npm-outdated.html
• deps/npm/docs/output/commands/npm-owner.html
• deps/npm/docs/output/commands/npm-pack.html
• deps/npm/docs/output/commands/npm-ping.html
• deps/npm/docs/output/commands/npm-pkg.html
• deps/npm/docs/output/commands/npm-prefix.html
• deps/npm/docs/output/commands/npm-profile.html
• deps/npm/docs/output/commands/npm-prune.html
• deps/npm/docs/output/commands/npm-publish.html
• deps/npm/docs/output/commands/npm-query.html
• deps/npm/docs/output/commands/npm-rebuild.html
• deps/npm/docs/output/commands/npm-repo.html
• deps/npm/docs/output/commands/npm-restart.html
• deps/npm/docs/output/commands/npm-root.html
• deps/npm/docs/output/commands/npm-run.html
• deps/npm/docs/output/commands/npm-sbom.html
• deps/npm/docs/output/commands/npm-search.html
• deps/npm/docs/output/commands/npm-set.html
• deps/npm/docs/output/commands/npm-shrinkwrap.html
• deps/npm/docs/output/commands/npm-star.html
• deps/npm/docs/output/commands/npm-stars.html
• deps/npm/docs/output/commands/npm-start.html
• deps/npm/docs/output/commands/npm-stop.html
• deps/npm/docs/output/commands/npm-team.html
• deps/npm/docs/output/commands/npm-test.html
• deps/npm/docs/output/commands/npm-token.html
• deps/npm/docs/output/commands/npm-trust.html
• deps/npm/docs/output/commands/npm-undeprecate.html
• deps/npm/docs/output/commands/npm-uninstall.html
• deps/npm/docs/output/commands/npm-unpublish.html
• deps/npm/docs/output/commands/npm-unstar.html
• deps/npm/docs/output/commands/npm-update.html
• deps/npm/docs/output/commands/npm-version.html
• deps/npm/docs/output/commands/npm-view.html
• deps/npm/docs/output/commands/npm-whoami.html
• deps/npm/docs/output/commands/npm.html
• deps/npm/docs/output/commands/npx.html
• deps/npm/docs/output/configuring-npm/folders.html
• deps/npm/docs/output/configuring-npm/install.html
• deps/npm/docs/output/configuring-npm/npm-global.html
• deps/npm/docs/output/configuring-npm/npm-json.html
• deps/npm/docs/output/configuring-npm/npm-shrinkwrap-json.html
• deps/npm/docs/output/configuring-npm/npmrc.html
• deps/npm/docs/output/configuring-npm/package-json.html
• deps/npm/docs/output/configuring-npm/package-lock-json.html
• deps/npm/docs/output/using-npm/config.html
• deps/npm/docs/output/using-npm/dependency-selectors.html
• deps/npm/docs/output/using-npm/developers.html
• deps/npm/docs/output/using-npm/logging.html
• deps/npm/docs/output/using-npm/orgs.html
• deps/npm/docs/output/using-npm/package-spec.html
• deps/npm/docs/output/using-npm/registry.html
• deps/npm/docs/output/using-npm/removal.html
• deps/npm/docs/output/using-npm/scope.html
• deps/npm/docs/output/using-npm/scripts.html
• deps/npm/docs/output/using-npm/workspaces.html
• deps/npm/lib/arborist-cmd.js
• deps/npm/lib/base-cmd.js
• deps/npm/lib/cli/entry.js
• deps/npm/lib/cli/exit-handler.js
• deps/npm/lib/cli/update-notifier.js
• deps/npm/lib/cli/validate-engines.js
• deps/npm/lib/commands/audit.js
• deps/npm/lib/commands/cache.js
• deps/npm/lib/commands/ci.js
• deps/npm/lib/commands/completion.js
• deps/npm/lib/commands/config.js
• deps/npm/lib/commands/dedupe.js
• deps/npm/lib/commands/diff.js
• deps/npm/lib/commands/dist-tag.js
• deps/npm/lib/commands/doctor.js
• deps/npm/lib/commands/exec.js
• deps/npm/lib/commands/explore.js
• deps/npm/lib/commands/find-dupes.js
• deps/npm/lib/commands/fund.js
• deps/npm/lib/commands/help-search.js
• deps/npm/lib/commands/help.js
• deps/npm/lib/commands/init.js
• deps/npm/lib/commands/install-ci-test.js
• deps/npm/lib/commands/install-test.js
• deps/npm/lib/commands/install.js
• deps/npm/lib/commands/link.js
• deps/npm/lib/commands/ls.js
• deps/npm/lib/commands/org.js
• deps/npm/lib/commands/outdated.js
• deps/npm/lib/commands/pack.js
• deps/npm/lib/commands/pkg.js
• deps/npm/lib/commands/profile.js
• deps/npm/lib/commands/prune.js
• deps/npm/lib/commands/publish.js
• deps/npm/lib/commands/run.js
• deps/npm/lib/commands/sbom.js
• deps/npm/lib/commands/shrinkwrap.js
• deps/npm/lib/commands/team.js
• deps/npm/lib/commands/trust/index.js
• deps/npm/lib/commands/unpublish.js
• deps/npm/lib/commands/update.js
• deps/npm/lib/commands/view.js
• deps/npm/lib/lifecycle-cmd.js
• deps/npm/lib/npm.js
• deps/npm/lib/package-url-cmd.js
• deps/npm/lib/utils/audit-error.js
• deps/npm/lib/utils/auth.js
• deps/npm/lib/utils/cmd-list.js
• deps/npm/lib/utils/error-message.js
• deps/npm/lib/utils/explain-dep.js
• deps/npm/lib/utils/explain-eresolve.js
• deps/npm/lib/utils/format-bytes.js
• deps/npm/lib/utils/format-search-stream.js
• deps/npm/lib/utils/get-identity.js
• deps/npm/lib/utils/log-file.js
• deps/npm/lib/utils/oidc.js
• deps/npm/lib/utils/open-url.js
• deps/npm/lib/utils/ping.js
• deps/npm/lib/utils/queryable.js
• deps/npm/lib/utils/reify-finish.js
• deps/npm/lib/utils/reify-output.js
• deps/npm/lib/utils/update-workspaces.js
• deps/npm/lib/utils/verify-signatures.js
• deps/npm/man/man1/npm-access.1
• deps/npm/man/man1/npm-adduser.1
• deps/npm/man/man1/npm-audit.1
• deps/npm/man/man1/npm-bugs.1
• deps/npm/man/man1/npm-cache.1
• deps/npm/man/man1/npm-ci.1
• deps/npm/man/man1/npm-completion.1
• deps/npm/man/man1/npm-config.1
• deps/npm/man/man1/npm-dedupe.1

