feat: allow defaulting to printer default page size (#49812)

Co-authored-by: Edvan de Matos <edvan.santos@querodelivery.com>

.github/PULL_REQUEST_TEMPLATE.md

@@ -11,7 +11,6 @@ Contributors guide: https://github.com/electron/electron/blob/main/CONTRIBUTING.
 <!-- Remove items that do not apply. For completed items, change [ ] to [x]. -->
 
 - [ ] PR description included
-- [ ] I have built and tested this PR
 - [ ] `npm test` passes
 - [ ] tests are [changed or added](https://github.com/electron/electron/blob/main/docs/development/testing.md)
 - [ ] relevant API documentation, tutorials, and examples are updated and follow the [documentation style guide](https://github.com/electron/electron/blob/main/docs/development/style-guide.md)

.github/actions/build-electron/action.yml

@@ -26,9 +26,6 @@ inputs:
   is-asan:
     description: 'The ASan Linux build'
     required: false
-  upload-out-gen-artifacts:
-    description: 'Whether to upload the out/${dir}/gen artifacts'
-    required: false
 runs:
   using: "composite"
   steps:
@@ -98,7 +95,7 @@ runs:
         # Upload build stats to Datadog
         if ($env:DD_API_KEY) {
           try {
-            npx node electron\script\build-stats.mjs out\Default\siso.exe.INFO --upload-stats
+            npx node electron\script\build-stats.mjs out\Default\siso.exe.INFO --upload-stats ; $LASTEXITCODE = 0
           } catch {
             Write-Host "Build stats upload failed, continuing..."
           }
@@ -283,9 +280,3 @@ runs:
       with:
         name: src_artifacts_${{ env.ARTIFACT_KEY }}
         path: ./src_artifacts_${{ inputs.artifact-platform }}_${{ inputs.target-arch }}
-    - name: Upload Out Gen Artifacts ${{ inputs.step-suffix }}
-      if: ${{ inputs.upload-out-gen-artifacts == 'true' }}
-      uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
-      with:
-        name: out_gen_artifacts_${{ env.ARTIFACT_KEY }}
-        path: ./src/out/Default/gen

.github/copilot-instructions.md

@@ -0,0 +1,122 @@
+# Copilot Instructions for Electron
+
+## Build System
+
+Electron uses `@electron/build-tools` (`e` CLI). Install with `npm i -g @electron/build-tools`.
+
+```bash
+e sync              # Fetch sources and apply patches
+e build             # Build Electron (GN + Ninja)
+e build -k 999      # Build, continuing through errors
+e start             # Run built Electron
+e start --version   # Verify Electron launches
+e test              # Run full test suite
+e debug             # Run in debugger (lldb on macOS, gdb on Linux)
+```
+
+### Linting
+
+```bash
+npm run lint              # Run all linters (JS, C++, Python, GN, docs)
+npm run lint:js           # JavaScript/TypeScript only
+npm run lint:clang-format # C++ formatting only
+npm run lint:cpp          # C++ linting only
+npm run lint:docs         # Documentation only
+```
+
+### Running a Single Test
+
+```bash
+npm run test -- -g "pattern"   # Run tests matching a regex pattern
+# Example: npm run test -- -g "ipc"
+```
+
+### Running a Single Node.js Test
+
+```bash
+node script/node-spec-runner.js parallel/test-crypto-keygen
+```
+
+## Architecture
+
+Electron embeds Chromium (rendering) and Node.js (backend) to enable desktop apps with web technologies. The parent directory (`../`) is the Chromium source tree.
+
+### Process Model
+
+Electron has two primary process types, mirroring Chromium:
+
+- **Main process** (`shell/browser/` + `lib/browser/`): Controls app lifecycle, creates windows, system APIs
+- **Renderer process** (`shell/renderer/` + `lib/renderer/`): Runs web content in BrowserWindows
+
+### Native ↔ JavaScript Bridge
+
+Each API is implemented as a C++/JS pair:
+
+- C++ side: `shell/browser/api/electron_api_{name}.cc/.h` — uses `gin::Wrappable` and `ObjectTemplateBuilder`
+- JS side: `lib/browser/api/{name}.ts` — exports the module, registered in `lib/browser/api/module-list.ts`
+- Binding: `NODE_LINKED_BINDING_CONTEXT_AWARE(electron_browser_{name}, Initialize)` in C++ and registered in `shell/common/node_bindings.cc`
+- Type declaration: `typings/internal-ambient.d.ts` maps `process._linkedBinding('electron_browser_{name}')`
+
+### Patches System
+
+Electron patches upstream dependencies (Chromium, Node.js, V8, etc.) rather than forking them. Patches live in `patches/` organized by target, with `patches/config.json` mapping directories to repos.
+
+```text
+patches/{target}/*.patch  →  [e sync]   →  target repo commits
+                          ←  [e patches] ←
+```
+
+Key rules:
+
+- Fix existing patches rather than creating new ones
+- Preserve original authorship in TODO comments — never change `TODO(name)` assignees
+- Each patch commit message must explain why the patch exists
+- After modifying patches, run `e patches {target}` to export
+
+When working on the `roller/chromium/main` branch for Chromium upgrades, use `e sync --3` for 3-way merge conflict resolution.
+
+## Conventions
+
+### File Naming
+
+- JS/TS files: kebab-case (`file-name.ts`)
+- C++ files: snake_case with `electron_api_` prefix (`electron_api_safe_storage.cc`)
+- Test files: `api-{module-name}-spec.ts` in `spec/`
+- Source file lists are maintained in `filenames.gni` (with platform-specific sections)
+
+### JavaScript/TypeScript
+
+- Semicolons required (`"semi": ["error", "always"]`)
+- `const` and `let` only (no `var`)
+- Arrow functions preferred
+- Import order enforced: `@electron/internal` → `@electron` → `electron` → external → builtin → relative
+- API naming: `PascalCase` for classes (`BrowserWindow`), `camelCase` for module APIs (`globalShortcut`)
+- Prefer getters/setters over jQuery-style `.text([text])` patterns
+
+### C++
+
+- Follows Chromium coding style, enforced by `clang-format` and `clang-tidy`
+- Uses Chromium abstractions (`base::`, `content::`, etc.)
+- Header guards: `#ifndef ELECTRON_SHELL_BROWSER_API_ELECTRON_API_{NAME}_H_`
+- Platform-specific files: `_mac.mm`, `_win.cc`, `_linux.cc`
+
+### Testing
+
+- Framework: Mocha + Chai + Sinon
+- Test helpers in `spec/lib/` (e.g., `spec-helpers.ts`, `window-helpers.ts`)
+- Use `defer()` from spec-helpers for cleanup, `closeAllWindows()` for window teardown
+- Tests import from `electron/main` or `electron/renderer`
+
+### Documentation
+
+- API docs in `docs/api/` as Markdown, parsed by `@electron/docs-parser` to generate `electron.d.ts`
+- API history tracked via YAML blocks in HTML comments within doc files
+- Docs must pass `npm run lint:docs`
+
+### Build Configuration
+
+- `BUILD.gn`: Main GN build config
+- `buildflags/buildflags.gni`: Feature flags (PDF viewer, extensions, spellchecker)
+- `build/args/`: Build argument profiles (`testing.gn`, `release.gn`, `all.gn`)
+- `DEPS`: Dependency versions and checkout paths
+- `chromium_src/`: Chromium source file overrides (compiled instead of originals)

.github/workflows/archaeologist-dig.yml

@@ -13,11 +13,11 @@ jobs:
       contents: read
     steps:
       - name: Checkout Electron
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
         with:
           fetch-depth: 0
       - name: Setup Node.js/npm
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
         with:
           node-version: 24.12.x
       - name: Setting Up Dig Site

.github/workflows/audit-branch-ci.yml

@@ -11,17 +11,16 @@ permissions: {}
 jobs:
   audit_branch_ci:
     name: Audit CI on Branches
-    if: github.repository == 'electron/electron'
     runs-on: ubuntu-latest
     permissions:
       contents: read
     steps:
       - name: Setup Node.js
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version: 22.17.x
       - name: Sparse checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           sparse-checkout: |
             .

.github/workflows/branch-created.yml

@@ -14,7 +14,7 @@ permissions: {}
 jobs:
   release-branch-created:
     name: Release Branch Created
-    if: ${{ github.repository == 'electron/electron' && (github.event_name == 'workflow_dispatch' || (github.event.ref_type == 'branch' && endsWith(github.event.ref, '-x-y') && !startsWith(github.event.ref, 'roller'))) }}
+    if: ${{ github.event_name == 'workflow_dispatch' || (github.event.ref_type == 'branch' && endsWith(github.event.ref, '-x-y') && !startsWith(github.event.ref, 'roller')) }}
     permissions:
       contents: read
       pull-requests: write
@@ -68,7 +68,7 @@ jobs:
           done
       - name: Generate GitHub App token
         if: ${{ steps.check-major-version.outputs.MAJOR }}
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}

.github/workflows/build-git-cache.yml

@@ -10,7 +10,6 @@ permissions: {}
 
 jobs:
   build-git-cache-linux:
-    if: github.repository == 'electron/electron'
     runs-on: electron-arc-centralus-linux-amd64-32core
     permissions:
       contents: read
@@ -24,7 +23,7 @@ jobs:
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -34,7 +33,6 @@ jobs:
         target-platform: linux
 
   build-git-cache-windows:
-    if: github.repository == 'electron/electron'
     runs-on: electron-arc-centralus-linux-amd64-32core
     permissions:
       contents: read
@@ -49,7 +47,7 @@ jobs:
       TARGET_OS: 'win'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -59,7 +57,6 @@ jobs:
         target-platform: win
 
   build-git-cache-macos:
-    if: github.repository == 'electron/electron'
     runs-on: electron-arc-centralus-linux-amd64-32core
     permissions:
       contents: read
@@ -75,7 +72,7 @@ jobs:
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/build.yml

@@ -47,7 +47,6 @@ permissions: {}
 
 jobs:
   setup:
-    if: github.repository == 'electron/electron'
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -58,7 +57,7 @@ jobs:
         build-image-sha: ${{ steps.set-output.outputs.build-image-sha }}
         docs-only: ${{ steps.set-output.outputs.docs-only }}
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         ref: ${{ github.event.pull_request.head.sha }}
     - uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
@@ -125,7 +124,7 @@ jobs:
       build-image-sha: ${{ needs.setup.outputs.build-image-sha }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -157,7 +156,7 @@ jobs:
       build-image-sha: ${{ needs.setup.outputs.build-image-sha}}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -189,7 +188,7 @@ jobs:
       build-image-sha: ${{ needs.setup.outputs.build-image-sha}}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -284,15 +283,13 @@ jobs:
       contents: read
       issues: read
       pull-requests: read
-    uses: ./.github/workflows/pipeline-electron-build-and-tidy-and-test-and-nan.yml
+    uses: ./.github/workflows/pipeline-electron-build-and-test-and-nan.yml
     needs: checkout-linux
     if: ${{ needs.setup.outputs.src == 'true' }}
     with:
       build-runs-on: electron-arc-centralus-linux-amd64-32core
-      clang-tidy-runs-on: electron-arc-centralus-linux-amd64-8core
       test-runs-on: electron-arc-centralus-linux-amd64-4core
       build-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
-      clang-tidy-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root","volumes":["/mnt/cross-instance-cache:/mnt/cross-instance-cache"]}'
       test-container: '{"image":"ghcr.io/electron/build:${{ needs.checkout-linux.outputs.build-image-sha }}","options":"--user root --privileged --init"}'
       target-platform: linux
       target-arch: x64
@@ -429,7 +426,7 @@ jobs:
     permissions:
       contents: read
     needs: [docs-only, macos-x64, macos-arm64, linux-x64, linux-x64-asan, linux-arm, linux-arm64, windows-x64, windows-x86, windows-arm64]
-    if: always() && github.repository == 'electron/electron' && !contains(needs.*.result, 'failure')
+    if: always() && !contains(needs.*.result, 'failure')
     steps: 
     - name: GitHub Actions Jobs Done
       run: |

.github/workflows/clean-src-cache.yml

@@ -12,7 +12,6 @@ permissions: {}
 
 jobs:
   clean-src-cache:
-    if: github.repository == 'electron/electron'
     runs-on: electron-arc-centralus-linux-amd64-32core
     permissions:
       contents: read

.github/workflows/issue-commented.yml

@@ -21,7 +21,7 @@ jobs:
           AUTHOR_ASSOCIATION=$(gh api /repos/electron/electron/issues/comments/${{ github.event.comment.id }} --jq '.author_association')
           echo "author_association=$AUTHOR_ASSOCIATION" >> "$GITHUB_OUTPUT"
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         if: ${{ !contains(fromJSON('["MEMBER", "OWNER", "COLLABORATOR"]'), steps.get-author-association.outputs.author_association) }}
         id: generate-token
         with:

.github/workflows/issue-labeled.yml

@@ -15,7 +15,7 @@ jobs:
       contents: read
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -36,7 +36,7 @@ jobs:
       contents: read
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -69,7 +69,7 @@ jobs:
           fi
       - name: Generate GitHub App token
         if: ${{ steps.check-for-comment.outputs.SHOULD_COMMENT }}
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}

.github/workflows/issue-opened.yml

@@ -14,7 +14,7 @@ jobs:
     permissions: {}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -32,13 +32,13 @@ jobs:
     permissions: {}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
           org: electron
       - name: Sparse checkout repository
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           sparse-checkout: |
             .

.github/workflows/issue-transferred.yml

@@ -14,7 +14,7 @@ jobs:
     if: ${{ !github.event.changes.new_repository.private }}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}

.github/workflows/issue-unlabeled.yml

@@ -24,7 +24,7 @@ jobs:
           fi
       - name: Generate GitHub App token
         if: ${{ steps.check-for-blocked-labels.outputs.NOT_BLOCKED }}
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}

.github/workflows/linux-publish.yml

@@ -21,7 +21,6 @@ permissions: {}
 
 jobs:
   checkout-linux:
-    if: github.repository == 'electron/electron'
     runs-on: electron-arc-centralus-linux-amd64-32core
     permissions:
       contents: read
@@ -36,7 +35,7 @@ jobs:
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/macos-disk-cleanup.yml

@@ -13,7 +13,6 @@ permissions: {}
 
 jobs:
   macos-disk-cleanup:
-    if: github.repository == 'electron/electron'
     strategy:
       fail-fast: false
       matrix:
@@ -26,7 +25,7 @@ jobs:
       contents: read
     steps:
       - name: Checkout
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           sparse-checkout: |
             .github/actions/free-space-macos

.github/workflows/macos-publish.yml

@@ -22,7 +22,6 @@ permissions: {}
 
 jobs:
   checkout-macos:
-    if: github.repository == 'electron/electron'
     runs-on: electron-arc-centralus-linux-amd64-32core
     permissions:
       contents: read
@@ -37,7 +36,7 @@ jobs:
       GCLIENT_EXTRA_ARGS: '--custom-var=checkout_mac=True --custom-var=host_os=mac'
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/pipeline-electron-build-and-tidy-and-test-and-nan.yml

@@ -1,124 +0,0 @@
-name: Electron Build & Clang Tidy & Test (+ Node + NaN) Pipeline
-
-on:
-  workflow_call:
-    inputs:
-      target-platform:
-        type: string
-        description: 'Platform to run on, can be macos, win or linux.'
-        required: true
-      target-arch:
-        type: string
-        description: 'Arch to build for, can be x64, arm64 or arm'
-        required: true
-      build-runs-on:
-        type: string
-        description: 'What host to run the build'
-        required: true
-      clang-tidy-runs-on:
-        type: string
-        description: 'What host to run clang-tidy on'
-        required: true
-      test-runs-on:
-        type: string
-        description: 'What host to run the tests on'
-        required: true
-      build-container:
-        type: string
-        description: 'JSON container information for aks runs-on'
-        required: false
-        default: '{"image":null}'
-      clang-tidy-container:
-        type: string
-        description: 'JSON container information to run clang-tidy on'
-        required: false
-        default: '{"image":null}'
-      test-container:
-        type: string
-        description: 'JSON container information for testing'
-        required: false
-        default: '{"image":null}'
-      is-release:
-        description: 'Whether this build job is a release job'
-        required: true
-        type: boolean
-        default: false
-      gn-build-type:
-        description: 'The gn build type - testing or release'
-        required: true
-        type: string
-        default: testing
-      generate-symbols: 
-        description: 'Whether or not to generate symbols'
-        required: true
-        type: boolean
-        default: false
-      upload-to-storage: 
-        description: 'Whether or not to upload build artifacts to external storage'
-        required: true
-        type: string
-        default: '0'
-      is-asan: 
-        description: 'Building the Address Sanitizer (ASan) Linux build'
-        required: false
-        type: boolean
-        default: false
-
-permissions: {}
-
-concurrency:
-  group: electron-build-and-test-and-nan-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
-  cancel-in-progress: ${{ github.ref_protected != true }}
-
-jobs:
-  build:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
-    permissions:
-      contents: read
-    with:
-      build-runs-on: ${{ inputs.build-runs-on }}
-      build-container: ${{ inputs.build-container }}
-      target-platform: ${{ inputs.target-platform }}
-      target-arch: ${{ inputs.target-arch }}
-      is-release: ${{ inputs.is-release }}
-      gn-build-type: ${{ inputs.gn-build-type }}
-      generate-symbols: ${{ inputs.generate-symbols }}
-      upload-to-storage: ${{ inputs.upload-to-storage }}
-      upload-out-gen-artifacts: true
-    secrets: inherit
-  clang-tidy:
-    uses: ./.github/workflows/pipeline-segment-electron-clang-tidy.yml
-    permissions:
-      contents: read
-    needs: build
-    with:
-      clang-tidy-runs-on: ${{ inputs.clang-tidy-runs-on }}
-      clang-tidy-container: ${{ inputs.clang-tidy-container }}
-      target-platform: ${{ inputs.target-platform }}
-      target-arch: ${{ inputs.target-arch }}
-    secrets: inherit
-  test:
-    uses: ./.github/workflows/pipeline-segment-electron-test.yml
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
-    needs: build
-    with:
-      target-arch: ${{ inputs.target-arch }}
-      target-platform: ${{ inputs.target-platform }}
-      test-runs-on: ${{ inputs.test-runs-on }}
-      test-container: ${{ inputs.test-container }}
-    secrets: inherit
-  nn-test:
-    uses: ./.github/workflows/pipeline-segment-node-nan-test.yml
-    permissions:
-      contents: read
-    needs: build
-    with:
-      target-arch: ${{ inputs.target-arch }}
-      target-platform: ${{ inputs.target-platform }}
-      test-runs-on: ${{ inputs.test-runs-on }}
-      test-container: ${{ inputs.test-container }}
-      gn-build-type: ${{ inputs.gn-build-type }}
-    secrets: inherit

.github/workflows/pipeline-electron-build-and-tidy-and-test.yml

@@ -1,121 +0,0 @@
-name: Electron Build & Clang Tidy & Test Pipeline
-
-on:
-  workflow_call:
-    inputs:
-      target-platform:
-        type: string
-        description: 'Platform to run on, can be macos, win or linux'
-        required: true
-      target-arch:
-        type: string
-        description: 'Arch to build for, can be x64, arm64 or arm'
-        required: true
-      build-runs-on:
-        type: string
-        description: 'What host to run the build'
-        required: true
-      clang-tidy-runs-on:
-        type: string
-        description: 'What host to run clang-tidy on'
-        required: true
-      test-runs-on:
-        type: string
-        description: 'What host to run the tests on'
-        required: true
-      build-container:
-        type: string
-        description: 'JSON container information for aks runs-on'
-        required: false
-        default: '{"image":null}'
-      clang-tidy-container:
-        type: string
-        description: 'JSON container information to run clang-tidy on'
-        required: false
-        default: '{"image":null}'
-      test-container:
-        type: string
-        description: 'JSON container information for testing'
-        required: false
-        default: '{"image":null}'
-      is-release:
-        description: 'Whether this build job is a release job'
-        required: true
-        type: boolean
-        default: false
-      gn-build-type:
-        description: 'The gn build type - testing or release'
-        required: true
-        type: string
-        default: testing
-      generate-symbols: 
-        description: 'Whether or not to generate symbols'
-        required: true
-        type: boolean
-        default: false
-      upload-to-storage: 
-        description: 'Whether or not to upload build artifacts to external storage'
-        required: true
-        type: string
-        default: '0'
-      is-asan: 
-        description: 'Building the Address Sanitizer (ASan) Linux build'
-        required: false
-        type: boolean
-        default: false
-      enable-ssh:
-        description: 'Enable SSH debugging'
-        required: false
-        type: boolean
-        default: false
-
-concurrency:
-  group: electron-build-and-tidy-and-test-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref_protected == true && github.run_id || github.ref }}
-  cancel-in-progress: ${{ github.ref_protected != true }}
-
-permissions: {}
-
-jobs:
-  build:
-    uses: ./.github/workflows/pipeline-segment-electron-build.yml
-    permissions:
-      contents: read
-    with:
-      build-runs-on: ${{ inputs.build-runs-on }}
-      build-container: ${{ inputs.build-container }}
-      target-platform: ${{ inputs.target-platform }}
-      target-arch: ${{ inputs.target-arch }}
-      is-release: ${{ inputs.is-release }}
-      gn-build-type: ${{ inputs.gn-build-type }}
-      generate-symbols: ${{ inputs.generate-symbols }}
-      upload-to-storage: ${{ inputs.upload-to-storage }}
-      is-asan: ${{ inputs.is-asan }}
-      enable-ssh: ${{ inputs.enable-ssh }}
-      upload-out-gen-artifacts: true
-    secrets: inherit
-  clang-tidy:
-    uses: ./.github/workflows/pipeline-segment-electron-clang-tidy.yml
-    permissions:
-      contents: read
-    needs: build
-    with:
-      clang-tidy-runs-on: ${{ inputs.clang-tidy-runs-on }}
-      clang-tidy-container: ${{ inputs.clang-tidy-container }}
-      target-platform: ${{ inputs.target-platform }}
-      target-arch: ${{ inputs.target-arch }}
-    secrets: inherit
-  test:
-    uses: ./.github/workflows/pipeline-segment-electron-test.yml
-    permissions:
-      contents: read
-      issues: read
-      pull-requests: read
-    needs: build
-    with:
-      target-arch: ${{ inputs.target-arch }}
-      target-platform: ${{ inputs.target-platform }}
-      test-runs-on: ${{ inputs.test-runs-on }}
-      test-container: ${{ inputs.test-container }}
-      is-asan: ${{ inputs.is-asan }}
-      enable-ssh: ${{ inputs.enable-ssh }}
-    secrets: inherit

.github/workflows/pipeline-electron-docs-only.yml

@@ -27,7 +27,7 @@ jobs:
     container: ${{ fromJSON(inputs.container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -43,7 +43,7 @@ jobs:
       with:
         target-platform: linux
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/pipeline-electron-lint.yml

@@ -27,7 +27,7 @@ jobs:
     container: ${{ fromJSON(inputs.container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/pipeline-segment-electron-build.yml

@@ -53,11 +53,6 @@ on:
         required: false
         type: boolean
         default: false
-      upload-out-gen-artifacts:
-        description: 'Whether to upload the src/gen artifacts'
-        required: false
-        type: boolean
-        default: false
       enable-ssh:
         description: 'Enable SSH debugging'
         required: false
@@ -100,7 +95,7 @@ jobs:
       run: |
         mkdir src
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -124,7 +119,7 @@ jobs:
       run: df -h
     - name: Setup Node.js/npm
       if: ${{ inputs.target-platform == 'macos' }}
-      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
       with:
         node-version: 22.21.x
         cache: yarn
@@ -168,7 +163,7 @@ jobs:
       if: ${{ inputs.target-platform == 'linux' }}
       uses: ./src/electron/.github/actions/restore-cache-aks
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -206,7 +201,6 @@ jobs:
         generate-symbols: '${{ inputs.generate-symbols }}'
         upload-to-storage: '${{ inputs.upload-to-storage }}'
         is-asan: '${{ inputs.is-asan }}'
-        upload-out-gen-artifacts: '${{ inputs.upload-out-gen-artifacts }}'
     - name: Set GN_EXTRA_ARGS for MAS Build
       if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' || inputs.target-variant == 'mas') }}
       run: |

.github/workflows/pipeline-segment-electron-clang-tidy.yml

@@ -1,159 +0,0 @@
-name: Pipeline Segment - Electron Clang-Tidy
-
-on:
-  workflow_call:
-    inputs:
-      target-platform:
-        type: string
-        description: 'Platform to run on, can be macos, win or linux'
-        required: true
-      target-arch:
-        type: string
-        description: 'Arch to build for, can be x64, arm64 or arm'
-        required: true
-      clang-tidy-runs-on:
-        type: string
-        description: 'What host to run clang-tidy on'
-        required: true
-      clang-tidy-container:
-        type: string
-        description: 'JSON container information for aks runs-on'
-        required: false
-        default: '{"image":null}'
-
-permissions: {}
-
-concurrency:
-  group: electron-clang-tidy-${{ inputs.target-platform }}-${{ inputs.target-arch }}-${{ github.ref }}
-  cancel-in-progress: true
-
-env:
-  GCLIENT_EXTRA_ARGS: ${{ inputs.target-platform == 'macos' && '--custom-var=checkout_mac=True --custom-var=host_os=mac' || (inputs.target-platform == 'linux' && '--custom-var=checkout_arm=True --custom-var=checkout_arm64=True' || '--custom-var=checkout_win=True') }}
-  ELECTRON_OUT_DIR: Default
-
-jobs:
-  clang-tidy:
-    defaults:
-      run:
-        shell: bash
-    runs-on: ${{ inputs.clang-tidy-runs-on }}
-    permissions:
-      contents: read
-    container: ${{ fromJSON(inputs.clang-tidy-container) }}
-    env:
-      BUILD_TYPE: ${{ inputs.target-platform == 'macos' && 'darwin' || inputs.target-platform }}
-      TARGET_ARCH: ${{ inputs.target-arch }}
-      TARGET_PLATFORM: ${{ inputs.target-platform }}
-      ARTIFACT_KEY: ${{ inputs.target-platform == 'macos' && 'darwin' || inputs.target-platform }}_${{ inputs.target-arch }}
-    steps:
-    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      with:
-        path: src/electron
-        fetch-depth: 0
-        ref: ${{ github.event.pull_request.head.sha }}
-    - name: Cleanup disk space on macOS
-      if: ${{ inputs.target-platform == 'macos' }}
-      shell: bash
-      run: |   
-        sudo mkdir -p $TMPDIR/del-target
-
-        tmpify() {
-          if [ -d "$1" ]; then
-            sudo mv "$1" $TMPDIR/del-target/$(echo $1|shasum -a 256|head -n1|cut -d " " -f1)
-          fi
-        }   
-        tmpify /Library/Developer/CoreSimulator
-        tmpify ~/Library/Developer/CoreSimulator
-        sudo rm -rf $TMPDIR/del-target
-    - name: Check disk space after freeing up space
-      if: ${{ inputs.target-platform == 'macos' }}
-      run: df -h
-    - name: Set Chromium Git Cookie
-      uses: ./src/electron/.github/actions/set-chromium-cookie
-    - name: Install Build Tools
-      uses: ./src/electron/.github/actions/install-build-tools
-    - name: Enable windows toolchain
-      if: ${{ inputs.target-platform == 'win' }}
-      run: |
-        echo "ELECTRON_DEPOT_TOOLS_WIN_TOOLCHAIN=1" >> $GITHUB_ENV
-    - name: Generate DEPS Hash
-      run: |
-        node src/electron/script/generate-deps-hash.js
-        DEPSHASH=v1-src-cache-$(cat src/electron/.depshash)
-        echo "DEPSHASH=$DEPSHASH" >> $GITHUB_ENV
-        echo "CACHE_PATH=$DEPSHASH.tar" >> $GITHUB_ENV
-    - name: Restore src cache via AZCopy
-      if: ${{ inputs.target-platform == 'macos' }}
-      uses: ./src/electron/.github/actions/restore-cache-azcopy
-      with:
-        target-platform: ${{ inputs.target-platform }}      
-    - name: Restore src cache via AKS
-      if: ${{ inputs.target-platform == 'linux' || inputs.target-platform == 'win' }}
-      uses: ./src/electron/.github/actions/restore-cache-aks
-      with:
-        target-platform: ${{ inputs.target-platform }}
-    - name: Run Electron Only Hooks
-      run: |
-        echo "solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False},'managed':False}]" > tmpgclient
-        if [ "${{ inputs.target-platform }}" = "win" ]; then
-          echo "solutions=[{'name':'src/electron','url':None,'deps_file':'DEPS','custom_vars':{'process_deps':False,'install_sysroot':False,'checkout_win':True},'managed':False}]" > tmpgclient
-          echo "target_os=['win']" >> tmpgclient
-        fi
-        e d gclient runhooks --gclientfile=tmpgclient
-
-        # Fix VS Toolchain
-        if [ "${{ inputs.target-platform }}" = "win" ]; then
-          rm -rf src/third_party/depot_tools/win_toolchain/vs_files
-          e d python3 src/build/vs_toolchain.py update --force
-        fi
-    - name: Regenerate DEPS Hash
-      run: |
-        (cd src/electron && git checkout .) && node src/electron/script/generate-deps-hash.js
-        echo "DEPSHASH=$(cat src/electron/.depshash)" >> $GITHUB_ENV
-    - name: Add CHROMIUM_BUILDTOOLS_PATH to env
-      run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
-    - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
-      with:
-        path: src/electron
-        fetch-depth: 0
-        ref: ${{ github.event.pull_request.head.sha }}
-    - name: Install Dependencies
-      uses: ./src/electron/.github/actions/install-dependencies
-    - name: Default GN gen
-      run: |
-        cd src/electron
-        git pack-refs
-    - name: Download Out Gen Artifacts
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131
-      with:
-        name: out_gen_artifacts_${{ env.ARTIFACT_KEY }}
-        path: ./src/out/${{ env.ELECTRON_OUT_DIR }}/gen
-    - name: Add Clang problem matcher
-      shell: bash
-      run: echo "::add-matcher::src/electron/.github/problem-matchers/clang.json"
-    - name: Run Clang-Tidy
-      run: |
-        e init -f --root=$(pwd) --out=${ELECTRON_OUT_DIR} testing --target-cpu ${TARGET_ARCH}
-
-        export GN_EXTRA_ARGS="target_cpu=\"${TARGET_ARCH}\""
-        if [ "${{ inputs.target-platform }}" = "win" ]; then
-          export GN_EXTRA_ARGS="$GN_EXTRA_ARGS use_v8_context_snapshot=true target_os=\"win\""
-        fi
-
-        e build --only-gen
-
-        cd src/electron
-        node script/yarn.js lint:clang-tidy --jobs 8 --out-dir ../out/${ELECTRON_OUT_DIR}
-    - name: Remove Clang problem matcher
-      shell: bash
-      run: echo "::remove-matcher owner=clang::"
-    - name: Wait for active SSH sessions
-      if: always() && !cancelled()
-      shell: bash
-      run: |
-        while [ -f /var/.ssh-lock ]
-        do
-          sleep 60
-        done