💤 Files with no reviewable changes (6)

• deps/npm/docs/content/using-npm/scripts.md
• deps/npm/lib/commands/install-ci-test.js
• deps/npm/lib/commands/install-test.js
• deps/npm/docs/content/commands/npm-trust.md
• deps/npm/lib/commands/find-dupes.js
• deps/npm/lib/commands/prune.js

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In GitHub Actions, do pull_request.paths-ignoreandpush.paths-ignoresupport negated patterns like!path to re-include files? What is the documented approach to include one workflow file while broadly ignoring dotfiles?

💡 Result:

Yes—GitHub Actions path filters support negated patterns (glob patterns prefixed with !) but they apply within the paths filter, not within paths-ignore. 1) paths-ignore does NOT re-include via ! - The documented semantics for paths-ignore are: “When all the path names match patterns in paths-ignore, the workflow will not run. If any path names do not match patterns in paths-ignore … the workflow will run.” This means paths-ignore is purely an exclusion list; you can’t reliably “subtract then add back” using ! inside paths-ignore. 2) Documented approach: use paths with positive pattern(s) plus ! exclusions - If you want both include and exclude logic for one event, the docs say to use the paths filter and prefix excluded entries with ! (negative patterns). - Also, if you define a ! negated path, you must define at least one non-! (positive) pattern. Practical example (broadly ignore dotfiles, but still include one specific workflow file) - Put a broad positive include for what you want to generally consider, then exclude dotfiles, and finally add back the specific file using another negated/excluded ordering rule via paths. - Example structure: on: pull_request: paths: - '' - '!/.*' # ignore dotfiles/hidden files and hidden directories - '!.github/workflows/ci.yml' # re-include one workflow file (note: must be expressed in paths, not paths-ignore) Notes: - Use paths (not paths-ignore) when you need “ignore dotfiles but include one file” behavior. - The docs also note ordering matters and that negated patterns are evaluated in order. Sources support: - GitHub Docs: paths/paths-ignore behavior and the rule that for include+exclude you must use paths with !, plus the requirement for at least one positive pattern when using !.

Citations:

• 1: https://docs.github.com/actions/using-workflows/workflow-syntax-for-github-actions
• 2: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions
• 3: https://stackoverflow.com/questions/71070064/github-workflow-excluding-paths-does-not-work

---

Remove negation patterns from paths-ignore—they don't re-include files.

paths-ignore in GitHub Actions does not support negation patterns (prefixed with !). The pattern !.github/workflows/coverage-windows.yml on lines 28 and 54 has no effect. Combined with the .** pattern, changes to this workflow file itself will be ignored, preventing the workflow from running on its own edits.

Suggested fix

   pull_request:
     types: [opened, synchronize, reopened, ready_for_review]
     paths-ignore:
@@
-      - .**
-      - '!.github/workflows/coverage-windows.yml'
@@
   push:
@@
     paths-ignore:
@@
-      - .**
-      - '!.github/workflows/coverage-windows.yml'

Also applies to: 32-54

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/coverage-windows.yml around lines 6 - 28, The paths-ignore
block currently contains unsupported negation patterns
'!.github/workflows/coverage-windows.yml' and a broad '.**' entry that together
cause this workflow file to be ignored; remove the negation lines and ensure the
workflow file itself is not excluded (either delete the '.**' pattern or
explicitly remove the workflow filename from the ignore list) so changes to
.github/workflows/coverage-windows.yml will trigger the job; update the
paths-ignore block (reference: paths-ignore, '.**', and
'!.github/workflows/coverage-windows.yml') accordingly.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Hex case is added at Line 7, but input is never hex-encoded

getInput() only prepares base64 (Lines 24-26). With encoding === 'hex', the benchmark feeds regular text, so this path mostly measures invalid-hex handling rather than normal hex byte-length behavior.

Proposed fix

 function getInput(type, repeat, encoding) {
   const original = (repeat === 1) ? chars[type] : chars[type].repeat(repeat);
   if (encoding === 'base64') {
     return Buffer.from(original, 'utf8').toString('base64');
   }
+  if (encoding === 'hex') {
+    return Buffer.from(original, 'utf8').toString('hex');
+  }
   return original;
 }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@benchmark/buffers/buffer-bytelength-string.js` at line 7, The benchmark adds
'hex' to the encoding list but getInput() only prepares base64, so when encoding
=== 'hex' the test feeds plain text instead of hex bytes; update getInput() to
return a proper hex-encoded string for the hex case (mirror how base64 is
prepared in getInput()), e.g. convert the buffer to hex when encoding === 'hex',
so the buffer.byteLength path measures real hex input; adjust any variable names
in getInput() and references to encoding to ensure the 'hex' branch is covered.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf 'Benchmark warmup path in benchmark/crypto/kem.js:\n'
rg -n -C2 'createKeyFn = isEncapsulate \? crypto\.createPublicKey : crypto\.createPrivateKey|crypto\.encapsulate\(keyObjects\[0\]\)' benchmark/crypto/kem.js

printf '\nRelevant crypto API docs in the repository:\n'
rg -n -C2 'Key encapsulation using a KEM algorithm with a public key|Key decapsulation using a KEM algorithm with a private key|crypto\.encapsulate\(key\[, callback\]\)|crypto\.decapsulate\(key, ciphertext\[, callback\]\)'

Repository: nodesource/nsolid

Length of output: 1800

---

🏁 Script executed:

cat benchmark/crypto/kem.js

Repository: nodesource/nsolid

Length of output: 1885

---

🌐 Web query:

Node.js crypto.encapsulate() crypto.decapsulate() public key private key requirements documentation

💡 Result:

Node.js provides crypto.encapsulate and crypto.decapsulate functions in the node:crypto module for Key Encapsulation Mechanisms (KEMs), added in recent versions (around v24.7.0+ with OpenSSL 3.0+ support, stability 1.2 - release candidate). These are used for post-quantum cryptography like ML-KEM and other algorithms. ### crypto.encapsulate(key[, callback]) - key: Public key (KeyObject, or input passed to crypto.createPublicKey). Supported types: * 'rsa' (OpenSSL >=3.0): RSA Secret Value Encapsulation * 'ec' (OpenSSL >=3.2): DHKEM(P-256/P-384/P-521, HKDF-SHA256) * 'x25519' (OpenSSL >=3.2): DHKEM(X25519, HKDF-SHA256) * 'x448' (OpenSSL >=3.2): DHKEM(X448, HKDF-SHA512) * 'ml-kem-512/768/1024' (OpenSSL >=3.5): ML-KEM - Returns synchronously: { sharedKey: Buffer, ciphertext: Buffer } - Async via callback: (err, { sharedKey, ciphertext }) ### crypto.decapsulate(key, ciphertext[, callback]) - key: Private key (KeyObject, or input passed to crypto.createPrivateKey). Same supported types as above. - ciphertext: Buffer from encapsulate. - Returns synchronously: sharedKey: Buffer - Async via callback: (err, sharedKey) Keys are generated with crypto.generateKeyPair('ml-kem-512') etc., returning { publicKey, privateKey } as KeyObjects. The Web Crypto API (globalThis.crypto.subtle) has similar methods: encapsulateBits, decapsulateBits, etc., primarily for ML-KEM, using CryptoKey objects with usages like 'encapsulateBits'/'decapsulateBits'. Example (node:crypto): const { generateKeyPairSync, encapsulate, decapsulate } = require('node:crypto'); const { publicKey, privateKey } = generateKeyPairSync('ml-kem-512'); const { sharedKey: encShared, ciphertext } = encapsulate(publicKey); const sharedKey = decapsulate(privateKey, ciphertext); console.log(encShared.equals(sharedKey)); // true Requires Node.js built with OpenSSL supporting KEM (3.0+), throws ERR_CRYPTO_KEM_NOT_SUPPORTED otherwise.

Citations:

• 1: https://nodejs.org/api/webcrypto.html
• 2: https://bun.com/reference/node/crypto/decapsulate
• 3: https://dev.to/zaheetdev/nodejs-v2470-released-post-quantum-cryptography-modern-webcrypto-and-more-1df9
• 4: nodejs/node@61c3bcdc56
• 5: crypto: support ML-KEM, DHKEM, and RSASVE key encapsulation mechanisms nodejs/node#59491
• 6: nodejs/node@14741539a7
• 7: https://nodejs.org/docs/latest-v25.x/api/crypto.html
• 8: https://nodejs.org/api/crypto.html
• 9: https://nodejs.org/docs/latest/api/webcrypto.html
• 10: nodejs/node@18a2ee5b6c
• 11: http://nodejs.org/docs/latest/api/webcrypto.html

---

Derive a public key before generating the decapsulation warmup ciphertext.