.github/workflows/pipeline-segment-electron-gn-check.yml

@@ -48,7 +48,7 @@ jobs:
     container: ${{ fromJSON(inputs.check-container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -115,7 +115,7 @@ jobs:
     - name: Add CHROMIUM_BUILDTOOLS_PATH to env
       run: echo "CHROMIUM_BUILDTOOLS_PATH=$(pwd)/src/buildtools" >> $GITHUB_ENV
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/pipeline-segment-electron-publish.yml

@@ -56,11 +56,6 @@ on:
         required: false
         type: boolean
         default: false
-      upload-out-gen-artifacts:
-        description: Whether to upload the src/gen artifacts
-        required: false
-        type: boolean
-        default: false
       enable-ssh:
         description: Enable SSH debugging
         required: false
@@ -107,7 +102,7 @@ jobs:
         run: |
           mkdir src
       - name: Checkout Electron
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
         with:
           path: src/electron
           fetch-depth: 0
@@ -132,7 +127,7 @@ jobs:
         run: df -h
       - name: Setup Node.js/npm
         if: ${{ inputs.target-platform == 'macos' }}
-        uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
+        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
         with:
           node-version: 22.21.x
           cache: yarn
@@ -177,7 +172,7 @@ jobs:
         if: ${{ inputs.target-platform == 'linux' }}
         uses: ./src/electron/.github/actions/restore-cache-aks
       - name: Checkout Electron
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
         with:
           path: src/electron
           fetch-depth: 0
@@ -221,7 +216,6 @@ jobs:
           generate-symbols: ${{ inputs.generate-symbols }}
           upload-to-storage: ${{ inputs.upload-to-storage }}
           is-asan: ${{ inputs.is-asan }}
-          upload-out-gen-artifacts: ${{ inputs.upload-out-gen-artifacts }}
       - name: Set GN_EXTRA_ARGS for MAS Build
         if: ${{ inputs.target-platform == 'macos' && (inputs.target-variant == 'all' ||
           inputs.target-variant == 'mas') }}

.github/workflows/pipeline-segment-electron-test.yml

@@ -72,7 +72,7 @@ jobs:
         cp $(which node) /mnt/runner-externals/node24/bin/
     - name: Setup Node.js/npm
       if: ${{ inputs.target-platform == 'win' }}
-      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f
       with:
         node-version: 22.21.x
     - name: Add TCC permissions on macOS
@@ -119,7 +119,7 @@ jobs:
       if: ${{ inputs.target-platform == 'macos' }}
       run: sudo xcode-select --switch /Applications/Xcode_16.4.app
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -191,18 +191,12 @@ jobs:
       run: |
         cd src/out/Default
         unzip -:o dist.zip
-    - name: Import & Trust Self-Signed Codesigning Cert on MacOS
-      if: ${{ inputs.target-platform == 'macos' }}
-      run: |
-        cd src/electron
-        ./script/codesign/generate-identity.sh
-    - name: Sign Electron.app for macOS tests
-      if: ${{ inputs.target-platform == 'macos' }}
-      run: |
-        identity=$(src/electron/script/codesign/get-trusted-identity.sh)
-        if [ -n "$identity" ]; then
-          codesign -s "$identity" --deep --force src/out/Default/Electron.app
-        fi
+    #- name: Import & Trust Self-Signed Codesigning Cert on MacOS
+    #  if: ${{ inputs.target-platform == 'macos' && inputs.target-arch == 'x64' }}
+    #  run: |
+    #    sudo security authorizationdb write com.apple.trust-settings.admin allow
+    #    cd src/electron
+    #    ./script/codesign/generate-identity.sh
 
     - name: Run Electron Tests
       shell: bash

.github/workflows/pipeline-segment-node-nan-test.yml

@@ -50,7 +50,7 @@ jobs:
     container: ${{ fromJSON(inputs.test-container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0
@@ -106,7 +106,7 @@ jobs:
     container: ${{ fromJSON(inputs.test-container) }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0

.github/workflows/pull-request-labeled.yml

@@ -32,7 +32,7 @@ jobs:
     permissions: {}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}
@@ -44,35 +44,3 @@ jobs:
           project-number: 94
           field: Status
           field-value: ✅ Reviewed
-  pull-request-labeled-ai-pr:
-    name: ai-pr label added
-    if: github.event.label.name == 'ai-pr'
-    runs-on: ubuntu-latest
-    permissions: {}
-    steps:
-    - name: Generate GitHub App token
-      uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
-      id: generate-token
-      with:
-        creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
-    - name: Create comment
-      uses: actions-cool/issues-helper@e2ff99831a4f13625d35064e2b3dfe65c07a0396 # v3.7.5
-      with:
-        actions: 'create-comment'
-        token: ${{ steps.generate-token.outputs.token }}
-        issue-number: ${{ github.event.pull_request.number }}
-        body: |
-          <!-- ai-pr -->
-
-          *AI PR Detected*
-
-          Hello @${{ github.event.pull_request.user.login }}. Due to the high amount of AI spam PRs we receive, if a PR is detected to be majority AI-generated without disclosure and untested, we will automatically close the PR.
-
-          We welcome the use of AI tools, as long as the PR meets our quality standards and has clearly been built and tested. If you believe your PR was closed in error, we welcome you to resubmit. However, please read our [CONTRIBUTING.md](http://contributing.md/) carefully before reopening. Thanks for your contribution.
-    - name: Close the pull request
-      env:
-        GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
-        GH_REPO: electron/electron
-        PR_NUMBER: ${{ github.event.pull_request.number }}
-      run: |
-        gh pr close "$PR_NUMBER"

.github/workflows/scorecards.yml

@@ -13,7 +13,6 @@ permissions: read-all
 jobs:
   analysis:
     name: Scorecards analysis
-    if: github.repository == 'electron/electron'
     runs-on: ubuntu-latest
     permissions:
       # Needed to upload the results to code-scanning dashboard.
@@ -23,7 +22,7 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           persist-credentials: false
 
@@ -51,6 +50,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v3.29.5
+        uses: github/codeql-action/upload-sarif@cdefb33c0f6224e58673d9004f47f7cb3e328b89 # v3.29.5
         with:
           sarif_file: results.sarif

.github/workflows/stable-prep-items.yml

@@ -10,12 +10,11 @@ permissions: {}
 jobs:
   check-stable-prep-items:
     name: Check Stable Prep Items
-    if: github.repository == 'electron/electron'
     runs-on: ubuntu-latest
     permissions: {}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.RELEASE_BOARD_GH_APP_CREDS }}

.github/workflows/stale.yml

@@ -9,12 +9,11 @@ permissions: {}
 
 jobs:
   stale:
-    if: github.repository == 'electron/electron'
     runs-on: ubuntu-latest
     permissions: {}
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}
@@ -34,11 +33,11 @@ jobs:
   pending-repro:
     runs-on: ubuntu-latest
     permissions: {}
-    if: ${{ always() && github.repository == 'electron/electron' }}
+    if: ${{ always() }}
     needs: stale
     steps:
       - name: Generate GitHub App token
-        uses: electron/github-app-auth-action@e14e47722ed120360649d0789e25b9baece12725 # v2.0.0
+        uses: electron/github-app-auth-action@384fd19694fe7b6dcc9a684746c6976ad78228ae # v1.1.1
         id: generate-token
         with:
           creds: ${{ secrets.ISSUE_TRIAGE_GH_APP_CREDS }}

.github/workflows/windows-publish.yml

@@ -22,7 +22,6 @@ permissions: {}
 
 jobs:
   checkout-windows:
-    if: github.repository == 'electron/electron'
     runs-on: electron-arc-centralus-linux-amd64-32core
     permissions:
       contents: read
@@ -41,7 +40,7 @@ jobs:
       build-image-sha: ${{ inputs.build-image-sha }}
     steps:
     - name: Checkout Electron
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
       with:
         path: src/electron
         fetch-depth: 0

BUILD.gn

@@ -596,7 +596,6 @@ source_set("electron_lib") {
     use_libcxx_modules = false
 
     deps += [
-      "//components/os_crypt/async/browser:keychain_key_provider",
       "//components/os_crypt/common:keychain_password_mac",
       "//components/remote_cocoa/app_shim",
       "//components/remote_cocoa/browser",
@@ -659,9 +658,6 @@ source_set("electron_lib") {
       ":libnotify_loader",
       "//build/config/linux/gtk",
       "//components/crash/content/browser",
-      "//components/os_crypt/async/browser:freedesktop_secret_key_provider",
-      "//components/os_crypt/async/browser:posix_key_provider",
-      "//components/os_crypt/async/browser:secret_portal_key_provider",
       "//dbus",
       "//device/bluetooth",
       "//third_party/crashpad/crashpad/client",
@@ -702,7 +698,6 @@ source_set("electron_lib") {
     deps += [
       "//components/app_launch_prefetch",
       "//components/crash/core/app:crash_export_thunks",
-      "//components/os_crypt/async/browser:dpapi_key_provider",
       "//third_party/libxml:xml_writer",
       "//ui/wm",
       "//ui/wm/public",

CLAUDE.md

@@ -155,6 +155,10 @@ e test                    # Run full test suite
 
 When working on the `roller/chromium/main` branch to upgrade Chromium activate the "Electron Chromium Upgrade" skill.
 
+## Pull Requests
+
+PR bodies must always include a `Notes:` section as the **last line** of the body. This is a consumer-facing release note for Electron app developers — describe the user-visible fix or change, not internal implementation details. Use `Notes: none` if there is no user-facing change.
+
 ## Code Style
 
 **C++:** Follows Chromium style, enforced by clang-format

build/fuses/fuses.json5

@@ -9,5 +9,6 @@
   "embedded_asar_integrity_validation": "0",
   "only_load_app_from_asar": "0",
   "load_browser_process_specific_v8_snapshot": "0",
-  "grant_file_protocol_extra_privileges": "1"
+  "grant_file_protocol_extra_privileges": "1",
+  "wasm_trap_handlers": "1"
 }

build/siso/backend.star

@@ -0,0 +1,21 @@
+# -*- bazel-starlark -*-
+
+load("@builtin//struct.star", "module")
+
+def __platform_properties(ctx):
+    container_image = "docker://gcr.io/chops-public-images-prod/rbe/siso-chromium/linux@sha256:d7cb1ab14a0f20aa669c23f22c15a9dead761dcac19f43985bf9dd5f41fbef3a"
+    return {
+        "default": {
+            "OSFamily": "Linux",
+            "container-image": container_image,
+        },
+        "large": {
+            "OSFamily": "Linux",
+            "container-image": container_image,
+        },
+    }
+
+backend = module(
+    "backend",
+    platform_properties = __platform_properties,
+)

build/siso/main.star

@@ -0,0 +1,66 @@
+load("@builtin//encoding.star", "json")
+load("@builtin//path.star", "path")
+load("@builtin//runtime.star", "runtime")
+load("@builtin//struct.star", "module")
+load("@config//main.star", upstream_init = "init")
+load("@config//win_sdk.star", "win_sdk")
+load("@config//gn_logs.star", "gn_logs")
+
+def init(ctx):
+    mod = upstream_init(ctx)
+    step_config = json.decode(mod.step_config)
+
+    # Buildbarn doesn't support input_root_absolute_path so disable that
+    for rule in step_config["rules"]:    
+      input_root_absolute_path = rule.get("input_root_absolute_path", False)
+      if input_root_absolute_path:
+        rule.pop("input_root_absolute_path", None)
+
+    # Only wrap clang rules with a remote wrapper if not on Linux. These are currently only
+    # needed for X-Compile builds, which run on Windows and Mac.
+    if runtime.os != "linux":
+      for rule in step_config["rules"]:
+        if rule["name"].startswith("clang/") or rule["name"].startswith("clang-cl/"):
+          rule["remote_wrapper"] = "../../buildtools/reclient_cfgs/chromium-browser-clang/clang_remote_wrapper"
+          if "inputs" not in rule:
+            rule["inputs"] = []
+          rule["inputs"].append("buildtools/reclient_cfgs/chromium-browser-clang/clang_remote_wrapper")
+          rule["inputs"].append("third_party/llvm-build/Release+Asserts_linux/bin/clang")
+
+      if "executables" not in step_config:
+        step_config["executables"] = []
+      step_config["executables"].append("buildtools/reclient_cfgs/chromium-browser-clang/clang_remote_wrapper")
+      step_config["executables"].append("third_party/llvm-build/Release+Asserts_linux/bin/clang")
+
+    if runtime.os == "darwin":
+      # Update platforms to match our default siso config instead of reclient configs.
+      step_config["platforms"].update({
+          "clang": step_config["platforms"]["default"],
+          "clang_large": step_config["platforms"]["default"],          
+      })      
+
+    if runtime.os == "windows":
+      # Add additional Windows SDK headers needed by Electron      
+      win_toolchain_dir = win_sdk.toolchain_dir(ctx)
+      if win_toolchain_dir:
+        sdk_version = gn_logs.read(ctx).get("windows_sdk_version")
+        step_config["input_deps"][win_toolchain_dir + ":headers"].extend([
+          # third_party/electron_node/deps/uv/include/uv/win.h includes mswsock.h
+          path.join(win_toolchain_dir, "Windows Kits/10/Include", sdk_version, "um/mswsock.h"),
+          # third_party/electron_node/src/debug_utils.cc includes lm.h
+          path.join(win_toolchain_dir, "Windows Kits/10/Include", sdk_version, "um/Lm.h"),          
+        ])
+      
+      # Update platforms to match our default siso config instead of reclient configs.
+      step_config["platforms"].update({
+          "clang-cl": step_config["platforms"]["default"],
+          "clang-cl_large": step_config["platforms"]["default"],
+          "lld-link": step_config["platforms"]["default"],
+      })
+
+    return module(
+      "config",
+      step_config = json.encode(step_config),
+      filegroups = mod.filegroups,
+      handlers = mod.handlers,
+    )

docs/api/app.md

@@ -250,7 +250,9 @@ Returns:
 
 Emitted when the user clicks the native macOS new tab button. The new
 tab button is only visible if the current `BrowserWindow` has a
-`tabbingIdentifier`
+`tabbingIdentifier`.
+
+You must create a window in this handler in order for macOS tabbing to work as expected.
 
 ### Event: 'browser-window-blur'
 

docs/api/base-window.md

@@ -351,7 +351,11 @@ Emitted when the window has closed a sheet.
 
 #### Event: 'new-window-for-tab' _macOS_
 
-Emitted when the native new tab button is clicked.
+Emitted when the user clicks the native macOS new tab button. The new
+tab button is only visible if the current `BrowserWindow` has a
+`tabbingIdentifier`.
+
+You must create a window in this handler in order for macOS tabbing to work as expected.
 
 #### Event: 'system-context-menu' _Windows_ _Linux_
 

docs/api/browser-window.md

@@ -435,7 +435,11 @@ Emitted when the window has closed a sheet.
 
 #### Event: 'new-window-for-tab' _macOS_
 
-Emitted when the native new tab button is clicked.
+Emitted when the user clicks the native macOS new tab button. The new
+tab button is only visible if the current `BrowserWindow` has a
+`tabbingIdentifier`.
+
+You must create a window in this handler in order for macOS tabbing to work as expected.
 
 #### Event: 'system-context-menu' _Windows_ _Linux_
 

docs/api/cookies.md

@@ -107,7 +107,7 @@ the response.
     cookie and will not be retained between sessions.
   * `sameSite` string (optional) - The [Same Site](https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_cookies) policy to apply to this cookie.  Can be `unspecified`, `no_restriction`, `lax` or `strict`.  Default is `lax`.
 
-Returns `Promise<void>` - A promise which resolves when the cookie has been set.
+Returns `Promise<void>` - A promise which resolves when the cookie has been set
 
 Sets a cookie with `details`.
 
@@ -116,16 +116,16 @@ Sets a cookie with `details`.
 * `url` string - The URL associated with the cookie.
 * `name` string - The name of cookie to remove.
 
-Returns `Promise<void>` - A promise which resolves when the cookie has been removed.
+Returns `Promise<void>` - A promise which resolves when the cookie has been removed
 
-Removes the cookies matching `url` and `name`.
+Removes the cookies matching `url` and `name`
 
 #### `cookies.flushStore()`
 
-Returns `Promise<void>` - A promise which resolves when the cookie store has been flushed.
+Returns `Promise<void>` - A promise which resolves when the cookie store has been flushed
 
-Writes any unwritten cookies data to disk.
+Writes any unwritten cookies data to disk
 
-Cookies written by any method will not be written to disk immediately, but will be written every 30 seconds or 512 operations.
+Cookies written by any method will not be written to disk immediately, but will be written every 30 seconds or 512 operations
 
 Calling this method can cause the cookie to be written to disk immediately.

docs/api/menu.md

@@ -123,7 +123,7 @@ Appends the `menuItem` to the menu.
 
 - `id` string
 
-Returns [`MenuItem | null`](menu-item.md) - the item with the specified `id`
+Returns `MenuItem | null` the item with the specified `id`
 
 #### `menu.insert(pos, menuItem)`
 

docs/api/safe-storage.md

@@ -7,44 +7,21 @@ Process: [Main](../glossary.md#main-process)
 This module adds extra protection to data being stored on disk by using OS-provided cryptography systems. Current
 security semantics for each platform are outlined below.
 
-> [!NOTE]
-> We recommend using the asynchronous API (`encryptStringAsync`/`decryptStringAsync`) over the synchronous API.
-> The async API is non-blocking, supports key rotation, and handles temporary unavailability gracefully.
-> The synchronous API may be deprecated in a future version of Electron.
-
-## Platform-Specific Key Providers
-
-### Synchronous API
-
 * **macOS**: Encryption keys are stored for your app in [Keychain Access](https://support.apple.com/en-ca/guide/keychain-access/kyca1083/mac) in a way that prevents
 other applications from loading them without user override. Therefore, content is protected from other users and other apps running in the same userspace.
-* **Windows**: Encryption keys are generated via [DPAPI](https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata). As per the Windows documentation: "Typically, only a user with the same logon credential as the user who encrypted the data can typically decrypt the data". Therefore, content is protected from other users on the same machine, but not from other apps running in the
+* **Windows**: Encryption keys are generated via [DPAPI](https://learn.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata).
+As per the Windows documentation: "Typically, only a user with the same logon credential as the user who encrypted the data can typically
+decrypt the data". Therefore, content is protected from other users on the same machine, but not from other apps running in the
 same userspace.
 * **Linux**: Encryption keys are generated and stored in a secret store that varies depending on your window manager and system setup. Options currently supported are `kwallet`, `kwallet5`, `kwallet6` and `gnome-libsecret`, but more may be available in future versions of Electron. As such, the
 security semantics of content protected via the `safeStorage` API vary between window managers and secret stores.
-  * Note that not all Linux setups have an available secret store. If no secret store is available, items stored in using the `safeStorage` API will be unprotected as they are encrypted via hardcoded plaintext password. You can detect when this happens when `safeStorage.getSelectedStorageBackend()` returns `basic_text`.
+  * Note that not all Linux setups have an available secret store. If no secret store is available, items stored in using the `safeStorage` API will be unprotected
+as they are encrypted via hardcoded plaintext password. You can detect when this happens when `safeStorage.getSelectedStorageBackend()` returns `basic_text`.
 
-Note that on macOS, access to the system Keychain is required and
+Note that on Mac, access to the system Keychain is required and
 these calls can block the current thread to collect user input.
 The same is true for Linux, if a password management tool is available.
 
-### Asynchronous API
-
-The asynchronous API uses pluggable key providers that vary by platform:
-
-* **macOS**: Encryption keys are stored and retrieved from [Keychain Access](https://developer.apple.com/documentation/security/keychain-items). This provides the same security model as the synchronous API, protecting content from other users and other apps running in the same userspace.
-* **Windows**: Encryption keys are protected via [DPAPI](https://learn.microsoft.com/en-us/windows/win32/api/dpapi). This provides the same security model as the synchronous API, protecting content from other users on the same machine but not from other apps running in the same userspace.
-* **Linux**: Multiple key providers may be available depending on the desktop environment:
-  * [`org.freedesktop.portal.Secret`](https://flatpak.github.io/xdg-desktop-portal/docs/doc-org.freedesktop.portal.Secret.html): Uses the Portal Secret D-Bus interface to retrieve application-specific secrets. This is the preferred provider for sandboxed environments like Flatpak.
-  * [Secret Service API](https://specifications.freedesktop.org/secret-service/latest/): Uses the freedesktop.org Secret Service API (e.g., GNOME Keyring) for key storage.
-  * A fallback provider is used for environments without a secret service available.
-
-Unlike the synchronous API, these operations are non-blocking and support additional features like key rotation (indicated by `shouldReEncrypt`) and temporary unavailability handling (indicated by `isTemporarilyUnavailable`).
-
-## Events
-
-The `safeStorage` module emits the following events:
-
 ## Methods
 
 The `safeStorage` module has the following methods:
@@ -57,10 +34,6 @@ On Linux, returns true if the app has emitted the `ready` event and the secret k
 On MacOS, returns true if Keychain is available.
 On Windows, returns true once the app has emitted the `ready` event.
 
-### `safeStorage.isAsyncEncryptionAvailable()`
-
-Returns `Promise<Boolean>` - Whether encryption is available for asynchronous safeStorage operations.
-
 ### `safeStorage.encryptString(plainText)`
 
 * `plainText` string
@@ -76,21 +49,7 @@ This function will throw an error if encryption fails.
 Returns `string` - the decrypted string. Decrypts the encrypted buffer
 obtained  with `safeStorage.encryptString` back into a string.
 
-### `safeStorage.encryptStringAsync(plainText)`
-
-* `plainText` string
-
-Returns `Promise<Buffer>` -  An array of bytes representing the encrypted string.
-
-### `safeStorage.decryptStringAsync(encrypted)`
-
-* `encrypted` Buffer
-
-Returns `Promise<Object>` - Resolve with an object containing the following:
-
-* `shouldReEncrypt` boolean - whether data that has just been returned from the decrypt operation should be
-  re-encrypted, as the key has been rotated or a new  key is available that provides a different security level. If `true`, you should call `decryptStringAsync` again to receive the new decrypted string.
-* `result` string - the decrypted string.
+This function will throw an error if decryption fails.
 
 ### `safeStorage.setUsePlainTextEncryption(usePlainText)`
 

docs/api/shared-texture.md

@@ -1,6 +1,6 @@
 # sharedTexture
 
-> Import shared textures into Electron and converts platform specific handles into [`VideoFrame`](https://developer.mozilla.org/en-US/docs/Web/API/VideoFrame). Supports all Web rendering systems, and can be transferred across Electron processes. Read [here](https://github.com/electron/electron/blob/main/shell/common/api/shared_texture/README.md) for more information.
+> Import shared textures into Electron and converts platform specific handles into [`VideoFrame`](https://developer.mozilla.org/en-US/docs/Web/API/VideoFrame). Supports all Web rendering systems, and can be transferred across Electron processes. Read [here](../../shell/common/api/shared_texture/README.md) for more information.
 
 Process: [Main](../glossary.md#main-process), [Renderer](../glossary.md#renderer-process)
 
@@ -21,7 +21,7 @@ Imports the shared texture from the given options.
 > [!NOTE]
 > This method is only available in the main process.
 
-Returns [`SharedTextureImported`](structures/shared-texture-imported.md) - The imported shared texture.
+Returns `SharedTextureImported` - The imported shared texture.
 
 ### `sharedTexture.sendSharedTexture(options, ...args)` _Experimental_
 

docs/api/structures/shared-texture-import-texture-info.md

@@ -5,7 +5,6 @@
   * `rgba` - 32bpp RGBA (byte-order), 1 plane.
   * `rgbaf16` - Half float RGBA, 1 plane.
   * `nv12` - 12bpp with Y plane followed by a 2x2 interleaved UV plane.
-  * `p010le` - 4:2:0 10-bit YUV (little-endian), Y plane followed by a 2x2 interleaved UV plane.
 * `colorSpace` [ColorSpace](color-space.md) (optional) - The color space of the texture.
 * `codedSize` [Size](size.md) - The full dimensions of the shared texture.
 * `visibleRect` [Rectangle](rectangle.md) (optional) - A subsection of [0, 0, codedSize.width, codedSize.height]. In common cases, it is the full section area.

docs/api/structures/web-preferences.md

@@ -94,7 +94,6 @@
     The actual output pixel format and color space of the texture should refer to [`OffscreenSharedTexture`](../structures/offscreen-shared-texture.md) object in the `paint` event.
     * `argb` - The requested output texture format is 8-bit unorm RGBA, with SRGB SDR color space.
     * `rgbaf16` - The requested output texture format is 16-bit float RGBA, with scRGB HDR color space.
-  * `deviceScaleFactor` number (optional) _Experimental_ - The device scale factor of the offscreen rendering output. If not set, will use primary display's scale factor as default.
 * `contextIsolation` boolean (optional) - Whether to run Electron APIs and
   the specified `preload` script in a separate JavaScript context. Defaults
   to `true`. The context that the `preload` script runs in will only have

docs/api/view.md

@@ -62,17 +62,9 @@ it becomes the topmost view.
 
 If the view passed as a parameter is not a child of this view, this method is a no-op.
 
-#### `view.setBounds(bounds[, options])`
+#### `view.setBounds(bounds)`
 
 * `bounds` [Rectangle](structures/rectangle.md) - New bounds of the View.
-* `options` Object (optional) - Options for setting the bounds.
-  * `animate` boolean | Object (optional) - If true, the bounds change will be animated. If an object is passed, it can contain the following properties:
-    * `duration` Integer (optional) - Duration of the animation in milliseconds. Default is `250`.
-    * `easing` string (optional) - Easing function for the animation. Default is `linear`.
-      * `linear`
-      * `ease-in`
-      * `ease-out`
-      * `ease-in-out`
 
 #### `view.getBounds()`
 

docs/api/web-contents.md

@@ -933,7 +933,7 @@ copying data between CPU and GPU memory, with Chromium's hardware acceleration s
 Only a limited number of textures can exist at the same time, so it's important that you call `texture.release()` as soon as you're done with the texture.
 By managing the texture lifecycle by yourself, you can safely pass the `texture.textureInfo` to other processes through IPC.
 
-More details can be found in the [offscreen rendering tutorial](../tutorial/offscreen-rendering.md). To learn about how to handle the texture in native code, refer to [offscreen rendering's code documentation.](https://github.com/electron/electron/blob/main/shell/browser/osr/README.md).
+More details can be found in the [offscreen rendering tutorial](../tutorial/offscreen-rendering.md). To learn about how to handle the texture in native code, refer to [offscreen rendering's code documentation.](../../shell/browser/osr/README.md).
 
 ```js
 const { BrowserWindow } = require('electron')

docs/breaking-changes.md

@@ -12,16 +12,6 @@ This document uses the following convention to categorize breaking changes:
 * **Deprecated:** An API was marked as deprecated. The API will continue to function, but will emit a deprecation warning, and will be removed in a future release.
 * **Removed:** An API or feature was removed, and is no longer supported by Electron.
 
-## Planned Breaking API Changes (42.0)
-
-### Behavior Changed: Offscreen rendering will use `1.0` as default device scale factor.
-
-Previously, OSR used the primary display's device scale factor for rendering, which made the output frame size vary across users.
-Developers had to manually calculate the correct size using `screen.getPrimaryDisplay().scaleFactor`. We now provide an optional property
-`webPreferences.offscreen.deviceScaleFactor` to specify a custom value when creating an OSR window. At first, if the property is not set, it defaults
-to the primary display's scale factor (preserving the old behavior). Starting from Electron 42, the default will change to a constant value of `1.0`
-for more consistent output sizes.
-
 ## Planned Breaking API Changes (41.0)
 
 ### Behavior Changed: PDFs no longer create a separate WebContents

docs/development/build-instructions-gn.md

@@ -41,7 +41,7 @@ e init --root=~/electron --bootstrap testing
 ```
 
 The `--bootstrap` flag also runs `e sync` (synchronizes source code branches from
-[`DEPS`](https://github.com/electron/electron/blob/main/DEPS) using
+[`DEPS`](../../DEPS) using
 [`gclient`](https://chromium.googlesource.com/chromium/tools/depot_tools.git/+/HEAD/README.gclient.md))
 and `e build` (compiles the Electron binary into the `${root}/src/out` folder).
 