Line 139 calls crypto.encapsulate(keyObjects[0]) in the decapsulation branch, but keyObjects[0] is a private KeyObject created via crypto.createPrivateKey(). The Node.js crypto API requires encapsulate() to receive a public key, while decapsulate() is the private-key counterpart. This will fail at runtime. Derive a public key first, matching what the ciphertext pre-generation block already does.

💡 Proposed fix

   } else {
-    const warmupCiphertext = crypto.encapsulate(keyObjects[0]).ciphertext;
+    const warmupCiphertext =
+      crypto.encapsulate(crypto.createPublicKey(keyObjects[0])).ciphertext;
     for (const keyObject of keyObjects) {
       crypto.decapsulate(keyObject, warmupCiphertext);
     }
   }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@benchmark/crypto/kem.js` around lines 133 - 141, The decapsulation warmup
uses crypto.encapsulate on a private key KeyObject (keyObjects[0]) which is
invalid; instead derive a public key from that private KeyObject (use
crypto.createPublicKey or the same helper used elsewhere) and pass the public
KeyObject to crypto.encapsulate to produce warmupCiphertext, then call
crypto.decapsulate(keyObject, warmupCiphertext) as before; update the
warmupCiphertext generation and reference crypto.encapsulate,
crypto.decapsulate, and keyObjects to locate the change.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify whether assertions are inside the timed benchmark section in this file.
python - <<'PY'
from pathlib import Path

p = Path("benchmark/util/strip-vt-control-characters.js")
lines = p.read_text().splitlines()

start = end = None
for i, line in enumerate(lines, 1):
    if "bench.start()" in line:
        start = i
    if "bench.end(" in line:
        end = i

print(f"timed_section={start}-{end}")
for i in range(start, end + 1):
    if "assert." in lines[i - 1]:
        print(f"assert_in_timed_section: Line {i}: {lines[i - 1].strip()}")
PY

Repository: nodesource/nsolid

Length of output: 1800

---

🏁 Script executed:

#!/bin/bash
# Verify the current state of the benchmark file
cat -n benchmark/util/strip-vt-control-characters.js

Repository: nodesource/nsolid

Length of output: 1885

---

🌐 Web query:

benchmark/util/strip-vt-control-characters.js nodesource/nsolid github

💡 Result:

The file benchmark/util/strip-vt-control-characters.js is a Node.js core benchmark script added in PR #61833 (merged Feb 24, 2026) to test performance improvements in util.stripVTControlCharacters, particularly a fast path for strings without ANSI escape codes using String.prototype.indexOf checks for ESC (\u001B) and CSI (\u009B). It benchmarks short/long inputs with/without ANSI codes using Node's benchmark runner, showing ~1.93x faster for short non-ANSI and ~6.91x for long non-ANSI strings. No evidence found of this exact file or path in nodesource/nsolid GitHub repository (https://github.com/nodesource/nsolid), which is a Node.js fork (latest branch node-v24.x-nsolid-v6.x, last push Apr 2, 2026). N|Solid does not appear to have a public 'benchmark/util' directory or specific references to this file. NodeSource maintains separate benchmark repos like nodejs-package-benchmark, but none match this path. The query likely refers to the Node.js core file, possibly in context of N|Solid performance testing.

Citations:

• 1: util: add fast path to stripVTControlCharacters nodejs/node#61833
• 2: nodejs/node@192c0382f4
• 3: https://github.com/nodesource/nsolid
• 4: https://github.com/nodesource/nsolid/pulls
• 5: https://github.com/nodesource/nodejs-package-benchmark

---

🌐 Web query:

site:github.com/nodejs/node benchmark/util/strip-vt-control-characters.js raw content

💡 Result:

'use strict'; const common = require('../common.js'); const { stripVTControlCharacters } = require('node:util'); const assert = require('node:assert'); const bench = common.createBenchmark(main, { input: ['noAnsi-short', 'noAnsi-long', 'ansi-short', 'ansi-long'], n: [1e6], }); function main({ input, n }) { let str; switch (input) { case 'noAnsi-short': str = 'This is a plain text string without any ANSI codes'; break; case 'noAnsi-long': str = 'Long plain text without ANSI. '.repeat(333); break; case 'ansi-short': str = '\u001B[31mHello\u001B[39m'; break; case 'ansi-long': str = ('\u001B[31m' + 'colored text '.repeat(10) + '\u001B[39m').repeat(10); break; } bench.start; for (let i = 0; i < n; i++) { const result = stripVTControlCharacters(str); assert.ok(typeof result === 'string'); } bench.end(n); }

Citations:

• 1: nodejs/node@192c0382f4

---

Move assertion out of the timed loop to avoid skewed benchmark results.

The assertion at line 33 adds overhead to every measured iteration, so the benchmark no longer isolates stripVTControlCharacters performance.