@@ -63,7 +63,7 @@ Some quick tips on building once your checkout is set up:
 * **Updating your checkout:** Run git commands such as `git checkout <branch>` and `git pull` from `${root}/src/electron`.
   Whenever you update your commit `HEAD`, make sure to `e sync` before `e build` to sync dependencies
   such as Chromium and Node.js. This is especially relevant because the Chromium version in
-  [`DEPS`](https://github.com/electron/electron/blob/main/DEPS) changes frequently.
+  [`DEPS`](../../DEPS) changes frequently.
 * **Rebuilding:** When making changes to code in `${root}/src/electron/` in a local branch, you only need to re-run `e build`.
 * **Adding patches:** When contributing changes in `${root}/src/` outside of `${root}/src/electron/`, you need to do so
   via Electron's [patch system](./patches.md). The `e patches` command can export all relevant patches to
@@ -98,7 +98,7 @@ Project configurations can be found in the `.gn` and `.gni` files in the `electr
 
 The following `gn` files contain the main rules for building Electron:
 
-* [`BUILD.gn`](https://github.com/electron/electron/blob/main/BUILD.gn) defines how Electron itself
+* [`BUILD.gn`](../../BUILD.gn) defines how Electron itself
   is built and includes the default configurations for linking with Chromium.
 * [`build/args/{testing,release,all}.gn`](https://github.com/electron/electron/tree/main/build/args)
   contain the default build arguments for building Electron.

docs/development/creating-api.md

@@ -6,7 +6,7 @@ This is not a comprehensive end-all guide to creating an Electron Browser API, r
 
 ## Add your files to Electron's project configuration
 
-Electron uses [GN](https://gn.googlesource.com/gn) as a meta build system to generate files for its compiler, [Ninja](https://ninja-build.org/). This means that in order to tell Electron to compile your code, we have to add your API's code and header file names into [`filenames.gni`](https://github.com/electron/electron/blob/main/filenames.gni).
+Electron uses [GN](https://gn.googlesource.com/gn) as a meta build system to generate files for its compiler, [Ninja](https://ninja-build.org/). This means that in order to tell Electron to compile your code, we have to add your API's code and header file names into [`filenames.gni`](../../filenames.gni).
 
 You will need to append your API file names alphabetically into the appropriate files like so:
 
@@ -127,7 +127,7 @@ void Initialize(v8::Local<v8::Object> exports,
 
 ## Link your Electron API with Node
 
-In the [`typings/internal-ambient.d.ts`](https://github.com/electron/electron/blob/main/typings/internal-ambient.d.ts) file, we need to append a new property onto the `Process` interface like so:
+In the [`typings/internal-ambient.d.ts`](../../typings/internal-ambient.d.ts) file, we need to append a new property onto the `Process` interface like so:
 
 ```ts title='typings/internal-ambient.d.ts' @ts-nocheck
 interface Process {
@@ -141,7 +141,7 @@ At the very bottom of your `api_name.cc` file:
 NODE_LINKED_BINDING_CONTEXT_AWARE(electron_browser_{api_name},Initialize)
 ```
 
-In your [`shell/common/node_bindings.cc`](https://github.com/electron/electron/blob/main/shell/common/node_bindings.cc) file, add your node binding name to Electron's built-in modules.
+In your [`shell/common/node_bindings.cc`](../../shell/common/node_bindings.cc) file, add your node binding name to Electron's built-in modules.
 
 ```cpp title='shell/common/node_bindings.cc'
 #define ELECTRON_BROWSER_MODULES(V)      \
@@ -159,7 +159,7 @@ We will need to create a new TypeScript file in the path that follows:
 
 `"lib/browser/api/{electron_browser_{api_name}}.ts"`
 
-An example of the contents of this file can be found [here](https://github.com/electron/electron/blob/main/lib/browser/api/native-theme.ts).
+An example of the contents of this file can be found [here](../../lib/browser/api/native-theme.ts).
 
 ### Expose your module to TypeScript
 

docs/development/pull-requests.md

@@ -185,7 +185,7 @@ $ git push origin my-branch
 ### Step 9: Opening the Pull Request
 
 From within GitHub, opening a new pull request will present you with a template
-that should be filled out. It can be found [here](https://github.com/electron/electron/blob/main/.github/PULL_REQUEST_TEMPLATE.md).
+that should be filled out. It can be found [here](../../.github/PULL_REQUEST_TEMPLATE.md).
 
 If you do not adequately complete this template, your PR may be delayed in being merged as maintainers
 seek more information or clarify ambiguities.
@@ -218,8 +218,7 @@ seem unfamiliar, refer to this
 
 #### Approval and Request Changes Workflow
 
-All pull requests require approval from a
-[Code Owner](https://github.com/electron/electron/blob/main/.github/CODEOWNERS)
+All pull requests require approval from a [Code Owner](../../.github/CODEOWNERS)
 of the area you modified in order to land. Whenever a maintainer reviews a pull
 request they may request changes. These may be small, such as fixing a typo, or
 may involve substantive changes. Such requests are intended to be helpful, but

docs/development/source-code-directory-structure.md

@@ -10,7 +10,7 @@ to understand the source code better.
 ## Project structure
 
 Electron is a complex project containing multiple upstream dependencies, which are tracked in source
-control via the [`DEPS`](https://github.com/electron/electron/blob/main/DEPS) file. When
+control via the [`DEPS`](../../DEPS) file. When
 [initializing a local Electron checkout](./build-instructions-gn.md), Electron's source code is just one
 of many nested folders within the project root.
 

docs/tutorial/asar-archives.md

@@ -6,7 +6,7 @@ hide_title: false
 ---
 
 After creating an [application distribution](application-distribution.md), the
-app's source code are usually bundled into an [ASAR archive](https://github.com/electron/asar),
+app's source code is usually bundled into an [ASAR archive](https://github.com/electron/asar),
 which is a simple extensive archive format designed for Electron apps. By bundling the app
 we can mitigate issues around long path names on Windows, speed up `require` and conceal your source
 code from cursory inspection.
@@ -134,7 +134,7 @@ underlying system calls, Electron will extract the needed file into a
 temporary file and pass the path of the temporary file to the APIs to make them
 work. This adds a little overhead for those APIs.
 
-APIs that requires extra unpacking are:
+APIs that require extra unpacking are:
 
 * `child_process.execFile`
 * `child_process.execFileSync`

docs/tutorial/asar-integrity.md

@@ -15,6 +15,14 @@ Currently, ASAR integrity checking is supported on:
 * macOS as of `electron>=16.0.0`
 * Windows as of `electron>=30.0.0`
 
+> [!NOTE]
+> ASAR integrity is fully supported in Mac App Store (MAS) builds and is recommended
+> as a best practice. While MAS-installed applications have their `Resources/` folder
+> protected by the system (owned by root), ASAR integrity still provides an additional
+> layer of security. It is especially important if you use Electron's MAS build but
+> distribute your app through channels other than the Mac App Store (such as direct
+> download), since those installations won't have the system-level read-only protections.
+
 In order to enable ASAR integrity checking, you also need to ensure that your `app.asar` file
 was generated by a version of the `@electron/asar` npm package that supports ASAR integrity.
 
@@ -24,7 +32,7 @@ All versions of `@electron/asar` support ASAR integrity.
 ## How it works
 
 Each ASAR archive contains a JSON string header. The header format includes an `integrity` object
-that contain a hex encoded hash of the entire archive as well as an array of hex encoded hashes for each
+that contains a hex encoded hash of the entire archive as well as an array of hex encoded hashes for each
 block of `blockSize` bytes.
 
 ```json

docs/tutorial/automated-testing.md

@@ -203,7 +203,7 @@ test('launch app', async () => {
 })
 ```
 
-After that, you will access to an instance of Playwright's `ElectronApp` class. This
+After that, you will have access to an instance of Playwright's `ElectronApp` class. This
 is a powerful class that has access to main process modules for example:
 
 ```js {5-10} @ts-nocheck
@@ -237,7 +237,7 @@ test('save screenshot', async () => {
 })
 ```
 
-Putting all this together using the Playwright test-runner, let's create a `example.spec.js`
+Putting all this together using the Playwright test-runner, let's create an `example.spec.js`
 test file with a single test and assertion:
 
 ```js title='example.spec.js' @ts-nocheck
@@ -377,7 +377,7 @@ class TestDriver {
 module.exports = { TestDriver }
 ```
 
-In your app code, can then write a simple handler to receive RPC calls:
+In your app code, you can then write a simple handler to receive RPC calls:
 
 ```js title='main.js'
 const METHODS = {

docs/tutorial/code-signing.md

@@ -17,7 +17,7 @@ run them, users need to go through multiple advanced and manual steps.
 
 If you are building an Electron app that you intend to package and distribute,
 it should be code signed. The Electron ecosystem tooling makes codesigning your
-apps straightforward - this documentation explains how sign your apps on both
+apps straightforward - this documentation explains how to sign your apps on both
 Windows and macOS.
 
 ## Signing & notarizing macOS builds

docs/tutorial/custom-title-bar.md

@@ -110,7 +110,7 @@ const win = new BrowserWindow({
 #### Show and hide the traffic lights programmatically _macOS_
 
 You can also show and hide the traffic lights programmatically from the main process.
-The `win.setWindowButtonVisibility` forces traffic lights to be show or hidden depending
+The `win.setWindowButtonVisibility` forces traffic lights to be shown or hidden depending
 on the value of its boolean parameter.
 
 ```js title='main.js'

docs/tutorial/custom-window-interactions.md

@@ -5,12 +5,12 @@
 By default, windows are dragged using the title bar provided by the OS chrome. Apps
 that remove the default title bar need to use the `app-region` CSS property to define
 specific areas that can be used to drag the window. Setting `app-region: drag` marks
-a rectagular area as draggable.
+a rectangular area as draggable.
 
 It is important to note that draggable areas ignore all pointer events. For example,
 a button element that overlaps a draggable region will not emit mouse clicks or mouse
 enter/exit events within that overlapping area. Setting `app-region: no-drag` reenables
-pointer events by excluding a rectagular area from a draggable region.
+pointer events by excluding a rectangular area from a draggable region.
 
 To make the whole window draggable, you can add `app-region: drag` as
 `body`'s style:

docs/tutorial/dark-mode.md

@@ -29,7 +29,7 @@ be updated accordingly.
 In macOS 10.14 Mojave, Apple introduced a new [system-wide dark mode][system-wide-dark-mode]
 for all macOS computers. If your Electron app has a dark mode, you can make it
 follow the system-wide dark mode setting using
-[the `nativeTheme` api](../api/native-theme.md).
+[the `nativeTheme` API](../api/native-theme.md).
 
 In macOS 10.15 Catalina, Apple introduced a new "automatic" dark mode option
 for all macOS computers. In order for the `nativeTheme.shouldUseDarkColors` and

docs/tutorial/fuses.md

@@ -137,6 +137,33 @@ The extra privileges granted to the `file://` protocol by this fuse are incomple
 * `file://` protocol pages have universal access granted to child frames also running on `file://`
   protocols regardless of sandbox settings
 
+### `wasmTrapHandlers`
+
+**Default:** Enabled
+
+**@electron/fuses:** `FuseV1Options.WasmTrapHandlers`
+
+The `wasmTrapHandlers` fuse controls whether V8 will use signal handlers to trap Out of Bounds memory
+access from WebAssembly. The feature works by surrounding the WebAssembly memory with large guard regions
+and then installing a signal handler that traps attempt to access memory in the guard region. The feature
+is only supported on the following 64-bit systems.
+
+Linux. MacOS, Windows - x86_64
+Linux, MacOS - aarch64
+
+| Guard Pages | WASM heap | Guard Pages |
+|-----8GB-----|           |-----8GB-----|
+
+When the fuse is disabled V8 will use explicit bound checks in the generated WebAssembly code to ensure
+memory safety. However, this method has some downsides
+
+* The compiler generates extra nodes for each memory reference, leading to longer compile times due to the
+additional processing time needed for these nodes.
+* In turn, these extra nodes lead to lots of extra code being generated, making WebAssembly modules bigger
+than they ideally should be.
+* This extra code, particularly the compare and branch before every memory reference,
+incurs a significant runtime cost.
+
 ## How do I flip fuses?
 
 ### The easy way
@@ -197,4 +224,4 @@ Somewhere in the Electron binary, there will be a sequence of bytes that look li
 
 To flip a fuse, you find its position in the fuse wire and change it to "0" or "1" depending on the state you'd like.
 
-You can view the current schema [here](https://github.com/electron/electron/blob/main/build/fuses/fuses.json5).
+You can view the current schema [here](../../build/fuses/fuses.json5).

docs/tutorial/ipc.md

@@ -171,7 +171,7 @@ sections.
 
 In the main process, we'll be creating a `handleFileOpen()` function that calls
 `dialog.showOpenDialog` and returns the value of the file path selected by the user. This function
-is used as a callback whenever an `ipcRender.invoke` message is sent through the `dialog:openFile`
+is used as a callback whenever an `ipcRenderer.invoke` message is sent through the `dialog:openFile`
 channel from the renderer process. The return value is then returned as a Promise to the original
 `invoke` call.
 
@@ -446,7 +446,7 @@ After loading the preload script, your renderer process should have access to th
 We don't directly expose the whole `ipcRenderer.on` API for [security reasons][]. Make sure to
 limit the renderer's access to Electron APIs as much as possible.
 Also don't just pass the callback to `ipcRenderer.on` as this will leak `ipcRenderer` via `event.sender`.
-Use a custom handler that invoke the `callback` only with the desired arguments.
+Use a custom handler that invokes the `callback` only with the desired arguments.
 :::
 
 :::info

docs/tutorial/keyboard-shortcuts.md

@@ -10,7 +10,7 @@ hide_title: false
 ## Accelerators
 
 Accelerators are strings that can be used to represent keyboard shortcuts throughout your Electron.
-These strings can contain multiple modifiers keys and a single key code joined by the `+` character.
+These strings can contain multiple modifier keys and a single key code joined by the `+` character.
 
 > [!NOTE]
 > Accelerators are **case-insensitive**.

docs/tutorial/launch-app-from-url-in-another-app.md

@@ -62,9 +62,9 @@ const createWindow = () => {
 }
 ```
 
-In this next step, we will create our  `BrowserWindow` and tell our application how to handle an event in which an external protocol is clicked.
+In this next step, we will create our `BrowserWindow` and tell our application how to handle an event in which an external protocol is clicked.
 
-This code will be different in Windows and Linux compared to MacOS. This is due to both platforms emitting the `second-instance` event rather than the `open-url` event and Windows requiring additional code in order to open the contents of the protocol link within the same Electron instance. Read more about this [here](../api/app.md#apprequestsingleinstancelockadditionaldata).
+This code will be different in Windows and Linux compared to macOS. This is due to both platforms emitting the `second-instance` event rather than the `open-url` event and Windows requiring additional code in order to open the contents of the protocol link within the same Electron instance. Read more about this [here](../api/app.md#apprequestsingleinstancelockadditionaldata).
 
 #### Windows and Linux code:
 
@@ -91,7 +91,7 @@ if (!gotTheLock) {
 }
 ```
 
-#### MacOS code:
+#### macOS code:
 
 ```js @ts-type={createWindow:()=>void}
 // This method will be called when Electron has finished

docs/tutorial/mac-app-store-submission-guide.md

@@ -65,7 +65,7 @@ The full list of certificate types can be found
 Apps signed with "Apple Development" and "Apple Distribution" certificates can
 only run under [App Sandbox][app-sandboxing], so they must use the MAS build of
 Electron. However, the "Developer ID Application" certificate does not have this
-restrictions, so apps signed with it can use either the normal build or the MAS
+restriction, so apps signed with it can use either the normal build or the MAS
 build of Electron.
 
 #### Legacy certificate names
@@ -208,7 +208,7 @@ signAsync({
 After signing the app with the "Apple Distribution" certificate, you can
 continue to submit it to Mac App Store.
 
-However, this guide do not ensure your app will be approved by Apple; you
+However, this guide does not ensure your app will be approved by Apple; you
 still need to read Apple's [Submitting Your App][submitting-your-app] guide on
 how to meet the Mac App Store requirements.
 

docs/tutorial/macos-dock.md

@@ -25,7 +25,7 @@ Electron application, and this property only exists on macOS.
 One of the main uses for your app's Dock icon is to expose additional app menus. The Dock menu is
 triggered by right-clicking or <kbd>Ctrl</kbd>-clicking the app icon. By default, the app's Dock menu
 will come with system-provided window management utilities, including the ability to show all windows,
-hide the app, and switch betweeen different open windows.
+hide the app, and switch between different open windows.
 
 To set an app-defined custom Dock menu, pass any [Menu](../api/menu.md) instance into the
 [`dock.setMenu`](../api/dock.md#docksetmenumenu-macos) API.

docs/tutorial/native-code-and-electron-cpp-linux.md

@@ -1339,7 +1339,7 @@ For developers wanting to learn more, you can refer to the [official N-API docum
 
 ### Putting `cpp_addon.cc` together
 
-We've now finished the bridge part our addon - that is, the code that's most concerned with being the bridge between your JavaScript and C++ code (and by contrast, less so actually interacting with the operating system or GTK). After adding all the sections above, your `src/cpp_addon.cc` should look like this:
+We've now finished the bridge part of our addon - that is, the code that's most concerned with being the bridge between your JavaScript and C++ code (and by contrast, less so actually interacting with the operating system or GTK). After adding all the sections above, your `src/cpp_addon.cc` should look like this:
 
 ```cpp title='src/cpp_addon.cc'
 #include <napi.h>

docs/tutorial/native-code-and-electron-cpp-win32.md

@@ -4,13 +4,13 @@ This tutorial builds on the [general introduction to Native Code and Electron](.
 
 Specifically, we'll be integrating with two commonly used native Windows libraries:
 
-* `comctl32.lib`, which contains common controls and user interface components. It provides various UI elements like buttons, scrollbars, toolbars, status bars, progress bars, and tree views. As far as GUI development on Windows goes, this library is very low-level and basic - more modern frameworks like WinUI or WPF are advanced and alternatives but require a lot more C++ and Windows version considerations than are useful for this tutorial. This way, we can avoid the many perils of building native interfaces for multiple Windows versions!
+* `comctl32.lib`, which contains common controls and user interface components. It provides various UI elements like buttons, scrollbars, toolbars, status bars, progress bars, and tree views. As far as GUI development on Windows goes, this library is very low-level and basic - more modern frameworks like WinUI or WPF are more advanced alternatives but require a lot more C++ and Windows version considerations than are useful for this tutorial. This way, we can avoid the many perils of building native interfaces for multiple Windows versions!
 * `shcore.lib`, a library that provides high-DPI awareness functionality and other Shell-related features around managing displays and UI elements.
 
 This tutorial will be most useful to those who already have some familiarity with native C++ GUI development on Windows. You should have experience with basic window classes and procedures, like `WNDCLASSEXW` and `WindowProc` functions. You should also be familiar with the Windows message loop, which is the heart of any native application - our code will be using `GetMessage`, `TranslateMessage`, and `DispatchMessage` to handle messages. Lastly, we'll be using (but not explaining) standard Win32 controls like `WC_EDITW` or `WC_BUTTONW`.
 
 > [!NOTE]
-> If you're not familiar with C++ GUI development on Windows, we recommend Microsoft's excellent documentation and guides, particular for beginners. "[Get Started with Win32 and C++](https://learn.microsoft.com/en-us/windows/win32/learnwin32/learn-to-program-for-windows)" is a great introduction.
+> If you're not familiar with C++ GUI development on Windows, we recommend Microsoft's excellent documentation and guides, particularly for beginners. "[Get Started with Win32 and C++](https://learn.microsoft.com/en-us/windows/win32/learnwin32/learn-to-program-for-windows)" is a great introduction.
 
 ## Requirements
 
@@ -1333,7 +1333,7 @@ npm run build
 
 ## Conclusion
 
-You've now built a complete native Node.js addon for Windows using C++ and the Win32 API. Some of things we've done here are:
+You've now built a complete native Node.js addon for Windows using C++ and the Win32 API. Some of the things we've done here are:
 
 1. Creating a native Windows GUI from C++
 2. Implementing a Todo list application with Add, Edit, and Delete functionality

docs/tutorial/native-code-and-electron-swift-macos.md

@@ -1167,7 +1167,7 @@ The approach demonstrated here allows you to:
 * Setting up bidirectional communication using callbacks and events
 * Configuring a custom build process to compile Swift code
 
-For more information on developing with Swift and Swift, refer to Apple's developer documentation:
+For more information on developing with Swift and SwiftUI, refer to Apple's developer documentation:
 
 * [Swift Programming Language](https://developer.apple.com/swift/)
 * [SwiftUI Framework](https://developer.apple.com/documentation/swiftui)

docs/tutorial/offscreen-rendering.md

@@ -36,8 +36,8 @@ setting.
     This is an advanced feature requiring a native node module to work with your own code.
     The frames are directly copied in GPU textures, thus this mode is very fast because
     there's no CPU-GPU memory copies overhead, and you can directly import the shared
-    texture to your own rendering program. You can read more details at
-    [here](https://github.com/electron/electron/blob/main/shell/browser/osr/README.md).
+    texture to your own rendering program. You can read more details
+    [here](../../shell/common/api/shared_texture/README.md).
 
 2. Use CPU shared memory bitmap
 

docs/tutorial/performance.md

@@ -60,7 +60,7 @@ at once, consider the [Chrome Tracing](https://www.chromium.org/developers/how-t
 ## Checklist: Performance recommendations
 
 Chances are that your app could be a little leaner, faster, and generally less
-resource-hungry if you avoid the following common pitfalls.
+resource-hungry if you attempt these steps.
 
 1. [Carelessly including modules](#1-carelessly-including-modules)
 2. [Loading and running code too soon](#2-loading-and-running-code-too-soon)
@@ -294,7 +294,7 @@ particularly useful if users complain about your app sometimes "stuttering".
 
 Generally speaking, all advice for building performant web apps for modern
 browsers apply to Electron's renderers, too. The two primary tools at your
-disposal  are currently `requestIdleCallback()` for small operations and
+disposal are currently `requestIdleCallback()` for small operations and
 `Web Workers` for long-running operations.
 
 _`requestIdleCallback()`_ allows developers to queue up a function to be
@@ -360,7 +360,7 @@ turning into a desktop application. As web developers, we are used to loading
 resources from a variety of content delivery networks. Now that you are
 shipping a proper desktop application, attempt to "cut the cord" where possible
 and avoid letting your users wait for resources that never change and could
-easily be included  in your app.
+easily be included in your app.
 
 A typical example is Google Fonts. Many developers make use of Google's
 impressive collection of free fonts, which comes with a content delivery

docs/tutorial/process-model.md

@@ -113,7 +113,7 @@ For a full list of Electron's main process modules, check out our API documentat
 
 Each Electron app spawns a separate renderer process for each open `BrowserWindow`
 (and each web embed). As its name implies, a renderer is responsible for
-_rendering_ web content. For all intents and purposes, code ran in renderer processes
+_rendering_ web content. For all intents and purposes, code run in renderer processes
 should behave according to web standards (insofar as Chromium does, at least).
 
 Therefore, all user interfaces and app functionality within a single browser

docs/tutorial/security.md

@@ -9,7 +9,7 @@ toc_max_heading_level: 3
 
 :::info Reporting security issues
 For information on how to properly disclose an Electron vulnerability,
-see [SECURITY.md](https://github.com/electron/electron/blob/main/SECURITY.md).
+see [SECURITY.md](../../SECURITY.md).
 
 For upstream Chromium vulnerabilities: Electron keeps up to date with alternating
 Chromium releases. For more information, see the
@@ -771,7 +771,7 @@ ipcMain.handle('get-secrets', (e) => {
 })
 
 function validateSender (frame) {
-  // Value the host of the URL using an actual URL parser and an allowlist
+  // Validate the host of the URL using an actual URL parser and an allowlist
   if ((new URL(frame.url)).host === 'electronjs.org') return true
   return false
 }

docs/tutorial/support.md

@@ -2,4 +2,4 @@
 
 * For information on supported releases, see the [Electron Releases](./electron-timelines.md) doc.
 * For community support on Electron, see the [Community page](https://www.electronjs.org/community).
-* For platform support info, see the [README](https://github.com/electron/electron/blob/main/README.md).
+* For platform support info, see the [README](../../README.md).

docs/tutorial/testing-on-headless-ci.md

@@ -2,8 +2,8 @@
 
 Being based on Chromium, Electron requires a display driver to function.
 If Chromium can't find a display driver, Electron will fail to launch -
-and therefore not executing any of your tests, regardless of how you are running
-them. Testing Electron-based apps on Travis, CircleCI, Jenkins or similar Systems
+and therefore not execute any of your tests, regardless of how you are running
+them. Testing Electron-based apps on Travis, CircleCI, Jenkins or similar systems
 requires therefore a little bit of configuration. In essence, we need to use
 a virtual display driver.
 

docs/tutorial/tutorial-5-packaging.md

@@ -44,25 +44,11 @@ have to worry about wiring them all together.
 You can install Electron Forge's CLI in your project's `devDependencies` and import your
 existing project with a handy conversion script.
 
-<Tabs>
-  <TabItem value="npm" label="npm">
-
-```sh
+```sh npm2yarn
 npm install --save-dev @electron-forge/cli
 npx electron-forge import
 ```
 
-  </TabItem>
-  <TabItem value="yarn" label="Yarn">
-
-```sh
-yarn add --dev @electron-forge/cli
-yarn electron-forge import
-```
-
-  </TabItem>
-</Tabs>
-
 Once the conversion script is done, Forge should have added a few scripts
 to your `package.json` file.
 

docs/tutorial/updates.md

@@ -44,7 +44,7 @@ following JSON format:
       "updateTo": {
         "version": "1.2.1",
         "pub_date": "2023-09-18T12:29:53+01:00",
-        "notes": "Theses are some release notes innit",
+        "notes": "These are some release notes innit",
         "name": "1.2.1",
         "url": "https://mycompany.example.com/myapp/releases/myrelease"
       }
@@ -54,7 +54,7 @@ following JSON format:
       "updateTo": {
         "version": "1.2.3",
         "pub_date": "2024-09-18T12:29:53+01:00",
-        "notes": "Theses are some more release notes innit",
+        "notes": "These are some more release notes innit",
         "name": "1.2.3",
         "url": "https://mycompany.example.com/myapp/releases/myrelease3"
       }
@@ -307,7 +307,7 @@ app update. All other properties in the object are optional.
 {
     "url": "https://your-static.storage/your-app-1.2.3-darwin.zip",
     "name": "1.2.3",
-    "notes": "Theses are some release notes innit",
+    "notes": "These are some release notes innit",
     "pub_date": "2024-09-18T12:29:53+01:00"
 }
 ```

docs/tutorial/using-native-node-modules.md

@@ -149,7 +149,7 @@ for an example delay-load hook if you're implementing your own.
 native Node modules with prebuilt binaries for multiple versions of Node
 and Electron.
 
-If the `prebuild`-powered module provide binaries for the usage in Electron,
+If the `prebuild`-powered module provides binaries for the usage in Electron,
 make sure to omit `--build-from-source` and the `npm_config_build_from_source`
 environment variable in order to take full advantage of the prebuilt binaries.
 

docs/tutorial/windows-arm.md

@@ -38,7 +38,7 @@ To test your app, use a Windows on Arm device running Windows 10 (version 1903 o
 
 ### Node.js/node-gyp
 
-[Node.js v12.9.0 or later is recommended.](https://nodejs.org/en/) If updating to a new version of Node is  undesirable, you can instead [update npm's copy of node-gyp manually](https://github.com/nodejs/node-gyp/wiki/Updating-npm's-bundled-node-gyp) to version 5.0.2 or later, which contains the required changes to compile native modules for Arm.
+[Node.js v12.9.0 or later is recommended.](https://nodejs.org/en/) If updating to a new version of Node is undesirable, you can instead [update npm's copy of node-gyp manually](https://github.com/nodejs/node-gyp/wiki/Updating-npm's-bundled-node-gyp) to version 5.0.2 or later, which contains the required changes to compile native modules for Arm.
 
 ### Visual Studio 2017
 

docs/tutorial/windows-store-guide.md

@@ -134,7 +134,7 @@ system.
 
 Before running the CLI for the first time, you will have to setup the "Windows Desktop App
 Converter". This will take a few minutes, but don't worry - you only have to do
-this once. Download and Desktop App Converter from [here][app-converter].
+this once. Download the Desktop App Converter from [here][app-converter].
 You will receive two files: `DesktopAppConverter.zip` and `BaseImage-14316.wim`.
 
 1. Unzip `DesktopAppConverter.zip`. From an elevated PowerShell (opened with

filenames.gni

@@ -299,7 +299,6 @@ filenames = {
     "shell/browser/api/electron_api_push_notifications.cc",
     "shell/browser/api/electron_api_push_notifications.h",
     "shell/browser/api/electron_api_safe_storage.cc",
-    "shell/browser/api/electron_api_safe_storage.h",
     "shell/browser/api/electron_api_screen.cc",
     "shell/browser/api/electron_api_screen.h",
     "shell/browser/api/electron_api_service_worker_context.cc",

lib/browser/api/safe-storage.ts

@@ -1,3 +1,3 @@
-const { safeStorage } = process._linkedBinding('electron_browser_safe_storage');
+const safeStorage = process._linkedBinding('electron_browser_safe_storage');
 
-export default safeStorage;
+module.exports = safeStorage;

package.json

@@ -12,7 +12,6 @@
     "@electron/github-app-auth": "^3.2.0",
     "@electron/lint-roller": "^3.2.0",
     "@electron/typescript-definitions": "^9.1.5",
-    "@hurdlegroup/robotjs": "^0.12.3",
     "@octokit/rest": "^20.1.2",
     "@primer/octicons": "^10.0.0",
     "@types/minimist": "^1.2.5",
@@ -65,7 +64,7 @@
   "scripts": {
     "asar": "asar",
     "generate-version-json": "node script/generate-version-json.js",
-    "lint": "node ./script/lint.js && npm run lint:docs",
+    "lint": "node ./script/lint.js && npm run lint:docs && npm run lint:chromium-roller",
     "lint:js": "node ./script/lint.js --js",
     "lint:clang-format": "python3 script/run-clang-format.py -r -c shell/ || (echo \"\\nCode not formatted correctly.\" && exit 1)",
     "lint:clang-tidy": "ts-node ./script/run-clang-tidy.ts",
@@ -75,11 +74,12 @@
     "lint:gn": "node ./script/lint.js --gn",
     "lint:docs": "remark docs -qf && npm run lint:js-in-markdown && npm run create-typescript-definitions && npm run lint:ts-check-js-in-markdown && npm run lint:docs-fiddles && npm run lint:docs-relative-links && npm run lint:markdown && npm run lint:api-history",
     "lint:docs-fiddles": "standard \"docs/fiddles/**/*.js\"",
-    "lint:docs-relative-links": "lint-roller-markdown-links --root docs \"**/*.md\"",
+    "lint:docs-relative-links": "lint-roller-markdown-links --resource-root . --root docs \"**/*.md\"",
     "lint:markdown": "node ./script/lint.js --md",
     "lint:ts-check-js-in-markdown": "lint-roller-markdown-ts-check --root docs \"**/*.md\" --ignore \"breaking-changes.md\"",
     "lint:js-in-markdown": "lint-roller-markdown-standard --root docs \"**/*.md\"",
     "lint:api-history": "lint-roller-markdown-api-history --root \"./docs/api/\" --schema \"./docs/api-history.schema.json\" --breaking-changes-file \"./docs/breaking-changes.md\" --check-placement --check-strings \"*.md\"",
+    "lint:chromium-roller": "node ./script/lint-roller-chromium-changes.mjs",
     "create-api-json": "node script/create-api-json.mjs",
     "create-typescript-definitions": "npm run create-api-json && electron-typescript-definitions --api=electron-api.json && node spec/ts-smoke/runner.js",
     "gn-typescript-definitions": "npm run create-typescript-definitions && node script/cp.mjs electron.d.ts",
@@ -103,6 +103,9 @@
     "electron"
   ],
   "lint-staged": {
+    "*": [
+      "npm run lint:chromium-roller"
+    ],
     "*.{js,ts}": [
       "node script/lint.js --js --fix --only --"
     ],

patches/chromium/.patches

@@ -142,7 +142,6 @@ chore_disable_protocol_handler_dcheck.patch
 fix_check_for_file_existence_before_setting_mtime.patch
 fix_linux_tray_id.patch
 expose_gtk_ui_platform_field.patch
-patch_osr_control_screen_info.patch
-loaf_add_feature_to_enable_sourceurl_for_all_protocols.patch
+fix_os_crypt_async_cookie_encryption.patch
 cherry-pick-e045399a1ecb.patch
-refactor_allow_customizing_config_in_freedesktopsecretkeyprovider.patch
+loaf_add_feature_to_enable_sourceurl_for_all_protocols.patch

patches/chromium/chore_add_electron_objects_to_wrappablepointertag.patch

@@ -8,24 +8,20 @@ electron objects that extend gin::Wrappable and gets
 allocated on the cpp heap
 
 diff --git a/gin/public/wrappable_pointer_tags.h b/gin/public/wrappable_pointer_tags.h
-index 573bcb2e56068a2ade6d8ab28964b077487874fd..acb0c0b44f6530e49b32ea7602c25d498ae4f210 100644
+index 573bcb2e56068a2ade6d8ab28964b077487874fd..42add73062b723b03fc15ddcce905e4d5061c384 100644
 --- a/gin/public/wrappable_pointer_tags.h
 +++ b/gin/public/wrappable_pointer_tags.h
-@@ -74,7 +74,19 @@ enum WrappablePointerTag : uint16_t {
+@@ -74,7 +74,15 @@ enum WrappablePointerTag : uint16_t {
    kTextInputControllerBindings,  // content::TextInputControllerBindings
    kWebAXObjectProxy,             // content::WebAXObjectProxy
    kWrappedExceptionHandler,      // extensions::WrappedExceptionHandler
 -  kLastPointerTag = kWrappedExceptionHandler,
 +  kElectronApp,                         // electron::api::App
-+  kElectronDataPipeHolder,              // electron::api::DataPipeHolder
 +  kElectronDebugger,                    // electron::api::Debugger
 +  kElectronEvent,                       // gin_helper::internal::Event
 +  kElectronMenu,                        // electron::api::Menu
 +  kElectronNetLog,                      // electron::api::NetLog
-+  kElectronPowerMonitor,                // electron::api::PowerMonitor
-+  kElectronPowerSaveBlocker,            // electron::api::PowerSaveBlocker
 +  kElectronReplyChannel,                // gin_helper::internal::ReplyChannel
-+  kElectronScreen,                      // electron::api::Screen
 +  kElectronSession,                     // electron::api::Session
 +  kElectronWebRequest,                  // electron::api::WebRequest
 +  kLastPointerTag = kElectronWebRequest,

patches/chromium/fix_adjust_headless_mode_handling_in_native_widget.patch

@@ -23,10 +23,10 @@ additional headless changes from breaking macOS window behavior.
 https://chromium-review.googlesource.com/c/chromium/src/+/7487666
 
 diff --git a/components/remote_cocoa/app_shim/native_widget_mac_nswindow.mm b/components/remote_cocoa/app_shim/native_widget_mac_nswindow.mm
-index 96588e0dfd084822f5c98cfaf2ee3c403fbd5e5f..b7983880254a09722d540c41937095f63cbb8109 100644
+index f8f58f12464189650399879756f7a450d86beaf0..09542474dcb5d470b6aad53ff4e657ce78f217ef 100644
 --- a/components/remote_cocoa/app_shim/native_widget_mac_nswindow.mm
 +++ b/components/remote_cocoa/app_shim/native_widget_mac_nswindow.mm
-@@ -218,6 +218,7 @@ @implementation NativeWidgetMacNSWindow {
+@@ -231,6 +231,7 @@ @implementation NativeWidgetMacNSWindow {
    BOOL _isEnforcingNeverMadeVisible;
    BOOL _activationIndependence;
    BOOL _isTooltip;
@@ -34,7 +34,7 @@ index 96588e0dfd084822f5c98cfaf2ee3c403fbd5e5f..b7983880254a09722d540c41937095f6
    BOOL _isShufflingForOrdering;
    BOOL _miniaturizationInProgress;
    std::unique_ptr<NativeWidgetMacNSWindowHeadlessInfo> _headless_info;
-@@ -225,6 +226,7 @@ @implementation NativeWidgetMacNSWindow {
+@@ -238,6 +239,7 @@ @implementation NativeWidgetMacNSWindow {
  @synthesize bridgedNativeWidgetId = _bridgedNativeWidgetId;
  @synthesize bridge = _bridge;
  @synthesize isTooltip = _isTooltip;
@@ -42,7 +42,7 @@ index 96588e0dfd084822f5c98cfaf2ee3c403fbd5e5f..b7983880254a09722d540c41937095f6
  @synthesize isShufflingForOrdering = _isShufflingForOrdering;
  @synthesize preventKeyWindow = _preventKeyWindow;
  @synthesize childWindowAddedHandler = _childWindowAddedHandler;
-@@ -246,23 +248,6 @@ - (instancetype)initWithContentRect:(NSRect)contentRect
+@@ -259,23 +261,6 @@ - (instancetype)initWithContentRect:(NSRect)contentRect
    return self;
  }
  

patches/chromium/fix_os_crypt_async_cookie_encryption.patch

@@ -0,0 +1,790 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Keeley Hammond <khammond@slack-corp.com>
+Date: Tue, 13 Jan 2026 13:26:29 -0800
+Subject: fix: revert OS_Crypt Async in Cookie Encryption
+
+Electron 40/M144 uses os_crypt async by default for cookie store
+providers when using cookie encryption. We need time to properly
+implement this in Electron and make sure the async logic is
+working properly.
+
+This patch reverts the port of os_crypt async and falls back to
+the old sync logic to unlock Electron 40. This patch can be removed
+when os_crypt async is added to Electron.
+
+Revert "Reland "Port net::CookieCryptoDelegate to os_crypt async""
+
+This reverts commit f01b115c7e21a09cc762f65bf7fd9c6ea9d9d0f8.
+
+diff --git a/chrome/browser/BUILD.gn b/chrome/browser/BUILD.gn
+index c75d7e336ad00230c2a7852f62c69b8f0cae748d..8e80ebd537871b204f254a4468996350b8f4f231 100644
+--- a/chrome/browser/BUILD.gn
++++ b/chrome/browser/BUILD.gn
+@@ -716,6 +716,8 @@ static_library("browser") {
+     "net/chrome_report_sender.h",
+     "net/convert_explicitly_allowed_network_ports_pref.cc",
+     "net/convert_explicitly_allowed_network_ports_pref.h",
++    "net/cookie_encryption_provider_impl.cc",
++    "net/cookie_encryption_provider_impl.h",
+     "net/default_dns_over_https_config_source.cc",
+     "net/default_dns_over_https_config_source.h",
+     "net/dns_over_https_config_source.h",
+diff --git a/chrome/browser/extensions/chrome_extension_cookies.cc b/chrome/browser/extensions/chrome_extension_cookies.cc
+index fc13abe302557d38cfce798d46551989337abb2c..22eac75cf685039796ecf40e7d86c9f54084a08b 100644
+--- a/chrome/browser/extensions/chrome_extension_cookies.cc
++++ b/chrome/browser/extensions/chrome_extension_cookies.cc
+@@ -6,7 +6,6 @@
+ 
+ #include <optional>
+ 
+-#include "chrome/browser/browser_process.h"
+ #include "chrome/browser/content_settings/cookie_settings_factory.h"
+ #include "chrome/browser/content_settings/host_content_settings_map_factory.h"
+ #include "chrome/browser/extensions/chrome_extension_cookies_factory.h"
+@@ -49,9 +48,7 @@ ChromeExtensionCookies::ChromeExtensionCookies(Profile* profile)
+         profile_->GetPath().Append(chrome::kExtensionsCookieFilename),
+         profile_->ShouldRestoreOldSessionCookies(),
+         profile_->ShouldPersistSessionCookies()));
+-    creation_config->crypto_delegate = cookie_config::GetCookieCryptoDelegate(
+-        g_browser_process->os_crypt_async(),
+-        content::GetUIThreadTaskRunner({}));
++    creation_config->crypto_delegate = cookie_config::GetCookieCryptoDelegate();
+   }
+   creation_config->cookieable_schemes.push_back(extensions::kExtensionScheme);
+ 
+diff --git a/chrome/browser/net/chrome_network_service_browsertest.cc b/chrome/browser/net/chrome_network_service_browsertest.cc
+index fa37d56b3a3b1e324ca121992fd7b54a945d75f7..05d4d5eaecf119a956210539f601b8f437aaa788 100644
+--- a/chrome/browser/net/chrome_network_service_browsertest.cc
++++ b/chrome/browser/net/chrome_network_service_browsertest.cc
+@@ -5,7 +5,6 @@
+ #include "base/feature_list.h"
+ #include "base/files/file_path.h"
+ #include "base/files/file_util.h"
+-#include "base/task/sequenced_task_runner.h"
+ #include "base/test/bind.h"
+ #include "base/test/scoped_feature_list.h"
+ #include "base/threading/thread_restrictions.h"
+@@ -20,7 +19,6 @@
+ #include "chrome/test/base/in_process_browser_test.h"
+ #include "chrome/test/base/ui_test_utils.h"
+ #include "components/cookie_config/cookie_store_util.h"
+-#include "components/os_crypt/async/browser/test_utils.h"
+ #include "content/public/browser/browser_context.h"
+ #include "content/public/browser/network_service_instance.h"
+ #include "content/public/browser/network_service_util.h"
+@@ -139,16 +137,10 @@ class ChromeNetworkServiceBrowserTest
+ IN_PROC_BROWSER_TEST_P(ChromeNetworkServiceBrowserTest,
+                        PRE_PRE_EncryptedCookies) {
+   // These test is only valid if crypto is enabled on the platform.
+-  auto os_crypt_async = os_crypt_async::GetTestOSCryptAsyncForTesting(
+-      /*is_sync_for_unittests=*/true);
+-  auto crypto_delegate = cookie_config::GetCookieCryptoDelegate(
+-      os_crypt_async.get(), base::SequencedTaskRunner::GetCurrentDefault());
++  auto crypto_delegate = cookie_config::GetCookieCryptoDelegate();
+   if (!crypto_delegate) {
+     GTEST_SKIP() << "No crypto on this platform.";
+   }
+-  base::RunLoop run_loop;
+-  crypto_delegate->Init(run_loop.QuitClosure());
+-  run_loop.Run();
+   std::string ciphertext;
+   crypto_delegate->EncryptString(kCookieValue, &ciphertext);
+   ASSERT_NE(ciphertext, kCookieValue) << "Crypto should really encrypt.";
+diff --git a/services/network/public/cpp/cookie_encryption_provider_impl.cc b/chrome/browser/net/cookie_encryption_provider_impl.cc
+similarity index 71%
+rename from services/network/public/cpp/cookie_encryption_provider_impl.cc
+rename to chrome/browser/net/cookie_encryption_provider_impl.cc
+index 52fedf2057b963951be560a362fec28208c2a4b5..3f770666618f2df56b8cd6855766418d319481f0 100644
+--- a/services/network/public/cpp/cookie_encryption_provider_impl.cc
++++ b/chrome/browser/net/cookie_encryption_provider_impl.cc
+@@ -1,19 +1,18 @@
+-// Copyright 2025 The Chromium Authors
++// Copyright 2024 The Chromium Authors
+ // Use of this source code is governed by a BSD-style license that can be
+ // found in the LICENSE file.
+ 
+-#include "services/network/public/cpp/cookie_encryption_provider_impl.h"
++#include "chrome/browser/net/cookie_encryption_provider_impl.h"
+ 
++#include "chrome/browser/browser_process.h"
+ #include "components/os_crypt/async/browser/os_crypt_async.h"
+ 
+-CookieEncryptionProviderImpl::CookieEncryptionProviderImpl(
+-    os_crypt_async::OSCryptAsync* os_crypt_async)
+-    : os_crypt_async_(os_crypt_async) {}
++CookieEncryptionProviderImpl::CookieEncryptionProviderImpl() = default;
+ 
+ CookieEncryptionProviderImpl::~CookieEncryptionProviderImpl() = default;
+ 
+ void CookieEncryptionProviderImpl::GetEncryptor(GetEncryptorCallback callback) {
+-  os_crypt_async_->GetInstance(base::BindOnce(
++  g_browser_process->os_crypt_async()->GetInstance(base::BindOnce(
+       [](GetEncryptorCallback callback, os_crypt_async::Encryptor encryptor) {
+         std::move(callback).Run(std::move(encryptor));
+       },
+diff --git a/services/network/public/cpp/cookie_encryption_provider_impl.h b/chrome/browser/net/cookie_encryption_provider_impl.h
+similarity index 65%
+rename from services/network/public/cpp/cookie_encryption_provider_impl.h
+rename to chrome/browser/net/cookie_encryption_provider_impl.h
+index 8f80cabd7c919c682e603ff6af0c12ae4431e366..68df8a7a04e9a8455b7143432173d9e48dc1ea5e 100644
+--- a/services/network/public/cpp/cookie_encryption_provider_impl.h
++++ b/chrome/browser/net/cookie_encryption_provider_impl.h
+@@ -1,27 +1,20 @@
+-// Copyright 2025 The Chromium Authors
++// Copyright 2024 The Chromium Authors
+ // Use of this source code is governed by a BSD-style license that can be
+ // found in the LICENSE file.
+ 
+-#ifndef SERVICES_NETWORK_PUBLIC_CPP_COOKIE_ENCRYPTION_PROVIDER_IMPL_H_
+-#define SERVICES_NETWORK_PUBLIC_CPP_COOKIE_ENCRYPTION_PROVIDER_IMPL_H_
++#ifndef CHROME_BROWSER_NET_COOKIE_ENCRYPTION_PROVIDER_IMPL_H_
++#define CHROME_BROWSER_NET_COOKIE_ENCRYPTION_PROVIDER_IMPL_H_
+ 
+-#include "base/component_export.h"
+-#include "base/memory/raw_ptr.h"
+ #include "components/os_crypt/async/common/encryptor.h"
+ #include "mojo/public/cpp/bindings/receiver_set.h"
+ #include "services/network/public/mojom/cookie_encryption_provider.mojom.h"
+ 
+-namespace os_crypt_async {
+-class OSCryptAsync;
+-}
+-
+ // Implementation of CookieEncryptionProvider interface. This is Windows only
+ // for now, but will be expanded to other platforms in future.
+-class COMPONENT_EXPORT(NETWORK_CPP) CookieEncryptionProviderImpl
++class CookieEncryptionProviderImpl
+     : public network::mojom::CookieEncryptionProvider {
+  public:
+-  explicit CookieEncryptionProviderImpl(
+-      os_crypt_async::OSCryptAsync* os_crypt_async);
++  CookieEncryptionProviderImpl();
+   ~CookieEncryptionProviderImpl() override;
+ 
+   CookieEncryptionProviderImpl(const CookieEncryptionProviderImpl&) = delete;
+@@ -37,7 +30,6 @@ class COMPONENT_EXPORT(NETWORK_CPP) CookieEncryptionProviderImpl
+ 
+  private:
+   mojo::ReceiverSet<network::mojom::CookieEncryptionProvider> receivers_;
+-  raw_ptr<os_crypt_async::OSCryptAsync> os_crypt_async_;
+ };
+ 
+-#endif  // SERVICES_NETWORK_PUBLIC_CPP_COOKIE_ENCRYPTION_PROVIDER_IMPL_H_
++#endif  // CHROME_BROWSER_NET_COOKIE_ENCRYPTION_PROVIDER_IMPL_H_
+diff --git a/chrome/browser/net/cookie_encryption_provider_interactive_uitest.cc b/chrome/browser/net/cookie_encryption_provider_interactive_uitest.cc
+index b862afe7663111a6cbd342d33723942770bb0490..9dc46cedb109cea63bf71aa43fc7a2b64730ed12 100644
+--- a/chrome/browser/net/cookie_encryption_provider_interactive_uitest.cc
++++ b/chrome/browser/net/cookie_encryption_provider_interactive_uitest.cc
+@@ -13,6 +13,7 @@
+ #include "base/test/test_future.h"
+ #include "build/config/linux/dbus/buildflags.h"
+ #include "chrome/browser/browser_features.h"
++#include "chrome/browser/net/cookie_encryption_provider_impl.h"
+ #include "chrome/browser/policy/chrome_browser_policy_connector.h"
+ #include "chrome/browser/profiles/profile.h"
+ #include "chrome/browser/ui/browser.h"
+@@ -25,7 +26,6 @@
+ #include "content/public/test/browser_test.h"
+ #include "content/public/test/test_launcher.h"
+ #include "net/cookies/canonical_cookie.h"
+-#include "services/network/public/cpp/cookie_encryption_provider_impl.h"
+ #include "services/network/public/mojom/cookie_manager.mojom.h"
+ #include "services/network/public/mojom/network_context.mojom.h"
+ #include "testing/gtest/include/gtest/gtest.h"
+diff --git a/chrome/browser/net/system_network_context_manager.cc b/chrome/browser/net/system_network_context_manager.cc
+index 223c7a55b1db65430d22dcff9898845ccaca68a0..9f7347a39c1a0a982632fc6a6b04240b0a3b9510 100644
+--- a/chrome/browser/net/system_network_context_manager.cc
++++ b/chrome/browser/net/system_network_context_manager.cc
+@@ -919,13 +919,8 @@ void SystemNetworkContextManager::DisableQuic() {
+ void SystemNetworkContextManager::
+     AddCookieEncryptionManagerToNetworkContextParams(
+         network::mojom::NetworkContextParams* network_context_params) {
+-  if (!cookie_encryption_provider_) {
+-    cookie_encryption_provider_ =
+-        std::make_unique<CookieEncryptionProviderImpl>(
+-            g_browser_process->os_crypt_async());
+-  }
+   network_context_params->cookie_encryption_provider =
+-      cookie_encryption_provider_->BindNewRemote();
++      cookie_encryption_provider_.BindNewRemote();
+ }
+ 
+ void SystemNetworkContextManager::AddSSLConfigToNetworkContextParams(
+diff --git a/chrome/browser/net/system_network_context_manager.h b/chrome/browser/net/system_network_context_manager.h
+index 611833bce86135d792670a2cbfbfc661bcedf8dd..6d39b73f77d294ec21aa2d9c328e7f1fa9aad47d 100644
+--- a/chrome/browser/net/system_network_context_manager.h
++++ b/chrome/browser/net/system_network_context_manager.h
+@@ -14,6 +14,7 @@
+ #include "base/memory/raw_ptr.h"
+ #include "base/memory/scoped_refptr.h"
+ #include "chrome/browser/net/cert_verifier_service_time_updater.h"
++#include "chrome/browser/net/cookie_encryption_provider_impl.h"
+ #include "chrome/browser/net/proxy_config_monitor.h"
+ #include "chrome/browser/net/stub_resolver_config_reader.h"
+ #include "chrome/browser/ssl/ssl_config_service_manager.h"
+@@ -23,7 +24,6 @@
+ #include "mojo/public/cpp/bindings/pending_receiver.h"
+ #include "mojo/public/cpp/bindings/remote.h"
+ #include "services/cert_verifier/public/mojom/cert_verifier_service_factory.mojom-forward.h"
+-#include "services/network/public/cpp/cookie_encryption_provider_impl.h"
+ #include "services/network/public/mojom/host_resolver.mojom-forward.h"
+ #include "services/network/public/mojom/network_context.mojom.h"
+ #include "services/network/public/mojom/network_service.mojom.h"
+@@ -303,7 +303,7 @@ class SystemNetworkContextManager {
+   GssapiLibraryLoadObserver gssapi_library_loader_observer_{this};
+ #endif  // BUILDFLAG(IS_LINUX)
+ 
+-  std::unique_ptr<CookieEncryptionProviderImpl> cookie_encryption_provider_;
++  CookieEncryptionProviderImpl cookie_encryption_provider_;
+ 
+   std::unique_ptr<CertVerifierServiceTimeUpdater> cert_verifier_time_updater_;
+ };
+diff --git a/components/cookie_config/BUILD.gn b/components/cookie_config/BUILD.gn
+index e348b0d1a59470c5cf153ae02e420b9dd6bd1892..a7a51003386fe7b62aaf5b7008c63acefd428942 100644
+--- a/components/cookie_config/BUILD.gn
++++ b/components/cookie_config/BUILD.gn
+@@ -13,7 +13,7 @@ component("cookie_config") {
+   public_deps = [ "//base" ]
+ 
+   deps = [
+-    "//components/os_crypt/async/browser",
++    "//components/os_crypt/sync",
+     "//net:extras",
+   ]
+ }
+diff --git a/components/cookie_config/DEPS b/components/cookie_config/DEPS
+index 2c847bf159af83cd12bb343deff0cae9957a4183..a428c0b502bee622fbc7eff7d83a2e8500c058df 100644
+--- a/components/cookie_config/DEPS
++++ b/components/cookie_config/DEPS
+@@ -1,4 +1,4 @@
+ include_rules = [
+-  "+components/os_crypt/async",
++  "+components/os_crypt/sync",
+   "+net/extras/sqlite",
+ ]
+diff --git a/components/cookie_config/cookie_store_util.cc b/components/cookie_config/cookie_store_util.cc
+index 55742de998756cbcd686d13a77b2a695eda06884..e7efdfe3a5ecae3b5461bba469f0377b3c920b21 100644
+--- a/components/cookie_config/cookie_store_util.cc
++++ b/components/cookie_config/cookie_store_util.cc
+@@ -5,12 +5,8 @@
+ #include "components/cookie_config/cookie_store_util.h"
+ 
+ #include "base/functional/callback.h"
+-#include "base/memory/scoped_refptr.h"
+-#include "base/memory/weak_ptr.h"
+-#include "base/task/sequenced_task_runner.h"
+ #include "build/build_config.h"
+-#include "components/os_crypt/async/browser/os_crypt_async.h"
+-#include "components/os_crypt/async/common/encryptor.h"
++#include "components/os_crypt/sync/os_crypt.h"
+ #include "net/extras/sqlite/cookie_crypto_delegate.h"
+ 
+ namespace cookie_config {
+@@ -19,123 +15,40 @@ namespace cookie_config {
+     BUILDFLAG(IS_CHROMEOS)
+ namespace {
+ 
+-void OnOsCryptReadyOnUi(
+-    base::OnceCallback<void(os_crypt_async::Encryptor)> callback,
+-    scoped_refptr<base::SequencedTaskRunner> task_runner,
+-    os_crypt_async::Encryptor encryptor) {
+-  task_runner->PostTask(
+-      FROM_HERE, base::BindOnce(std::move(callback), std::move(encryptor)));