⚙️ Proposed fix

-  bench.start;
+  bench.start();
+  let result;
   for (let i = 0; i < n; i++) {
-    const result = stripVTControlCharacters(str);
-    assert.ok(typeof result === 'string');
+    result = stripVTControlCharacters(str);
    }
    bench.end(n);
+  assert.strictEqual(typeof result, 'string');

(Note: Also fix missing parentheses in bench.start() call.)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@benchmark/util/strip-vt-control-characters.js` around lines 30 - 34, The
benchmark currently measures extra overhead because assert.ok is executed inside
the timed loop and bench.start/stop are misused; move the assertion out of the
measured section by declaring let result; before the loop, call bench.start()
correctly, run for (let i = 0; i < n; i++) { result =
stripVTControlCharacters(str); } then call bench.stop() and finally call
assert.ok(typeof result === 'string'); ensure you reference the existing symbols
stripVTControlCharacters, bench.start(), bench.stop(), assert.ok and the result
variable so the assertion no longer skews timing.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Add boundary check to prevent over-enqueueing in edge cases.

The start method enqueues bufferSize items without checking whether bufferSize > n. While the current benchmark configuration ensures bufferSize is always much smaller than n, this could cause the stream to enqueue more items than intended if the parameters are changed. The pull method correctly uses Math.min(bufferSize, n - enqueued) at line 27.

🛡️ Proposed fix to add consistent boundary checking

     start(controller) {
       // Pre-fill the buffer
-      for (let i = 0; i < bufferSize; i++) {
+      const toEnqueue = Math.min(bufferSize, n);
+      for (let i = 0; i < toEnqueue; i++) {
         controller.enqueue('a');
         enqueued++;
       }
     },

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	start(controller) {
	// Pre-fill the buffer
	for (let i = 0; i < bufferSize; i++) {
	controller.enqueue('a');
	enqueued++;
	}
	start(controller) {
	// Pre-fill the buffer
	const toEnqueue = Math.min(bufferSize, n);
	for (let i = 0; i < toEnqueue; i++) {
	controller.enqueue('a');
	enqueued++;
	}
	},

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@benchmark/webstreams/readable-read-buffered.js` around lines 18 - 23, The
start(controller) implementation enqueues bufferSize items without checking
remaining quota, risking over-enqueueing when bufferSize > n; update start to
use the same boundary logic as pull by computing count = Math.min(bufferSize, n
- enqueued) (or equivalent) and only loop/enqueue that many times, referencing
the existing symbols start, controller, bufferSize, enqueued, and n to locate
and fix the logic.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

In GYP/MSVS builds, does adding -gtotarget_defaults.cflags enable debug symbols for Windows/MSVC or clang-cl, and what is the correct equivalent setting if not?

💡 Result:

No, adding -g to target_defaults.cflags does not enable debug symbols for Windows/MSVC or clang-cl builds in GYP/MSVS generators. The cflags are Unix-style flags primarily used by make/ninja generators. For MSVS (Visual Studio) generator, cflags are typically ignored or not translated to MSVC-specific flags like /Zi, /Z7, or /DEBUG for debug symbols. The correct equivalent is to use 'configurations' with 'msvs_settings': 'configurations': { 'Debug': { 'msvs_settings': { 'VCCLCompilerTool': { 'DebugInformationFormat': '3', # /Zi (Program Database) }, 'VCLinkerTool': { 'GenerateDebugInformation': 'true', } } } } For newer MSBuild (VS2010+), it maps to ClCompile/DebugInformationFormat = 'ProgramDatabase [/Zi]' and Link/GenerateDebugInformation = 'true [/DEBUG]'. This is evident from GYP's MSVS generator code which processes msvs_settings into VCProj/VCXProj tool settings for ClCompile/Link, including DebugInformationFormat (values like 1=Disabled, 3=Zi, 4=Z7), while cflags! are used to remove flags but generic cflags like -g are not specially handled for MSVS. For clang-cl, since it emulates MSVC driver, it recognizes MSVC flags (/Zi, /Z7) rather than -g, so same msvs_settings apply when using MSVS generator. Sources confirm MSVSSettings.py validates settings like DebugInformationFormat/BasicRuntimeChecks for VCCLCompilerTool/ClCompile, and generator/msvs.py applies msvs_settings to tools.

Citations:

• 1: https://chromium.googlesource.com/external/gyp/+/md-pages/docs/LanguageSpecification.md
• 2: https://gyp3.org/docs/UserDocumentation.html
• 3: https://github.com/nodejs/node-gyp/blob/main/gyp/pylib/gyp/generator/msvs.py
• 4: https://github.com/nodejs/node-gyp/blob/085b445d/gyp/pylib/gyp/generator/msvs.py
• 5: https://android.googlesource.com/platform/external/v8/+/30d0143/tools/gyp/pylib/gyp/generator/msvs.py
• 6: https://chromium.googlesource.com/external/gyp.git/+/master/pylib/gyp/generator/msvs.py
• 7: https://github.com/nodejs/node-gyp/blob/main/gyp/pylib/gyp/MSVSSettings.py
• 8: https://github.com/nodejs/node-gyp/blob/085b445d/gyp/pylib/gyp/MSVSSettings.py
• 9: https://github.com/nodejs/node-gyp/blob/main/gyp/pylib/gyp/MSVSSettings_test.py
• 10: https://chromium.googlesource.com/experimental/external/gyp/+/refs/heads/master/pylib/gyp/MSVSSettings_test.py

---

🏁 Script executed:

# First, let's examine the configure.py file around the lines mentioned in the review
cd /tmp && find . -name "configure.py" -type f 2>/dev/null | head -5