+-}
+-
+-void InitOnUi(base::OnceCallback<void(os_crypt_async::Encryptor)> callback,
+-              os_crypt_async::OSCryptAsync* os_crypt_async,
+-              scoped_refptr<base::SequencedTaskRunner> task_runner) {
+-  os_crypt_async->GetInstance(
+-      base::BindOnce(&OnOsCryptReadyOnUi, std::move(callback),
+-                     std::move(task_runner)),
+-      os_crypt_async::Encryptor::Option::kEncryptSyncCompat);
+-}
+-
+ // Use the operating system's mechanisms to encrypt cookies before writing
+ // them to persistent store.  Currently this only is done with desktop OS's
+ // because ChromeOS and Android already protect the entire profile contents.
+ class CookieOSCryptoDelegate : public net::CookieCryptoDelegate {
+  public:
+-  CookieOSCryptoDelegate(
+-      os_crypt_async::OSCryptAsync* os_crypt_async,
+-      scoped_refptr<base::SequencedTaskRunner> ui_task_runner);
+-
+-  CookieOSCryptoDelegate(const CookieOSCryptoDelegate&) = delete;
+-  CookieOSCryptoDelegate& operator=(const CookieOSCryptoDelegate&) = delete;
+-
+-  ~CookieOSCryptoDelegate() override;
+-
+-  // net::CookieCryptoDelegate implementation:
+   void Init(base::OnceClosure callback) override;
+   bool EncryptString(const std::string& plaintext,
+                      std::string* ciphertext) override;
+   bool DecryptString(const std::string& ciphertext,
+                      std::string* plaintext) override;
+-
+- private:
+-  void OnOsCryptReady(os_crypt_async::Encryptor encryptor);
+-
+-  raw_ptr<os_crypt_async::OSCryptAsync> os_crypt_async_;
+-  scoped_refptr<base::SequencedTaskRunner> ui_task_runner_;
+-  std::optional<os_crypt_async::Encryptor> encryptor_;
+-
+-  bool initializing_ = false;
+-  std::vector<base::OnceClosure> init_callbacks_;
+-
+-  base::WeakPtrFactory<CookieOSCryptoDelegate> weak_ptr_factory_{this};
+ };
+ 
+-CookieOSCryptoDelegate::CookieOSCryptoDelegate(
+-    os_crypt_async::OSCryptAsync* os_crypt_async,
+-    scoped_refptr<base::SequencedTaskRunner> ui_task_runner)
+-    : os_crypt_async_(os_crypt_async), ui_task_runner_(ui_task_runner) {}
+-
+-CookieOSCryptoDelegate::~CookieOSCryptoDelegate() = default;
+-
+ void CookieOSCryptoDelegate::Init(base::OnceClosure callback) {
+-  if (encryptor_.has_value()) {
+-    std::move(callback).Run();
+-    return;
+-  }
+-
+-  init_callbacks_.emplace_back(std::move(callback));
+-  if (initializing_) {
+-    return;
+-  }
+-  initializing_ = true;
+-
+-  // PostTaskAndReplyWithResult can't be used here because
+-  // OSCryptAsync::GetInstance() is async.
+-  ui_task_runner_->PostTask(
+-      FROM_HERE,
+-      base::BindOnce(&InitOnUi,
+-                     base::BindOnce(&CookieOSCryptoDelegate::OnOsCryptReady,
+-                                    weak_ptr_factory_.GetWeakPtr()),
+-                     os_crypt_async_,
+-                     base::SequencedTaskRunner::GetCurrentDefault()));
+-  os_crypt_async_ = nullptr;
++  std::move(callback).Run();
+ }
+ 
+ bool CookieOSCryptoDelegate::EncryptString(const std::string& plaintext,
+                                            std::string* ciphertext) {
+-  CHECK(encryptor_) << "EncryptString called before Init completed";
+-  return encryptor_->EncryptString(plaintext, ciphertext);
++  return OSCrypt::EncryptString(plaintext, ciphertext);
+ }
+ 
+ bool CookieOSCryptoDelegate::DecryptString(const std::string& ciphertext,
+                                            std::string* plaintext) {
+-  CHECK(encryptor_) << "DecryptString called before Init completed";
+-  return encryptor_->DecryptString(ciphertext, plaintext);
+-}
+-
+-void CookieOSCryptoDelegate::OnOsCryptReady(
+-    os_crypt_async::Encryptor encryptor) {
+-  encryptor_ = std::move(encryptor);
+-  initializing_ = false;
+-  for (auto& callback : init_callbacks_) {
+-    std::move(callback).Run();
+-  }
+-  init_callbacks_.clear();
++  return OSCrypt::DecryptString(ciphertext, plaintext);
+ }
+ 
+ }  // namespace
+ 
+-std::unique_ptr<net::CookieCryptoDelegate> GetCookieCryptoDelegate(
+-    os_crypt_async::OSCryptAsync* os_crypt_async,
+-    scoped_refptr<base::SequencedTaskRunner> ui_task_runner) {
+-  return std::make_unique<CookieOSCryptoDelegate>(os_crypt_async,
+-                                                  ui_task_runner);
++std::unique_ptr<net::CookieCryptoDelegate> GetCookieCryptoDelegate() {
++  return std::make_unique<CookieOSCryptoDelegate>();
+ }
+ #else   // BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC) || BUILDFLAG(IS_LINUX) ||
+         // BUILDFLAG(IS_CHROMEOS)
+-std::unique_ptr<net::CookieCryptoDelegate> GetCookieCryptoDelegate(
+-    os_crypt_async::OSCryptAsync* os_crypt_async,
+-    scoped_refptr<base::SequencedTaskRunner> ui_task_runner) {
++std::unique_ptr<net::CookieCryptoDelegate> GetCookieCryptoDelegate() {
+   return nullptr;
+ }
+ #endif  // BUILDFLAG(IS_WIN) || BUILDFLAG(IS_MAC) || BUILDFLAG(IS_LINUX) ||
+diff --git a/components/cookie_config/cookie_store_util.h b/components/cookie_config/cookie_store_util.h
+index 9d142e9f13fb0d30d5795c2a82f2cbc5274d381c..1e1b7ebc234d7e3f981e023fe49cd0b13ed62c6e 100644
+--- a/components/cookie_config/cookie_store_util.h
++++ b/components/cookie_config/cookie_store_util.h
+@@ -8,28 +8,17 @@
+ #include <memory>
+ 
+ #include "base/component_export.h"
+-#include "base/memory/scoped_refptr.h"
+-
+-namespace base {
+-class SequencedTaskRunner;
+-}
+ 
+ namespace net {
+ class CookieCryptoDelegate;
+ }  // namespace net
+ 
+-namespace os_crypt_async {
+-class OSCryptAsync;
+-}  // namespace os_crypt_async
+-
+ namespace cookie_config {
+ 
+ // Factory method for returning a CookieCryptoDelegate if one is appropriate for
+ // this platform.
+ COMPONENT_EXPORT(COMPONENTS_COOKIE_CONFIG)
+-std::unique_ptr<net::CookieCryptoDelegate> GetCookieCryptoDelegate(
+-    os_crypt_async::OSCryptAsync* os_crypt_async,
+-    scoped_refptr<base::SequencedTaskRunner> ui_task_runner);
++std::unique_ptr<net::CookieCryptoDelegate> GetCookieCryptoDelegate();
+ 
+ }  // namespace cookie_config
+ 
+diff --git a/components/os_crypt/sync/BUILD.gn b/components/os_crypt/sync/BUILD.gn
+index bb308187837371ecfa2482affaf35ac7ed98c1f3..1e554fe95b0521a883ced83fc67f5d52a3d45759 100644
+--- a/components/os_crypt/sync/BUILD.gn
++++ b/components/os_crypt/sync/BUILD.gn
+@@ -12,7 +12,13 @@ component("sync") {
+   visibility = [
+     "//electron:*",
+     "//chrome/browser",
++    "//chrome/browser/prefs:impl",
++    "//chrome/browser/ui",
++    "//chrome/browser/web_applications",
+     "//chrome/test:test_support",
++    "//components/autofill/content/browser",
++    "//components/cookie_config",
++    "//components/gcm_driver",
+     "//components/os_crypt/async/browser:dpapi_key_provider",
+     "//components/os_crypt/async/browser:freedesktop_secret_key_provider",
+     "//components/os_crypt/async/browser:keychain_key_provider",
+@@ -22,18 +28,24 @@ component("sync") {
+     "//components/os_crypt/async/common:unit_tests",
+     "//components/os_crypt/sync:test_support",
+     "//components/os_crypt/sync:unit_tests",
++    "//components/password_manager/core/browser",
++    "//components/password_manager/core/browser:hash_password_manager",
++    "//components/password_manager/core/browser:unit_tests",
++    "//components/password_manager/core/browser/password_store:password_store_impl",
++    "//components/password_manager/core/browser/password_store:unit_tests",
+     "//components/signin/core/browser",
+     "//components/sync:unit_tests",
+     "//components/sync/nigori",
+     "//components/sync/service",
++    "//components/trusted_vault",
++    "//components/trusted_vault:unit_tests",
++    "//content/browser",
+     "//headless:headless_non_renderer",
++    "//headless:headless_shell_lib",
+     "//ios/chrome/browser/web/model:web_internal",
+     "//services/network:network_service",
+     "//services/test/echo:lib",
+   ]
+-  if (is_mac) {
+-    visibility += [ "//headless:headless_shell_lib" ]
+-  }
+ 
+   sources = [
+     "os_crypt.h",
+diff --git a/headless/BUILD.gn b/headless/BUILD.gn
+index 0d07069219883d28af7add90ad4509a94109603f..b732da23aa014aaa3525bbadaec97178d7844e04 100644
+--- a/headless/BUILD.gn
++++ b/headless/BUILD.gn
+@@ -373,7 +373,6 @@ component("headless_non_renderer") {
+     "//components/keyed_service/content",
+     "//components/origin_trials:browser",
+     "//components/origin_trials:common",
+-    "//components/os_crypt/async/browser",
+     "//components/os_crypt/sync",
+     "//components/policy:generated",
+     "//components/policy/content",
+diff --git a/headless/lib/browser/DEPS b/headless/lib/browser/DEPS
+index 75d0960a5964fabf518d0b8b2f67e29e9b3d6fe6..8261f1ab27597459726063cc6faa2a5ed0bfce17 100644
+--- a/headless/lib/browser/DEPS
++++ b/headless/lib/browser/DEPS
+@@ -44,7 +44,6 @@ specific_include_rules = {
+   "headless_browser_impl.*": [
+     "+services/device/public/cpp/geolocation/system_geolocation_source_apple.h",
+     "+services/device/public/cpp/geolocation/geolocation_system_permission_manager.h",
+-    "+components/os_crypt/async",
+     "+components/password_manager/core/browser/password_manager_switches.h",
+     "+components/policy",
+     "+components/prefs",
+@@ -53,9 +52,6 @@ specific_include_rules = {
+     "+components/metrics",
+     "+components/variations",
+   ],
+-  "headless_request_context_manager.cc": [
+-    "+components/os_crypt/async/browser",
+-  ],
+   "headless_browser_impl_unittest.cc": [
+     "+third_party/blink/public/common/features.h",
+   ],
+diff --git a/headless/lib/browser/headless_browser_context_impl.cc b/headless/lib/browser/headless_browser_context_impl.cc
+index f664e9994a3c38ef2aa30773f6ca4668451dd76c..ad83a721a8bf17225af7d2c5954ecdd82cf8e1dc 100644
+--- a/headless/lib/browser/headless_browser_context_impl.cc
++++ b/headless/lib/browser/headless_browser_context_impl.cc
+@@ -77,7 +77,7 @@ HeadlessBrowserContextImpl::HeadlessBrowserContextImpl(
+           ? base::FilePath()
+           : path_;
+   request_context_manager_ = std::make_unique<HeadlessRequestContextManager>(
+-      context_options_.get(), user_data_path, browser->os_crypt_async());
++      context_options_.get(), user_data_path);
+   profile_metrics::SetBrowserProfileType(
+       this, IsOffTheRecord() ? profile_metrics::BrowserProfileType::kIncognito
+                              : profile_metrics::BrowserProfileType::kRegular);
+diff --git a/headless/lib/browser/headless_browser_impl.cc b/headless/lib/browser/headless_browser_impl.cc
+index f0c79ccd63e102c4ef51535f476ceddc6c5156a9..c1e9430b3f5b67338f204ca5563a02c2da87cd49 100644
+--- a/headless/lib/browser/headless_browser_impl.cc
++++ b/headless/lib/browser/headless_browser_impl.cc
+@@ -16,8 +16,6 @@
+ #include "base/task/single_thread_task_runner.h"
+ #include "build/config/linux/dbus/buildflags.h"
+ #include "components/embedder_support/user_agent_utils.h"
+-#include "components/os_crypt/async/browser/os_crypt_async.h"
+-#include "components/os_crypt/async/common/encryptor.h"
+ #include "components/version_info/version_info.h"
+ #include "content/public/browser/browser_task_traits.h"
+ #include "content/public/browser/browser_thread.h"
+@@ -212,8 +210,7 @@ void HeadlessBrowserImpl::SetDefaultBrowserContext(
+   if (default_browser_context_ && !system_request_context_manager_) {
+     system_request_context_manager_ =
+         HeadlessRequestContextManager::CreateSystemContext(
+-            HeadlessBrowserContextImpl::From(browser_context)->options(),
+-            os_crypt_async());
++            HeadlessBrowserContextImpl::From(browser_context)->options());
+   }
+ }
+ 
+@@ -269,8 +266,6 @@ bool HeadlessBrowserImpl::ShouldStartDevToolsServer() {
+ }
+ 
+ void HeadlessBrowserImpl::PreMainMessageLoopRun() {
+-  CreateOSCryptAsync();
+-
+   platform_delegate_->Initialize(options_.value());
+ 
+   // We don't support the tethering domain on this agent host.
+@@ -287,7 +282,6 @@ void HeadlessBrowserImpl::WillRunMainMessageLoop(base::RunLoop& run_loop) {
+ }
+ 
+ void HeadlessBrowserImpl::PostMainMessageLoopRun() {
+-  os_crypt_async_.reset();
+ #if defined(HEADLESS_USE_PREFS)
+   if (local_state_) {
+     local_state_->CommitPendingWrite();
+diff --git a/headless/lib/browser/headless_browser_impl.h b/headless/lib/browser/headless_browser_impl.h
+index 1d9ba1861de0065cb059710fab7b619c0df55216..69056c94a348566e2d080307c794e5dd28322dff 100644
+--- a/headless/lib/browser/headless_browser_impl.h
++++ b/headless/lib/browser/headless_browser_impl.h
+@@ -31,9 +31,11 @@ class PolicyService;
+ class PrefService;
+ #endif
+ 
+-namespace os_crypt_async {
+-class OSCryptAsync;
+-}
++#if BUILDFLAG(IS_MAC)
++namespace device {
++class GeolocationSystemPermissionManager;
++}  // namespace device
++#endif
+ 
+ namespace ui {
+ class Compositor;
+@@ -99,10 +101,6 @@ class HEADLESS_EXPORT HeadlessBrowserImpl : public HeadlessBrowser {
+ 
+   int exit_code() const { return exit_code_; }
+ 
+-  os_crypt_async::OSCryptAsync* os_crypt_async() {
+-    return os_crypt_async_.get();
+-  }
+-
+ #if defined(HEADLESS_USE_PREFS)
+   void CreatePrefService();
+   PrefService* GetPrefs();
+@@ -121,8 +119,6 @@ class HEADLESS_EXPORT HeadlessBrowserImpl : public HeadlessBrowser {
+ 
+   int exit_code_ = 0;
+ 
+-  std::unique_ptr<os_crypt_async::OSCryptAsync> os_crypt_async_;
+-
+   base::flat_map<std::string, std::unique_ptr<HeadlessBrowserContextImpl>>
+       browser_contexts_;
+   raw_ptr<HeadlessBrowserContext, AcrossTasksDanglingUntriaged>
+diff --git a/headless/lib/browser/headless_request_context_manager.cc b/headless/lib/browser/headless_request_context_manager.cc
+index 6c4ce0a6fa6624cace08bfdb2c62b12836a744fa..fe1a11f94a709400434fb41a5bdcdb8f4d47a959 100644
+--- a/headless/lib/browser/headless_request_context_manager.cc
++++ b/headless/lib/browser/headless_request_context_manager.cc
+@@ -11,7 +11,6 @@
+ #include "base/task/single_thread_task_runner.h"
+ #include "build/build_config.h"
+ #include "components/embedder_support/switches.h"
+-#include "components/os_crypt/async/browser/os_crypt_async.h"
+ #include "content/public/browser/browser_thread.h"
+ #include "content/public/browser/network_service_instance.h"
+ #include "headless/lib/browser/headless_browser_context_options.h"
+@@ -138,10 +137,9 @@ class HeadlessProxyConfigMonitor
+ // static
+ std::unique_ptr<HeadlessRequestContextManager>
+ HeadlessRequestContextManager::CreateSystemContext(
+-    const HeadlessBrowserContextOptions* options,
+-    os_crypt_async::OSCryptAsync* os_crypt_async) {
++    const HeadlessBrowserContextOptions* options) {
+   auto manager = std::make_unique<HeadlessRequestContextManager>(
+-      options, base::FilePath(), os_crypt_async);
++      options, base::FilePath());
+ 
+   base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
+   auto auth_params = ::network::mojom::HttpAuthDynamicParams::New();
+@@ -172,8 +170,7 @@ HeadlessRequestContextManager::CreateSystemContext(
+ 
+ HeadlessRequestContextManager::HeadlessRequestContextManager(
+     const HeadlessBrowserContextOptions* options,
+-    base::FilePath user_data_path,
+-    os_crypt_async::OSCryptAsync* os_crypt_async)
++    base::FilePath user_data_path)
+     :
+ // On Windows, Cookie encryption requires access to local_state prefs.
+ #if BUILDFLAG(IS_WIN) && !defined(HEADLESS_USE_PREFS)
+@@ -183,7 +180,6 @@ HeadlessRequestContextManager::HeadlessRequestContextManager(
+           !base::CommandLine::ForCurrentProcess()->HasSwitch(
+               switches::kDisableCookieEncryption)),
+ #endif
+-      os_crypt_async_(os_crypt_async),
+       user_data_path_(std::move(user_data_path)),
+       disk_cache_dir_(options->disk_cache_dir()),
+       accept_language_(options->accept_language()),
+@@ -192,10 +188,6 @@ HeadlessRequestContextManager::HeadlessRequestContextManager(
+           options->proxy_config()
+               ? std::make_unique<net::ProxyConfig>(*options->proxy_config())
+               : nullptr) {
+-  if (cookie_encryption_enabled_) {
+-    cookie_encryption_provider_ =
+-        std::make_unique<CookieEncryptionProviderImpl>(os_crypt_async_.get());
+-  }
+   if (!proxy_config_) {
+     base::CommandLine* command_line = base::CommandLine::ForCurrentProcess();
+     if (command_line->HasSwitch(switches::kNoSystemProxyConfigService)) {
+@@ -240,10 +232,6 @@ void HeadlessRequestContextManager::ConfigureNetworkContextParamsInternal(
+ 
+   if (!user_data_path_.empty()) {
+     context_params->enable_encrypted_cookies = cookie_encryption_enabled_;
+-    if (cookie_encryption_enabled_) {
+-      context_params->cookie_encryption_provider =
+-          cookie_encryption_provider_->BindNewRemote();
+-    }
+     context_params->file_paths =
+         ::network::mojom::NetworkContextFilePaths::New();
+     context_params->file_paths->data_directory =
+diff --git a/headless/lib/browser/headless_request_context_manager.h b/headless/lib/browser/headless_request_context_manager.h
+index 91d74eaadd9f4d451e809b38a2f999b298068820..e45427ce90f909e609688ab59f4581b185b6757e 100644
+--- a/headless/lib/browser/headless_request_context_manager.h
++++ b/headless/lib/browser/headless_request_context_manager.h
+@@ -13,13 +13,8 @@
+ #include "content/public/browser/browser_context.h"
+ #include "mojo/public/cpp/bindings/pending_remote.h"
+ #include "services/cert_verifier/public/mojom/cert_verifier_service_factory.mojom-forward.h"
+-#include "services/network/public/cpp/cookie_encryption_provider_impl.h"
+ #include "services/network/public/mojom/network_context.mojom.h"
+ 
+-namespace os_crypt_async {
+-class OSCryptAsync;
+-}
+-
+ namespace headless {
+ 
+ class HeadlessBrowserContextOptions;
+@@ -28,12 +23,10 @@ class HeadlessProxyConfigMonitor;
+ class HeadlessRequestContextManager {
+  public:
+   static std::unique_ptr<HeadlessRequestContextManager> CreateSystemContext(
+-      const HeadlessBrowserContextOptions* options,
+-      os_crypt_async::OSCryptAsync* os_crypt_async);
++      const HeadlessBrowserContextOptions* options);
+ 
+   HeadlessRequestContextManager(const HeadlessBrowserContextOptions* options,
+-                                base::FilePath user_data_path,
+-                                os_crypt_async::OSCryptAsync* os_crypt_async);
++                                base::FilePath user_data_path);
+ 
+   HeadlessRequestContextManager(const HeadlessRequestContextManager&) = delete;
+   HeadlessRequestContextManager& operator=(
+@@ -56,15 +49,12 @@ class HeadlessRequestContextManager {
+ 
+   const bool cookie_encryption_enabled_;
+ 
+-  const raw_ptr<os_crypt_async::OSCryptAsync> os_crypt_async_;
+-
+   base::FilePath user_data_path_;
+   base::FilePath disk_cache_dir_;
+   std::string accept_language_;
+   std::string user_agent_;
+   std::unique_ptr<net::ProxyConfig> proxy_config_;
+   std::unique_ptr<HeadlessProxyConfigMonitor> proxy_config_monitor_;
+-  std::unique_ptr<CookieEncryptionProviderImpl> cookie_encryption_provider_;
+ 
+   mojo::PendingRemote<::network::mojom::NetworkContext> system_context_;
+ };
+diff --git a/services/network/network_context.cc b/services/network/network_context.cc
+index f9e704f9dc76f802b330487238717a6df3ba7b36..1702b7f7603d98e2f08a8af7310daa1fb3250d54 100644
+--- a/services/network/network_context.cc
++++ b/services/network/network_context.cc
+@@ -3274,12 +3274,7 @@ NetworkContext::MakeSessionCleanupCookieStore() const {
+       crypto_delegate = std::make_unique<CookieOSCryptAsyncDelegate>(
+           std::move(params_->cookie_encryption_provider));
+     } else {
+-#if !BUILDFLAG(IS_ANDROID)
+-      // A cookie crypto delegate should not be created on Android to
+-      // match the behavior of cookie_config::GetCookieCryptoDelegate().
+-      // See https://crbug.com/449652881
+-      NOTREACHED();
+-#endif
++      crypto_delegate = cookie_config::GetCookieCryptoDelegate();
+     }
+   }
+ 
+diff --git a/services/network/public/cpp/BUILD.gn b/services/network/public/cpp/BUILD.gn
+index eb6d8e40d27b7d1027e9afcace37aad487c333d7..3916ffd9787183bdd1e04dce1fe8e9dafd16b338 100644
+--- a/services/network/public/cpp/BUILD.gn
++++ b/services/network/public/cpp/BUILD.gn
+@@ -69,8 +69,6 @@ component("cpp") {
+     "content_decoding_interceptor.h",
+     "content_language_parser.cc",
+     "content_language_parser.h",
+-    "cookie_encryption_provider_impl.cc",
+-    "cookie_encryption_provider_impl.h",
+     "cors/cors.cc",
+     "cors/cors.h",
+     "cors/origin_access_list.cc",
+@@ -191,8 +189,6 @@ component("cpp") {
+   deps = [
+     "//base",
+     "//components/link_header_util",
+-    "//components/os_crypt/async/browser",
+-    "//components/os_crypt/async/common",
+     "//components/prefs",
+     "//ipc",
+     "//net",
+diff --git a/services/network/public/mojom/network_context.mojom b/services/network/public/mojom/network_context.mojom
+index 0a837fbd18a0e597805b418a7f3022c499fb0c41..e511f65399c20cb9889c56a1c2c9e97eb84b3bf2 100644
+--- a/services/network/public/mojom/network_context.mojom
++++ b/services/network/public/mojom/network_context.mojom
+@@ -576,9 +576,10 @@ struct NetworkContextParams {
+   bool acam_preflight_spec_conformant = true;
+ 
+   // Sets the cookie encryption provider to be used by this network context if
+-  // `enable_encrypted_cookies` is enabled.
+-  // The `GetEncryptor` method on the supplied `cookie_encryption_provider` is
+-  // called to obtain a valid set of keys for cookie encryption.
++  // `enable_encrypted_cookies` is also enabled.
++  // If both are set then the `GetEncryptor` method on the supplied
++  // `cookie_encryption_provider` is called to obtain a valid set of keys for
++  // cookie encryption.
+   pending_remote<CookieEncryptionProvider>? cookie_encryption_provider;
+ 
+   // Enables Device Bound Session Credential for this network context.

patches/chromium/make_gtk_getlibgtk_public.patch

@@ -1,13 +1,13 @@
 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
 From: deepak1556 <hop2deep@gmail.com>
 Date: Thu, 7 Apr 2022 20:30:16 +0900
-Subject: Make gtk::GetLibGdkPixbuf public
+Subject: Make gtk::GetLibGdkPixbuf and gtk::GetLibGdk public
 
-Allows embedders to get a handle to the gdk_pixbuf
-library already loaded in the process.
+Allows embedders to get handles to the gdk_pixbuf
+and gdk libraries already loaded in the process.
 
 diff --git a/ui/gtk/gtk_compat.cc b/ui/gtk/gtk_compat.cc
-index e05b4f2eb1b22d5a647cb020bae4e4052a2e735c..c06af1c03487fafe76fde3bfa157a7d265e2f3a0 100644
+index e05b4f2eb1b22d5a647cb020bae4e4052a2e735c..86524a419606bea3e7d090415fda8f2d8ce24df2 100644
 --- a/ui/gtk/gtk_compat.cc
 +++ b/ui/gtk/gtk_compat.cc
 @@ -78,11 +78,6 @@ void* GetLibGio() {
@@ -22,7 +22,7 @@ index e05b4f2eb1b22d5a647cb020bae4e4052a2e735c..c06af1c03487fafe76fde3bfa157a7d2
  void* GetLibGdk3() {
    static void* libgdk3 = DlOpen("libgdk-3.so.0");
    return libgdk3;
-@@ -175,6 +170,11 @@ gfx::Insets InsetsFromGtkBorder(const GtkBorder& border) {
+@@ -175,6 +170,15 @@ gfx::Insets InsetsFromGtkBorder(const GtkBorder& border) {
  
  }  // namespace
  
@@ -30,20 +30,27 @@ index e05b4f2eb1b22d5a647cb020bae4e4052a2e735c..c06af1c03487fafe76fde3bfa157a7d2
 +  static void* libgdk_pixbuf = DlOpen("libgdk_pixbuf-2.0.so.0");
 +  return libgdk_pixbuf;
 +}
++
++void* GetLibGdk() {
++  return GtkCheckVersion(4) ? GetLibGtk4() : GetLibGdk3();
++}
 +
  bool LoadGtk(ui::LinuxUiBackend backend) {
    static bool loaded = LoadGtkImpl(backend);
    return loaded;
 diff --git a/ui/gtk/gtk_compat.h b/ui/gtk/gtk_compat.h
-index 841e2e8fcdbe2da4aac487badd4d352476e461a2..e458df649546fa3bee10e24f0edac147186cc152 100644
+index 841e2e8fcdbe2da4aac487badd4d352476e461a2..043c3ab4dde02ca71798034e8cb2b3f2d2677af7 100644
 --- a/ui/gtk/gtk_compat.h
 +++ b/ui/gtk/gtk_compat.h
-@@ -42,6 +42,9 @@ using SkColor = uint32_t;
+@@ -42,6 +42,12 @@ using SkColor = uint32_t;
  
  namespace gtk {
  
 +// Get handle to the currently loaded gdk_pixbuf library in the process.
 +void* GetLibGdkPixbuf();
++
++// Get handle to the currently loaded gdk library in the process.
++void* GetLibGdk();
 +
  // Loads libgtk and related libraries and returns true on success.
  bool LoadGtk(ui::LinuxUiBackend backend);

patches/chromium/mas_avoid_private_macos_api_usage.patch.patch

@@ -640,7 +640,7 @@ index 889c0849910afa8f5be8bd8f55692bb482335383..ff2a4bc790b0fa2dec9702d82a022185
  // The NSWindow used by BridgedNativeWidget. Provides hooks into AppKit that
  // can only be accomplished by overriding methods.
 diff --git a/components/remote_cocoa/app_shim/native_widget_mac_nswindow.mm b/components/remote_cocoa/app_shim/native_widget_mac_nswindow.mm
-index 20fbdb2d4ac747aa174c5d8e19fd9f1ea48314a9..96588e0dfd084822f5c98cfaf2ee3c403fbd5e5f 100644
+index 20fbdb2d4ac747aa174c5d8e19fd9f1ea48314a9..f8f58f12464189650399879756f7a450d86beaf0 100644
 --- a/components/remote_cocoa/app_shim/native_widget_mac_nswindow.mm
 +++ b/components/remote_cocoa/app_shim/native_widget_mac_nswindow.mm
 @@ -22,6 +22,7 @@
@@ -677,7 +677,7 @@ index 20fbdb2d4ac747aa174c5d8e19fd9f1ea48314a9..96588e0dfd084822f5c98cfaf2ee3c40
  @end
  
  struct NSEdgeAndCornerThicknesses {