Repository: nodesource/nsolid

Length of output: 1885

---

🏁 Script executed:

# List files to understand repo structure
git ls-files | grep -E "configure\.(py|js)" | head -10

Repository: nodesource/nsolid

Length of output: 1885

---

🏁 Script executed:

# Check the actual configure.py implementation at the relevant lines
head -1580 configure.py | tail -15

Repository: nodesource/nsolid

Length of output: 1885

---

🏁 Script executed:

# Search for how --debug-symbols is used after line 1578
sed -n '1570,1600p' configure.py

Repository: nodesource/nsolid

Length of output: 1885

---

🏁 Script executed:

# Search for Windows/MSVS specific debug symbol handling
rg -n "debug.*symbol|msvs.*debug|cflags.*debug" configure.py -A 2 -B 2

Repository: nodesource/nsolid

Length of output: 1885

---

Add MSVC-specific debug symbol flags for Windows builds.

Line 1578 injects -g via cflags, which is a Unix/GNU-Clang flag. The GYP MSVS generator does not translate -g to MSVC debug info flags (/Zi, /Z7, /DEBUG). For Windows/MSVC and clang-cl builds to generate debug symbols, the code must use msvs_settings with VCCLCompilerTool/ClCompile configuration (DebugInformationFormat) and linker settings (GenerateDebugInformation). The current implementation will only enable debug symbols on Unix-like toolchains (make/ninja with GCC/Clang), not on Windows.

Affects lines: 1576–1578

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@configure.py` around lines 108 - 112, The --debug-symbols parser flag
currently only adds a Unix -g cflag, so update the GYP generation to also set
MSVC-specific debug settings when debug_symbols is true: instead of relying
solely on cflags, add msvs_settings entries for the compile and link steps
(e.g., set VCCLCompilerTool/ClCompile DebugInformationFormat to an appropriate
value like "Zi" or "Z7" and set the linker
GenerateDebugInformation/LinkerSetting to true) and ensure clang-cl builds map
to these MSVC settings as well; locate where debug_symbols is checked and -g is
injected (the code that appends to cflags) and augment it to emit the
msvs_settings blocks for Windows/MSVC toolchains.

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Check both coordinate writes before parsing the uncompressed point.

Line 3566 and Line 3567 ignore the result of encodePaddedInto(). If either coordinate is null or wider than field_len, this buffer stays zero-filled and the new fast path can feed substituted coordinates into EC_POINT_oct2point() instead of failing. The old affine-coordinate path rejected that input; this branch should do the same.

Proposed fix

   // Field element byte length: ceil(degree_bits / 8).
   size_t field_len = (EC_GROUP_get_degree(group) + 7) / 8;
   // Build an uncompressed point: 0x04 || x || y, each padded to field_len.
   size_t uncompressed_len = 1 + 2 * field_len;
   auto buf = DataPointer::Alloc(uncompressed_len);
   if (!buf) return false;
   unsigned char* ptr = static_cast<unsigned char*>(buf.get());
   ptr[0] = POINT_CONVERSION_UNCOMPRESSED;
-  x.encodePaddedInto(ptr + 1, field_len);
-  y.encodePaddedInto(ptr + 1 + field_len, field_len);
+  if (x.encodePaddedInto(ptr + 1, field_len) != field_len ||
+      y.encodePaddedInto(ptr + 1 + field_len, field_len) != field_len) {
+    return false;
+  }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	// Field element byte length: ceil(degree_bits / 8).
	size_t field_len = (EC_GROUP_get_degree(group) + 7) / 8;
	// Build an uncompressed point: 0x04 || x || y, each padded to field_len.
	size_t uncompressed_len = 1 + 2 * field_len;
	auto buf = DataPointer::Alloc(uncompressed_len);
	if (!buf) return false;
	unsigned char* ptr = static_cast<unsigned char*>(buf.get());
	ptr[0] = POINT_CONVERSION_UNCOMPRESSED;
	x.encodePaddedInto(ptr + 1, field_len);
	y.encodePaddedInto(ptr + 1 + field_len, field_len);
	// Field element byte length: ceil(degree_bits / 8).
	size_t field_len = (EC_GROUP_get_degree(group) + 7) / 8;
	// Build an uncompressed point: 0x04 || x || y, each padded to field_len.
	size_t uncompressed_len = 1 + 2 * field_len;
	auto buf = DataPointer::Alloc(uncompressed_len);
	if (!buf) return false;
	unsigned char* ptr = static_cast<unsigned char*>(buf.get());
	ptr[0] = POINT_CONVERSION_UNCOMPRESSED;
	if (x.encodePaddedInto(ptr + 1, field_len) != field_len ||
	y.encodePaddedInto(ptr + 1 + field_len, field_len) != field_len) {
	return false;
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deps/ncrypto/ncrypto.cc` around lines 3558 - 3567, The uncompressed-point
build currently ignores the return values of x.encodePaddedInto(...) and
y.encodePaddedInto(...), which can leave the buffer zero-filled and allow
invalid coordinates to be fed into EC_POINT_oct2point(); modify the code around
DataPointer::Alloc/uncompressed_len/ptr and the two calls to encodePaddedInto so
you check each call's boolean/result and if either encodePaddedInto fails return
false (or otherwise abort) before calling EC_POINT_oct2point(); ensure you
reference the same symbols (ptr, field_len, encodePaddedInto,
EC_POINT_oct2point) so the function rejects bad/null/oversized coordinates the
same way as the affine path.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Sort verified before emitting JSON to keep output deterministic.

this.verified is appended during concurrent pMap execution, so result order can vary run-to-run. Stable ordering helps CI automation and snapshot consumers.

Suggested fix

     if (this.npm.config.get('json')) {
       const result = { invalid, missing }
       if (this.npm.config.get('include-attestations')) {
-        result.verified = this.verified
+        result.verified = this.verified.slice().sort(sortAlphabetically)
       }
       output.buffer(result)
       return
     }

Also applies to: 359-366

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@deps/npm/lib/utils/verify-signatures.js` around lines 63 - 67, Before
emitting the JSON, ensure the attestations array is sorted so output is
deterministic: when building result with result.verified = this.verified
(guarded by this.npm.config.get('include-attestations')), sort this.verified
into a stable, well-defined order (e.g., by a unique key or string compare)
before calling output.buffer(result); apply the same sorting change to the other
occurrence that assigns result.verified around the later block (the one at the
other location referenced in the review) so both outputs are deterministic.

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

configure.py (1)

1576-1578: ⚠️ Potential issue | 🟠 Major

--debug-symbols currently misses Windows/MSVS debug symbol generation.

Line 1578 only appends -g to cflags. For MSVS/clang-cl project generation, this does not provide the equivalent /Zi + /DEBUG settings, so the flag is ineffective on Windows MSVS builds.

💡 Proposed fix

   o['variables']['debug_symbols'] = b(options.debug_symbols)
   if options.debug_symbols:
-    o['cflags'] += ['-g']
+    if flavor == 'win':
+      msvs_settings = o.setdefault('msvs_settings', {})
+      cxx_tool = msvs_settings.setdefault('VCCLCompilerTool', {})
+      linker_tool = msvs_settings.setdefault('VCLinkerTool', {})
+      # /Zi
+      cxx_tool['DebugInformationFormat'] = '3'
+      # /DEBUG
+      linker_tool['GenerateDebugInformation'] = 'true'
+    else:
+      o['cflags'] += ['-g']

Use this read-only verification script to confirm the gap:

#!/bin/bash
set -euo pipefail

# Locate where --debug-symbols is parsed/applied.
rg -n -C3 --type=py -- '--debug-symbols|debug_symbols|\\-g' configure.py

# Check whether MSVC debug-info settings exist near this flow.
rg -n -C3 --type=py 'DebugInformationFormat|GenerateDebugInformation|VCCLCompilerTool|VCLinkerTool' configure.py

# Cross-check whether these settings are configured elsewhere in repo.
rg -n -C2 'DebugInformationFormat|GenerateDebugInformation'

Expected result: configure.py shows -g injection for debug_symbols, but no corresponding DebugInformationFormat/GenerateDebugInformation wiring in that code path.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@configure.py` around lines 1576 - 1578, The patch only appends "-g" to
o['cflags'] when options.debug_symbols is set, which doesn't enable
MSVC/clang-cl debug info; update the branch that handles options.debug_symbols
(check symbols o['variables']['debug_symbols'], options.debug_symbols, and
o['cflags']) to detect MSVC/clang-cl toolchains and add the MSVC equivalents:
append "/Zi" to the MSVC/clang-cl compiler flags (e.g., o['cflags'] or the
MSVC-specific flag list) and ensure the linker receives "/DEBUG" (e.g., add to
o['ldflags'] or the MSVC linker flag list), leaving "-g" for GCC/Clang; use the
existing compiler/host detection logic in the file to choose which flags to add
so Windows MSVC project generation gets "/Zi" + "/DEBUG".

🧹 Nitpick comments (1)

Makefile (1)

342-361: checkmake maxbodylength warnings: confirm CI policy; consider delegating to *-impl targets.

Static analysis flags test and test-only for exceeding checkmake’s allowed recipe line counts. If CI treats this as a failure, we should reduce the test/test-only recipe bodies (e.g., move the existing commands into test-impl and test-only-impl, then make test/test-only invoke those with a single $(MAKE) line).

Optional refactor sketch

+.PHONY: test-impl
+test-impl:
+	$(MAKE) -s tooltest
+	$(MAKE) -s test-doc
+	$(MAKE) -s build-addons
+	$(MAKE) -s build-js-native-api-tests
+	$(MAKE) -s build-node-api-tests
+	$(MAKE) -s build-sqlite-tests
+	$(MAKE) -s cctest
+	$(MAKE) -s jstest
+
 test: all ## Run default tests and build docs.
-	$(MAKE) -s tooltest
-	$(MAKE) -s test-doc
-	$(MAKE) -s build-addons
-	$(MAKE) -s build-js-native-api-tests
-	$(MAKE) -s build-node-api-tests
-	$(MAKE) -s build-sqlite-tests
-	$(MAKE) -s cctest
-	$(MAKE) -s jstest
+	$(MAKE) -s test-impl
+
+.PHONY: test-only-impl
+test-only-impl:
+	$(MAKE) build-addons
+	$(MAKE) build-js-native-api-tests
+	$(MAKE) build-node-api-tests
+	$(MAKE) build-sqlite-tests
+	$(MAKE) cctest
+	$(MAKE) jstest
+	$(MAKE) tooltest
 
 test-only: all  ## Run default tests without building the docs.
-	$(MAKE) build-addons
-	$(MAKE) build-js-native-api-tests
-	$(MAKE) build-node-api-tests
-	$(MAKE) build-sqlite-tests
-	$(MAKE) cctest
-	$(MAKE) jstest
-	$(MAKE) tooltest
+	$(MAKE) -s test-only-impl