-@@ -159,13 +164,17 @@ - (void)cr_mouseDownOnFrameView:(NSEvent*)event;
+@@ -159,13 +164,30 @@ - (void)cr_mouseDownOnFrameView:(NSEvent*)event;
  @implementation NSView (CRFrameViewAdditions)
  // If a mouseDown: falls through to the frame view, turn it into a window drag.
  - (void)cr_mouseDownOnFrameView:(NSEvent*)event {
@@ -685,6 +685,19 @@ index 20fbdb2d4ac747aa174c5d8e19fd9f1ea48314a9..96588e0dfd084822f5c98cfaf2ee3c40
    if ([self.window _resizeDirectionForMouseLocation:event.locationInWindow] !=
        -1)
      return;
++#else
++  // For MAS builds, approximate the resize direction check.
++  if (self.window.styleMask & NSWindowStyleMaskResizable) {
++    constexpr CGFloat kResizeThreshold = 5.0;
++    NSPoint location = event.locationInWindow;
++    NSRect frame = self.window.frame;
++    CGFloat width = NSWidth(frame);
++    CGFloat height = NSHeight(frame);
++    if (location.x < kResizeThreshold || location.x > width - kResizeThreshold ||
++        location.y < kResizeThreshold || location.y > height - kResizeThreshold) {
++      return;
++    }
++  }
 +#endif
    [self.window performWindowDragWithEvent:event];
  }
@@ -695,7 +708,7 @@ index 20fbdb2d4ac747aa174c5d8e19fd9f1ea48314a9..96588e0dfd084822f5c98cfaf2ee3c40
  @implementation NativeWidgetMacNSWindowTitledFrame
  - (void)mouseDown:(NSEvent*)event {
    if (self.window.isMovable)
-@@ -193,6 +202,8 @@ - (BOOL)usesCustomDrawing {
+@@ -193,6 +215,8 @@ - (BOOL)usesCustomDrawing {
  }
  @end
  
@@ -704,7 +717,7 @@ index 20fbdb2d4ac747aa174c5d8e19fd9f1ea48314a9..96588e0dfd084822f5c98cfaf2ee3c40
  @implementation NativeWidgetMacNSWindow {
   @private
    CommandDispatcher* __strong _commandDispatcher;
-@@ -262,6 +273,7 @@ - (NativeWidgetMacNSWindowHeadlessInfo*)headlessInfo {
+@@ -262,6 +286,7 @@ - (NativeWidgetMacNSWindowHeadlessInfo*)headlessInfo {
  // bubbles and the find bar, but these should not be movable.
  // Instead, let's push this up to the parent window which should be
  // the browser.
@@ -712,7 +725,7 @@ index 20fbdb2d4ac747aa174c5d8e19fd9f1ea48314a9..96588e0dfd084822f5c98cfaf2ee3c40
  - (void)_zoomToScreenEdge:(NSUInteger)edge {
    if (self.parentWindow) {
      [self.parentWindow _zoomToScreenEdge:edge];
-@@ -269,6 +281,7 @@ - (void)_zoomToScreenEdge:(NSUInteger)edge {
+@@ -269,6 +294,7 @@ - (void)_zoomToScreenEdge:(NSUInteger)edge {
      [super _zoomToScreenEdge:edge];
    }
  }
@@ -720,7 +733,7 @@ index 20fbdb2d4ac747aa174c5d8e19fd9f1ea48314a9..96588e0dfd084822f5c98cfaf2ee3c40
  
  // This override helps diagnose lifetime issues in crash stacktraces by
  // inserting a symbol on NativeWidgetMacNSWindow and should be kept even if it
-@@ -401,6 +414,8 @@ - (NSAccessibilityRole)accessibilityRole {
+@@ -401,6 +427,8 @@ - (NSAccessibilityRole)accessibilityRole {
  
  // NSWindow overrides.
  
@@ -729,7 +742,7 @@ index 20fbdb2d4ac747aa174c5d8e19fd9f1ea48314a9..96588e0dfd084822f5c98cfaf2ee3c40
  + (Class)frameViewClassForStyleMask:(NSWindowStyleMask)windowStyle {
    if (windowStyle & NSWindowStyleMaskTitled) {
      if (Class customFrame = [NativeWidgetMacNSWindowTitledFrame class])
-@@ -412,6 +427,8 @@ + (Class)frameViewClassForStyleMask:(NSWindowStyleMask)windowStyle {
+@@ -412,6 +440,8 @@ + (Class)frameViewClassForStyleMask:(NSWindowStyleMask)windowStyle {
    return [super frameViewClassForStyleMask:windowStyle];
  }
  
@@ -738,7 +751,7 @@ index 20fbdb2d4ac747aa174c5d8e19fd9f1ea48314a9..96588e0dfd084822f5c98cfaf2ee3c40
  - (NSRect)constrainFrameRect:(NSRect)frameRect toScreen:(NSScreen*)screen {
    if (self.isHeadless || self.parentWindow) {
      // AppKit's default implementation moves child windows down to avoid
-@@ -449,12 +466,14 @@ - (BOOL)_usesCustomDrawing {
+@@ -449,12 +479,14 @@ - (BOOL)_usesCustomDrawing {
  // if it were valid to set that style for windows, setting the window style
  // recalculates and re-caches a bunch of stuff, so a surgical override is the
  // cleanest approach.
@@ -753,7 +766,7 @@ index 20fbdb2d4ac747aa174c5d8e19fd9f1ea48314a9..96588e0dfd084822f5c98cfaf2ee3c40
  
  + (void)_getExteriorResizeEdgeThicknesses:
              (NSEdgeAndCornerThicknesses*)outThicknesses
-@@ -708,9 +727,11 @@ - (id)archiver:(NSKeyedArchiver*)archiver willEncodeObject:(id)object {
+@@ -708,9 +740,11 @@ - (id)archiver:(NSKeyedArchiver*)archiver willEncodeObject:(id)object {
  }
  
  - (void)saveRestorableState {
@@ -765,7 +778,7 @@ index 20fbdb2d4ac747aa174c5d8e19fd9f1ea48314a9..96588e0dfd084822f5c98cfaf2ee3c40
  
    // Certain conditions, such as in the Speedometer 3 benchmark, can trigger a
    // rapid succession of calls to saveRestorableState. If there's no pending
-@@ -777,6 +798,7 @@ - (void)reallySaveRestorableState {
+@@ -777,6 +811,7 @@ - (void)reallySaveRestorableState {
  // affects its restorable state changes.
  - (void)invalidateRestorableState {
    [super invalidateRestorableState];
@@ -773,7 +786,7 @@ index 20fbdb2d4ac747aa174c5d8e19fd9f1ea48314a9..96588e0dfd084822f5c98cfaf2ee3c40
    if ([self _isConsideredOpenForPersistentState]) {
      if (_willUpdateRestorableState)
        return;
-@@ -789,6 +811,7 @@ - (void)invalidateRestorableState {
+@@ -789,6 +824,7 @@ - (void)invalidateRestorableState {
      _willUpdateRestorableState = NO;
      [NSObject cancelPreviousPerformRequestsWithTarget:self];
    }
@@ -781,7 +794,7 @@ index 20fbdb2d4ac747aa174c5d8e19fd9f1ea48314a9..96588e0dfd084822f5c98cfaf2ee3c40
  }
  
  // On newer SDKs, _canMiniaturize respects NSWindowStyleMaskMiniaturizable in
-@@ -965,6 +988,7 @@ - (void)maybeRemoveTreeFromOrderingGroups {
+@@ -965,6 +1001,7 @@ - (void)maybeRemoveTreeFromOrderingGroups {
    // Since _removeFromGroups: is not documented it could go away in newer
    // versions of macOS. If the selector does not exist, DumpWithoutCrashing() so
    // we hear about the change.
@@ -789,7 +802,7 @@ index 20fbdb2d4ac747aa174c5d8e19fd9f1ea48314a9..96588e0dfd084822f5c98cfaf2ee3c40
    if (![NSWindow instancesRespondToSelector:@selector(_removeFromGroups:)]) {
      base::debug::DumpWithoutCrashing();
      return;
-@@ -982,6 +1006,7 @@ - (void)maybeRemoveTreeFromOrderingGroups {
+@@ -982,6 +1019,7 @@ - (void)maybeRemoveTreeFromOrderingGroups {
        [currentWindow _removeFromGroups:child];
      }
    }

patches/chromium/patch_osr_control_screen_info.patch

@@ -1,22 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: reito <reito@chromium.org>
-Date: Wed, 29 Oct 2025 00:50:03 +0800
-Subject: patch: osr control screen info
-
-We need to override GetNewScreenInfosForUpdate to ensure the screen info
-is updated correctly, instead of overriding GetScreenInfo which seems not
-working.
-
-diff --git a/content/browser/renderer_host/render_widget_host_view_base.h b/content/browser/renderer_host/render_widget_host_view_base.h
-index 1a18bdda39f76cfae36adc0ffde136e788a98262..1062bada30908399f5429b51031e245f4d010f84 100644
---- a/content/browser/renderer_host/render_widget_host_view_base.h
-+++ b/content/browser/renderer_host/render_widget_host_view_base.h
-@@ -680,7 +680,7 @@ class CONTENT_EXPORT RenderWidgetHostViewBase
- 
-   // Generates the most current set of ScreenInfos from the current set of
-   // displays in the system for use in UpdateScreenInfo.
--  display::ScreenInfos GetNewScreenInfosForUpdate();
-+  virtual display::ScreenInfos GetNewScreenInfosForUpdate();
- 
-   // Called when display properties that need to be synchronized with the
-   // renderer process changes. This method is called before notifying

patches/chromium/refactor_allow_customizing_config_in_freedesktopsecretkeyprovider.patch

@@ -1,225 +0,0 @@
-From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
-From: Shelley Vohr <shelley.vohr@gmail.com>
-Date: Tue, 20 Jan 2026 10:20:39 +0000
-Subject: refactor: allow customizing config in FreedesktopSecretKeyProvider
-
-This commit allows customizing components of the FreedesktopSecretKeyProvider
-via config, specifically:
-* App name
-* KWallet folder name
-* KWallet key name
-
-This allows FreedesktopSecretKeyProvider to be used by multiple apps without
-naming conflicts. This should be upstreamed to Chromium if possible.
-
-diff --git a/components/os_crypt/async/browser/freedesktop_secret_key_provider.cc b/components/os_crypt/async/browser/freedesktop_secret_key_provider.cc
-index c45f79eea18190a9216fd5ff1b3cf9d0d86ec059..356c6931017c83f7a89c5125f0bb90c8bc58569d 100644
---- a/components/os_crypt/async/browser/freedesktop_secret_key_provider.cc
-+++ b/components/os_crypt/async/browser/freedesktop_secret_key_provider.cc
-@@ -36,6 +36,30 @@ namespace os_crypt_async {
- 
- namespace {
- 
-+const char* GetDefaultAppName() {
-+#if BUILDFLAG(GOOGLE_CHROME_BRANDING)
-+  return "chrome";
-+#else
-+  return "chromium";
-+#endif
-+}
-+
-+const char* GetDefaultKWalletFolder() {
-+#if BUILDFLAG(GOOGLE_CHROME_BRANDING)
-+  return "Chrome Keys";
-+#else
-+  return "Chromium Keys";
-+#endif
-+}
-+
-+const char* GetDefaultKeyName() {
-+#if BUILDFLAG(GOOGLE_CHROME_BRANDING)
-+  return "Chrome Safe Storage";
-+#else
-+  return "Chromium Safe Storage";
-+#endif
-+}
-+
- constexpr char kUmaInitStatus[] =
-     "OSCrypt.FreedesktopSecretKeyProvider.InitStatus";
- constexpr char kUmaErrorDetail[] =
-@@ -116,6 +140,24 @@ const char* InitStatusToString(
- 
- }  // namespace
- 
-+FreedesktopSecretKeyProvider::Config::Config()
-+    : app_name(GetDefaultAppName()),
-+      kwallet_folder(GetDefaultKWalletFolder()),
-+      key_name(GetDefaultKeyName()) {}
-+
-+FreedesktopSecretKeyProvider::Config::~Config() = default;
-+
-+FreedesktopSecretKeyProvider::Config::Config(const Config&) = default;
-+
-+FreedesktopSecretKeyProvider::Config&
-+FreedesktopSecretKeyProvider::Config::operator=(const Config&) = default;
-+
-+// static
-+FreedesktopSecretKeyProvider::Config
-+FreedesktopSecretKeyProvider::GetDefaultConfig() {
-+  return Config();
-+}
-+
- // A helper class to handle a Secret Service prompt. It is templated on the
- // return type expected from the prompt.
- template <typename T>
-@@ -246,8 +288,19 @@ FreedesktopSecretKeyProvider::FreedesktopSecretKeyProvider(
-     const std::string& password_store,
-     const std::string& product_name,
-     scoped_refptr<dbus::Bus> bus)
-+    : FreedesktopSecretKeyProvider(password_store,
-+                                   product_name,
-+                                   GetDefaultConfig(),
-+                                   std::move(bus)) {}
-+
-+FreedesktopSecretKeyProvider::FreedesktopSecretKeyProvider(
-+    const std::string& password_store,
-+    const std::string& product_name,
-+    const Config& config,
-+    scoped_refptr<dbus::Bus> bus)
-     : password_store_(password_store),
-       product_name_(product_name),
-+      config_(config),
-       bus_(std::move(bus)) {
-   if (!bus_) {
-     bus_ = dbus_thread_linux::GetSharedSessionBus();
-@@ -479,7 +532,7 @@ void FreedesktopSecretKeyProvider::OnOpenSession(
-   session_opened_ = true;
- 
-   std::map<std::string, std::string> search_attrs{
--      {kApplicationAttributeKey, kAppName}};
-+      {kApplicationAttributeKey, config_.app_name}};
- 
-   dbus_utils::CallMethod<"a{ss}", "ao">(
-       default_collection_proxy_, kSecretCollectionInterface, kMethodSearchItems,
-@@ -668,7 +721,7 @@ void FreedesktopSecretKeyProvider::OnKWalletOpen(int32_t handle) {
-       kwallet_proxy_, kKWalletInterface, kKWalletMethodHasFolder,
-       base::BindOnce(&FreedesktopSecretKeyProvider::OnKWalletHasFolder,
-                      weak_ptr_factory_.GetWeakPtr()),
--      kwallet_handle_, kKWalletFolder, product_name_);
-+      kwallet_handle_, config_.kwallet_folder, product_name_);
- }
- 
- void FreedesktopSecretKeyProvider::OnKWalletHasFolder(
-@@ -685,13 +738,13 @@ void FreedesktopSecretKeyProvider::OnKWalletHasFolder(
-         kwallet_proxy_, kKWalletInterface, kKWalletMethodHasEntry,
-         base::BindOnce(&FreedesktopSecretKeyProvider::OnKWalletHasEntry,
-                        weak_ptr_factory_.GetWeakPtr()),
--        kwallet_handle_, kKWalletFolder, kKeyName, product_name_);
-+        kwallet_handle_, config_.kwallet_folder, config_.key_name, product_name_);
-   } else {
-     dbus_utils::CallMethod<"iss", "b">(
-         kwallet_proxy_, kKWalletInterface, kKWalletMethodCreateFolder,
-         base::BindOnce(&FreedesktopSecretKeyProvider::OnKWalletCreateFolder,
-                        weak_ptr_factory_.GetWeakPtr()),
--        kwallet_handle_, kKWalletFolder, product_name_);
-+        kwallet_handle_, config_.kwallet_folder, product_name_);
-   }
- }
- 
-@@ -725,7 +778,7 @@ void FreedesktopSecretKeyProvider::OnKWalletHasEntry(
-         kwallet_proxy_, kKWalletInterface, kKWalletMethodReadPassword,
-         base::BindOnce(&FreedesktopSecretKeyProvider::OnKWalletReadPassword,
-                        weak_ptr_factory_.GetWeakPtr()),
--        kwallet_handle_, kKWalletFolder, kKeyName, product_name_);
-+        kwallet_handle_, config_.kwallet_folder, config_.key_name, product_name_);
-   } else {
-     GenerateAndWriteKWalletPassword();
-   }
-@@ -761,7 +814,7 @@ void FreedesktopSecretKeyProvider::GenerateAndWriteKWalletPassword() {
-       kwallet_proxy_, kKWalletInterface, kKWalletMethodWritePassword,
-       base::BindOnce(&FreedesktopSecretKeyProvider::OnKWalletWritePassword,
-                      weak_ptr_factory_.GetWeakPtr(), secret),
--      kwallet_handle_, kKWalletFolder, kKeyName, secret->as_string(),
-+      kwallet_handle_, config_.kwallet_folder, config_.key_name, secret->as_string(),
-       product_name_);
- }
- 
-@@ -789,14 +842,14 @@ void FreedesktopSecretKeyProvider::OnKWalletWritePassword(
- void FreedesktopSecretKeyProvider::CreateItem(
-     scoped_refptr<base::RefCountedMemory> secret) {
-   std::map<std::string, std::string> attributes{
--      {kApplicationAttributeKey, kAppName},
-+      {kApplicationAttributeKey, config_.app_name},
-       {kSchemaAttributeKey, kSchemaAttributeValue}};
- 
-   std::map<std::string, dbus_utils::Variant> props;
-   props.emplace(kSecretItemAttributesProperty,
-                 dbus_utils::Variant::Wrap<"a{ss}">(std::move(attributes)));
-   props.emplace(kSecretItemLabelProperty,
--                dbus_utils::Variant::Wrap<"s">(kKeyName));
-+                dbus_utils::Variant::Wrap<"s">(config_.key_name));
- 
-   std::vector<uint8_t> secret_bytes(secret->begin(), secret->end());
-   auto secret_struct =
-diff --git a/components/os_crypt/async/browser/freedesktop_secret_key_provider.h b/components/os_crypt/async/browser/freedesktop_secret_key_provider.h
-index bc2c74090d3db088b97132c5cd83950510fe85b4..38f6384083537f60d12f016fbb67adc694e6f457 100644
---- a/components/os_crypt/async/browser/freedesktop_secret_key_provider.h
-+++ b/components/os_crypt/async/browser/freedesktop_secret_key_provider.h
-@@ -81,11 +81,32 @@ class FreedesktopSecretKeyProvider : public KeyProvider {
-     kMaxValue = kExtraDataInResponse,
-   };
- 
-+  struct Config {
-+    Config();
-+    ~Config();
-+    Config(const Config&);
-+    Config& operator=(const Config&);
-+
-+    // The application name used for D-Bus attributes.
-+    std::string app_name;
-+    // The folder name used in KWallet.
-+    std::string kwallet_folder;
-+    // The key name used for storing the encryption key.
-+    std::string key_name;
-+  };
-+
-   FreedesktopSecretKeyProvider(const std::string& password_store,
-                                const std::string& product_name,
-                                scoped_refptr<dbus::Bus> bus);
-+  FreedesktopSecretKeyProvider(const std::string& password_store,
-+                               const std::string& product_name,
-+                               const Config& config,
-+                               scoped_refptr<dbus::Bus> bus);
-   ~FreedesktopSecretKeyProvider() override;
- 
-+  // Returns the default configuration with platform-specific defaults.
-+  static Config GetDefaultConfig();
-+
-   // KeyProvider:
-   void GetKey(KeyCallback callback) override;
-   bool UseForEncryption() override;
-@@ -172,16 +193,6 @@ class FreedesktopSecretKeyProvider : public KeyProvider {
-   static constexpr int kKWalletInvalidHandle = -1;
-   static constexpr int kKWalletInvalidTransactionId = -1;
- 
--#if BUILDFLAG(GOOGLE_CHROME_BRANDING)
--  static constexpr char kKWalletFolder[] = "Chrome Keys";
--  static constexpr char kKeyName[] = "Chrome Safe Storage";
--  static constexpr char kAppName[] = "chrome";
--#else
--  static constexpr char kKWalletFolder[] = "Chromium Keys";
--  static constexpr char kKeyName[] = "Chromium Safe Storage";
--  static constexpr char kAppName[] = "chromium";
--#endif
--
-   void InitializeFreedesktopSecretService();
-   void OnServiceStarted(std::optional<bool> service_started);
-   void OnReadAliasDefault(dbus_utils::CallMethodResultSig<"o"> collection_path);
-@@ -238,6 +249,7 @@ class FreedesktopSecretKeyProvider : public KeyProvider {
- 
-   const std::string password_store_;
-   const std::string product_name_;
-+  const Config config_;
-   scoped_refptr<dbus::Bus> bus_;
-   KeyCallback key_callback_;
- 

patches/node/api_delete_deprecated_fields_on_v8_isolate.patch

@@ -6,10 +6,10 @@ Subject: Delete deprecated fields on v8::Isolate
 https://chromium-review.googlesource.com/c/v8/v8/+/7081397
 
 diff --git a/src/api/environment.cc b/src/api/environment.cc
-index cfc9b3157d08d62f43e2e5bb01229fe663f3ca61..cce0e1cdc37aa324aa2c52ba134fc1a9a55b10ba 100644
+index cb1e4e6176e7385f8bc2bc9510761d3fc9c3182d..730254bfc16eceb7394f5aa766b648da4b96511f 100644
 --- a/src/api/environment.cc
 +++ b/src/api/environment.cc
-@@ -218,8 +218,6 @@ void SetIsolateCreateParamsForNode(Isolate::CreateParams* params) {
+@@ -226,8 +226,6 @@ void SetIsolateCreateParamsForNode(Isolate::CreateParams* params) {
      // heap based on the actual physical memory.
      params->constraints.ConfigureDefaults(total_memory, 0);
    }

patches/node/api_promote_deprecation_of_v8_context_and_v8_object_api_methods.patch

@@ -58,10 +58,10 @@ index 404e2aa8c88d0cc0e6717c01e0df68899c64cc32..16462f305a2ac6b6c3d7b85024f2e526
  }
  
 diff --git a/src/env-inl.h b/src/env-inl.h
-index 74bbb9fb83246a90bc425e259150f0868020ac9e..a4b3a1c0907c9d50baf6c8cd473cb4c7369d0a5c 100644
+index 777335321fc9037d91d88fb5852bbf5b05f50d0a..3dceb8b5448fd4971245f7408db4cae103f0a347 100644
 --- a/src/env-inl.h
 +++ b/src/env-inl.h
-@@ -189,7 +189,8 @@ inline Environment* Environment::GetCurrent(v8::Local<v8::Context> context) {
+@@ -199,7 +199,8 @@ inline Environment* Environment::GetCurrent(v8::Local<v8::Context> context) {
    }
    return static_cast<Environment*>(
        context->GetAlignedPointerFromEmbedderData(

patches/node/api_remove_deprecated_getisolate.patch

@@ -6,10 +6,10 @@ Subject: Remove deprecated `GetIsolate`
 https://chromium-review.googlesource.com/c/v8/v8/+/6905244
 
 diff --git a/src/api/environment.cc b/src/api/environment.cc
-index d753ad6c6b49b26b86920124f7ac90c1e052638e..cfc9b3157d08d62f43e2e5bb01229fe663f3ca61 100644
+index 0f19cb09ea0963a9c505c51f89d1c7a939f2730b..cb1e4e6176e7385f8bc2bc9510761d3fc9c3182d 100644
 --- a/src/api/environment.cc
 +++ b/src/api/environment.cc
-@@ -668,7 +668,7 @@ std::unique_ptr<MultiIsolatePlatform> MultiIsolatePlatform::Create(
+@@ -682,7 +682,7 @@ std::unique_ptr<MultiIsolatePlatform> MultiIsolatePlatform::Create(
  
  MaybeLocal<Object> GetPerContextExports(Local<Context> context,
                                          IsolateData* isolate_data) {
@@ -18,7 +18,7 @@ index d753ad6c6b49b26b86920124f7ac90c1e052638e..cfc9b3157d08d62f43e2e5bb01229fe6
    EscapableHandleScope handle_scope(isolate);
  
    Local<Object> global = context->Global();
-@@ -714,7 +714,7 @@ void ProtoThrower(const FunctionCallbackInfo<Value>& info) {
+@@ -728,7 +728,7 @@ void ProtoThrower(const FunctionCallbackInfo<Value>& info) {
  // This runs at runtime, regardless of whether the context
  // is created from a snapshot.
  Maybe<void> InitializeContextRuntime(Local<Context> context) {
@@ -27,7 +27,7 @@ index d753ad6c6b49b26b86920124f7ac90c1e052638e..cfc9b3157d08d62f43e2e5bb01229fe6
    HandleScope handle_scope(isolate);
  
    // When `IsCodeGenerationFromStringsAllowed` is true, V8 takes the fast path
-@@ -793,7 +793,7 @@ Maybe<void> InitializeContextRuntime(Local<Context> context) {
+@@ -807,7 +807,7 @@ Maybe<void> InitializeContextRuntime(Local<Context> context) {
  }
  
  Maybe<void> InitializeBaseContextForSnapshot(Local<Context> context) {
@@ -36,7 +36,7 @@ index d753ad6c6b49b26b86920124f7ac90c1e052638e..cfc9b3157d08d62f43e2e5bb01229fe6
    HandleScope handle_scope(isolate);
  
    // Delete `Intl.v8BreakIterator`
-@@ -818,7 +818,7 @@ Maybe<void> InitializeBaseContextForSnapshot(Local<Context> context) {
+@@ -832,7 +832,7 @@ Maybe<void> InitializeBaseContextForSnapshot(Local<Context> context) {
  }
  
  Maybe<void> InitializeMainContextForSnapshot(Local<Context> context) {
@@ -45,7 +45,7 @@ index d753ad6c6b49b26b86920124f7ac90c1e052638e..cfc9b3157d08d62f43e2e5bb01229fe6
    HandleScope handle_scope(isolate);
  
    // Initialize the default values.
-@@ -836,7 +836,7 @@ Maybe<void> InitializeMainContextForSnapshot(Local<Context> context) {
+@@ -850,7 +850,7 @@ Maybe<void> InitializeMainContextForSnapshot(Local<Context> context) {
  MaybeLocal<Object> InitializePrivateSymbols(Local<Context> context,
                                              IsolateData* isolate_data) {
    CHECK(isolate_data);
@@ -54,7 +54,7 @@ index d753ad6c6b49b26b86920124f7ac90c1e052638e..cfc9b3157d08d62f43e2e5bb01229fe6
    EscapableHandleScope scope(isolate);
    Context::Scope context_scope(context);
  
-@@ -860,7 +860,7 @@ MaybeLocal<Object> InitializePrivateSymbols(Local<Context> context,
+@@ -874,7 +874,7 @@ MaybeLocal<Object> InitializePrivateSymbols(Local<Context> context,
  MaybeLocal<Object> InitializePerIsolateSymbols(Local<Context> context,
                                                 IsolateData* isolate_data) {
    CHECK(isolate_data);
@@ -63,7 +63,7 @@ index d753ad6c6b49b26b86920124f7ac90c1e052638e..cfc9b3157d08d62f43e2e5bb01229fe6
    EscapableHandleScope scope(isolate);
    Context::Scope context_scope(context);
  
-@@ -886,7 +886,7 @@ MaybeLocal<Object> InitializePerIsolateSymbols(Local<Context> context,
+@@ -900,7 +900,7 @@ MaybeLocal<Object> InitializePerIsolateSymbols(Local<Context> context,
  Maybe<void> InitializePrimordials(Local<Context> context,
                                    IsolateData* isolate_data) {
    // Run per-context JS files.

patches/node/fix_crypto_tests_to_run_with_bssl.patch

@@ -10,6 +10,18 @@ This should be upstreamed in some form, though it may need to be tweaked
 before it's acceptable to upstream, as this patch comments out a couple
 of tests that upstream probably cares about.
 
+diff --git a/test/fixtures/crypto/rsa_pss.js b/test/fixtures/crypto/rsa_pss.js
+index 423f2c4d77bfc98bfbdab93c09aff8012c678cbd..fa0bcceb5697486930a9530732f9a9ab6e1bb5b0 100644
+--- a/test/fixtures/crypto/rsa_pss.js
++++ b/test/fixtures/crypto/rsa_pss.js
+@@ -1,6 +1,6 @@
+ 'use strict';
+ 
+-module.exports = function() {
++module.exports = function () {
+   const pkcs8 = Buffer.from(
+     '308204bf020100300d06092a864886f70d0101010500048204a9308204a5020100028' +
+     '2010100d3576092e62957364544e7e4233b7bdb293db2085122c479328546f9f0f712' +
 diff --git a/test/parallel/test-crypto-async-sign-verify.js b/test/parallel/test-crypto-async-sign-verify.js
 index 9876c4bb6ecd2e5b8879f153811cd0a0a22997aa..2c4bf03452eb10fec52c38a361b6aad93169f08d 100644
 --- a/test/parallel/test-crypto-async-sign-verify.js
@@ -41,102 +53,6 @@ index 9876c4bb6ecd2e5b8879f153811cd0a0a22997aa..2c4bf03452eb10fec52c38a361b6aad9
  
  // Test Parallel Execution w/ KeyObject is threadsafe in openssl3
  {
-diff --git a/test/parallel/test-crypto-authenticated.js b/test/parallel/test-crypto-authenticated.js
-index e8fedf2d5d5072e00afd493ac2ac44748212b02e..6fcbe244871d25b2151d39160149aaa50dc96012 100644
---- a/test/parallel/test-crypto-authenticated.js
-+++ b/test/parallel/test-crypto-authenticated.js
-@@ -627,21 +627,25 @@ for (const test of TEST_CASES) {
- {
-   // CCM cipher without data should not crash, see https://github.com/nodejs/node/issues/38035.
-   const algo = 'aes-128-ccm';
--  const key = Buffer.alloc(16);
--  const iv = Buffer.alloc(12);
--  const opts = { authTagLength: 10 };
-+  if (!ciphers.includes(algo)) {
-+    common.printSkipMessage(`unsupported ${algo} test`);
-+  } else {
-+    const key = Buffer.alloc(16);
-+    const iv = Buffer.alloc(12);
-+    const opts = { authTagLength: 10 };
- 
--  const cipher = crypto.createCipheriv(algo, key, iv, opts);
--  assert.throws(() => {
--    cipher.final();
--  }, hasOpenSSL3 ? {
--    code: 'ERR_OSSL_TAG_NOT_SET'
--  } : {
--    message: /Unsupported state/
--  });
-+    const cipher = crypto.createCipheriv(algo, key, iv, opts);
-+    assert.throws(() => {
-+      cipher.final();
-+    }, hasOpenSSL3 ? {
-+      code: 'ERR_OSSL_TAG_NOT_SET'
-+    } : {
-+      message: /Unsupported state/
-+    });
-+  }
- }
- 
--{
-+if (!process.features.openssl_is_boringssl) {
-   const key = Buffer.alloc(32);
-   const iv = Buffer.alloc(12);