Please confirm whether your CI currently fails on checkmake maxbodylength warnings for Makefile targets (vs only reporting them). If it fails, the delegation refactor above should be prioritized.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 342 - 361, Reduce the recipe body for the Makefile
targets flagged by checkmake (test and test-only) by moving their multiple
command lines into new helper targets (e.g., test-impl and test-only-impl) and
update test and test-only to delegate with a single invocation like "$(MAKE) -s
test-impl" or "$(MAKE) test-only-impl"; ensure the helper targets contain the
original sequence of sub-target calls (tooltest, test-doc, build-addons,
build-js-native-api-tests, build-node-api-tests, build-sqlite-tests, cctest,
jstest) and keep the PHONY declarations for the new impl targets to match
existing behavior.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@configure.py`:
- Line 1823: The list comprehension that appends libraries uses an ambiguous
loop variable `l`; update the comprehension that modifies output['libraries']
(the expression using default_libs.split(',')) to use a descriptive name such as
`lib` or `library` instead of `l` (e.g., replace `f'-l{l}' for l in
default_libs.split(',')` with `f'-l{lib}' for lib in default_libs.split(',')`)
so Ruff E741 is resolved while preserving the same behavior.

---

Duplicate comments:
In `@configure.py`:
- Around line 1576-1578: The patch only appends "-g" to o['cflags'] when
options.debug_symbols is set, which doesn't enable MSVC/clang-cl debug info;
update the branch that handles options.debug_symbols (check symbols
o['variables']['debug_symbols'], options.debug_symbols, and o['cflags']) to
detect MSVC/clang-cl toolchains and add the MSVC equivalents: append "/Zi" to
the MSVC/clang-cl compiler flags (e.g., o['cflags'] or the MSVC-specific flag
list) and ensure the linker receives "/DEBUG" (e.g., add to o['ldflags'] or the
MSVC linker flag list), leaving "-g" for GCC/Clang; use the existing
compiler/host detection logic in the file to choose which flags to add so
Windows MSVC project generation gets "/Zi" + "/DEBUG".

---

Nitpick comments:
In `@Makefile`:
- Around line 342-361: Reduce the recipe body for the Makefile targets flagged
by checkmake (test and test-only) by moving their multiple command lines into
new helper targets (e.g., test-impl and test-only-impl) and update test and
test-only to delegate with a single invocation like "$(MAKE) -s test-impl" or
"$(MAKE) test-only-impl"; ensure the helper targets contain the original
sequence of sub-target calls (tooltest, test-doc, build-addons,
build-js-native-api-tests, build-node-api-tests, build-sqlite-tests, cctest,
jstest) and keep the PHONY declarations for the new impl targets to match
existing behavior.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: d293ac7c-c589-4fe9-a01b-77b0064ca57c

📥 Commits

Reviewing files that changed from the base of the PR and between c86d1e3 and a1e0379.

📒 Files selected for processing (7)

• BUILDING.md
• Makefile
• agents/statsd/src/binding.cc
• agents/zmq/src/binding.cc
• agents/zmq/src/http_client.h
• common.gypi
• configure.py

✅ Files skipped from review due to trivial changes (4)

• common.gypi
• agents/zmq/src/binding.cc
• agents/zmq/src/http_client.h
• agents/statsd/src/binding.cc

🚧 Files skipped from review as they are similar to previous changes (1)

• BUILDING.md

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Rename the loop variable to resolve Ruff E741.

Line 1823 uses l, which is flagged as ambiguous (E741). Rename to a descriptive identifier.

✏️ Proposed fix

-      output['libraries'] += [f'-l{l}' for l in default_libs.split(',')]
+      output['libraries'] += [f'-l{lib_name}' for lib_name in default_libs.split(',')]

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	output['libraries'] += [f'-l{l}' for l in default_libs.split(',')]
	output['libraries'] += [f'-l{lib_name}' for lib_name in default_libs.split(',')]

🧰 Tools

🪛 Ruff (0.15.12)

[error] 1823-1823: Ambiguous variable name: l

(E741)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@configure.py` at line 1823, The list comprehension that appends libraries
uses an ambiguous loop variable `l`; update the comprehension that modifies
output['libraries'] (the expression using default_libs.split(',')) to use a
descriptive name such as `lib` or `library` instead of `l` (e.g., replace
`f'-l{l}' for l in default_libs.split(',')` with `f'-l{lib}' for lib in
default_libs.split(',')`) so Ruff E741 is resolved while preserving the same
behavior.