- 
-@@ -653,11 +657,13 @@ for (const test of TEST_CASES) {
-       message: errMessages.authTagLength
-     });
-   }
-+} else {
-+  common.printSkipMessage('Skipping unsupported chacha20-poly1305 test');
- }
- 
- // ChaCha20-Poly1305 should respect the authTagLength option and should not
- // require the authentication tag before calls to update() during decryption.
--{
-+if (!process.features.openssl_is_boringssl) {
-   const key = Buffer.alloc(32);
-   const iv = Buffer.alloc(12);
- 
-@@ -697,6 +703,8 @@ for (const test of TEST_CASES) {
-       }
-     }
-   }
-+} else {
-+  common.printSkipMessage('Skipping unsupported chacha20-poly1305 test');
- }
- 
- // ChaCha20-Poly1305 should default to an authTagLength of 16. When encrypting,
-@@ -706,7 +714,7 @@ for (const test of TEST_CASES) {
- // shorter tags as long as their length was valid according to NIST SP 800-38D.
- // For ChaCha20-Poly1305, we intentionally deviate from that because there are
- // no recommended or approved authentication tag lengths below 16 bytes.
--{
-+if (!process.features.openssl_is_boringssl) {
-   const rfcTestCases = TEST_CASES.filter(({ algo, tampered }) => {
-     return algo === 'chacha20-poly1305' && tampered === false;
-   });
-@@ -740,10 +748,12 @@ for (const test of TEST_CASES) {
- 
-     assert.strictEqual(plaintext.toString('hex'), testCase.plain);
-   }
-+} else {
-+  common.printSkipMessage('Skipping unsupported chacha20-poly1305 test');
- }
- 
- // https://github.com/nodejs/node/issues/45874
--{
-+if (!process.features.openssl_is_boringssl) {
-   const rfcTestCases = TEST_CASES.filter(({ algo, tampered }) => {
-     return algo === 'chacha20-poly1305' && tampered === false;
-   });
-@@ -771,4 +781,6 @@ for (const test of TEST_CASES) {
-   assert.throws(() => {
-     decipher.final();
-   }, /Unsupported state or unable to authenticate data/);
-+} else {
-+  common.printSkipMessage('Skipping unsupported chacha20-poly1305 test');
- }
 diff --git a/test/parallel/test-crypto-cipheriv-decipheriv.js b/test/parallel/test-crypto-cipheriv-decipheriv.js
 index 6742722f9e90914b4dc8c079426d10040d476f72..8801ddfe7023fd0f7d5657b86a9164d75765322e 100644
 --- a/test/parallel/test-crypto-cipheriv-decipheriv.js
@@ -152,21 +68,6 @@ index 6742722f9e90914b4dc8c079426d10040d476f72..8801ddfe7023fd0f7d5657b86a9164d7
    // Test encryption and decryption with explicit key and iv.
    // AES Key Wrap test vector comes from RFC3394
    const plaintext = Buffer.from('00112233445566778899AABBCCDDEEFF', 'hex');
-diff --git a/test/parallel/test-crypto-default-shake-lengths-oneshot.js b/test/parallel/test-crypto-default-shake-lengths-oneshot.js
-index 247e58d93c4303ffde132e49fb25cf88d76fae7c..de1648d97c2189c2eb8a6509b19b0c462c203453 100644
---- a/test/parallel/test-crypto-default-shake-lengths-oneshot.js
-+++ b/test/parallel/test-crypto-default-shake-lengths-oneshot.js
-@@ -5,6 +5,10 @@ const common = require('../common');
- if (!common.hasCrypto)
-   common.skip('missing crypto');
- 
-+if (process.features.openssl_is_boringssl) {
-+  common.skip('Skipping unsupported shake128 digest method test');
-+}
-+
- const { hash } = require('crypto');
- 
- common.expectWarning({
 diff --git a/test/parallel/test-crypto-dh-curves.js b/test/parallel/test-crypto-dh-curves.js
 index 81a469c226c261564dee1e0b06b6571b18a41f1f..58b66045dba4201b7ebedd78b129420ffc316051 100644
 --- a/test/parallel/test-crypto-dh-curves.js
@@ -181,71 +82,18 @@ index 81a469c226c261564dee1e0b06b6571b18a41f1f..58b66045dba4201b7ebedd78b129420f
  
  const availableCurves = new Set(crypto.getCurves());
 diff --git a/test/parallel/test-crypto-dh-errors.js b/test/parallel/test-crypto-dh-errors.js
-index d7527d82617efccd931f0fc2f700ab876872c1e6..5474d094c7af1bec1e9d144e04663a41def9df3c 100644
+index d7527d82617efccd931f0fc2f700ab876872c1e6..b14b4bbf88b902b6de916b92e3d48335c01df911 100644
 --- a/test/parallel/test-crypto-dh-errors.js
 +++ b/test/parallel/test-crypto-dh-errors.js
-@@ -27,13 +27,13 @@ assert.throws(() => crypto.createDiffieHellman('abcdef', 13.37), {
+@@ -27,7 +27,7 @@ assert.throws(() => crypto.createDiffieHellman('abcdef', 13.37), {
  for (const bits of [-1, 0, 1]) {
    if (hasOpenSSL3) {
      assert.throws(() => crypto.createDiffieHellman(bits), {
 -      code: 'ERR_OSSL_DH_MODULUS_TOO_SMALL',
-+      code: /ERR_OSSL_(BN_BITS|DH_MODULUS)_TOO_SMALL/,
++      code: 'ERR_OSSL_BN_BITS_TOO_SMALL',
        name: 'Error',
        message: /modulus too small/,
      });
-   } else {
-     assert.throws(() => crypto.createDiffieHellman(bits), {
--      code: 'ERR_OSSL_BN_BITS_TOO_SMALL',
-+      code: /ERR_OSSL_(BN_BITS|DH_MODULUS)_TOO_SMALL/,
-       name: 'Error',
-       message: /bits[\s_]too[\s_]small/i,
-     });
-diff --git a/test/parallel/test-crypto-dh-group-setters.js b/test/parallel/test-crypto-dh-group-setters.js
-index 7c774111952eada92c62d45674c0845667ead1bf..37d0a44d0e1e102e5a9893cd8e48967050407c76 100644
---- a/test/parallel/test-crypto-dh-group-setters.js
-+++ b/test/parallel/test-crypto-dh-group-setters.js
-@@ -6,6 +6,10 @@ if (!common.hasCrypto)
- const assert = require('assert');
- const crypto = require('crypto');
- 
-+if (process.features.openssl_is_boringssl) {
-+  common.skip('Skipping unsupported Diffie-Hellman tests');
-+}
-+
- // Unlike DiffieHellman, DiffieHellmanGroup does not have any setters.
- const dhg = crypto.getDiffieHellman('modp1');
- assert.strictEqual(dhg.constructor, crypto.DiffieHellmanGroup);
-diff --git a/test/parallel/test-crypto-dh-modp2-views.js b/test/parallel/test-crypto-dh-modp2-views.js
-index 8d01731af79394cb33477a1ba4bb13561604e5e5..a28e615b7f35c7f4fc6ec6f7b065505336e6f832 100644
---- a/test/parallel/test-crypto-dh-modp2-views.js
-+++ b/test/parallel/test-crypto-dh-modp2-views.js
-@@ -7,6 +7,10 @@ const assert = require('assert');
- const crypto = require('crypto');
- const { modp2buf } = require('../common/crypto');
- 
-+if (process.features.openssl_is_boringssl) {
-+  common.skip('Skipping unsupported Diffie-Hellman tests');
-+}
-+
- const modp2 = crypto.createDiffieHellmanGroup('modp2');
- 
- const views = common.getArrayBufferViews(modp2buf);
-diff --git a/test/parallel/test-crypto-dh-modp2.js b/test/parallel/test-crypto-dh-modp2.js
-index 19767d26f4e5fbd1d82b5bfa6ebe0afddc412c3e..eb262f235ff30bf5dc988c1b34052c9856f4d186 100644
---- a/test/parallel/test-crypto-dh-modp2.js
-+++ b/test/parallel/test-crypto-dh-modp2.js
-@@ -6,6 +6,11 @@ if (!common.hasCrypto)
- const assert = require('assert');
- const crypto = require('crypto');
- const { modp2buf } = require('../common/crypto');
-+
-+if (process.features.openssl_is_boringssl) {
-+  common.skip('Skipping unsupported Diffie-Hellman tests');
-+}
-+
- const modp2 = crypto.createDiffieHellmanGroup('modp2');
- 
- {
 diff --git a/test/parallel/test-crypto-dh.js b/test/parallel/test-crypto-dh.js
 index 3c00a5fc73bb9f86f944df74f29d6b5225bc2f0e..b4e7002d862907d2af3b4f8e985700bd03300809 100644
 --- a/test/parallel/test-crypto-dh.js
@@ -298,233 +146,6 @@ index d22281abbd5c3cab3aaa3ac494301fa6b4a8a968..5f0c6a4aed2e868a1a1049212edf2187
  
  s.pipe(h).on('data', common.mustCall(function(c) {
    assert.strictEqual(c, expect);
-diff --git a/test/parallel/test-crypto-key-objects-to-crypto-key.js b/test/parallel/test-crypto-key-objects-to-crypto-key.js
-index 141e51d1ab74a4fc3b176b303807fb1cf2a58ce1..ba4fc881aa72ba7c39e8ae227a08be0ecf501c6f 100644
---- a/test/parallel/test-crypto-key-objects-to-crypto-key.js
-+++ b/test/parallel/test-crypto-key-objects-to-crypto-key.js
-@@ -26,9 +26,14 @@ function assertCryptoKey(cryptoKey, keyObject, algorithm, extractable, usages) {
- {
-   for (const length of [128, 192, 256]) {
-     const key = createSecretKey(randomBytes(length >> 3));
--    const algorithms = ['AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW'];
-+    let algorithms = ['AES-CTR', 'AES-CBC', 'AES-GCM', 'AES-KW'];
-     if (length === 256)
-       algorithms.push('ChaCha20-Poly1305');
-+
-+    if (process.features.openssl_is_boringssl) {
-+      algorithms = algorithms.filter((a) => a !== 'AES-KW' && a !== 'ChaCha20-Poly1305');
-+    }
-+
-     for (const algorithm of algorithms) {
-       const usages = algorithm === 'AES-KW' ? ['wrapKey', 'unwrapKey'] : ['encrypt', 'decrypt'];
-       for (const extractable of [true, false]) {
-@@ -97,7 +102,13 @@ function assertCryptoKey(cryptoKey, keyObject, algorithm, extractable, usages) {
- }
- 
- {
--  for (const algorithm of ['Ed25519', 'Ed448', 'X25519', 'X448']) {
-+  const algorithms = ['Ed25519', 'X25519'];
-+
-+  if (!process.features.openssl_is_boringssl) {
-+    algorithms.push('X448', 'Ed448');
-+  }
-+
-+  for (const algorithm of algorithms) {
-     const { publicKey, privateKey } = generateKeyPairSync(algorithm.toLowerCase());
-     assert.throws(() => {
-       publicKey.toCryptoKey(algorithm === 'Ed25519' ? 'X25519' : 'Ed25519', true, []);
-diff --git a/test/parallel/test-crypto-key-objects.js b/test/parallel/test-crypto-key-objects.js
-index e8359ed6d0362c6e8da8be08b0fd42245fa7ae47..bd8211d98261a1acc928e849bf713578c85ff877 100644
---- a/test/parallel/test-crypto-key-objects.js
-+++ b/test/parallel/test-crypto-key-objects.js
-@@ -302,11 +302,11 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-   }, hasOpenSSL3 ? {
-     message: 'error:1E08010C:DECODER routines::unsupported',
-   } : {
--    message: 'error:0909006C:PEM routines:get_name:no start line',
-+    message: /no.start.line/i,
-     code: 'ERR_OSSL_PEM_NO_START_LINE',
--    reason: 'no start line',
-+    reason: /no.start.line/i,
-     library: 'PEM routines',
--    function: 'get_name',
-+    function: /get_name|OPENSSL_internal/,
-   });
- 
-   // This should not abort either: https://github.com/nodejs/node/issues/29904
-@@ -329,12 +329,12 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-     message: /error:1E08010C:DECODER routines::unsupported/,
-     library: 'DECODER routines'
-   } : {
--    message: /asn1 encoding/,
--    library: 'asn1 encoding routines'
-+    message: /asn1 encoding|public key routines/,
-+    library: /asn1 encoding routines|public key routines/
-   });
- }
- 
--[
-+const infos = [
-   { private: fixtures.readKey('ed25519_private.pem', 'ascii'),
-     public: fixtures.readKey('ed25519_public.pem', 'ascii'),
-     keyType: 'ed25519',
-@@ -344,17 +344,6 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-       d: 'wVK6M3SMhQh3NK-7GRrSV-BVWQx1FO5pW8hhQeu_NdA',
-       kty: 'OKP'
-     } },
--  { private: fixtures.readKey('ed448_private.pem', 'ascii'),
--    public: fixtures.readKey('ed448_public.pem', 'ascii'),
--    keyType: 'ed448',
--    jwk: {
--      crv: 'Ed448',
--      x: 'oX_ee5-jlcU53-BbGRsGIzly0V-SZtJ_oGXY0udf84q2hTW2RdstLktvwpkVJOoNb7o' +
--         'Dgc2V5ZUA',
--      d: '060Ke71sN0GpIc01nnGgMDkp0sFNQ09woVo4AM1ffax1-mjnakK0-p-S7-Xf859QewX' +
--         'jcR9mxppY',
--      kty: 'OKP'
--    } },
-   { private: fixtures.readKey('x25519_private.pem', 'ascii'),
-     public: fixtures.readKey('x25519_public.pem', 'ascii'),
-     keyType: 'x25519',
-@@ -364,18 +353,37 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-       d: 'mL_IWm55RrALUGRfJYzw40gEYWMvtRkesP9mj8o8Omc',
-       kty: 'OKP'
-     } },
--  { private: fixtures.readKey('x448_private.pem', 'ascii'),
-+]
-+
-+if (!process.features.openssl_is_boringssl) {
-+  infos.push({
-+    private: fixtures.readKey('ed448_private.pem', 'ascii'),
-+    public: fixtures.readKey('ed448_public.pem', 'ascii'),
-+    keyType: 'ed448',
-+    jwk: {
-+      crv: 'Ed448',
-+      x: 'oX_ee5-jlcU53-BbGRsGIzly0V-SZtJ_oGXY0udf84q2hTW2RdstLktvwpkVJOoNb7o' +
-+        'Dgc2V5ZUA',
-+      d: '060Ke71sN0GpIc01nnGgMDkp0sFNQ09woVo4AM1ffax1-mjnakK0-p-S7-Xf859QewX' +
-+        'jcR9mxppY',
-+      kty: 'OKP'
-+    }
-+  }, {
-+    private: fixtures.readKey('x448_private.pem', 'ascii'),
-     public: fixtures.readKey('x448_public.pem', 'ascii'),
-     keyType: 'x448',
-     jwk: {
-       crv: 'X448',
-       x: 'ioHSHVpTs6hMvghosEJDIR7ceFiE3-Xccxati64oOVJ7NWjfozE7ae31PXIUFq6cVYg' +
--         'vSKsDFPA',
-+        'vSKsDFPA',
-       d: 'tMNtrO_q8dlY6Y4NDeSTxNQ5CACkHiPvmukidPnNIuX_EkcryLEXt_7i6j6YZMKsrWy' +
--         'S0jlSYJk',
-+        'S0jlSYJk',
-       kty: 'OKP'
--    } },
--].forEach((info) => {
-+    }
-+  });
-+}
-+
-+infos.forEach((info) => {
-   const keyType = info.keyType;
- 
-   {
-@@ -417,7 +425,7 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-   }
- });
- 
--[
-+const ecInfos = [
-   { private: fixtures.readKey('ec_p256_private.pem', 'ascii'),
-     public: fixtures.readKey('ec_p256_public.pem', 'ascii'),
-     keyType: 'ec',
-@@ -429,17 +437,6 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-       x: 'X0mMYR_uleZSIPjNztIkAS3_ud5LhNpbiIFp6fNf2Gs',
-       y: 'UbJuPy2Xi0lW7UYTBxPK3yGgDu9EAKYIecjkHX5s2lI'
-     } },
--  { private: fixtures.readKey('ec_secp256k1_private.pem', 'ascii'),
--    public: fixtures.readKey('ec_secp256k1_public.pem', 'ascii'),
--    keyType: 'ec',
--    namedCurve: 'secp256k1',
--    jwk: {
--      crv: 'secp256k1',
--      d: 'c34ocwTwpFa9NZZh3l88qXyrkoYSxvC0FEsU5v1v4IM',
--      kty: 'EC',
--      x: 'cOzhFSpWxhalCbWNdP2H_yUkdC81C9T2deDpfxK7owA',
--      y: '-A3DAZTk9IPppN-f03JydgHaFvL1fAHaoXf4SX4NXyo'
--    } },
-   { private: fixtures.readKey('ec_p384_private.pem', 'ascii'),
-     public: fixtures.readKey('ec_p384_public.pem', 'ascii'),
-     keyType: 'ec',
-@@ -465,7 +462,25 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-       y: 'Ad3flexBeAfXceNzRBH128kFbOWD6W41NjwKRqqIF26vmgW_8COldGKZjFkOSEASxPB' +
-          'cvA2iFJRUyQ3whC00j0Np'
-     } },
--].forEach((info) => {
-+]
-+
-+if (!process.features.openssl_is_boringssl) {
-+  ecInfos.push({
-+    private: fixtures.readKey('ec_secp256k1_private.pem', 'ascii'),
-+    public: fixtures.readKey('ec_secp256k1_public.pem', 'ascii'),
-+    keyType: 'ec',
-+    namedCurve: 'secp256k1',
-+    jwk: {
-+      crv: 'secp256k1',
-+      d: 'c34ocwTwpFa9NZZh3l88qXyrkoYSxvC0FEsU5v1v4IM',
-+      kty: 'EC',
-+      x: 'cOzhFSpWxhalCbWNdP2H_yUkdC81C9T2deDpfxK7owA',
-+      y: '-A3DAZTk9IPppN-f03JydgHaFvL1fAHaoXf4SX4NXyo'
-+    }
-+  });
-+}
-+
-+ecInfos.forEach((info) => {
-   const { keyType, namedCurve } = info;
- 
-   {
-@@ -540,7 +555,7 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-     format: 'pem',
-     passphrase: Buffer.alloc(1024, 'a')
-   }), {
--    message: /bad decrypt/
-+    message: /bad.decrypt/i
-   });
- 
-   const publicKey = createPublicKey(publicDsa);
-@@ -566,7 +581,7 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
- 
- {
-   // Test RSA-PSS.
--  {
-+  if (!process.features.openssl_is_boringssl) {
-     // This key pair does not restrict the message digest algorithm or salt
-     // length.
-     const publicPem = fixtures.readKey('rsa_pss_public_2048.pem');
-@@ -625,6 +640,8 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
-     }, {
-       code: 'ERR_CRYPTO_INCOMPATIBLE_KEY_OPTIONS'
-     });
-+  } else {
-+    common.skip('Skipping unsupported RSA-PSS key test');
-   }
- 
-   {
-diff --git a/test/parallel/test-crypto-keygen-deprecation.js b/test/parallel/test-crypto-keygen-deprecation.js
-index 926dfbbc4ae987217ab404ec25a3ca0a2ef2edcf..df0b379c1b1e982b96ea97c9814f38991d734ce4 100644
---- a/test/parallel/test-crypto-keygen-deprecation.js
-+++ b/test/parallel/test-crypto-keygen-deprecation.js
-@@ -4,6 +4,10 @@ const common = require('../common');
- if (!common.hasCrypto)
-   common.skip('missing crypto');
- 
-+if (process.features.openssl_is_boringssl) {
-+  common.skip('Skipping unsupported RSA-PSS key tests');
-+}
-+
- const DeprecationWarning = [];
- DeprecationWarning.push([
-   '"options.hash" is deprecated, use "options.hashAlgorithm" instead.',
 diff --git a/test/parallel/test-crypto-oneshot-hash-xof.js b/test/parallel/test-crypto-oneshot-hash-xof.js
 index 75cb4800ff1bd51fedd7bc4e2d7e6af6f4f48346..b4363c31592763235116d970a5f45d4cf63de373 100644
 --- a/test/parallel/test-crypto-oneshot-hash-xof.js
@@ -556,7 +177,7 @@ index 37eab463deae472a78102c9fc6e03d4b642854ce..99e8c47702c55a9518ff093a58d87c75
  
  const assert = require('assert');
 diff --git a/test/parallel/test-crypto-rsa-dsa.js b/test/parallel/test-crypto-rsa-dsa.js
-index 119bc3c2d20ea7d681f0b579f9d91ad46cdc3634..ad9cd4fd81aff32ec175f469176e1012b81872ac 100644
+index 119bc3c2d20ea7d681f0b579f9d91ad46cdc3634..8d13b105fa426015a873c411ad1d7f64b3d9580e 100644
 --- a/test/parallel/test-crypto-rsa-dsa.js
 +++ b/test/parallel/test-crypto-rsa-dsa.js
 @@ -29,12 +29,11 @@ const dsaPkcs8KeyPem = fixtures.readKey('dsa_private_pkcs8.pem');
@@ -569,29 +190,24 @@ index 119bc3c2d20ea7d681f0b579f9d91ad46cdc3634..ad9cd4fd81aff32ec175f469176e1012
 -  reason: 'bad decrypt',
 -  function: 'EVP_DecryptFinal_ex',
 -  library: 'digital envelope routines',
-+  message: /bad decrypt|BAD_DECRYPT/i,
-+  code: /ERR_OSSL_(EVP_)?BAD_DECRYPT/,
-+  reason: /bad decrypt|BAD_DECRYPT/i,
++  message: /error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt|error:1e000065:Cipher functions:OPENSSL_internal:BAD_DECRYPT/,
++  code: /ERR_OSSL(_EVP)?_BAD_DECRYPT/,
++  reason: /bad decrypt|BAD_DECRYPT/,
 +  function: /EVP_DecryptFinal_ex|OPENSSL_internal/,
 +  library: /digital envelope routines|Cipher functions/,
  };
  
  const decryptError = hasOpenSSL3 ?
-@@ -325,9 +324,12 @@ function test_rsa(padding, encryptOaepHash, decryptOaepHash) {
- }
+@@ -223,7 +222,7 @@ function test_rsa(padding, encryptOaepHash, decryptOaepHash) {
+   }, bufferToEncrypt);
  
- test_rsa('RSA_NO_PADDING');
--test_rsa('RSA_PKCS1_PADDING');
- test_rsa('RSA_PKCS1_OAEP_PADDING');
  
-+if (!process.features.openssl_is_boringssl) {
-+  test_rsa('RSA_PKCS1_PADDING');
-+}
-+
- // Test OAEP with different hash functions.
- test_rsa('RSA_PKCS1_OAEP_PADDING', undefined, 'sha1');
- test_rsa('RSA_PKCS1_OAEP_PADDING', 'sha1', undefined);
-@@ -489,7 +491,7 @@ assert.throws(() => {
+-  if (padding === constants.RSA_PKCS1_PADDING) {
++  if (!process.features.openssl_is_boringssl) {
+     if (!process.config.variables.node_shared_openssl) {
+       // TODO(richardlau) remove check and else branch after deps/openssl
+       // is upgraded.
+@@ -489,7 +488,7 @@ assert.throws(() => {
  //
  // Test DSA signing and verification
  //
@@ -600,48 +216,6 @@ index 119bc3c2d20ea7d681f0b579f9d91ad46cdc3634..ad9cd4fd81aff32ec175f469176e1012
    const input = 'I AM THE WALRUS';
  
    // DSA signatures vary across runs so there is no static string to verify
-@@ -512,13 +514,15 @@ assert.throws(() => {
-   verify2.update(input);
- 
-   assert.strictEqual(verify2.verify(dsaPubPem, signature2, 'hex'), true);
-+} else {
-+  common.printSkipMessage('Skipping unsupported DSA test case');
- }
- 
- 
- //
- // Test DSA signing and verification with PKCS#8 private key
- //
--{
-+if (!process.features.openssl_is_boringssl) {
-   const input = 'I AM THE WALRUS';
- 
-   // DSA signatures vary across runs so there is no static string to verify
-@@ -531,6 +535,8 @@ assert.throws(() => {
-   verify.update(input);
- 
-   assert.strictEqual(verify.verify(dsaPubPem, signature, 'hex'), true);
-+} else {
-+  common.printSkipMessage('Skipping unsupported DSA test case');
- }
- 
- 
-@@ -547,7 +553,7 @@ const input = 'I AM THE WALRUS';
-   }, decryptPrivateKeyError);
- }
- 
--{
-+if (!process.features.openssl_is_boringssl) {
-   // DSA signatures vary across runs so there is no static string to verify
-   // against.
-   const sign = crypto.createSign('SHA1');
-@@ -559,4 +565,6 @@ const input = 'I AM THE WALRUS';
-   verify.update(input);
- 
-   assert.strictEqual(verify.verify(dsaPubPem, signature, 'hex'), true);
-+} else {
-+  common.printSkipMessage('Skipping unsupported DSA test case');
- }
 diff --git a/test/parallel/test-crypto-scrypt.js b/test/parallel/test-crypto-scrypt.js
 index eafdfe392bde8eb1fde1dc7e7e9ae51682c74b87..2907e0175379266c90acb9df829d10283bd46652 100644
 --- a/test/parallel/test-crypto-scrypt.js
@@ -714,7 +288,7 @@ index a66f0a94efd7c952c1d2320fbc7a39fe3a88a8a1..dc5846db0e3dcf8f7cb5f7efcdbc81c1
    for (const [file, length] of keys) {
      const privKey = fixtures.readKey(file);
 diff --git a/test/parallel/test-crypto.js b/test/parallel/test-crypto.js
-index d21a6bd3d98d6db26cc82896e62da2869cf22842..21553911f8e16a76187bfff120dfbeead04e6269 100644
+index d21a6bd3d98d6db26cc82896e62da2869cf22842..115a2046b4d4b2688eaf033b58514c903af7a4b5 100644
 --- a/test/parallel/test-crypto.js
 +++ b/test/parallel/test-crypto.js
 @@ -62,7 +62,7 @@ assert.throws(() => {
@@ -753,297 +327,81 @@ index d21a6bd3d98d6db26cc82896e62da2869cf22842..21553911f8e16a76187bfff120dfbeea
  validateList(crypto.getHashes());
  // Make sure all of the hashes are supported by OpenSSL
  for (const algo of crypto.getHashes())
-@@ -197,61 +195,63 @@ assert.throws(
+@@ -197,6 +195,7 @@ assert.throws(
    }
  );
  
--assert.throws(() => {
--  const priv = [
--    '-----BEGIN RSA PRIVATE KEY-----',
--    'MIGrAgEAAiEA+3z+1QNF2/unumadiwEr+C5vfhezsb3hp4jAnCNRpPcCAwEAAQIgQNriSQK4',
--    'EFwczDhMZp2dvbcz7OUUyt36z3S4usFPHSECEQD/41K7SujrstBfoCPzwC1xAhEA+5kt4BJy',
--    'eKN7LggbF3Dk5wIQN6SL+fQ5H/+7NgARsVBp0QIRANxYRukavs4QvuyNhMx+vrkCEQCbf6j/',
--    'Ig6/HueCK/0Jkmp+',
--    '-----END RSA PRIVATE KEY-----',
--    '',
--  ].join('\n');
--  crypto.createSign('SHA256').update('test').sign(priv);
--}, (err) => {
--  if (!hasOpenSSL3)
--    assert.ok(!('opensslErrorStack' in err));
--  assert.throws(() => { throw err; }, hasOpenSSL3 ? {
--    name: 'Error',
--    message: 'error:02000070:rsa routines::digest too big for rsa key',
--    library: 'rsa routines',
--  } : {
--    name: 'Error',
--    message: /routines:RSA_sign:digest too big for rsa key$/,
--    library: /rsa routines/i,
--    function: 'RSA_sign',
--    reason: /digest[\s_]too[\s_]big[\s_]for[\s_]rsa[\s_]key/i,
--    code: 'ERR_OSSL_RSA_DIGEST_TOO_BIG_FOR_RSA_KEY'
--  });
--  return true;
--});
--
--if (!hasOpenSSL3) {
 +if (!process.features.openssl_is_boringssl) {
-   assert.throws(() => {
--    // The correct header inside `rsa_private_pkcs8_bad.pem` should have been
--    // -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----
--    // instead of
--    // -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
--    const sha1_privateKey = fixtures.readKey('rsa_private_pkcs8_bad.pem',
--                                             'ascii');
--    // This would inject errors onto OpenSSL's error stack
--    crypto.createSign('sha1').sign(sha1_privateKey);
-+    const priv = [
-+      '-----BEGIN RSA PRIVATE KEY-----',
-+      'MIGrAgEAAiEA+3z+1QNF2/unumadiwEr+C5vfhezsb3hp4jAnCNRpPcCAwEAAQIgQNriSQK4',
-+      'EFwczDhMZp2dvbcz7OUUyt36z3S4usFPHSECEQD/41K7SujrstBfoCPzwC1xAhEA+5kt4BJy',
-+      'eKN7LggbF3Dk5wIQN6SL+fQ5H/+7NgARsVBp0QIRANxYRukavs4QvuyNhMx+vrkCEQCbf6j/',
-+      'Ig6/HueCK/0Jkmp+',
-+      '-----END RSA PRIVATE KEY-----',
-+      '',
-+    ].join('\n');
-+    crypto.createSign('SHA256').update('test').sign(priv);
-   }, (err) => {
--    // Do the standard checks, but then do some custom checks afterwards.
--    assert.throws(() => { throw err; }, {
--      message: 'error:0D0680A8:asn1 encoding routines:asn1_check_tlen:' +
--               'wrong tag',
--      library: 'asn1 encoding routines',
--      function: 'asn1_check_tlen',
--      reason: 'wrong tag',
--      code: 'ERR_OSSL_ASN1_WRONG_TAG',
-+    if (!hasOpenSSL3)
-+      assert.ok(!('opensslErrorStack' in err));
-+    assert.throws(() => { throw err; }, hasOpenSSL3 ? {
-+      name: 'Error',
-+      message: 'error:02000070:rsa routines::digest too big for rsa key',
-+      library: 'rsa routines',
-+    } : {
-+      name: 'Error',
-+      message: /routines:RSA_sign:digest too big for rsa key$/,
-+      library: /rsa routines/i,
-+      function: 'RSA_sign',
-+      reason: /digest[\s_]too[\s_]big[\s_]for[\s_]rsa[\s_]key/i,
-+      code: 'ERR_OSSL_RSA_DIGEST_TOO_BIG_FOR_RSA_KEY'
-     });
--    // Throws crypto error, so there is an opensslErrorStack property.
--    // The openSSL stack should have content.
--    assert(Array.isArray(err.opensslErrorStack));
--    assert(err.opensslErrorStack.length > 0);
+ assert.throws(() => {
+   const priv = [
+     '-----BEGIN RSA PRIVATE KEY-----',
+@@ -253,7 +252,7 @@ if (!hasOpenSSL3) {
      return true;
    });
-+
-+  if (!hasOpenSSL3) {
-+    assert.throws(() => {
-+      // The correct header inside `rsa_private_pkcs8_bad.pem` should have been
-+      // -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----
-+      // instead of
-+      // -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY-----
-+      const sha1_privateKey = fixtures.readKey('rsa_private_pkcs8_bad.pem',
-+                                              'ascii');
-+      // This would inject errors onto OpenSSL's error stack
-+      crypto.createSign('sha1').sign(sha1_privateKey);
-+    }, (err) => {
-+      // Do the standard checks, but then do some custom checks afterwards.
-+      assert.throws(() => { throw err; }, {
-+        message: 'error:0D0680A8:asn1 encoding routines:asn1_check_tlen:' +
-+                'wrong tag',
-+        library: 'asn1 encoding routines',
-+        function: 'asn1_check_tlen',
-+        reason: 'wrong tag',
-+        code: 'ERR_OSSL_ASN1_WRONG_TAG',
-+      });
-+      // Throws crypto error, so there is an opensslErrorStack property.
-+      // The openSSL stack should have content.
-+      assert(Array.isArray(err.opensslErrorStack));
-+      assert(err.opensslErrorStack.length > 0);
-+      return true;
-+    });
-+  }
  }
- 
- // Make sure memory isn't released before being returned
-diff --git a/test/parallel/test-tls-client-auth.js b/test/parallel/test-tls-client-auth.js
-index b347c0a88df571296127985f8e7b70de66726cc0..66465783d344dab1330069e36577d41fc75db962 100644
---- a/test/parallel/test-tls-client-auth.js
-+++ b/test/parallel/test-tls-client-auth.js
-@@ -112,7 +112,7 @@ if (tls.DEFAULT_MAX_VERSION === 'TLSv1.3') connect({
-   // and sends a fatal Alert to the client that the client discovers there has
-   // been a fatal error.
-   pair.client.conn.once('error', common.mustCall((err) => {
--    assert.strictEqual(err.code, 'ERR_SSL_TLSV13_ALERT_CERTIFICATE_REQUIRED');
-+    //assert.strictEqual(err.code, 'ERR_SSL_TLSV13_ALERT_CERTIFICATE_REQUIRED');
-     cleanup();
-   }));
- });
-diff --git a/test/parallel/test-tls-peer-certificate.js b/test/parallel/test-tls-peer-certificate.js
-index 41e3c883d950e074dffcdd6df888eaf47696039c..304724b564956ff3c38cb42793141ddcc57dfd75 100644
---- a/test/parallel/test-tls-peer-certificate.js
-+++ b/test/parallel/test-tls-peer-certificate.js
-@@ -55,7 +55,7 @@ connect({
-   assert.strictEqual(peerCert.ca, false);
-   assert.strictEqual(peerCert.issuerCertificate.ca, true);
-   assert.strictEqual(peerCert.subject.emailAddress, 'ry@tinyclouds.org');
--  assert.strictEqual(peerCert.serialNumber, '147D36C1C2F74206DE9FAB5F2226D78ADB00A426');
-+  assert.match(peerCert.serialNumber, /147D36C1C2F74206DE9FAB5F2226D78ADB00A426/i);
-   assert.strictEqual(peerCert.exponent, '0x10001');
-   assert.strictEqual(peerCert.bits, 2048);
-   // The conversion to bits is odd because modulus isn't a buffer, its a hex
-@@ -95,7 +95,7 @@ connect({
- 
-   const issuer = peerCert.issuerCertificate;
-   assert.strictEqual(issuer.issuerCertificate, issuer);
--  assert.strictEqual(issuer.serialNumber, '4AB16C8DFD6A7D0D2DFCABDF9C4B0E92C6AD0229');
-+  assert.match(issuer.serialNumber, /4AB16C8DFD6A7D0D2DFCABDF9C4B0E92C6AD0229/i);
- 
-   return cleanup();
- });
-@@ -114,7 +114,7 @@ connect({
- 
-   assert.ok(peerCert.issuerCertificate);
-   assert.strictEqual(peerCert.subject.emailAddress, 'ry@tinyclouds.org');
--  assert.strictEqual(peerCert.serialNumber, '32E8197681DA33185867B52885F678BFDBA51727');
-+  assert.match(peerCert.serialNumber, /32E8197681DA33185867B52885F678BFDBA51727/i);
-   assert.strictEqual(peerCert.exponent, undefined);
-   assert.strictEqual(peerCert.pubKey, undefined);
-   assert.strictEqual(peerCert.modulus, undefined);
-@@ -146,7 +146,6 @@ connect({
- 
-   const issuer = peerCert.issuerCertificate;
-   assert.strictEqual(issuer.issuerCertificate, issuer);
--  assert.strictEqual(issuer.serialNumber, '32E8197681DA33185867B52885F678BFDBA51727');
 -
-+  assert.match(issuer.serialNumber, /32E8197681DA33185867B52885F678BFDBA51727/i);
-   return cleanup();
- });
-diff --git a/test/parallel/test-tls-pfx-authorizationerror.js b/test/parallel/test-tls-pfx-authorizationerror.js
-index eb705d591ef23a90bd78d52797fd1a58bc84a7dd..da428f1320e9e7bd1683724806a7438ed5aa38cc 100644
---- a/test/parallel/test-tls-pfx-authorizationerror.js
-+++ b/test/parallel/test-tls-pfx-authorizationerror.js
-@@ -22,13 +22,13 @@ const server = tls
-       rejectUnauthorized: false
-     },
-     common.mustCall(function(c) {
--      assert.strictEqual(c.getPeerCertificate().serialNumber,
--                         '147D36C1C2F74206DE9FAB5F2226D78ADB00A426');
-+      assert.match(c.getPeerCertificate().serialNumber,
-+                         /147D36C1C2F74206DE9FAB5F2226D78ADB00A426/i);
-       assert.strictEqual(c.authorizationError, null);
-       c.end();
-     })
-   )
--  .listen(0, function() {
-+  .listen(0, common.mustCall(function() {
-     const client = tls.connect(
-       {
-         port: this.address().port,
-@@ -36,16 +36,16 @@ const server = tls
-         passphrase: 'sample',
-         rejectUnauthorized: false
-       },
--      function() {
-+      common.mustCall(() => {
-         for (let i = 0; i < 10; ++i) {
-           // Calling this repeatedly is a regression test that verifies
-           // that .getCertificate() does not accidentally decrease the
-           // reference count of the X509* certificate on the native side.
--          assert.strictEqual(client.getCertificate().serialNumber,
--                             '147D36C1C2F74206DE9FAB5F2226D78ADB00A426');
-+          assert.match(client.getCertificate().serialNumber,
-+                             /147D36C1C2F74206DE9FAB5F2226D78ADB00A426/i);
-         }
-         client.end();
-         server.close();
--      }
-+      }),
-     );
--  });
-+  }));
-diff --git a/test/parallel/test-tls-set-sigalgs.js b/test/parallel/test-tls-set-sigalgs.js
-index 985ca13ba2ac7d58f87c263c7654c4f4087efddf..21c199bdb12739f82a075c4e10e08faf8c587cf4 100644
---- a/test/parallel/test-tls-set-sigalgs.js
-+++ b/test/parallel/test-tls-set-sigalgs.js
-@@ -65,13 +65,14 @@ test('RSA-PSS+SHA256:RSA-PSS+SHA512:ECDSA+SHA256',
-      'RSA-PSS+SHA256:ECDSA+SHA256',
-      ['RSA-PSS+SHA256', 'ECDSA+SHA256']);
++}
+ // Make sure memory isn't released before being returned
+ console.log(crypto.randomBytes(16));
  
-+const cerr = process.features.openssl_is_boringssl ?
-+  'ERR_SSL_NO_COMMON_SIGNATURE_ALGORITHMS' : 'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITHMS';
-+
- // Do not have shared sigalgs.
- const handshakeErr = hasOpenSSL(3, 2) ?
-   'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE' : 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE';
- test('RSA-PSS+SHA384', 'ECDSA+SHA256',
--     undefined, handshakeErr,
--     'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITHMS');
-+     undefined, handshakeErr, cerr);
- 
- test('RSA-PSS+SHA384:ECDSA+SHA256', 'ECDSA+SHA384:RSA-PSS+SHA256',
--     undefined, handshakeErr,
--     'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITHMS');
-+     undefined, handshakeErr, cerr);
-\ No newline at end of file
-diff --git a/test/parallel/test-webcrypto-export-import-cfrg.js b/test/parallel/test-webcrypto-export-import-cfrg.js
-index ae203e1005de0ab4370bd611f4f2ae64bb7a9a6a..216ce5fd14001183e7deb2abadc93178e7a18a58 100644
---- a/test/parallel/test-webcrypto-export-import-cfrg.js
-+++ b/test/parallel/test-webcrypto-export-import-cfrg.js
-@@ -411,7 +411,7 @@ async function testImportRaw({ name, publicUsages }) {
-   await Promise.all(tests);
- })().then(common.mustCall());
- 
--{
-+if (!process.features.openssl_is_boringssl) {
-   const rsaPublic = crypto.createPublicKey(
-     fixtures.readKey('rsa_public_2048.pem'));
-   const rsaPrivate = crypto.createPrivateKey(
-@@ -432,4 +432,6 @@ async function testImportRaw({ name, publicUsages }) {
-       { name },
-       true, privateUsages), { message: /Invalid key type/ }).then(common.mustCall());
-   }
-+} else {
-+  common.printSkipMessage('Skipping RSA key import tests');
- }
 diff --git a/test/parallel/test-webcrypto-wrap-unwrap.js b/test/parallel/test-webcrypto-wrap-unwrap.js
-index bd788ec4ed88289d35798b8af8c9490a68e081a2..c6a6f33490595faabaefc9b58afdd813f0887258 100644
+index bd788ec4ed88289d35798b8af8c9490a68e081a2..1a5477ba928bce93320f8056db02e1a7b8ddcdf3 100644
 --- a/test/parallel/test-webcrypto-wrap-unwrap.js
 +++ b/test/parallel/test-webcrypto-wrap-unwrap.js
-@@ -179,13 +179,6 @@ async function generateKeysToWrap() {
-       usages: ['encrypt', 'decrypt'],
-       pair: false,
-     },
--    {
--      algorithm: {
--        name: 'ChaCha20-Poly1305'
--      },
--      usages: ['encrypt', 'decrypt'],
--      pair: false,
+@@ -20,14 +20,15 @@ const kWrappingData = {
+     wrap: { label: new Uint8Array(8) },
+     pair: true
+   },
+-  'AES-CTR': {
++  'AES-CBC': {
+     generate: { length: 128 },
+-    wrap: { counter: new Uint8Array(16), length: 64 },
++    wrap: { iv: new Uint8Array(16) },
+     pair: false
+   },
+-  'AES-CBC': {
++  /*
++  'AES-CTR': {
+     generate: { length: 128 },
+-    wrap: { iv: new Uint8Array(16) },
++    wrap: { counter: new Uint8Array(16), length: 64 },
+     pair: false
+   },
+   'AES-GCM': {
+@@ -46,30 +47,9 @@ if (!process.features.openssl_is_boringssl) {
+     generate: { length: 128 },
+     wrap: { },
+     pair: false
+-  };
+-  kWrappingData['ChaCha20-Poly1305'] = {
+-    wrap: {
+-      iv: new Uint8Array(12),
+-      additionalData: new Uint8Array(16),
+-      tagLength: 128
 -    },
-     {
-       algorithm: {
-         name: 'HMAC',
-@@ -210,6 +203,18 @@ async function generateKeysToWrap() {
-     common.printSkipMessage('Skipping unsupported AES-KW test case');
-   }
- 
-+  if (!process.features.openssl_is_boringssl) {
-+    parameters.push({
-+      algorithm: {
-+        name: 'ChaCha20-Poly1305'
-+      },
-+      usages: ['encrypt', 'decrypt'],
-+      pair: false,
-+    });
-+  } else {
-+    common.printSkipMessage('Skipping unsupported ChaCha20-Poly1305 test case');
+-    pair: false
+-  };
+-} else {
+-  common.printSkipMessage('Skipping unsupported AES-KW test case');
+-}
+-
+-if (hasOpenSSL(3)) {
+-  kWrappingData['AES-OCB'] = {
+-    generate: { length: 128 },
+-    wrap: {
+-      iv: new Uint8Array(15),
+-      additionalData: new Uint8Array(16),
+-      tagLength: 128
+-    },
+-    pair: false
+-  };
+-}
 +  }
-+
-   if (hasOpenSSL(3, 5)) {
-     for (const name of ['ML-DSA-44', 'ML-DSA-65', 'ML-DSA-87']) {
-       parameters.push({
++  */
++};
+ 
+ function generateWrappingKeys() {
+   return Promise.all(Object.keys(kWrappingData).map(async (name) => {
 diff --git a/test/parallel/test-x509-escaping.js b/test/parallel/test-x509-escaping.js
 index c8fc4abbb108a6d6849e8452d97d29187da2ebe6..825ba4c8dce775f401080a0522565bb7a087bcc3 100644
 --- a/test/parallel/test-x509-escaping.js

patches/node/refactor_attach_cppgc_heap_on_v8_isolate_creation.patch

@@ -18,10 +18,10 @@ This can be removed when Node.js upgrades to a version of V8 containing CLs
 from the above issue.
 
 diff --git a/src/api/environment.cc b/src/api/environment.cc
-index 53f05293bd94e159dfedf48735989e668acdd08e..d753ad6c6b49b26b86920124f7ac90c1e052638e 100644
+index 5c8bc870dcf2e974036cf3bcb60fd288e59045d9..0f19cb09ea0963a9c505c51f89d1c7a939f2730b 100644
 --- a/src/api/environment.cc
 +++ b/src/api/environment.cc
-@@ -323,6 +323,10 @@ Isolate* NewIsolate(Isolate::CreateParams* params,
+@@ -331,6 +331,10 @@ Isolate* NewIsolate(Isolate::CreateParams* params,
                      MultiIsolatePlatform* platform,
                      const SnapshotData* snapshot_data,
                      const IsolateSettings& settings) {
@@ -32,7 +32,7 @@ index 53f05293bd94e159dfedf48735989e668acdd08e..d753ad6c6b49b26b86920124f7ac90c1
    IsolateGroup group = GetOrCreateIsolateGroup();
    Isolate* isolate = Isolate::Allocate(group);
    if (isolate == nullptr) return nullptr;
-@@ -373,9 +377,12 @@ Isolate* NewIsolate(ArrayBufferAllocator* allocator,
+@@ -387,9 +391,12 @@ Isolate* NewIsolate(ArrayBufferAllocator* allocator,
                      uv_loop_t* event_loop,
                      MultiIsolatePlatform* platform,
                      const EmbedderSnapshotData* snapshot_data,

patches/node/support_v8_sandboxed_pointers.patch

@@ -6,6 +6,75 @@ Subject: support V8 sandboxed pointers
 This refactors several allocators to allocate within the V8 memory cage,
 allowing them to be compatible with the V8_SANDBOXED_POINTERS feature.
 
+diff --git a/src/api/environment.cc b/src/api/environment.cc
+index 53f05293bd94e159dfedf48735989e668acdd08e..5c8bc870dcf2e974036cf3bcb60fd288e59045d9 100644
+--- a/src/api/environment.cc
++++ b/src/api/environment.cc
+@@ -111,6 +111,14 @@ MaybeLocal<Value> PrepareStackTraceCallback(Local<Context> context,
+   return result;
+ }
+ 
++NodeArrayBufferAllocator::NodeArrayBufferAllocator() {
++  zero_fill_field_ = static_cast<uint32_t*>(allocator_->Allocate(sizeof(*zero_fill_field_)));
++}
++
++NodeArrayBufferAllocator::~NodeArrayBufferAllocator() {
++  allocator_->Free(zero_fill_field_, sizeof(*zero_fill_field_));
++}
++
+ void* NodeArrayBufferAllocator::Allocate(size_t size) {
+   void* ret;
+   COUNT_GENERIC_USAGE("NodeArrayBufferAllocator.Allocate.ZeroFilled");
+@@ -337,6 +345,12 @@ Isolate* NewIsolate(Isolate::CreateParams* params,
+     // but also otherwise just doesn't work, and the only real alternative
+     // is disabling shared-readonly-heap mode altogether.
+     static Isolate::CreateParams first_params = *params;
++    // Clear allocator pointers to prevent use-after-free during static
++    // destruction. The static first_params can outlive V8's internal
++    // allocator systems, causing crashes when its destructor tries to
++    // free resources after V8 has shut down.
++    first_params.array_buffer_allocator = nullptr;
++    first_params.array_buffer_allocator_shared.reset();
+     params->snapshot_blob = first_params.snapshot_blob;
+     params->external_references = first_params.external_references;
+   }
+diff --git a/src/crypto/crypto_dh.cc b/src/crypto/crypto_dh.cc
+index 46a7d1396dc1a175ae99f4e403721f1730fdd320..bbb0abb3b9563074d350578e0f5a8fa211046b17 100644
+--- a/src/crypto/crypto_dh.cc
++++ b/src/crypto/crypto_dh.cc
+@@ -61,17 +61,22 @@ MaybeLocal<Value> DataPointerToBuffer(Environment* env, DataPointer&& data) {
+     bool secure;
+   };
+ #ifdef V8_ENABLE_SANDBOX
+-  auto backing = ArrayBuffer::NewBackingStore(
+-      env->isolate(),
+-      data.size(),
+-      BackingStoreInitializationMode::kUninitialized,
+-      BackingStoreOnFailureMode::kReturnNull);
+-  if (!backing) {
+-    THROW_ERR_MEMORY_ALLOCATION_FAILED(env);
+-    return MaybeLocal<Value>();
+-  }
++  std::unique_ptr<v8::BackingStore> backing;
+   if (data.size() > 0) {
+-    memcpy(backing->Data(), data.get(), data.size());
++    std::unique_ptr<ArrayBuffer::Allocator> allocator(ArrayBuffer::Allocator::NewDefaultAllocator());
++    void* v8_data = allocator->Allocate(data.size());
++    CHECK(v8_data);
++    memcpy(v8_data, data.get(), data.size());
++    backing = ArrayBuffer::NewBackingStore(
++        v8_data,
++        data.size(),
++        [](void* data, size_t length, void*) {
++          std::unique_ptr<ArrayBuffer::Allocator> allocator(ArrayBuffer::Allocator::NewDefaultAllocator());
++          allocator->Free(data, length);
++        }, nullptr);
++  } else {
++    NoArrayBufferZeroFillScope no_zero_fill_scope(env->isolate_data());
++    backing = v8::ArrayBuffer::NewBackingStore(env->isolate(), data.size());
+   }
+ #else
+   auto backing = ArrayBuffer::NewBackingStore(
 diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
 index 12b0d804c6f1d4998b85160b0aac8eb7a3b5576b..27bd93769233dc65a064710db4095d9cdc3a8b1a 100644
 --- a/src/crypto/crypto_util.cc
@@ -120,11 +189,110 @@ index b30297eac08ad9587642b723f91d7e3b954294d4..4c5427596d1c90d3a413cdd9ff4f1151
  #else
    auto backing = ArrayBuffer::NewBackingStore(
        mem->data,
+diff --git a/src/env-inl.h b/src/env-inl.h
+index 74bbb9fb83246a90bc425e259150f0868020ac9e..777335321fc9037d91d88fb5852bbf5b05f50d0a 100644
+--- a/src/env-inl.h
++++ b/src/env-inl.h
+@@ -44,6 +44,16 @@
+ 
+ namespace node {
+ 
++NoArrayBufferZeroFillScope::NoArrayBufferZeroFillScope(
++    IsolateData* isolate_data)
++    : node_allocator_(isolate_data->node_allocator()) {
++  if (node_allocator_ != nullptr) node_allocator_->zero_fill_field()[0] = 0;
++}
++
++NoArrayBufferZeroFillScope::~NoArrayBufferZeroFillScope() {
++  if (node_allocator_ != nullptr) node_allocator_->zero_fill_field()[0] = 1;
++}
++
+ inline v8::Isolate* IsolateData::isolate() const {
+   return isolate_;
+ }
+diff --git a/src/env.h b/src/env.h
+index 754ddf7b331465c56081db05d6fd2a45fe50596a..db1ed241f730791ba3e3f93349cb5ff3437c738d 100644
+--- a/src/env.h
++++ b/src/env.h
+@@ -111,6 +111,19 @@ class ModuleWrap;
+ class Environment;
+ class Realm;
+ 
++// Disables zero-filling for ArrayBuffer allocations in this scope. This is
++// similar to how we implement Buffer.allocUnsafe() in JS land.
++class NoArrayBufferZeroFillScope {
++ public:
++  inline explicit NoArrayBufferZeroFillScope(IsolateData* isolate_data);
++  inline ~NoArrayBufferZeroFillScope();
++
++ private:
++  NodeArrayBufferAllocator* node_allocator_;
++
++  friend class Environment;
++};
++
+ struct IsolateDataSerializeInfo {
+   std::vector<SnapshotIndex> primitive_values;
+   std::vector<PropInfo> template_values;
 diff --git a/src/node_buffer.cc b/src/node_buffer.cc
-index ddee7b7e40c3ee4054b2b15b75154607aa6431ed..decc3c8c966c2322f22d6bdd871514bb53882a29 100644
+index ddee7b7e40c3ee4054b2b15b75154607aa6431ed..9b74343d01913a27bde608d73d890ae127143960 100644
 --- a/src/node_buffer.cc
 +++ b/src/node_buffer.cc
-@@ -1420,7 +1420,7 @@ inline size_t CheckNumberToSize(Local<Value> number) {
+@@ -81,6 +81,7 @@ using v8::SharedArrayBuffer;
+ using v8::String;
+ using v8::Uint32;
+ using v8::Uint8Array;
++using v8::Uint32Array;
+ using v8::Value;
+ 
+ namespace {
+@@ -1243,6 +1244,45 @@ void SetBufferPrototype(const FunctionCallbackInfo<Value>& args) {
+   realm->set_buffer_prototype_object(proto);
+ }
+ 
++void GetZeroFillToggle(const FunctionCallbackInfo<Value>& args) {
++  Environment* env = Environment::GetCurrent(args);
++  NodeArrayBufferAllocator* allocator = env->isolate_data()->node_allocator();
++  Local<ArrayBuffer> ab;
++  // It can be a nullptr when running inside an isolate where we
++  // do not own the ArrayBuffer allocator.
++  if (allocator == nullptr || env->isolate_data()->is_building_snapshot()) {
++    // Create a dummy Uint32Array - the JS land can only toggle the C++ land
++    // setting when the allocator uses our toggle. With this the toggle in JS
++    // land results in no-ops.
++    // When building a snapshot, just use a dummy toggle as well to avoid
++    // introducing the dynamic external reference. We'll re-initialize the
++    // toggle with a real one connected to the C++ allocator after snapshot
++    // deserialization.
++
++    ab = ArrayBuffer::New(env->isolate(), sizeof(uint32_t));
++  } else {
++    // TODO(joyeecheung): save ab->GetBackingStore()->Data() in the Node.js
++    // array buffer allocator and include it into the C++ toggle while the
++    // Environment is still alive.
++    uint32_t* zero_fill_field = allocator->zero_fill_field();
++    std::unique_ptr<BackingStore> backing =
++        ArrayBuffer::NewBackingStore(zero_fill_field,
++                                     sizeof(*zero_fill_field),
++                                     [](void*, size_t, void*) {},
++                                     nullptr);
++    ab = ArrayBuffer::New(env->isolate(), std::move(backing));
++  }
++
++  if (ab->SetPrivate(env->context(),
++                     env->untransferable_object_private_symbol(),
++                     True(env->isolate()))
++          .IsNothing()) {
++    return;
++  }
++
++  args.GetReturnValue().Set(Uint32Array::New(ab, 0, 1));
++}
++
+ static void Btoa(const FunctionCallbackInfo<Value>& args) {
+   CHECK_EQ(args.Length(), 1);
+   Environment* env = Environment::GetCurrent(args);
+@@ -1420,7 +1460,7 @@ inline size_t CheckNumberToSize(Local<Value> number) {
    CHECK(value >= 0 && value < maxSize);
    size_t size = static_cast<size_t>(value);
  #ifdef V8_ENABLE_SANDBOX
@@ -133,6 +301,22 @@ index ddee7b7e40c3ee4054b2b15b75154607aa6431ed..decc3c8c966c2322f22d6bdd871514bb
  #endif
    return size;
  }
+@@ -1638,6 +1678,7 @@ void Initialize(Local<Object> target,
+                 "utf8WriteStatic",
+                 SlowWriteString<UTF8>,
+                 &fast_write_string_utf8);
++  SetMethod(context, target, "getZeroFillToggle", GetZeroFillToggle);
+ }
+ 
+ }  // anonymous namespace
+@@ -1686,6 +1727,7 @@ void RegisterExternalReferences(ExternalReferenceRegistry* registry) {
+   registry->Register(StringWrite<HEX>);
+   registry->Register(StringWrite<UCS2>);
+   registry->Register(StringWrite<UTF8>);
++  registry->Register(GetZeroFillToggle);
+ 
+   registry->Register(CopyArrayBuffer);
+   registry->Register(CreateUnsafeArrayBuffer);
 diff --git a/src/node_i18n.cc b/src/node_i18n.cc
 index 3c4f419aa29470b3280174b58680b9421b0340b5..3b24ad2a2316f89d98b067e2c13988f87a9a00d2 100644
 --- a/src/node_i18n.cc
@@ -173,6 +357,28 @@ index 3c4f419aa29470b3280174b58680b9421b0340b5..3b24ad2a2316f89d98b067e2c13988f8
  }
  
  constexpr const char* EncodingName(const enum encoding encoding) {
+diff --git a/src/node_internals.h b/src/node_internals.h
+index 61a58b6ccfb26efefd6d3b61a1c8741f9550ae8d..29d1ecc2b209c9c3c2e956263ba2d57fb688b34c 100644
+--- a/src/node_internals.h
++++ b/src/node_internals.h
+@@ -124,6 +124,9 @@ v8::MaybeLocal<v8::Object> InitializePrivateSymbols(
+ 
+ class NodeArrayBufferAllocator : public ArrayBufferAllocator {
+  public:
++  NodeArrayBufferAllocator();
++  ~NodeArrayBufferAllocator() override;
++  inline uint32_t* zero_fill_field() { return zero_fill_field_; }
+   void* Allocate(size_t size) override;  // Defined in src/node.cc
+   void* AllocateUninitialized(size_t size) override;
+   void Free(void* data, size_t size) override;
+@@ -140,6 +143,7 @@ class NodeArrayBufferAllocator : public ArrayBufferAllocator {
+   }
+ 
+  private:
++  uint32_t* zero_fill_field_ = nullptr;  // Boolean but exposed as uint32 to JS land.
+   std::atomic<size_t> total_mem_usage_ {0};
+ 
+   // Delegate to V8's allocator for compatibility with the V8 memory cage.
 diff --git a/src/node_serdes.cc b/src/node_serdes.cc
 index 00fcd4b6afccce47ff21c4447d9cd60f25c11835..5f96ee2051e5339456185efddb149c4d43093f31 100644
 --- a/src/node_serdes.cc

script/codesign/cleanup-identity.sh

@@ -1,21 +0,0 @@
-#!/bin/sh
-
-# Removes the codesigning keychain created by generate-identity.sh.
-# Safe to run even if generate-identity.sh was never run (each step
-# is guarded).
-
-set -eo pipefail
-
-KEYCHAIN="electron-codesign.keychain-db"
-
-# delete-keychain also removes it from the search list
-if security list-keychains -d user | grep -q "$KEYCHAIN"; then
-  security delete-keychain "$KEYCHAIN"
-  echo "Deleted keychain: $KEYCHAIN"
-else
-  echo "Keychain not found, nothing to delete"
-fi
-
-# Clean up working directory
-rm -rf "$(dirname $0)"/.working
-echo "Cleanup complete"

script/codesign/generate-identity.sh

@@ -3,8 +3,6 @@
 set -eo pipefail
 
 dir="$(dirname $0)"/.working
-KEYCHAIN="electron-codesign.keychain-db"
-KEYCHAIN_TEMP="$(openssl rand -hex 12)"
 
 cleanup() {
     rm -rf "$dir"
@@ -20,16 +18,30 @@ mkdir -p "$dir"
 
 # Generate Certs
 openssl req -new -newkey rsa:2048 -x509 -days 7300 -nodes -config "$(dirname $0)"/codesign.cnf -extensions extended -batch -out "$dir"/certificate.cer -keyout "$dir"/certificate.key
+sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$dir"/certificate.cer
+sudo security import "$dir"/certificate.key -A -k /Library/Keychains/System.keychain
 
-# macOS 15+ blocks modifications to the system keychain via SIP/TCC,
-# so we use a custom user-scoped keychain instead.
-# Refs https://github.com/electron/electron/issues/48182
-security create-keychain -p "$KEYCHAIN_TEMP" "$KEYCHAIN"
-security set-keychain-settings -t 3600 -u "$KEYCHAIN"
-security unlock-keychain -p "$KEYCHAIN_TEMP" "$KEYCHAIN"
+# restart(reload) taskgated daemon
+sudo pkill -f /usr/libexec/taskgated
 
-security list-keychains -d user -s "$KEYCHAIN" $(security list-keychains -d user | tr -d '"')
-security import "$dir"/certificate.cer -k "$KEYCHAIN" -T /usr/bin/codesign
-security import "$dir"/certificate.key -k "$KEYCHAIN" -T /usr/bin/codesign -A
+# need once
+sudo security authorizationdb write system.privilege.taskport allow
+# need once
+DevToolsSecurity -enable
 
-security set-key-partition-list -S apple-tool:,apple:,codesign: -s -k "$KEYCHAIN_TEMP" "$KEYCHAIN"
+# openssl req -newkey rsa:2048 -nodes -keyout "$dir"/private.pem -x509 -days 1 -out "$dir"/certificate.pem -extensions extended -config "$(dirname $0)"/codesign.cnf
+# openssl x509 -inform PEM -in "$dir"/certificate.pem -outform DER -out "$dir"/certificate.cer
+# openssl x509 -pubkey -noout -in "$dir"/certificate.pem > "$dir"/public.key
+# rm -f "$dir"/certificate.pem
+
+# Import Certs
+# security import "$dir"/certificate.cer -k $KEY_CHAIN
+# security import "$dir"/private.pem -k $KEY_CHAIN
+# security import "$dir"/public.key -k $KEY_CHAIN
+
+# Generate Trust Settings
+# TODO: Remove NPX
+npm_config_yes=true npx ts-node "$(dirname $0)"/gen-trust.ts "$dir"/certificate.cer "$dir"/trust.xml
+
+# Import Trust Settings
+sudo security trust-settings-import -d "$dir/trust.xml"

script/codesign/get-trusted-identity.sh

@@ -2,7 +2,7 @@
 
 set -e
 
-valid_certs=$(security find-identity -p codesigning)
+valid_certs=$(security find-identity -p codesigning -v)
 if [[ $valid_certs == *"1)"* ]]; then
   first_valid_cert=$(echo $valid_certs | sed 's/ \".*//' | sed 's/.* //')
   echo $first_valid_cert